How To Setup and Configure an OpenVPN Server on CentOS 7 | DigitalOcean
By: Jacob Tomlinson
Dec 3, 2014
VPN, Firewall, CentOS
Introduction
We're going to install and configure OpenVPN on a CentOS 7 server. We'll also discuss
how to connect a client to the server on Windows, OS X, and Linux.
OpenVPN is an open-source VPN application that lets you create and join a private
network securely over the public Internet.
Prerequisites
You should complete these prerequisites:
CentOS 7 Droplet
https://www.digitalocean.com/community/tutorials/howtosetupandconfigureanopenvpnserveroncentos7
1/19
6/9/2015
How To Setup and Configure an OpenVPN Server on CentOS 7 | DigitalOcean
root access to the server (several steps cannot be completed with just sudo access)
Domain or subdomain that resolves to your server that you can use for the certificates
Before we start we'll need to install the Extra Packages for Enterprise Linux (EPEL)
repository. This is because OpenVPN isn't available in the default CentOS repositories.
The EPEL repository is an additional repository managed by the Fedora Project containing
non-standard but popular packages.
yum install epel-release
Step 1 - Installing OpenVPN
First we need to install OpenVPN. We'll also install Easy RSA for generating our SSL key
pairs, which will secure our VPN connections.
yum install openvpn easy-rsa -y
Step 2 - Configuring OpenVPN
OpenVPN has example configuration files in its documentation directory. We're going to
copy the sample server.conf file as a starting point for our own configuration file.
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
Let's open the file for editing.
vi /etc/openvpn/server.conf
There are a few lines we need to change in this file. Most of the lines just need to be
uncommented (remove the ;). Other changes are marked in red.
When we generate our keys later, the default Diffie-Hellman encryption length for Easy
RSA will be 2048 bytes, so we need to change the dh filename to dh2048.pem.
dh dh2048.pem
We need to uncomment the push "redirect-gateway def1 bypass-dhcp" line, which
tells the client to redirect all traffic through our OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
Next we need to provide DNS servers to the client, as it will not be able to use the default
DNS servers provided by your Internet service provider. We're going to use Google's
public DNS servers,
Do this by uncommenting the push "dhcp-option DNS lines and updating the IP
addresses.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
We want OpenVPN to run with no privileges once it has started, so we need to tell it to run
with a user and group of nobody. To enable this you'll need to uncomment these lines:
user nobody
group nobody
Save and exit the OpenVPN server configuration file.
Step 3 - Generating Keys and Certificates
Now that the server is configured we'll need to generate our keys and certificates. Easy
RSA installs some scripts to generate these keys and certificates.
Let's create a directory for the keys to go in.
mkdir -p /etc/openvpn/easy-rsa/keys
We also need to copy the key and certificate generation scripts into the directory.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
To make life easier for ourselves we're going to edit the default values the script
uses so we don't have to type our information in each time. This information is stored
in the vars file so let's open this for editing.
vi /etc/openvpn/easy-rsa/vars
We're going to be changing the values that start with KEY_. Update the following values to
be accurate for your organization.
The ones that matter the most are:
server.key and server.crt
KEY_CN: Enter the domain or subdomain that resolves to your server
For the other values, you can enter information for your organization based on the variable
name.
...
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="DigitalOcean"
export KEY_EMAIL="sammy@example.com"
export KEY_OU="Community"
# X509 Subject Field
export KEY_NAME="server"
...
export KEY_CN=openvpn.example.com
...
We're also going to remove the chance of our OpenSSL configuration not loading due to
the version being undetectable. We're going to do this by copying the required
configuration file and removing the version number.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
To start generating our keys and certificates we need to move into our easy-rsa
directory and source in our new variables.
cd /etc/openvpn/easy-rsa
source ./vars
Then we will clean up any keys and certificates which may already be in this folder and
generate our certificate authority.
./clean-all
When you build the certificate authority, you will be asked to enter all the information we
put into the vars file, but you will see that your options are already set as the defaults. So,
you can just press ENTER for each one.
./build-ca
The next things we need to generate are the key and certificate for the server. Again
you can just go through the questions and press ENTER for each one to use your defaults.
At the end, answer Y (yes) to commit the changes.
./build-key-server server
We also need to generate a Diffie-Hellman key exchange file. This command will take a
minute or two to complete:
./build-dh
That's it for our server keys and certificates. Copy them all into our OpenVPN directory.
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
All of our clients will also need certificates to be able to authenticate. These keys and
certificates will be shared with your clients, and it's best to generate separate keys and
certificates for each client you intend on connecting.
Make sure that if you do this you give them descriptive names, but for now we're going to
have one client so we'll just call it client.
cd /etc/openvpn/easy-rsa
./build-key client
That's it for keys and certificates.
Step 4 - Routing
To keep things simple we're going to do our routing directly with iptables rather than the
new firewalld.
First, make sure the iptables service is installed and enabled.
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
Next we'll add a rule to iptables to forward our routing to our OpenVPN subnet, and save
this rule.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Then we must enable IP forwarding in
vi /etc/sysctl.conf
Add the following line at the top of the file:
net.ipv4.ip_forward = 1
Then restart the network service so the IP forwarding will take effect.
systemctl restart network.service
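A check that can be run after Step 4, as an added example that is not part of the original tutorial: it reads a ruleset in iptables-save format and a sysctl.conf-style file, confirms the masquerade rule and IP forwarding are in place, and lists the filter chains left with a default ACCEPT policy after the flush. The sample ruleset and sysctl text are constructed, and the function names are this example's own.

```sh
# Added example: audit what Step 4 writes. All sample data is constructed.

# masquerade_present FILE SUBNET IFACE
# Succeeds when the *nat table of an iptables-save dump contains a
# POSTROUTING rule that masquerades SUBNET leaving through IFACE.
masquerade_present() {
    awk -v s="$2" -v i="$3" '
        /^\*/ { table = $1 }
        table == "*nat" && $1 == "-A" && $2 == "POSTROUTING" {
            src = ""; out = ""; tgt = ""
            for (n = 3; n < NF; n++) {
                if ($n == "-s") src = $(n + 1)
                if ($n == "-o") out = $(n + 1)
                if ($n == "-j") tgt = $(n + 1)
            }
            if (src == s && out == i && tgt == "MASQUERADE") found = 1
        }
        END { exit !found }' "$1"
}

# accept_policy_chains FILE
# Prints each filter-table chain whose default policy is ACCEPT.
accept_policy_chains() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && /^:/ && $2 == "ACCEPT" { print substr($1, 2) }' "$1"
}

# forwarding_enabled FILE
# Succeeds when the last active net.ipv4.ip_forward line in FILE sets it to 1.
forwarding_enabled() {
    awk -F'=' '
        /^[ \t]*[#;]/ { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "net.ipv4.ip_forward" { last = val }
        END { exit !(last == "1") }' "$1"
}

# Constructed sample: a ruleset saved right after "iptables --flush" plus
# the tutorial's single NAT rule.
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

sample_sysctl() { printf '%s\n' '# constructed sample' 'net.ipv4.ip_forward = 1'; }

audit_demo() {
    d=$(mktemp -d) || return 1
    sample_ruleset > "$d/iptables"; sample_sysctl > "$d/sysctl.conf"
    masquerade_present "$d/iptables" 10.8.0.0/24 eth0 || echo "FAIL masquerade rule missing"
    forwarding_enabled "$d/sysctl.conf" || echo "FAIL IP forwarding not enabled"
    for c in $(accept_policy_chains "$d/iptables"); do
        echo "WARN filter chain $c has default policy ACCEPT"
    done
    rm -rf "$d"
}
audit_demo
```

On a live server the same functions can be pointed at /etc/sysconfig/iptables and /etc/sysctl.conf.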
Step 5 - Starting OpenVPN
Now we're ready to run our OpenVPN service. So let's add it to systemctl:
systemctl -f enable openvpn@server.service
Start OpenVPN:
systemctl start openvpn@server.service
Well done; that's all the server-side configuration done for OpenVPN.
Next we'll talk about how to connect a client to the server.
Step 6 - Configuring a Client
Regardless of your client machine's operating system, you will definitely need a copy of
the ca certificate from the server, along with the client key and certificate.
Locate the following files on the server. If you generated multiple client keys with unique
descriptive names, then the key and certificate names will be different. In this article we
used client.
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/client.crt
/etc/openvpn/easy-rsa/keys/client.key
Copy these three files to your client machine. You can use SFTP or your preferred
method. You could even open the files in your text editor and copy and paste the contents
into new files on your client machine.
Just make sure you make a note of where you save them.
We're going to create a file called client.ovpn. This is a configuration file for an
OpenVPN client, telling it how to connect to the server.
You'll need to change the first line to reflect the name you gave the client in your key
and certificate; in our case, this is just client
You also need to update the IP address from your_server_ip to the IP address of
your server; port 1194 can stay the same
Make sure the paths to your key and certificate files are correct
client
dev tun
proto udp
remote your_server_ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca /path/to/ca.crt
cert /path/to/client.crt
key /path/to/client.key
This file can now be used by any OpenVPN client to connect to your server.
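A lint for the two configuration files edited in Step 2 and Step 6, as an added example rather than part of the original tutorial: it confirms that the server.conf directives are really uncommented, and that the client profile names a server-certificate verification method such as remote-cert-tls server, which the profile above does not. The function names and the server.conf excerpt are constructed for this example; the client sample repeats lines from the profile above.

```sh
# Added example: lint server.conf (Step 2) and client.ovpn (Step 6).

# directive_active FILE "DIRECTIVE TEXT"
# Succeeds when FILE has an uncommented line that starts with the given
# words. Lines starting with ';' or '#' are comments; quotes are ignored.
directive_active() {
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }
        { line = $0; gsub(/"/, "", line); gsub(/[ \t]+/, " ", line)
          sub(/^ /, "", line); sub(/ $/, "", line) }
        line == want || index(line, want " ") == 1 { found = 1 }
        END { exit !found }' "$1"
}

# check_server_conf FILE
# Prints every Step 2 directive that is still inactive; returns their count.
check_server_conf() {
    csc_missing=0
    for csc_d in "dh dh2048.pem" "push redirect-gateway" \
                 "push dhcp-option DNS" "user nobody" "group nobody"; do
        if ! directive_active "$1" "$csc_d"; then
            echo "inactive: $csc_d"
            csc_missing=$((csc_missing + 1))
        fi
    done
    return "$csc_missing"
}

# verifies_server_cert FILE
# Succeeds when the client profile enables a server-certificate check.
verifies_server_cert() {
    for vsc_d in "remote-cert-tls server" "ns-cert-type server" \
                 "verify-x509-name" "remote-cert-eku" "tls-verify"; do
        if directive_active "$1" "$vsc_d"; then return 0; fi
    done
    return 1
}

# Constructed server.conf excerpt: the privilege drop is still commented out.
sample_server_conf() {
    cat <<'EOF'
dh dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
;user nobody
;group nobody
EOF
}

# Lines from the Step 6 client profile (paths are the tutorial's placeholders).
sample_client_profile() {
    printf '%s\n' client 'dev tun' 'proto udp' 'remote your_server_ip 1194' \
        'ca /path/to/ca.crt' 'cert /path/to/client.crt' 'key /path/to/client.key'
}

lint_demo() {
    d=$(mktemp -d) || return 1
    sample_server_conf > "$d/server.conf"; sample_client_profile > "$d/client.ovpn"
    check_server_conf "$d/server.conf" || echo "server.conf: $? directive(s) to fix"
    verifies_server_cert "$d/client.ovpn" \
        || echo "client.ovpn: no server certificate verification directive"
    rm -rf "$d"
}
lint_demo
```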
Windows:
On Windows, you will need the official OpenVPN Community Edition binaries which come
with a GUI. Then, place your .ovpn configuration file into the proper directory,
C:\Program Files\OpenVPN\config, and click Connect in the GUI. OpenVPN GUI on
Windows must be executed with administrative privileges.
OS X:
On Mac OS X, the open source application Tunnelblick provides an interface similar to the
OpenVPN GUI on Windows, and comes with OpenVPN and the required TUN/TAP drivers.
As with Windows, the only step required is to place your .ovpn configuration file into the
~/Library/Application Support/Tunnelblick/Configurations directory. Or, you can
double-click on your .ovpn file.
Linux:
On Linux, you should install OpenVPN from your distribution's official repositories. You can
then invoke OpenVPN by executing:
sudo openvpn --config ~/path/to/client.ovpn
Conclusion
Congratulations! You should now have a fully operational virtual private network running
on your OpenVPN server.
After you establish a successful client connection, you can verify that your traffic is being
routed through the VPN by checking Google to reveal your public IP.
Author: Jacob Tomlinson
33 Comments
nickf December 8, 2014
Thanks for the guide, Jacob.
I am having issues connecting clients to the openvpn server. I have checked that the
necessary udp ports are open and forwarded. Do you have any suggestions on
what else I can try? Unfortunately the documentation for CentOS 7 is pretty limited.
Thanks!
Here are the errors:
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your
network connectivity)
TLS Error: TLS handshake failed
WARNING: No server certificate verification method has been enabled. See
http://openvpn.net/howto.html#mitm for more info.
rkovacic December 10, 2014
Is your client.ovpn file configured correctly? Did you replace the values?
nickf December 10, 2014
I actually got it working. For some reason I had to change the protocol
from udp to tcp to get the firewall to forward the packets correctly.
Now if I can just figure out the ethernet bridging...
nickf December 10, 2014
Update -- got bridging working as well. In case anyone else struggles with
it, make sure your NIC or virtual nic is set to promiscuous mode. Otherwise
the packets from a client won't reach the local LAN.
q23 December 11, 2014
A suggestion: .ovpn files support inline certificates and keys. Instead of having to
mess around with multiple files and multiple paths, you can just copy and paste
everything from -----BEGIN {CERTIFICATE, RSA PRIVATE KEY}----- to -----END
{CERTIFICATE, RSA PRIVATE KEY}----- in between tags for each one: <ca> for the CA
public key, <cert> for the server or client's public key, <key> for the server or client's
private key, and <tls-auth> for the static key if you're using it.
That way, you can have it all packaged up nicely in one .ovpn file instead of having
3-4 files. Makes it a lot easier to use the OpenVPN for Android client, too.
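The single-file layout q23 describes, as an added example that is not part of the original comment: it keeps only the PEM blocks from each input file, wraps them in <ca>, <cert> and <key> tags, drops the now-redundant file-path directives, and writes the result readable by the owner only because it embeds the private key. The function names, file names and PEM bodies are constructed placeholders, not real key material.

```sh
# Added example: build one .ovpn with inline <ca>, <cert> and <key> blocks.

# pem_block FILE: print only the -----BEGIN ...----- to -----END ...-----
# lines, dropping any human-readable text around them.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# inline_profile BASE CA CERT KEY: print the combined profile on stdout.
inline_profile() {
    # The inline blocks replace the ca/cert/key file-path directives.
    awk '$1 != "ca" && $1 != "cert" && $1 != "key"' "$1"
    for ip_tag in ca cert key; do
        shift
        printf '<%s>\n' "$ip_tag"
        pem_block "$1"
        printf '</%s>\n' "$ip_tag"
    done
}

# write_inline_profile OUT BASE CA CERT KEY
# The output embeds the private key, so create it owner-readable only.
write_inline_profile() {
    wip_out=$1; shift
    ( umask 077 && inline_profile "$@" > "$wip_out" ) && chmod 600 "$wip_out"
}

# make_samples DIR: constructed placeholder inputs (not real key material).
make_samples() {
    printf '%s\n' 'client' 'dev tun' 'remote your_server_ip 1194' \
        'ca /path/to/ca.crt' 'cert /path/to/client.crt' \
        'key /path/to/client.key' > "$1/client.ovpn"
    for ms_f in ca.crt client.crt; do
        printf '%s\n' 'Certificate:' '    Data: (text dump)' \
            '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$ms_f" \
            '-----END CERTIFICATE-----' > "$1/$ms_f"
    done
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER-client.key' \
        '-----END RSA PRIVATE KEY-----' > "$1/client.key"
}

inline_demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    write_inline_profile "$d/client-inline.ovpn" "$d/client.ovpn" \
        "$d/ca.crt" "$d/client.crt" "$d/client.key"
    cat "$d/client-inline.ovpn"
    rm -rf "$d"
}
inline_demo
```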
RishavAnand December 19, 2014
Can two users connect at the same time?
And instead of .key file can there be an option for username & password?
giuseppelomba December 22, 2014
I followed this and installed successfully, but when I start openvpn I don't have
internet access. Why is this?
AlpineLakes August 31, 2015
Seems odd. If anything following the steps literally will leave your iptables
in a fairly open state with a default ACCEPT policy on the OUTPUT chain I
believe. What does iptables -L --line-numbers --verbose and
iptables -S have to say? Also, just for grins I wonder what systemctl
status firewalld and systemctl status NetworkManager have to
say?
pshinghal December 26, 2014
Thanks for the guide! I think the first line of the .ovpn file shouldn't be in red, though.
I used a unique name for my client, but using that name as the first line didn't work.
When I changed the first line back to "client", it worked fine. I might be missing
something, though.
freshscaped December 29, 2014
Did you name the file the same as the first line or did you call it
client.ovpn?
pshinghal December 30, 2014
I named it the same as the first line, my-client-name.ovpn
freshscaped December 30, 2014
Thanks. Did you only have to change the first line, or the name of the file
too? I'm getting the impression each and every detail has to be correct
and I'm not finding enough specific clear guidance so am having to use a
lot of guesswork.
pshinghal January 3, 2015
When I "opened" my my-client-name.ovpn file with Tunnelblick, it installed
the configuration in the app support directory. There, it renamed the ovpn
file to config.ovpn
The key and certs retained their old names. In config.ovpn, I had to
change the first line from my-client-name to client
freshscaped December 28, 2014
Why Google's DDNS servers? Why not DigitalOcean's or anybody else's?
freshscaped December 29, 2014
There appears to be some confusion here. You say change KEY_CN in
/etc/openvpn/easy-rsa/vars but the comments within the file say only uncomment
this if you wish to use the same common name for all clients. The advice would
appear to be that it is better to have a separate name and key pair for each client.
Which is correct, please?
AlpineLakes August 26, 2015
I have the same question. Note that in How To Secure Traffic Between
VPS Using OpenVPN (Sep 26, 2013, published a year earlier)
KEY_CN seems to be omitted from similar directions.
I'm going to proceed under the assumption that KEY_CN should not be
defined. If I don't reply to this comment, assume it worked :)
LinuxFreakazoid January 8, 2015
The GUI says I'm connected but my IP does not change. Help please!
eNkrypt January 14, 2015
Hey, thanks for the tutorial. I seem to be having a problem though. I am unable to
connect to the server from the client. It simply times out. I assume it's some sort of
firewall rule that is blocking it. However, when I run a "nmap -sU -p 1194" I get a
"1194/udp open|filtered openvpn" so it seems to be open. When I run a "systemctl
status openvpn@server.service" I get:
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
Active: active (running) since Wed 2015-01-14 18:26:05 UTC; 1h 31min ago
Process: 7020 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn
Main PID: 7027 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
7027 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.
Jan 14 18:26:05 <REDACTED>.net systemd[1]: Started OpenVPN Robust And Highly Fle
Hint: Some lines were ellipsized, use -l to show in full.
It appears to be up and running. I tried it both from my phone (which has no
firewalls) and my work computer - both don't work. Any idea what could be causing
the client to time out when trying to connect?
Thanks again!
camhart April 21, 2015
I'm having this same issue... did you ever get it figured out?
pin February 28, 2015
I notice in article 'https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04', you can find some additional writeup about
how to connect to OpenVPN with iOS. Pretty interesting.
ALKateb March 1, 2015
"You'll need to change the first line to reflect the name you gave the client in your
key and certificate; in our case, this is just client"
I do not think this part is true, "client" here is a keyword, to let the software know the
following is client configuration
Great tutorial, thanks a lot
Oniled March 16, 2015
So I tried these instructions with CentOS 7 and they didn't work for me. When I chose
to use firewalld instead of IPTables, I got it working. Here's my steps, using mostly
the instructions in this article.
Log in to the server as root
Prereqs - same as instructions
Step 1 - same as instructions
Step 2 - same as instructions
Step 3 - same as instructions
Step 4 - completely different instructions. we'll use the built in
firewalld with CentOS instead of using IPTables
open up shell
run "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j
MASQUERADE"
run "iptables-save > /etc/sysconfig/iptables"
vi /etc/sysctl.conf
Add the following line at the top of the file "net.ipv4.ip_forward = 1"
save and exit the file
run "systemctl restart network.service" so the IP forwarding will
take effect
Step 5 - same steps and then
after OpenVPN service is started
run "firewall-cmd --add-service openvpn"
run "firewall-cmd --permanent --add-service openvpn"
to confirm it worked, run "firewall-cmd --list-services"
run "firewall-cmd --add-masquerade"
run "firewall-cmd --permanent --add-masquerade"
to confirm it worked, run "firewall-cmd --query-masquerade"
Step 6 - same as instructions
AlpineLakes August 27, 2015
If like me you wonder where 10.8.0.0/24 magically appeared from the
answer is /etc/openvpn/server.conf:
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
wmpr March 17, 2015
You seem to know what you're doing. If you could, help me understand what to do in
step three. How do I find my domain thing?
crawfishmedia March 25, 2015
Worked right on first try of the tutorial. Have a great day sir.
yenquan March 31, 2015
When I followed tut, I got error below. Please tell me why?
[root@vps openvpn]# systemctl start openvpn@server.service
Job for openvpn@server.service failed. See 'systemctl status openvpn@server.service' and 'journalctl -xn' for details.
[root@vps openvpn]# sudo systemctl status openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled)
Active: failed (Result: exit-code) since Tue 2015-03-31 00:08:51 EDT; 8s ago
Process: 24119 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
Mar 31 00:08:51 vps.server.com openvpn[24119]: OpenVPN 2.3.6 x86_64-redhat-l...4
Mar 31 00:08:51 vps.server.com openvpn[24119]: library versions: OpenSSL 1.0...6
Mar 31 00:08:51 vps.server.com openvpn[24119]: Diffie-Hellman initialized wi...y
Mar 31 00:08:51 vps.server.com openvpn[24119]: Socket Buffers: R=[133120->13...]
Mar 31 00:08:51 vps.server.com openvpn[24119]: ROUTE_GATEWAY ON_LINK IFACE=v...0
Mar 31 00:08:51 vps.server.com openvpn[24119]: ERROR: Cannot open TUN/TAP de...)
Mar 31 00:08:51 vps.server.com openvpn[24119]: Exiting due to fatal error
Mar 31 00:08:51 vps.server.com systemd[1]: openvpn@server.service: control p...1
Mar 31 00:08:52 vps.server.com systemd[1]: Failed to start OpenVPN Robust An....
Mar 31 00:08:52 vps.server.com systemd[1]: Unit openvpn@server.service enter....
Hint: Some lines were ellipsized, use -l to show in full.
sunsiyue April 2, 2015
Great tutorial!
I managed to set up my VPN server, but the clients are only able to connect for a
while, about 5 minutes, before losing all internet connection. I could manually
reconnect, however, the problem appears again.
Did anyone else encounter this problem? Did I miss any step during configuration?
t.wengerd April 3, 2015
Thanks for the tutorial! A couple of changes I had to make:
1. I customized the client part in all of the instances that it came up
(client.key became tyler.key, etc.), but I still had to include client
instead of tyler at the top of the .ovpn file created in Step 6 (which
was named tyler.ovpn). OpenVPN documentation states that the
word "client" indicates a client connection and isn't specific to the
key used (as ALKateb also mentioned above).
2. For step 4, I was using firewalld and didn't have to touch iptables at
all - the following worked as a complete replacement for step 4 for
me:
firewall-cmd --permanent --add-service openvpn
firewall-cmd --permanent --add-masquerade
(Add the following line at the top of /etc/sysctl.conf:)
net.ipv4.ip_forward = 1
systemctl restart firewalld
systemctl restart network.service
pyotruk April 13, 2015
If you get error: "no such file or directory" after "systemctl -f enable
openvpn@server.service" in STEP 5, call:
ln -s /lib/systemd/system/openvpn\@.service /etc/systemd/system/multi-user.targe
Helps for me.
For more info read https://fedoraproject.org/wiki/Openvpn
kyl191 April 16, 2015
The equivalent systemctl command is systemctl enable openvpn@.service
Note the lack of config filename - systemd doesn't appear to allow you to
selectively enable individual OpenVPN servers to start on boot.
JeffersonG May 17, 2015
Hello everyone. I repeatedly followed and check if I missed something in
configuration and verified there is nothing wrong on my configuration but I still can't
connect to the openvpn server. This is my setup. I created a vm in virtualbox for
centos server with eth0=192.168.15.6 (bridge adapter) and eth1=192.168.10.1 (host
only). I also created another centos which has eth0=192.168.15.3 (bridge adapter).
What I am trying to do is to reach eth1=192.168.10.1 of the server and ping it but to no
success. Please help me.
AlpineLakes August 27, 2015
Careful - if you have iptables ruleset in place before starting this procedure, flushing
the ruleset is likely not what you want to do. At least make a backup before
flushing:
iptables -L --line-numbers > ~/iptablesrulesbackup
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright 2015 DigitalOcean Inc.