First let's prepare your VPS. Type the following over SSH:
yum update -y
Now you are ready to continue on the next steps.
You need to check that TUN/TAP is enabled on the VPS, then download and install all the dependencies and OpenVPN itself.
Code:
cat /dev/net/tun
Step 2:
Now you need to install OpenVPN and its dependencies. Run each of these commands:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel iptables
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
yum install openvpn
Step 3:
Now you need to change some files, copy directories, and generate the SSL keys for your server. Execute the following commands:
cp -r /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
cp -irv /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/2.0/openssl.cnf
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Step 4:
In the following step you can put whatever you like for the certificate details, but leave the password blank by entering "." when prompted.
./build-ca
./build-key-server server
./build-dh
Step 5:
Now you need to create the OpenVPN server config file. Run the following:
*To save and exit the server.conf file, press [ESC] and type :x
cd /etc/openvpn
vi server.conf
local x.x.x.x #- change it with your server ip address
port 1194
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
Step 6:
Check that your OpenVPN server is working, then configure a few extra bits: firewall, IP forwarding, auto startup, etc.
*If you see "Initialization Sequence Completed." then all is good! Press [CTRL+z] to exit.
openvpn /etc/openvpn/server.conf
Step 7:
Type the following:
chkconfig openvpn on
chkconfig iptables on
Step 8:
Now enable IP forwarding in the kernel so traffic from VPN clients can be routed.
*Again, press [ESC] to leave insert mode and save/exit with :x
vi /etc/sysctl.conf
Change the line net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
Comment out this line: # net.ipv4.tcp_syncookies = 1
Then apply the new settings with:
sysctl -p
Step 9:
We will use SNAT instead of MASQUERADE to forward traffic via iptables.
Remember to replace x.x.x.x with your server IP.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to x.x.x.x
service iptables save
Step 10:
You need to create a client config file for your VPN clients.
Create a config file named NameOfVPN.ovpn and put it in %programfiles%/OpenVPN/Config/NameOfDir/
The .ovpn config file should contain the following; replace x.x.x.x with your VPN server IP.
You will also need to copy the server CA (Certificate Authority) crt file to each of your clients!
Download ca.crt from /etc/openvpn/easy-rsa/2.0/keys and put it in %programfiles%/OpenVPN/Config/NameOfDir/
client
dev tun
proto udp
remote x.x.x.x 1194 #- your OPENVPN server ip and port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3
Step 11:
Make your VPN tunnel start on boot (this appends the command to rc.local):
echo openvpn /etc/openvpn/server.conf >> /etc/rc.d/rc.local
openvpn /etc/openvpn/server.conf
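Before the final reboot it is worth sanity-checking the server.conf you wrote in Step 5. The script below is an added example (not part of the original post): it warns if the x.x.x.x placeholder is still in the local line, if any file named by ca/cert/key/dh is missing, and it flags the three directives used in this guide that a reviewer should look at (client-cert-not-required, comp-lzo and the 1024-bit DH file). The sample config it checks is constructed inline in a temp dir, so it runs without a real OpenVPN install.

```shell
# Added example (not from the original post): sanity-check a server.conf written
# from this guide before rebooting. Warnings go to stderr, the finding count to stdout.
check_server_conf() {
    conf="$1"
    findings=0
    # The guide leaves 'local x.x.x.x' as a placeholder; it must hold the real server IP.
    if grep -Eq '^local[[:space:]]+x\.x\.x\.x' "$conf"; then
        echo "WARN: 'local' still holds the x.x.x.x placeholder" >&2
        findings=$((findings + 1))
    fi
    # Every file named by the ca, cert, key and dh directives must exist.
    for d in ca cert key dh; do
        path=$(awk -v d="$d" '$1 == d { print $2; exit }' "$conf")
        if [ -n "$path" ] && [ ! -f "$path" ]; then
            echo "WARN: $d file not found: $path" >&2
            findings=$((findings + 1))
        fi
    done
    # Directives this guide uses that weaken the server, flagged for review:
    # client-cert-not-required (passwords alone guard the VPN), comp-lzo
    # (compression inside the tunnel) and dh1024.pem (1024-bit DH parameters).
    for weak in '^client-cert-not-required' '^comp-lzo' '^dh[[:space:]].*dh1024\.pem'; do
        if grep -Eq "$weak" "$conf"; then
            echo "WARN: weak directive matched: $weak" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}
# Constructed sample: a cut-down copy of the guide's server.conf, with the key
# paths pointed at a temp dir where dh1024.pem is deliberately missing.
make_sample_conf() {
    dir="$1"
    touch "$dir/ca.crt" "$dir/server.crt" "$dir/server.key"
    cat > "$dir/server.conf" <<EOF
local x.x.x.x
ca $dir/ca.crt
cert $dir/server.crt
key $dir/server.key
dh $dir/dh1024.pem
client-cert-not-required
comp-lzo
EOF
    echo "$dir/server.conf"
}

SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF=$(make_sample_conf "$SAMPLE_DIR")
echo "findings: $(check_server_conf "$SAMPLE_CONF")"   # 5 for this sample
```

Run it against /etc/openvpn/server.conf on the VPS instead of the sample to check your own file; a count of 0 means nothing was flagged.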
Final step 12:
Your VPS will need to be rebooted, so type the following:
reboot
Useful Commands:
To create a new user, type (replace openvpn with the username):
useradd openvpn -s /bin/false
To set the password, type:
passwd openvpn
To delete a user, type:
userdel openvpn