I will guide you through installing OpenVPN step by step. It's very easy.
1. Installing OpenVPN and Easy RSA
So assuming you’re logged in as root, start by installing the EPEL Repository:
- # mkdir /root/temp
- # cd /root/temp
- # wget http://epel.mirror.net.in/epel/6/i386/epel-release-6-8.noarch.rpm
- # rpm -Uvh epel-release-6-8.noarch.rpm
Now that you have installed the EPEL repository, you can go ahead and install OpenVPN and Easy RSA:
- # yum install openvpn easy-rsa -y
2. Configuring Easy RSA
Create a directory to store your keys and certificates:
- # mkdir -p /etc/openvpn/easy-rsa/keys
Copy the Easy RSA scripts to the OpenVPN subdirectory:
- # cp -R /usr/share/easy-rsa/2.0/ /etc/openvpn/easy-rsa/
Edit the Easy RSA settings file:
- # vi /etc/openvpn/easy-rsa/2.0/vars
Find and modify these values:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
export KEY_OU="MyOrganizationalUnit"
Now find this line:
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
And change it to:
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Once you’re done, save the file and quit the editor.
3. Generating the CA Certificates and Keys
Enter these commands to initialize Easy RSA:
- # cd /etc/openvpn/easy-rsa/2.0
- # chmod 0755 *
- # source ./vars
- # ./clean-all
You can then build the CA certificate and key files:
# ./build-ca
Verify that the files have been created successfully:
# ls -al keys
total 20
drwx------ 2 root root 4096 Jul 30 20:14 .
drwxr-xr-x 3 root root 4096 Jul 30 20:09 ..
-rw-r--r-- 1 root root 1887 Jul 30 20:14 ca.crt
-rw------- 1 root root 1704 Jul 30 20:14 ca.key
-rw-r--r-- 1 root root 0 Jul 30 20:09 index.txt
-rw-r--r-- 1 root root 3 Jul 30 20:09 serial
4. Generating the VPN Server and Client Certificates and Keys
You can now go ahead and create the server certificate and key.
# ./build-key-server server
When asked to provide a challenge password for the key, leave it blank. Otherwise, the openvpn service won’t be able to start automatically since it will require you to enter the password each time:
A challenge password []: <= leave this blank
Again, you can list the contents of the “keys” directory to make sure that server.crt, server.csr and server.key have been created:
# ls -al keys
total 56
drwx------ 2 root root 4096 Jul 30 20:18 .
drwxr-xr-x 3 root root 4096 Jul 30 20:09 ..
-rw-r--r-- 1 root root 5732 Jul 30 20:18 01.pem
-rw-r--r-- 1 root root 1887 Jul 30 20:14 ca.crt
-rw------- 1 root root 1704 Jul 30 20:14 ca.key
-rw-r--r-- 1 root root 160 Jul 30 20:18 index.txt
-rw-r--r-- 1 root root 21 Jul 30 20:18 index.txt.attr
-rw-r--r-- 1 root root 0 Jul 30 20:09 index.txt.old
-rw-r--r-- 1 root root 3 Jul 30 20:18 serial
-rw-r--r-- 1 root root 3 Jul 30 20:09 serial.old
-rw-r--r-- 1 root root 5732 Jul 30 20:18 server.crt
-rw-r--r-- 1 root root 1115 Jul 30 20:18 server.csr
-rw------- 1 root root 1704 Jul 30 20:18 server.key
Now you need to create a certificate and key for the VPN clients. I’d recommend that you create a separate certificate and key pair for each VPN user:
This time you really should enter a challenge password:
A challenge password []: ChooseASafePassword123
5. Building the Diffie Hellman Parameters
Enter this command to build the .pem file:
6. Creating the OpenVPN Configuration File
Copy the sample configuration file as a starting point:
# cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/
Edit the configuration file:
# vi /etc/openvpn/server.conf
Find the following line:
dh dh1024.pem
And replace it with:
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
Now find those lines:
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
And replace them with:
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
Uncomment this line to route all the traffic through the VPN server:
push "redirect-gateway def1 bypass-dhcp"
Uncomment these lines:
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
And replace the addresses with the DNS servers you want the clients to use. For example, if you want to use Google’s public DNS service, use 8.8.8.8 and 8.8.4.4:
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
Finally, uncomment these lines, save the file and quit the editor:
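Before starting the service, it is worth checking that every edit above actually landed in /etc/openvpn/server.conf. The following linter is an added example, not part of the original guide or of OpenVPN: it parses a server.conf the way the sample file is laid out (one directive per line, lines starting with "#" or ";" are comments, a trailing " # ..." comment may follow a directive) and reports ca/cert/key/dh entries that are missing or still relative, a dh file smaller than the dh2048.pem the guide uses, and a redirect-gateway or DNS push that was never uncommented. Both sample configurations in the block are constructed for the example.

```python
"""Added example (not from the original guide): lint an OpenVPN server.conf
for the edits the steps above call for.

Assumptions (mine, not the guide's): directives are one per line, '#' or ';'
at the start of a line is a comment, and a trailing ' # ...' comment may
follow a directive, as in the sample file shipped with OpenVPN.
"""
import re

# Constructed sample: the sample server.conf after only some of the edits.
PARTIALLY_EDITED_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
"""

# Constructed sample: the same file with every edit from the guide applied.
FULLY_EDITED_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
"""

PATH_DIRECTIVES = ("ca", "cert", "key", "dh")


def parse_conf(text):
    """Return (directive, argument-string) pairs, dropping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = line.split(" #", 1)[0].rstrip()  # drop a trailing comment
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def check_server_conf(text):
    """Return a list of findings; an empty list means the file matches the guide."""
    by_name = {}
    for directive, args in parse_conf(text):
        by_name.setdefault(directive, []).append(args.strip().strip('"'))
    findings = []

    # ca/cert/key/dh must exist and use absolute paths, so the daemon does not
    # depend on its working directory to find the PKI material.
    for name in PATH_DIRECTIVES:
        values = by_name.get(name)
        if not values:
            findings.append(f"missing directive: {name}")
        elif not values[0].startswith("/"):
            findings.append(f"{name} uses relative path {values[0]!r}; use an absolute path")

    # The guide replaces the sample's dh1024.pem with dh2048.pem.
    m = re.search(r"dh(\d+)\.pem$", by_name.get("dh", [""])[0])
    if m and int(m.group(1)) < 2048:
        findings.append(f"dh parameters are only {m.group(1)} bits; the guide uses dh2048.pem")

    pushes = by_name.get("push", [])
    if not any(p.startswith("redirect-gateway") for p in pushes):
        findings.append("redirect-gateway is not pushed; client traffic will not go through the VPN")
    if not any(p.startswith("dhcp-option DNS") for p in pushes):
        findings.append("no DNS servers are pushed to clients")
    return findings


if __name__ == "__main__":
    for finding in check_server_conf(PARTIALLY_EDITED_CONF):
        print("-", finding)
```

Run it against the real file with `check_server_conf(open("/etc/openvpn/server.conf").read())`; the partially edited sample above yields four findings (relative key, relative dh, 1024-bit dh, redirect-gateway still commented out) and the fully edited one yields none.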
7. Enabling IP Forwarding and Routing
Edit /etc/sysctl.conf and set the following parameter value to 1:
net.ipv4.ip_forward = 1
Save and close the configuration file. Apply the new settings by using this command:
# sysctl -p
You now need to add some iptables rules. Enter these commands one at a time:
# iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
# iptables -A FORWARD -j REJECT
If you are using a dedicated server or a Xen or KVM VPS, enter this command:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
If you are using an OpenVZ VPS, enter this command (don’t forget to use your server’s main IP address):
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source main.ip.address
Save the new iptables rules and restart the service:
# service iptables save
# service iptables restart
8. Starting the VPN Server
In order for OpenVPN to start automatically when booting the server, issue these commands:
# chkconfig --add openvpn
# chkconfig openvpn on
Now start the OpenVPN service:
The VPN server is now waiting for clients to connect.
HOW TO SETUP THE OPENVPN CLIENT FOR WINDOWS
Do not launch the OpenVPN GUI at the end of the installation. You need to set it up to run as an administrator first:
Now download the following files from your server to your Windows computer:
- /etc/openvpn/easy-rsa/2.0/keys/ca.crt
- /etc/openvpn/easy-rsa/2.0/keys/johndoe.crt
- /etc/openvpn/easy-rsa/2.0/keys/johndoe.csr
- /etc/openvpn/easy-rsa/2.0/keys/johndoe.key
- /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf
Copy these five (5) files to "C:\Program Files\OpenVPN\config\" on your Windows computer.
Creating the OpenVPN Configuration file
Before you can establish a connection to a VPN server, you must create a client configuration with the ".ovpn" extension. To do so, rename C:\Program Files\OpenVPN\config\client.conf to client.ovpn. Edit the OVPN file and find the following line:
remote my-server-1 1194
Replace "my-server-1" with your VPN server's IP address:
remote 123.123.123.123 1194
Find the SSL/TLS parameters:
ca ca.crt
cert client.crt
key client.key
Change them to reflect the filenames of your certificate and key files:
ca ca.crt
cert johndoe.crt
key johndoe.key
Save and close the OVPN file.
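The edits to the OVPN file above can be done once, on the server, so that a single self-contained client.ovpn is copied to Windows instead of four separate files. The following script is an added example, not part of the original guide or of OpenVPN: it takes the sample client.conf layout, points `remote` at the server's address, and replaces the `ca`, `cert` and `key` file references with OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks. The client only needs ca.crt, johndoe.crt and johndoe.key; johndoe.csr is the signing request and is not used by the client, so the script refuses it if it is passed by mistake. The `port` and `proto` parameters also cover the change to TCP port 80 from the troubleshooting section below. The client.conf text and the PEM strings are constructed placeholders, not real certificates.

```python
"""Added example (not from the original guide): build a single client.ovpn
with the CA certificate, client certificate and client key inlined, so only
one file has to be copied to the Windows machine.

Assumptions (mine, not the guide's): the client.conf follows the layout of
OpenVPN's sample client.conf, and the PEM strings are the contents of
ca.crt, johndoe.crt and johndoe.key.  The .csr is not needed by the client.
"""
import ipaddress

# Constructed, abridged copy of the sample client.conf layout.
SAMPLE_CLIENT_CONF = """\
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
"""

# Constructed placeholder PEM bodies (not real certificates or keys).
CA_PEM = "-----BEGIN CERTIFICATE-----\nEXAMPLE-CA\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nEXAMPLE-CLIENT\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nEXAMPLE-KEY\n-----END PRIVATE KEY-----\n"


def _require_pem(name, pem):
    """Refuse obviously wrong input, e.g. the .csr or an empty file passed by mistake."""
    if not pem.lstrip().startswith("-----BEGIN ") or "REQUEST" in pem:
        raise ValueError(f"{name} does not look like a PEM certificate or key")


def build_ovpn(client_conf, server_ip, ca_pem, cert_pem, key_pem, port=1194, proto="udp"):
    """Return client.ovpn text with 'remote' set and file directives replaced by inline blocks."""
    ipaddress.ip_address(server_ip)  # raises ValueError on a malformed address
    for name, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        _require_pem(name, pem)

    lines = []
    for raw in client_conf.splitlines():
        directive = raw.strip().split(None, 1)[0] if raw.strip() else ""
        if directive == "remote":
            lines.append(f"remote {server_ip} {port}")
        elif directive == "proto":
            lines.append(f"proto {proto}")
        elif directive in ("ca", "cert", "key"):
            continue  # replaced by the inline blocks appended below
        else:
            lines.append(raw)
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        lines.append(f"<{tag}>")
        lines.append(pem.strip())
        lines.append(f"</{tag}>")
    return "\n".join(lines) + "\n"


def directives(ovpn_text):
    """Top-level directive names in an .ovpn, skipping inline-block bodies (used to check the result)."""
    names, inside = [], False
    for line in ovpn_text.splitlines():
        s = line.strip()
        if s.startswith("</"):
            inside = False
        elif s.startswith("<"):
            inside = True
        elif s and not inside and s[0] not in "#;":
            names.append(s.split(None, 1)[0])
    return names


if __name__ == "__main__":
    print(build_ovpn(SAMPLE_CLIENT_CONF, "123.123.123.123", CA_PEM, CLIENT_CERT_PEM, CLIENT_KEY_PEM))
```

The resulting file contains the client's private key, so copy it over an authenticated channel (scp or similar) and treat it like johndoe.key itself; anyone holding it can connect as that user until the certificate is revoked.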
Starting the OpenVPN Service
If you are using Windows 7 or 8, you must run OpenVPN as a service; otherwise you won’t have the necessary privileges to modify your computer’s network configuration. To do so, go to Control Panel > System and Security > Administrative Tools > Services and double-click on OpenVPN Service:
Set the service so that it starts automatically and click the Start button:
Establishing a Connection to the OpenVPN Server
You can now execute the OpenVPN GUI on your Windows desktop. Remember that it must run as an administrator to work properly. Once OpenVPN is running on your desktop, you should see an icon like this in your taskbar:
Right-click the OpenVPN taskbar icon and it will display a list of available VPN configurations found (the OVPN files). Select the VPN server you wish to connect to and click “Connect”.
If you’ve done everything correctly, the OpenVPN GUI should soon display the IP address it received from the VPN server (10.8.0.x). Try accessing our IP to location tool to see if you’re browsing the web through the VPN.
TROUBLESHOOTING OPENVPN
If you have trouble connecting to the OpenVPN server, you can try to run it on a common TCP port instead of UDP port 1194. Some ISPs do not allow traffic on port 1194. To do so, edit /etc/openvpn/server.conf and make the following changes:
port 80
proto tcp
; proto udp
If port 80 is already in use on your server, try finding an available port that your ISP won’t block. When you are done, restart OpenVPN:
Don’t forget to make the changes to your OVPN file too.
If you still encounter some problems, you can enable debug logging in /etc/openvpn/server.conf:
Restart the OpenVPN service and look at the content of /etc/openvpn/openvpn.log while attempting to connect to the VPN server:
tail -f /etc/openvpn/openvpn.log
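Reading the log by eye works for one client; the following script is an added example, not part of the original guide or of OpenVPN, that groups the lines in /etc/openvpn/openvpn.log by client address and tells apart the failure modes discussed above: a certificate that was not issued by the CA in ca.crt (VERIFY ERROR), a handshake that never receives any packets because the port is blocked or the `remote` line is wrong (the "key negotiation failed to occur within 60 seconds" timeout), and a successful connection. It assumes the log is written at `verb 3` with OpenVPN's default timestamp prefix; the log lines in the block are constructed for the example and use documentation addresses.

```python
"""Added example (not from the original guide): triage /etc/openvpn/openvpn.log
to tell apart the failure modes the troubleshooting section describes.

Assumptions (mine, not the guide's): the log is written at 'verb 3' with the
default timestamp prefix, and the message texts below are the ones OpenVPN
emits for a rejected certificate, a handshake that never completes, and a
successful connection.  The log lines are constructed for this example.
"""
import re

SAMPLE_LOG = """\
Fri Aug  1 10:00:01 2014 Initialization Sequence Completed
Fri Aug  1 10:01:12 2014 203.0.113.5:51234 TLS: Initial packet from [AF_INET]203.0.113.5:51234, sid=1a2b3c4d 5e6f7a8b
Fri Aug  1 10:01:13 2014 203.0.113.5:51234 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=CA, O=Fort-Funston, CN=johndoe
Fri Aug  1 10:01:13 2014 203.0.113.5:51234 TLS Error: TLS object -> incoming plaintext read error
Fri Aug  1 10:01:13 2014 203.0.113.5:51234 TLS Error: TLS handshake failed
Fri Aug  1 10:02:40 2014 198.51.100.7:40001 TLS: Initial packet from [AF_INET]198.51.100.7:40001, sid=9c8d7e6f 5a4b3c2d
Fri Aug  1 10:02:41 2014 198.51.100.7:40001 VERIFY OK: depth=1, C=US, ST=CA, O=Fort-Funston, CN=Fort-Funston CA
Fri Aug  1 10:02:41 2014 198.51.100.7:40001 VERIFY OK: depth=0, C=US, ST=CA, O=Fort-Funston, CN=alice
Fri Aug  1 10:02:41 2014 198.51.100.7:40001 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:40001
Fri Aug  1 10:03:55 2014 192.0.2.9:60010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

# "<weekday> <month> <day> <time> <year> <ip>:<port> <message>"
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)

# What each outcome means for the operator.
HINTS = {
    "cert_rejected": "client certificate was not issued by the CA in ca.crt (wrong ca.crt or wrong client cert)",
    "no_response": "no handshake traffic arrived: port blocked by ISP/firewall or wrong 'remote' in the .ovpn",
    "tls_failed": "handshake started but failed; check the client-side log for the matching error",
    "connected": "client authenticated and got a tunnel address",
    "handshaking": "handshake in progress or log truncated",
}


def triage(log_text):
    """Map each peer (ip:port) to {'status', 'reason', 'user'} from its log lines."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # server-wide messages carry no peer address
        peer, msg = m.group("peer"), m.group("msg")
        entry = peers.setdefault(peer, {"status": "handshaking", "reason": None, "user": None})
        if msg.startswith("VERIFY ERROR"):
            entry["status"], entry["reason"] = "cert_rejected", msg
        elif "key negotiation failed" in msg:
            entry["status"], entry["reason"] = "no_response", msg
        elif msg.startswith("TLS Error") and entry["status"] == "handshaking":
            entry["status"], entry["reason"] = "tls_failed", msg
        elif "Peer Connection Initiated" in msg:
            entry["status"] = "connected"
            entry["user"] = msg.split("]", 1)[0].lstrip("[")  # common name in [brackets]
    return peers


def summarize(log_text):
    """One line per peer, with the operator hint attached."""
    return [
        f"{peer}: {info['status']} ({info['user'] or 'no user'}): {HINTS[info['status']]}"
        for peer, info in triage(log_text).items()
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against the real log with `summarize(open("/etc/openvpn/openvpn.log").read())`. A peer stuck at `no_response` points at the network path (the ISP or firewall block the section above describes), while `cert_rejected` means the TLS path is fine and the problem is the certificate material copied to the client.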