OpenVPN How To: Install and configure on CentOS 6.4
This page is a step-by-step tutorial that will guide you through installing OpenVPN on a CentOS 6.x server. I demonstrate every step so that the process is as clear as possible. Do not hesitate to ask if you have any questions.
What do I need OpenVPN for?
If you need to access your office network from a different location, whether the office is located abroad or simply out of range of your 3G phone, then a virtual private network might be the solution you are looking for. In today's world many organizations still pay fees for VPN services rather than using a server or system of their own as the VPN endpoint. Setting up and configuring OpenVPN has never been as easy as it is with the RPMForge repository for CentOS 6.
Wikipedia short description:
OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol[2] that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).[3] OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.
System requirements:
- A dedicated server running CentOS 6.x
- Working knowledge of PuTTY and the SSH protocol.
How to Install OpenVPN to Build a CentOS VPN server
Prerequisite
Step 0 – Log in to your server via SSH, preferably as root.
Step 1 – Now issue this first command:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Step 2 – Now download the LZO source RPM and configure the RPMForge repository. Use the wget command:
wget https://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Step 3 – Now add the correct repository package for your server:
CentOS 6 32-bit (x86):
wget https://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
Or: CentOS 6 64-bit (x86_64):
wget https://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
How do you know which one your server is? Issue this command:
uname -a
If you see "x86_64 GNU/Linux" at the end of the output line, your server is 64-bit. If instead you see "i686 i386 GNU/Linux" or "x86 GNU/Linux", your machine is 32-bit.
Step 4 – Then build and install the RPM packages using these commands:
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
Hit enter after each line above.
Installing OpenVPN
Step 5 – Issue the yum command:
yum install openvpn -y
Step 6 – Copy the easy-rsa folder to /etc/openvpn/ with this command:
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
It seems that in the newer version of OpenVPN (2.3.2) easy-rsa is no longer included, so here is a download link: https://snk.to/f-ch2svs03
Step 7 – Now edit it:
nano /etc/openvpn/easy-rsa/2.0/vars
Edit this line:
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'
And replace it with this line:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Once done, hit Control+O to save, then Control+X to exit.
Step 8 – Prepare the certificate environment using these commands:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Hit enter after each line.
Step 9 – It's time to build the CA:
./build-ca
Hint:
- Country Name: may be filled or press enter
- State or Province Name: may be filled or press enter
- City: may be filled or press enter
- Org Name: may be filled or press enter
- Org Unit Name: may be filled or press enter
- Common Name: your server hostname
- Email Address: may be filled or press enter
Step 10 – Time to build the server key and certificate:
./build-key-server server
Hint: almost the same as ./build-ca, but note the changes and additions:
- Common Name: server
- A challenge password: leave blank
- Optional company name: fill or press enter
- Sign the certificate: y
- 1 out of 1 certificate requests: y
You can simply leave the others blank. The only two required answers are "sign the certificate" (choose "y") and "1 out of 1 certificate requests" (choose "y").
Step 11 – Now issue the command below to build the Diffie-Hellman parameters:
./build-dh
Step 12 – Create the OpenVPN config file:
nano /etc/openvpn/server.conf
Step 13 – Now copy and paste these values into the config file:
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
Save it once done (Control+O, then Control+X).
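Before starting the service it is worth checking that the config actually points at the files Steps 9 to 11 produced and that the server key is not readable by other users. The script below is an added example (not part of the original post): it audits a server.conf like the one in Step 13 and runs against a constructed sample config in a scratch directory, so it needs no real deployment.

```shell
#!/bin/sh
# Added example (not from the post): audit a server.conf like the one in Step 13.
# It reports referenced ca/cert/key/dh files that are missing, a private key that
# others can read, and client-cert-not-required (then the PAM password is the only
# thing protecting the VPN). One finding per line; the last line is the total.
audit_openvpn_conf() {
    conf="$1"
    base=$(dirname "$conf")
    findings=0
    while read -r key val _rest; do
        case "$key" in
            ''|\#*) continue ;;             # blank line or comment
        esac
        case "$key" in
            ca|cert|key|dh)
                # relative paths resolve against the config directory (the init script runs from /etc/openvpn)
                case "$val" in
                    /*) path="$val" ;;
                    *)  path="$base/$val" ;;
                esac
                if [ ! -f "$path" ]; then
                    echo "MISSING: $key -> $path"
                    findings=$((findings + 1))
                elif [ "$key" = key ]; then
                    # mode string from ls -ld; only the owner should be able to read a key
                    case "$(ls -ld "$path" | cut -c1-10)" in
                        -rw-------|-r--------) ;;
                        *) echo "WEAK-PERMS: $path is readable beyond its owner"
                           findings=$((findings + 1)) ;;
                    esac
                fi ;;
            client-cert-not-required)
                echo "WARN: client-cert-not-required set, so access relies on passwords alone"
                findings=$((findings + 1)) ;;
        esac
    done < "$conf"
    echo "$findings finding(s)"
}

# Constructed sample (not a real deployment): the Step 13 file names as relative
# paths in a scratch dir, with dh1024.pem never generated and server.key world-readable.
make_sample_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/keys"
    for f in ca.crt server.crt server.key; do echo "sample" > "$d/keys/$f"; done
    chmod 644 "$d/keys/server.key"
    cat > "$d/server.conf" <<'EOF'
port 1194
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
EOF
    echo "$d/server.conf"
}
```

Run it against the real file with `audit_openvpn_conf /etc/openvpn/server.conf`; on the sample it reports the missing DH file, the loose key permissions and the password-only setting.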
Step 14 – Let's start the OpenVPN service on your server for the very first time:
service openvpn start
Step 15 – You'll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and set the "net.ipv4.ip_forward" line to 1:
nano /etc/sysctl.conf
replace 0 with 1 in this line:
net.ipv4.ip_forward = 1
Hit Control+O to save then Control+X to exit nano.
Step 16 – Issue this command to load the change:
sysctl -p
Step 17 – Create a new Linux user which can also be used to log in to the VPN:
useradd username -s /bin/false
Replace username with your own username. Then also set its password:
passwd username
Step 18 – Now add the iptables NAT rules.
Xen and KVM users use:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
Do not forget to replace 123.123.123.123 with your server IP.
Step 19 – Note: if you have CSF on the same server you need to open your OpenVPN port (usually 1194) in the firewall and run the commands below for CSF:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
Step 20 – Now save the iptables rules:
service iptables save
Step 21 – Windows VPN client installation. Let's create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other plain text editor). Enter the following in that file:
client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Then save it with the .ovpn extension, in the config directory of the OpenVPN client installation on your computer. See
Step 22 – That's it. Now copy the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server's document root (public_html):
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory
Example:
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/www.geek-kb.com/public_html
Now download the ca.crt file with your browser from domain.com/ca.crt and save it in the same folder as the .ovpn file you created earlier. That's it. Now you can log in to your VPN using the username and password you created.
Step 23 – Ubuntu VPN client installation:
Install OpenVPN (Ubuntu uses apt-get rather than yum):
apt-get install -y openvpn
Next, copy ca.crt, username.key, and username.crt from the OpenVPN server to your Ubuntu machine.
Step 24 – Configure the client
Create a new config file called server.conf, for example, and paste these values into it (don't forget to replace 123.123.123.123 with your OpenVPN server IP, and point the ca, cert and key lines at the paths of your ca.crt, username.key and username.crt):
client
# itaig-lt is the client name used for the certificate and key files below
dev tun
proto udp
remote 123.123.123.123 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca "/etc/openvpn/homecerts/ca.crt"
cert "/etc/openvpn/homecerts/itaig-lt.crt"
key "/etc/openvpn/homecerts/itaig-lt.key"
Next, move the server.conf file to /etc/openvpn and restart the service:
service openvpn restart
There's one more thing left to do on the machines in the remote VPN network:
On each machine you intend to connect to remotely, you have to add the relevant route (if you have a router in the remote network you can simply add the route there instead):
On a Linux machine:
# route add -net net.id/network.size gw ip.of.gateway metric 1
Example:
# route add -net 192.168.1.0/24 gw 192.168.0.100 metric 1
After adding the route, test whether it works by pinging an IP on the remote network; if it does, make the route permanent. To do that, create a file in the /etc/sysconfig/network-scripts/ folder named route-dev_name, where dev_name is the device that sits on the network you routed. Example:
nano /etc/sysconfig/network-scripts/route-eth0
Then type the route line into the file; it should look like this:
192.168.1.0/24 via 192.168.0.100 dev eth0
Hit Ctrl+O to save the file, then Ctrl+X to exit nano.
On a Windows machine:
c:\> route add net.id mask network.mask gateway.ip
Example:
c:\> route add 192.168.1.0 mask 255.255.255.0 192.168.0.100
As mentioned above, after adding the route, test whether it works by pinging an IP on the remote network; if it does, make the route permanent. To do that, run the same command again with -p added at the end of the line, like so:
c:\> route add 192.168.1.0 mask 255.255.255.0 192.168.0.100 -p
Optional section (password protect your certificate):
If you would like your users to use a password-protected certificate when connecting to your VPN server, follow these steps:
1. Go to:
/etc/openvpn/easy-rsa/2.0
2. Edit the vars file as mentioned above.
3. Run:
# source ./vars
# ./build-key-pass user_name
The password the user will have to enter is the "PEM pass phrase".
4. Now copy user.crt, user.key and ca.crt to the relevant folder on the client and edit your .ovpn file on Windows or server.conf on Linux to add the new files.
5. Connect.
I hope this guide helped you; feel free to leave comments or ask questions.
Hello my friend! I wish to say that this article
is awesome, well written and comes with almost all important
info. I would like to see more posts like this.
Hello! Very interesting site! I really like it! Very, very good!
Howdy, I am so happy I found your web site. I really found you by mistake, while I was looking on Bing for something else.
Anyhow, I am here now and would just like to say thank you for a fantastic post and an all round interesting
blog (I also love the theme/design). I don't have time to go through it all at the moment but I have
bookmarked it and also included your RSS feeds, so when I have
time I will be back to read a lot more. Please do keep up the
fantastic job.
Cool blog! Is your theme custom made or did you download
it from somewhere? A design like yours with a few simple tweaks would really make my blog shine.
Please let me know where you got your design.
Kudos
Very energetic article, I enjoyed that bit. Will there be a part 2?
What's up, the whole thing is going nicely here and of course
everyone is sharing information, that's truly good, keep up writing.
I need to thank you for this fantastic read!!
I absolutely enjoyed every little bit of it. I've got you bookmarked to look at new stuff you post…
You really make it appear so easy with your presentation but I find this matter to
be actually one thing that I feel I'd never understand.
It kind of feels too complex and extremely large for me.
I am looking forward to your next post, I will try to get the hang of it!
Great work! That is the type of information that is supposed to be shared around the
internet. Shame on Google for not positioning this post higher!
Come on over and discuss with my website. Thank
you =)
I was extremely pleased to find this site. I need to thank you for your time just for this fantastic
read!! I definitely enjoyed every bit of it and I also have
you saved as a favorite to look at new things on your web site.
Whoa! This blog looks exactly like my old one!
It’s on a totally different subject but it has pretty much the same
layout and design. Superb choice of colors!
I love looking through a post that will make men and women think.
Also, many thanks for permitting me to comment!
Pretty! This was a really wonderful post. Thank you
for supplying this info.
When someone writes a paragraph he/she keeps the plan of a user in his/her brain, that how a user can
understand it. Therefore that's why this paragraph is perfect.
Thanks!
Hello my family member! I wish to say that this article is amazing, well written and includes
approximately all significant info. I'd like to see
more posts like this.
Thank you for the auspicious writeup. It in fact used to be
a enjoyment account it. Look complicated to more added
agreeable from you! By the way, how can we keep in touch?
Hi Eric,
Please feel free to contact us at Admin@geek-kb.com
Thanks
Itai
We are a group of volunteers and opening a new scheme in our community.
Your web site provided us with valuable information
to work on. You’ve done a formidable job and our entire
community will be grateful to you.
Attractive section of content. I just stumbled upon your weblog and in accession
capital to assert that I acquire actually enjoyed account your blog posts.
Any way I’ll be subscribing to your augment and even I achievement you
access consistently rapidly.
I have been browsing online more than 4 hours today, yet I never
found any interesting article like yours. It’s pretty worth
enough for me. In my opinion, if all webmasters and bloggers made good content as you did, the net will be much more useful
than ever before.
Thanks for sharing your thoughts about OpenVPN.
Regards
Fastidious response in return of this query with solid arguments and describing
everything concerning that.
Hi there, very nice website!! Man .. Excellent .. Amazing
.. I will bookmark your website and take the feeds also?
I am glad to find so much useful information right here in the post,
we want to develop more techniques in this regard, thank you for sharing.
Hello there! I just would like to offer you a huge
thumbs up for the great information you’ve got here on this post.
I’ll be coming back to your website for more soon.
I delight in, result in I found just what I used to be taking
a look for. You have ended my four day lengthy hunt! God Bless you man.
Have a great day. Bye
My partner and I absolutely love your blog and find a lot of your posts to be precisely what I'm looking for.
Would you offer guest writers to write content for you?
I wouldn’t mind publishing a post or elaborating on a few of the subjects you
write in relation to here. Again, awesome site!
Hi Edgard,
Please feel free to contact us at Admin@geek-kb.com in regard to posting your own articles here.
Thanks
ItaiG
I go to see daily a few websites and information sites to read
articles, but this web site provides feature based content.
Hello,
the service refuses to start.
The log shows: could not load plugin shared object /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Hi there,
In order to solve this issue, make sure you installed the openvpn package properly, as this module belongs to the openvpn package.
# yum search openvpn-auth-pam.so
openvpn-2.2.0-3.el6.rf.x86_64 : Robust and highly flexible VPN daemon
Repo : rpmforge
Matched from:
Filename : /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Type:
# yum install openvpn
There's definitely a lot to find out about this subject.
I like all of the points you have made.
Hey there! I just wanted to ask if you ever have any problems with hackers?
My last blog (wordpress) was hacked and I ended up losing several
weeks of hard work due to no data backup. Do you have any methods to prevent hackers?
Hi Derwick,
Hackers will always be there, I just hope they won't consider my site as a target site.
My best offer to you is to back up your files on a daily basis.
Create one full backup and then incremental backups for the rest of the days (incremental backup – backs up only the deltas from the last full backup).
You can use: 'tar zcf files.tgz /backup/folder' in order to create the package and then create a cron job that will do it for you.
I hope I helped.
Itai Ganot
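The full-plus-incremental scheme described in the reply above, written out as an added example (not the commenter's own script): GNU tar's --listed-incremental snapshot file is what makes each later archive contain only the deltas since the previous run. The SRC/DEST layout and the demo directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the commenter's script: the full-plus-incremental scheme from
# the reply above, using GNU tar's --listed-incremental snapshot file. The snapshot
# (.snar) records what the previous run saw, so each incremental archive holds only
# what changed since then. Assumed layout: SRC is the folder to protect, DEST holds
# the archives and the snapshot.
backup_full() {            # usage: backup_full SRC DEST
    src="$1"; dest="$2"
    mkdir -p "$dest"
    rm -f "$dest/backup.snar"            # no snapshot = level-0 (full) dump
    tar -czf "$dest/full.tgz" --listed-incremental="$dest/backup.snar" \
        -C "$(dirname "$src")" "$(basename "$src")"
}

backup_incremental() {     # usage: backup_incremental SRC DEST LABEL
    src="$1"; dest="$2"; label="$3"
    if [ ! -f "$dest/backup.snar" ]; then
        echo "no snapshot in $dest; run backup_full first" >&2
        return 1
    fi
    tar -czf "$dest/inc-$label.tgz" --listed-incremental="$dest/backup.snar" \
        -C "$(dirname "$src")" "$(basename "$src")"
}

# Regular files stored in an archive; directory entries are always present in
# incremental dumps, so they are filtered out.
archive_files() {
    tar -tzf "$1" | grep -v '/$' || true
}

# Constructed demo: two files, a full backup, then one edit and one new file,
# then an incremental that should list only those two (src/b.txt and src/c.txt).
demo() {
    w=$(mktemp -d)
    mkdir "$w/src"
    echo one > "$w/src/a.txt"; echo two > "$w/src/b.txt"
    backup_full "$w/src" "$w/bk"
    sleep 1                               # make sure the edits post-date the snapshot
    echo changed > "$w/src/b.txt"; echo new > "$w/src/c.txt"
    backup_incremental "$w/src" "$w/bk" 1
    archive_files "$w/bk/inc-1.tgz"
}
```

Schedule backup_full weekly and backup_incremental daily from cron; to restore, extract full.tgz and then each inc-*.tgz in order with --listed-incremental=/dev/null so that deletions are replayed too.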
Appreciation to my father who informed me about this web site,
this web site is genuinely amazing.
This post presents clear idea for the new viewers of blogging, that actually how to do
blogging and site-building.
It's actually a cool and useful piece of information.
I'm glad that you shared this helpful information with us.
Please keep us informed like this. Thank you for sharing.
Hi
You mentioned a dedicated server is required to setup OpenVPN and replace 123.123.123.123 with IP address of the server. I’ve got a CentOS machine at home and a CentOS virtual machine at work. Could I apply the same instructions in this article to setup OpenVPN between them?
Thanks.
Hi Joy,
Yes, you can certainly apply the instructions to your environment, I've got the exact same config.
I have a virtual machine installed with CentOS at work and another physical one at home; in my setup, the server is the machine at home and the client is my computer at work or my laptop.
Just bear in mind that you will need a static IP or a dynamic IP with a free dynamic DNS service (like dyndns.org for example).
Then, configure your router firewall to use the dyndns account you created along with the virtual host you chose and create a NAT rule like so:
Source: Any (or your workplace public IP), Port: 1194 (TCP or UDP, as you configured in your server.conf on the server side), Destination: your client's internal IP (example 192.168.0.10).
Then, all requests on port 1194 TCP which arrive at your router will be automatically forwarded to your server on the internal IP.
Itai Ganot
Appreciate the great writeup. The idea the truth is once was any fun account them. Glance innovative in order to a lot released gratifying on your part! Nevertheless, how should we talk?
Hi Lira,
Please feel free to contact us at Admin@geek-kb.com
Thanks
Itai
Amazing composition! Certainly well explained.