OpenVPN Install on CentOS 6 Server

by Leo Gaggl documentation , work

I recently had a need to install a VPN service in a OpenVZ container. Since I normally only use Hardware emulating VM’s I ran into quite a few issues in terms of low-level networking support on this Container Virtualisation System. Turns out that you are stuck with a TUN/TAP solution as most services won’t enable PPP services on their infrastructure. Also Ethernet bridging is not available (at least on the service I used) so you’re stuck with NAT IP masquerading. Considering the options I thought best served with using OpenVPN server.

Install Server

yum --enablerepo=epel -y install openvpn

Server configuration

cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/

These are the contents of /etc/openvpn/server.conf

local XXX.XXX.XXX.XXX #Server External IP
port 1194
proto udp
dev tun
ca ca.crt
cert SERVER.crt
key SERVER.key  #keep file secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" #using Google Public DNS
push "dhcp-option DNS 8.8.4.4" #using Google Public DNS
keepalive 10 120
comp-lzo
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3

mkdir -p /etc/openvpn/easy-rsa/keys
cd /etc/openvpn/easy-rsa
cp -rf /usr/share/openvpn/easy-rsa/2.0/* .
vim vars
#Set the country (KEY_COUNTRY)
#state (KEY_PROVINCE)
#locality (KEY_CITY)
#organisation name (KEY_ORG)
#support email (KEY_EMAIL)

Create certificate authority

./vars
./clean-all
./build-ca

The CA key and certificate should not be in the keys directory inside the easy-rsa directory.

Create certificate for the server

./build-key-server NAME_OF_SERVER

Answer the questions and commit the certificate into the database

Create the Diffie Hellman files

These files are used for the actual key exchange to ensure the confidentiality over an insecure channel, aka the Internet. Based on the length of the key used (KEY_SIZE) it may take a while.

./build-dh

Copy crypto files

cd keys/
cp ca.crt SERVER.crt SERVER.key dh1024.pem /etc/openvpn/

Create the certificate for each client

./build-key NOTEBOOK
./build-key MOBILE

Enable IP Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

NAT Masquerading Setup

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE

Start OpenVPN

/etc/init.d/openvpn start
chkconfig openvpn on

Clients

Ubuntu

apt-get install network-manager-openvpn

Android

FeatVPN: http://www.featvpn.com/

Troubleshooting

  • Ensure that the client settings reflect EXACTLY the server setting (I learned the hard way wasting a lot of time on troubleshooting the fact that routing would not work – turned out to be a client setting ‘comp-lzo’ !)
  • Ensure TUN/TAP services are enabled for your OpenVZ container (http://wiki.openvz.org/VPN_via_the_TUN/TAP_device)
    ERROR: Linux ip link set failed: external program exited with error status: 255

Documentation: http://openvpn.net/howto.html

Comments

Be the first to comment! Reply to this post from your Mastodon/Fediverse account, or mention this post's URL in your reply. Your comment will appear here automatically via webmention.

Don't have a Mastodon account? Join Mastodon or follow this blog at @gaggl.com@web.brid.gy