
How To Set Up and Install an OpenVPN on CentOS 5 and CentOS 6

Introduction

In this guide, we’ll show you how to set up and install OpenVPN on a CentOS 5 or CentOS 6 server. By the end of this guide, you will have a working OpenVPN installation on your server. VPN stands for Virtual Private Network: it creates a secure connection between two or more devices. A VPN is used to add privacy to public and private networks, and individuals and companies use it to protect their sensitive data and information.

When combined with HTTPS connections, this setup lets you secure your wireless logins and transactions. OpenVPN is a full-featured, open-source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations.

Requirements

  • OpenVZ based server (recommended). Other types of servers such as Xen/KVM should work fine too, but you might encounter some additional problems during the installation process.
  • Your server’s operating system should be CentOS 5 or CentOS 6 (this guide will not work for any other Linux distribution).
  • TUN/TAP enabled on the server; you can use the command below to check.

The first step is to check whether TUN/TAP is enabled on your server by typing this command in your SSH session:

cat /dev/net/tun

If TUN/TAP is enabled, you should see this:

cat: /dev/net/tun: File descriptor in bad state

If it is not turned on, search for TUN/TAP in your server control panel and enable it, or contact your hosting provider.

Installing some required packages

Let’s first check for server updates:

yum update -y

Install the required packages for OpenVPN:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel nano -y

Download LZO RPM and Configure RPMForge Repo:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

RPMForge 32-bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

RPMForge 64-bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

CentOS 6:

wget ftp://ftp.pbone.net/mirror/dag.wieers.com/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Build and install the RPM packages:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Setting Up and Installing OpenVPN on CentOS (5 and 6)

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Note: If the command above fails with an error like the one below, don’t worry about it; follow the steps below to download and copy easy-rsa, as it is not included with the newer OpenVPN 2.3.1 build:

cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/': No such file or directory

Download easy-rsa from here:

wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Extract the package:

tar -zxvf easy-rsa-2.2.0_master.tar.gz

Copy it to the OpenVPN directory:

cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/

Please note that on CentOS 6 we need to make a small change before running the commands below. Open /etc/openvpn/easy-rsa/2.0/vars and edit the following line:

Change:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

To:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

And save.

Now let’s create the certificates:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Build the CA:

./build-ca
Country Name: may be filled in or press Enter
State or Province Name: may be filled in or press Enter
City: may be filled in or press Enter
Org Name: may be filled in or press Enter
Org Unit Name: may be filled in or press Enter
Common Name: your server hostname
Email Address: may be filled in or press Enter

Build the server key:

./build-key-server server
Almost the same as ./build-ca, but note the changes and additional prompts:
Common Name: server
A challenge password: leave blank
Optional company name: fill in or press Enter
Sign the certificate: y
1 out of 1 certificate requests: y

Generate the Diffie-Hellman parameters and wait a moment until the process finishes:

./build-dh

Now create your config file:

touch /etc/openvpn/server.conf
vi /etc/openvpn/server.conf

And enter the following:

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "block-outside-dns"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save it.
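As an added pre-flight check (example code of my own, not part of the original guide), the function check_server_conf below reads a server.conf like the one above, confirms that every file named by the ca, cert, key and dh directives exists, verifies the private key is not group- or world-readable, and reports whether client-cert-not-required and the PAM plugin are in effect. The function name is mine, and it assumes relative paths resolve against the config file’s directory.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check an OpenVPN
# server.conf before starting the service.
# Usage: check_server_conf /etc/openvpn/server.conf   (exit 0 = all checks passed)
check_server_conf() {
    conf="$1"
    errors=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }
    for directive in ca cert key dh; do
        # First word after the directive; trailing "#- ..." comments are ignored.
        path=$(sed -n "s/^$directive[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "ERROR: no '$directive' directive in $conf"
            errors=$((errors + 1))
            continue
        fi
        # Assumption: a relative path is taken relative to the config's own directory.
        case "$path" in /*) ;; *) path="$(dirname "$conf")/$path" ;; esac
        if [ ! -f "$path" ]; then
            echo "ERROR: $directive file missing: $path"
            errors=$((errors + 1))
        elif [ "$directive" = key ]; then
            # Characters 5-10 of 'ls -l' are the group and other permission bits.
            perm=$(ls -ld "$path" | cut -c5-10)
            if [ "$perm" != "------" ]; then
                echo "ERROR: private key $path is group/world accessible; run: chmod 600 $path"
                errors=$((errors + 1))
            fi
        fi
    done
    if grep -q '^client-cert-not-required' "$conf"; then
        echo "NOTE: client-cert-not-required is set: clients authenticate by username/password only"
    fi
    if grep -q '^plugin .*openvpn-auth-pam' "$conf"; then
        echo "NOTE: PAM plugin active: any account accepted by the named PAM service can log in"
    fi
    [ "$errors" -eq 0 ]
}
```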

Before we start OpenVPN, let’s first disable SELinux. If it is left enabled, it can cause some issues with OpenVPN:

echo 0 > /selinux/enforce

This change is temporary and SELinux will be re-enabled when you reboot. To disable it permanently, edit /etc/selinux/config and change:

SELINUX=enforcing

To:

SELINUX=disabled

After the next reboot it will remain disabled.

Now, let’s start OpenVPN:

service openvpn restart

Now we need to enable IP forwarding. Open /etc/sysctl.conf and set net.ipv4.ip_forward to 1:

net.ipv4.ip_forward = 1

To make the change to sysctl.conf take effect, run:

sysctl -p

Routing with iptables:

The rule below works fine on Xen and KVM based VPSes, but for OpenVZ use the OpenVZ iptables rules instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

OpenVZ iptables rules:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

And

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Make sure you change 123.123.123.123 to your server IP.

If you have CSF on the same server, you need to open your OpenVPN port (usually 1194) through the firewall and run the commands below for CSF; it is also a good idea to add them to /etc/csf/csfpre.sh.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

If the rules above cause any problems or don’t seem to work (especially on cPanel servers), remove them and use the following instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Please make sure 123.123.123.123 is your primary server IP.

Then run:

service iptables save
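As an added helper (example code of my own, not from the original guide), openvpn_nat_rules prints the FORWARD and NAT rules from this section for a given outside interface, choosing the guide’s SNAT form for an OpenVZ venet interface and MASQUERADE otherwise, and refusing to run while the placeholder 123.123.123.123 is still in place. The function name and the narrowing of the OpenVZ SNAT rule to the VPN subnet are my own choices.

```shell
#!/bin/sh
# Added example, not from the original guide: print the iptables rules for the
# OpenVPN subnet. Review the output, then run it as root (or paste it into
# /etc/csf/csfpre.sh). Usage: openvpn_nat_rules <outside_iface> <vpn_subnet> [public_ip]
openvpn_nat_rules() {
    iface="$1"; subnet="$2"; pubip="$3"
    case "$subnet" in
        */*) ;;
        *) echo "ERROR: subnet must be in CIDR form, e.g. 10.8.0.0/24" >&2; return 1 ;;
    esac
    case "$iface" in
        venet*)
            # OpenVZ: the guide uses SNAT to the server's public IP instead of MASQUERADE.
            case "$pubip" in
                "") echo "ERROR: an OpenVZ server needs its public IP as third argument" >&2; return 1 ;;
                123.123.123.123) echo "ERROR: replace the placeholder 123.123.123.123 with the real server IP" >&2; return 1 ;;
                *[!0-9.]*) echo "ERROR: '$pubip' is not a dotted-quad IPv4 address" >&2; return 1 ;;
            esac
            nat="iptables -t nat -A POSTROUTING -s $subnet -o $iface -j SNAT --to-source $pubip"
            ;;
        *)
            # Xen/KVM: MASQUERADE uses whatever address the outside interface currently has.
            nat="iptables -t nat -A POSTROUTING -s $subnet -o $iface -j MASQUERADE"
            ;;
    esac
    # Forwarding policy: replies in, VPN clients out, everything else rejected.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $subnet -j ACCEPT"
    echo "iptables -A FORWARD -j REJECT"
    echo "$nat"
}
```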

Now, on the client, create a server.ovpn config file and enter the following:

client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Make sure you change 123.123.123.123 to your server IP.

And make sure that OpenVPN starts at boot:

chkconfig openvpn on

Download the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory on the server and place it in the same directory as your server.ovpn.

Conclusion

Congratulations! You have successfully installed OpenVPN on CentOS 5 or CentOS 6 by following this guide. As you know, a VPN service is essential for businesses and individuals to protect their valuable data and information (for instance, confidential files, credit card details, passwords, and other credentials). We have designed an OpenVPN based management system that will enable you to run your VPN service in a few steps. It automates everything for you, from sign up to termination. Take a look at our Homepage to learn more about us.
