Install OpenVPN Server on CentOS 5.4

There are many guys asking me how to install OpenVPN on CentOS 5.2/5.4. I have a server with that system (minimal installation) exactly and I cannot find an all correct guide for this setup step. So I decide to write this post.

You cannot count on the post to explain what OpenVPN is. But if you just require a simple guide for installation, you’ve got it.

Preparation:

1 A server running with CentOS 5.2/5.4. I don’t know which services you’ve installed, so I have to install all necessary components by bash command. You can skip that command if you know that is installed.
2 A KVM, an SSH client or another way to connect to your server.
3 You must know how to use tool vi to edit file.

Setup guide:

All blue texts should be typed into bash command line, and press Enter after each command. All black texts are just commit. Read them as you wish.

Install some tools.

yum install -y wget Install a tool for downloading packages.
yum install -y iptables Install the controller for inputting firewall rules.

Configure yum to install OpenVPN

yum install -y yum-priorities Let your yum to install more packages.
cd /tmp
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm for x86 (32bit) only
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm for x64 (64bit) only
rpm -i rpmforge-release-0.5.1-1.el5.rf.*.rpm
yum check-update

Install OpenVPN

yum install -y openvpn

Configure OpenVPN Server

cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
. ../vars There is a space between the 1st and 2nd dot.
chmod +rwx *
source ./vars
vi ../vars Modify the last several lines of this file to match your location and org name.
vi vars Modify the last several lines of this file to match your location and org name.
./build-ca Input your location and org name.
source ./vars
./clean-all
./build-ca Always press enter directly. You can verify your infomation in this step.
./build-key-server server Answer y twice for the 2 questions in the end, press enter directly for others.

Configure OpenVPN Setting. Following this post, you will get a server running at port 1194 with UDP protocol, and the sub network for VPN clients is 10.0.0.0/24. You can modify this document with the rest commands synchronously.

vi /etc/openvpn/openvpn.conf Create setting file.

Type all green text below to the edit form of vi.

port 1194 Use port 1194.
proto udp Use udp protocol. You can change this into tcp as you wish. It seems that udp is faster. Tcp can be used when you are using a udp banned network.
dev tun Mode. You can choose tun or tap. I don’t wanna explain this.
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.0.0.0 255.255.255.0 Sub network for VPN clients
push "dhcp-option DNS 208.67.222.222" Use DNS of OpenDNS.
push "dhcp-option DNS 208.67.220.220" Use DNS of OpenDNS.
push "redirect-gateway" Let all traffic from client to go though with this VPN server. Remove this line if you don’t want it.
ifconfig-pool-persist ipp.txt Let OpenVPN server to record the last used IP for each client, which allows client to use the same IP when reconnected.
keepalive 10 120
comp-lzo Enable compression for saving bandwidth.
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client Allow clients to communicate with each others. Remove this line if you dont’t want it.

Save this file.

cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh This may take a while.
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start Service starts!
chkconfig --list | grep vpn

Create key for each client.

The working folder is /etc/openvpn/easy-rsa/2.0 and you can verify it by typing pwd if you like. If it’s not, type cd /etc/openvpn/easy-rsa/2.0 to change it. Run source ./vars if needed.

Run this command for each client.
./build-key <client name> Answer y twice for the 2 questions in the end, press enter directly for others. Change <client name> to client name.

Final steps and add some firewall rules

service iptables start Start the iptables service.
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT Allow udp datagrams to be received from port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A OUTPUT -o eth0 -p udp --dport 1194 -j ACCEPT Allow udp datagrams to be sent from port 1194 of your nic eth0. Notice that there are 2 hyphens before dport.
iptables -A INPUT -i tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -A OUTPUT -o tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -A FORWARD -o tun0 -j ACCEPT Allow traffic from OpenVPN nic tun0. Change it to tap0 if you use tap mode in server configuration.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE Enable NAT.
/etc/init.d/iptables save Save iptables’ rules.
/etc/init.d/iptables restart Restart iptables service.
chkconfig iptables on Let iptables be started automatically.
chkconfig openvpn on So is openvpn.
vi /etc/sysctl.conf

Find a line with text net.ipv4.ip_forward = 0, change it into net.ipv4.ip_forward = 1, and save this file.

You’ve finished the configuration of server. Please restart it.

shutdown -r now

All certifications and key files can be found at /etc/openvpn/easy-rsa/2.0/keys. You should download ca.crt, <client name>.key and <client name>.crt to each client computer.

I’ll go on to create an OpenVPN client in Windows for example.

Download and install OpenVPN Windows Version.

Copy ca.crt, <client name>.key and <client name>.crt to its config folder (c:\Program Files (x86)\OpenVPN\config\ or c:\Program Files\OpenVPN\config\ by default). You can create a sub folder for each server to make it possible to connect to many servers, not at the same time.

Create a text file with extension “ovpn” in the folder which contains these 3 files with all green text below.

client
dev tun
proto udp
remote
<your server name or ip address> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert
<client name>.crt
key
<client name>.key
ns-cert-type server
comp-lzo
verb 3

Save this file.

Start OpenVPN Client, right click the icon in the system tray and connect the server. If you are running Windows Vista / 7 or Windows Server 2008 / 2008 R2, you have to run this program as administrator coz Route.exe which will be run by OpenVPN need this.

I hope you get it though.
BTW, if you are using fedora, you may wanna check this post, which contains more commands to adjust firewall.

For CentOS 6.0: iptables’ commands need to be adjust. See your iptables configuration file for detail information.

19 thoughts on “Install OpenVPN Server on CentOS 5.4

  1. Thanks so much for this guide!

    ive got right to the end, all is fully working… apart from the iptables commands are not affecting my iptables. Im connected through openvpn, i can log onto the server and cpanels, but i cant access outside internet, would you mind posting your actual iptables, so that i can copy and paste them into mine?

    thank you 🙂 🙂

  2. Hey yes all sorted now thanks, the command was different for me, i needed to run:

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -j SNAT –to-source **SERVER IP**

  3. hello, i need some help for open vpn configuration.

    * i need first time 2 user (user & password with bind static/dedicated IP to each vpn user ).
    * i want to add more users in future.
    * i don’t know what is password authentication or certificate authentication? but i need vpn user & password for vpn user.
    * i want to statically bind IP to each vpn user.

    i have vps with 13 ip block for statically bind IP to each vpn user Like 184.22.162.171/28

    1. I’m sorry that this step cannot provide you a way to bind each client to a public ip address. It based on a NAT solution, which means all client use a same public ip address, just like all people work together.
      I hope you can find some other article to bring it out.

  4. hello sir,
    i’m done setting my vps with openvpn.
    i also successful connect with openvpn GUI. the problem is, i only can ping my vps IP. i unable to surf outside of my IP.
    really need some advice. 24hour searching this problem but i unable to solve it.

    thank you

    1. Check:
      1 Server side: net.ipv4.ip_forward should be 1 in file /etc/sysctl.conf
      2 Client side: there should be a route record for your target ip, to route that ip package to your openvpn server.

  5. Thanks for this posting………..

    Now I am able to connect through OpenVPN.
    Previously I face problem with Net Connectivety in my System . Now I have solved that problem.

  6. Thanks For your Post…….
    Now I have successfully Install OpenVPN on my server and I am able to connect through OpenVPN Client.
    Previously I have face problem with net connectivety But Now I have solve that problem.

  7. Hi i was wondering if you could help me opening udp port 1194 on centos(kvm) because i tryed many tutorial but the port is still closed :\ thanks

    1. try to run this command after starting openvpn to check whether your udp port is enabled:
      netstat -a -p UDP -b
      you can use grep to find your port.

  8. hello great tutorial, but I am having a bit of trouble.I am able to connect to VPN, but not able to get internet traffic.

    my client,server and iptables conf are below.can I please get some help?

    client

    [code]
    # Specify that we are a client and that we
    # will be pulling certain config file directives
    # from the server.
    client

    # Use the same setting as you are using on
    # the server.
    # On most systems, the VPN will not function
    # unless you partially or fully disable
    # the firewall for the TUN/TAP interface.
    ;dev tap
    dev tun

    # Windows needs the TAP-Win32 adapter name
    # from the Network Connections panel
    # if you have more than one. On XP SP2,
    # you may need to disable the firewall
    # for the TAP adapter.
    ;dev-node MyTap

    # Are we connecting to a TCP or
    # UDP server? Use the same setting as
    # on the server.
    ;proto tcp
    proto udp

    # The hostname/IP and port of the server.
    # You can have multiple remote entries
    # to load balance between the servers.
    remote 209.159.145.196 1194
    ;remote my-server-2 1194

    # Choose a random host from the remote
    # list for load-balancing. Otherwise
    # try hosts in the order specified.
    ;remote-random

    # Keep trying indefinitely to resolve the
    # host name of the OpenVPN server. Very useful
    # on machines which are not permanently connected
    # to the internet such as laptops.
    resolv-retry infinite

    # Most clients don’t need to bind to
    # a specific local port number.
    nobind

    # Downgrade privileges after initialization (non-Windows only)
    ;user nobody
    ;group nobody

    # Try to preserve some state across restarts.
    persist-key
    persist-tun

    # If you are connecting through an
    # HTTP proxy to reach the actual OpenVPN
    # server, put the proxy server/IP and
    # port number here. See the man page
    # if your proxy server requires
    # authentication.
    ;http-proxy-retry # retry on connection failures
    ;http-proxy [proxy server] [proxy port #]

    # Wireless networks often produce a lot
    # of duplicate packets. Set this flag
    # to silence duplicate packet warnings.
    ;mute-replay-warnings

    # SSL/TLS parms.
    # See the server config file for more
    # description. It’s best to use
    # a separate .crt/.key file pair
    # for each client. A single ca
    # file can be used for all clients.
    ca ca.crt
    cert client.crt
    key client.key

    # Verify server certificate by checking
    # that the certicate has the nsCertType
    # field set to “server”. This is an
    # important precaution to protect against
    # a potential attack discussed here:
    # http://openvpn.net/howto.html#mitm
    #
    # To use this feature, you will need to generate
    # your server certificates with the nsCertType
    # field set to “server”. The build-key-server
    # script in the easy-rsa folder will do this.
    ns-cert-type server

    # If a tls-auth key is used on the server
    # then every client must also have the key.
    ;tls-auth ta.key 1

    # Select a cryptographic cipher.
    # If the cipher option is used on the server
    # then you must also specify it here.
    ;cipher x

    # Enable compression on the VPN link.
    # Don’t enable this unless it is also
    # enabled in the server config file.
    comp-lzo

    # Set log file verbosity.
    verb 3

    # Silence repeating messages
    ;mute 20

    [/code]

    Server

    [code]

    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    server 10.8.0.0 255.255.255.0
    push “dhcp-option DNS 208.67.222.222”
    push “dhcp-option DNS 208.67.220.220”
    push “redirect-gateway”
    ifconfig-pool-persist ipp.txt
    keepalive 10 120
    comp-lzo
    user nobody
    group users
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3
    #client-to-client Allow clien

    [/code]

    iptables

    [code]

    # Generated by iptables-save v1.4.7 on Fri Jun 21 00:06:12 2013
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10068:1274085]
    -A INPUT -p udp -m udp –dport 20 -j ACCEPT
    -A INPUT -p udp -m udp –dport 21 -j ACCEPT
    -A INPUT -p udp -m udp –dport 53 -j ACCEPT
    -A INPUT -p udp -m udp –dport 1194 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 1194 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 20000 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 10000 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 995 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 20 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 587 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
    -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i tun0 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
    -A INPUT -j REJECT –reject-with icmp-host-prohibited
    -A FORWARD -j REJECT –reject-with icmp-host-prohibited
    -A FORWARD -o tun0 -j ACCEPT
    -A OUTPUT -o tun0 -j ACCEPT
    COMMIT
    # Completed on Fri Jun 21 00:06:12 2013
    # Generated by iptables-save v1.4.7 on Fri Jun 21 00:06:12 2013
    *nat
    :PREROUTING ACCEPT [5:294]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    -A POSTROUTING -s 10.8.0.0/24 -j SNAT –to-source 209.159.145.196
    COMMIT
    # Completed on Fri Jun 21 00:06:12 2013

    [/code]

    1. vi /etc/sysctl.conf

      Find a line with text net.ipv4.ip_forward = 0, change it into net.ipv4.ip_forward = 1, and save this file.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.