
A brief introduction to CentOS, or if you are a restless soul, just go straight to the process.

CentOS stands for Community ENTerprise Operating System.

CentOS is an Enterprise-class Linux distribution derived from sources freely provided to the public by a prominent North American Enterprise Linux vendor. CentOS conforms fully with the upstream vendor's redistribution policy and aims to be 100% binary compatible. It is developed by a small but growing team of core developers, who in turn are supported by an active user community including system administrators, network administrators, enterprise users, managers, core Linux contributors and Linux enthusiasts from around the world.

CentOS has numerous advantages over some of the other clone projects, including: an active and growing user community; quickly rebuilt, tested and QA'ed errata packages; an extensive mirror network; developers who are contactable and responsive; multiple free support avenues including IRC chat, mailing lists, forums and a dynamic FAQ. Commercial support is offered via a number of vendors. In short, CentOS is a community-supported, mainly free software operating system based on Red Hat Enterprise Linux. It exists to provide a free enterprise-class computing platform and strives to maintain 100% binary compatibility with its upstream distribution.

Now on with our installation!

Please enable TUN/TAP options in your VPS control panel (e.g: SolusVM).


Step 0 – Log in to your server via SSH. You should log in as root.

Step 1 – Now issue this first command syntax:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y

Step 2 – Now download the LZO source RPM and configure the RPMForge repo. Use the wget command:

wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Step 3 – Now add the correct repo package for your server:

CentOS 6 32-bit (x86):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

CentOS 6 64-bit (x86_64):

wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

How do you know which one your server is? Issue this command:

uname -a

If you see "x86_64 GNU/Linux" at the end of the output line, your server is 64-bit. If instead you see "i686 i386 GNU/Linux" or "x86 GNU/Linux", your machine is 32-bit.

Step 4 – Then build and install the RPM packages using these commands:

rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
rpm -Uvh lzo-*.rpm
rpm -Uvh rpmforge-release*

Press Enter after each line above.

INSTALLING OPENVPN

Step 5 – Issue the special yum command:

yum install openvpn -y

Step 6 – Copy the easy-rsa folder to /etc/openvpn/, use this command:

cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

Step 7 – Now edit it:

nano /etc/openvpn/easy-rsa/2.0/vars

Edit this line:

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

replace it with:

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Once done, hit Control+O to save, then Control+X to exit.

Step 8 – Create the certificate using these commands:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Press Enter after each line.

Step 9 – It's time to build the necessary CA file:

./build-ca

Step 10 – Time to build the server key and certificate:

./build-key-server server

You can simply leave the prompts blank. The only two required answers are "Sign the certificate?" (choose "y") and "1 out of 1 certificate requests" (choose "y").

Step 11 – Now issue the command below to build the Diffie-Hellman parameters:

./build-dh

Step 12 – Create the OpenVPN config file:

nano /etc/openvpn/server.conf

Step 13 – Now enter these values in that config file:

port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

Save it once done. (Control+O then Control+X)
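As an added example (not part of the original tutorial), here is a small Python audit that parses a server.conf like the one above and reports the settings a security reviewer would question before exposing the server: password-only client authentication, 1024-bit DH parameters, disabled key renegotiation, tunnel compression, and a missing tls-auth/tls-crypt key. The directive names and paths come from the config above; the sample config is embedded as constructed input.

```python
import re
import shlex

# Constructed sample input: the security-relevant lines of the server.conf above.
TUTORIAL_SERVER_CONF = """\
port 1194 #- port
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
push "redirect-gateway def1"
reneg-sec 0
comp-lzo
"""

def parse_conf(text):
    """Map each directive to the list of argument lists it appears with.
    shlex keeps quoted arguments (push "...") together and drops '#' comments."""
    directives = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit_server_conf(text):
    """Return (directive, finding) pairs for settings that weaken the server."""
    d = parse_conf(text)
    findings = []
    if "client-cert-not-required" in d:
        findings.append(("client-cert-not-required", "clients present no certificate, so the "
                         "PAM password is the only client credential; issue client certs instead"))
    for args in d.get("dh", []):
        m = re.search(r"(\d{3,5})", args[0].rsplit("/", 1)[-1])  # key size from e.g. dh1024.pem
        if m and int(m.group(1)) < 2048:
            findings.append(("dh", f"{m.group(1)}-bit DH parameters; generate 2048-bit or larger"))
    if ["0"] in d.get("reneg-sec", []):
        findings.append(("reneg-sec", "0 disables renegotiation, so data-channel keys never rotate"))
    if "comp-lzo" in d:
        findings.append(("comp-lzo", "tunnel compression is enabled; leave it off unless required"))
    if not (d.keys() & {"tls-auth", "tls-crypt"}):
        findings.append(("tls-auth", "no tls-auth/tls-crypt key, so any host can start a TLS "
                         "handshake with the server"))
    return findings
```

Run it against your own /etc/openvpn/server.conf by passing the file contents to audit_server_conf; an empty list means none of these five checks fired.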


Step 14 – Let's start the OpenVPN service on your server for the very first time:

service openvpn start

Step 15 – You'll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and set the "net.ipv4.ip_forward" line to 1:

nano /etc/sysctl.conf

Replace 0 with 1 so the line reads:

net.ipv4.ip_forward = 1

Hit Control+O to save then Control+X to exit nano.

Step 16 – Issue this command to apply the change:

sysctl -p

Step 17 – Create a new Linux user which will also be used to log in to the VPN:

useradd username -s /bin/false

Replace username with your own username.

Then also create its password:

passwd username

Step 18 – Now add the iptables NAT rules.

Xen and KVM users use:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

For OpenVZ, use these two instead:

iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123

and

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123

Do not forget to replace 123.123.123.123 with your server's public IP.

Step 19 – Note: if you have CSF on the same server, you need to open your OpenVPN port (usually 1194) through the firewall and run the commands below for CSF:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123

Step 20 – Now save the iptables rules:

service iptables save

Step 21 – Finally, let's create a server.ovpn client config file. To make it easy, you can simply create it on your local computer using Notepad (or any other plain text editor). Enter the following in that file:

client
dev tun
proto udp
remote 123.123.123.123 1194 # - Your server IP and OpenVPN port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Then save it with the .ovpn extension, in the config directory of wherever you installed the OpenVPN client on your computer.

Step 22 – That's it. Now copy the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in your server's document root (public_html):

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /path/to/public/directory

Example:

cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /var/www/servermom.com/public_html

Now you can download the ca.crt file in your browser by going to domain.com/ca.crt, then save it to the same folder as the .ovpn file you created earlier.

That's it. Now you can log in to your VPN using the username and password you've created.