centos-6

-----

Install and Configure an OpenVPN Server on CentOS 6

This guide will provide you with all the steps necessary to install a simple OpenVPN server on CentOS 6.

First, log in to the SolusVM control panel for your VPS and enable TUN/TAP from the settings menu.

Now, SSH into your VPS, where you'll need to install the Extra Packages for Enterprise Linux (EPEL) repository:

yum install -y epel-release

Then install OpenVPN:

yum install -y openvpn easy-rsa

Copy the sample config so it is easier to edit:

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Open the config file to edit with the required settings:

vi /etc/openvpn/server.conf

- To enable editing in vi, just hit the "i" key on your keyboard.

Find this line and uncomment it by removing the ; at the beginning of the line:

push "redirect-gateway def1 bypass-dhcp"

Now scroll down a bit to uncomment these lines:

push "dhcp-option DNS 208.67.222.222"

push "dhcp-option DNS 208.67.220.220"

Then scroll down further to uncomment these lines:

user nobody

group nobody

Once the edits are done, save the file and exit vi.

- To save and exit in vi, just hit the "ESC" key on your keyboard to exit editing mode, then type ":x" (without quotes) and hit enter.

Generate RSA Keys and Certificates Using easy-rsa

OpenVPN authenticates clients with keys and certificates. Create the easy-rsa working directory and copy the easy-rsa scripts into it:

mkdir -p /etc/openvpn/easy-rsa/keys
cp -r /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

Copy the OpenSSL configuration file to the easy-rsa folder:

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

Now we'll build the CA and the server key/certificate. You will be prompted for various pieces of information; fill them in as you see fit.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca
./build-key-server server

Then generate the Diffie-Hellman parameters and copy the files the server needs into /etc/openvpn:

./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn

Now create the client certificate so that clients can authenticate with the server:

cd /etc/openvpn/easy-rsa

./build-key client

Configuring iptables and sysctl:

Now configure iptables and sysctl so that traffic from the VPN subnet (10.8.0.0/24) is forwarded and NAT'd out of eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 104.168.100.156

iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

service iptables save

Enable IP forwarding:

vi /etc/sysctl.conf

Find the net.ipv4.ip_forward line and set it to 1. The line must not start with #, otherwise it is a comment and sysctl ignores it:

net.ipv4.ip_forward = 1

Apply the sysctl settings, start OpenVPN, and set it to start on boot:

sysctl -p

service openvpn start

chkconfig openvpn on
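The steps above leave three things that are easy to get wrong and that fail silently: an ip_forward line that is still commented out, the "user nobody"/"group nobody" privilege drop still disabled in server.conf, and a server.key that other local users can read. The pre-flight script below is an added example, not part of the original guide. It checks those points against a server.conf and a sysctl.conf (both paths are arguments, so it can also be run against copies), verifies that the files named by the ca, cert, key and dh directives exist, and returns the number of problems found. It assumes GNU stat and that relative paths in server.conf resolve against the directory containing it, which is how OpenVPN resolves them when the init script starts it from /etc/openvpn.

```shell
#!/bin/sh
# Pre-flight check for an OpenVPN server set up as described above.
# Added example, not part of the original guide. It assumes the guide's
# default locations (/etc/openvpn/server.conf and /etc/sysctl.conf) but
# takes both as arguments, so it can be run against copies. Uses GNU stat.

# ip_forward_enabled SYSCTL_CONF
#   Succeeds only if the file contains an active "net.ipv4.ip_forward = 1".
#   "# net.ipv4.ip_forward = 1" is still a comment: sysctl -p ignores it and
#   clients connect but get no Internet access.
ip_forward_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# conf_has CONF DIRECTIVE
#   Succeeds if DIRECTIVE is an active line of CONF; a leading ';' or '#'
#   (as in the shipped sample config) leaves it disabled.
conf_has() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# conf_file CONF DIRECTIVE
#   Prints the path given to a file directive (ca, cert, key, dh). A relative
#   path is resolved against CONF's directory, which is how OpenVPN resolves
#   it when the init script starts it from /etc/openvpn.
conf_file() {
    f=$(awk -v d="$2" '$1 == d { print $2; exit }' "$1")
    [ -n "$f" ] || return 1
    case "$f" in /*) echo "$f" ;; *) echo "$(dirname "$1")/$f" ;; esac
}

# key_mode_ok FILE
#   Succeeds only if FILE is readable by its owner alone (mode 0600 or 0400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# check_server CONF SYSCTL_CONF
#   Runs every check, prints one FAIL line per finding and returns the
#   number of findings, so an exit status of 0 means the server passes.
check_server() {
    conf=$1; sysctl_conf=$2; problems=0
    ip_forward_enabled "$sysctl_conf" || {
        echo "FAIL: no active 'net.ipv4.ip_forward = 1' in $sysctl_conf"
        problems=$((problems + 1)); }
    for d in 'user nobody' 'group nobody' 'push "redirect-gateway'; do
        conf_has "$conf" "$d" || {
            echo "FAIL: '$d' is missing or commented out in $conf"
            problems=$((problems + 1)); }
    done
    for d in ca cert key dh; do
        path=$(conf_file "$conf" "$d") || {
            echo "FAIL: no '$d' directive in $conf"; problems=$((problems + 1)); continue; }
        [ -f "$path" ] || { echo "FAIL: $d file $path not found"; problems=$((problems + 1)); }
    done
    keyfile=$(conf_file "$conf" key) && [ -f "$keyfile" ] && ! key_mode_ok "$keyfile" && {
        echo "FAIL: $keyfile is group/world readable; run chmod 600 $keyfile"
        problems=$((problems + 1)); }
    return "$problems"
}

# Run against the live server only when invoked with --run, so the functions
# can also be sourced from another script without side effects.
[ "${1-}" = "--run" ] && check_server /etc/openvpn/server.conf /etc/sysctl.conf
```

Run it as root after "sysctl -p" with "sh openvpn-preflight.sh --run" (the file name is an assumption); a non-zero exit status and the FAIL lines tell you what to fix before starting the service.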

OpenVPN Client for Windows

With your OpenVPN server now online, you'll need to configure your OpenVPN client. You can download it here:

https://openvpn.net/index.php/open-source/downloads.html

First, locate the certificate and key files on your server. They are in this directory:

/etc/openvpn/easy-rsa/keys/

These are the files you need:

ca.crt

client.crt

client.key

You will need to paste the contents of each file in the next step. To view a file, use the command "vi filename".

Now create a file on your computer named "client.ovpn" and fill in the following:

- "client" is the name of the user (from when you created the key/certificate)

- replace x.x.x.x with your BeastNode VPS IP

- paste the entire contents of each crt and key file from above as specified in the config

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
Contents of ca.crt
</ca>
<cert>
Contents of client.crt
</cert>
<key>
Contents of client.key
</key>

Now all you need to do to connect to your VPN is to go into the OpenVPN client and do the following:

1. Click on the + (plus) symbol next to "Connection Profiles", select "Local file", click on Import, and navigate to the client.ovpn file you made previously.

2. Enter your desired name for the profile and make sure "Completely trust this profile" is checked, then click Save.

3. You should see the newly added profile in the client window - simply click on it to connect to your VPN and you're all done!

-----

OpenVPN Server On CentOS 6.5

To enable the EPEL repository on CentOS, refer to the following link.

Also, update the system using the following command:

yum update

Install OpenVPN Software

Install the OpenVPN software using the following command:

yum install openvpn easy-rsa

The easy-rsa scripts are located by default in the /usr/share/easy-rsa/ directory. Make a directory easy-rsa/keys inside /etc/openvpn and copy the scripts there as shown below:

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/

Generate CA Certificate and CA key

Edit the file /etc/openvpn/easy-rsa/vars:

vi /etc/openvpn/easy-rsa/vars

and change the values to match your country, state, city, e-mail address and so on:

[...]
# Don't leave any of these fields blank.
export KEY_COUNTRY="IN"
export KEY_PROVINCE="TN"
export KEY_CITY="Erode"
export KEY_ORG="Unixmen"
export KEY_EMAIL="sk@unixmen.com"
export KEY_OU="server"
[...]

Go to the openvpn/easy-rsa directory:

cd /etc/openvpn/easy-rsa/

Enter the following commands one by one to initialize the certificate authority:

cp openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all

Then, run the following command to generate the CA certificate and key:

./build-ca

Sample output:

Generating a 2048 bit RSA private key
......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [Unixmen CA]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

We have now generated the CA certificate and key. Next, create the server certificate and key using the following command:

./build-key-server server

Sample output:

Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [server]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'TN'
localityName          :PRINTABLE:'Erode'
organizationName      :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter

1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated

Create a certificate and key for the VPN client using the following command:

./build-key client

If you want to create certificate and key files for several clients, replace the client parameter with a unique identifier for each one.

Sample output:

Generating a 2048 bit RSA private key
.......+++
..................................................................................................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]: ----> Press Enter
State or Province Name (full name) [TN]: ----> Press Enter
Locality Name (eg, city) [Erode]: ----> Press Enter
Organization Name (eg, company) [Unixmen]: ----> Press Enter
Organizational Unit Name (eg, section) [server]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [client]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [sk@unixmen.com]: ----> Press Enter

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'IN'
stateOrProvinceName   :PRINTABLE:'TN'
localityName          :PRINTABLE:'Erode'
organizationName      :PRINTABLE:'Unixmen'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'sk@unixmen.com'
Certificate is to be certified until Mar 23 12:23:44 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter

1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated

Generate Diffie Hellman Parameter

Enter the following command to generate the DH parameters:

./build-dh

Sample output:

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

The keys and certificates are generated in the /etc/openvpn/easy-rsa/keys/ directory. Go to that directory and copy the files the server needs to /etc/openvpn/:

cd /etc/openvpn/easy-rsa/keys/
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

Then you must copy each client's certificate and key to that remote VPN client so it can authenticate to the VPN server. In our case we generated a certificate and key for only one client, so we have to copy the following files to it.

As I mentioned before, I have another system running CentOS 6.5 that acts as my VPN client. Make sure the openvpn package is installed on your client systems, then copy the files to your VPN client system using the following command:

scp ca.crt client.crt client.key root@192.168.1.101:/etc/openvpn

Copy the keys with caution. If anyone gets hold of the keys, they can easily intrude and get full access to your virtual private network.

Remove Client access to VPN server

If you want to remove a user's access to the VPN server, enter the following commands (the vars file and revoke-full script live in /etc/openvpn/easy-rsa, where we copied them earlier):

cd /etc/openvpn/easy-rsa
. ./vars
./revoke-full client

The above commands revoke the certificate of the user named client. The final "error 23 ... certificate revoked" line printed by revoke-full is the verification step confirming that the revocation worked. revoke-full writes the updated certificate revocation list to /etc/openvpn/easy-rsa/keys/crl.pem; the server only rejects revoked certificates if server.conf points at that list with a crl-verify directive, so copy crl.pem to /etc/openvpn and add the line crl-verify crl.pem to server.conf.

Configuring VPN Server

Now we have to configure our VPN server. Copy the sample server.conf file to the /etc/openvpn/ directory.

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/

Edit file server.conf,

vi /etc/openvpn/server.conf

Find and uncomment the following lines to route the client systems' traffic through the OpenVPN server.

[...]
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh2048.pem
[...]
push "redirect-gateway def1 bypass-dhcp"
[...]

Also, uncomment and change the DNS servers to reflect your own DNS values. Here I am using Google's public DNS servers.

[...]
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
[...]

Uncomment the following lines:

[...]
user nobody
group nobody
[...]

Save and close the file.

Then we need to copy and edit the client.conf file, which will be transferred to the VPN clients. First copy it to any location (e.g. the /home directory).

cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf /home/

Edit client.conf:

vi /home/client.conf

Set the VPN server host name/IP address:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.

remote  192.168.1.2 1194

Here 192.168.1.2 is my VPN server IP address. Next, copy the client.conf file to your client system.

scp /home/client.conf root@192.168.1.101:/etc/openvpn

IP forwarding and routing Configuration

Edit the sysctl.conf file:

vi /etc/sysctl.conf

Find the following line and set its value to "1" to enable IP forwarding.

# Controls IP packet forwarding

net.ipv4.ip_forward = 1

Run the following command to apply the sysctl changes.

sysctl -p

Adjust iptables to forward traffic through VPN properly.

Enter the following commands one by one:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

Save the iptables changes using command:

service iptables save

service iptables restart

Finally, start the openvpn service and make it start automatically on every reboot using the following commands:

service openvpn start

chkconfig openvpn on

At this time, you should have a working OpenVPN server. Next, let us move to client side configuration.

Verify that the VPN interface (tun0) has been created using the ifconfig command:

ifconfig

Sample output:

eth0      Link encap:Ethernet  HWaddr 08:00:27:46:36:62
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe46:3662/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:604 errors:0 dropped:0 overruns:0 frame:0
          TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:44166 (43.1 KiB)  TX bytes:14434 (14.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Part Two – VPN Client side configuration

Here, I use CentOS 6.5 as my VPN client system. Its actual IP address is 192.168.1.101/24.

Install OpenVPN

Enter the following command from the terminal to install the openvpn package.

yum install openvpn

After installing openvpn, start the service and make it run automatically on every reboot.

service openvpn start

chkconfig openvpn on

Now, check that tun0 (the VPN interface) has been created.

ifconfig

Sample output:

eth0      Link encap:Ethernet  HWaddr 08:00:27:BE:25:49
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:febe:2549/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:537 errors:0 dropped:0 overruns:0 frame:0
          TX packets:387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:52177 (50.9 KiB)  TX bytes:50170 (48.9 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.6  P-t-P:10.8.0.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

As you see in the above output, the VPN server has automatically assigned IP address 10.8.0.6 to my VPN client.

Check if you can ping your VPN server from client system.

ping 10.8.0.1

10.8.0.1 is my VPN server tun0 address.

Sample output:

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=9.61 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=7.17 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=4.87 ms

That’s it. Now the VPN server and client are ready. Connect to your VPN server securely. Happy VPNing!

-----

OpenVPN Configuration

First, install the OpenVPN package from EPEL:

yum install openvpn -y

OpenVPN ships with only a sample configuration, so we will copy the configuration file to its destination:

cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Now that we have the file in the proper location, open it for editing:

nano -w /etc/openvpn/server.conf

Our first change will be to uncomment the "push" parameter which causes traffic on our client systems to be routed through OpenVPN.

push "redirect-gateway def1 bypass-dhcp"

We'll also want to change the section that immediately follows, which routes DNS queries to Google's Public DNS servers.

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

In addition, to enhance security, make sure OpenVPN drops privileges after startup. Uncomment the relevant "user" and "group" lines.

user nobody
group nobody

Generating Keys and Certificates Using easy-rsa

Now that we've finished modifying the configuration file, we'll generate the required keys and certificates. As with the configuration file, OpenVPN places the required scripts in the documentation folder by default. Create the required folder and copy the files over.

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa

With the files in the desired location, we'll edit the "vars" file which provides the easy-rsa scripts with required information.

nano -w /etc/openvpn/easy-rsa/vars

We're looking to modify the "KEY_" variables, located at the bottom of the file. The variable names are fairly descriptive and should be filled out with the applicable information.

Once completed, the bottom of your "vars" file should appear similar to the following:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="Organization Name"
export KEY_EMAIL="administrator@example.com"
export KEY_CN=droplet.example.com
export KEY_NAME=server
export KEY_OU=server

OpenVPN might fail to properly detect the OpenSSL version on CentOS 6. As a precaution, manually copy the required OpenSSL configuration file.

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

We'll now change into our working directory and build our Certificate Authority, or CA, based on the information provided above.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

Now that we have our CA, we'll create our certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.

./build-key-server server

We're also going to need to generate our Diffie Hellman key exchange files using the build-dh script and copy all of our files into /etc/openvpn as follows:

./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn

In order to allow clients to authenticate, we'll need to create client certificates. You can repeat this as necessary to generate a unique certificate and key for each client or device. If you plan to have more than a couple certificate pairs be sure to use descriptive filenames.

cd /etc/openvpn/easy-rsa
./build-key client

Routing Configuration and Starting OpenVPN Server

Create an iptables rule to allow proper routing of our VPN subnet.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

Then, enable IP Forwarding in sysctl:

nano -w /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Finally, apply our new sysctl settings. Start the server and assure that it starts automatically on boot:

sysctl -p
service openvpn start
chkconfig openvpn on

You now have a working OpenVPN server. In the following steps, we'll discuss how to properly configure your client.

Configuring OpenVPN Client

Now that your OpenVPN server is online, let's configure your client to connect. The steps are largely the same regardless of operating system.

To proceed, retrieve the ca.crt, client.crt and client.key files from the remote server. Use your favourite SFTP/SCP (Secure File Transfer Protocol/Secure Copy) client and move them to a local directory, or open the files in nano and copy the contents into local files manually. Be aware that the client.crt and client.key files are named after the parameter given to "./build-key" earlier. All of the necessary files are located in /etc/openvpn/easy-rsa/keys:

nano -w /etc/openvpn/easy-rsa/keys/ca.crt
nano -w /etc/openvpn/easy-rsa/keys/client.crt
nano -w /etc/openvpn/easy-rsa/keys/client.key

With the certificates now on the client system, create a new file called client.ovpn, where "client" should match the name of the client given to build-key. Its contents should be as follows, with "x.x.x.x" replaced by your cloud server's IP address and the appropriate files pasted into the designated areas. Include only the part of each file from the "BEGIN" header line to the "END" line, as shown below. Keep these files as confidential as you would any authentication token.

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
Contents of ca.crt
</ca>
<cert>
Contents of client.crt
</cert>
<key>
Contents of client.key
</key>

As all of the required information to establish a connection is now centralized in the .ovpn file, we can now deploy it on our client system.
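Both this section and the Windows client section earlier on the page ask you to paste ca.crt, client.crt and client.key into the <ca>, <cert> and <key> blocks of client.ovpn, using only the part from the BEGIN line to the END line. The script below is an added example, not code from either original guide; it does that assembly mechanically so that the human-readable certificate dump easy-rsa writes at the top of each .crt file never ends up in the profile, and it refuses to emit a profile with an empty block. It assumes the guide's file names (ca.crt, <client>.crt, <client>.key) inside the easy-rsa keys directory and takes the server address, port, key directory and client name as arguments.

```shell
#!/bin/sh
# Build an OpenVPN client profile (client.ovpn) with the CA certificate,
# client certificate and client key inlined. Added example, not from the
# original guides. Assumes the file names the guides use (ca.crt, <client>.crt,
# <client>.key) inside the easy-rsa keys directory given as an argument.

# pem_block FILE
#   Prints FILE from its "-----BEGIN" line to its "-----END" line inclusive.
#   easy-rsa's .crt files carry a human-readable dump of the certificate
#   before the PEM block; the guide says to include only BEGIN..END, and this
#   is what enforces that.
pem_block() {
    awk '/^-----BEGIN /{p=1} p{print} /^-----END /{exit}' "$1"
}

# build_ovpn SERVER PORT KEYDIR CLIENT
#   Writes the profile to stdout; CLIENT is the name that was given to
#   ./build-key. Fails (status 1) if a file is missing or has no PEM block,
#   rather than emitting a profile with an empty <cert> or <key>.
build_ovpn() {
    server=$1; port=$2; keydir=$3; client=$4
    for f in ca.crt "$client.crt" "$client.key"; do
        [ -f "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
        [ -n "$(pem_block "$keydir/$f")" ] || { echo "no PEM block in $keydir/$f" >&2; return 1; }
    done
    # The directives below match the client config shown in the guide.
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
$(pem_block "$keydir/ca.crt")
</ca>
<cert>
$(pem_block "$keydir/$client.crt")
</cert>
<key>
$(pem_block "$keydir/$client.key")
</key>
EOF
}
```

Run it on the server as "build_ovpn x.x.x.x 1194 /etc/openvpn/easy-rsa/keys client > client.ovpn" (after sourcing the file, or by appending that line to it), then transfer the single client.ovpn file over SCP/SFTP and keep it at mode 0600 on the client, since it contains the client's private key.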

-----

Installation and configuration of OpenVPN server on Centos 6.8

This blog will help you with the installation and configuration of an OpenVPN server on CentOS 6.8 on DigitalOcean.

OpenVPN server version : 2.3.14

CentOS Version : CentOS 6.8

1. Log in to the server and switch to the root user

$ sudo su -

or

$ su -

2. Install EPEL repository

# rpm -Uivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

3. Update and install openvpn-server related packages

# yum update && yum -y install openvpn easy-rsa

4. Generate required certificates and key

# mkdir -p /etc/openvpn/easy-rsa/keys
# cp -r /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
# cd /etc/openvpn/easy-rsa
# source ./vars
# ./clean-all
# ./build-ca

The above command creates the CA certificate and prompts for some values. [Screenshot of sample values from the original post not included.]

# ./build-key-server server

The above command creates the server certificate and prompts for some values. [Screenshot of sample values from the original post not included.]

# ./build-dh

NOTE : All keys and certs will be saved in /etc/openvpn/easy-rsa/keys folder

5. Copy all keys and certificates to the /etc/openvpn folder

# cd /etc/openvpn/easy-rsa/keys

# cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/

6. Create a new file in the /etc/openvpn/ folder named server.conf, and add the following lines:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3

7. Enable IP forwarding. Open /etc/sysctl.conf and change the line

from

net.ipv4.ip_forward = 0

to

net.ipv4.ip_forward = 1

8. Add iptables rules for proper routing

# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT

# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

9. Save and Restart iptables

# service iptables save

# service iptables restart

10. Start openvpn server

# service openvpn start

# chkconfig openvpn on

11. Disable all other ports except 22 (ssh) and 1194  (openvpn).

This is optional; do it only if SSH and OpenVPN are the only services this machine needs to expose. Note that the final OUTPUT DROP rule also blocks the server's own outgoing connections (for example yum and DNS lookups), because only replies from ports 22 and 1194 are allowed out; traffic that VPN clients send through the server to the Internet is not affected, since it passes through the FORWARD chain rather than INPUT and OUTPUT.

Note : On my server, the default chain policy is ACCEPT

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# iptables -A INPUT -p udp --dport 1194 -j ACCEPT

# iptables -A OUTPUT -p udp --sport 1194 -j ACCEPT

# iptables -A INPUT -j DROP

# iptables -A OUTPUT -j DROP

Done!


-----