{"id":65,"date":"2013-01-08T23:29:00","date_gmt":"2013-01-08T23:29:00","guid":{"rendered":"https:\/\/www.tech-and-dev.com\/blog\/2013\/01\/08\/installing-and-configuring-openvpn-on-centos-6\/"},"modified":"2021-02-22T01:01:15","modified_gmt":"2021-02-22T01:01:15","slug":"installing-and-configuring-openvpn-on-centos-6","status":"publish","type":"post","link":"https:\/\/www.tech-and-dev.com\/blog\/2013\/01\/installing-and-configuring-openvpn-on-centos-6.html","title":{"rendered":"Installing and Configuring OpenVPN on CentOS 6"},"content":{"rendered":"<div dir=\"ltr\" style=\"text-align: left;\">\n<div>\n<p>&nbsp;<\/p>\n<div style=\"clear: both; text-align: center;\"><a style=\"margin-left: 1em; margin-right: 1em;\" href=\"https:\/\/www.tech-and-dev.com\/blog\/wp-content\/uploads\/2021\/02\/openvpn_logo.png\"><img decoding=\"async\" title=\"Installing and Configuring OpenVPN on CentOS 6\" src=\"https:\/\/www.tech-and-dev.com\/blog\/wp-content\/uploads\/2021\/02\/openvpn_logo.png\" alt=\"Open VPN Logo\" border=\"0\" \/><\/a><\/div>\n<p>&nbsp;<\/p>\n<h2 style=\"text-align: left;\">What is VPN?<\/h2>\n<div style=\"text-align: justify;\">A VPN (Virtual Private Network) is a way to securely extend a private network across the internet to another location. The client computer (in this case your computer) makes an encrypted connection to a server which acts as a normal network connection. This technique is usually used in companies to allow their employees to securely connect to their work network from anywhere in the world.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">VPNs provide security through tunneling protocols. 
The security model provides <b>confidentiality<\/b>, which encrypts the data and protects it from being sniffed, <b>integrity<\/b>, which prevents the data from being tampered with, and <b>authentication<\/b>, which allows only authenticated users with a username and password to connect to the VPN server.<\/div>\n<div style=\"text-align: justify;\"><\/div>\n<div style=\"text-align: justify;\">When a VPN connection is established, it can be thought of as having an Ethernet cable connected to the other machine, just a little bit slower since it is going over the internet.<\/div>\n<h2 style=\"text-align: left;\">What is OpenVPN?<\/h2>\n<div style=\"text-align: justify;\">OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL\/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls.<\/div>\n<h2>Requirements<\/h2>\n<ul>\n<li style=\"text-align: justify;\">Server:\n<ul>\n<li style=\"text-align: justify;\">Linux CentOS 6 Operating System<\/li>\n<li style=\"text-align: justify;\">Root access<\/li>\n<\/ul>\n<\/li>\n<li style=\"text-align: justify;\">Client:\n<ul>\n<li style=\"text-align: justify;\">Windows Operating System<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\">Installing OpenVPN on CentOS 6<\/h2>\n<p><span style=\"color: blue;\">Make sure Tun\/Tap is enabled<\/span><\/p>\n<blockquote><p>cat \/dev\/net\/tun<\/p><\/blockquote>\n<p>If Tun\/Tap is enabled and active you will see the following message:<\/p>\n<blockquote><p>cat: \/dev\/net\/tun: File descriptor in bad state<\/p><\/blockquote>\n<p>If you don&#8217;t see the above message, you will have to enable Tun\/Tap or ask your host to enable it for you.<br \/>\n<span style=\"color: blue;\"><br \/>\n<\/span><span style=\"color: blue;\">Install the 
following packages<\/span><\/p>\n<blockquote><p>yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Download the LZO source RPM and the RPMforge repository package<\/span><\/p>\n<blockquote><p>wget http:\/\/openvpn.net\/release\/lzo-1.08-4.rf.src.rpm<\/p><\/blockquote>\n<p>For CentOS 6 &#8211; 32 bit:<\/p>\n<blockquote><p>wget http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.2-1.el6.rf.i686.rpm<\/p><\/blockquote>\n<p>For CentOS 6 &#8211; 64 bit:<\/p>\n<blockquote><p>wget http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Build the RPM<\/span> (rpmbuild writes the rebuilt package under ~\/rpmbuild\/RPMS\/ on CentOS 6) and install it together with the RPMforge release package<\/p>\n<blockquote><p>rpmbuild --rebuild lzo-1.08-4.rf.src.rpm<br \/>\nrpm -Uvh ~\/rpmbuild\/RPMS\/*\/lzo-*.rpm<br \/>\nrpm -Uvh rpmforge-release*<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Install OpenVPN<\/span><\/p>\n<blockquote><p>yum install openvpn -y<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Copy the <b>easy-rsa<\/b> folder to \/etc\/openvpn\/<\/span><\/p>\n<blockquote><p>cp -R \/usr\/share\/doc\/openvpn-2.2.2\/easy-rsa\/ \/etc\/openvpn\/<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Edit the <b>vars <\/b>file<\/span>:<\/p>\n<blockquote><p>vi \/etc\/openvpn\/easy-rsa\/2.0\/vars<\/p><\/blockquote>\n<p>Replace the line:<\/p>\n<blockquote><p>export KEY_CONFIG=`$EASY_RSA\/whichopensslcnf $EASY_RSA`<\/p><\/blockquote>\n<p>with<\/p>\n<blockquote><p>export KEY_CONFIG=\/etc\/openvpn\/easy-rsa\/2.0\/openssl-1.0.0.cnf<\/p><\/blockquote>\n<p>and save (<b>:w<\/b>) and quit editing the file (<b>:q<\/b>)<\/p>\n<p>&nbsp;<\/p>\n<h2 style=\"text-align: left;\">Create the SSL Certificate<\/h2>\n<p><span style=\"color: blue;\">Create the SSL Certificate <\/span><\/p>\n<blockquote><p>cd \/etc\/openvpn\/easy-rsa\/2.0<\/p><\/blockquote>\n<blockquote><p>chmod 755 *<\/p><\/blockquote>\n<blockquote><p>source 
.\/vars<\/p><\/blockquote>\n<blockquote><p>.\/vars<\/p><\/blockquote>\n<blockquote><p>.\/clean-all<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Build your own root Certificate Authority (CA)<\/span>, you will be prompted to enter the Country Name, State, City, Organization, Common Name and Email. You can enter any data or leave them blank.<\/p>\n<blockquote><p>.\/build-ca<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Build the server key and certificate<\/span>, you will be prompted for the same information as before and can leave it blank. The only two required answers are <b>sign the certificate <\/b>(choose &#8220;y&#8221;) and <b>1 out of 1 certificate requests<\/b> (choose &#8220;y&#8221;)<\/p>\n<blockquote><p>.\/build-key-server server<\/p><\/blockquote>\n<blockquote><p>sign the certificate: y<br \/>\n1 out of 1 certificate requests: y<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Build Diffie-Hellman parameters<\/span> (necessary for the server end of an SSL\/TLS connection).<\/p>\n<blockquote><p>.\/build-dh<\/p><\/blockquote>\n<h2 style=\"text-align: left;\">Configuring OpenVPN<\/h2>\n<p><span style=\"color: blue;\">Create the configuration file:<\/span><\/p>\n<blockquote><p>vi \/etc\/openvpn\/server.conf<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Copy\/paste the following<\/span>, you can choose any <b><span style=\"color: #38761d;\">port<\/span><\/b> number you want:<\/p>\n<blockquote><p><span style=\"color: #38761d;\">port 1194<\/span> #- port<br \/>\nproto udp #- protocol<br \/>\ndev tun<br \/>\ntun-mtu 1500<br \/>\ntun-mtu-extra 32<br \/>\nmssfix 1450<br \/>\nreneg-sec 0<br \/>\nca \/etc\/openvpn\/easy-rsa\/2.0\/keys\/ca.crt<br \/>\ncert \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.crt<br \/>\nkey \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.key<br \/>\ndh \/etc\/openvpn\/easy-rsa\/2.0\/keys\/dh1024.pem<br \/>\nplugin \/usr\/share\/openvpn\/plugin\/lib\/openvpn-auth-pam.so \/etc\/pam.d\/login #- Comment this line if you are using FreeRADIUS<br 
\/>\n#plugin \/etc\/openvpn\/radiusplugin.so \/etc\/openvpn\/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS<br \/>\nclient-cert-not-required #- clients authenticate with username\/password only, no client certificate<br \/>\nusername-as-common-name<br \/>\nserver 10.8.0.0 255.255.255.0<br \/>\npush \"redirect-gateway def1\"<br \/>\npush \"dhcp-option DNS 8.8.8.8\"<br \/>\npush \"dhcp-option DNS 8.8.4.4\"<br \/>\nkeepalive 5 30<br \/>\ncomp-lzo<br \/>\npersist-key<br \/>\npersist-tun<br \/>\nstatus 1194.log<br \/>\nverb 3<\/p><\/blockquote>\n<p>and save (<b>:w<\/b>) and quit editing the file (<b>:q<\/b>)<\/p>\n<p><span style=\"color: blue;\">Start OpenVPN<\/span><\/p>\n<blockquote><p>service openvpn start<\/p><\/blockquote>\n<p><span style=\"color: blue;\"><br \/>\n<\/span><span style=\"color: blue;\">Enable IP Forwarding<\/span><\/p>\n<blockquote><p>vi \/etc\/sysctl.conf<\/p><\/blockquote>\n<p>Change<\/p>\n<blockquote><p>net.ipv4.ip_forward = 0<\/p><\/blockquote>\n<p>to<\/p>\n<blockquote><p>net.ipv4.ip_forward = 1<\/p><\/blockquote>\n<p>and save (<b>:w<\/b>) and quit editing the file (<b>:q<\/b>)<\/p>\n<p><span style=\"color: blue;\">Run sysctl<\/span> to reload the kernel parameters so the change takes effect immediately<\/p>\n<blockquote><p>sysctl -p<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Create a Linux user account <\/span>for VPN logins (the \/bin\/false shell means the account can be used for VPN authentication but not for shell logins)<\/p>\n<blockquote><p>useradd userone -s \/bin\/false<\/p><\/blockquote>\n<p><span style=\"color: blue;\">And set the password<\/span><\/p>\n<blockquote><p>passwd userone<\/p><\/blockquote>\n<p><span style=\"color: blue;\">If you want OpenVPN<\/span> to start after every reboot, issue the following command<\/p>\n<blockquote><p>chkconfig openvpn on<\/p><\/blockquote>\n<h2 style=\"text-align: left;\">Configuring IPTables and CSF<\/h2>\n<p><span style=\"color: blue;\">If you are running <b>Xen <\/b>or <b>KVM<\/b><\/span>, issue this command:<\/p>\n<blockquote><p>iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j 
MASQUERADE<\/p><\/blockquote>\n<p><span style=\"color: blue;\">If you are running <b>OpenVZ<\/b><\/span>, run the following commands, making sure to replace <span style=\"color: red;\"><b>xxx.xxx.xxx.xxx<\/b><\/span> with your server&#8217;s IP address:<\/p>\n<blockquote><p>iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span><\/p><\/blockquote>\n<blockquote><p>iptables -t nat -A POSTROUTING -s 10.8.0.0\/24 -j SNAT --to-source <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span><\/p><\/blockquote>\n<p><span style=\"color: blue;\">Save the iptables rules<\/span><\/p>\n<blockquote><p>service iptables save<\/p><\/blockquote>\n<p><span style=\"color: blue;\">If you have CSF\/LFD installed<\/span> on your server, you will have to create a new file to add the rules to your iptables configuration.<\/p>\n<blockquote><p>vi \/etc\/csf\/csfpre.sh<\/p><\/blockquote>\n<p>Copy\/paste the following into csfpre.sh, making sure to replace <span style=\"color: red;\"><b>xxx.xxx.xxx.xxx<\/b><\/span> with your server&#8217;s IP address:<\/p>\n<blockquote><p>iptables -A INPUT -j ACCEPT -s 10.8.0.0\/24 -i tun0<br \/>\niptables -A OUTPUT -j ACCEPT -s 10.8.0.0\/24 -o tun0<br \/>\niptables -A FORWARD -j ACCEPT -p all -s 0\/0 -i tun0<br \/>\niptables -A FORWARD -j ACCEPT -p all -s 0\/0 -o tun0<br \/>\niptables -t nat --flush<br \/>\niptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0\/24 -j SNAT --to <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span><\/p><\/blockquote>\n<p>and save (<b>:w<\/b>) and quit editing the file (<b>:q<\/b>)<\/p>\n<p><span style=\"color: blue;\">Modify the CSF configuration file <\/span>to allow the port number you chose earlier (add it to the UDP_IN list, since the server config uses proto udp)<\/p>\n<blockquote><p>vi \/etc\/csf\/csf.conf<\/p><\/blockquote>\n<p>and save (<b>:w<\/b>) and quit editing the file (<b>:q<\/b>)<\/p>\n<p><span style=\"color: blue;\">Restart CSF<\/span><\/p>\n<blockquote><p>csf -r<\/p><\/blockquote>\n<\/div>\n<h2 style=\"text-align: left;\">Downloading, installing and 
configuring the client<\/h2>\n<p><span style=\"color: blue;\">Download the Windows OpenVPN installer<\/span> from <a href=\"http:\/\/openvpn.net\/index.php\/download.html\" target=\"_blank\" rel=\"nofollow noopener\">openvpn.net<\/a><\/p>\n<p><span style=\"color: blue;\">Install the application<\/span><\/p>\n<p><span style=\"color: blue;\">Go to the config directory<\/span> where you installed OpenVPN (<b>C:\\Program Files (x86)\\OpenVPN\\config<\/b> by default)<\/p>\n<p><span style=\"color: blue;\">Create a new file called <b>server.ovpn<\/b><\/span> and open it with any text editor.<\/p>\n<p><span style=\"color: blue;\">Paste the following into your <b>server.ovpn<\/b><\/span>, making sure to replace <span style=\"color: red;\"><b>xxx.xxx.xxx.xxx<\/b><\/span> with your server&#8217;s IP address, and <span style=\"color: #38761d;\">1194<\/span> with the port number you chose earlier.<\/p>\n<blockquote><p>client<br \/>\ndev tun<br \/>\nproto udp<br \/>\nremote <span style=\"color: red;\">xxx.xxx.xxx.xxx<\/span> <span style=\"color: #38761d;\">1194<\/span><br \/>\nresolv-retry infinite<br \/>\nnobind<br \/>\ntun-mtu 1500<br \/>\ntun-mtu-extra 32<br \/>\nmssfix 1450<br \/>\npersist-key<br \/>\npersist-tun<br \/>\nca ca.crt<br \/>\nauth-user-pass<br \/>\ncomp-lzo<br \/>\nreneg-sec 0<br \/>\nverb 3<\/p><\/blockquote>\n<p><span style=\"color: blue;\">Download the<b> ca.crt<\/b> and copy it to the same folder as server.ovpn<\/span> (the client uses it to verify that it is talking to your server and not an impostor)<\/p>\n<p>If you can&#8217;t download ca.crt, open it on your server<\/p>\n<blockquote><p>vi \/etc\/openvpn\/easy-rsa\/2.0\/keys\/ca.crt<\/p><\/blockquote>\n<p>Copy its content, create a new text file in your config directory and paste it. 
Rename the text file to ca.crt<\/p>\n<p><span style=\"color: blue;\">Open the client<\/span>, make sure to <b>run as administrator<\/b>, and enter the username and password you created earlier.<\/p>\n<p><span style=\"color: blue;\">If you would like to save the username and password so you do not have to enter them<\/span> every time you establish a VPN connection, you can do so by creating a new text file, named anything you want with an extension of your choice. I will create my file with the name <b>login.conf<\/b>. Open this file with a text editor, enter the username on the first line and the password on the second line. Note that the password is stored in plain text in this file, so keep the file readable only by your own Windows account.<\/p>\n<p>For example, create a file called login.conf, open it with a text editor and write the following:<\/p>\n<blockquote><p>username<br \/>\nGJASk2398nm$^2389hknasDG<\/p><\/blockquote>\n<p>where <b>username <\/b>is the username and <b>GJASk2398nm$^2389hknasDG<\/b> is the password.<\/p>\n<p>Save that file (login.conf) in the same folder as <b>server.ovpn<\/b> (that is, in the config folder, <b>C:\\Program Files (x86)\\OpenVPN\\config<\/b> by default)<\/p>\n<p>Open your <b>server.ovpn<\/b> file and add login.conf after auth-user-pass, so the line becomes:<\/p>\n<blockquote><p>auth-user-pass login.conf<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; &nbsp; What is VPN? A VPN (Virtual Private Network) is a way to securely extend a private network across the internet to another location. The client computer (in this case your computer) makes an encrypted connection to a server which acts as a normal network connection. 
This technique is usually used in companies to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[17,6,31,7,15,2],"tags":[],"class_list":["post-65","post","type-post","status-publish","format-standard","hentry","category-centos","category-linux","category-server","category-ssh","category-vpn","category-windows"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/65","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/comments?post=65"}],"version-history":[{"count":1,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/65\/revisions"}],"predecessor-version":[{"id":222,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/posts\/65\/revisions\/222"}],"wp:attachment":[{"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/media?parent=65"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/categories?post=65"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tech-and-dev.com\/blog\/wp-json\/wp\/v2\/tags?post=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}