How to install OpenVPN on CentOS

Description: In this tutorial we'll guide you step by step through installing OpenVPN on CentOS 5 and 6.

Follow the steps below for easy installation.

Step 1:

The first step is to check whether TUN/TAP is active. To check the status of TUN/TAP, run:

cat /dev/net/tun

If TUN/TAP is active you will see: "cat: /dev/net/tun: File descriptor in bad state".

Step 2:

Now verify that the build dependencies are installed (this command installs any that are missing):

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Download LZO RPM and Configure RPMForge Repo:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

For CentOS 5 32 bit:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm

For CentOS 6 32 bit:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm

For CentOS 5 64 bit:

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm

For CentOS 6 64 bit:

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Step 3:

Now build and install these RPM packages by running these commands:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm

rpm -Uvh lzo-*.rpm

rpm -Uvh rpmforge-release*

Step 4:

Now install the OpenVPN package by giving this command:

yum install openvpn -y

Step 5:

Now copy the easy-rsa folder to /etc/openvpn/:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

If you get an error after this command like:

cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/': No such file or directory

this means easy-rsa is no longer bundled with the new OpenVPN build 2.3.1, so you need to add it manually with this command:

wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Extract it with this command and then copy the easy-rsa folder to /etc/openvpn/ (the extracted directory name is assumed to match the archive name; adjust the path if yours differs):

tar -zxvf easy-rsa-2.2.0_master.tar.gz

cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/

For CentOS 6, make sure you make this change in /etc/openvpn/easy-rsa/2.0/vars before running the commands in the next step:

Change:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

To:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

and save the file.

Step 6:

After this we need to create the certificates. Change into the easy-rsa directory:

cd /etc/openvpn/easy-rsa/2.0

and make the scripts executable with chmod 755 *

Run these commands step by step:

source ./vars

./vars

./clean-all

Now build the Certificate Authority:

./build-ca

Fill in the required fields prompted on the screen:

Country Name: may be filled or press enter

State or Province Name: may be filled or press enter

City: may be filled or press enter

Org Name: may be filled or press enter

Org Unit Name: may be filled or press enter

Common Name: your server hostname

Email Address: may be filled or press enter

Now build the server key:

./build-key-server server

This is almost the same as ./build-ca, but pay attention to the additional prompts:

Common Name: server

A challenge password: leave blank

Optional company name: fill or enter

sign the certificate: y

1 out of 1 certificate requests: y

After it finishes, build the Diffie-Hellman parameters:

./build-dh

Step 7:

Now create the configuration file /etc/openvpn/server.conf (for example with touch /etc/openvpn/server.conf), open it and enter the following:

port 1194 #- port

proto udp #- protocol

dev tun

tun-mtu 1500

tun-mtu-extra 32

mssfix 1450

reneg-sec 0

ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt

cert /etc/openvpn/easy-rsa/2.0/keys/server.crt

key /etc/openvpn/easy-rsa/2.0/keys/server.key

dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS

#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS

client-cert-not-required

username-as-common-name

server 10.8.0.0 255.255.255.0

push "redirect-gateway def1"

push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"

keepalive 5 30

comp-lzo

persist-key

persist-tun

status 1194.log

verb 3

Now save the file.
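As an added example (not part of the tutorial), this POSIX shell script audits a server.conf like the one above and lists the settings a security reviewer would revisit before putting the server into service. The sample configuration it writes is a constructed, trimmed copy of the file above; the check names and their wording are assumptions of this example, not OpenVPN output.

```shell
# Added example, not part of the tutorial: audit a server.conf produced by
# the steps above and list the settings a reviewer would want to revisit.

# Constructed sample: the tutorial's server.conf, trimmed to the relevant lines.
write_sample_conf() {
  cat > "$1" <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
comp-lzo
verb 3
EOF
}

# Print one finding per line. Trailing "#- ..." comments and commented-out
# lines are stripped first, so the disabled RADIUS plugin line is not counted.
audit_openvpn_conf() {
  body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1")
  has() { printf '%s\n' "$body" | grep -qE "$1"; }
  has '^client-cert-not-required' &&
    echo "WARN client-cert-not-required: clients need only a password, no certificate"
  has '^dh .*dh1024' &&
    echo "WARN dh1024: 1024-bit Diffie-Hellman parameters; build 2048-bit or larger"
  has '^comp-lzo' &&
    echo "WARN comp-lzo: tunnel compression is enabled; newer releases deprecate it"
  has '^(tls-auth|tls-crypt) ' ||
    echo "INFO no tls-auth/tls-crypt: control channel has no pre-shared HMAC key"
  n=$(printf '%s\n' "$body" | grep -c '^plugin ' || true)
  [ "$n" -gt 1 ] &&
    echo "ERR $n active plugin lines; keep only the PAM or only the RADIUS plugin"
  return 0
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
audit_openvpn_conf "$sample"
rm -f "$sample"
```

Point the function at the real /etc/openvpn/server.conf to check the file you just saved.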

Step 8:

Now disable SELinux if it is enabled, because it causes problems starting OpenVPN, especially when OpenVPN runs with multiple configs. Run this command:

echo 0 > /selinux/enforce

The command above only lasts until the next reboot. To disable SELinux permanently, edit /etc/selinux/config and change:

SELINUX=enforcing

To:

SELINUX=disabled

Now SELinux stays disabled after a reboot.

Restart OpenVPN by typing:

service openvpn restart

If you receive the error "FAIL" after entering the above command, check your logs for the cause.

The error occurs because the PAM auth plugin is not included in the OpenVPN package; you can download it manually. To check the error:

tail -f /var/log/messages

The error is like this:

PLUGIN_INIT: could not load plugin shared object /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so: cannot open shared object file: No such file or directory

Step 1:

If you get the error mentioned above, download the archive containing the PAM auth plugin:

For 64 bit CentOS:

wget http://vpn.techinfozone.net/64bit-openvpn-auth-pam.zip

For 32bit CentOS:

wget http://vpn.techinfozone.net/32bit-openvpn-auth-pam.zip

Then extract it with unzip (e.g. unzip 64bit-openvpn-auth-pam.zip).

Step 2:

Now move the plugin into the OpenVPN directory:

mv openvpn-auth-pam.so /etc/openvpn/openvpn-auth-pam.so

Step 3:

Now replace the PAM plugin line in server.conf with:

plugin /etc/openvpn/openvpn-auth-pam.so /etc/pam.d/login

Step 4:

Now it will work after a restart:

killall -9 openvpn

service openvpn restart

Step 9:

Enable IP forwarding by opening /etc/sysctl.conf and setting net.ipv4.ip_forward to 1:

net.ipv4.ip_forward = 1

sysctl -p

Run the above command to apply the change.

Step 10:

Set the iptables NAT rules (replace 123.123.123.123 with your server's public IP):

For Xen or KVM based VPS:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

For OpenVZ, the iptables rules are:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

If you run CSF on the server, you need to open port 1194 for OpenVPN. Run the following commands; adding them to /etc/csf/csfpre.sh is also a good idea.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

iptables -A FORWARD -j REJECT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

If your cPanel server does not work correctly after the above commands or has other issues, remove those rules and use the ones below instead:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT

Here 123.123.123.123 is the main server IP.

To save the iptables rules, run:

service iptables save

Setup FreeRADIUS Plugin:

This time we are going to set up OpenVPN to authenticate against FreeRADIUS on CentOS. First install the build dependencies:

yum install libgcrypt libgcrypt-devel gcc-c++

Now we need to grab the Radius Plugin:

wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz

Untar it:

tar xvfz radiusplugin_v2.1a_beta1.tar.gz

Move to its directory:

cd radiusplugin_v2.1a_beta1/

Compile it:

make

The output will be a single radiusplugin.so file. Now move the .so file and the .cnf file to the proper OpenVPN directory like so:

cp radiusplugin.so /etc/openvpn/
cp radiusplugin.cnf /etc/openvpn/

First, edit the radiusplugin.cnf file. Focus on the "server" section and ensure that the details are correct:

server
{
        # The UDP port for radius accounting.
        acctport=1813
        # The UDP port for radius authentication.
        authport=1812
        # The name or ip address of the radius server.
        name=YOUR RADIUS SERVER IP
        # How many times should the plugin resend the request if there is no response?
        retry=1
        # How long should the plugin wait for a response?
        wait=1
        # The shared secret.
        sharedsecret=YOUR RADIUS SERVER SECRET
}

Make sure these entries are correct. Now let's edit the OpenVPN server config file (server.conf) and add the following line:

plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf

IMPORTANT, MAKE SURE NO OTHER PLUGIN LINE IS IN THE CONFIG FILE, THE ONLY PLUGIN SHOULD BE THE ONE ABOVE, REMOVE PAM PLUGIN IF PRESENT AND REPLACE WITH THE RADIUS PLUGIN LINE ABOVE.

Now restart OpenVPN in the following way:

service openvpn restart

or

/etc/init.d/openvpn restart

If your config is still not working, try this:

killall -9 openvpn
service openvpn restart

or

/etc/init.d/openvpn restart

Now try logging in with a username/password pair that is defined in FreeRADIUS.

Thanks to Safesrv.net
