OpenVPN Install on CentOS 6 Server
By Leo Gaggl
I recently had a need to install a VPN service in an OpenVZ container. Since I normally only use hardware-emulating VMs, I ran into quite a few issues in terms of low-level networking support on this container virtualisation system. It turns out that you are stuck with a TUN/TAP solution, as most services won’t enable PPP on their infrastructure. Also, Ethernet bridging is not available (at least on the service I used), so you’re stuck with NAT IP masquerading. Considering the options, I thought I was best served by using OpenVPN server.
Install Server
yum --enablerepo=epel -y install openvpn
Server configuration
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
These are the contents of /etc/openvpn/server.conf
local XXX.XXX.XXX.XXX #Server External IP
port 1194
proto udp
dev tun
ca ca.crt
cert SERVER.crt
key SERVER.key #keep file secret
dh dh1024.pem #file name follows KEY_SIZE set in the easy-rsa vars file
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8" #using Google Public DNS
push "dhcp-option DNS 8.8.4.4" #using Google Public DNS
keepalive 10 120
comp-lzo #every client config must set this too (see Troubleshooting)
max-clients 5
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3
mkdir -p /etc/openvpn/easy-rsa/keys
cd /etc/openvpn/easy-rsa
cp -rf /usr/share/openvpn/easy-rsa/2.0/* .
vim vars
#Set the country (KEY_COUNTRY)
#state (KEY_PROVINCE)
#locality (KEY_CITY)
#organisation name (KEY_ORG)
#support email (KEY_EMAIL)
#key length (KEY_SIZE, default 1024; 2048 is the usual minimum today and makes build-dh produce dh2048.pem instead of dh1024.pem)
Create certificate authority
. ./vars #source it rather than execute it: the script only exports variables into the current shell
./clean-all #wipes everything in the keys/ directory
./build-ca
The CA key (ca.key) and certificate (ca.crt) should now be in the keys directory inside the easy-rsa directory.
Create certificate for the server
./build-key-server NAME_OF_SERVER
Answer the prompts, then confirm signing the certificate and committing it to the CA database.
Create the Diffie Hellman files
These parameters are used for the key exchange that keeps the session confidential over an insecure channel, i.e. the Internet. Depending on the key length set in vars (KEY_SIZE), generating them may take a while.
./build-dh
Copy crypto files
cd keys/
cp ca.crt SERVER.crt SERVER.key dh1024.pem /etc/openvpn/ #SERVER is the NAME_OF_SERVER used above; ca.key stays here and is never copied to /etc/openvpn
Create the certificate for each client
./build-key NOTEBOOK
./build-key MOBILE
Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#takes effect immediately but does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent
NAT Masquerading Setup
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
#venet0 is the OpenVZ virtual interface; on a normal host use the external interface (e.g. eth0). Run "service iptables save" so the rule survives a restart.
Start OpenVPN
/etc/init.d/openvpn start
chkconfig openvpn on
Clients
Ubuntu
apt-get install network-manager-openvpn
Android
FeatVPN: http://www.featvpn.com/
Troubleshooting
- Ensure that the client settings reflect EXACTLY the server settings (I learned the hard way, wasting a lot of time troubleshooting the fact that routing would not work – it turned out to be a client setting, ‘comp-lzo’!)
- Ensure TUN/TAP services are enabled for your OpenVZ container (http://wiki.openvz.org/VPN_via_the_TUN/TAP_device)
ERROR: Linux ip link set failed: external program exited with error status: 255
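Because the first troubleshooting point hinges on client and server settings agreeing exactly, here is a small POSIX shell check (an added example, not part of the original post) that compares the directives which must match between a server.conf and a client config; the trimmed configs and the server address 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): compare the directives that must
# agree between an OpenVPN server.conf and a client config. A silent mismatch,
# such as comp-lzo on one side only, breaks routing without an obvious error.

# Directives whose value (or mere presence, for flag-style ones) must match.
MUST_MATCH="proto dev comp-lzo cipher auth"

# ovpn_get FILE DIRECTIVE: print the directive's first argument, "set" for a
# bare flag, or "unset" if absent. Comments starting with # or ; are ignored.
ovpn_get() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '
        $1 == d { found = 1; print (NF > 1 ? $2 : "set"); exit }
        END { if (!found) print "unset" }'
}

# ovpn_check_pair SERVER_CONF CLIENT_CONF: print one line per mismatch and
# return the number of mismatches (0 means the pair is consistent).
ovpn_check_pair() {
    srv=$1; cli=$2; bad=0
    for d in $MUST_MATCH; do
        s=$(ovpn_get "$srv" "$d"); c=$(ovpn_get "$cli" "$d")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $d: server=$s client=$c"; bad=$((bad + 1))
        fi
    done
    # The client carries the port on its 'remote HOST [PORT]' line (default 1194).
    sport=$(ovpn_get "$srv" port)
    cport=$(sed -e 's/[#;].*$//' "$cli" |
        awk '$1 == "remote" { print ($3 == "" ? "1194" : $3); exit }')
    if [ "$sport" != "${cport:-unset}" ]; then
        echo "MISMATCH port: server=$sport client=${cport:-unset}"; bad=$((bad + 1))
    fi
    return $bad
}

# Demo on constructed files: the server.conf from this post (trimmed) against a
# client that forgot comp-lzo, then the same client corrected. Prints "1 0" last.
ovpn_demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'comp-lzo' \
        'server 10.8.0.0 255.255.255.0' > "$dir/server.conf"
    printf '%s\n' 'client' 'dev tun' 'proto udp' 'remote 203.0.113.10 1194' \
        'ca ca.crt' 'cert NOTEBOOK.crt' 'key NOTEBOOK.key' > "$dir/client.conf"
    first=0; ovpn_check_pair "$dir/server.conf" "$dir/client.conf" || first=$?
    echo comp-lzo >> "$dir/client.conf"
    second=0; ovpn_check_pair "$dir/server.conf" "$dir/client.conf" || second=$?
    rm -rf "$dir"
    echo "$first $second"
}
```

Run `ovpn_check_pair /etc/openvpn/server.conf client.conf` on the real files; a non-zero exit status lists exactly which directive differs.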
Documentation: http://openvpn.net/howto.html