Install OpenVPN on CentOS 5 / CentOS 6 VPS or dedicated server

The first step is to check whether tun/tap is active:

cat /dev/net/tun

If tun is active then you should see this:

cat: /dev/net/tun: File descriptor in bad state

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download LZO RPM and Configure RPMForge Repo:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

32bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

64bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Build the rpm packages:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Please note: on CentOS 6 you need to make a small change before you run the commands below. Open /etc/openvpn/easy-rsa/2.0/vars and edit the following line:

Change:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

To:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Then save the file.

Now let’s create the certificate:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Build CA:

./build-ca
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter

Build key server:

./build-key-server server
The prompts are almost the same as for ./build-ca, with these changes and additions:
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y

Build Diffie-Hellman parameters (wait a moment until the process finishes):

./build-dh

Now create your config file:

touch /etc/openvpn/server.conf

And enter the following:

local 123.123.123.123 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save it and start OpenVPN:

service openvpn start

Now we need to enable IP forwarding. So open the file /etc/sysctl.conf and set ‘net.ipv4.ip_forward’ to 1.

net.ipv4.ip_forward = 1

To make the changes to sysctl.conf take effect, use the following command.

sysctl -p

Route Iptables:

The rule below works fine on Xen- and KVM-based VPSs, but for OpenVZ use the OpenVZ iptables rules instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

OpenVZ iptables rules:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

And

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Make sure you change 123.123.123.123 to your server IP.

If you have CSF on the same server, you need to open your OpenVPN port (usually 1194) through the firewall and run the commands below for CSF:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Then run…

service iptables save

Again – make sure you change 123.123.123.123 to your server IP.

Now create a client config file named server.ovpn and enter the following:

client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3

Make sure you change 123.123.123.123 to your server IP.

And make sure OpenVPN starts at boot:

chkconfig openvpn on

Download the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in the same directory as your server.ovpn.

Now download a VPN client, import your config file, and enter your username and password (with the server.conf above, these are checked by the PAM plugin against /etc/pam.d/login).
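
Before putting the server.conf above into service, it is worth checking it against a few hardening points: password-only client authentication, the 1024-bit DH file, the missing cipher and tls-auth lines, and the daemon running as root. The script below is an added example, not part of the original article; the function names and the sample file (a constructed excerpt of the config above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server.conf for hardening gaps.

# Strip comments, then print the lines whose first word is directive $2.
conf_lines() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d'
}

# Print one finding per line; return 1 if anything was flagged, else 0.
audit_openvpn_conf() {
    conf=$1
    found=0
    flag() { echo "$1"; found=1; }
    # With this directive the PAM password is the only client credential.
    [ -z "$(conf_lines "$conf" client-cert-not-required)" ] ||
        flag "AUTH: client-cert-not-required: clients present no certificate"
    # easy-rsa 2.0 names the DH file after its bit length (dh1024.pem).
    bits=$(conf_lines "$conf" dh | sed -n 's/.*dh\([0-9][0-9]*\)\.pem.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        flag "DH: ${bits}-bit parameters, below the usual 2048-bit minimum"
    fi
    [ -n "$(conf_lines "$conf" cipher)" ] ||
        flag "CIPHER: no cipher line: OpenVPN 2.2 uses its default, BF-CBC"
    [ -n "$(conf_lines "$conf" tls-auth)" ] ||
        flag "TLS-AUTH: no tls-auth key protects the control channel"
    [ -n "$(conf_lines "$conf" user)" ] ||
        flag "PRIVS: no user directive: the daemon keeps root after startup"
    return "$found"
}

# Constructed sample: security-relevant lines of the server.conf above.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194 #- port
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_openvpn_conf "$sample" || true
rm -f "$sample"
```

On the server, call audit_openvpn_conf /etc/openvpn/server.conf; a non-zero exit status means at least one finding was printed.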
