{"id":235,"date":"2013-07-23T20:02:29","date_gmt":"2013-07-23T12:02:29","guid":{"rendered":"http:\/\/www.cyups.com\/?p=196"},"modified":"2013-07-23T20:02:29","modified_gmt":"2013-07-23T12:02:29","slug":"installing-openvpn-on-centos-5-and-centos-6","status":"publish","type":"post","link":"http:\/\/www.cyups.com\/?p=235","title":{"rendered":"Installing OpenVPN on CentOS 5 and CentOS 6"},"content":{"rendered":"

In this guide we will show you how to setup OpenVPN on centos \u2013 the guide will give you a fully working OpenVPN installation, NOT TESTED ON OTHER DISTROS..<\/strong>
\nFirst step is to check if tun\/tap is active:<\/p>\n

cat \/dev\/net\/tun<\/pre>\n
If tun is active then you should see this:<\/p>\n
cat: \/dev\/net\/tun: File descriptor in bad state<\/pre>\n
 
\nMake sure you have these packages installed:<\/p>\n
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y<\/pre>\n
Download LZO RPM and Configure RPMForge Repo:<\/p>\n
wget http:\/\/openvpn.net\/release\/lzo-1.08-4.rf.src.rpm<\/pre>\n
32bit Package:<\/strong>
\nCentOS 5:<\/p>\n
wget http:\/\/packages.sw.be\/rpmforge-release\/rpmforge-release-0.5.2-2.el5.rf.i386.rpm<\/pre>\n
CentOS 6:<\/p>\n
wget http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.3-1.el6.rf.i686.rpm<\/pre>\n
64bit Package:<\/strong>
\nCentOS 5:<\/p>\n
wget http:\/\/packages.sw.be\/rpmforge-release\/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm<\/pre>\n
CentOS 6:<\/p>\n
wget http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm<\/pre>\n
Build the rpm packages:<\/p>\n
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm\nrpm -Uvh lzo-*.rpm\nrpm -Uvh rpmforge-release*<\/pre>\n
Install OpenVPN:<\/p>\n
yum install openvpn -y<\/pre>\n
Copy the easy-rsa folder to \/etc\/openvpn\/:<\/p>\n
cp -R \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/ \/etc\/openvpn\/<\/pre>\n
**PLEASE NOTE**<\/strong> if the above command brings up an error such as below, then please follow the following steps to download and copy over easy-rsa as its not included in the new build OpenVPN 2.3.1:
\ncannot stat `\/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/\u2019: No such file or directory<\/em><\/strong>
\nDownload easy-rsa from below:<\/p>\n
wget https:\/\/github.com\/downloads\/OpenVPN\/easy-rsa\/easy-rsa-2.2.0_master.tar.gz<\/pre>\n
Extract the package:<\/p>\n
tar -zxvf easy-rsa-2.2.0_master.tar.gz<\/pre>\n
Copy to OpenVPN directory:<\/p>\n
cp -R easy-rsa-2.2.0_master\/easy-rsa\/ \/etc\/openvpn\/<\/pre>\n
Please note on CentOS 6<\/strong> we need to make a small change before you run the commands below, open up \/etc\/openvpn\/easy-rsa\/2.0\/vars<\/strong> and edit the below line:
\nChange:<\/p>\n
export KEY_CONFIG=`$EASY_RSA\/whichopensslcnf $EASY_RSA`<\/pre>\n
To:<\/p>\n
export KEY_CONFIG=\/etc\/openvpn\/easy-rsa\/2.0\/openssl-1.0.0.cnf<\/pre>\n
And save..
\nNow let\u2019s create the certificate:<\/p>\n
cd \/etc\/openvpn\/easy-rsa\/2.0\nchmod 755 *\nsource .\/vars\n.\/vars\n.\/clean-all<\/pre>\n
Build CA:<\/p>\n
.\/build-ca<\/pre>\n
Country Name:<\/strong> may be filled or press enter\nState or Province Name:<\/strong> may be filled or press enter\nCity:<\/strong> may be filled or press enter\nOrg Name:<\/strong> may be filled or press enter\nOrg Unit Name:<\/strong> may be filled or press enter\nCommon Name:<\/strong> your server hostname\nEmail Address:<\/strong> may be filled or press enter<\/pre>\n
Build key server:<\/p>\n
.\/build-key-server server<\/pre>\n
Almost the same with .\/build.ca but check the changes and additional\nCommon Name:<\/strong> server\nA challenge password:<\/strong> leave\nOptional company name:<\/strong> fill or enter\nsign the certificate:<\/strong> y\n1 out of 1 certificate requests:<\/strong> y<\/pre>\n
Build Diffie Hellman (wait a moment until the process finish):<\/p>\n
.\/build-dh<\/pre>\n
Now create your config file:<\/p>\n
touch \/etc\/openvpn\/server.conf<\/pre>\n
And enter the following:<\/p>\n
port 1194 #- port\nproto udp #- protocol\ndev tun\ntun-mtu 1500\ntun-mtu-extra 32\nmssfix 1450\nreneg-sec 0\nca \/etc\/openvpn\/easy-rsa\/2.0\/keys\/ca.crt\ncert \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.crt\nkey \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.key\ndh \/etc\/openvpn\/easy-rsa\/2.0\/keys\/dh1024.pem\nplugin \/usr\/share\/openvpn\/plugin\/lib\/openvpn-auth-pam.so \/etc\/pam.d\/login #- Comment this line if you are using FreeRADIUS\n#plugin \/etc\/openvpn\/radiusplugin.so \/etc\/openvpn\/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS\nclient-cert-not-required\nusername-as-common-name\nserver 10.8.0.0 255.255.255.0\npush \"redirect-gateway def1\"\npush \"dhcp-option DNS 8.8.8.8\"\npush \"dhcp-option DNS 8.8.4.4\"\nkeepalive 5 30\ncomp-lzo\npersist-key\npersist-tun\nstatus 1194.log\nverb 3<\/pre>\n
Save it.
\nBefore we start OpenVPN, lets disable SELinux if enabled, this can cause issues with OpenVPN, especially when using OpenVPN with multiple configs:<\/p>\n
echo 0 > \/selinux\/enforce<\/pre>\n
This is a temporary solution and will re-enable once you reboot your system, to disable on a permanent basis you need to edit the following \/etc\/selinux\/config<\/strong> and edit this line:<\/p>\n
SELINUX=enforcing<\/pre>\n
To:<\/p>\n
SELINUX=disabled<\/pre>\n
When your system next reboots it will still be disabled.
\nNow lets start OpenVPN:<\/p>\n
service openvpn restart<\/pre>\n
*Please note if you receive \u201cFAIL\u201d when OpenVPN trys to start and you have the following error in your \/var\/log\/messages<\/strong>:<\/p>\n
PLUGIN_INIT: could not load plugin shared object \/usr\/share\/openvpn\/plugin\/lib\/openvpn-auth-pam.so: \/usr\/share\/openvpn\/plugin\/lib\/openvpn-auth-pam.so: cannot open shared object file: No such file or directory<\/pre>\n
Then this is because the latest OpenVPN package doesn\u2019t include this file (which is reported to be fixed soon) but you can download the pam auth file from here for now:
\n64Bit:<\/p>\n
wget http:\/\/safesrv.net\/public\/openvpn-auth-pam.zip<\/pre>\n
32Bit:<\/p>\n
wget http:\/\/safesrv.net\/public\/dl\/openvpn-auth-pam.zip<\/pre>\n
Extract the file:<\/p>\n
unzip openvpn-auth-pam.zip<\/pre>\n
Move to the OpenVPN directory:<\/p>\n
mv openvpn-auth-pam.so \/etc\/openvpn\/openvpn-auth-pam.so<\/pre>\n
Then replace the PAM plugin line in your server.conf to below:<\/p>\n
plugin \/etc\/openvpn\/openvpn-auth-pam.so \/etc\/pam.d\/login<\/pre>\n
Restart OpenVPN and all should now work:<\/p>\n
killall -9 openvpn<\/pre>\n
service openvpn restart<\/pre>\n
Now we need to enable IP forwarding. So open the file \/etc\/sysctl.conf<\/strong> and set \u2018net.ipv4.ip_forward\u2019 to 1.<\/p>\n
net.ipv4.ip_forward = 1<\/pre>\n
To make the changes to sysctl.conf take effect, use the following command.<\/p>\n
sysctl -p<\/pre>\n
Route Iptables:
\nThe rule below will work fine on xen and KVM based VPS\u2019s but for OpenVZ use the OpenVZ iptable rule instead:<\/strong><\/p>\n
iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE<\/pre>\n
OpenVZ iptable rules:<\/strong><\/p>\n
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123<\/pre>\n
And<\/p>\n
iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to-source 123.123.123.123<\/pre>\n
Make sure you change 123.123.123.123 to your server IP.
\nIF you have CSF on the same server you need to open your OpenVPN port (Usually 1194) through the firewall and run the below commands for CSF, also its a good idea to add them to \/etc\/csf\/csfpre.sh<\/strong>.<\/p>\n
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\niptables -A FORWARD -s 10.8.0.0\/24 -j ACCEPT\niptables -A FORWARD -j REJECT\niptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\niptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123<\/pre>\n
If the above rules cause you any problems or don\u2019t seem to work (Especially on cPanel servers) then remove the rules above and use below:<\/p>\n
iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\niptables -A FORWARD -i tun0 -o eth0 -j ACCEPT\niptables -A FORWARD -i eth0 -o tun0 -j ACCEPT<\/pre>\n
Please make sure 123.123.123.123 is your main server IP.
\nThen run\u2026<\/p>\n
service iptables save\n<\/pre>\n
Please note if you are using our FreeRADIUS module for WHMCS then you don\u2019t have to do the below step for adding users just follow the link above to setup OpenVPN to auth off FreeRADIUS \u2013 otherwise you can create a user as follows:<\/p>\n
useradd username -s \/bin\/false\npasswd username<\/pre>\n
If you wanted to delete a user you would use:<\/p>\n
userdel username<\/pre>\n
Now create a server.ovpn config file and enter the following:<\/p>\n
client\ndev tun\nproto udp\nremote 123.123.123.123 1194 # - Your server IP and OpenVPN Port\nresolv-retry infinite\nnobind\ntun-mtu 1500\ntun-mtu-extra 32\nmssfix 1450\npersist-key\npersist-tun\nca ca.crt\nauth-user-pass\ncomp-lzo\nreneg-sec 0\nverb 3<\/pre>\n
Make sure you change 123.123.123.123 to your server IP.
\nAnd make sure OpenVPN starts at boot:<\/p>\n
chkconfig openvpn on<\/pre>\n
Download ca.crt file in \/etc\/openvpn\/easy-rsa\/2.0\/keys\/<\/strong> directory and place it in the same directory as your server.ovpn.
\nNow download a VPN client and import your config file and enter your username and password created above or if you have already configured OpeVPN Source with the FreeRADIUS plugin, use a username and password created in the radius database.<\/p>\n
\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
In this guide we will show you how to setup OpenVPN on centos \u2013 t …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[18],"tags":[61,190,192],"class_list":["post-235","post","type-post","status-publish","format-standard","hentry","category-kuruantuijian","tag-centos-openvpn2-2-2","tag-openvpn","tag-openvpn2-2-2"],"_links":{"self":[{"href":"http:\/\/www.cyups.com\/index.php?rest_route=\/wp\/v2\/posts\/235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.cyups.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.cyups.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.cyups.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.cyups.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=235"}],"version-history":[{"count":0,"href":"http:\/\/www.cyups.com\/index.php?rest_route=\/wp\/v2\/posts\/235\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.cyups.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.cyups.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=235"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.cyups.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}