CentOS OpenVPN install how-to

Required kernel module: ppp
If you are running a VPS with OpenVZ you will have to ask your provider to enable PPP support, since OpenVZ uses a shared kernel, preventing you from doing it yourself.

Check if tun/tap is working
#cat /dev/net/tun
If this returns “File descriptor in bad state” it is correctly installed.

Install dependencies with YUM
#yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel

Download the OpenVPN .rpm file
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Next, 32bit users get this one
#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

For 64bit users, this file instead
#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

Build the rpm packages
*You have to change i386 to x86_64 if you are using 64bit instead of 32bit
———————————–
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
#rpm -Uvh rpmforge-release-0.5.2-2.el5.rf.i386.rpm
———————————–

Install OpenVPN with YUM
#yum install openvpn

Copy the OpenVPN easy-rsa folder to /etc/openvpn/ so we can start making keys and configuring
———————————–
#cp -R /usr/share/doc/openvpn-2.2.0/easy-rsa/ /etc/openvpn/
———————————–
*Your version may differ from 2.2.0. To find out;
———————————–
#cd /usr/share/doc/
#ls
———————————–
*This should show the openvpn folder, which has your version number in it.

Create certificates
#cd /etc/openvpn/easy-rsa/2.0
#chmod 755 *
#source ./vars
#./vars
#./clean-all

Build CA
#./build-ca
———————————–
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
———————————–

Build key server
#./build-key-server server

*Same as before but also:
———————————–
Common Name: your server hostname
A challenge password: optional
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
———————————–

Build Diffie-Hellman parameters (wait until the process finishes)
#./build-dh

Now we are going to create a configuration file (.conf) for running OpenVPN over the commonly used port, UDP 1194. I personally use VIM.
#vim /etc/openvpn/1194.conf

Here’s how the config should look:
*Where 123.123.123.123 is your server IP
*1194 is the port
*udp is the protocol
*client-cert-not-required and username-as-common-name mean clients are authenticated by the PAM plugin with a username and password only; no client certificate is issued or checked
———————————–
local 123.123.123.123
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
———————————–

Start OpenVPN server using our newly made config like this:
#openvpn /etc/openvpn/1194.conf &

If OpenVPN installed correctly:
———————————–
UDPv4 link remote: [undef]
MULTI: multi_init called
IFCONFIG POOL: base=1.2.3.4 size=62
Initialization Sequence Completed
———————————–
To continue using your server, make OpenVPN run in the background with the following command:
#bg

Also, enable IPv4 forwarding, or the computer you connect with will have no Internet access.
#echo 1 > /proc/sys/net/ipv4/ip_forward

Add an iptables NAT rule, or your client won’t get the external IP
*1.2.3.0/24 is the address pool allocated to OpenVPN clients (the server line in our earlier .conf file)
*123.123.123.123 is your server IP
#iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123

Create a username and password to log in with
#useradd johndoe -s /bin/false
#passwd johndoe

Download the ca.crt file we made earlier. It’s in the /etc/openvpn/easy-rsa/2.0/keys/ directory; you can use an FTP client, or maybe you have webmin installed, whatever works for you.

Connecting to VPN with windows

Download the latest stable version of the OpenVPN client for Windows from openvpn.net.

After installing OpenVPN, move ca.crt (the file you previously downloaded from /etc/openvpn/easy-rsa/2.0/keys/) to the OpenVPN config folder in your program files (C:\Program Files (x86)\OpenVPN\config\) or whatever folder you installed OpenVPN in.

Also create a configuration file in OpenVPN config directory matching the server config we made earlier:
———————————–
client
dev tun
proto udp #- The protocol you chose earlier (UDP or TCP)
remote 123.123.123.123 1194 #- Server IP followed by the port we chose to run the server on
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3
———————————–

Save as myserver.ovpn

Start OpenVPN, connect with your username and password.

And that’s it ;D Verify through http://www.whatismyip.org or something similar.

*Add another port by creating a new config file on the server and adjusting the following lines:
———————————–
port: your preferred port
protocol: tcp or udp
client's ip: 1.2.4.0 or 1.2.5.0 etc.
———————————–

Don’t forget your client will need a matching config file as well:
———————————–
proto xxxx #- change xxxx to tcp or udp
remote 123.123.123.123 portnumhere
———————————–
And also don’t forget to run the iptables command afterwards, with the new client subnet:
#iptables -t nat -A POSTROUTING -s 1.2.4.0/24 -j SNAT --to 123.123.123.123
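Every extra port means three things that must agree: the server .conf, the client’s proto/remote lines, and the SNAT rule for that pool. The script below is an added example (not part of the original how-to) that derives the last two from the first; the sample config it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example: read a server .conf written in the style of this how-to and
# print the matching client lines and iptables SNAT rule, so a second instance
# (new port, tcp/udp, 1.2.4.0 pool ...) cannot drift out of sync.
# Assumes single-token directives (local, port, proto, server) as used above.

# conf_value FILE DIRECTIVE -> first argument of DIRECTIVE, comments stripped
conf_value() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# server_subnet FILE -> client pool from the "server" line in CIDR form
# (the how-to always uses a 255.255.255.0 pool, so only /24 is handled)
server_subnet() {
    net=$(conf_value "$1" server)
    mask=$(sed -e 's/[#;].*$//' "$1" | awk '$1 == "server" { print $3; exit }')
    [ "$mask" = "255.255.255.0" ] || { echo "unsupported mask: $mask" >&2; return 1; }
    echo "$net/24"
}

# client_lines FILE -> the two client .ovpn lines that must match the server
client_lines() {
    proto=$(conf_value "$1" proto)
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    printf 'proto %s\nremote %s %s\n' "$proto" "$(conf_value "$1" local)" "$(conf_value "$1" port)"
}

# snat_rule FILE -> NAT rule for this instance's client pool (--to, not an en-dash)
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to %s\n' \
        "$(server_subnet "$1")" "$(conf_value "$1" local)"
}

# Constructed sample: a second instance as described in the "add another port" note.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
local 123.123.123.123
port 1195             # second instance on a different port
proto tcp
dev tun
server 1.2.4.0 255.255.255.0
EOF

client_lines "$SAMPLE_CONF"
snat_rule "$SAMPLE_CONF"
```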
