installing openvpn on centos

Upload: ch-shafique-wains

Post on 07-Jul-2018

8/18/2019 Installing OpenVPN on CentOS

Installing OpenVPN on CentOS 5 and CentOS 6

03 Apr 2012 / 200 Comments / in VPNs / by Admin

In this guide we show you how to set up OpenVPN on CentOS. Followed to the end it gives you a fully working OpenVPN installation. It has NOT been tested on other distributions.

The first step is to check that the tun/tap device is available:

cat /dev/net/tun

If tun is available you should see this:

cat: /dev/net/tun: File descriptor in bad state

That error is the good outcome: the device node exists and the kernel refused to read from a tunnel that has not been configured yet. If you instead get "No such file or directory", tun is not available; on an OpenVZ/Virtuozzo container the host has to enable it for the container before OpenVPN can start.

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download the LZO RPM and configure the RPMForge repo (note: RPMForge/RepoForge has since been retired and the download URLs below no longer resolve; on a current CentOS/EL release openvpn is packaged in EPEL and lzo is in the base repository, so install them from there and continue at "Install OpenVPN"):



wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

32bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

64bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Build the rpm packages (rpmbuild writes the built package under /usr/src/redhat/RPMS on CentOS 5 and under ~/rpmbuild/RPMS on CentOS 6, so adjust the path in the second command accordingly):

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/ (the version in the path is whatever rpm -q openvpn reports):

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/


**PLEASE NOTE** if the above command gives an error like the one below, easy-rsa is not bundled in the newer OpenVPN 2.3.1 build (easy-rsa is a separate project from OpenVPN 2.3 onwards), so download and copy it over as follows:

cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/': No such file or directory

Download easy-rsa from below (the github.com/downloads URL is no longer served; current releases are under github.com/OpenVPN/easy-rsa/releases):

wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Extract the package:

tar -zxvf easy-rsa-2.2.0_master.tar.gz

Copy to the OpenVPN directory:

cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/

Please note on CentOS 6 we need to make a small change before you run the commands below: open /etc/openvpn/easy-rsa/2.0/vars and edit the line below, which otherwise picks the wrong openssl.cnf for the OpenSSL 1.0.x that CentOS 6 ships:

Change:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

To:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

And save. While you are in vars, check KEY_SIZE and set it to 2048 if it is still 1024: it decides the strength of every key that build-key-server and build-dh produce, and the dh line in server.conf has to name the file build-dh actually writes (dh1024.pem or dh2048.pem).

Now let's create the certificates:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all

chmod 755 makes the easy-rsa scripts executable; clean-all then wipes and recreates the keys/ directory with go-rwx permissions, so the private keys it will hold are not world-readable. source ./vars has to be run in your current shell (running ./vars as a command sets nothing).

Build CA:

./build-ca

Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter

Build key server:

./build-key-server server

Almost the same as ./build-ca, but check the changes and the additional prompts:

Common Name: server
A challenge password: leave empty
Optional company name: fill or enter
Sign the certificate: y
1 out of 1 certificate requests certified, commit?: y

Build the Diffie-Hellman parameters (wait a moment until the process finishes; it writes keys/dh<KEY_SIZE>.pem, so with KEY_SIZE=1024 the file is dh1024.pem):

./build-dh

Now create your config file:

touch /etc/openvpn/server.conf

And enter the following:

port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# Comment out the plugin line below if you are using FreeRADIUS
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
# Uncomment the plugin line below if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save it.

A few things to be aware of in this config before you put it in front of real users: client-cert-not-required together with username-as-common-name means a PAM username and password are the only thing a client needs to connect (OpenVPN 2.4 deprecated that directive in favour of "verify-client-cert none"); reneg-sec 0 switches off the periodic rekeying OpenVPN otherwise does every hour; and the dh line must name the file build-dh produced. Keep the keys directory readable by root only.

Before we start OpenVPN, let's disable SELinux if it is enabled, as it can cause issues with OpenVPN, especially when running multiple configs:

echo 0 > /selinux/enforce

(setenforce 0 does the same.) This is temporary and enforcing mode returns when you reboot. To disable it permanently edit /etc/selinux/config and change this line:

SELINUX=enforcing

To:

SELINUX=disabled

After the next reboot it stays disabled.

Disabling SELinux outright is the blunt option. The less damaging one is SELINUX=permissive while you test, then look at the denials in /var/log/audit/audit.log: the targeted policy already knows about /etc/openvpn and port 1194, and anything else (a status file in an odd location, a non-standard port) can be allowed with a small local policy module rather than by switching SELinux off for the whole server.

Now let's start OpenVPN:

service openvpn restart

*Please note if you receive "FAIL" when OpenVPN tries to start and you have the following error in /var/log/messages:

PLUGIN_INIT: could not load plugin shared object /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: cannot open shared object file: No such file or directory

then the latest OpenVPN package does not include the file at that path (reported to be fixed soon). First check whether the package ships the plugin somewhere else, as later builds do:

rpm -ql openvpn | grep -i auth-pam

If it is there, point the plugin line at that path. If it is missing entirely, the pam auth file can be downloaded from here for now:

64Bit:

wget http://safesrv.net/public/openvpn-auth-pam.zip

32Bit:

wget http://safesrv.net/public/dl/openvpn-auth-pam.zip

Extract the file:

unzip openvpn-auth-pam.zip

Move it to the OpenVPN directory:

mv openvpn-auth-pam.so /etc/openvpn/openvpn-auth-pam.so

Then replace the PAM plugin line in your server.conf with:

plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login

Bear in mind that this is a compiled shared object loaded into a daemon that runs as root, fetched over plain HTTP from a third-party site. Building the plugin yourself from the matching OpenVPN source tarball (it lives under src/plugins/auth-pam in the 2.3 tree) is the safer route.

Restart OpenVPN and all should now work:

killall -9 openvpn
service openvpn restart

Now we need to enable IP forwarding. Open /etc/sysctl.conf and set net.ipv4.ip_forward to 1:

net.ipv4.ip_forward = 1

To make the change to sysctl.conf take effect, run:

sysctl -p

Route Iptables:

The rule below will work fine on Xen and KVM based VPS's, but for OpenVZ use the OpenVZ iptables rules instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

OpenVZ iptables rules:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

And

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Make sure you change 123.123.123.123 to your server IP.

IF you have CSF on the same server you need to open your OpenVPN port (usually 1194/udp) through the firewall and run the commands below for CSF. It is also a good idea to add them to /etc/csf/csfpre.sh, which CSF runs before it applies its own rules, so they come back after every CSF restart (CSF flushes iptables first). Keep the order as shown: the last FORWARD rule is a catch-all REJECT, and anything appended after it is never reached.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

If the above rules cause you any problems or don't seem to work (especially on cPanel servers) then remove them and use these instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Please make sure 123.123.123.123 is your main server IP.

Then run...

service iptables save
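
The forwarding and NAT rules above, as an added example that is not part of the original guide: a POSIX shell script that generates them in iptables-save format from parameters (WAN interface, VPN subnet, public IP, MASQUERADE for Xen/KVM or SNAT for OpenVZ), and a check that reads an iptables-save dump and reports the ordering mistake that silently breaks VPN traffic, a catch-all FORWARD REJECT or DROP sitting ahead of the VPN ACCEPT rules. The interface names, the subnet 10.8.0.0/24 and the address 203.0.113.10 in the demo are assumptions, as is the constructed dump it checks.

```shell
#!/bin/sh
# Added example, not code from the safesrv.net guide: emit the VPN forwarding and NAT rules
# in iptables-save format (the format "service iptables save" writes to /etc/sysconfig/iptables)
# and check a saved rule set for a catch-all FORWARD REJECT/DROP placed before the VPN ACCEPTs.
# Interface names, 10.8.0.0/24 and 203.0.113.10 are constructed parameters, not guide values.

# vpn_fw_rules MODE WAN_IF VPN_NET [SERVER_IP]; MODE is masquerade (Xen/KVM) or snat (OpenVZ).
# Only the FORWARD and POSTROUTING rules are emitted: apply with "iptables-restore --noflush",
# because a plain iptables-restore replaces every chain of the tables named in the input.
vpn_fw_rules() {
    mode="$1"; wan="$2"; net="$3"; ip="$4"
    case "$mode" in
        masquerade) nat="-A POSTROUTING -s $net -o $wan -j MASQUERADE" ;;
        snat) [ -n "$ip" ] || { echo "snat needs SERVER_IP" >&2; return 1; }
              nat="-A POSTROUTING -s $net -o $wan -j SNAT --to-source $ip" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
# return traffic first, then VPN clients out of $wan, then an explicit catch-all REJECT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -o $wan -s $net -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
$nat
COMMIT
EOF
}

# forward_order_ok VPN_NET < dump: read an iptables-save dump on stdin and succeed only if at
# least one FORWARD ACCEPT for the VPN (matching VPN_NET or "-i tun0") exists and none of them
# comes after the first match-less "-A FORWARD -j REJECT|DROP", i.e. the catch-all.
forward_order_ok() {
    awk -v net="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == "FORWARD" {
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { if (!term) term = NR }
            else if ($NF == "ACCEPT" && (index($0, net) || index($0, "-i tun0"))) {
                if (term) late++; else early++
            }
        }
        END { exit !(early > 0 && late == 0) }'
}

# Constructed iptables-save dump in which the catch-all landed before the VPN rules, as happens
# when the rules are appended after a firewall that already installed its own REJECT.
bad_dump() { cat <<'EOF'
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Demo: the generated rules pass the check, the constructed dump fails it.
vpn_fw_rules masquerade eth0 10.8.0.0/24 | forward_order_ok 10.8.0.0/24 && echo "generated rules: VPN ACCEPTs precede the catch-all"
bad_dump | forward_order_ok 10.8.0.0/24 || echo "bad dump: catch-all REJECT comes before the VPN ACCEPTs"
```

On a live box the same check runs as `iptables-save | forward_order_ok 10.8.0.0/24`, which is worth doing after every CSF restart since CSF rebuilds the chains from scratch.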

Please note if you are using our FreeRADIUS module for WHMCS then you don't have to do the step below for adding users; just follow the link above to set up OpenVPN to auth off FreeRADIUS. Otherwise you can create a user as follows:

useradd username -s /bin/false
passwd username

The /bin/false shell (or /sbin/nologin, the usual choice on CentOS) matters: these accounts exist only so that PAM can check a password, and they must not be able to log in over SSH or on the console.

If you wanted to delete a user you would use:

userdel username

Now create a server.ovpn config file and enter the following:

client
dev tun
proto udp
remote 123.123.123.123 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Make sure you change 123.123.123.123 to your server IP. It is worth adding "remote-cert-tls server" as well: build-key-server issued the server certificate with the server extensions, and that line makes the client refuse any other certificate signed by your CA as the server end.
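
As an added example, not code from the guide: a small POSIX shell linter that reads the server.conf and server.ovpn shown above and reports the settings a reviewer would push back on, beside a hardened server.conf to show what a clean result looks like. The key paths, the ta.key file and the PAM service name "openvpn" in the hardened config are assumptions, and the hardened config requires client certificates (built with ./build-key <name>), which the guide's setup does not issue.

```shell
#!/bin/sh
# Added example, not code from the safesrv.net guide: lint the server.conf and server.ovpn
# above for settings a reviewer would push back on, and compare the guide's server.conf with
# a hardened one. Needs only POSIX sh, awk and mktemp. The key paths, ta.key and the PAM
# service name "openvpn" in the hardened config are assumptions, not the guide's values.

# Arguments of the first non-comment line whose directive is $2 (empty if absent).
conf_get() { awk -v d="$2" '$1 == d { $1 = ""; sub(/^ /, ""); print; exit }' "$1"; }
# Succeed if directive $2 is present on a non-comment line of $1.
conf_has() { awk -v d="$2" '$1 == d { f = 1; exit } END { exit !f }' "$1"; }

# Print one finding per line for config $1 of kind $2 (server or client).
lint_openvpn_conf() {
    f="$1"; kind="$2"
    [ "$(conf_get "$f" reneg-sec)" = 0 ] && echo "reneg-sec 0: periodic rekeying off, one data-channel key for the whole session"
    { conf_has "$f" comp-lzo || conf_has "$f" compress; } && echo "compression on: compression-oracle (VORACLE) exposure, remove comp-lzo"
    conf_has "$f" cipher || echo "no cipher: OpenVPN 2.3 and earlier default to BF-CBC (64-bit block, SWEET32), set cipher AES-256-CBC"
    { conf_has "$f" tls-auth || conf_has "$f" tls-crypt; } || echo "no tls-auth/tls-crypt: control channel accepts unauthenticated packets"
    if [ "$kind" = server ]; then
        { conf_has "$f" client-cert-not-required || [ "$(conf_get "$f" verify-client-cert)" = none ]; } && echo "client certificates not required: the PAM password is the only factor"
        case "$(conf_get "$f" dh)" in *1024*) echo "dh1024: 1024-bit DH parameters, rebuild with KEY_SIZE=2048" ;; esac
        { conf_has "$f" user && conf_has "$f" group; } || echo "no user/group: daemon stays root after startup, add user nobody / group nobody"
        [ "$(conf_get "$f" plugin | awk '{ print $2 }')" = /etc/pam.d/login ] && echo "PAM service login: VPN logins share the system login stack, use a dedicated /etc/pam.d/openvpn"
    else
        conf_has "$f" remote-cert-tls || echo "no remote-cert-tls server: any certificate signed by the CA is accepted as the server, not only one built with build-key-server"
    fi
    return 0
}

# Number of findings for config $1 of kind $2.
lint_count() { lint_openvpn_conf "$1" "$2" | awk 'END { print NR }'; }

# The guide's server.conf, as a constructed sample trimmed to the directives the checks read.
write_guide_server() { cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
comp-lzo
EOF
}

# The guide's server.ovpn, as a constructed sample.
write_guide_client() { cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 123.123.123.123 1194
nobind
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
EOF
}

# Hardened server.conf: client certificates required, default rekeying, no compression,
# 2048-bit DH, tls-auth, explicit cipher and auth, privilege drop, dedicated PAM service.
write_hardened_server() { cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
cipher AES-256-CBC
auth SHA256
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
server 10.8.0.0 255.255.255.0
user nobody
group nobody
persist-key
persist-tun
EOF
}

# Demo: the guide's two configs against the hardened one.
s=$(mktemp); c=$(mktemp); h=$(mktemp)
write_guide_server "$s"; write_guide_client "$c"; write_hardened_server "$h"
for pair in "server:$s" "client:$c" "server:$h"; do
    kind=${pair%%:*}; file=${pair#*:}
    echo "== $file ($kind): $(lint_count "$file" "$kind") findings"; lint_openvpn_conf "$file" "$kind"
done
rm -f "$s" "$c" "$h"
```

The hardened server config keeps the guide's PAM password check but adds a client certificate and a tls-auth key as second and third factors; persist-key and persist-tun are what let the daemon keep working after it drops to nobody, since it can no longer reopen the key files or the tun device itself. Running the linter on your real files is just `lint_openvpn_conf /etc/openvpn/server.conf server`.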

And make sure OpenVPN starts at boot:

chkconfig openvpn on

Download the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in the same directory as your server.ovpn (ca.crt is the only file from keys/ that should leave the server; the .key files stay there).

Now download a VPN client, import your config file and enter the username and password created above.