How to Install, Set Up and Configure OpenVPN on CentOS 6.4 – This page is a full tutorial for installing OpenVPN on a CentOS 6.x server. I have tried to make every step as clear as possible; do not hesitate to ask if you have any questions.
WHAT YOU NEED
[list=30]
[*]A VPS or dedicated server running CentOS 6.x
[*]Working knowledge of PuTTY, SSH and common Unix commands
[*]OpenVZ-based VPS only (others skip this): enable the TUN/TAP option in your VPS control panel (e.g. SolusVM) before you start, or the tun device will not exist inside the container.
[/list]
HOW TO INSTALL OPENVPN TO BUILD CENTOS VPN SERVER
PREREQUISITE
Step 0 – Log in to your server via SSH. Log in as root; every step below installs packages or writes under /etc.
Step 1 – Install the build tools and development headers you will need:
Code:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Step 2 – Download the LZO source RPM (lzo-1.08-4.rf.src.rpm, built in step 4) with wget, then set up the RPMForge repository in step 3:
Code:
wget <URL of lzo-1.08-4.rf.src.rpm; the link is not preserved in this copy>
Step 3 – Download the RPMForge release package that matches your server's architecture:
CentOS 6 32-bit (x86):
Code:
wget <URL of the 32-bit rpmforge-release package; the link is not preserved in this copy>
CentOS 6 64-bit (x86_64):
Code:
wget <URL of the 64-bit rpmforge-release package; the link is not preserved in this copy>
Not sure which one you have? Run:
Code:
uname -a
If the output contains "x86_64" your server is 64-bit; if it shows "i686" or "i386" it is 32-bit.
Step 4 – Build and install the LZO package, then install the RPMForge release package, one command at a time:
Code:
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh ~/rpmbuild/RPMS/*/lzo-*.rpm
rpm -Uvh rpmforge-release*
rpmbuild prints the paths of the binary packages it wrote at the end of its output (on CentOS 6 they go under ~/rpmbuild/RPMS/<arch>/). Install those; installing the .src.rpm you downloaded only unpacks the sources and does not give you the library.
INSTALLING OPENVPN
Step 5 – Install OpenVPN from the RPMForge repository you just added:
Code:
yum install openvpn -y
Step 6 – Copy the easy-rsa folder that ships with the package to /etc/openvpn/. The version number in the documentation path changes with the package (with the 2.2.2 package it is /usr/share/doc/openvpn-2.2.2/easy-rsa/), so a glob is used here:
Code:
cp -R /usr/share/doc/openvpn-*/easy-rsa/ /etc/openvpn/
Step 7 – Now edit the easy-rsa variables file:
Code:
nano /etc/openvpn/easy-rsa/2.0/vars
Find this line:
Code:
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'
and replace it with:
Code:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
The whichopensslcnf helper tries to pick an openssl.cnf for the installed OpenSSL version and on CentOS 6 it does not always recognize it; when that happens, sourcing vars warns that no openssl.cnf file could be found and build-ca fails. Pointing KEY_CONFIG straight at the 1.0.0 file avoids that.
While the file is open, consider raising KEY_SIZE from its default (1024 in this easy-rsa version, which is why step 13 uses dh1024.pem) to 2048: 1024-bit RSA keys and Diffie-Hellman parameters are no longer considered adequate. If you do, the file built in step 11 is named dh2048.pem and the dh line in step 13 must use that name.
Once done, hit Control+O to save, then Control+X to exit.
Step 8 – Load the variables and start with a clean keys directory:
Code:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all
Run them one at a time. vars has to be sourced (source ./vars), not executed, so that the KEY_* settings end up in your current shell. clean-all wipes the keys directory, so run it only now, before anything has been built.
Step 9 – Build the CA certificate and key:
Code:
./build-ca
Hint: every field except the Common Name can be filled in or skipped with Enter.
Country Name: may be filled or press Enter
State or Province Name: may be filled or press Enter
City: may be filled or press Enter
Org Name: may be filled or press Enter
Org Unit Name: may be filled or press Enter
Common Name: your server hostname
Email Address: may be filled or press Enter
Step 10 – Build the server certificate and key:
Code:
./build-key-server server
Hint: the prompts are almost the same as for ./build-ca, with these differences and additions:
Common Name: server
A challenge password: leave blank
Optional company name: fill in or press Enter
Sign the certificate?: y
1 out of 1 certificate requests certified, commit?: y
You can leave everything else blank. The only two answers that matter are "y" to signing the certificate and "y" to committing the 1 out of 1 certificate request.
Step 11 – Build the Diffie-Hellman parameters (this can take a few minutes):
Code:
./build-dh
The file is written to the keys directory as dh<KEY_SIZE>.pem, i.e. dh1024.pem with the default KEY_SIZE.
Step 12 – Create the OpenVPN server config file:
Code:
nano /etc/openvpn/server.conf
Step 13 – Put the following in that file:
Code:
port 1194 # port
proto udp # protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login # Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf # Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
Save it once done (Control+O, then Control+X).
A few things to understand about this config before the server is reachable from the Internet. client-cert-not-required together with the PAM plugin means clients are authenticated by username and password only, checked against /etc/pam.d/login, so every local account that PAM stack accepts can log in to the VPN; username-as-common-name makes the login name the client's identity in the status log. reneg-sec 0 turns off the periodic renegotiation of the data-channel keys, so one session key is used for the whole life of a tunnel. There is no user/group line, so the daemon keeps running as root. status 1194.log is a relative path, so where the file lands depends on the directory the daemon is started from; an absolute path is clearer. If you raised KEY_SIZE to 2048 in step 7, point the dh line at dh2048.pem.
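To see at a glance which of the settings above a reviewer would flag, here is a small POSIX shell lint written for this page (an added example, not part of the original tutorial and not OpenVPN's own tooling). It writes two constructed sample files to a temporary directory, the config from step 13 and a hardened variant, and reports the findings for each. The warning texts, the /var/log/openvpn-status.log path and the ta.key file name are this example's own choices. In the hardened variant the tls-auth key is generated with `openvpn --genkey --secret ta.key`, and because client-cert-not-required is gone every client needs its own certificate from easy-rsa (`./build-key <name>`) plus the matching `tls-auth ta.key 1` line in its profile.

```shell
#!/bin/sh
# Added example: lint an OpenVPN 2.x server.conf for settings worth a second look.
# Everything here is constructed for this page; it does not touch /etc/openvpn.

# True when the config has a line whose first word is the option given in $2.
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Prints one line per finding, then "findings: N". Always exits 0.
lint_openvpn_conf() {
    conf=$1
    n=0
    if has_opt "$conf" client-cert-not-required; then
        echo "WARN client-cert-not-required: password-only auth; any account /etc/pam.d/login accepts can connect"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*reneg-sec[[:space:]]+0([[:space:]]|$)' "$conf"; then
        echo "WARN reneg-sec 0: data-channel keys are never renegotiated for the life of the tunnel"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*dh[[:space:]].*dh1024\.pem' "$conf"; then
        echo "WARN dh1024.pem: 1024-bit DH parameters; rebuild easy-rsa with KEY_SIZE=2048"
        n=$((n + 1))
    fi
    if ! has_opt "$conf" user || ! has_opt "$conf" group; then
        echo "WARN no user/group: the daemon stays root after the tunnel is up"
        n=$((n + 1))
    fi
    if ! has_opt "$conf" tls-auth; then
        echo "WARN no tls-auth: any host on the Internet can start a TLS handshake with the server"
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*status[[:space:]]+[^/[:space:]]' "$conf"; then
        echo "WARN status file is a relative path; use an absolute one"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# Just the number, for scripting.
lint_count() {
    lint_openvpn_conf "$1" | sed -n 's/^findings: //p'
}

# Constructed samples: the tutorial's config and a hardened variant.
SAMPLE_DIR=$(mktemp -d)
TUTORIAL_CONF=$SAMPLE_DIR/server-tutorial.conf
HARDENED_CONF=$SAMPLE_DIR/server-hardened.conf

cat > "$TUTORIAL_CONF" <<'EOF'
port 1194
proto udp
dev tun
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
EOF

cat > "$HARDENED_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 5 30
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF

for f in "$TUTORIAL_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    lint_openvpn_conf "$f"
done
```

Run against the step 13 config the lint reports six findings; against the hardened variant none. Keeping password authentication alongside the client certificate gives you two factors (something the client has, something the user knows) at the cost of one extra file per client.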
Step 14 – Start the OpenVPN service for the first time:
Code:
service openvpn start
If it fails to start, the reason is logged through syslog in /var/log/messages (the config above logs at verb 3).
Step 15 – You also need to enable IP forwarding in /etc/sysctl.conf, otherwise the server will not pass client traffic on to the Internet. Open the file and set the "net.ipv4.ip_forward" line to 1:
Code:
nano /etc/sysctl.conf
replace 0 with 1 in this line:
Code:
net.ipv4.ip_forward = 1
Hit Control+O to save, then Control+X to exit nano.
Step 16 – Issue this command to load the change:
Code:
sysctl -p
Step 17 – Create a Linux user; with the PAM plugin from step 13, this account and its password are also the VPN login:
Code:
useradd username -s /bin/false
Replace username with the name you want. -s /bin/false gives the account no shell, so it cannot be used to log in over SSH, but it is still an ordinary system account: its password is the only thing protecting the VPN login, so choose a strong one, and other services on the box that authenticate local accounts through PAM (FTP, mail) may accept it as well.
Then set its password:
Code:
passwd username
Step 18 – Now add the NAT rules so traffic from the VPN subnet leaves through the server's public address.
Xen and KVM users (replace eth0 if your public interface has a different name):
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
OpenVZ containers use the venet0 interface and SNAT to the container's public IP instead; run these two:
Code:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
and
Code:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
Do not forget to replace 123.123.123.123 with your server's public IP.
Step 19 – If CSF runs on the same server, allow your OpenVPN port (UDP 1194 in this config) in CSF and run the commands below. The three FORWARD rules are worth adding on a server without CSF too if the stock CentOS 6 iptables rule set is active: that rule set only lets SSH in and ends the FORWARD chain with a REJECT, so UDP 1194 has to be opened in the INPUT chain as well, and the VPN's forwarding rules must sit before that REJECT (rules appended with -A after it are never reached; list the FORWARD chain first and insert above the REJECT if that is your case).
Code:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
Again, replace 123.123.123.123 with your server's public IP.
Step 20 – Save the iptables rules so they are restored at boot:
Code:
service iptables save
Step 21 – Finally, create the client config file, e.g. server.ovpn (any name works as long as the extension is .ovpn). The easiest way is to create it on your local computer with Notepad or any other plain text editor. Enter the following:
Code:
client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Save it with the .ovpn extension in the config directory of your OpenVPN client installation.
Step 22 – The client also needs ca.crt from /etc/openvpn/easy-rsa/2.0/keys/. One way to get it to the client is to copy it into your web server's document root (public_html) and download it with a browser:
Code:
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory
example:
Code:
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/pinoyhideout.com/public_html
You can then download it at domain.com/ca.crt and save it in the same folder as the .ovpn file you created earlier.
Keep in mind that this file is the only thing the client uses to decide whether it is talking to your server. A CA certificate is not secret, but if it is fetched over plain HTTP anyone between you and the server can hand you a different one and then impersonate the VPN to collect your username and password on the next connect. Copying ca.crt over the same SSH session you used for the setup (scp or sftp) avoids that; if you do use public_html, remove the file once you have it.
That's it. You can now log in to your VPN with the username and password you created. ENJOY..
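The client side can be made self-contained and safer than a separate ca.crt downloaded from a web directory. The function below, an added example that is not part of the tutorial, renders a single .ovpn with the CA certificate inlined between `<ca>` tags (OpenVPN reads inline files, so only one file has to be copied to the client) and adds `remote-cert-tls server`, which makes the client refuse any peer whose certificate does not carry the serverAuth extended key usage that easy-rsa's build-key-server puts in server certificates; a client certificate issued by the same CA is then rejected as a server. The MTU tuning lines from step 21 can be added back unchanged. The server address 203.0.113.10 and the CA text are constructed placeholders; for a real server, run it with the ca.crt copied over scp from /etc/openvpn/easy-rsa/2.0/keys/ and copy the resulting file to the client the same way.

```shell
#!/bin/sh
# Added example: render a self-contained OpenVPN client profile.
# Not part of the tutorial; all names and the sample CA below are constructed.

# build_client_profile HOST PORT CA_FILE  -> prints the .ovpn text on stdout
build_client_profile() {
    host=$1
    port=$2
    ca_file=$3
    # Refuse to embed something that is not a PEM certificate.
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$ca_file"; then
        echo "build_client_profile: $ca_file is not a PEM certificate" >&2
        return 1
    fi
    cat <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
comp-lzo
# Only accept a server whose certificate carries the serverAuth EKU
# that easy-rsa's build-key-server sets; a client certificate from
# the same CA is rejected as a server.
remote-cert-tls server
verb 3
<ca>
EOF
    cat "$ca_file"
    echo "</ca>"
}

# Number of lines in the embedded <ca> block (tags included), for checking output.
embedded_ca_lines() {
    build_client_profile "$1" "$2" "$3" | sed -n '/^<ca>$/,/^<\/ca>$/p' | wc -l | tr -d ' '
}

# Constructed stand-in for /etc/openvpn/easy-rsa/2.0/keys/ca.crt.
# It is not a real certificate, only the PEM framing the function checks for.
SAMPLE_CA=$(mktemp)
cat > "$SAMPLE_CA" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleSAMPLEsampleSAMPLEsampleSAMPLEsampleSAMPLEsampleSAMPLE
-----END CERTIFICATE-----
EOF

build_client_profile 203.0.113.10 1194 "$SAMPLE_CA"
```

If the server uses tls-auth, the profile additionally needs `tls-auth ta.key 1` (with ta.key shipped the same way as ca.crt); if you removed client-cert-not-required on the server, the client's own cert and key go in as well.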