Categories:

OpenVPN 2.3.1 on Centos 6

It is recommended to install epel repository first

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download LZO RPM

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download RPMForge Repo

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Install openvpn

yum install openvpn

From the version 2.3 easy-rsa is an independent project so it has to be downloaded separately, for example like this:

wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Untar the archive to /etc/openvpn and then copy easy-rsa folder to /etc/openvpn:

cp -R /etc/openvpn/easy-rsa-2.2.0_master/easy-rsa /etc/openvpn

Open up /etc/openvpn/easy-rsa/2.0/vars and change the below line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

And save changes. Create the certificate:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Build CA:

./build-ca

Build key server:

./build-key-server server

Build Diffie Hellman

./build-dh

Generate clients

./build-key client1
./build-key client2
./build-key client3

Copy server config file server.conf from /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/ to /etc/openvpn

cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf /etc/openvpn

Edit the file to get proper configuration. For example, specify path to ca, cert, key, and push public DNS
Example server config:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

Save client config file with .ovpn extention
Disable SELinux in /etc/selinux/config by changing

SELINUX=enforcing

to

SELINUX=disabled

Now enable IP forwarding. Open the file /etc/sysctl.conf and change

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

Save changes using command:

sysctl -p

Configure /etc/sysconfig/iptables.

Please note that you should change eth0 to your proper network device , it can be eth1 or venet0 if on vps . just check your network devices with ifconfig command.

Sample config:

# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Mar 28 11:52:05 2013
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 28 11:52:05 2013

Start openvpn

service openvpn start

start openvpn at system startup

chkconfig openvpn on
chkconfig iptables on

If OpenVPN fails to start check if tun/tap in active:

cat /dev/net/tun

If output is:

cat: /dev/net/tun: File descriptor in bad state

than tun/tap in active, look /var/log/openvpn.log and /var/log/messages/
If output is:

cat: /dev/net/tun: No such device

than try:

mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

Download client files from /etc/openvpn/easy-rsa/2.0/keys/ Upload these files to OpenVPN directory on client machine. OpenVPN client is available on official site http://openvpn.net/index.php/“”

How to configure OpenVPN client on Windows

How to configure OpenVPN client on Android

OpenVPN 2.3.1 Centos 6

This guide should be applicable for the openvpn 2.3.x on centos 6.