This guide walks you through setting up and configuring an OpenVPN server on CentOS 6.
Before setting up the OpenVPN server, you need the Extra Packages for Enterprise Linux (EPEL) repository enabled on your server. EPEL is a third-party repository maintained by the Fedora Project, and it provides the openvpn and easy-rsa packages used below.
Log in to your server, download the EPEL release package for CentOS 6 (epel-release-6-8.noarch.rpm) and install it –
rpm -Uvh epel-release-6-8.noarch.rpm
OpenVPN Installation & Configuration
To start, install the OpenVPN package together with easy-rsa, which provides the scripts used to build the certificates –
yum install openvpn easy-rsa -y
OpenVPN ships with a sample server configuration, so next copy it to its destination –
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn
Next, edit the file –
nano -w /etc/openvpn/server.conf
Uncomment the “push” line that makes clients send all of their traffic through the VPN rather than only traffic for the VPN subnet –
push "redirect-gateway def1 bypass-dhcp"
We also suggest changing the DNS lines that follow immediately so that clients resolve names through Google Public DNS. Without this, clients keep using their local resolver and their DNS queries bypass the tunnel even though the rest of their traffic goes through it –
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
To limit the damage a compromise of the OpenVPN process can do, make sure it drops root privileges after start-up: uncomment the “user nobody” and “group nobody” lines.
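The relevant part of /etc/openvpn/server.conf after these edits, as an added illustration and not a copy of the guide's own file. The commented lines are the sample's defaults (the sample's DNS defaults are shown as an assumption). persist-key and persist-tun are already enabled in the sample and must stay that way: once privileges have been dropped the daemon can no longer reopen the key file or the tun device on a restart, so without them a SIGUSR1 restart fails.

```conf
# Before (sample defaults): clients keep their own default route and resolver,
# and the daemon keeps running as root for its whole lifetime.
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;user nobody
;group nobody

# After: all client traffic, DNS included, enters the tunnel, and the daemon
# drops to nobody once the tun device and the key are open.
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
user nobody
group nobody
persist-key
persist-tun
```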
Now that we have finished the configuration file, we need to generate the required keys and certificates.
Generate Keys & Certificates
The easy-rsa package installs its scripts under /usr/share/openvpn/easy-rsa/2.0. Create a working directory under /etc/openvpn and copy them over.
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
Next, edit the vars file, which supplies the easy-rsa scripts with the defaults for the certificate fields.
nano -w /etc/openvpn/easy-rsa/vars
Modify the “KEY_” variables at the bottom of the file (country, province, city, organisation, e-mail address). The variable names are descriptive and should be filled in with your own details; the values become the subject fields of every certificate you issue.
Once updated, the lines look like this –
export KEY_ORG="Organisation Name"
The easy-rsa scripts may fail to detect the OpenSSL version shipped with CentOS 6 and then abort because they cannot find an openssl.cnf. To prevent this, copy the matching OpenSSL configuration file into place.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Now move into the working directory, load the vars file into your shell and build the Certificate Authority (CA) with build-ca, based upon the information you provided.
Once the CA is ready, create the certificate for the OpenVPN server with build-key-server. When asked whether to sign the certificate and to commit, answer yes.
Then generate the Diffie-Hellman parameters with the build-dh script, and copy the files the server needs into /etc/openvpn (run this from the keys directory) –
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn
To allow clients to authenticate, create client certificates with build-key. Repeat this as often as necessary so that every client or device that connects to the VPN has its own certificate and key. If you are going to have more than a couple of pairs, use descriptive file names. Issue one certificate per device, never one shared between several: a certificate can only be revoked as a whole, so a key shared by several devices cannot be withdrawn from a single lost laptop without cutting off all the others.
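The whole key-generation procedure above as one script, added here as an example and not taken from the guide or from easy-rsa itself. It assumes easy-rsa 2.0 has been copied to /etc/openvpn/easy-rsa and vars has been edited; the server name "server" and the client names are assumptions. The two small guards enforce the per-device rule: a client name must be usable as a file name, must not collide with the server or CA files, and must not already have a key in keys/.

```shell
#!/bin/sh
# Added example: easy-rsa 2.0 workflow for the CA, the server certificate and
# one certificate per client device. Paths are assumptions; override via environment.
EASYRSA_DIR="${EASYRSA_DIR:-/etc/openvpn/easy-rsa}"
OPENVPN_DIR="${OPENVPN_DIR:-/etc/openvpn}"

# Accept only names that are safe as file names and do not shadow server/CA files.
valid_client_name() {
    case "$1" in
        "" | *[!A-Za-z0-9_.-]* ) return 1 ;;
        server | ca ) return 1 ;;       # would collide with server.key / ca.key in keys/
    esac
    return 0
}

# A name that already has a key or certificate belongs to a device that exists;
# a second device gets its own name (and a lost one gets revoked, not reused).
client_cert_exists() {
    [ -e "$EASYRSA_DIR/keys/$1.key" ] || [ -e "$EASYRSA_DIR/keys/$1.crt" ]
}

# Initial PKI build. clean-all wipes keys/, so run this once, not on every change.
build_pki() {
    cd "$EASYRSA_DIR" || return 1
    . ./vars                          # exports the KEY_* defaults edited above
    ./clean-all                       # empties keys/ and creates index.txt and serial
    ./build-ca                        # CA key and certificate (prompts use KEY_* defaults)
    ./build-key-server server         # server certificate; answer y to sign and commit
    ./build-dh                        # DH parameters; size follows KEY_SIZE in vars
    cp keys/dh1024.pem keys/ca.crt keys/server.crt keys/server.key "$OPENVPN_DIR"/
}

# One certificate and key per device, e.g. build_client alice-laptop
build_client() {
    name="$1"
    valid_client_name "$name" || { echo "bad client name: '$name'" >&2; return 1; }
    if client_cert_exists "$name"; then
        echo "'$name' already has a certificate; use a new name for each device" >&2
        return 1
    fi
    cd "$EASYRSA_DIR" || return 1
    . ./vars
    ./build-key "$name"               # produces keys/$name.crt and keys/$name.key
}

# Usage (as root): sh pki.sh pki            # once, to build CA, server cert and DH
#                  sh pki.sh client NAME    # for every client device
case "${1:-}" in
    pki)    build_pki ;;
    client) build_client "$2" ;;
esac
```

The client's configuration then needs ca.crt plus its own NAME.crt and NAME.key; hand those over out of band and never copy the CA's private key (keys/ca.key) off the server.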
Routing Configuration & Starting OpenVPN Server
Add an iptables NAT rule so that traffic from the VPN subnet (10.8.0.0/24, the range the sample server.conf hands out) is masqueraded out of the server's public interface. Replace eth0 if your outbound interface has a different name (on OpenVZ containers it is usually venet0) –
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save
The second command writes the running rules to /etc/sysconfig/iptables so the rule survives a reboot.
Then enable IP forwarding in sysctl, otherwise the kernel will drop the packets it is supposed to route between tun0 and the public interface –
nano -w /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Finally, apply the new sysctl settings to the running kernel (editing sysctl.conf alone changes nothing until it is loaded). Then start the server and make sure it starts automatically on boot –
service openvpn start
chkconfig openvpn on
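The routing and start-up steps as one script that also verifies they took effect, added here as an example and not part of the original guide. It checks the kernel's live ip_forward value rather than the config file, and rewrites an existing net.ipv4.ip_forward line instead of appending a second, contradictory one. VPN_SUBNET matches the sample server.conf; WAN_IF is an assumption and must be the interface that carries the server's public traffic.

```shell
#!/bin/sh
# Added example: apply the NAT rule and IP forwarding, then confirm both are live.
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"
IP_FORWARD_PROC="${IP_FORWARD_PROC:-/proc/sys/net/ipv4/ip_forward}"

# Persist net.ipv4.ip_forward = 1: CentOS ships the line set to 0, so replace it
# in place; only append when the file has no such line at all.
set_ip_forward_conf() {
    conf="$1"
    if grep -q '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$conf"
    fi
}

# The value the kernel is using right now; takes the proc path as argument.
ip_forward_live() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# True if the nat POSTROUTING chain already masquerades VPN_SUBNET out of WAN_IF.
# -L -n -v is used because the iptables on CentOS 6 predates -C.
has_masquerade_rule() {
    iptables -t nat -L POSTROUTING -n -v 2>/dev/null \
        | grep MASQUERADE | grep -w -- "$WAN_IF" | grep -q -- "$VPN_SUBNET"
}

apply_routing() {
    has_masquerade_rule || iptables -t nat -A POSTROUTING -s "$VPN_SUBNET" -o "$WAN_IF" -j MASQUERADE
    service iptables save                     # persists to /etc/sysconfig/iptables
    set_ip_forward_conf "$SYSCTL_CONF"
    sysctl -p >/dev/null                      # load sysctl.conf into the running kernel
    ip_forward_live "$IP_FORWARD_PROC" || { echo "ip_forward is still 0" >&2; return 1; }
    has_masquerade_rule || { echo "MASQUERADE rule for $VPN_SUBNET missing" >&2; return 1; }
    service openvpn start && chkconfig openvpn on
}

# Usage (as root): sh routing.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_routing
fi
```

If the final checks pass but clients still cannot reach the internet, the usual cause is WAN_IF naming an interface other than the one holding the public address; compare it against the output of ip route.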
Your OpenVPN server should now be up and running! 🙂
OpenVZ Virtual Machine Container
OpenVPN needs the TUN device (server.conf uses “dev tun”), and on OpenVZ it is only present if the host has enabled it for your container. Check that it is available by reading it –
cat /dev/net/tun
If TUN/TAP is enabled, cat fails with exactly this error, which is the expected result: the device exists, it just cannot be read until OpenVPN has configured it –
cat: /dev/net/tun: File descriptor in bad state
If you get “No such file or directory” or “No such device” instead, TUN/TAP is not available; check within your Control Panel whether you can enable TUN/TAP, or ask your provider to do so.
For further info, check out the OpenVZ FAQ.