In this tutorial I will guide you through installing OpenVPN on a CentOS server.
PREREQUISITES:
- A VPS or dedicated server with CentOS 6.x
- Working knowledge of PuTTY, SSH and common Linux commands
- For a VPS based on OpenVZ virtualization (others skip this): enable the TUN/TAP option in your VPS control panel (e.g. SolusVM)
How to install OpenVPN to build CentOS VPN Server:
Step 1- Log in to your server via SSH
Step 2- Now run the command below:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Step 3- Now download the LZO source RPM and configure the RPMForge repo. First fetch the LZO source RPM with wget:
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Step 4- Now add the correct RPMForge repo package for your server:
CentOS 6 32-bit (x86):
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
CentOS 6 64-bit (x86_64):
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
To find out which one your server is, run this command:
uname -a
If the output line ends with "x86_64 GNU/Linux", your server is 64-bit. If it ends with "i686 i386 GNU/Linux" or "x86 GNU/Linux", your machine is 32-bit.
Step 5- Now build and install the RPM packages using these commands:
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
(rpmbuild writes the rebuilt packages to its RPMS directory, ~/rpmbuild/RPMS/<arch>/ by default on CentOS 6, so point rpm at that path if lzo-*.rpm is not in the current directory.)
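Steps 2 to 5 as one script, added here as an example (it is not part of the original tutorial): the RPMForge package is chosen from the architecture that uname -m reports, and the rebuilt LZO package is taken from the directory rpm itself reports as its RPMS tree. The package URLs are the ones the tutorial lists; the rpm --eval lookup assumes the standard rpm-build layout.

```shell
#!/bin/sh
# Added example, not from the original tutorial: pick the RPMForge release
# package matching the machine architecture, then run the tutorial's
# build/install steps (2-5). Package URLs are the ones the tutorial lists.
set -eu

RPMFORGE_BASE="http://pkgs.repoforge.org/rpmforge-release"
LZO_SRC_URL="http://openvpn.net/release/lzo-1.08-4.rf.src.rpm"

# rpmforge_pkg_for_arch ARCH: print the package file name for ARCH
# (as reported by `uname -m`); exit status 1 for an unsupported architecture.
rpmforge_pkg_for_arch() {
    case "$1" in
        x86_64)          echo "rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm" ;;
        i386|i586|i686)  echo "rpmforge-release-0.5.2-1.el6.rf.i686.rpm" ;;
        *)               echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# install_openvpn_prereqs: steps 2-5 of the tutorial as one function.
# Needs root and network access, so it is not exercised by the tests.
install_openvpn_prereqs() {
    pkg=$(rpmforge_pkg_for_arch "$(uname -m)")
    yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
    workdir=$(mktemp -d)
    cd "$workdir"
    wget "$LZO_SRC_URL"
    wget "$RPMFORGE_BASE/$pkg"
    rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
    # rpmbuild puts the rebuilt packages under its RPMS tree, not the current
    # directory; rpm reports that tree via the _rpmdir macro (assumed layout).
    rpm -Uvh "$(rpm --eval '%{_rpmdir}')"/*/lzo-*.rpm
    rpm -Uvh "$pkg"
}

# Run with --install as root to perform the steps; without it only the
# architecture lookup is shown.
if [ "${1:-}" = "--install" ]; then
    install_openvpn_prereqs
else
    echo "would use $(rpmforge_pkg_for_arch "$(uname -m)")"
fi
```

On a CentOS 6 box `sh install-prereqs.sh` only prints the package it would fetch; `sh install-prereqs.sh --install` as root runs the whole sequence.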
Install OpenVPN
Step 6- Issue this yum command:
yum install openvpn -y
Step 7- Copy the easy-rsa folder to /etc/openvpn/ (the path contains the installed OpenVPN version, so adjust it if yours differs):
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Step 8- Now edit the vars file:
nano /etc/openvpn/easy-rsa/2.0/vars
Edit this line:
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'
Replace it with:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Once done, save the file and exit the editor.
Step 9- Load the variables and clean the keys directory with these commands:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Step 10- Build the CA certificate and key:
./build-ca
Step 11- Now build the server key and certificate:
./build-key-server server
The prompts are almost the same as for ./build-ca, but answer these additional ones as follows:
Common Name: server
A challenge password: leave empty
Optional company name: fill in or press Enter
Sign the certificate? y
1 out of 1 certificate requests certified, commit? y
Step 12- Now issue the command below to build the Diffie-Hellman parameters:
./build-dh
Step 13- Now create the OpenVPN server config file:
nano /etc/openvpn/server.conf
Step 14- Enter these values in the config file:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
Once done, save the file. Note that client-cert-not-required means clients are authenticated only by the PAM username and password you create in step 18; the CA certificate is what clients use to verify the server.
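Reading the finished server.conf back is a quick way to confirm which settings govern client authentication. The script below is an added example and not part of the tutorial: conf_get is a small parser for OpenVPN's one-directive-per-line format (with '#' and ';' comments, including trailing ones), and audit_server_conf reports three things a practitioner would check in this config: client-cert-not-required, the absence of tls-auth/tls-crypt, and the 1024-bit DH file. The directive names are real OpenVPN options; the sample config written by write_sample_conf is constructed from the tutorial's values.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: read an OpenVPN
# server.conf back and report the settings that decide how clients are
# authenticated. The sample config below is constructed from the tutorial.
set -eu

# conf_get FILE KEY: print the value of the first KEY directive (empty when
# the directive takes no argument); exit status 1 if KEY is not present.
# Comments start with '#' or ';' and may trail a directive on the same line.
conf_get() {
    awk -v key="$2" '
        { sub(/[ \t]*[#;].*$/, "") }
        $1 == key { found = 1; $1 = ""; sub(/^[ \t]+/, ""); print; exit }
        END { exit !found }
    ' "$1"
}

# audit_server_conf FILE: print one finding per line; prints nothing when
# none of the checks fire.
audit_server_conf() {
    f="$1"
    if conf_get "$f" client-cert-not-required >/dev/null; then
        echo "client-cert-not-required: clients present no certificate, so the PAM username/password is the only client authentication"
    fi
    if ! conf_get "$f" tls-auth >/dev/null && ! conf_get "$f" tls-crypt >/dev/null; then
        echo "no tls-auth/tls-crypt: any host that can reach the UDP port can start a TLS handshake with the server"
    fi
    dh=$(conf_get "$f" dh || true)
    case "$dh" in
        *dh1024*) echo "dh $dh: 1024-bit DH parameters; set KEY_SIZE=2048 in vars before ./build-dh to get dh2048.pem" ;;
    esac
}

# write_sample_conf PATH: the tutorial's server.conf (abridged), constructed
# here so the script runs without a real server.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
verb 3
EOF
}

# Usage: audit-openvpn.sh [/etc/openvpn/server.conf]; with no argument the
# constructed sample is audited.
if [ "${1:-}" != "" ]; then
    audit_server_conf "$1"
elif [ "${RUN_DEMO:-}" = "1" ]; then
    tmp=$(mktemp); write_sample_conf "$tmp"; audit_server_conf "$tmp"; rm -f "$tmp"
fi
```

Run it as `RUN_DEMO=1 sh audit-openvpn.sh` to see the findings for the sample, or pass the real config path on the server.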
Step 15- Let's start the OpenVPN service on your server:
service openvpn start
Step 16- You'll also need to enable IP forwarding in /etc/sysctl.conf. Open it and set the "net.ipv4.ip_forward" line to 1:
nano /etc/sysctl.conf
Replace 0 with 1 so the line reads:
net.ipv4.ip_forward = 1
Once done, save the file.
Step 17- Issue this command to load the change:
sysctl -p
Step 18- Create a new Linux user, which will also be used to log in to the VPN (the /bin/false shell keeps it from getting an interactive shell on the server):
useradd username -s /bin/false
Replace username with your own user name.
Then set its password:
passwd username
Step 19- Now add the NAT rules with iptables.
Xen and KVM users can use:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
OpenVZ users can use these two instead:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
and
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
Do not forget to replace 123.123.123.123 with your server's IP.
Step 20- Note: if you have CSF on the same server, you need to open your OpenVPN port (usually 1194) within the firewall and run the commands below for CSF:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
Step 21- Now save the iptables rules:
service iptables save
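Steps 16 to 21 as one reviewable unit, added here as an example and not taken from the tutorial. vpn_nat_rules prints the iptables commands for either virtualization type before anything is applied, and apply_vpn_forwarding enables forwarding, runs them and saves them. The FORWARD rules are the tutorial's (only the VPN subnet and replies to it are forwarded; everything else is rejected); the one departure is that the SNAT rule for OpenVZ is restricted to both the VPN subnet and the venet0 interface, combining the two forms the tutorial gives. The interface names and the 10.8.0.0/24 subnet are the tutorial's values.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: forwarding and NAT
# setup (steps 16-21) as a dry-run generator plus an apply step.
set -eu

VPN_NET="10.8.0.0/24"   # the subnet from the tutorial's "server" directive

# vpn_nat_rules MODE IFACE [PUBLIC_IP]: print the iptables commands for MODE
# "masquerade" (Xen/KVM, eth0) or "snat" (OpenVZ, venet0 plus the server IP).
# FORWARD admits only the VPN subnet and replies to it; the rest is rejected.
vpn_nat_rules() {
    mode="$1"; iface="$2"; ip="${3:-}"
    case "$mode" in
        masquerade) nat="-j MASQUERADE" ;;
        snat)
            [ -n "$ip" ] || { echo "snat mode needs the server's public IP" >&2; return 1; }
            nat="-j SNAT --to-source $ip" ;;
        *) echo "unknown mode: $mode (use masquerade or snat)" >&2; return 1 ;;
    esac
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $VPN_NET -j ACCEPT"
    echo "iptables -A FORWARD -j REJECT"
    echo "iptables -t nat -A POSTROUTING -s $VPN_NET -o $iface $nat"
}

# apply_vpn_forwarding MODE IFACE [PUBLIC_IP]: turn on ip_forward, apply the
# rules printed by vpn_nat_rules and persist them. Needs root; not run by tests.
apply_vpn_forwarding() {
    sed -i 's/^net.ipv4.ip_forward *= *0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    sysctl -w net.ipv4.ip_forward=1
    vpn_nat_rules "$@" | while IFS= read -r cmd; do $cmd; done
    service iptables save
}

# Usage: vpn-nat.sh [--apply] MODE IFACE [PUBLIC_IP]
#   sh vpn-nat.sh masquerade eth0              (print rules for Xen/KVM)
#   sh vpn-nat.sh snat venet0 123.123.123.123  (print rules for OpenVZ)
if [ "${1:-}" = "--apply" ]; then
    shift; apply_vpn_forwarding "$@"
elif [ "${1:-}" != "" ]; then
    vpn_nat_rules "$@"
fi
```

Review the printed rules first; rerunning `--apply` appends the same rules a second time, since CentOS 6's iptables has no duplicate check, so run it once on a fresh rule set.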
Step 22- Finally, let's create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other plain text editor). Enter the following in that file:
client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Then save it with the .ovpn extension in the config directory of the OpenVPN client installation on your computer.
Step 23- Now copy the ca.crt file from /etc/openvpn/easy-rsa/2.0/keys/ to your server's document root (public_html).
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory
Example:
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/cpanelplesk.com/public_html
Now download ca.crt in your browser from domain.com/ca.crt and save it in the same folder as the .ovpn file you created earlier.
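An alternative to steps 22 and 23, added here as an example that is not part of the tutorial: generate the client .ovpn on the server with the CA certificate embedded in a <ca> block (supported by OpenVPN 2.1 and later), so ca.crt never has to sit in public_html or be downloaded separately, and the user receives one file. The client is given remote-cert-tls server, which accepts only a certificate built with ./build-key-server as the server; ca_fingerprint lets you compare the CA copy in the file against the one on the server. The server IP and port are parameters; the sample CA text written by write_sample_ca is constructed and not a real certificate.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build the client .ovpn
# with the CA certificate inline. Server IP/port and the CA file are
# parameters; the sample CA in write_sample_ca is constructed text.
set -eu

# make_client_ovpn SERVER_IP PORT CA_FILE: print a client config matching
# the tutorial's server.conf (udp, tun, password auth, comp-lzo), with the
# CA certificate embedded instead of referenced as "ca ca.crt".
make_client_ovpn() {
    server="$1"; port="$2"; ca="$3"
    [ -r "$ca" ] || { echo "cannot read CA file: $ca" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$ca" || { echo "$ca is not a PEM certificate" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
remote-cert-tls server
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
<ca>
EOF
    cat "$ca"
    echo "</ca>"
}

# ca_fingerprint CA_FILE: SHA-256 fingerprint of the certificate, to compare
# the copy on the server with the copy embedded in a client's .ovpn.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# write_sample_ca PATH: a constructed placeholder in PEM layout, only so the
# generator can be run without a real CA.
write_sample_ca() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'MIIBconstructedPlaceholderNotARealCertificate' \
        '-----END CERTIFICATE-----' > "$1"
}

# Usage on the server: sh make-ovpn.sh SERVER_IP 1194 /etc/openvpn/easy-rsa/2.0/keys/ca.crt > client.ovpn
if [ $# -eq 3 ]; then
    make_client_ovpn "$1" "$2" "$3"
fi
```

Hand the generated .ovpn to the user over a channel you trust (for example scp or the VPS panel's file transfer), since whoever can alter the embedded CA can make the client accept a different server.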
That's it. Now you can log in to your VPN with the username and password you created.
That's all there is to it; now you know how easy it is to build an OpenVPN server on CentOS 6.x. You may also like to know how to install Ghost with nginx on CentOS, so please check that out, and leave your opinion below if you run into any issues or want to discuss your ideas and experiences.