OpenVPN 2.3.1 on CentOS 6

It is recommended to install the EPEL repository first.

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download LZO RPM


Download RPMForge Repo


rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install openvpn

yum install openvpn

As of version 2.3, easy-rsa is an independent project, so it has to be downloaded separately, for example like this:


Untar the archive to /etc/openvpn and then copy the easy-rsa folder to /etc/openvpn:

cp -R /etc/openvpn/easy-rsa-2.2.0_master/easy-rsa /etc/openvpn

Open /etc/openvpn/easy-rsa/2.0/vars and change the line below:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Save the changes. Create the certificate:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars

Build CA:


Build key server:

./build-key-server server

Build Diffie Hellman


Generate clients

./build-key client1
./build-key client2
./build-key client3

Copy server config file server.conf from /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/ to /etc/openvpn

cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf /etc/openvpn

Edit the file to match your setup. For example, specify the paths to ca, cert and key, and push public DNS servers.
Example server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS"
push "dhcp-option DNS"
keepalive 10 120
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Save the client config file with the .ovpn extension.
Disable SELinux in /etc/selinux/config by changing




Now enable IP forwarding. Open the file /etc/sysctl.conf and change

net.ipv4.ip_forward = 0

to:

net.ipv4.ip_forward = 1

Apply the changes with the command:

sysctl -p

Configure /etc/sysconfig/iptables.

Please note that you should change eth0 to your actual network device; it can be eth1, or venet0 on a VPS. Check your network devices with the ifconfig command.

Sample config:

# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Completed on Thu Mar 28 11:52:05 2013
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
:PREROUTING ACCEPT [6222:273716]
:OUTPUT ACCEPT [306:22159]
# Completed on Thu Mar 28 11:52:05 2013
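
The server config and the iptables rules have to agree on protocol, port and interface, so it is worth cross-checking them before starting the service. The script below is an added example, not part of the original guide: it runs that check over excerpts of the two sample configs printed above. The function names, the finding labels (NO_INPUT_RULE, NO_NAT_RULE, WEAK_DH) and the 2048-bit DH threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: cross-check server.conf against the iptables rules file.
# Inline samples are excerpts of the two sample configs printed in this guide.
SAMPLE_CONF='port 1194
proto udp
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
push "redirect-gateway def1 bypass-dhcp"'
SAMPLE_RULES='-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

# conf_value DIRECTIVE CONF_TEXT: print the first argument of a directive
conf_value() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# audit CONF_TEXT RULES_TEXT: print one finding per line, nothing if clean
audit() {
    conf=$1; rules=$2
    proto=$(conf_value proto "$conf"); port=$(conf_value port "$conf")
    proto=${proto:-udp}; port=${port:-1194}   # OpenVPN defaults
    # Need an INPUT ACCEPT rule for the listener's protocol and port that is
    # not bound to a tun interface: clients connect on the physical interface.
    printf '%s\n' "$rules" | awk -v p="$proto" -v port="$port" '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            rp = ""; rport = ""; rif = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") rp = $(i + 1)
                if ($i == "--dport") rport = $(i + 1)
                if ($i == "-i") rif = $(i + 1)
            }
            if (rp == p && rport == port && rif !~ /^tun/) ok = 1
        }
        END { if (!ok) print "NO_INPUT_RULE " p "/" port }'
    # redirect-gateway routes all client traffic via the server, which then
    # needs source NAT on the way out (assumes the VPN subnet is not routed).
    case $conf in *redirect-gateway*)
        printf '%s\n' "$rules" |
            grep -Eq -- '-A POSTROUTING .*-j (MASQUERADE|SNAT)' || echo "NO_NAT_RULE" ;;
    esac
    # easy-rsa 2.0 names the DH file after its size (dhNNNN.pem)
    bits=$(conf_value dh "$conf" | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    [ -n "$bits" ] && [ "$bits" -lt 2048 ] && echo "WEAK_DH $bits"
    return 0
}

audit "$SAMPLE_CONF" "$SAMPLE_RULES"
```

Against the real files, call audit "$(cat /etc/openvpn/server.conf)" "$(cat /etc/sysconfig/iptables)"; empty output means none of the three findings applies.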

Start openvpn

service openvpn start

Start OpenVPN at system startup:

chkconfig openvpn on
chkconfig iptables on

If OpenVPN fails to start, check whether tun/tap is active:

cat /dev/net/tun

If output is:

cat: /dev/net/tun: File descriptor in bad state

then tun/tap is active; look in /var/log/openvpn.log and /var/log/messages.
If the output is:

cat: /dev/net/tun: No such device

then try:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

Download the client files from /etc/openvpn/easy-rsa/2.0/keys/. Upload these files to the OpenVPN directory on the client machine. The OpenVPN client is available on the official site.


This guide should be applicable to OpenVPN 2.3.x on CentOS 6.