It is recommended to install the EPEL repository first.
Make sure you have these packages installed:
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Download LZO RPM
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Download RPMForge Repo
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
Install openvpn
yum install openvpn
From version 2.3 on, easy-rsa is an independent project, so it has to be downloaded separately, for example:
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
Untar the archive to /etc/openvpn and then copy the easy-rsa folder to /etc/openvpn:
cp -R /etc/openvpn/easy-rsa-2.2.0_master/easy-rsa /etc/openvpn
Open up /etc/openvpn/easy-rsa/2.0/vars and change the below line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
to:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Save the changes. Then prepare the certificate directory:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all
Build CA:
./build-ca
Build the server key:
./build-key-server server
Build the Diffie-Hellman parameters:
./build-dh
Generate the client keys:
./build-key client1
./build-key client2
./build-key client3
Copy the sample server config file server.conf from /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/ to /etc/openvpn:
cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf /etc/openvpn
Edit the file to get a proper configuration: for example, specify the paths to the ca, cert, key and dh files, and push public DNS servers to clients.
Example server config:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
Save the client config file with the .ovpn extension.
Disable SELinux in /etc/selinux/config by changing
SELINUX=enforcing
to
SELINUX=disabled
Now enable IP forwarding. Open the file /etc/sysctl.conf and change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
Apply the change with:
sysctl -p
Configure /etc/sysconfig/iptables.
Please note that you should change eth0 to your actual network device; it can be eth1, or venet0 on a VPS. Check your network devices with the ifconfig command.
Sample config:
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Mar 28 11:52:05 2013
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 28 11:52:05 2013
Note that the INPUT chain's default policy in this sample is ACCEPT, so these rules do not restrict inbound traffic: UDP port 1194 on eth0 is reachable because of that policy, not because of the tun0 rule. The FORWARD rules and the MASQUERADE rule for 10.8.0.0/24 are what let VPN clients reach the outside through eth0.
Start OpenVPN:
service openvpn start
Start OpenVPN and iptables at system startup:
chkconfig openvpn on
chkconfig iptables on
If OpenVPN fails to start, check whether tun/tap is active:
cat /dev/net/tun
If output is:
cat: /dev/net/tun: File descriptor in bad state
then tun/tap is active; look in /var/log/openvpn.log and /var/log/messages for the cause.
If output is:
cat: /dev/net/tun: No such device
then try:
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
Download the client files from /etc/openvpn/easy-rsa/2.0/keys/ and upload them to the OpenVPN directory on the client machine. The OpenVPN client is available on the official site http://openvpn.net/index.php/
How to configure OpenVPN client on Windows
How to configure OpenVPN client on Android
OpenVPN 2.3.1 Centos 6
This guide should be applicable to OpenVPN 2.3.x on CentOS 6.