{"id":247,"date":"2013-10-22T00:37:12","date_gmt":"2013-10-21T16:37:12","guid":{"rendered":"https:\/\/www.ookangzheng.com\/?p=247"},"modified":"2020-05-24T16:02:55","modified_gmt":"2020-05-24T08:02:55","slug":"openvpn-2-3-1-on-centos-6","status":"publish","type":"post","link":"https:\/\/www.ookangzheng.com\/openvpn-2-3-1-on-centos-6\/","title":{"rendered":"OpenVPN 2.3.1 on Centos 6"},"content":{"rendered":"

It is recommended to install the EPEL repository first.<\/p>\n

Make sure you have these packages installed:<\/p>\n

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y<\/pre>\n

Download LZO RPM<\/p>\n

wget http:\/\/openvpn.net\/release\/lzo-1.08-4.rf.src.rpm<\/pre>\n

Download RPMForge Repo<\/p>\n

wget http:\/\/pkgs.repoforge.org\/rpmforge-release\/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm\r\n\r\nrpmbuild --rebuild lzo-1.08-4.rf.src.rpm\r\nrpm -Uvh lzo-*.rpm\r\nrpm -Uvh rpmforge-release*<\/pre>\n

Install openvpn<\/p>\n

yum install openvpn<\/pre>\n

As of version 2.3, easy-rsa is an independent project, so it has to be downloaded separately, for example like this:<\/p>\n

wget https:\/\/github.com\/downloads\/OpenVPN\/easy-rsa\/easy-rsa-2.2.0_master.tar.gz<\/pre>\n

Untar the archive into \/etc\/openvpn and then copy the easy-rsa folder to \/etc\/openvpn:<\/p>\n

cp -R \/etc\/openvpn\/easy-rsa-2.2.0_master\/easy-rsa \/etc\/openvpn<\/pre>\n

Open \/etc\/openvpn\/easy-rsa\/2.0\/vars and change the line below:<\/p>\n

export KEY_CONFIG=`$EASY_RSA\/whichopensslcnf $EASY_RSA`<\/pre>\n

to:<\/p>\n

export KEY_CONFIG=\/etc\/openvpn\/easy-rsa\/2.0\/openssl-1.0.0.cnf<\/pre>\n

Save the changes. Create the certificate:<\/p>\n

cd \/etc\/openvpn\/easy-rsa\/2.0\r\nchmod 755 *\r\nsource .\/vars\r\n.\/vars\r\n.\/clean-all<\/pre>\n

Build CA:<\/p>\n

.\/build-ca<\/pre>\n

Build the server key:<\/p>\n

.\/build-key-server server<\/pre>\n

Build the Diffie-Hellman parameters:<\/p>\n

.\/build-dh<\/pre>\n

Generate the client keys:<\/p>\n

.\/build-key client1\r\n.\/build-key client2\r\n.\/build-key client3<\/pre>\n

Copy the server config file server.conf from \/usr\/share\/doc\/openvpn-2.3.1\/sample\/sample-config-files\/ to \/etc\/openvpn:<\/p>\n

cp \/usr\/share\/doc\/openvpn-2.3.1\/sample\/sample-config-files\/server.conf \/etc\/openvpn<\/pre>\n

Edit the file to suit your setup. For example, specify the paths to ca, cert and key, and push public DNS servers.
\nExample server config:<\/p>\n

port 1194\r\nproto udp\r\ndev tun\r\nca \/etc\/openvpn\/easy-rsa\/2.0\/keys\/ca.crt\r\ncert \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.crt\r\nkey \/etc\/openvpn\/easy-rsa\/2.0\/keys\/server.key\r\ndh \/etc\/openvpn\/easy-rsa\/2.0\/keys\/dh1024.pem\r\nserver 10.8.0.0 255.255.255.0\r\nifconfig-pool-persist ipp.txt\r\npush \"redirect-gateway def1 bypass-dhcp\"\r\npush \"dhcp-option DNS 8.8.8.8\"\r\npush \"dhcp-option DNS 8.8.4.4\"\r\nkeepalive 10 120\r\ncomp-lzo\r\npersist-key\r\npersist-tun\r\nstatus openvpn-status.log\r\nlog-append  \/var\/log\/openvpn.log\r\nverb 3<\/pre>\n

Save the client config file with the .ovpn extension.
\nDisable SELinux in \/etc\/selinux\/config by changing<\/p>\n

SELINUX=enforcing<\/pre>\n

to<\/p>\n

SELINUX=disabled<\/pre>\n

Now enable IP forwarding. Open the file \/etc\/sysctl.conf and change<\/p>\n

net.ipv4.ip_forward = 0<\/pre>\n

to<\/p>\n

net.ipv4.ip_forward = 1<\/pre>\n

Save the file, then apply the change with the command:<\/p>\n

sysctl -p<\/pre>\n

Configure \/etc\/sysconfig\/iptables.<\/p>\n

Please note that you should change eth0 to your actual network device; it can be eth1, or venet0 if on a VPS. Check your network devices with the ifconfig command.<\/p>\n

Sample config:\r\n\r\n# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013\r\n*filter\r\n:INPUT ACCEPT [0:0]\r\n:FORWARD ACCEPT [0:0]\r\n:OUTPUT ACCEPT [3:324]\r\n-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT\r\n-A INPUT -i eth0 -p gre -j ACCEPT\r\n-A FORWARD -i tun+ -o eth0 -j ACCEPT\r\n-A FORWARD -i eth0 -o tun+ -j ACCEPT\r\n-A INPUT -p icmp -j ACCEPT\r\n-A INPUT -i lo -j ACCEPT\r\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT\r\nCOMMIT\r\n# Completed on Thu Mar 28 11:52:05 2013\r\n# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013\r\n*nat\r\n:PREROUTING ACCEPT [6222:273716]\r\n:POSTROUTING ACCEPT [306:22159]\r\n:OUTPUT ACCEPT [306:22159]\r\n-A POSTROUTING -s 10.8.0.0\/24 -o eth0 -j MASQUERADE\r\nCOMMIT\r\n# Completed on Thu Mar 28 11:52:05 2013<\/pre>\n

Start OpenVPN:<\/p>\n

service openvpn start<\/pre>\n

Start OpenVPN at system startup:<\/p>\n

chkconfig openvpn on\r\nchkconfig iptables on<\/pre>\n

If OpenVPN fails to start, check whether tun\/tap is active:<\/p>\n

cat \/dev\/net\/tun<\/pre>\n

If output is:<\/p>\n

cat: \/dev\/net\/tun: File descriptor in bad state<\/pre>\n

then tun\/tap is active; look at\u00a0\/var\/log\/openvpn.log<\/i>\u00a0and\u00a0\/var\/log\/messages\/<\/i>
\nIf output is:<\/p>\n

cat: \/dev\/net\/tun: No such device<\/pre>\n

then try:<\/p>\n

mkdir -p \/dev\/net\r\nmknod \/dev\/net\/tun c 10 200\r\nchmod 600 \/dev\/net\/tun<\/pre>\n

Download the client files from \/etc\/openvpn\/easy-rsa\/2.0\/keys\/ and upload them to the OpenVPN directory on the client machine. The OpenVPN client is available on the official site\u00a0http:\/\/openvpn.net\/index.php\/<\/a><\/p>\n

How to configure OpenVPN client on Windows<\/a><\/p>\n

How to configure OpenVPN client on Android<\/a><\/p>\n

OpenVPN 2.3.1 Centos 6<\/p>\n

This guide should be applicable to OpenVPN 2.3.x on CentOS 6.<\/p>\n","protected":false},"excerpt":{"rendered":"

It is recommended to install epel repository first Make sure you have these packages installed: yum install gcc make rpm-build…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[37],"tags":[],"class_list":["post-247","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/posts\/247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/comments?post=247"}],"version-history":[{"count":0,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/posts\/247\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/media?parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/categories?post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ookangzheng.com\/wp-json\/wp\/v2\/tags?post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}