Several months ago I rented a virtual private server and used it to install OpenVPN. At that time, I used OpenVPN to be able to access several websites that my office had blocked.

When I ordered it, it was an unmanaged VPS with CentOS 32-bit already installed, which meant I only needed to install OpenVPN on it. Depending on the virtualization technology used to run your VPS, you might need to contact your provider and ask for TUN to be enabled on your VPS. How will you know whether you need to request TUN/TAP? OpenVPN will not be able to start and will give you a weird error, but we will go through that below.

First of all, you need to check whether TUN/TAP has already been enabled or not:

ls -al /dev/net/tun

If TUN/TAP is enabled, it will show:

ls -al /dev/net/tun
crw------- 1 root root 10, 200 Jul 16 15:26 /dev/net/tun

Here is the list of packages you need to install:

1. nano    (I prefer to use nano because to me it is easy to use)
2. gcc
3. rpm-build
4. autoconf.noarch
5. zlib-devel
6. pam-devel
7. openssl-devel
8. make

You can install all of them at once:

yum install nano gcc rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel make

Download the OpenVPN source tarball and the LZO source RPM to the server:

wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

It is better to update the system first before continuing to the next step:

yum update

After updating, build RPMs from the downloaded files and install them (use the rpm line for your architecture):

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
# 64-bit:
rpm -Uvh /usr/src/redhat/RPMS/x86_64/lzo-*.rpm
# 32-bit:
rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
rpmbuild -tb openvpn-2.0.9.tar.gz
# 64-bit:
rpm -Uvh /usr/src/redhat/RPMS/x86_64/openvpn-2.0.9-1.x86_64.rpm
# 32-bit:
rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm

Copy the easy-rsa scripts and the sample server configuration file to /etc/openvpn:

cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/

To build the certificates, go into /etc/openvpn/easy-rsa/2.0 and run:

cd /etc/openvpn/easy-rsa/2.0
# the vars file must be sourced, not executed, so its settings land in the current shell
source ./vars
./clean-all
./build-ca

You will see output like this:
Generating a 1024 bit RSA private key
.........................++++++
..........................++++++
writing new private key to 'ca.key'
etc.

Just press Enter through the prompts; the only field you need to fill in is "Common Name".

Now it is time to make the server key:

./build-key-server server

Generate the Diffie-Hellman parameters:

./build-dh

Copy the newly built certificates and keys to /etc/openvpn/keys:

cp -R /etc/openvpn/easy-rsa/2.0/keys /etc/openvpn/keys

Let's head to the OpenVPN directory /etc/openvpn/:

cd /etc/openvpn/

See what is in it:

ls -al
drwxr-xr-x  4 root root 4096 Jul 17 00:42 .
drwxr-xr-x 51 root root 4096 Jul 17 00:28 ..
drwxr-xr-x  4 root root 4096 Jul 17 00:28 easy-rsa
drwx------  2 root root 4096 Jul 17 00:42 keys
-rw-r--r--  1 root root 9970 Jul 17 00:28 server.conf

Delete the sample server.conf:

rm -f server.conf

and make a new one with vi, pico or nano (I prefer nano):

nano /etc/openvpn/server.conf

Just write dev tun (without the quotes) on the first line and save it.

Now it is time to write the real configuration. This is the part where we open a port, so be careful: open only the port you actually want to use. Save the file with a .conf extension (for example, 443.conf).
Here is an example for opening port 443, saved as 443.conf.
Edit it as you like:

#begin
port 443                            # adjust the port as desired
proto tcp                           # tcp or udp, as desired
dev tun                             # routed tunnel device; this is the /dev/net/tun checked above
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required            # clients authenticate with a username/password via PAM, not a certificate
username-as-common-name
server 192.168.1.0 255.255.255.0             # private subnet for this instance; use a different one for each port you open
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 4.2.2.1"               # adjust DNS as desired
push "dhcp-option DNS 4.2.2.2"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server.log
verb 3
#end

This is the UDP configuration, on port 53. Compare it with 443.conf and you will see the differences (the port, the protocol and the subnet):

#begin
port 53
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server.log
verb 3
#end

Is it over? Not yet, guys: you need to set this up to run automatically after a reboot, and we still have to write the iptables rule.

For a VPS (replace xx.xx.xx.xx with your server's public IP address):

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o venet0 -j SNAT --to xx.xx.xx.xx

Adjust the interface to your virtualization: venet0 is the OpenVZ interface.
If you use Xen, you must change it to eth0.

For a dedicated server:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o venet0 -j MASQUERADE

Save the rules to /etc/sysconfig/iptables-net:

iptables-save > /etc/sysconfig/iptables-net

This writes your current iptables rules to the file /etc/sysconfig/iptables-net.
If you want to open more ports, add another server configuration for each port and add a matching rule to /etc/sysconfig/iptables-net:
copy the previous POSTROUTING line and change the subnet to the one used by the new port's configuration.
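Since every extra port means another .conf with its own subnet plus a matching POSTROUTING line, here is a small shell script, added as an example and not part of the original post, that generates both from a port, protocol and subnet. It keeps the post's key directory, PAM plugin path and password-only authentication, and assumes a constructed public IP of 203.0.113.5; unlike the post it gives each instance its own ipp and status file so two instances do not overwrite each other's.

```shell
#!/bin/sh
# Added example (not from the original post): emit one OpenVPN server instance
# config (the post writes 443.conf and the port-53 UDP config by hand) and the
# matching POSTROUTING rule. Key dir and PAM plugin path are the post's.
# Differs from the post in giving each instance its own ipp/status file.

KEYS=/etc/openvpn/keys
PAM_PLUGIN=/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so

# gen_conf PORT PROTO SUBNET -> prints the config; PROTO must be tcp or udp.
# client-cert-not-required keeps the post's PAM-only login: any system
# account with a password on the VPS can connect, so keep those passwords strong.
gen_conf() {
    port=$1; proto=$2; subnet=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got: $proto" >&2; return 1 ;;
    esac
    cat <<EOF
port $port
proto $proto
dev tun
ca $KEYS/ca.crt
cert $KEYS/server.crt
key $KEYS/server.key
dh $KEYS/dh1024.pem
plugin $PAM_PLUGIN /etc/pam.d/login
client-cert-not-required
username-as-common-name
server $subnet 255.255.255.0
ifconfig-pool-persist ipp-$port.txt
push "redirect-gateway def1"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-$port.log
verb 3
EOF
}

# nat_rule SUBNET IFACE PUBLIC_IP -> the SNAT line for that instance (venet0 on OpenVZ, eth0 on Xen)
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s/24 -o %s -j SNAT --to %s\n' "$1" "$2" "$3"
}

# Usage for the post's two instances (constructed public IP 203.0.113.5):
# gen_conf 443 tcp 192.168.1.0 > /etc/openvpn/443.conf; nat_rule 192.168.1.0 venet0 203.0.113.5
# gen_conf 53 udp 192.168.2.0 > /etc/openvpn/53.conf;   nat_rule 192.168.2.0 venet0 203.0.113.5
```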

To restore the rules after a reboot, the saved file needs to be loaded from /etc/init.d/network:

nano /etc/init.d/network

Add the line iptables-restore < /etc/sysconfig/iptables-net just before exit 0 (the last line).

For IP forwarding, open the sysctl.conf file:

nano /etc/sysctl.conf

Find:
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
and change 0 to 1, which enables IP forwarding:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Done with IP forwarding. Now the last step is to open the rc.local file so the command is executed after a reboot:

nano /etc/rc.local

Go to the last line and add:

service openvpn start

But first, we need to check whether OpenVPN actually starts:

service openvpn start

If that fails, run OpenVPN directly against your server configuration to see the error:

openvpn /etc/openvpn/443.conf    # or whichever port configuration you have

If the error concerns TUN/TAP, contact the technical support of the provider you bought the server from.
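Before blaming TUN/TAP, the check a practitioner wants is whether the certificate and key paths in each .conf actually exist and whether the device node is there. This shell snippet, an added example and not code from the original post, does both for one configuration file; the only assumption is that the config uses the ca/cert/key/dh directives exactly as in 443.conf.

```shell
#!/bin/sh
# Added example (not from the original post): a preflight check to run before
# "service openvpn start". It separates a missing certificate/key file (a
# typo in the .conf or keys never copied to /etc/openvpn/keys) from the
# TUN/TAP problem the post describes (/dev/net/tun missing on the VPS).

# check_conf FILE -> prints each ca/cert/key/dh path in FILE that is not
# readable; returns 1 if any is missing, 0 if all are present
check_conf() {
    missing=0
    while read -r key val rest; do
        case "$key" in
            ca|cert|key|dh)
                if [ ! -r "$val" ]; then
                    echo "$1: $key points to missing file $val"
                    missing=1
                fi ;;
        esac
    done < "$1"
    return $missing
}

# tun_available -> 0 if the TUN/TAP device node exists (the post's ls -al /dev/net/tun check)
tun_available() {
    [ -c /dev/net/tun ]
}

# Usage on the post's 443.conf (nothing is printed when all files are present):
# check_conf /etc/openvpn/443.conf && tun_available && echo "ready to start"
```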

Hurray, we are done!
Now it is time to run all of it: restart your VPS from your VM or control panel.

In the next article I will write about the client configuration and how to add OpenVPN clients.
When? After I get some sleep :D

It's 7.50 AM here.. Good night guys.... (or should I say Good Morning? LOL)