
Installing OpenVPN on CentOS 5 and CentOS 6
03 Apr 2012 / 200 Comments / in VPN's / by Admin

In this guide we will show you how to set up OpenVPN on CentOS. The guide will give you a
fully working OpenVPN installation. NOT TESTED ON OTHER DISTROS.
The first step is to check whether the tun/tap device is available:

cat /dev/net/tun

If tun is active then you should see this:

cat: /dev/net/tun: File descriptor in bad state

Make sure you have these packages installed:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download the LZO source RPM and configure the RPMForge repo:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

32bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

64bit Package:

CentOS 5:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

CentOS 6:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Build the LZO RPM and install both packages:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm

rpm -Uvh lzo-*.rpm

rpm -Uvh rpmforge-release*

Install OpenVPN:

yum install openvpn -y

Copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

**PLEASE NOTE** if the above command brings up an error such as the one below, then follow
these steps to download and copy over easy-rsa, as it is not included in the newer
OpenVPN 2.3.1 build:

cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/': No such file or directory

Download easy-rsa from below:

wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Extract the package:

tar -zxvf easy-rsa-2.2.0_master.tar.gz

Copy to OpenVPN directory:

cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/

Please note that on CentOS 6 we need to make a small change before running the commands
below: open /etc/openvpn/easy-rsa/2.0/vars and edit the line below.
Change:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

To:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

And save.
Now let's create the certificates:

cd /etc/openvpn/easy-rsa/2.0

chmod 755 *

source ./vars

./vars

./clean-all

Build the CA:

./build-ca

Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter

Build the server key:

./build-key-server server

This is almost the same as ./build-ca, but note the following changes and additional prompts:

Common Name: server
A challenge password: leave blank (press enter)
Optional company name: fill or press enter
Sign the certificate: y
1 out of 1 certificate requests: y

Build the Diffie-Hellman parameters (wait until the process finishes):

./build-dh

Now create your server config file:

touch /etc/openvpn/server.conf

And enter the following:

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0 #- 0 disables the periodic data-channel key renegotiation timer
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required #- clients present no certificate; they are authenticated by username/password only
username-as-common-name #- use the authenticated username as the client's common name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save it.
Before we start OpenVPN, let's disable SELinux if it is enabled, as it can cause issues
with OpenVPN, especially when running OpenVPN with multiple configs:

echo 0 > /selinux/enforce

This is a temporary solution and SELinux will be re-enabled once you reboot your system. To
disable it permanently, edit /etc/selinux/config and change this line:

SELINUX=enforcing

To:

SELINUX=disabled

When your system next reboots it will still be disabled.


Now let's start OpenVPN:

service openvpn restart

*Please note if you receive FAIL when OpenVPN tries to start and you have the following
error in your /var/log/messages:

PLUGIN_INIT: could not load plugin shared object /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: cannot open shared object file: No such file or directory

Then this is because the latest OpenVPN package doesn't include this file (which is
reported to be fixed soon), but for now you can download the PAM auth plugin from here:
64Bit:

wget http://safesrv.net/public/openvpn-auth-pam.zip

32Bit:

wget http://safesrv.net/public/dl/openvpn-auth-pam.zip

Extract the file:

unzip openvpn-auth-pam.zip

Move to the OpenVPN directory:

mv openvpn-auth-pam.so /etc/openvpn/openvpn-auth-pam.so

Then replace the PAM plugin line in your server.conf with the one below:

plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login

Restart OpenVPN and all should now work:

killall -9 openvpn

service openvpn restart
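
As an added example (not part of the original guide), the following shell script checks, before `service openvpn restart`, that every file server.conf points at actually exists, so a missing openvpn-auth-pam.so or a wrong path to the easy-rsa keys is caught up front instead of as a PLUGIN_INIT error in /var/log/messages. It also wraps the tun/tap check from the first step as a test. The function names and the sample config it builds are constructed for this example.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server.conf (added example, not from the guide).
# Verifies that every file the config references (ca, cert, key, dh and the
# plugin shared object) exists before the service is restarted.

# Print the path argument of every active ca/cert/key/dh/plugin directive in $1.
# Lines starting with '#' and trailing '#- ...' comments are stripped first, so
# a commented-out "#plugin ..." line is not reported.
openvpn_referenced_files() {
    sed -e 's/[[:space:]]*#.*$//' "$1" |
        awk '$1 == "ca" || $1 == "cert" || $1 == "key" || $1 == "dh" || $1 == "plugin" { print $2 }'
}

# Print "MISSING: <path>" for each referenced file that does not exist.
# Returns 0 when everything is present, 1 otherwise. (Paths with spaces are not handled.)
openvpn_preflight() {
    _status=0
    for _f in $(openvpn_referenced_files "$1"); do
        if [ ! -e "$_f" ]; then
            echo "MISSING: $_f"
            _status=1
        fi
    done
    return $_status
}

# The guide's first step as a test: returns 0 when the tun/tap device node exists.
tun_available() {
    [ -c /dev/net/tun ]
}

# Build a constructed sample config in directory $1 and print its path.
# Only ca.crt is created, so the plugin path is deliberately missing.
make_sample_conf() {
    touch "$1/ca.crt"
    cat > "$1/server.conf" <<EOF
port 1194 #- port
ca $1/ca.crt
plugin $1/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
EOF
    echo "$1/server.conf"
}

# Stand-alone demo on the constructed config; a real run would pass /etc/openvpn/server.conf.
_dir=$(mktemp -d)
openvpn_preflight "$(make_sample_conf "$_dir")" || echo "preflight failed (expected for the sample)"
rm -rf "$_dir"
```

Run it as `openvpn_preflight /etc/openvpn/server.conf` after editing the config; a non-zero exit with one or more MISSING lines means the restart would fail with the PLUGIN_INIT or a cannot-open error for that path.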

Now we need to enable IP forwarding. So open the file /etc/sysctl.conf and set
net.ipv4.ip_forward to 1.

net.ipv4.ip_forward = 1

To make the change to sysctl.conf take effect, run:

sysctl -p

Route iptables:
The rule below will work fine on Xen and KVM based VPSs, but for OpenVZ use the OpenVZ
iptables rules instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

OpenVZ iptables rules:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

and:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Make sure you change 123.123.123.123 to your server IP.


If you have CSF on the same server you need to open your OpenVPN port (usually 1194)
through the firewall and run the commands below for CSF; it is also a good idea to add them
to /etc/csf/csfpre.sh.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

iptables -A FORWARD -j REJECT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

If the above rules cause you any problems or don't seem to work (especially on cPanel
servers), then remove the rules above and use the ones below:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Please make sure 123.123.123.123 is your main server IP.


Then run:

service iptables save

Please note if you are using our FreeRADIUS module for WHMCS then you don't have to do
the step below for adding users; just follow the link above to set up OpenVPN to authenticate
against FreeRADIUS. Otherwise you can create a user as follows:

useradd username -s /bin/false

passwd username

If you wanted to delete a user you would use:

userdel username

Now create the client config file, server.ovpn, and enter the following:

client
dev tun
proto udp
remote 123.123.123.123 1194 #- Your server IP and OpenVPN port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Make sure you change 123.123.123.123 to your server IP.


And make sure OpenVPN starts at boot:

chkconfig openvpn on

Download the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory on the server
and place it in the same directory as your server.ovpn.
Now download a VPN client, import your config file and enter the username and password
created above.
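
As an added example that is not part of the original guide, this script generates the client config above with the CA certificate embedded inline rather than shipped as a separate ca.crt, and goes one step beyond the text by refusing to emit a config while the 123.123.123.123 placeholder is still in place. The function names are my own; the inline `<ca>` block relies on OpenVPN's inline file support, available since 2.1.

```shell
#!/bin/sh
# Build the client .ovpn from the guide with the CA certificate embedded inline
# (added example, not from the guide). One file is then enough on the client.

PLACEHOLDER_IP="123.123.123.123"   # the guide's placeholder, rejected below

# Returns 0 for a dotted-quad IPv4 address with octets 0-255 that is not the placeholder.
validate_server_ip() {
    [ "$1" != "$PLACEHOLDER_IP" ] || return 1
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for _octet in $(echo "$1" | tr '.' ' '); do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: make_client_ovpn SERVER_IP PORT CA_FILE > client.ovpn
# Prints the client config on stdout; fails (exit 1) on a bad IP or a non-PEM CA file.
make_client_ovpn() {
    _ip="$1"; _port="$2"; _ca="$3"
    validate_server_ip "$_ip" || { echo "refusing: '$_ip' is not a usable server IP" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$_ca" 2>/dev/null || { echo "refusing: $_ca is not a PEM certificate" >&2; return 1; }
    cat <<EOF
client
dev tun
proto udp
remote $_ip $_port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
<ca>
$(cat "$_ca")
</ca>
EOF
}

# Stand-alone use: ./make_client_ovpn.sh SERVER_IP PORT /etc/openvpn/easy-rsa/2.0/keys/ca.crt
if [ $# -eq 3 ]; then
    make_client_ovpn "$@"
fi
```

The generated file replaces both server.ovpn and the separate ca.crt on the client; the `ca ca.crt` line is dropped because the certificate travels inside the `<ca>` block.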
