OpenVPN Installation and configuration on CentOS 6.x

OpenVPN How To: Install and configure on CentOS 6.4

This page is a step-by-step tutorial that walks you through installing OpenVPN on a CentOS 6.x server. I demonstrate every step so that the process is as clear as possible. Do not hesitate to ask if you have any questions.

What do I need OpenVPN for?

If you need to reach your office network from another location, whether the office is abroad or simply beyond the reach of your 3G phone, then a virtual private network might be the solution you are looking for. In today's world many organizations still pay fees for VPN services rather than use a server or system of their own as the VPN endpoint. With the RPMForge repository for CentOS 6, setting up and configuring OpenVPN has never been easier.

Wikipedia short description:

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[2] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[3] OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.

How To: Install and configure OpenVPN on CentOS 6.x - Geek-KB.com

System requirements:

  1. A dedicated server running CentOS 6.x
  2. Working knowledge of PuTTY and the SSH protocol.

 

How to Install OpenVPN to Build a CentOS VPN server

Prerequisite

Step 0 – Log in to your server via SSH, preferably as root.

Step 1 – Now issue this first command, which installs the build dependencies:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Step 2 – Now download the LZO source RPM and configure the RPMForge repository. Use the wget command:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Step 3 – Now add the correct repo for your server:

CentOS 6 32-bit (x86):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

Or: CentOS 6 64-bit (x86_64):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

How do you know which one your server is? Issue this command:

uname -a

If the output line ends with “x86_64 GNU/Linux”, your server is 64-bit. If instead it ends with “i686 i386 GNU/Linux” or “x86 GNU/Linux”, your machine is 32-bit.
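Reading the architecture off the uname output and picking the matching package can also be scripted, which avoids grabbing the wrong RPM on a batch of servers. The following is an added example and not part of the original guide: it uses only the two package URLs listed above, and the function name rpmforge_url and the use of "uname -m" (which prints just the machine type rather than the whole "uname -a" line) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original guide): choose the RPMForge release
# package from the machine type instead of reading "uname -a" by eye.
# The two package URLs are the ones the guide lists; the function name and the
# use of "uname -m" (which prints only the machine type) are this script's own.

RPMFORGE_BASE="http://pkgs.repoforge.org/rpmforge-release"

# rpmforge_url ARCH
#   Prints the package URL for ARCH (as reported by "uname -m").
#   Returns 1 for any architecture the repository does not cover.
rpmforge_url() {
    case "$1" in
        x86_64)
            printf '%s\n' "$RPMFORGE_BASE/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm" ;;
        i386|i486|i586|i686)
            printf '%s\n' "$RPMFORGE_BASE/rpmforge-release-0.5.2-1.el6.rf.i686.rpm" ;;
        *)
            printf 'no RPMForge package for architecture "%s"\n' "$1" >&2
            return 1 ;;
    esac
}

# Stand-alone use: report the package for this host. Nothing is downloaded;
# run the printed wget line yourself once you have checked it.
if url=$(rpmforge_url "$(uname -m)"); then
    printf 'RPMForge package for this host:\n  wget %s\n' "$url"
fi
```

Any 32-bit Intel machine type (i386 through i686) maps to the i686 package, and an architecture the repository does not ship for fails loudly instead of fetching something that would not install.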

Step 4 – Then build and install the RPM packages using these commands:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Hit Enter after each line above.

Installing OpenVPN

Step 5 – Issue the yum command:

yum install openvpn -y

Step 6 – Copy the easy-rsa folder to /etc/openvpn/ with this command:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

The newer OpenVPN release (2.3.2) no longer ships easy-rsa, so here is a download link: http://snk.to/f-ch2svs03

Step 7 – Now edit the vars file:

nano /etc/openvpn/easy-rsa/2.0/vars

Edit this line:

export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'

And replace it with this line:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Once done, hit Control+O to save, then Control+X to exit.

Step 8 – Create the certificate using these commands:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Hit Enter after each line.

Step 9 – It's time to build the necessary CA file:

./build-ca

Hint:

Country Name: may be filled or press Enter
State or Province Name: may be filled or press Enter
City: may be filled or press Enter
Org Name: may be filled or press Enter
Org Unit Name: may be filled or press Enter
Common Name: your server hostname
Email Address: may be filled or press Enter

Step 10 – Time to build the server key:

./build-key-server server

Hint: almost the same as ./build-ca, but note the changes and the additional prompts:

Common Name: server
A challenge password: leave blank
Optional company name: fill or press Enter
Sign the certificate: y
1 out of 1 certificate requests: y

You can simply leave the others blank. The only two required answers are "sign the certificate" (choose “y”) and "1 out of 1 certificate requests" (choose “y”).

Step 11 – Now issue the command below to build the Diffie-Hellman parameters:

./build-dh

Step 12 – Create the OpenVPN config file:

nano /etc/openvpn/server.conf

Step 13 – Now copy and paste these values into the config file:

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save it once done. (Control+O then Control+X)
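Before starting the service it is worth confirming that every file the config points at really exists where OpenVPN will look for it, and that the private key is not readable by other users on the box. The checker below is an added example, not part of the original guide or of OpenVPN: all of its function names are its own, it resolves relative paths against /etc/openvpn (the directory the CentOS init script runs from) unless told otherwise, and the stand-alone demo at the bottom runs against a constructed copy of the config in a temporary directory rather than the live files.

```shell
#!/bin/sh
# Added example, not part of the original guide or of OpenVPN: a pre-start check
# for server.conf. It resolves the ca/cert/key/dh paths the config references,
# verifies each file exists, and insists that the private key is readable by
# its owner only (easy-rsa creates keys/ with mode 700, but a key copied
# elsewhere easily ends up 644). It also reports client-cert-not-required,
# because with that directive the PAM username/password is the only thing
# authenticating a client. All function names are this script's own.

# conf_value FILE DIRECTIVE -> first argument of DIRECTIVE (quotes stripped), or nothing
conf_value() {
    awk -v d="$2" '$1 == d { v = $2; gsub(/^"|"$/, "", v); print v; exit }' "$1"
}

# conf_has FILE DIRECTIVE -> exit 0 if DIRECTIVE is present as a live (uncommented) line
conf_has() {
    awk -v d="$2" 'BEGIN { rc = 1 } $1 == d { rc = 0; exit } END { exit rc }' "$1"
}

# file_mode PATH -> permission bits in octal (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_openvpn_conf FILE [BASEDIR]
#   Relative paths are resolved against BASEDIR (default /etc/openvpn, the
#   working directory the CentOS init script uses). Prints one line per
#   finding and returns the number of findings, so 0 means clean.
check_openvpn_conf() {
    conf=$1; base=${2:-/etc/openvpn}; problems=0
    for d in ca cert key dh; do
        p=$(conf_value "$conf" "$d")
        if [ -z "$p" ]; then
            echo "MISSING: no '$d' directive in $conf"
            problems=$((problems + 1)); continue
        fi
        case "$p" in /*) ;; *) p="$base/$p" ;; esac
        if [ ! -f "$p" ]; then
            echo "MISSING: $d file $p does not exist"
            problems=$((problems + 1)); continue
        fi
        if [ "$d" = key ]; then
            mode=$(file_mode "$p")
            case "$mode" in
                *00) ;;
                *) echo "WEAK: $p is mode $mode; the private key should be 0600"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    if conf_has "$conf" client-cert-not-required; then
        echo "NOTE: client-cert-not-required is set; clients are authenticated by PAM password only"
    fi
    return $problems
}

# Stand-alone demo on a constructed config in a temp dir, never the live one.
demo=$(mktemp -d)
mkdir -p "$demo/keys"
for f in ca.crt server.crt server.key dh1024.pem; do : > "$demo/keys/$f"; done
chmod 644 "$demo/keys/server.key"          # the common mistake
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
    'ca keys/ca.crt' 'cert keys/server.crt' 'key keys/server.key' \
    'dh keys/dh1024.pem' 'client-cert-not-required' 'username-as-common-name' \
    > "$demo/server.conf"
check_openvpn_conf "$demo/server.conf" "$demo" || echo "-> $? problem(s) found"
chmod 600 "$demo/keys/server.key"
check_openvpn_conf "$demo/server.conf" "$demo" && echo "-> clean"
rm -rf "$demo"
```

To check the real config, run check_openvpn_conf /etc/openvpn/server.conf; the return code makes it usable as a guard in a deployment script ("check_openvpn_conf ... && service openvpn start"). Commented-out lines such as the "#plugin" line are ignored because the directive match is on the first whole word of the line.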

Step 14 – Let's start the OpenVPN service on your server for the first time:

service openvpn start

Step 15 – You'll also need to enable IP forwarding in /etc/sysctl.conf. Open it and set the “net.ipv4.ip_forward” line to 1:

nano /etc/sysctl.conf

Replace 0 with 1 in this line:

net.ipv4.ip_forward = 1

Hit Control+O to save then Control+X to exit nano.

Step 16 – Issue this command to load the change:

sysctl -p
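The two edits made by hand in nano so far (KEY_CONFIG in the easy-rsa vars file in step 7, and ip_forward in /etc/sysctl.conf in step 15) are the kind of thing that gets repeated on every new server, so here they are as a small script. This is an added example and not part of the original guide: set_line, fix_easyrsa_vars, enable_ip_forward and count_lines are this example's own names, while the replacement lines are exactly the ones the guide gives. The demo at the bottom works on constructed copies in a temporary directory; point the functions at the real files to apply the edits for real.

```shell
#!/bin/sh
# Added example, not part of the original guide: the two hand edits made with
# nano above (KEY_CONFIG in easy-rsa's vars, ip_forward in sysctl.conf) as
# repeatable functions. set_line, fix_easyrsa_vars, enable_ip_forward and
# count_lines are this script's own names; the replacement lines are the
# guide's.

# set_line FILE PATTERN REPLACEMENT
#   Replace every line of FILE matching the awk regex PATTERN with REPLACEMENT,
#   or append REPLACEMENT if no line matched. The result is written back
#   through the original file so its owner and mode are preserved.
set_line() {
    _file=$1; _pat=$2; _rep=$3
    _tmp="${_file}.tmp.$$"
    awk -v pat="$_pat" -v rep="$_rep" '
        $0 ~ pat { print rep; seen = 1; next }
        { print }
        END { if (!seen) print rep }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file" || { rm -f "$_tmp"; return 1; }
    rm -f "$_tmp"
}

# Step 7: point KEY_CONFIG at the OpenSSL 1.0.0 config shipped with easy-rsa 2.0.
fix_easyrsa_vars() {
    set_line "$1" '^export KEY_CONFIG=' \
        'export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf'
}

# Step 15: enable IPv4 forwarding so VPN clients can be routed out of the server.
enable_ip_forward() {
    set_line "$1" '^[[:space:]]*net[.]ipv4[.]ip_forward[[:space:]]*=' \
        'net.ipv4.ip_forward = 1'
}

# count_lines FILE PATTERN -> number of lines matching the grep ERE PATTERN
count_lines() {
    grep -c -E "$2" "$1" || :
}

# Stand-alone demo on constructed copies in a temp dir, never on the live files.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample of easy-rsa 2.0 vars' \
    'export KEY_SIZE=1024' \
    "export KEY_CONFIG='\$EASY_RSA/whichopensslcnf \$EASY_RSA'" > "$demo/vars"
printf '%s\n' '# constructed sample of /etc/sysctl.conf' \
    'net.ipv4.ip_forward = 0' 'kernel.sysrq = 0' > "$demo/sysctl.conf"
fix_easyrsa_vars "$demo/vars"
enable_ip_forward "$demo/sysctl.conf"
grep -n -E 'KEY_CONFIG|ip_forward' "$demo/vars" "$demo/sysctl.conf"
rm -rf "$demo"
```

Because set_line replaces a matching line rather than appending blindly, running it twice leaves the file unchanged, and a sysctl.conf that never had an ip_forward line gets the setting appended. After editing the real /etc/sysctl.conf, "sysctl -p" still has to be run as in step 16.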

Step 17 – Create a new Linux user, which will also be the username used to log in to the VPN:

useradd username -s /bin/false

Replace username with your own username. Then also set its password:

passwd username

Step 18 – Now set up the iptables NAT rules.

Xen and KVM users use:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Do not forget to replace 123.123.123.123 with your server's public IP.

Step 19 – Note: if you run CSF on the same server, you need to open your OpenVPN port (usually 1194) in the firewall and run the commands below for CSF:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Step 20 – Now save the iptables rules:

service iptables save

Step 21 – Windows VPN client installation. Let's create a server.ovpn config file. To keep it simple, create it on your local computer using Notepad (or any other plain text editor). Enter the following in that file:

client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Then save it with the .ovpn extension in the config directory of your OpenVPN client installation on your computer.

Step 22 – That's it. Now copy the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server's document root (public_html). The CA certificate is public, so serving it this way is fine; never place a .key file there.

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory

example:

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/www.geek-kb.com/public_html

Now you can download the ca.crt file in your browser by going to domain.com/ca.crt, then save it to the same folder as the .ovpn file you created earlier. That's it. Now you can log in to your VPN using the username and password you've created.

Step 23 – Ubuntu VPN client installation:

Install openvpn:

apt-get install openvpn -y

Next, copy ca.crt, username.key and username.crt from the OpenVPN server to your Ubuntu machine.

Step 24 – Configure the client

Create a new config file, called server.conf for example, and paste these values into it (don't forget to replace 123.123.123.123 with your OpenVPN server IP, and point the last three lines at the paths of your ca.crt, username.key and username.crt):

client
dev tun
proto udp
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca "/etc/openvpn/homecerts/ca.crt"
cert "/etc/openvpn/homecerts/itaig-lt.crt"
key "/etc/openvpn/homecerts/itaig-lt.key"

Next, move the server.conf file to /etc/openvpn and restart the service:

service openvpn restart

There's one more thing left to do on machines in the remote VPN network:

On each machine you intend to connect to remotely, you have to add the relevant route (if there is a router in the remote network, you can simply add the route there instead):

On a Linux machine:

# route add -net net.id/network.size gw ip.of.gateway metric 1

Example:

# route add -net 192.168.1.0/24 gw 192.168.0.100 metric 1

After adding the route, test whether it works by pinging an IP on the remote network; if it does, make the route permanent. To do that, create a file in the /etc/sysconfig/network-scripts/ folder named route-dev_name (after the device that sits on the network you routed). Example:

nano /etc/sysconfig/network-scripts/route-eth0

Then type the route line into the file; it should look like this:

192.168.1.0/24 via 192.168.0.100 dev eth0

Hit ‘Ctrl + X’ to save the file.

On a Windows machine:

C:\> route add net.id mask network.mask gateway.ip

Example:

C:\> route add 192.168.1.0 mask 255.255.255.0 192.168.0.100

As mentioned above, after adding the route, test whether it works by pinging an IP on the remote network; if it does, make the route permanent. To do that, run the same command again with -p appended, like so:

C:\> route add 192.168.1.0 mask 255.255.255.0 192.168.0.100 -p
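The Linux and Windows forms above describe the same route; the only real work is turning the /24 prefix into the dotted netmask that the Windows command expects. The script below is an added example, not part of the original guide: prefix_to_mask and route_commands are its own names, and it prints, for one CIDR network and gateway, the one-off Linux command, the persistent route-eth0 file entry and the persistent Windows command in the formats shown above.

```shell
#!/bin/sh
# Added example, not part of the original guide: derive the Linux and Windows
# route commands shown above from one CIDR network, computing the dotted
# netmask that the Windows form needs. prefix_to_mask and route_commands are
# this script's own names; the command formats are the guide's.

# prefix_to_mask PREFIX -> dotted netmask for a /PREFIX network (0..32)
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*) echo "bad prefix: '$1'" >&2; return 1 ;; esac
    [ "$1" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    # 32 one-bits shifted left by the size of the host part, masked back to 32 bits
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# route_commands NETWORK/PREFIX GATEWAY [DEV]
#   Line 1: the one-off Linux command; line 2: the persistent
#   /etc/sysconfig/network-scripts/route-DEV entry; line 3: the persistent
#   Windows command.
route_commands() {
    net=${1%/*}; prefix=${1#*/}; gw=$2; dev=${3:-eth0}
    mask=$(prefix_to_mask "$prefix") || return 1
    printf 'route add -net %s/%s gw %s metric 1\n' "$net" "$prefix" "$gw"
    printf '%s/%s via %s dev %s\n' "$net" "$prefix" "$gw" "$dev"
    printf 'route add %s mask %s %s -p\n' "$net" "$mask" "$gw"
}

# Stand-alone demo with the guide's example network and gateway.
route_commands 192.168.1.0/24 192.168.0.100
```

A network given without a prefix, or with a prefix outside 0..32, is rejected rather than silently turned into a wrong mask, which is the usual way a typo in a route ends up sending traffic nowhere.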

Optional section (password protect your certificate):

If you would like your users to use a password-protected certificate when connecting to your VPN server, follow the next steps:

  1. Go to:

/etc/openvpn/easy-rsa/2.0

  2. Edit the vars file as mentioned above.
  3. Run:

# source ./vars

# ./build-key-pass user_name

The password the user will have to input is the “PEM pass phrase”.

  4. Now copy the user.crt, user.key and ca.crt to the relevant folder on the client and edit your .ovpn file on Windows or server.conf on Linux to add the new files.
  5. Connect.

I hope this guide helped you; feel free to leave comments or ask questions.

Comments

41 Comments

  1. sage on January 5, 2014 at 2:39 am

    Hello my friend! I wish to say that this article
    is awesome, great written and come with almost all important
    infos. I would like to look more posts like this .

  2. Pharmb429 on January 19, 2014 at 12:31 am

    Hello! very interesting site! I’m really like it! Very, very good!

  3. camcorder test on January 21, 2014 at 11:18 pm

    camcorder test
    Howdy I am so happy I found your web site, I really found you by mistake, while I was looking on Bing for something else,
    Anyhow I am here now and would just like to say thank you for a fantastic post and a all round interesting
    blog (I also love the theme/design), I don’t have time to go through it all at the moment but I have
    bookmarked it and also included your RSS feeds, so when I have
    time I will be back to read a lot more, Please do keep up the
    fantastic jo. camcorder test

  4. eric gray buffalo ny on January 22, 2014 at 4:16 am

    Cool blog! Is your theme custom made or did you download
    it from somewhere? A design like yours with a few simple tweeks would really make my blog shine.
    Please let me know where you got your design.
    Kudos

  5. Eric Gray Buffalo NY on January 22, 2014 at 5:51 am

    Very energetic article, I enjoyed that bit. Will there be a part 2?

  6. eric gray buffalo ny on January 22, 2014 at 7:20 am

    What’s up, the whole thing is going nicely here and ofcourse
    every one is sharing information, that’s truly good, keep up writing.

  7. Eric Gray Buffalo NY on January 22, 2014 at 9:16 am

    I need to to thank you for this fantastic read!!

    I absolutely enjoyed every little bit of it. I’ve got you book marked to look at new stuff you post…

  8. Leopoldo Alejandro Betancourt López on January 28, 2014 at 3:28 am

    You really make it appear so easy with your presentation but I find this matter to
    be actually one thing that I feel I’d never understand.
    It kind of feels too complex and extremely large for me.
    I am taking a look ahead in your next post, I will try to get the cling of it!

  9. celtic necklace on January 28, 2014 at 1:42 pm

    Great work! That is the type of information that are supposed to be shared around the
    internet. Shame on Google for not positioning this submit upper!
    Come on over and discuss with my website . Thank
    you =)

  10. University of Kentucky watch on January 28, 2014 at 3:12 pm

    I was extremely pleased to find this site. I need to to thank you for your time just for this fantastic
    read!! I definitely enjoyed every bit of it and i also have
    you saved as a favorite to look at new things on your web site.

  11. doug pitassi on January 28, 2014 at 3:54 pm

    Whoa! This blog looks exactly like my old one!
    It’s on a totally different subject but it has pretty much the same
    layout and design. Superb choice of colors!

  12. Derwick Associates on January 28, 2014 at 5:08 pm

    I love looking through a post that will make men and women think.
    Also, many thanks for permitting me to comment!

  13. Josette on January 28, 2014 at 7:07 pm

    Pretty! This was a really wonderful post. Thank you
    for supplying this info.

  14. doug pitassi on January 28, 2014 at 11:06 pm

    When someone writes an paragraph he/she keeps the plan of a user in his/her brain that how a user can
    understand it. Therefore that’s why this paragraph is perfect.
    Thanks!

  15. Eric Gray Buffalo NY on January 29, 2014 at 12:19 am

    Hello my family member! I wish to say that this article is amazing, great written and include
    approximately all significant infos. I’d like to look
    more posts like this .

  16. Eric Gray Buffalo NY on January 30, 2014 at 7:02 pm

    Thank you for the auspicious writeup. It in fact used to be
    a enjoyment account it. Look complicated to more added
    agreeable from you! By the way, how can we keep in touch?

  17. Regina on February 1, 2014 at 5:14 am

    We are a group of volunteers and opening a new scheme in our community.
    Your web site provided us with valuable information
    to work on. You’ve done a formidable job and our entire
    community will be grateful to you.

  18. Hester on February 1, 2014 at 5:17 am

    Attractive section of content. I just stumbled upon your weblog and in accession
    capital to assert that I acquire actually enjoyed account your blog posts.

    Any way I’ll be subscribing to your augment and even I achievement you
    access consistently rapidly.

  19. Lorrie on February 1, 2014 at 7:22 am

    I have been browsing online more than 4 hours today, yet I never
    found any interesting article like yours. It’s pretty worth
    enough for me. In my opinion, if all webmasters and bloggers made good content as you did, the net will be much more useful
    than ever before.

  20. eric gray buffalo ny on February 2, 2014 at 8:28 pm

    Thanks for sharing your thoughts about OpenVPN.
    Regards

  21. stone wave on February 6, 2014 at 3:25 pm

    Fastidious response in return of this query with solid arguments and describing
    everything concerning that.

  22. Francisco Convit Guruceaga on February 7, 2014 at 12:43 am

    Hi there very nice website!! Man .. Excellent .. Amazing
    .. I will bookmark your website and take the feeds also?
    I am glad to search out so many useful information right here in the submit,
    we want develop more techniques on this regard, thank you for sharing.
    . . . . .

  23. Leopoldo Alejandro on February 8, 2014 at 5:47 pm

    Hello there! I just would like to offer you a huge
    thumbs up for the great information you’ve got here on this post.
    I’ll be coming back to your website for more soon.

  24. Pedro Trebbau Lopez on February 8, 2014 at 7:05 pm

    I delight in, result in I found just what I used to be taking
    a look for. You have ended my four day lengthy hunt! God Bless you man.
    Have a great day. Bye

  25. Edgard Romero Lazo on February 8, 2014 at 7:25 pm

    My partner and I absolutely love your blog and find a lot of your post’s to be precisely what I’m looking for.
    Would you offer guest writers to write content for you?

    I wouldn’t mind publishing a post or elaborating on a few of the subjects you
    write in relation to here. Again, awesome site!

  26. Pedro Trebbau Lopez on February 8, 2014 at 8:46 pm

    I go to see daily a few websites and information sites to read
    articles, but this web site provides feature based content.

  27. djitri2000 on February 8, 2014 at 9:06 pm

    Hello,
    the service refuse to start.
    Log show could not load plugin shared object /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so

    • Itai Ganot on February 9, 2014 at 12:58 pm

      Hi there,

      In order to solve this issue make sure you installed the openvpn package properly as this module belongs to the openvpn package.
      # yum search openvpn-auth-pam.so
      openvpn-2.2.0-3.el6.rf.x86_64 : Robust and highly flexible VPN daemon
      Repo : rpmforge
      Matched from:
      Filename : /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
      Type:
      # yum install openvpn

  28. Derwick Associates on February 8, 2014 at 9:11 pm

    There’s definately a lot to find out about this subject.
    I like all of the points you have made.

  29. Derwick on February 8, 2014 at 9:33 pm

    Hey there! I just wanted to ask if you ever have any problems with hackers?

    My last blog (wordpress) was hacked and I ended up losing several
    weeks of hard work due to no data backup. Do you have any methods to prevent hackers?

    • Itai Ganot on February 9, 2014 at 1:03 pm

      Hi Derwick,
      Hackers will always be there, I just hope they won’t consider my site as a target site.
      My best offer to you is to back up your files on daily basis.
      Create one Full Backup and then Incremental backup for the rest of the days (Incremental backup – Backs up only the delta’s from the last full backup).
      You can use: ‘tar zcf files.tgz /backup/folder’ in order to create the package and then create a cron job that will do it for you.
      I hope I helped.
      Itai Ganot

  30. Derwick on February 8, 2014 at 9:53 pm

    Appreciation to my father who informed me about this web site,
    this web site is genuinely amazing.

  31. Pedro Trebbau Lopez on February 8, 2014 at 10:56 pm

    This post presents clear idea for the new viewers of blogging, that actually how to do
    blogging and site-building.

  32. cancan on February 25, 2014 at 5:11 am

    It’s actually a cool and useful piece of information.
    I’m glad that you shared this helpful information with us.
    Please stay us informed like this. Thank you for sharing.

  33. Joy on February 25, 2014 at 12:36 pm

    Hi

    You mentioned a dedicated server is required to setup OpenVPN and replace 123.123.123.123 with IP address of the server. I’ve got a CentOS machine at home and a CentOS virtual machine at work. Could I apply the same instructions in this article to setup OpenVPN between them?

    Thanks.

    • Itai Ganot on February 25, 2014 at 6:29 pm

      Hi Joy,
      Yes, you can certainly apply the instructions on your environment, I’ve got the exact same config.
      I have a virtual machine installed with CentOS at work and another physical one at home, in my setup, the server is the machine at home and the client is my computer at work or my laptop.
      Just bear in mind that you will need a static IP or, a dynamic ip with a free dynamic dns service (like dyndns.org for example).
      Then, configure your router firewall to use the dyndns account you created along with the virtual host you chose and create a NAT rule like so:
      Source: Any (or your workplace public ip) , Port: 1194 (Tcp or Udp, as you configured in your server.conf on the server side), Destination: Your client’s internal ip (example 192.168.0.10).
      Then, all requests on port 1194 TCP which arrive at your router will be automatically forwarded to your server on the internal ip.
      Itai Ganot

  34. Lira on February 26, 2014 at 2:50 pm

    Appreciate the great writeup. The idea the truth is once was any fun account them. Glance innovative in order to a lot released gratifying on your part! Nevertheless, how should we talk?

  35. Hipolito M. Wiseman on March 4, 2014 at 3:10 pm

    Amazing composition! Certainly well explained.
