# ls -al /dev/net/tun
If the kernel exposes the TUN/TAP device you'll get output like the following:
# ls -al /dev/net/tun
crw------- 1 root root 10, 200 Aug 1 14:12 /dev/net/tun
Then check whether the driver behind /dev/net/tun is actually enabled, not just the device node:
# cat /dev/net/tun
If it is enabled you'll get the following error. It is the expected result: the device opened successfully, and the kernel only refuses to read from a tun node that no program has attached to yet.
# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
Any other message means open() itself failed. In that case contact your VPS provider's support and ask them to enable TUN/TAP for your machine; on container platforms such as OpenVZ this is a host-side setting you cannot change from inside the guest.
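The two checks above, folded into one shell function that can sit at the top of a provisioning script. This is an added example and not part of the original guide; the name tun_check and its exit codes are my own convention. It treats the "File descriptor in bad state" read error as success, because that is exactly what a working but not-yet-attached tun node returns, and forces LC_ALL=C so the message text is not localised away.

```shell
#!/bin/sh
# Added example (not from the original guide): can this host run OpenVPN in
# "dev tun" mode?
#
# tun_check [DEVICE]  -> 0: usable
#                        1: node missing or not a character device
#                        2: node present but the kernel refuses it (typically a
#                           container whose host has not enabled TUN/TAP)
tun_check() {
    dev=${1:-/dev/net/tun}

    # Step 1 of the guide: the node must exist and be a character device
    # (the "c" in crw------- from ls -al).
    if [ ! -c "$dev" ]; then
        echo "$dev: no such character device; this kernel/VPS does not expose TUN/TAP" >&2
        return 1
    fi

    # Step 2 of the guide: opening an unattached tun node succeeds, but the
    # first read fails with EBADFD. That exact message is therefore the
    # success signature; anything else means open() failed, or the node is
    # some other device entirely. LC_ALL=C keeps strerror() in English.
    msg=$(LC_ALL=C cat "$dev" 2>&1 </dev/null)
    case $msg in
        *"File descriptor in bad state"*)
            return 0 ;;
        *)
            echo "$dev: ${msg:-read succeeded, so this is not a tun device}; ask the provider to enable TUN/TAP" >&2
            return 2 ;;
    esac
}
```

Use it as `tun_check || exit 1` before running the yum and rpmbuild steps, so a provisioning run stops early on a VPS that cannot host the tunnel instead of failing when the service starts.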
Install the required build and runtime dependencies:
# yum -y install gcc make zlib-devel pam-devel openssl-devel rpm-build autoconf.noarch nano openssl lzo2
Install OpenVPN
# cd /tmp
# wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
# wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
# rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
# rpmbuild -tb openvpn-2.0.9.tar.gz
For server CentOS x86 (i386)
# rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
# rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm
For server CentOS x64 (x86_64)
# rpm -Uvh /usr/src/redhat/RPMS/x86_64/lzo-*.rpm
# rpm -Uvh /usr/src/redhat/RPMS/x86_64/openvpn-2.0.9-1.x86_64.rpm
Build certificates
# cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0
# nano ./vars
Find the following line:
export KEY_DIR="$EASY_RSA/keys"
Change it to:
export KEY_DIR="/etc/openvpn/keys"
The same file sets export KEY_SIZE=1024. Raising it to 2048 gives the CA, server and client keys and the DH parameters a size that is still considered acceptable; if you do, build-dh below writes dh2048.pem and the dh line in server.conf must point there instead of dh1024.pem.
# chmod 755 *
# source ./vars
# ./clean-all
# ./build-ca
source ./vars loads the settings into your current shell; running ./vars as a command would only set them in a subshell that exits immediately, which is why it is not listed. clean-all wipes and recreates KEY_DIR, so run it only once, at the very start.
You will then be prompted like this:
Generating a 1024 bit RSA private key
....................................................................++++++
..............................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [Fort-Funston CA]:
Email Address [me@myhost.mydomain]:
Just hit Enter to accept each default; the only field that needs a value is "Common Name", which you can set to anything you like. The result is ca.crt and ca.key in /etc/openvpn/keys. ca.key is the root of trust for the whole VPN: anyone holding it can issue certificates your server will accept, so never copy it to a client and, if you can, move it off the VPN server once all certificates have been issued.
Build Server Key
# ./build-key-server server
The same prompts appear as before. Hit Enter to accept the defaults and set "Common Name" to server, then answer y to "Sign the certificate?" and to "1 out of 1 certificate requests certified, commit?" to finish the server key.
Build DH Key
# ./build-dh
Create OpenVPN configuration file.
# nano /etc/openvpn/server.conf
The following is an example configuration. Text after a # is a comment and can be deleted. A few notes before you copy it: 192.168.0.0/24 is also the most common home-router subnet, so clients sitting on such a LAN will get routing conflicts; a less common range such as 10.8.0.0/24 avoids that (change the iptables rules below to match). tun-mtu-extra only matters for dev tap and can be dropped for dev tun. The dh line must name the file build-dh actually produced (dh1024.pem for the default KEY_SIZE). Adding user nobody and group nobody makes the daemon drop root after start-up; persist-key and persist-tun, already present, are what let it keep running with reduced privileges across restarts.
local xxx.xxx.xxx.xxx #Replace with your server's public IP address
port xxxx #Replace with the desired port (1194 is the standard one)
proto udp #tcp or udp; the client must use the same
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 192.168.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-vpn.log
verb 3
Start the OpenVPN service
# service openvpn start
# chkconfig openvpn on
Firewall settings
# nano /etc/sysctl.conf
Find net.ipv4.ip_forward and set its value to 1 so that forwarding survives a reboot. To enable it immediately without rebooting:
# echo 1 > /proc/sys/net/ipv4/ip_forward
Then add a NAT rule so that client traffic leaving the server carries the server's public address. The two commands below do the same job; use one of them, not both. SNAT is the right choice when the server's public IP is static:
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source xxx.xxx.xxx.xxx
Change xxx.xxx.xxx.xxx to your server IP address. MASQUERADE looks the address up on the outgoing interface per packet, so it is the choice for a dynamic IP (adjust eth0 if your public interface has another name):
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
If your INPUT and FORWARD chains reject traffic by default, as the stock CentOS ruleset does, you also need to accept the OpenVPN port on INPUT and accept traffic on FORWARD to and from the tun interface, otherwise clients will connect but reach nothing. Finally save the rules so they are reloaded at boot:
# service iptables save
Build Client Key
# cd /etc/openvpn/easy-rsa/2.0
# source ./vars
# ./build-key ClientName
Accept the defaults as before, set "Common Name" to ClientName and answer y to the sign and commit prompts. Use a different name for every client; the Common Name is how the server identifies the client in its log and status file.
The files are written to /etc/openvpn/keys. Copy ClientName.key, ClientName.crt and ca.crt to the client PC over an authenticated, encrypted channel such as scp. ClientName.key is the client's private key: it must never travel in plaintext and should be readable only by the user who runs OpenVPN. Do not copy ca.key or server.key anywhere.
Create a client configuration file named "ClientName.ovpn".
The following sample matches the server configuration above:
client
dev tun
proto udp
remote xxx.xxx.xxx.xxx xxxx
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
cert ClientName.crt
key ClientName.key
comp-lzo
verb 3
Replace xxx.xxx.xxx.xxx with the server IP and xxxx with the port set on the server. proto, dev, tun-mtu and comp-lzo must match server.conf exactly, since OpenVPN does not negotiate them. Consider adding ns-cert-type server: build-key-server marked the server certificate with the nsCertType=server extension, and this directive makes the client refuse any other certificate signed by the same CA (for example a stolen client certificate) when it is presented as the server.
Save "ClientName.key", "ClientName.crt", "ClientName.ovpn" and "ca.crt" in the OpenVPN configuration directory,
for example C:\Program Files\OpenVPN\config\ClientName.
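Before copying files to the PC it is worth checking that the client profile really matches the server configuration, because OpenVPN does not negotiate proto, port, dev, MTU or compression; a mismatch shows up only as a tunnel that never comes up or silently drops packets. The following shell script is an added example, not part of the original guide: conf_value, conf_has and check_profile are names I chose, and the file paths passed to them are assumptions. Besides the pairwise checks it warns about two hardening directives the guide's configs omit, user/group on the server and ns-cert-type server on the client; those warnings do not affect the result.

```shell
#!/bin/sh
# Added example (not from the original guide): consistency check between an
# OpenVPN server.conf and a client .ovpn profile derived from it.

# conf_value FILE DIRECTIVE: print the arguments of the first occurrence of
# DIRECTIVE in FILE with any trailing "# comment" removed; print nothing if
# the directive is absent.
conf_value() {
    awk -v key="$2" '
        { sub(/[ \t]*#.*$/, "") }
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# conf_has FILE DIRECTIVE: succeed (0) if DIRECTIVE appears in FILE at all,
# including flag-style directives without arguments such as comp-lzo.
conf_has() {
    awk -v key="$2" '
        { sub(/#.*$/, "") }
        $1 == key { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# check_profile SERVER_CONF CLIENT_OVPN: print one line per mismatch on
# stderr and return the number of mismatches (0 means the pair agrees).
check_profile() {
    srv=$1
    cli=$2
    bad=0

    # Transport protocol: both sides default to udp when the line is absent.
    s_proto=$(conf_value "$srv" proto)
    c_proto=$(conf_value "$cli" proto)
    if [ "${s_proto:-udp}" != "${c_proto:-udp}" ]; then
        echo "proto: server=${s_proto:-udp} client=${c_proto:-udp}" >&2
        bad=$((bad + 1))
    fi

    # Address and port: the client's "remote HOST [PORT]" must point at the
    # server's "local" address and "port" (1194 when omitted).
    s_port=$(conf_value "$srv" port)
    s_local=$(conf_value "$srv" local)
    set -- $(conf_value "$cli" remote)
    c_host=$1
    c_port=${2:-1194}
    if [ "${s_port:-1194}" != "$c_port" ]; then
        echo "port: server=${s_port:-1194} client=$c_port" >&2
        bad=$((bad + 1))
    fi
    if [ -n "$s_local" ] && [ "$s_local" != "$c_host" ]; then
        echo "remote: server listens on $s_local, client connects to ${c_host:-<none>}" >&2
        bad=$((bad + 1))
    fi

    # Device type and MTU must agree exactly (tun-mtu defaults to 1500).
    for key in dev tun-mtu; do
        s=$(conf_value "$srv" "$key")
        c=$(conf_value "$cli" "$key")
        case $key in tun-mtu) s=${s:-1500}; c=${c:-1500} ;; esac
        if [ "$s" != "$c" ]; then
            echo "$key: server=${s:-<unset>} client=${c:-<unset>}" >&2
            bad=$((bad + 1))
        fi
    done

    # Compression is a flag: both sides or neither.
    if conf_has "$srv" comp-lzo; then s_lzo=1; else s_lzo=0; fi
    if conf_has "$cli" comp-lzo; then c_lzo=1; else c_lzo=0; fi
    if [ "$s_lzo" != "$c_lzo" ]; then
        echo "comp-lzo: server=$s_lzo client=$c_lzo" >&2
        bad=$((bad + 1))
    fi

    # Hardening the guide's configs leave out (advisory only, not counted).
    if ! conf_has "$srv" user; then
        echo "warning: server.conf has no 'user nobody' / 'group nobody', so the daemon keeps running as root" >&2
    fi
    if ! conf_has "$cli" ns-cert-type; then
        echo "warning: client profile lacks 'ns-cert-type server'; any certificate signed by ca.crt would be accepted as the server" >&2
    fi

    return "$bad"
}
```

Run it on the server as `check_profile /etc/openvpn/server.conf /path/to/ClientName.ovpn` before handing the profile out; a non-zero exit code lists exactly which directives disagree.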
thanks sir.
Good guide, you don't see many on CentOS for OpenVPN. I just had to set up on Ubuntu 13.04 and so documented it. I used Webmin with the OpenVPN module which is really slick and quite easy. 15 minutes or less to an OpenVPN server and easy administration.
I'll leave the guide here if you don't mind for those that may want to do the same setup.
http://www.ioflare.com/portal/knowledgebase/3/Install-Webmin-And-OpenVPN-On-Your-Ubuntu-Cloud-Server.html