originally from https://safesrv.net/install-openvpn-on-centos/
copy pasted here on my blog in case that site ever goes down... really thats the only reason I ever put anything on this blog. heh. saved me a time or two in the past though having it all here.
Its important these days to protect yourself on the web, you never know whose lurking and snoopin on your traffic on Wifi these days. I use my openVPN's for my Android devices as well as my laptops whenever I'm on the go.
This guide was very well written. Minor detail was making sure the -FORWARDing table was setup properly in iptables. I'm not really sure why recompiling lzo was necessary, but I followed the guide and everything turned out ok for me. Mine (2 KVM and 1 OpenVZ) were on CentOS 6 from www.hostigation.net - Tim at hostigation sells some really nice VPS's and is always a pleasure to work with.
Also the author of this article sells VPS/s with OpenVPN preconfigured at http://safesrv.net/secure-vps-hosting/
Installing OpenVPN on CentOS 5 and CentOS 6
In this guide we will show you how to setup OpenVPN on centos – the guide will give you a fully working OpenVPN installation, NOT TESTED ON OTHER DISTROS..
Looking for an OpenVPN Ready VPS ? We setup OpenVPN for youBuy Bow just select OpenVPN at checkout and we will set it all up for you.
First step is to check if tun/tap is active:
cat /dev/net/tun
If tun is active then you should see this:
cat: /dev/net/tun: File descriptor in bad state
Make sure you have these packages installed:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Download LZO RPM and Configure RPMForge Repo:
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
32bit Package:
CentOS 5:
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
CentOS 6:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
64bit Package:
CentOS 5:
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
CentOS 6:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Build the rpm packages:
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm rpm -Uvh lzo-*.rpm rpm -Uvh rpmforge-release*
Install OpenVPN:
yum install openvpn -y
Copy the easy-rsa folder to /etc/openvpn/:
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Please note on CentOS 6 we need to make a small change before you run the commands below, open up /etc/openvpn/easy-rsa/2.0/vars and edit the below line:
Change:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
To:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
And save..
Now let’s create the certificate:
cd /etc/openvpn/easy-rsa/2.0 chmod 755 * source ./vars ./vars ./clean-all
Build CA:
./build-ca
Country Name: may be filled or press enter State or Province Name: may be filled or press enter City: may be filled or press enter Org Name: may be filled or press enter Org Unit Name: may be filled or press enter Common Name: your server hostname Email Address: may be filled or press enter
Build key server:
./build-key-server server
Almost the same with ./build.ca but check the changes and additional Common Name: server A challenge password: leave Optional company name: fill or enter sign the certificate: y 1 out of 1 certificate requests: y
Build Diffie Hellman (wait a moment until the process finish):
./build-dh
Now create your config file:
touch /etc/openvpn/server.conf
And enter the following:
local 123.123.123.123 #- your_server_ip goes here port 1194 #- port proto udp #- protocol dev tun tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login client-cert-not-required username-as-common-name server 10.8.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 5 30 comp-lzo persist-key persist-tun status 1194.log verb 3
Save it and start OpenVPN:
service openvpn start
Now we need to enable IP forwarding. So open the file /etc/sysctl.conf and set ‘net.ipv4.ip_forward’ to 1.
net.ipv4.ip_forward = 1
To make the changes to sysctl.conf take effect, use the following command.
sysctl -p
Route Iptables:
The rule below will work fine on xen and KVM based VPS’s but for OpenVZ use the OpenVZ iptable rule instead:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
OpenVZ iptable rules:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
And
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
Make sure you change 123.123.123.123 to your server IP.
IF you have CSF on the same server you need to open your OpenVPN port (Usually 1194) through the firewall and run the below commands for CSF:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
Then run…
service iptables save
Again – make sure you change 123.123.123.123 to your server IP.
This section explains that your vpn will use PAM to auth people to it (on your system, so local users on your system will auth to openvpn via their user/pass that they use for SSH)
If you are using our FreeRADIUS module for WHMCS then you don’t have to do the below step – otherwise you can create a user as follows:
useradd username -s /bin/false passwd username
If you wanted to delete a user you would use:
userdel username
This section is the client config file, you can name it whatever.you.want.ovpn, but OP has used 'server.ovpn'
Now create a server.ovpn config file and enter the following:
client dev tun proto udp remote 123.123.123.123 1194 # - Your server IP and OpenVPN Port resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ca ca.crt auth-user-pass comp-lzo verb 3
Make sure you change 123.123.123.123 to your server IP.
If using Windows OpenVPN clients, make sure the path to the 'ca ca.crt' is an absolute path with quotes (for spaces), for my Win7 machine I used
ca "c:\Users\tronik\Personal Documents\ca.crt"
And make sure OpenVPN starts at boot:
chkconfig openvpn on
Download ca.crt file in /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in the same directory as your server.ovpn.
Now download a VPN client and import your config file and enter your username and password created above or if you have already configured OpeVPN Source with the FreeRADIUS plugin, use a username and password created in the radius database.
You can now follow the guide to configure OpenVPN source with FreeRADIUS.
