Latest news from 5wire Networks

How to Setup and Configure an OpenVPN Server on CentOS 5/6/7

This guide walks you through setting up and configuring an OpenVPN server on your CentOS server.

Preparation

Before setting up the OpenVPN server, you’ll need to have the Extra Packages for Enterprise Linux (EPEL) repository enabled on your server. This is a third-party repository offered by the Fedora Project which provides the OpenVPN package.

Log in to your server, then download and install the EPEL release package with the following commands (the package below is the CentOS 6 release; on CentOS 7 the same repository can be enabled with “yum install epel-release” from the extras repository) –

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

OpenVPN Installation & Configuration

To start, install the OpenVPN and easy-rsa packages –

yum install openvpn easy-rsa -y

OpenVPN comes with a sample configuration, so next we need to copy the sample configuration file to its destination –

cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn

Next, we need to edit the file –

nano -w /etc/openvpn/server.conf

Uncomment the “push” directive below, which causes all traffic from the client’s system to be routed through the VPN tunnel.

push "redirect-gateway def1 bypass-dhcp"

We also suggest uncommenting and changing the two lines that immediately follow, so that clients’ DNS queries are routed via Google’s Public DNS servers rather than resolved outside the tunnel.

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

To enhance security, make sure OpenVPN drops root privileges after start-up by uncommenting the “user” and “group” lines.

user nobody
group nobody

Now that we have finished the configuration file, we need to generate the required keys and certificates.

Generate Keys & Certificates

The easy-rsa scripts are already installed on the system by default. Create the required folder and copy them over.

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Next, we edit the vars file which provides the easy-rsa scripts with the required information.

nano -w /etc/openvpn/easy-rsa/vars

You then need to modify the “KEY_” variables at the bottom of the file. The variable names are fairly descriptive and should be filled out with the applicable information.

Once updated, it should look something like the below –

export KEY_COUNTRY="GB"
export KEY_PROVINCE="London"
export KEY_CITY="London"
export KEY_ORG="Organisation Name"
export KEY_EMAIL="admin@domain.com"
export KEY_CN=example.domain.com
export KEY_NAME=server
export KEY_OU=server

The easy-rsa scripts may fail to detect the OpenSSL version on CentOS 6. To prevent this, copy the required OpenSSL configuration file into place –

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Now move into the working directory and build the Certificate Authority (CA), based upon the information provided.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

Once the CA is ready, create the certificate for the OpenVPN server. When build-key-server asks whether to sign and commit the certificate, answer yes.

./build-key-server server

Then, we need to generate our Diffie-Hellman key exchange parameters using the build-dh script, and then copy all of our files into /etc/openvpn. Note that the file name follows the KEY_SIZE set in vars (1024 by default, which is now considered weak); if you raise it to 2048, build-dh produces dh2048.pem and the “dh” line in server.conf must be changed to match –

./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn

To allow clients to authenticate, we need to create client certificates. Repeat this as necessary to generate a unique certificate and key for each client or device that requires a VPN connection. If you are planning to have more than a couple of certificate pairs, make sure you use descriptive file names. For security reasons we insist you create a separate certificate for each device, so that a single lost or compromised device can be revoked without affecting the others.

cd /etc/openvpn/easy-rsa
./build-key client

Routing Configuration & Starting OpenVPN Server

Create an iptables rule to allow proper routing of your VPN subnet (replace eth0 with your server’s public interface if it differs) –

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

Then, enable IP forwarding in sysctl by editing /etc/sysctl.conf –

nano -w /etc/sysctl.conf

and setting –

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Finally, apply the new sysctl settings, start the server and ensure that it starts automatically on boot –

sysctl -p
service openvpn start
chkconfig openvpn on

Your OpenVPN server should now be up and running! 🙂
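As an added example (not part of the original guide), here is a small POSIX shell lint for the server.conf settings above: it checks that “user”/“group” are active so the daemon drops root, and that the redirect-gateway push is enabled. The config it reads is a constructed sample standing in for /etc/openvpn/server.conf, and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the 5wire guide: lint an OpenVPN server.conf for the
# settings the guide tells you to uncomment, then re-check after fixing them.
# Constructed sample config standing in for /etc/openvpn/server.conf.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 8.8.8.8"
;user nobody
;group nobody
EOF

# active_directive FILE NAME: print the first value of NAME from lines that are
# not comments (OpenVPN treats lines beginning with '#' or ';' as comments).
active_directive() {
    grep -v '^[[:space:]]*[#;]' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# check_conf FILE: print one finding per setting; return 0 only if the daemon
# drops privileges (user and group set) and redirect-gateway is pushed.
check_conf() {
    rc=0
    for d in user group; do
        v="$(active_directive "$1" "$d")"
        if [ -n "$v" ]; then echo "ok: $d $v"
        else echo "MISSING: '$d' is commented out, daemon keeps root"; rc=1; fi
    done
    if grep -q '^[[:space:]]*push[[:space:]]*"redirect-gateway' "$1"; then
        echo "ok: client traffic redirected through the tunnel"
    else echo "MISSING: redirect-gateway push"; rc=1; fi
    return $rc
}

# uncomment_privdrop SRC DST: copy SRC to DST with ';user' / ';group' uncommented.
uncomment_privdrop() {
    sed -e 's/^[[:space:]]*;[[:space:]]*user /user /' \
        -e 's/^[[:space:]]*;[[:space:]]*group /group /' "$1" > "$2"
}

check_conf "$SAMPLE_CONF" || echo "-> server.conf needs fixing"
uncomment_privdrop "$SAMPLE_CONF" "$SAMPLE_CONF.fixed"
check_conf "$SAMPLE_CONF.fixed" && echo "-> fixed config passes"
```

Run it against the real file by replacing the sample path with /etc/openvpn/server.conf; the sed rewrite only uncomments the two privilege-drop lines and leaves everything else untouched.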

OpenVZ Virtual Servers

If your server is an OpenVZ container, check that the TUN device is available –

cat /dev/net/tun

If working, it should return the following –

cat: /dev/net/tun: File descriptor in bad state

If it is not working, check within your Control Panel whether you can enable TUN/TAP.

For further info, check out the OpenVZ FAQ.