SOHO : Small Office Home Office
Freeware - Opensource software tips, tricks, tweaks & fixes for managing, securing, improving the performance of SOHO Desktop, Laptop, Networks

Saturday, August 7, 2010

Installing OpenVPN on CentOS 5.5 x86_64


Last time I tried to install OpenVPN on my VPS I searched Google for a tutorial and found a few ways to install it on CentOS. I tried them all; the easiest one is the method I write up here.

Anyway, what is OpenVPN?
http://en.wikipedia.org/wiki/OpenVPN

Okay, let's begin.

First of all, install CentOS on your VPS. Here I'm using SolusVM for the OS install and choosing CentOS 5.5.



I'm using the CentOS 5.5 x86_64 image because the 32-bit (i386) images I tried did not have TUN/TAP available. The installation finishes in roughly 30 minutes; once it is done, log in as root over SSH.

Before installing OpenVPN, check whether the TUN/TAP device is available. If it isn't, try another CentOS image or ask your VPS provider to enable TUN/TAP for your machine; on container-based VPSes it has to be switched on from the host.

#cat /dev/net/tun

The expected answer is

cat: /dev/net/tun: File descriptor in bad state

which means the device exists and the kernel accepts it, so TUN/TAP is ready. "No such file or directory" (or no /dev/net directory at all) means TUN/TAP is not available.

Now we begin the installation. First install gcc and make.

#yum install gcc make


Download the LZO source RPM (the compression library used by OpenVPN's comp-lzo option)
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download the RPMforge repository release package for your architecture

If you're using the 32-bit version:
#wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

If you're using the 64-bit version:
#wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

You can check your server architecture with:
#uname -m

It prints x86_64 for the 64-bit install and i686 (or i386) for a 32-bit one; both of the latter take the i386 package.

Install the packages needed to build and run OpenVPN
#yum install rpm-build autoconf zlib-devel pam-devel openssl-devel

Rebuild the LZO source RPM, install the resulting binary package, and add the RPMforge repository to your CentOS
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/x86_64/lzo-*.rpm
#rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

note: check your architecture; on a 32-bit install replace "x86_64" with "i386" in both rpm commands

Install OPENVPN
#yum install openvpn

Copy the easy-rsa directory (the scripts that build the CA and the certificates) into /etc/openvpn/. The version number in the path is the one yum installed; if it differs, check with ls /usr/share/doc | grep openvpn
#cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/

Now let's create the certificates. The vars file defaults to KEY_SIZE=1024, which is why the server config below refers to dh1024.pem; if you raise it to 2048 before sourcing, change the dh line to dh2048.pem to match. clean-all wipes the keys directory, so run it only once when setting up.
#cd /etc/openvpn/easy-rsa/2.0
#chmod 755 *
#source ./vars
#./clean-all

Build the CA
#./build-ca

You'll be asked for the certificate fields; pressing Enter accepts the defaults taken from vars, but the "Common Name" field must be filled in.

Build the server key and certificate
#./build-key-server server

Same as build-ca, but in the "Common Name" field enter: server. build-key-server marks the certificate as a server certificate (nsCertType=server), which clients can later check.

Build the Diffie-Hellman parameters (this can take a few minutes)
#./build-dh

Certificate building done; now create the configuration file in /etc/openvpn
#cd /etc/openvpn
#nano server.conf

You can also use vi or pico to create the configuration file.

Here is an example configuration file. Comments start with # on a line of their own.

# change to your server's IP address
local 123.123.123.123
# change to the port you want
port 1234
# protocol can be tcp or udp
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# authenticate users with PAM; the second argument is the PAM service name
# (the file /etc/pam.d/login), not a path to it
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
# password-only authentication: no client certificate is needed, so every
# system account with a valid password can connect. Use strong passwords.
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
# route all client traffic through the VPN and hand out DNS servers
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3


Now start OpenVPN in the foreground to test it
#openvpn /etc/openvpn/server.conf

If the log ends with "Initialization Sequence Completed" your OpenVPN server is ready. Stop it with Ctrl-C and run it as a service instead: service openvpn start (the init script starts every *.conf in /etc/openvpn) and chkconfig openvpn on so it starts at boot.


Now enable IP forwarding and add a NAT rule so clients can reach the internet through the OpenVPN server. Setting it through /proc only lasts until the next reboot:
#echo 1 > /proc/sys/net/ipv4/ip_forward

To make ip_forward persistent, add this line to /etc/sysctl.conf (and apply it with sysctl -p):
net.ipv4.ip_forward = 1

If you're using a VPS (fixed public address):
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 123.123.123.123


123.123.123.123 is your server's IP address.
You can verify that the rule was written correctly by listing the NAT table:

#iptables -t nat -L -n -v

If you already have a firewall, don't switch it off for testing; instead open the OpenVPN port (UDP 1234 in the config above) in the INPUT chain and allow forwarding between tun0 and eth0 for the 10.8.0.0/24 clients.

To remove all NAT rules if you made a mistake:

#iptables -t nat -F

If you're using a dedicated server:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables rules are not persistent across reboots unless you save them.
To make them persistent on CentOS 5.5 x86_64:
Make sure the iptables service is enabled in runlevels 3 and 5. To check:
#chkconfig --list | grep iptables
If every runlevel shows "off", enable the service first (chkconfig iptables on). Then save the running rules to /etc/sysconfig/iptables:
#/sbin/service iptables save
Done.
To make them persistent on Ubuntu and Debian flavours, follow this tutorial: https://help.ubuntu.com/community/IptablesHowTo
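The forwarding, NAT and firewall steps above collected into one script, as an added example that is not part of the original post: it opens only the tunnel port inbound, forwards only the 10.8.0.0/24 clients out through the public interface and their return traffic back in, and picks SNAT or MASQUERADE depending on whether a fixed public address is given, instead of switching the firewall off for testing. The interface names tun0 and eth0, the subnet and UDP 1234 are assumptions taken from the server.conf above; override them via environment variables (on OpenVZ containers the public interface is usually venet0, so set WAN_DEV=venet0). Setting IPTABLES="echo iptables" prints the rules instead of loading them.

```shell
#!/bin/sh
# openvpn-fw.sh: forwarding, NAT and input rules for the OpenVPN server built above.
# Added example, not from the original post. tun0/eth0, 10.8.0.0/24 and UDP 1234
# are assumptions taken from the post's server.conf; override them via environment.
set -eu

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # "server 10.8.0.0 255.255.255.0"
VPN_DEV="${VPN_DEV:-tun0}"          # first "dev tun" interface
WAN_DEV="${WAN_DEV:-eth0}"          # interface holding the public address (venet0 on OpenVZ)
VPN_PORT="${VPN_PORT:-1234}"        # "port 1234"
VPN_PROTO="${VPN_PROTO:-udp}"       # "proto udp"
PUBLIC_IP="${PUBLIC_IP:-}"          # set on a VPS with a fixed address (SNAT); empty = MASQUERADE
IPTABLES="${IPTABLES:-iptables}"    # IPTABLES="echo iptables" prints the rules instead of loading them

# valid_ipv4 ADDR: returns 0 if ADDR is a dotted quad with every octet in 0..255, else 1.
# Guards PUBLIC_IP so a typo cannot silently SNAT all clients to a wrong address.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# nat_rule: translate client source addresses as they leave WAN_DEV.
# -o WAN_DEV keeps client-to-client and client-to-server traffic untranslated.
nat_rule() {
    if [ -n "$PUBLIC_IP" ]; then
        valid_ipv4 "$PUBLIC_IP" || { echo "PUBLIC_IP '$PUBLIC_IP' is not an IPv4 address" >&2; return 1; }
        $IPTABLES -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_DEV" -j SNAT --to-source "$PUBLIC_IP"
    else
        $IPTABLES -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_DEV" -j MASQUERADE
    fi
}

# apply_rules: the minimum a VPN gateway needs. The only inbound hole is the tunnel
# port; FORWARD lets tunnel clients out and only their reply traffic back in.
apply_rules() {
    $IPTABLES -A INPUT -i "$WAN_DEV" -p "$VPN_PROTO" --dport "$VPN_PORT" -j ACCEPT
    $IPTABLES -A FORWARD -i "$VPN_DEV" -o "$WAN_DEV" -s "$VPN_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_DEV" -o "$VPN_DEV" -d "$VPN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    nat_rule || return 1
}

case "${1:-}" in
    apply)
        echo 1 > /proc/sys/net/ipv4/ip_forward   # also put net.ipv4.ip_forward = 1 in /etc/sysctl.conf
        apply_rules
        ;;
    save)
        /sbin/service iptables save               # CentOS 5: writes the live rules to /etc/sysconfig/iptables
        ;;
    "") ;;                                        # no verb: only define the functions
    *)  echo "usage: $0 apply|save" >&2; exit 2 ;;
esac
```

Run it as root with `./openvpn-fw.sh apply` once OpenVPN is up, check the result with `iptables -L -n -v` and `iptables -t nat -L -n -v`, then `./openvpn-fw.sh save` and `chkconfig iptables on` so the saved rules load at boot. A dry run with `IPTABLES="echo iptables" PUBLIC_IP=123.123.123.123 ./openvpn-fw.sh apply` shows the exact commands, and a malformed PUBLIC_IP is rejected before anything is loaded.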

The install is done; now create users for OpenVPN. These are ordinary system accounts authenticated through PAM, with the shell set to /bin/false so the account gets no interactive shell.
#useradd -s /bin/false username
#passwd username

To delete an existing user:
#userdel username

Now go to your OpenVPN GUI config folder and create the client configuration file. Here is an example; the port must match the one in server.conf (1234 above), and comp-lzo must be set on both sides.

client
dev tun
proto udp
# your OpenVPN server IP and port
remote 123.123.123.123 1234
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3


Save the configuration as filename.ovpn.

Finally, download the ca.crt file from /etc/openvpn/easy-rsa/2.0/keys to your PC (over scp or another authenticated channel, so you know you have the real CA certificate) and save it in the OpenVPN GUI config folder.
Your OPENVPN is ready!
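Two hardening changes a practitioner would make to the configuration above, shown as an added example rather than the post's own config: require a client certificate in addition to the PAM password, so a guessed or reused system password alone is not enough to join the VPN, and make the client verify that the server it reaches holds the certificate built with build-key-server. It assumes a client certificate generated on the server with ./build-key client1 from the same easy-rsa directory, with client1.crt and client1.key copied to the client next to ca.crt; the name client1 and the file names are assumptions.

```conf
# ---- server.conf as the post has it (password only) ----
# plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
# client-cert-not-required
# username-as-common-name

# ---- server.conf, hardened replacement for those three lines ----
# Keep the PAM plugin so a password is still required, but without
# client-cert-not-required a client must also present a certificate signed
# by our CA (made with: cd /etc/openvpn/easy-rsa/2.0 && source ./vars &&
# ./build-key client1 ; "client1" is an assumed name).
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
# username-as-common-name is dropped: the certificate CN, not the typed
# username, now identifies the client in the status log.
# Drop root once the tunnel and keys are set up; persist-key and persist-tun
# from the post's config are what make this survive restarts, and the
# auth-pam plugin keeps a privileged helper so PAM authentication still works.
user nobody
group nobody

# ---- client .ovpn: add to the client config from the post ----
cert client1.crt
key client1.key
auth-user-pass
# Accept only a server certificate that build-key-server marked as a server
# (nsCertType=server); a certificate issued to another client cannot be used
# to impersonate the server.
ns-cert-type server
```

With this in place, connecting requires something you have (the signed client key, which should be kept readable only by the user on the client machine) and something you know (the system password), and a revoked or deleted client certificate locks that client out regardless of its password.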


Update:
We are working on some improvements to our office VPN servers, scheduled to be implemented in two weeks' time. These are the changes we are looking at:

  1. Restrict the number of users connecting to the server
  2. Restrict the number of concurrent connections
  3. Set access times
  4. Limit bandwidth per user
Dear readers, please subscribe to be updated.

16 comments:

  1. Thank you so much for this awesome guide!

    I am curious though how you would limit the maximum number of users that can connect.

    Is it with the server.conf file?

  2. Dear G,

    We do have this requirement and we are working on it. Will update you as soon as this is resolved at our end.

  3. Sir, how about multiple VPN servers using a central authentication system?
    Can you help me out?

  4. @truedimension : This can be achieved with LDAP server, Sure I am willing to help you.

    In return, please share the steps and config files.

  5. awesome !!!

    but I got the following error:

    # openvpn /etc/openvpn/server.conf
    Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/server.conf:13: /etc/pam.d/login (2.2.0)
    Use --help for more information.


    What's wrong? The server.conf is exactly like yours, except for the IP.

  6. @Mukhthar Ahmed, any update on multiple server? This is very helpful if you could share this in this blog.. thanks..

  7. Hey bu9traq,
    Make sure the user credentials are correct and is accessible.

    Hey Jep-Jep,
    We have completed LDAP at our works and is working gr8, will write a tutorial on this and post the configurations files for reference. A new project at our works is keeping me away, but will do...

    Hey Wizac,
    Can you be more specific?

    Fellas, sorry for the delay, but work is at priority ;-)

  8. I want to install openVPN on my CentOS, thanks already to guide how to install.

  9. anyone knows how to join 2 servers (multi-server) 1 account can access into 2 servers.

    Thanks

    u2ns

  10. Hi,

    you can achieve this with use of LDAP server

  11. How to connect to the VPN from Windows? Please post the steps. I'm using the OpenVPN client and it always says request timed out.

  12. # chkconfig --list | grep iptables
    iptables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

    1. Hello Naveed,

      Will write a post on how to connect to openvpn server from windows. Meanwhile please check your server config and iptables. you can apply my iptables rules from the post http://sohonetwork.blogspot.in/2012/05/install-openvpn-ubuntu-vps-10-minutes.html
      just modify the client ip address range in firewall accordingly.
      check what ports your server is listening to with command "netstat -vatn"

      In Linux generally, "iptables" isn't a service - it's a command to manipulate the netfilter kernel firewall. You can "disable" (or stop) the firewall by setting the default policies on all standard chains to "ACCEPT", and flushing the rules.

      iptables -P INPUT ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD ACCEPT
      iptables -F
