How to Build OpenVPN Server on CentOS 6.x
How to Install, Set Up and Configure OpenVPN on CentOS 6.4. In this page I write a full tutorial to guide you through installing OpenVPN on a CentOS 6.x server. I will try to make all the steps as clear as possible. Do not hesitate to ask if you have any question. Previously: How to install PPTP on CentOS 6.x (the easiest way).
What do you need?
- A VPS or dedicated server running CentOS 6.x
- Proper knowledge of how to use PuTTY, SSH and common Unix commands
- Only for a VPS based on OpenVZ virtualization (others skip this): please enable the TUN/TAP option in your VPS control panel (e.g. SolusVM).
OpenVZ VPS users only:
How to Install OpenVPN to Build CentOS VPN server
Prerequisite
Step 0 – Log in to your server via SSH. You had better log in as root.
Step 1 – Now issue this first command:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Step 2 – Now download the LZO source RPM and configure the RPMForge repo. Use the wget command:
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Step 3 – Now add the correct repo for your server:
CentOS 6 32-bit (x86):
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
CentOS 6 64-bit (x86_64):
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
How do you know which one your server is? Issue this command:
uname -a
If you see “x86_64 GNU/Linux” at the end of the output line, your server is 64-bit. Otherwise, if you see “i686 i386 GNU/Linux” or “x86 GNU/Linux”, your machine is 32-bit.
Step 4 – Then build and install the RPM packages using these commands:
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
Hit enter after each line above.
Installing OpenVPN
Step 5 – Issue this yum command:
yum install openvpn -y
Step 6 – Copy the easy-rsa folder to /etc/openvpn/ with this command:
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Step 7 – Now edit the vars file:
nano /etc/openvpn/easy-rsa/2.0/vars
Edit this line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
replace it with:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Once done, hit Control+O to save, then Control+X to exit.
Step 8 – Prepare the certificate environment using these commands:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Hit enter after each line.
Step 9 – It’s time to build the necessary CA file:
./build-ca
Hint:
Country Name: may be filled in, or press enter
State or Province Name: may be filled in, or press enter
City: may be filled in, or press enter
Org Name: may be filled in, or press enter
Org Unit Name: may be filled in, or press enter
Common Name: your server hostname
Email Address: may be filled in, or press enter
Step 10 – Time to build the server key:
./build-key-server server
Hint:
Almost the same as ./build-ca, but note these changes and additions:
Common Name: server
A challenge password: leave blank
Optional company name: fill in or press enter
Sign the certificate: y
1 out of 1 certificate requests: y
You can simply leave the rest blank. The only two required answers are "sign the certificate" (choose “y”) and "1 out of 1 certificate requests" (choose “y”).
Step 11 – Now issue the command below to build the Diffie-Hellman parameters:
./build-dh
Step 12 – Create the OpenVPN config file:
nano /etc/openvpn/server.conf
Step 13 – Now enter these values in that config file:
#- listening port
port 1194
#- protocol
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
#- Comment out the next line if you are using FreeRADIUS
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#- Uncomment the next line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
Save it once done (Control+O, then Control+X).
Step 14 – Let’s start the OpenVPN service on your server for the very first time:
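As an added check that is not part of the tutorial, this small POSIX sh script audits the server.conf above and prints one finding per setting a reviewer would want changed before exposing the server (password-only clients, 1024-bit DH, compression, no privilege drop, no tls-auth key). The sample config it writes is copied from the tutorial; option names are standard OpenVPN options.

```shell
#!/bin/sh
# Added audit script (not from the tutorial). Needs only POSIX sh and grep.

# Reproduces the relevant lines of the tutorial's server.conf so the
# audit can be tried without a real install.
write_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
reneg-sec 0
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
comp-lzo
persist-key
persist-tun
EOF
}

# has PATTERN: true if an active (uncommented) option line matches PATTERN.
has() { printf '%s\n' "$opts" | grep -q "$1"; }
# flag TEXT: print a finding and count it.
flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Prints one FINDING line per issue and returns the number of findings
# (0 = nothing flagged), so it can gate a deployment script.
audit_openvpn_conf() {
    findings=0
    # Drop comment lines (# or ; at line start) so commented-out options don't match.
    opts=$(grep -v '^[[:space:]]*[#;]' "$1" || true)

    has '^client-cert-not-required' &&
        flag "client-cert-not-required: clients authenticate by password only; issue per-client certificates and drop this option"
    has '^dh .*dh1024' &&
        flag "1024-bit Diffie-Hellman parameters; build dh2048.pem or larger and reference it"
    has '^comp-lzo' &&
        flag "comp-lzo compresses tunnel data; leave compression off unless it is required"
    has '^reneg-sec 0' &&
        flag "reneg-sec 0 disables periodic TLS key renegotiation"
    has '^user ' ||
        flag "no 'user nobody' / 'group nobody': the daemon keeps root privileges after startup"
    has '^tls-auth ' ||
        flag "no tls-auth key: control-channel packets are not HMAC-checked before the TLS handshake"
    return "$findings"
}

# Usage: audit_openvpn_conf /etc/openvpn/server.conf
```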
service openvpn start
Step 15 – You’ll also need to enable IP forwarding in /etc/sysctl.conf. Open it and set the “net.ipv4.ip_forward” line to 1:
nano /etc/sysctl.conf
Replace 0 with 1 in this line:
net.ipv4.ip_forward = 1
Hit Control+O to save, then Control+X to exit nano.
Step 16 – Issue this command to load the change:
sysctl -p
Step 17 – Create a new Linux user which can also be used to log in to the VPN:
useradd username -s /bin/false
Replace username with your own username.
Then also set its password:
passwd username
Step 18 – Now add the iptables NAT rules.
Xen and KVM users use:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Special for OpenVZ, use these two instead:
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
and
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
Do not forget to replace 123.123.123.123 with your server IP.
Step 19 – Note: if you have CSF on the same server you need to open your OpenVPN port (usually 1194) through the firewall and run the commands below for CSF:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123
Step 20 – Now save the iptables rules:
service iptables save
Step 21 – Finally, let’s create a server.ovpn config file. To make it easy, you can simply create it on your local computer using Notepad (or any other plain text editor). Enter the following in that file:
client
dev tun
proto udp
# - Your server IP and OpenVPN port
remote 123.123.123.123 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Then save it with the .ovpn extension in the config directory of the OpenVPN client installation on your computer.
Step 22 – That’s it. Now you can copy the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server’s document root (public_html):
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory
Example:
cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/servermom.com/public_html
Now you can download the ca.crt file from your browser by going to domain.com/ca.crt, then save it to the same folder as the .ovpn file you created earlier.
That’s it. Now you can log in to your VPN using the username and password you’ve created. ENJOY..
Also Read: Get caught using this common VPN connection? I wrote another tutorial on how to build a scrambled, undetected version of an OpenVPN server, also on CentOS.
Hello,
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
this is an error showing ..
cp: cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/’: No such file or directory
looks like the new openvpn versions don't have easy-rsa folders..
please help..
thank you
Hei.. it would be easier if you install OpenVPN-AS 🙂
I also got the same problem. How do I install openvpn-as??
Nice . Thanks for sharing
Hi,
When I start openvpn it shows [FAILED], do you know why?
You need to configure selinux.
echo 0 > /selinux/enforce
That will disable it until the next reboot. (Please read and understand what SELinux does before you remove it from your install. lol)
Thanks for the addition.. but you can also edit /etc/selinux/config and set SELINUX=disabled. However, as per my experience most VPS providers have SELinux disabled / no SELinux installed. SELinux is a security extension of CentOS that should provide extended security. In my opinion you don’t need it to configure a secure system with SELinux, and it usually causes more problems than advantages.
Hey Sawiyati, thanks for your share. I followed your instructions step by step and I did disable SELinux. Yet I still cannot start openvpn. What's the possible reason? Thank you….
Have you enabled TUN/TAP? What's the error message sayin'?
It’s great to see such interest in OpenVPN. OpenVPN is really great. But this is doing things rather complicated, IMHO.
Rather install and enable Fedora EPEL repository (instead of rpmforge, as this one quite often causes update issues later on).
Then just do: [root@server: ~]# yum install openvpn
And you’ll get all you need.
Then there is one big security issue. Never EVER let easy-rsa files reside on the same computer as your OpenVPN server. The easy-rsa files can really be located on an offline medium, just to be used when you need to generate a new certificate for another client or server. All the files the OpenVPN server needs are the server configuration, CA certificate, private server key, server certificate and the DH file (f.ex. dh2048.pem). The client just needs: CA certificate, private client key and client certificate. That’s all that is needed to make this work.
The CA files (from easy-rsa, or similar tools) are the most sacred files you’ll ever have your hands on. Those files must be protected extremely well. The reason is that if an attacker gains access to your CA key, that attacker can sign new certificates and become both a new client and server with nobody else really noticing (unless stricter certificate verifications have been enabled). And the CA key is only needed when signing new certificates.
See the official OpenVPN howto for more info.
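A check of a deployed key directory along the lines of this comment, as an added example (not the commenter's code and not part of OpenVPN or easy-rsa): it confirms the CA private key is absent from the server, the files the server needs are present, the private key is owner-readable only, and, when openssl is installed, that server.crt actually chains to ca.crt. It assumes the file names the tutorial uses (ca.crt, server.crt, server.key) and a GNU or BSD stat.

```shell
#!/bin/sh
# Added hygiene check for /etc/openvpn/easy-rsa/2.0/keys (not from the post).
# Prints one PROBLEM line per issue and returns the number of problems.
check_openvpn_keys() {
    dir="$1"
    problems=0

    # 1. The CA private key must not live on the VPN server at all.
    if [ -e "$dir/ca.key" ]; then
        echo "PROBLEM: $dir/ca.key present; keep the CA key and easy-rsa on offline storage"
        problems=$((problems + 1))
    fi

    # 2. Everything the server does need must exist and be non-empty.
    for f in ca.crt server.crt server.key; do
        if [ ! -s "$dir/$f" ]; then
            echo "PROBLEM: $dir/$f missing or empty"
            problems=$((problems + 1))
        fi
    done

    # 3. The server's private key must be readable by its owner only.
    if [ -e "$dir/server.key" ]; then
        mode=$(stat -c '%a' "$dir/server.key" 2>/dev/null || stat -f '%Lp' "$dir/server.key")
        case "$mode" in
            600|400) ;;
            *) echo "PROBLEM: server.key mode $mode; expected 600"
               problems=$((problems + 1)) ;;
        esac
    fi

    # 4. The server certificate must verify against the CA the clients will trust.
    if command -v openssl >/dev/null 2>&1 && [ -s "$dir/ca.crt" ] && [ -s "$dir/server.crt" ]; then
        if ! openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1; then
            echo "PROBLEM: server.crt does not verify against ca.crt"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Usage: check_openvpn_keys /etc/openvpn/easy-rsa/2.0/keys
```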
Hi Dazo,.. thanks in advance for your information. It helps.
This guide is out of date — OpenVPN has been updated since.
The only thing you need to do differently is get the ‘easy-rsa’ from Github. It’s no longer included with the install.
https://github.com/OpenVPN/easy-rsa
You can
wget https://github.com/OpenVPN/easy-rsa/archive/master.zip
(Keep in mind, zip / unzip is not normally installed by default on CentOS)
You can install zip by running:
yum install zip
After you have the master downloaded and zip installed:
unzip master
And follow the rest of the tutorial 🙂
Thanks Quentin..
“The only thing you need to do differently is get the ‘easy-rsa’ from Github. It’s no longer included with the install.”
Yes, this worked. Thanks a ton both Sawiyati and Quentin! Well done!
What would you need to configure on the home dsl/cable modem/router in order to get this to work? For example: I have home cable internet and it has a little wireless netgear modem. My centos server is connected to one of the ports on the modem/router. Thanks!
Fantastic Tutorial!
I followed all the steps and it worked like a charm, THANK YOU VERY MUCH.
I got an issue when I tried to set up the openvpn service.
I got a VPS on RamNode; I asked via a support ticket to enable TUN/TAP on my VPS.
now i
Thnx for the tut but I still can’t get it running.
At step 6 I get this after the command: “cp: cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/’: No such file or directory”.
I had OpenVPN running in the past on my CentOS box but the DNS and routing were not correct.
I have minor Linux knowledge (mostly used Webmin to config the box) so please help me out.
The files which needed to be copied were already in the correct folder, so I could continue with step 7 after all.
I have openvpn-as running but it uses a different IP range (5.5.0.0). What is the difference between the 2 OpenVPN options? I really lost the logic in all this.
Maybe I need to remove both openvpn and openvpn-as and start all over?
Stupid me :$
I need help. I get this when trying
./build-ca
[root@panel 2.0]# ./build-ca
grep: /etc/openvpn/easy-rsa/2.0/openssl.cnf: No such file or directory
pkitool: KEY_CONFIG (set by the ./vars script) is pointing to the wrong
version of openssl.cnf: /etc/openvpn/easy-rsa/2.0/openssl.cnf
The correct version should have a comment that says: easy-rsa version 2.x
Can I get some help?
I got everything configured and was able to start the service.. but when I try to connect from the client it just says connecting... but never connects. Any ideas what would cause that? Or how I can troubleshoot it?
Are you using Wi-Fi?
SELinux disabled is OK, but now how can I enable tun/tap on CentOS 6? My problem is that "service openvpn start" fails. Anybody please help, can you help me?
How can I enable tun/tap on CentOS? Please
thanks
It’s via your VPS control panel. i.e: SolusVM
if one already have an ssl cert for a vpn device, how would one use it with this openvpn server?
I followed the instructions but now I can’t connect at all to my Centos 6.4 box from anything.
I can’t SSH from inside my home network to the box and when I try telnet to port 1149 on the centos box it comes back with connection refused.
I can hit the internet from the box, but something seems to have blocked anything from talking to it now.
Nice tutorial. What would be the procedure if I want to enable TCP also on the same server? (I am a Linux noob and a plain-language tutorial will be highly appreciated.) THANKS.
Hi. Thanks for this good tutorial.
BUT I have a problem. Every time I want to start my openvpn I get this message:
Shutting down openvpn: [ OK ]
Starting openvpn: [FAILED]
I did it over and over, but I couldn’t succeed.
PLZ HELP ME.
is it about the “./build ca” or “./build server”?
Wed Nov 06 10:00:54 2013 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
[root@vpn ~]# tail -f /var/log/messages
Nov 21 15:27:42 vpn openvpn[1968]: MULTI: multi_create_instance called
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 Re-using SSL/TLS context
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 Control Channel MTU parms [ L:1573 D:138 EF:38 EB:0 ET:0 EL:0 ]
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 Data Channel MTU parms [ L:1573 D:1450 EF:41 EB:4 ET:32 EL:0 ]
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 Local Options hash (VER=V4): ’56af8162′
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 Expected Remote Options hash (VER=V4): ‘f61b8fe4’
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 TLS: Initial packet from 172.16.16.187:1194, sid=20eab3a8 f1dc0ac6
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 TLS Error: Auth Username/Password was not provided by peer
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 TLS Error: TLS handshake failed
Nov 21 15:27:42 vpn openvpn[1968]: 172.16.16.187:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
Can you explain why this error is here...
Hi sawiyati,
Does this work with CentOS 5?
Hi Sawiyati,
Will you please help me on expanding the scope of the VPN to include additional machines on either the client or server subnet (with screenshots).
Thanks in advance,
Regards,
krishna.
https://icnerd.com/2013/09/02/installed-openvpn-in-centos-6-cant-find-easy-rsa/
You need to set up easy-rsa separately. See the above link; it’ll explain.
Thanks for the really accurate guide! 🙂
Works Perfectly. Thank You so much. I did hours of research and your guide was a pretty easy walk through.
Nice tutorial, but please guide me on 2 iptables rules I cannot understand.
1. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
What is the source IP in this iptables rule? Please tell me, is that the server-side local network range?
2. iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123
What is --to-source 123.123.123.123? Is it the WAN interface IP address?
Hope you will send us an urgent response.
Thanks, this worked perfectly!
Followed this tutorial (many times) but I got an error message when I type:
service openvpn start
I did a check on /var/log/messages; that was happening because there’s no “openvpn” group. Sorry if my English isn’t good but I think that everyone will understand this.
FIX:
Just type:
/usr/sbin/groupadd openvpn
Hope this could be useful for someone 🙂
Sorry, that wasn’t for this post, please ignore my reply!
thanks Oliver 🙂
service openvpn start failed. I also tried your tips; however, it doesn't work.
Thanks for your tutorial, and it works fine with my VPS.
By the way, there is another method: installing the VPN on the server with an OpenVPN web page that allows users to log in and download the VPN client, but it seems not to be this method. Any differences?
Thanks for your post 🙂 . But I followed your tutorial and I have an error:
Starting openvpn: Sun May 25 04:22:25 2014 ERROR: Cannot ioctl TUNSETIFF tap0: Permission denied (errno=13)
Sun May 25 04:22:25 2014 Exiting due to fatal error
device br0 already exists; can’t create bridge with the same name
device eth0 is already a member of a bridge; can’t enslave it to bridge br0.
device tap0 is already a member of a bridge; can’t enslave it to bridge br0.
[FAILED]
Can you help me solve this error 🙂 thanks so much
Jun 4 05:28:03 ip-10-185-37-73 openvpn[19689]: OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Jun 4 05:28:03 ip-10-185-37-73 openvpn[19689]: Diffie-Hellman initialized with 2048 bit key
Jun 4 05:28:03 ip-10-185-37-73 openvpn[19689]: Socket Buffers: R=[229376->131072] S=[229376->131072]
Jun 4 05:28:03 ip-10-185-37-73 openvpn[19689]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Jun 4 05:28:03 ip-10-185-37-73 openvpn[19689]: Exiting due to fatal error
Jun 4 05:41:25 ip-10-185-37-73 openvpn[19789]: OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Jun 4 05:41:25 ip-10-185-37-73 openvpn[19789]: Diffie-Hellman initialized with 2048 bit key
Jun 4 05:41:25 ip-10-185-37-73 openvpn[19789]: Socket Buffers: R=[229376->131072] S=[229376->131072]
Jun 4 05:41:25 ip-10-185-37-73 openvpn[19789]: TCP/UDP: Socket bind failed on local address [undef]: Address already in use
Jun 4 05:41:25 ip-10-185-37-73 openvpn[19789]: Exiting due to fatal error
Alhamdulillah, 100% working, not even a single error.
Usually when I follow tutorials elsewhere I always hit errors.. but this one went perfectly smoothly..
Thanks mom 🙂
Thanks… works nicely….
Hi … is there any way I can delete a user already added to OpenVPN?
I tried ./revoke-full client 1 but ‘client 1’ can still connect to the server
Please make a new tutorial for the scrambled OpenVPN 2.3 version...
How to send a mail alert when a client connects to the VPN server?
The article is good, ma'am. I have tried it.
Please help, I'm a newbie and have a question.
Server config: I use 192.168.5.0 255.255.255.0
How do I make it so that the client IP, when the OpenVPN client connects, is in the range 192.168.5.200 – 254?
Currently when the OpenVPN client connects, it always gets IP 192.168.5.6 and so on.
I already tried ifconfig-push 192.168.5.200 255.255.255.0 on one of the VPN users, but on connecting the error “the local and remote vpn endpoints must exist within the same subnet” appears.
Thanks
I already succeeded in installing the VPN server on a VPS at Vultr, so how can I use it? Is it necessary to open a ticket to enable the TUN/TAP driver?
And can I use this VPN to surf the internet without blocked websites?
My problem is I go to China for work but here they block a lot of websites such as google, facebook, youtube, twitter, ..... a lot....
I need to find a way to access them :)
Yes you can. I believe you don’t have to submit a ticket to enable TUN/TAP because it is KVM, not OpenVZ 🙂 correct me if I’m wrong
Good tutorial, it works 100%.. tested on KVM. For step 22 I manually copied the ca.crt file with WinSCP from this path: etc/openvpn/easy-rsa/2.0/keys/ca.crt
Thanks mom..
Starting openvpn 【filed】. I have tried many times and end up with “Starting openvpn 【filed】”. And I searched lots of ways and they don't work!
I'm stuck there with the replacement of files at steps 6 and 7. I don't know why I cannot replace it.
Please help.
Thanks. Got this working on my FreePBX installation (CentOS and Asterisk), so I did not have to create an extra virtual server for this.
One tip: as I wanted to use an iOS device to connect, I had some problems getting the profile file to my device.
Found out you can do the following to add the ca.crt data to the ovpn profile file:
cat /etc/openvpn/easy-rsa/2.0/keys/ca.crt
copy the text block shown to your profile file:
edit your profile.ovpn file:
Remove the line “ca ca.crt”
Put around the block.
Will look like this:
…
verb 3
—–BEGIN CERTIFICATE—–
MIIipw==
—–END CERTIFICATE—–
Save the ovpn file.
Now simply email this file to your device and open it; when you select the OpenVPN app you can then click on + and add this. Now simply add username and pass and it should work, if everything else is set up correctly 😀
Looks like my post got chopped where I have used tag brackets.
So using normal () here goes once more:
cat /etc/openvpn/easy-rsa/2.0/keys/ca.crt
copy the text block shown to your profile file:
edit your profile.ovpn file:
Remove the line “ca ca.crt”
Put (ca)(/ca) around the block.
Will look like this:
…
verb 3
(ca)
—–BEGIN CERTIFICATE—–
MII(emoved most of the text)ipw==
—–END CERTIFICATE—–
(/ca)
Save the ovpn file.
Now simply email this file to your device and open it; when you select the OpenVPN app you can then click on + and add this. Now simply add username and pass and it should work, if everything else is set up correctly 😀
– Remember to use normal HTML tag brackets instead of ()!
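Assembling the single-file profile this comment describes, as an added example (not the commenter's code): it takes a client config of the shape shown in Step 21, drops the "ca ca.crt" line and appends the public ca.crt from Step 22 inside <ca> tags. The profile and certificate paths are arguments; it refuses to embed anything that is not a plain PEM certificate, so a private key cannot end up in the profile by mistake.

```shell
#!/bin/sh
# Added helper (not from the post): write an inline-CA .ovpn profile.
# embed_ca_in_profile PROFILE CACERT OUT
embed_ca_in_profile() {
    profile="$1"   # existing .ovpn with a "ca ca.crt" line
    cacert="$2"    # the ca.crt copied from the server
    out="$3"       # inline profile to write

    # Embed only a PEM certificate, never a key that was passed by accident.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert" || grep -q 'PRIVATE KEY' "$cacert"; then
        echo "refusing: $cacert is not a plain PEM certificate" >&2
        return 1
    fi
    if grep -q '^<ca>' "$profile"; then
        echo "refusing: $profile already carries an inline <ca> block" >&2
        return 1
    fi
    {
        # Keep every line except the "ca <file>" directive.
        grep -v '^ca[[:space:]]' "$profile"
        echo '<ca>'
        # Copy only the certificate body, so stray text in ca.crt is not carried over.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cacert"
        echo '</ca>'
    } > "$out"
}

# True if PROFILE has a complete inline <ca> block and no "ca <file>" directive.
profile_is_inline() {
    grep -q '^<ca>$' "$1" && grep -q '^</ca>$' "$1" && ! grep -q '^ca[[:space:]]' "$1"
}

# Usage: embed_ca_in_profile client.ovpn ca.crt client-inline.ovpn
```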
thanks dude 🙂
Thanks mom for the tutorial, it works perfectly 🙂
Hello servermom, please help me with this: whenever I try to connect to the OpenVPN server on my phone it usually shows me this error: “Tun interface setup failed : tun_prop_error : one of ifconfig or ifconfig-ipv6 must be specified”. Thank you
You can refer to this: https://forums.openvpn.net/topic17153.html
is this tutorial’s still applied for the newly version?
i mean *to not *for… sorry… ahakz…
Hi guys, I am new to OpenVPN. I am planning to deploy this on one of our sites so that remote users can log in via VPN. So please let me know: can I connect unlimited domain users with OpenVPN, or do I have to purchase license keys, as I have only a 2-user license by default? If you have any other alternative please suggest it; I am looking for a completely free solution. Thanks a lot
yes you have to purchase license keys
When I try to restart OpenVPN, I get
Starting openvpn: [FAILED]
Please help. I do have TUN/TAP turned on.