Before installing OpenVPN, check whether TUN/TAP is enabled on your VPS. If it is not, you can try another CentOS template or ask your VPS provider to enable TUN/TAP. Run:
cat /dev/net/tun
If the reply is "cat: /dev/net/tun: File descriptor in bad state", the TUN device exists and is ready (cat cannot read from it, but the device is there). Any other reply, most often "No such file or directory", means TUN/TAP is not available and OpenVPN will not be able to create its tunnel interface.
Now the installation begins. First install gcc and make:
yum install gcc make
Download the LZO source package for OpenVPN (LZO is the compression library behind the comp-lzo option):
wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Download the RPMforge repository package for OpenVPN. Pick the file that matches your architecture.
If you are using the 32-bit version:
wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
If you are using the 64-bit version:
wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
You can check the server architecture with:
uname -a
Now install the remaining dependencies, the RPMforge release package and OpenVPN itself. Downloading the rpmforge-release rpm is not enough: it has to be installed with rpm -Uvh before yum can see the repository. On a 64-bit server use the x86_64 file instead of the i386 one.
cd /tmp
yum install -y wget iptables yum-priorities nano dnsmasq rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.i386.rpm
rpm -Uvh rpmforge-release-0.5.1-1.el5.rf.i386.rpm
yum check-update
yum install -y openvpn-2.0.9
Then copy the easy-rsa scripts that ship with the package into /etc/openvpn and build the CA and the server certificate. The scripts only need the execute bit. Edit vars first and set KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG and KEY_EMAIL to your own values; they become the defaults offered when each certificate is built. Note that ./clean-all empties the keys directory, so run it once at the start and not again after you have issued certificates.
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +x *
nano vars
source ./vars
./clean-all
./build-ca
./build-key-server server
Here is the example configuration file. Two of its choices weaken the tunnel and you should know what they cost: auth none and cipher none turn off HMAC integrity protection and encryption on the data channel, so everything the client routes through the VPN (redirect-gateway def1 sends all of the client's traffic) crosses the network in the clear and can be read or altered on the way. The TLS control channel still protects the username/password exchange itself, but nothing else. client-cert-not-required leaves that PAM password as the only thing a client needs. To fix this, drop the two "none" lines (OpenVPN's defaults, cipher BF-CBC and auth SHA1, then apply) or set cipher AES-256-CBC and auth SHA256, and make the same change on the client side, because a mismatch shows up in the log as decrypt/HMAC errors rather than as a clear configuration error.
nano /etc/openvpn/openvpn.conf
port 53
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
keepalive 5 30
auth none
cipher none
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
Build the Diffie-Hellman parameters, copy what the server needs into /etc/openvpn and start the service. build-dh names the file after KEY_SIZE in vars; 1024 is the script's default and is small by current standards, so set KEY_SIZE=2048 before running it and change the dh line in the config to match if you do. The running server does not use ca.key (it is only needed to sign new certificates), so leave it in the keys directory instead of copying it next to the live config.
cd /etc/openvpn/easy-rsa/2.0
./build-dh
cp keys/{ca.crt,server.crt,server.key} /etc/openvpn/
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start
Make a client key. This is only needed if you remove client-cert-not-required from the server config; with that line present, clients authenticate by username and password alone.
./build-key alvacode
Done. The client needs ca.crt from /etc/openvpn/easy-rsa/2.0/keys (plus alvacode.crt and alvacode.key if you use client certificates). Copy them over an authenticated channel such as scp rather than through a public web directory.
Start the firewall, enable dnsmasq at boot and turn on IP forwarding:
service iptables start
chkconfig dnsmasq on
nano /etc/sysctl.conf
Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1. To apply it without waiting for a reboot, run sysctl -p afterwards.
To have the NAT and forwarding rules applied again at every boot, add them to /etc/rc.local:
nano /etc/rc.local
#!/bin/sh
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
touch /var/lock/subsys/local
These rules are appended (-A), so they only take effect if nothing earlier in the FORWARD chain already rejects the traffic. The stock CentOS firewall loaded by service iptables start sends both INPUT and FORWARD through a chain that ends in a REJECT, so after the rules are in place check the order with iptables -L FORWARD -n -v --line-numbers and confirm the 10.8.0.0/24 ACCEPT sits above any REJECT. The same firewall must also accept the port OpenVPN listens on (udp 53 in this configuration) in the INPUT chain; open it in /etc/sysconfig/iptables or with iptables -I INPUT -p udp --dport 53 -j ACCEPT.
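The ordering problem described above is easy to miss because iptables accepts the rc.local rules without complaint. The script below is an added example, not part of the original tutorial: it reads the text of iptables-save and checks that the VPN ACCEPT in FORWARD comes before any rule that rejects everything (a bare REJECT/DROP, or a jump to a chain that ends in one, like the stock RH-Firewall-1-INPUT), that POSTROUTING masquerades 10.8.0.0/24, and that udp/53 is accepted somewhere in the filter table. The two rulesets inside it are constructed samples modelled on the stock CentOS 5 firewall with the rc.local rules appended; the chain names and rule spelling are assumptions about what iptables-save emits on that system.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify that the forwarding and NAT
# rules from rc.local are effective in the ruleset that is actually loaded.
# Input is the text of `iptables-save`; real use:
#   iptables-save > /tmp/rules.txt && check_vpn_rules /tmp/rules.txt
VPN_NET=10.8.0.0/24
VPN_PORT=53

# vpn_forward_ok FILE: true if the ACCEPT for VPN_NET in filter/FORWARD comes
# before any rule that blocks all remaining traffic. The file is read twice:
# pass 1 collects user chains that end in an unconditional REJECT/DROP, pass 2
# walks FORWARD in order ("-A CHAIN -j TARGET" with nothing else matches all).
vpn_forward_ok() {
    awk -v net="$VPN_NET" '
        /^\*/ { table = substr($0, 2); next }
        table != "filter" || $1 != "-A" { next }
        { n = NF; if ($0 ~ /--reject-with/) n -= 2; uncond = (n == 4) }
        NR == FNR {
            if (uncond && ($4 == "REJECT" || $4 == "DROP")) rejecting[$2] = 1
            next
        }
        $2 == "FORWARD" {
            pos++
            if (!accept && $NF == "ACCEPT" && index($0, "-s " net)) accept = pos
            if (!block && uncond && ($4 == "REJECT" || $4 == "DROP" || ($4 in rejecting))) block = pos
        }
        END { exit !(accept && (!block || accept < block)) }' "$1" "$1"
}

# vpn_nat_ok FILE: true if nat/POSTROUTING masquerades VPN_NET.
vpn_nat_ok() {
    awk -v net="$VPN_NET" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" && index($0, "-s " net) && $NF == "MASQUERADE" { found = 1 }
        END { exit !found }' "$1"
}

# vpn_port_ok FILE: true if some filter rule accepts udp/VPN_PORT (the stock
# firewall keeps its opened ports inside RH-Firewall-1-INPUT, not INPUT itself).
vpn_port_ok() {
    awk -v port="$VPN_PORT" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $0 ~ /-p udp/ && $0 ~ ("--dport " port "( |$)") && $NF == "ACCEPT" { found = 1 }
        END { exit !found }' "$1"
}

# check_vpn_rules FILE: run all three checks, report, return 1 on any failure.
check_vpn_rules() {
    rc=0
    vpn_forward_ok "$1" && echo "forward: ok" || { echo "forward: VPN ACCEPT is behind a REJECT or missing"; rc=1; }
    vpn_nat_ok "$1"     && echo "nat: ok"     || { echo "nat: no MASQUERADE for $VPN_NET"; rc=1; }
    vpn_port_ok "$1"    && echo "port: ok"    || { echo "port: udp/$VPN_PORT not accepted"; rc=1; }
    return $rc
}

# Constructed sample A: stock firewall loaded first, rc.local rules appended.
BROKEN='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample B: VPN rules placed before the stock reject, udp/53 opened.
FIXED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Demo: check both samples.
work=$(mktemp -d)
printf '%s\n' "$BROKEN" > "$work/broken"
printf '%s\n' "$FIXED" > "$work/fixed"
for f in broken fixed; do echo "== $f =="; check_vpn_rules "$work/$f" || true; done
rm -rf "$work"
```

Sample A is what you get when rc.local runs after service iptables start on a stock ruleset: the NAT rule is fine, but the VPN ACCEPT sits behind the jump to RH-Firewall-1-INPUT and udp/53 is never opened, so the check fails on both counts. Sample B passes.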
Add the VPN user. This is the system account the PAM plugin checks the password against; /bin/false as the shell means the password is good for the VPN only and not for an interactive login:
adduser alva -m -s /bin/false
passwd alva
Now reboot the server so that rc.local, sysctl.conf and the services all come up together:
/sbin/reboot
Example client configuration. Replace 0.0.0.0 with the server's public IP address, and keep proto, cipher, auth and comp-lzo identical to the server side; if you changed the server's auth/cipher lines, change them here too.
client
dev tun
proto udp
remote 0.0.0.0 53
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
auth-user-pass
auth none
cipher none
comp-lzo
verb 3
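The server configuration above and this client configuration are meant to be deployed as a pair, and both of the weaknesses they carry are easy to catch mechanically. The script below is an added example, not code from the tutorial: it emits a hardened server/client pair for the same setup (AES-256-CBC and SHA256 instead of none, a 2048-bit DH group, a client certificate on top of the PAM password, and ns-cert-type server on the client so it refuses a server that presents a client certificate from the same CA), lints a config for the directives that strip protection from the tunnel, and compares the data-channel parameters of the two sides. It assumes OpenVPN 2.0.x directive names, that the server's OpenSSL build offers AES-256-CBC and SHA256, that dh2048.pem was built with KEY_SIZE=2048 in vars, and it gives the auth-pam plugin its argument as the PAM service name login, which is how the plugin's own README documents it. 203.0.113.10 is a placeholder address and the weak excerpt is a constructed copy of the tutorial's settings.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: hardened server/client
# configs for the setup above, plus a lint for weak directives and a
# server/client consistency check. See the lead-in for the assumptions.

# The tutorial's own settings that the lint is meant to catch (constructed
# excerpt, not a full config).
weak_server_conf() {
cat <<'EOF'
dh dh1024.pem
client-cert-not-required
auth none
cipher none
EOF
}

# Server: same layout as the tutorial, with encryption, HMAC, a 2048-bit DH
# group and a client certificate required in addition to the PAM password.
hardened_server_conf() {
cat <<'EOF'
port 53
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
# the plugin argument is a PAM service name, i.e. a file under /etc/pam.d
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1"
keepalive 5 30
cipher AES-256-CBC
auth SHA256
comp-lzo
user nobody
group nobody
persist-key
persist-tun
verb 3
EOF
}

# Client: remote is a placeholder; proto/cipher/auth/comp-lzo mirror the server.
hardened_client_conf() {
cat <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 53
nobind
ca ca.crt
cert alvacode.crt
key alvacode.key
ns-cert-type server
auth-user-pass
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
EOF
}

# check_ovpn_conf FILE: print each weak directive found; return 1 if any.
check_ovpn_conf() {
    rc=0
    stripped=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$1")   # drop comments
    for pat in '^cipher[[:space:]]+none' '^auth[[:space:]]+none' \
               '^client-cert-not-required' '^dh[[:space:]].*1024'; do
        hit=$(printf '%s\n' "$stripped" | grep -E "$pat" | head -n 1)
        if [ -n "$hit" ]; then echo "weak: $hit"; rc=1; fi
    done
    return $rc
}

# ovpn_get FILE DIRECTIVE: its value, "(set)" for a bare flag, "(default)" if absent.
ovpn_get() {
    line=$(sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' "$1" | grep -E "^$2([[:space:]]|\$)" | head -n 1)
    [ -n "$line" ] || { echo "(default)"; return; }
    val=$(printf '%s\n' "$line" | sed "s/^$2[[:space:]]*//")
    [ -n "$val" ] && echo "$val" || echo "(set)"
}

# check_pair SERVER CLIENT: data-channel parameters must agree on both ends;
# a mismatch surfaces as decrypt/HMAC errors in the log, not as a config error.
check_pair() {
    rc=0
    for d in proto cipher auth comp-lzo; do
        s=$(ovpn_get "$1" "$d"); c=$(ovpn_get "$2" "$d")
        [ "$s" = "$c" ] || { echo "mismatch: $d server=$s client=$c"; rc=1; }
    done
    return $rc
}

# Demo: lint the tutorial's settings and the hardened server, then compare the pair.
work=$(mktemp -d)
weak_server_conf > "$work/weak.conf"
hardened_server_conf > "$work/server.conf"
hardened_client_conf > "$work/client.ovpn"
for f in weak.conf server.conf; do
    if check_ovpn_conf "$work/$f"; then echo "$f: ok"; else echo "$f: weak settings found"; fi
done
check_pair "$work/server.conf" "$work/client.ovpn" && echo "server/client parameters agree"
rm -rf "$work"
```

The lint flags all four of the tutorial's weak lines and passes the hardened server; the pair check is the one to run every time a client file is edited by hand, since OpenVPN 2.0 does not negotiate the cipher and a client left on cipher none simply stops decrypting.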