This time we want to show you how to install and properly configure OpenVPN on your virtual private server (VPS) in order for you to make use of this important encryption and tunneling VPN solution for your personal and business use. We will be using Centos 6.4 64 Bits as our host operating system. We will also make a brief review on how to install the Windows OpenVPN client for you to connect from a Windows PC.
First make sure you have the Extra Packages for Enterprise Linux (EPEL) Repository enabled on your VPS. This is a third party repository offered by the Fedora Project which will provide the OpenVPN package.
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm rpm -Uvh epel-release-6-8.noarch.rpm
Initial OpenVPN Configuration
First, install the OpenVPN package from EPEL:
yum install openvpn -y
OpenVPN comes with a sample configuration file, we will copy this configuration file to its destination:
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn
Now, open the new file for editing:
Uncomment the "push" parameter which is to "push" traffic on our client systems to be routed through OpenVPN.
push "redirect-gateway def1 bypass-dhcp"
We can change the DNS queries to Google's Public DNS servers or any of your choice, if you want to.
push "dhcp-option DNS 22.214.171.124" push "dhcp-option DNS 126.96.36.199"
To enhance security, make sure OpenVPN drops privileges after startup. Uncomment the relevant "user" and "group" lines.
user nobody group nobody
Generating Keys and Certificates Using easy-rsa
Now that we've finished modifying the configuration file, we'll generate the required keys and certificates. As with the configuration file, OpenVPN places the required scripts in the documentation folder by default. Create the required folder and copy the files over.
mkdir -p /etc/openvpn/easy-rsa/keys cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
If the above command brings up an error such as below, then please follow the steps to download and copy over easy-rsa as its not included in the new build OpenVPN 2.3.1:
cannot stat `/usr/share/doc/openvpn-2.2.2/easy-rsa/’: No such file or directory
Extract the package:
tar -zxvf easy-rsa-2.2.0_master.tar.gz
Copy to OpenVPN directory:
cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
Now edit the "vars" file which provides the easy-rsa scripts with required information.
We will edit the "KEY_" variables, located at the bottom of the file. Fill the keys out with the applicable information.
Once completed, the bottom of your "vars" file should appear similar to the following:
export KEY_COUNTRY="US" export KEY_PROVINCE="FL" export KEY_CITY="Miami" export KEY_ORG="Organization Name" export KEY_EMAIL="[email protected]" export KEY_CN=vps.mydomain.com export KEY_NAME=server export KEY_OU=server
OpenVPN could fail to detect the OpenSSL version on CentOS 6. You can manually copy the required OpenSSL configuration file.
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
Now change into the working directory and build the Certificate Authority, or CA, based on the information provided above.
cd /etc/openvpn/easy-rsa source ./vars ./clean-all ./build-ca
Now that we have the CA, we'll create the certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.
We also need to generate our Diffie Hellman key exchange files by using the build-dh script and copy all of the files into /etc/openvpn as follows:
./build-dh cd /etc/openvpn/easy-rsa/keys cp dh1024.pem ca.crt server.crt server.key /etc/openvpn
In order to allow clients to authenticate, you need to create client certificates and key. You can do this as many times you need to provide separate and unique certificates for every client. Use unique names for files of each client.
cd /etc/openvpn/easy-rsa ./build-key client
Routing Configuration and Starting OpenVPN Server
Create an iptables rule to allow proper routing of our VPN subnet.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE service iptables save
Then, enable IP Forwarding in sysctl:
vi /etc/sysctl.conf # Controls IP packet forwarding net.ipv4.ip_forward = 1
Now, apply the new sysctl settings. Start the server and make sure that it starts automatically on boot:
sysctl -p service openvpn start chkconfig openvpn on
You now have a working OpenVPN server. In the following steps, we'll discuss how to properly configure your client.
Configuring OpenVPN Client
Lets configure the client to connect to the. The steps are largely the same regardless of what operating system you have.
Retrieve the ca.crt, client.crt and client.key files from the remote server. Use your favorite SFTP/SCP (Secure File Transfer Protocol/Secure Copy) client and move them to a local directory on the client. You can also open the files in your favorite text editor and copy the contents to local files manually. Be aware that the client.crt and client.key files will are automatically named based on the parameters used with "./build-key" earlier. All of the necessary files are located in /etc/openvpn/easy-rsa/keys
vi /etc/openvpn/easy-rsa/keys/ca.crt vi /etc/openvpn/easy-rsa/keys/client.crt vi /etc/openvpn/easy-rsa/keys/client.key
With the certificates now on our client system, you need to create another new file on the client called client.ovpn, where "client" should match the name of the client being deployed (from build-key), the contents should be as follows, substituting "x.x.x.x" with your VPS IP address, and with the appropriate files pasted into the designated areas. Include only the contents starting from the "BEGIN" header line, to the "END" line. Make sure to keep this files confidential.
client dev tun proto udp remote x.x.x.x 1194 resolv-retry infinite nobind persist-key persist-tun comp-lzo verb 3 Contents of ca.crt Contents of client.crt Contents of client.key
This .ovpn file has all the necessary information to deploy our OpenVPS connection. You can now deploy it on our client system. On Windows, you need the official OpenVPN Community Edition binaries which come prepackaged with a GUI. The only step required post-installation is to place your .ovpn configuration file into the proper directory (C:\Program Files\OpenVPN\config) and click connect in the GUI. Or you can add a new profile on "Connection Profiles", click on the + sign and give it the .ovpn file path.
On Mac OS X, the open source application "Tunnelblick" provides an interface similar to OpenVPN GUI on Windows, and comes prepackagd with OpenVPN and required TUN/TAP drivers. As with Windows, the only step required is to place your .ovpn configuration file into the ~/Library/Application Support/Tunnelblick/Configurations directory.
On Linux, you should install OpenVPN from your distributions official repositories. You can then invoke OpenVPN by simply executing:
sudo openvpn --config ~/path/to/client.ovpn
That's it there is all to it.! You should now have a fully operational VPN running on your VPS server. You can verify that your traffic is being routed through the VPN by checking Google to reveal your VPS public IP instead of your local ISP IP address.