How to Build OpenVPN Server on CentOS 6.x
How to Install, Setup, Config OpenVPN on CentOS 6.4 – In this page I write full tutorial to guide you installing OpenVPN on CentOS 6.x server. I will try all the steps to be as clear as possible. Do not hesitate to ask if you have any question. Previously: How to install PPTP on CentOS 6.x (the easiest way).
What you need?
- A VPS or Dedicated server running CentOS 6.x
- Proper knowledge to use Putty, SSH and common Unix command
- Only for VPS based-on OpenVZ virtualization (other skip this): please enable TUN/TAP options in your VPS control panel (e.g: SolusVM).
How to Install OpenVPN to Build CentOS VPN server
Prerequisite
Step 0 – Login to your server via SSH. You better login as root.Step 1 – Now issue this first command syntax:
1
| yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y |
Step 2 – Now download LZO RPM and Configure RPMForge Repo. Use wget command:
1
| wget http: //openvpn .net /release/lzo-1 .08-4.rf.src.rpm |
Step 3 – Now add correct repo for your server:
CentOS 6 32-bit (x86):
1
| wget http: //pkgs .repoforge.org /rpmforge-release/rpmforge-release-0 .5.2-1.el6.rf.i686.rpm |
1
| wget http: //pkgs .repoforge.org /rpmforge-release/rpmforge-release-0 .5.2-2.el6.rf.x86_64.rpm |
How to know which one is your server? Issue this command:
1
| uname -a |
Step 4 – Then build the rpm package using this command:
1
2
3
| rpmbuild --rebuild lzo-1.08-4.rf.src.rpm rpm -Uvh lzo-*.rpm rpm -Uvh rpmforge-release* |
Installing OpenVPN
Step 5 – Issue the special yum command:
1
| yum install openvpn -y |
Step 6 – Copy the easy-rsa folder to /etc/openvpn/, use this command:
1
| cp -R /usr/share/doc/openvpn-2 .2.2 /easy-rsa/ /etc/openvpn/ |
1
| nano /etc/openvpn/easy-rsa/2 .0 /vars |
1
| export KEY_CONFIG= '$EASY_RSA/whichopensslcnf $EASY_RSA' |
1
| export KEY_CONFIG= /etc/openvpn/easy-rsa/2 .0 /openssl-1 .0.0.cnf |
once done hit Control+O to save then Control+X to exit.
Step 8 – Create the certificate using these commands:
1
2
3
4
5
| cd /etc/openvpn/easy-rsa/2 .0 chmod 755 * source . /vars . /vars . /clean-all |
Step 9 – It’s time to build necessary CA file:
1
| . /build-ca |
Hint
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Step 10 – Time to build Key Server:
1
| . /build-key-server server |
Hint:
Almost the same with ./build.ca but check the changes and additional
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
You can simply leave them blank. The only 2 required are sign the certificate (choose “y”) and 1 out of 1 certificate requests (choose “y”)
Step 11 – Now issue command below to build Diffie Hellman:
1
| . /build-dh |
Step 12 – Create OpenVPN config file:
1
| nano /etc/openvpn/server .conf |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| port 1194 #- port proto udp #- protocol dev tun tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 reneg-sec 0 ca /etc/openvpn/easy-rsa/2 .0 /keys/ca .crt cert /etc/openvpn/easy-rsa/2 .0 /keys/server .crt key /etc/openvpn/easy-rsa/2 .0 /keys/server .key dh /etc/openvpn/easy-rsa/2 .0 /keys/dh1024 .pem plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam .so /etc/pam .d /login #- Comment this line if you are using FreeRADIUS #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS client-cert-not-required username-as-common-name server 10.8.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 5 30 comp-lzo persist-key persist-tun status 1194.log verb 3 |
Step 14 – Lets start OpenVPN service on your server for the very first time:
1
| service openvpn start |
Step 15 – You’ll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and edit “net.ipv4.ip_forward” line to 1:
1
| nano /etc/sysctl .conf |
1
| net.ipv4.ip_forward = 1 |
Hit Control+O to save then Control+X to exit nano.
Step 16 – Issue this command to load the change:
1
| sysctl -p |
1
| useradd username -s /bin/false |
Then also create its password:
1
| passwd username |
Step 18 – Now route some iptables.
Xen and KVM users use:
1
| iptables -t nat -A POSTROUTING -s 10.8.0.0 /24 -o eth0 -j MASQUERADE |
1
| iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to- source 123.123.123.123 |
1
| iptables -t nat -A POSTROUTING -s 10.8.0.0 /24 -j SNAT --to- source 123.123.123.123 |
Step 19 – Note: if you have CSF on the same server you need to open your OpenVPN port (Usually 1194) through the firewall and run the below commands for CSF:
1
2
3
4
5
| iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0 /24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0 /24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -j SNAT --to- source 123.123.123.123 |
1
| service iptables save |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| client dev tun proto udp remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ca ca.crt auth-user-pass comp-lzo reneg-sec 0 verb 3 |
Step 22 – That’s it. Now you can copy ca.crt file from /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server’s document root (public_html).
1
| cp /etc/openvpn/easy-rsa/2 .0 /keys/ca .crt /path/to/public/directory |
1
| cp /etc/openvpn/easy-rsa/2 .0 /keys/ca .crt /var/www/servermom .com /public_html |
That’s it. Now you can login to your VPN using username and password you’ve created. ENJOY..