imported>Admin: uma edição

2020-08-08T03:11:07Z

uma edição

← Edição anterior		Edição das 03h11min de 8 de agosto de 2020
(Sem diferença)

2532252>Jefferson em 16h47min de 22 de abril de 2015

2015-04-22T16:47:29Z

Página nova

How to install OpenVPN 2.3.1 on Centos 6 
 

Tested: OpenVPN 2.3.2 and OpebVPN 2.3.2 on Centos 6 VPS.

Current guide should be applicable for openvpn 2.3 and higher.

>>[https://billing.vpsget.com/cart.php?a=add&pid=17 '''Get OpenVPN Ready2Go VPS. $5.95 p/m] 512RAM,20GB SAS,2Tb, Netherlands, EU'''
remember to enable TUN/TAP in SolusVM CP after you got access.

It is recommended to install [http://wiki.vpsget.com/index.php/Epel_centos epel repository] first 

Make sure you have these packages installed:
<pre>
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
</pre>
Download LZO RPM
<pre>
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
</pre>
Download RPMForge Repo 
x64
<pre>
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
</pre>
x32
<pre>
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
</pre>
<pre>
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*
</pre>
Install openvpn
<pre>
yum install openvpn
</pre>
From the version 2.3 easy-rsa is an independent project so it has to be downloaded separately, for example like this:
<pre>
cd
wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
cd easy-rsa-2.2.0_master
cp -R easy-rsa /etc/openvpn/
</pre>
Open up /etc/openvpn/easy-rsa/2.0/vars and change the below line:
<pre>
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
</pre>
to:
<pre>
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
</pre>
And save changes.
Create the certificate:
<pre>
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
</pre>
Build CA:
<pre>
./build-ca
</pre>
Build key server:
<pre>
./build-key-server server
</pre>
Build Diffie Hellman
<pre>
./build-dh
</pre>
Generate clients
<pre>
./build-key client1
./build-key client2
./build-key client3
</pre>
Copy server config file server.conf
for openvpn-2.3.1
<pre>
cp /usr/share/doc/openvpn-2.3.1/sample/sample-config-files/server.conf /etc/openvpn
</pre>
for openvpn-2.3.2
<pre>
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn
</pre>
Edit the file to get proper configuration. For example, specify path to ca, cert, key, and push public DNS 
Example server config:
<pre>
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 3
</pre>
Save client config file with .ovpn extention 
Disable SELinux in /etc/selinux/config by changing
<pre>
SELINUX=enforcing
</pre>
to
<pre>
SELINUX=disabled
</pre>
Now enable IP forwarding. Open the file /etc/sysctl.conf and change
<pre>
net.ipv4.ip_forward = 0
</pre>
to
<pre>
net.ipv4.ip_forward = 1
</pre>
Save changes using command:
<pre>
sysctl -p
</pre>
Configure /etc/sysconfig/iptables.

Please note that you should change eth0 to your proper network device , it can be eth1 or venet0 if on vps . just check your network devices with ifconfig command.

Sample config:
<pre>
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:324]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Mar 28 11:52:05 2013
# Generated by iptables-save v1.4.7 on Thu Mar 28 11:52:05 2013
*nat
:PREROUTING ACCEPT [6222:273716]
:POSTROUTING ACCEPT [306:22159]
:OUTPUT ACCEPT [306:22159]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Mar 28 11:52:05 2013
</pre>
Start openvpn
<pre>
service openvpn start
</pre>

start openvpn at system startup

chkconfig openvpn on
chkconfig iptables on

If OpenVPN fails to start check if tun/tap in active:
cat /dev/net/tun
If output is:
cat: /dev/net/tun: File descriptor in bad state
than tun/tap in active, look ''/var/log/openvpn.log'' and ''/var/log/messages/'' 
If output is:
cat: /dev/net/tun: No such device
than try:
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun

Download client files from /etc/openvpn/easy-rsa/2.0/keys/
Upload these files to OpenVPN directory on client machine.
OpenVPN client is available on official site http://openvpn.net/index.php/ ""

[http://wiki.vpsget.com/index.php/Configure_OpenVPN_client_on_Windows How to configure OpenVPN client on Windows]

[http://wiki.vpsget.com/index.php/Configure_OpenVPN_client_on_Android How to configure OpenVPN client on Android]

OpenVPN 2.3.1 Centos 6

This guide should be applicable for the openvpn 2.3.x on centos 6.

*Add user (cert) to existent OpenVPN users DB:

You simply should source the vars before creating the key . Use one of the next ways:
". vars"
or
". ./vars"
or
"source ./vars"

After that you can build key for new user:
./build-key client_new

Also refer to [http://wiki.vpsget.com/index.php/Forward_(redirect/nat)_traffic_with_iptables this guide] if you would like to install double vpn

-----

[[Category:LINUX]]
[[Category: TI]]

OpenVPN 2.3.1 on Centos 6 - Histórico de revisão

imported>Admin: uma edição

2532252>Jefferson em 16h47min de 22 de abril de 2015