OpenVPN 2.3 or lower on Centos 6

From vpsget wiki

This article covers a deprecated OpenVPN version.

The current KB article, for the latest OpenVPN version (2.3.6), can be found here:

 OpenVPN 2.3.6 on Centos 6 

This guide shows how to install OpenVPN on CentOS 6 x64.

Note: this guide applies to OpenVPN versions below 2.3.

Check whether the tun/tap device is available:

cat /dev/net/tun

If tun is active, you should see this (the read itself cannot succeed; the message only shows that the device node exists and the driver answers):

cat: /dev/net/tun: File descriptor in bad state

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download the LZO source RPM


Download the RPMForge repository RPM


Build and install the packages:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Open /etc/openvpn/easy-rsa/2.0/vars and change the line

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

and save the changes.

Create the certificates:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars

Build the CA:


Build the server key:

./build-key-server server

Build the Diffie-Hellman parameters:


Generate the client keys:

./build-key client1
./build-key client2
./build-key client3

Copy the sample server config file server.conf from /usr/share/doc/openvpn-2.2.2/ to /etc/openvpn:

cp /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf /etc/openvpn/

Edit the file to suit your setup: for example, set the paths to ca, cert, key and dh, and push public DNS servers to clients.
Example server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

A sample client config file is in /usr/share/doc/openvpn-2.0/
Example client config:

dev tun
proto udp
remote 1194
resolv-retry infinite
ca ca.crt
cert client1.crt
key client1.key
verb 3

Save the client config file with the .ovpn extension.
Disable SELinux in /etc/selinux/config by changing




Now enable IP forwarding. Open /etc/sysctl.conf and change

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Apply the change with:

sysctl -p
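The three checks that matter before starting the service (the tun device, the paths and DNS pushes in server.conf, and the live IP-forwarding value) are easy to script. The script below is an added example, not code from the vpsget wiki; it assumes only POSIX sh with awk, ls, cut and grep, and takes the config path as an argument so it can be run against any server.conf.

```shell
#!/bin/sh
# Pre-flight checks for the setup described above. Added example, not code from the
# vpsget wiki; assumes only POSIX sh with awk, ls, cut and grep. Every function returns a
# status so it can be used from a script or an "if".

# tun_active DEVICE
# Reading /dev/net/tun never succeeds, but the error text distinguishes the two cases the
# article cares about: "File descriptor in bad state" means the node exists and the tun
# driver answered; anything else (typically "No such file or directory" in a container
# whose host has not enabled tun) means OpenVPN will fail to open the device.
tun_active() {
    msg=$(cat "$1" 2>&1)
    case "$msg" in
        *"File descriptor in bad state"*) return 0 ;;
        *) return 1 ;;
    esac
}

# ip_forward_enabled [SYSCTL_FILE]
# "sysctl -p" only re-reads /etc/sysctl.conf; check the live kernel value as well.
# The optional argument exists so the check can be exercised against a constructed file.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# conf_value FILE DIRECTIVE: first argument of a one-argument directive (ca, cert, key, dh).
# Quoted paths containing spaces are not handled, which matches the article's sample config.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_server_conf FILE
# Reports every problem that would stop "service openvpn start" from producing a working
# server and returns the number found (0 means clean):
#   - ca/cert/key/dh missing from the config or pointing at an unreadable file
#   - the private key readable by group or other
#   - push "dhcp-option DNS" with no address (the article's sample has two such lines;
#     the option is accepted but pushes no resolver to clients)
# A 1024-bit dh file is reported as a warning only; regenerate it with KEY_SIZE=2048 in vars.
check_server_conf() {
    conf=$1
    problems=0
    for directive in ca cert key dh; do
        path=$(conf_value "$conf" "$directive")
        if [ -z "$path" ]; then
            echo "missing directive: $directive"
            problems=$((problems + 1))
        elif [ ! -r "$path" ]; then
            echo "$directive points at an unreadable file: $path"
            problems=$((problems + 1))
        elif [ "$directive" = key ] && ls -ld "$path" | cut -c5-10 | grep -q '[rwx]'; then
            echo "private key $path is readable by group/other; chmod 600 it"
            problems=$((problems + 1))
        fi
    done
    case "$(conf_value "$conf" dh)" in
        *1024*) echo "warning: $(conf_value "$conf" dh) is 1024-bit DH; use at least 2048 bits" ;;
    esac
    empty_dns=$(awk '/dhcp-option DNS"/ { n++ } END { print n + 0 }' "$conf")
    if [ "$empty_dns" -gt 0 ]; then
        echo "$empty_dns push \"dhcp-option DNS\" line(s) without an address"
        problems=$((problems + 1))
    fi
    return $problems
}

# Typical use on the server once server.conf is in place:
#   tun_active /dev/net/tun || echo "tun device missing"
#   ip_forward_enabled || echo "IP forwarding is off"
#   check_server_conf /etc/openvpn/server.conf
```

Run it before `service openvpn start`; a non-zero return from check_server_conf lists exactly what to fix, and the DNS check in particular catches the two empty push lines in the sample config above, which OpenVPN accepts silently.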

Start OpenVPN:

service openvpn start

If OpenVZ is not used, add the line below to the firewall:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

If OpenVZ is used, add these rules to the firewall:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source
iptables -t nat -A POSTROUTING -s -j SNAT --to-source

Change the address to the correct server IP.
If you have CSF on the same server, you need to open your OpenVPN port (usually 1194) through the firewall and run the commands below for CSF; it is also a good idea to add them to /etc/csf/

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source

If the rules above cause problems or do not seem to work (especially on cPanel servers), remove them and use these instead:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Change the address to the correct server IP. Save the changes:

iptables-save >/etc/sysconfig/iptables
service iptables restart

Make OpenVPN start at boot:

chkconfig openvpn on

Download the client files referenced in the client config (ca.crt, client1.crt, client1.key) from /etc/openvpn/easy-rsa/2.0/keys/
and upload them to the OpenVPN directory on the client machine.
The OpenVPN client is available on the official site.

How to configure OpenVPN client on Windows

How to configure OpenVPN client on Android