Introduction


This time we want to show you how to install and properly configure OpenVPN on your virtual private server (VPS) in order for you to make use of this important encryption and tunneling VPN solution for your personal and business use. We will be using Centos 6.4 64 Bits as our host operating system. We will also make a brief review on how to install the Windows OpenVPN client for you to connect from a Windows PC.

First make sure you have the Extra Packages for Enterprise Linux (EPEL) Repository enabled on your VPS. This is a third party repository offered by the Fedora Project which will provide the OpenVPN package.

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

Initial OpenVPN Configuration


First, install the OpenVPN package from EPEL:

yum install openvpn -y


OpenVPN comes with a sample configuration file, we will copy this configuration file to its destination:

cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn


Now, open the new file for editing:

vi /etc/openvpn/server.conf


Uncomment the "push" parameter which is to "push" traffic on our client systems to be routed through OpenVPN.

push "redirect-gateway def1 bypass-dhcp"


We can change the DNS queries to Google's Public DNS servers or any of your choice, if you want to.

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"


To enhance security, make sure OpenVPN drops privileges after startup. Uncomment the relevant "user" and "group" lines.

user nobody
group nobody

Generating Keys and Certificates Using easy-rsa


Now that we've finished modifying the configuration file, we'll generate the required keys and certificates. As with the configuration file, OpenVPN places the required scripts in the documentation folder by default. Create the required folder and copy the files over.

mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa

If the above command brings up an error such as below, then please follow the steps to download and copy over easy-rsa as its not included in the new build OpenVPN 2.3.1:

cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/’: No such file or directory

Download easy-rsa:

wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz

Extract the package:

tar -zxvf easy-rsa-2.2.0_master.tar.gz

Copy to OpenVPN directory:

cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/


Now edit the "vars" file which provides the easy-rsa scripts with required information.

vi /etc/openvpn/easy-rsa/vars


We will edit the "KEY_" variables, located at the bottom of the file. Fill the keys out with the applicable information.

Once completed, the bottom of your "vars" file should appear similar to the following:

export KEY_COUNTRY="US"
export KEY_PROVINCE="FL"
export KEY_CITY="Miami"
export KEY_ORG="Organization Name"
export KEY_EMAIL="[email protected]"
export KEY_CN=vps.mydomain.com
export KEY_NAME=server
export KEY_OU=server


OpenVPN could fail to detect the OpenSSL version on CentOS 6. You can manually copy the required OpenSSL configuration file.

cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf


Now change into the working directory and build the Certificate Authority, or CA, based on the information provided above.

cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca


Now that we have the CA, we'll create the certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.

./build-key-server server


We also need to generate our Diffie Hellman key exchange files by using the build-dh script and copy all of the files into /etc/openvpn as follows:

./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn


In order to allow clients to authenticate, you need to create client certificates and key. You can do this as many times you need to provide separate and unique certificates for every client. Use unique names for files of each client.

cd /etc/openvpn/easy-rsa
./build-key client

Routing Configuration and Starting OpenVPN Server


Create an iptables rule to allow proper routing of our VPN subnet.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save


Then, enable IP Forwarding in sysctl:

vi /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1


Now, apply the new sysctl settings. Start the server and make sure that it starts automatically on boot:

sysctl -p
service openvpn start
chkconfig openvpn on


You now have a working OpenVPN server. In the following steps, we'll discuss how to properly configure your client.

Configuring OpenVPN Client


Lets configure the client to connect to the. The steps are largely the same regardless of what operating system you have.

Retrieve the ca.crt, client.crt and client.key files from the remote server. Use your favorite SFTP/SCP (Secure File Transfer Protocol/Secure Copy) client and move them to a local directory on the client. You can also open the files in your favorite text editor and copy the contents to local files manually. Be aware that the client.crt and client.key files will are automatically named based on the parameters used with "./build-key" earlier. All of the necessary files are located in /etc/openvpn/easy-rsa/keys

vi /etc/openvpn/easy-rsa/keys/ca.crt
vi /etc/openvpn/easy-rsa/keys/client.crt
vi /etc/openvpn/easy-rsa/keys/client.key


With the certificates now on our client system, you need to create another new file on the client called client.ovpn, where "client" should match the name of the client being deployed (from build-key), the contents should be as follows, substituting "x.x.x.x" with your VPS IP address, and with the appropriate files pasted into the designated areas. Include only the contents starting from the "BEGIN" header line, to the "END" line. Make sure to keep this files confidential.

client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3

Contents of ca.crt


Contents of client.crt


Contents of client.key


This .ovpn file has all the necessary information to deploy our OpenVPS connection. You can now deploy it on our client system. On Windows, you need the official OpenVPN Community Edition binaries which come prepackaged with a GUI. The only step required post-installation is to place your .ovpn configuration file into the proper directory (C:\Program Files\OpenVPN\config) and click connect in the GUI. Or you can add a new profile on "Connection Profiles", click on the + sign and give it the .ovpn file path.

On Mac OS X, the open source application "Tunnelblick" provides an interface similar to OpenVPN GUI on Windows, and comes prepackagd with OpenVPN and required TUN/TAP drivers. As with Windows, the only step required is to place your .ovpn configuration file into the ~/Library/Application Support/Tunnelblick/Configurations directory.

On Linux, you should install OpenVPN from your distributions official repositories. You can then invoke OpenVPN by simply executing:

sudo openvpn --config ~/path/to/client.ovpn


That's it there is all to it.! You should now have a fully operational VPN running on your VPS server. You can verify that your traffic is being routed through the VPN by checking Google to reveal your VPS public IP instead of your local ISP IP address.

 

Test on a Miami VPS Now

or

Deploy on a Miami Dedicated Server

Was this answer helpful? 19 Users Found This Useful (42 Votes)