How to create OpenVPN server on CentOS 6.X

In this tutorial I will show you how to install and configure an OpenVPN server on CentOS 6.

PREREQUISITES:

  1. A VPS or dedicated server running CentOS 6.x
  2. A working knowledge of PuTTY, SSH and common Linux commands
  3. For VPS based on OpenVZ virtualization (others can skip this): enable the TUN/TAP option in your VPS control panel (e.g. SolusVM).

How to install OpenVPN and build a CentOS VPN server:

Step 1- Login to your server via SSH

Step 2- Install the build dependencies with the command below:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Step 3- Download the LZO source RPM with wget (the RPMForge repository is added in the next step):

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Step 4- Download the RPMForge release package that matches your server's architecture:

CentOS 6 32-bit (x86):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

CentOS 6 64-bit (x86_64):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

If you are not sure which architecture your server runs, use this command:

uname -a

If the end of the output line reads “x86_64 GNU/Linux”, your server is 64-bit. If it reads “i686 i386 GNU/Linux” or “x86 GNU/Linux”, your machine is 32-bit.

Step 5- Build the LZO package from the source RPM and install it together with the RPMForge release package (rpmbuild writes the built packages under ~/rpmbuild/RPMS/):

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh ~/rpmbuild/RPMS/*/lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN

Step 6- Install OpenVPN with yum:

yum install openvpn -y

Step 7- Copy the easy-rsa folder to /etc/openvpn/ (adjust the version number in the path if your installed openvpn package differs):

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Step 8- Now edit the vars file:

nano /etc/openvpn/easy-rsa/2.0/vars

Edit this line:

export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

Replace it with:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Once done, save file and exit the editor.

Step 9- Prepare the easy-rsa environment with these commands (clean-all empties the keys directory):

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Step 10- Now build the CA certificate and key:

./build-ca

Step 11- Now build the server certificate and key:

./build-key-server server

The prompts are almost the same as for ./build-ca; answer the additional ones as follows:

Common Name: server
A challenge password: leave empty
Optional company name: fill in or press Enter
Sign the certificate? y
1 out of 1 certificate requests certified, commit? y

Step 12- Now generate the Diffie-Hellman parameters:

./build-dh

Step 13- Now create the OpenVPN server config file:

nano /etc/openvpn/server.conf

Step 14- Put the following in that config file:

# Listening port and protocol
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
# CA, server certificate, key and DH parameters built in Steps 10-12
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Authenticate users against the system's PAM login stack.
# Comment out this line if you are using FreeRADIUS.
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
# Uncomment this line if you are using FreeRADIUS.
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
# Clients authenticate with username and password only, no client certificate.
client-cert-not-required
username-as-common-name
# VPN subnet; route all client traffic and DNS through the VPN
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Once done, save the file.

Step 15- Let's start the OpenVPN service on your server:

service openvpn start

Step 16- You also need to enable IP forwarding in /etc/sysctl.conf. Open it and set the “net.ipv4.ip_forward” line to 1:

nano /etc/sysctl.conf

Replace 0 with 1 so the line reads:

net.ipv4.ip_forward = 1

Once done save the file.

Step 17- Issue this command to apply the change:

sysctl -p

Step 18- Create a new Linux user, which will also be used to log in to the VPN (the PAM plugin checks the username and password against the system accounts). The -s /bin/false shell stops this account from being used for an interactive SSH login:

useradd username -s /bin/false

Replace username with your own username.

Then also create its password:

passwd username

Step 19- Now add the iptables NAT rules so VPN clients can reach the internet.

Xen and KVM users can use:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

OpenVZ users can use these two instead:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

and

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Do not forget to replace 123.123.123.123 with your server's public IP.

Step 20- Note: if you have CSF on the same server, you need to open your OpenVPN port (usually 1194) within the firewall and run the commands below for CSF:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Step 21- Now save the iptables rules so they survive a reboot:

service iptables save
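Steps 16 to 21 as one re-runnable script, added here as an example and not part of the original tutorial. It prints the NAT rule for the virtualization type and adds it only when iptables -S does not already list it, so running the steps twice does not stack duplicate POSTROUTING rules. The function names and the public IP used in the comments are my own; the OpenVZ rule is scoped to the VPN subnet as well as venet0, which is my tightening of the tutorial's unscoped SNAT, not the tutorial's own rule.

```shell
#!/bin/sh
# Added example, not from the original tutorial: Steps 16-21 as one re-runnable script.
# "kvm" covers Xen/KVM on eth0, "openvz" covers OpenVZ on venet0. CentOS 6 ships
# iptables 1.4.7, which has -S but not -C, so presence is checked with -S plus grep.
# The OpenVZ rule is scoped to the VPN subnet (assumption, tighter than the tutorial).

VPN_NET="10.8.0.0/24"

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the rule specification (everything after "-A POSTROUTING") or fail.
nat_spec() {
    virt="$1"; pub_ip="$2"
    case "$virt" in
        kvm)
            echo "-s $VPN_NET -o eth0 -j MASQUERADE" ;;
        openvz)
            is_ipv4 "$pub_ip" || { echo "bad public IP: $pub_ip" >&2; return 1; }
            echo "-s $VPN_NET -o venet0 -j SNAT --to-source $pub_ip" ;;
        *)
            echo "unknown virtualization type: $virt (use kvm or openvz)" >&2; return 1 ;;
    esac
}

# Steps 16-17: turn forwarding on now and make it persistent across reboots.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}

# Steps 19 and 21: add the NAT rule once, then save the ruleset.
apply_nat() {
    spec=$(nat_spec "$1" "$2") || return 1
    if ! iptables -t nat -S POSTROUTING | grep -qF -- "$spec"; then
        iptables -t nat -A POSTROUTING $spec   # word splitting of $spec is intended
    fi
    service iptables save
}

# usage (as root): sh nat-setup.sh kvm|openvz PUBLIC_IP   e.g. openvz 203.0.113.5
if [ "$#" -eq 2 ]; then
    enable_forwarding && apply_nat "$1" "$2"
fi
```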

Step 22- Finally, let's create a server.ovpn client config file. To make it easy, you can simply create it on your local computer using Notepad (or any other plain text editor). Enter the following in that file:

client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Then save it with the .ovpn extension in the config directory of your OpenVPN client installation.

Step 23- Now copy the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory to your server's document root (public_html) so you can download it:

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory

Example:

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/cpanelplesk.com/public_html

Now download ca.crt in your browser from domain.com/ca.crt and save it in the same folder as the .ovpn file you created earlier.
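An alternative to Steps 22 and 23, added here as an example and not part of the original tutorial: generate the client profile on the server with the CA certificate embedded in an inline <ca> block, so the profile is a single file you hand to the user and ca.crt never has to be published in public_html. The function name, script name and the CA path default (the easy-rsa keys directory from Step 9) are my assumptions.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): Step 22 client profile with the
# CA embedded inline (supported by OpenVPN 2.1 and later). Assumes the server
# public IP and port are passed as arguments; the CA path defaults to the
# easy-rsa keys directory used in this tutorial.

make_profile() {
    server_ip="$1"; port="$2"; ca_file="$3"
    [ -r "$ca_file" ] || { echo "CA file not readable: $ca_file" >&2; return 1; }
    # Embed only a PEM certificate, never a private key or some other file.
    grep -q 'BEGIN CERTIFICATE' "$ca_file" || { echo "not a PEM certificate: $ca_file" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "refusing to embed a file that contains a private key" >&2; return 1
    fi
    cat <<EOF
client
dev tun
proto udp
remote $server_ip $port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
<ca>
$(cat "$ca_file")
</ca>
EOF
}

# usage: sh make-profile.sh SERVER_IP PORT [CA_FILE] > client.ovpn
if [ "$#" -ge 2 ]; then
    make_profile "$1" "$2" "${3:-/etc/openvpn/easy-rsa/2.0/keys/ca.crt}"
fi
```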

That’s it. Now you can log in to your VPN with the username and password you created.

That’s all there is to it; now you know how easy it is to build an OpenVPN server on CentOS 6.X. You may also like to know how to install Ghost with nginx on CentOS. Please leave your opinion below if you run into any issues or want to discuss your ideas and experiences.
