May 2, 2013

Advanced

How to Setup and Configure an OpenVPN Server on CentOS 6

Tagged In: Cent Os, Miscellaneous, Vpn

Introduction


This article will guide you through the setup and configuration of an OpenVPN server on your CentOS 6 cloud server. We will also cover how to configure a Windows, OS X, or Linux client to connect to the newly installed OpenVPN server.

Before we begin, you'll need to have the Extra Packages for Enterprise Linux (EPEL) repository enabled on your cloud server. This is a third-party repository offered by the Fedora Project, and it provides the OpenVPN package.
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm

Initial OpenVPN Configuration


First, install the OpenVPN package from EPEL:
yum install openvpn -y

OpenVPN ships with only a sample configuration, so we will copy the configuration file to its destination:
cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn

Now that we have the file in the proper location, open it for editing:
nano -w /etc/openvpn/server.conf

Our first change will be to uncomment the "push" directive that causes all traffic from our client systems to be routed through the VPN.
push "redirect-gateway def1 bypass-dhcp"

We'll also want to change the two DNS lines that immediately follow, so that clients' DNS queries are routed to Google's Public DNS servers.
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

In addition, to enhance security, make sure OpenVPN drops privileges after startup by uncommenting the "user" and "group" lines.
user nobody
group nobody
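A quick check that the three edits above actually took effect, as an added example that is not part of the original article: it reports directives that are still missing or commented out, and also reports which dh file the config references so it can be compared with what build-dh produces later (the sample file names dh1024.pem; newer easy-rsa versions generate dh2048.pem). The function names and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the server.conf edits
# described above are active, and show which dh file the config points at.

# check_server_conf CONF
# Prints every directive from the tutorial that is missing or still commented out
# (a leading ';' or '#' means the sample file's default is still in force).
# Returns 0 when all are active, 1 otherwise.
check_server_conf() {
    conf="$1"
    missing=0
    for want in \
        'push "redirect-gateway def1 bypass-dhcp"' \
        'push "dhcp-option DNS 8.8.8.8"' \
        'push "dhcp-option DNS 8.8.4.4"' \
        'user nobody' \
        'group nobody'
    do
        # Trim surrounding whitespace, then require an exact, uncommented line.
        if ! sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$conf" | grep -Fxq -- "$want"; then
            echo "missing or commented out: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# dh_file_from_conf CONF
# Prints the file named by the active "dh" directive. The sample file ships
# "dh dh1024.pem"; if build-dh produced dh2048.pem instead, the service will not start.
dh_file_from_conf() {
    sed -n 's/^[[:space:]]*dh[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# dh_file_present CONF DIR
# Succeeds only if the dh file referenced by CONF exists in DIR (normally /etc/openvpn).
dh_file_present() {
    f=$(dh_file_from_conf "$1")
    [ -n "$f" ] && [ -f "$2/$f" ]
}

# Demo on a constructed config that mimics the sample file before editing.
demo_dir=$(mktemp -d)
cat > "$demo_dir/server.conf" <<'EOF'
port 1194
proto udp
dev tun
dh dh1024.pem
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;user nobody
;group nobody
EOF
check_server_conf "$demo_dir/server.conf" || echo "server.conf still needs editing"
echo "dh directive references: $(dh_file_from_conf "$demo_dir/server.conf")"
rm -rf "$demo_dir"
```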

Generating Keys and Certificates Using easy-rsa


Now that we've finished modifying the configuration file, we'll generate the required keys and certificates. As with the configuration file, OpenVPN ships the easy-rsa scripts outside /etc/openvpn, so create the required folder and copy the files over:
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa

With the files in the desired location, we'll edit the "vars" file which provides the easy-rsa scripts with required information.
nano -w /etc/openvpn/easy-rsa/vars

We're looking to modify the "KEY_" variables located at the bottom of the file. The variable names are fairly descriptive and should be filled in with the applicable information.

Once completed, the bottom of your "vars" file should appear similar to the following:
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York"
export KEY_ORG="Organization Name"
export KEY_EMAIL="[email protected]"
export KEY_CN=droplet.example.com
export KEY_NAME=server
export KEY_OU=server

The easy-rsa scripts (via whichopensslcnf) might fail to detect the OpenSSL version on CentOS 6 and so not find their OpenSSL configuration. As a precaution, manually copy the required file into place:
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf

We'll now change into our working directory and build our Certificate Authority, or CA, based on the information provided above.
cd /etc/openvpn/easy-rsa
source ./vars
./clean-all
./build-ca

Now that we have our CA, we'll create our certificate for the OpenVPN server. When asked by build-key-server, answer yes to commit.
./build-key-server server

We're also going to need to generate our Diffie-Hellman parameters using the build-dh script, and then copy all of our files into /etc/openvpn as follows:
./build-dh
cd /etc/openvpn/easy-rsa/keys
cp dh1024.pem ca.crt server.crt server.key /etc/openvpn

In order to allow clients to authenticate, we'll need to create client certificates. Repeat this step as necessary to generate a unique certificate and key for each client or device. If you plan to have more than a couple of certificate pairs, be sure to use descriptive filenames.
cd /etc/openvpn/easy-rsa
./build-key client

Routing Configuration and Starting OpenVPN Server


Create an iptables NAT rule so that traffic from the VPN subnet (10.8.0.0/24) is masqueraded out of the public interface; replace eth0 if your public interface is named differently.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
service iptables save

Then, enable IP Forwarding in sysctl:
nano -w /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

Finally, apply the new sysctl settings, start the server, and ensure that it starts automatically on boot:
sysctl -p
service openvpn start
chkconfig openvpn on

You now have a working OpenVPN server. In the following steps, we'll discuss how to properly configure your client.

Configuring OpenVPN Client


Now that your OpenVPN server is online, let's configure your client to connect. The steps are largely the same regardless of your operating system.

In order to proceed, we will need to retrieve the ca.crt, client.crt and client.key files from the remote server. Use your favorite SFTP/SCP (Secure File Transfer Protocol/Secure Copy) client to move them to a local directory. Alternatively, open the files in nano and copy their contents into local files manually. Be aware that the client.crt and client.key files are named after the argument given to "./build-key" earlier. All of the necessary files are located in /etc/openvpn/easy-rsa/keys:
nano -w /etc/openvpn/easy-rsa/keys/ca.crt
nano -w /etc/openvpn/easy-rsa/keys/client.crt
nano -w /etc/openvpn/easy-rsa/keys/client.key

With our certificates now on our client system, we'll create a new file called client.ovpn, where "client" should match the name of the client being deployed (from build-key). Its contents should be as follows, substituting "x.x.x.x" with your cloud server's IP address and pasting the appropriate files into the designated areas. Include only the contents starting from the "BEGIN" header line through the "END" line, as demonstrated below. Treat this file as confidential, since it contains the client's private key; guard it as you would any authentication token.
client
dev tun
proto udp
remote x.x.x.x 1194
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
<ca>
Contents of ca.crt
</ca>
<cert>
Contents of client.crt
</cert>
<key>
Contents of client.key
</key>
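The assembly step above, scripted, as an added example that is not part of the original article: it builds client.ovpn from ca.crt, client.crt and client.key, keeps only the BEGIN..END section of each PEM file (easy-rsa .crt files carry a text dump above it), and refuses to write a file when a PEM block is missing or truncated, which is what produces the "PEM_read_bio:no start line" client error. The function names, the 203.0.113.10 placeholder address and the stand-in PEM files are constructed for this example, not real key material.

```shell
#!/bin/sh
# Added example (not from the original article): assemble client.ovpn from the
# files produced by build-key, keeping only the BEGIN..END section of each PEM file.

# pem_block_ok FILE
# Succeeds if FILE exists and contains a "-----BEGIN ..." and a "-----END ..." line.
# A file without them (a truncated paste, or an empty file) would make the client
# fail with "PEM routines:PEM_read_bio:no start line".
pem_block_ok() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    if ! grep -q '^-----BEGIN ' "$1" || ! grep -q '^-----END ' "$1"; then
        echo "no PEM BEGIN/END block in $1" >&2
        return 1
    fi
}

# inline_block TAG FILE
# Emits <TAG>...</TAG> containing only the PEM section of FILE, as the article asks.
inline_block() {
    echo "<$1>"
    sed -n '/^-----BEGIN /,/^-----END /p' "$2"
    echo "</$1>"
}

# build_client_ovpn SERVER_IP CLIENT_NAME KEYS_DIR OUT_FILE
# Writes OUT_FILE with the client options from the article plus inline <ca>, <cert>
# and <key> blocks from KEYS_DIR/ca.crt, KEYS_DIR/CLIENT_NAME.crt and
# KEYS_DIR/CLIENT_NAME.key. Returns 1 and writes nothing if any file is unusable.
build_client_ovpn() {
    server_ip="$1"; client="$2"; keys="$3"; out="$4"
    for f in "$keys/ca.crt" "$keys/$client.crt" "$keys/$client.key"; do
        pem_block_ok "$f" || return 1
    done
    {
        printf '%s\n' \
            'client' 'dev tun' 'proto udp' "remote $server_ip 1194" \
            'resolv-retry infinite' 'nobind' 'persist-key' 'persist-tun' \
            'comp-lzo' 'verb 3'
        inline_block ca "$keys/ca.crt"
        inline_block cert "$keys/$client.crt"
        inline_block key "$keys/$client.key"
    } > "$out"
    # The file now holds the private key: owner-only permissions.
    chmod 600 "$out"
}

# Demo with constructed stand-in files (the base64 is filler, not real key material).
demo=$(mktemp -d)
printf '%s\n' 'Certificate:' '    Data: (text dump easy-rsa writes above the PEM block)' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgQ0EgQk9EWQ==' '-----END CERTIFICATE-----' \
    > "$demo/ca.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=' \
    '-----END CERTIFICATE-----' > "$demo/client.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQgS0VZIEJPRFk=' \
    '-----END PRIVATE KEY-----' > "$demo/client.key"
build_client_ovpn 203.0.113.10 client "$demo" "$demo/client.ovpn" && cat "$demo/client.ovpn"
rm -rf "$demo"
```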

As all of the information required to establish a connection is now centralized in the .ovpn file, we can deploy it on our client system. On Windows, regardless of edition, you will need the official OpenVPN Community Edition binaries, which come prepackaged with a GUI. The only step required post-installation is to place your .ovpn configuration file into the proper directory (C:\Program Files\OpenVPN\config) and click Connect in the GUI. OpenVPN GUI on Windows must be run with administrative privileges.

On Mac OS X, the open source application "Tunnelblick" provides an interface similar to OpenVPN GUI on Windows, and comes prepackaged with OpenVPN and the required TUN/TAP drivers. As with Windows, the only step required is to place your .ovpn configuration file into the ~/Library/Application Support/Tunnelblick/Configurations directory.

On Linux, install OpenVPN from your distribution's official repositories. You can then invoke OpenVPN by executing:
sudo openvpn --config ~/path/to/client.ovpn

Congratulations! If you made it this far, you should now have a fully operational VPN running on your cloud server. You can verify that your traffic is being routed through the VPN by asking Google to reveal your public IP address; it should now be your cloud server's address.

101 Comments

  • me 12 months

    Hello, How could I force usage of TLS certificates as well as ensure AES cbc 256bit encryption?

  • Bulat Khamitov 12 months

    You can create a shared secret TLS authentication key with "openvpn --genkey --secret tls.key", then add "tls-auth tls.key 0" to the server config and "tls-auth tls.key 1" to the client config. Make sure to copy the tls.key file over a secure channel like SSH. For the cipher, place this line in both server and client configs: "cipher AES-256-CBC"

  • zhifangyizhiyang 11 months

    Note that easy-rsa is no longer bundled with OpenVPN source code archives. To get it, visit the easy-rsa page on GitHub, or download it from our Linux software repositories. https://github.com/OpenVPN/easy-rsa

  • dtocila 11 months

    It won't let me copy the configuration file to the destination. It says it doesn't exist. Any ideas?

  • dtocila 11 months

    There is no /share directory in my /etc directory. I'm currently the root user. Any idea where the server.conf file might be hiding?

  • dtocila 11 months

    Never mind, found it. ^_^ Next time, I'll spend more time looking prior to posting.

  • dtocila 11 months

    I'm at the following step:
    mkdir -p /etc/openvpn/easy-rsa/keys
    cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    There is nothing inside the /usr/share/openvpn directory. No easy-rsa directory, nothing. I'm finding a variety of scripts in the /doc/openvpn-2.3.1/sample/sample-scripts directory but no vars file. :(

  • dtocila 11 months

    Aha, that's because the files aren't bundled with source OpenVPN. I wish I had seen the comment up above earlier. Can you guys edit the tutorial to reflect that comment? The files are on GitHub.

  • Kamal Nasser 10 months

    They should be there. Did you find them elsewhere?

  • aqua682 10 months

    Looks like easy-rsa is not included anymore using the EPEL repo. Can you please update guide to reflect changes, thanks!

  • martinalejandronavarro 10 months

    For some reason I get a "FAILED" error message when I run service openvpn start. Any idea? Thanks!

  • Kamal Nasser 10 months

    @martinalejandronavarro Check openvpn's error log (/var/log/openvpn.log)

  • fadzil 10 months

    I'm stuck at "cp: cannot stat `/etc/openvpn/easy-rsa/openssl-1.0.0.cnf': No such file or directory". Help...

  • Kamal Nasser 10 months

    @fadzil: Please see zhifangyizhiyang's comment above. The files are no longer bundled with openvpn so easy-rsa has to be downloaded from an external source.

  • wrightjim 10 months

    I just noted that the build-dh only created a dh2048.pem file. Changed the openvpn server.conf to match, and all seems fine (so far...haven't tried connecting yet).

  • vinay 10 months

    Thanks for documenting this. One small error needs to be corrected: the correct path for the sample config file is /usr/share/doc/openvpn-*/sample/sample-config-files and not /usr/share/doc/openvpn-*/sample-config-files as described in the note.

  • mohammad.aidid 10 months

    Is it possible to run OpenVPN alongside the same server that I use to serve my websites with Nginx? I am an ultra noob. Is there any security issue? And what is the best setup to run OpenVPN? Do I need to get another droplet? Thanks in advance!!! Ultra noob me.

  • Kamal Nasser 10 months

    @mohammad.aidid: Yes, you can install openvpn on an already existing droplet.

  • kenan 10 months

    Hey there, I'm trying to get this working and the server says it received the request — however, here's what happens:
    Jul 5 14:13:27 s16365416 openvpn[2425]: MULTI: multi_create_instance called
    Jul 5 14:13:27 s16365416 openvpn[2425]: 91.21.135.193:63180 Re-using SSL/TLS context
    Jul 5 14:13:27 s16365416 openvpn[2425]: 91.21.135.193:63180 LZO compression initialized
    Jul 5 14:13:27 s16365416 openvpn[2425]: 91.21.135.193:63180 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Jul 5 14:13:27 s16365416 openvpn[2425]: 91.21.135.193:63180 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Jul 5 14:13:27 s16365416 openvpn[2425]: 91.21.135.193:63180 Local Options hash (VER=V4): '530fdded'
    Jul 5 14:13:27 s16365416 openvpn[2425]: 91.21.135.193:63180 Expected Remote Options hash (VER=V4): '41690919'
    Jul 5 14:13:27 s16365416 openvpn[2425]: 91.21.135.193:63180 TLS: Initial packet from 91.21.135.193:63180, sid=6916c575 36715648
    Jul 5 14:14:04 s16365416 openvpn[2425]: 91.21.135.193:63801 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jul 5 14:14:04 s16365416 openvpn[2425]: 91.21.135.193:63801 TLS Error: TLS handshake failed
    Jul 5 14:14:04 s16365416 openvpn[2425]: 91.21.135.193:63801 SIGUSR1[soft,tls-error] received, client-instance restarting
    No connection can be established. Any idea?

  • Kamal Nasser 10 months

    @kenan are you connecting from Windows? Make sure you whitelist openvpn in the firewall. Do you have any firewalls running? (It's possible that you do if you are in a work environment).

  • ajftek 9 months

    For those like me that have not used GitHub before - I found the following to be useful in explaining how to obtain Easy-RSA. This is from: http://safesrv.net/install-openvpn-on-centos/
    Download easy-rsa from below:
    wget https://github.com/downloads/OpenVPN/easy-rsa/easy-rsa-2.2.0_master.tar.gz
    Extract the package:
    tar -zxvf easy-rsa-2.2.0_master.tar.gz
    Copy to OpenVPN directory:
    cp -R easy-rsa-2.2.0_master/easy-rsa/ /etc/openvpn/
    Please note on CentOS 6 we need to make a small change before you run the commands below. Open up /etc/openvpn/easy-rsa/2.0/vars and edit the line below.
    Change:
    export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
    To:
    export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
    And save..

  • ahmad.m.alsaleh 9 months

    @ajftek Thanks a lot for the help. However, after I did what was described in your comment, I went back to continue from the article and got this error:
    cp: cannot stat `/usr/share/openvpn/easy-rsa/2.0/*': No such file or directory
    when running this command:
    cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    Any idea about this problem?

  • Kamal Nasser 9 months

    @ahmad.m.alsaleh: If you followed @ajftek's comment, you don't have to run these commands:
    mkdir -p /etc/openvpn/easy-rsa/keys
    cp -rf /usr/share/openvpn/easy-rsa/2.0/* /etc/openvpn/easy-rsa
    (Generating Keys and Certificates Using easy-rsa)

  • edgar_garcias 9 months

    Hi guys! I'm writing this note because I've tried this procedure with no luck. I could not start the openvpn service on CentOS 6.4, and 6 hours ago I found the file openvpn-as-1.8.5-CentOS6.i386.rpm on the openvpn site, and the procedure for its installation (simply rpm -ivh openvpn-as-1.8.5-CentOS6.i386.rpm), and it worked. I finally had access to openvpn's admin site, but as the first time I couldn't start the openvpn service. This is my question: should we install both archives, openvpn-as-1.8.5-CentOS6.i386.rpm and the "yum -y install openvpn", in order to set up our servers and try this app? Thanks for your reply.

  • Kamal Nasser 9 months

    @edgar_garcias: OpenVPN AS is NOT OpenVPN. They're different. You should be able to only install OpenVPN and it would work. Not being able to start the OpenVPN service is usually a result of a config syntax error.

  • worldisfreedom 8 months

    Thank you! Great tutorial. Some fixes for the commands:
    1. yum install easy-rsa
    2. cp /usr/share/doc/openvpn-2.*/sample/sample-config-files/server.conf /etc/openvpn/
    3. cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

  • mailkrushna 8 months

    Hi everybody, I followed the tutorial. Everything is working fine except whatismyipaddress.com still shows my ISP IP, not the VPN IP. How do I change that?

  • Kamal Nasser 8 months

    @mailkrushna: Did you connect to OpenVPN? whatismyipaddress.com might be cached in your browser so try clearing your cache.

  • Andrew Good 7 months

    Hi, I am still showing my ISP IP address on whatismyipaddress.com. I have cleared cache etc. and OpenVPN says it's connected.

  • Kamal Nasser 7 months

    @Andrew: Did you configure the OpenVPN client properly? Make sure you have it set to forward all traffic to the VPN connection. Also try another site, such as https://encrypted.google.com/search?hl=en&q=what+is+my+ip

  • antonini 7 months

    Hi, I'm just helping. The first cp command doesn't work any more on CentOS 6.4. Here is the updated command:
    cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/

  • antonini 7 months

    Another thing: easy-rsa needs to be installed: yum install easy-rsa. The folder to copy the easy-rsa files from is "/usr/share/easy-rsa/2.0/".

  • markjcayetano 7 months

    How can I make it so that multiple clients can connect from one key/CA?

  • Kamal Nasser 7 months

    @markjcayetano: It is not recommended to do that (you should have a separate cert/key per client) but if you still want to you can just copy the ca, cert, and key files to all of the clients.

  • godwin668 7 months

    I followed above instructions and can connect to the VPN Server, but can NOT surf the internet via it. Any ideas?

  • Kamal Nasser 7 months

    @godwin668: Did you follow the Routing Configuration and Starting OpenVPN Server section?

  • markjcayetano 7 months

    This tutorial has RSA Key but what about RSA Private Key?

  • Kamal Nasser 7 months

    @markjcayetano: The *.key files are RSA private keys.

  • Zig 7 months

    UPDATE THIS TUTORIAL

  • Zig 7 months

    *-caps +please

  • JP Caparas 7 months

    If you want username/password authentication (without the need for a client certificate), put these directives at the bottom of your server.conf file:
    plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login
    client-cert-not-required
    username-as-common-name

  • JP Caparas 7 months

    Note: I forgot to mention that the PAM plugin location above is for 64-bit installations; for 32-bit, you'll need to change it to:
    /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login

  • antonini 7 months

    Done all those steps and it worked. What would be nice is a post like this on creating a VPN server with IPsec using ipsec-tools or another tool.

  • Kamal Nasser 7 months

    @Zig: Which part did not work for you?

  • garfieldcoke.d 7 months

    Service openvpn start failed. Double checked all configs, everything looks OK. The only discrepancy was noticed when executing "sysctl -p"; this produced the following errors:
    "Net.bridge.bridge-nf-call-iptables6" is an unknown key
    "Net.bridge.bridge-nf-call-iptables" is an unknown key
    "Net.bridge.bridge-nf-call-artables" is an unknown key
    I changed the command to sysctl -e -p and the errors were not displayed anymore, but the service still failed.

  • Kamal Nasser 7 months

    @garfieldcoke.d: Try changing the directives to lowercase (i.e. 'net' instead of 'Net').

  • garfieldcoke.d 7 months

    Thanks for the reply Kamal. I re-checked the conf file and they all start with lowercase and the value set to 0. Is there anything else you would recommend?

  • garfieldcoke.d 7 months

    After checking the logs, I realized that server.conf was looking for "dh1024.pem" but I was using "dh2048.pem". After making that change and running the service command, openvpn started OK. Moving on to the next step now :D

  • garfieldcoke.d 7 months

    Success! I had to redo the following steps:
    cd /etc/openvpn/easy-rsa
    source ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-dh
    cd /etc/openvpn/easy-rsa/keys
    cp dh1024.pem ca.crt server.crt server.key /etc/openvpn
    cd /etc/openvpn/easy-rsa
    ./build-key-pass client  # Had to change ./build-key to ./build-key-pass to prevent a password error in the OpenVPN GUI client

  • soulblender 7 months

    The install went great and everything works, but I can't figure out how to install a license. I purchased 10 user licenses from OpenVPN but I can't find the "liman" command I'm supposed to run to install them, and the web UI mentioned in the documentation doesn't work either.

  • Edi Septriyanto 7 months

    @soulblender: I guess you're purchasing OpenVPN Access Server? This tutorial is for the open-source version of OpenVPN, so no license is required.

  • andrey.yackiv 7 months

    I get an OpenVPN error in Windows:
    Fri Oct 04 11:04:20 2013 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
    Fri Oct 04 11:04:20 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Fri Oct 04 11:04:20 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Fri Oct 04 11:04:21 2013 Cannot load inline certificate file: error:0906D06C:PEM routines:PEM_read_bio:no start line
    Fri Oct 04 11:04:21 2013 Exiting

  • yogeshtambe11 7 months

    I am getting the below error:
    [root@Centos-6 easy-rsa]# source ./vars
    -bash: /etc/openvpn/easy-rsa/whichopensslcnf: Permission denied
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys

  • mafiqh90 7 months

    update this tutorial please...........

  • login 7 months

    Also here trying to follow the steps today, the 4th of October 2013, and I'm back and forth reading the comments and supporting it with other articles and forum threads I need to hunt for, as it's very inconsistent and filled with errors. It very much needs a full review to provide correct step-by-step instructions that actually work. Thanks!

  • petertwo3 6 months

    #!/bin/bash
    rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    yum install openvpn -y
    \cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
    sed -i 's@.*f1.*@push "redirect-gateway def1 bypass-dhcp"@' /etc/openvpn/server.conf
    sed -i 's@.*222.*@push "dhcp-option DNS 8.8.8.8"@' /etc/openvpn/server.conf
    sed -i 's@.*220.*@push "dhcp-option DNS 8.8.4.4"@' /etc/openvpn/server.conf
    sed -i 's@;user nobody@user nobody@' /etc/openvpn/server.conf
    sed -i 's@;group nobody@group nobody@' /etc/openvpn/server.conf
    \cp /usr/share/doc/openvpn-*/sample/sample-keys/* /etc/openvpn
    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    service iptables save
    service iptables restart
    sed -i "s/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/sysctl.conf
    sysctl -p
    service openvpn restart
    chkconfig openvpn on

  • Anton Novojilov 6 months

    Worst tutorial I've ever seen.

  • Kamal Nasser 6 months

    @Anton: Sorry to hear that -- is there anything that didn't work for you?

  • milliriba 6 months

    iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

  • milliriba 6 months

    oops... I meant "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" gives out "iptables: No chain/target/match by that name." error. Why?

  • Kamal Nasser 6 months

    @milliriba: Does running

    modprobe ipt_MASQUERADE
    fix it?

  • Pablo of vDevices.com 5 months

    Is it okay to download & install http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm onto a 64-bit CentOS 6.4 or should we use http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm, instead? Or does it not matter?

  • Kamal Nasser 5 months

    Pablo, you can use whichever file you want since they're both noarch (and their MD5sums match - 2cd0ae668a585a14e07c2ea4f264d79b).

  • colonelu 5 months

    Hello everyone. Good guide, I followed it all and got the job done. I have one problem. On my home PC it functioned well, connected and reached the work network. On my iPad it doesn't work (of course using the same ovpn file). Any ideas? TY

  • Kamal Nasser 5 months

    @colonelu: Are the certificate files present on your iPad? Do you get any errors?

  • bogshne 5 months

    I'm so lost lol(I'm terrible at putty/VPS'), is there anyone I can add on skype or something I can pay to help me set up this VPN? Will pay $20, not much but yeh.

  • dennis 5 months

    After following this tutorial, port 1194 on the VPN server appeared to be blocked. When I tried to connect to the server using OpenVPN (Windows client), it was stuck with a message that said "MANAGEMENT: >STATE:1384715550,WAIT,,," and the OpenVPN tray icon had a yellow light. I found a fix which suggested opening UDP port 1194 for both incoming and outgoing connections on my main public IP address on the VPN server. In my case, my VPN server uses eth0 to connect to another private subnet (SoftLayer network) and eth1 is connected to the public subnet. So, I used eth1 instead of eth0 in the iptables rules below.
    nano -w /etc/sysconfig/iptables
    ####https://workaround.org/openvpn-faq
    ####use eth0 or eth1 - whichever is connected to your public IP
    -A INPUT -i eth1 -p udp --dport 1194 -j ACCEPT
    -A OUTPUT -o eth1 -p udp --dport 1194 -j ACCEPT
    ####allow certain traffic going through the tunnel. If you don't want any restrictions then use:
    -A INPUT -i tun0 -j ACCEPT
    -A OUTPUT -o tun0 -j ACCEPT
    -A FORWARD -o tun0 -j ACCEPT
    Note that I also did 'iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE' (since eth1 is my public IP ethernet), but it did not have an effect. Only after opening port 1194 was I able to connect. Also, commenting out the same 'masquerade' statements in iptables did not seem to make any difference once port 1194 was opened, so I'm not even sure if I need it.

  • Pablo of vDevices.com 5 months

    RE: the Generating Keys and Certificates Using easy-rsa section I, for some reason, am having a difficult time finding /usr/share/openvpn/easy-rsa/. By chance, is it in a different directory?

  • Kamal Nasser 5 months

    @Pablo: Hmm, I think it was changed in the newer package. Try installing easy-rsa manually:

    sudo yum install easy-rsa
    I believe it'll get installed to /usr/share/easy-rsa.

  • junk 5 months

    Freshly updated and tested article: http://geek-kb.com/linux/install-and-configure-openvpn-centos-6-x/

  • Yuri Bichkoff 5 months

    Thank you for a good VPN installation guide. Unfortunately, the field testing of the working system has failed. I mean, some (some—not all!) sites, presumably, are able to analyze packets and refuse them. Example: hulu.com. The message I get reads as follows: “We're sorry, currently our video library can only be streamed within the United States...” In the help article there I found this: “Using a VPN or other work network to access Hulu. Many companies use Virtual Private Networks (VPNs) to monitor and secure their employees’ Internet traffic. Since they typically route all their Internet traffic through a central server, our system may determine that they are Anonymous Proxies. If you are having trouble accessing Hulu while using your work computer, you may want to contact your company’s Network Administrator for help.” Understand me right: I don’t watch movies—don’t even have a TV at home—but use them as a config test. So, I see three possibilities here.
    1. The DigitalOcean droplet IP I use was blacklisted previously.
    2. I should use a bridging instead of a routing VPN configuration. Or insert some special iptables rule.
    3. Smth. I don’t know about at all.
    Does anybody know the answer?

  • Kamal Nasser 5 months

    @Yuri: That's odd. Your droplet's IP address's GeoIP data might not be set correctly (this is common for new IPs). Please open up a support ticket so we can investigate this. Thanks.

  • Kamal Nasser 5 months

    @Yuri: Also -- make sure that your traffic is routed through the vpn: https://kmlnsr.me/ip should output your droplet's IP address.

  • jerrywilborn 5 months

    This is a great guide... It would be nice to see the instructions on revoking access (./revoke-full client, add the crl-verify to the config, etc)

  • Yuri Bichkoff 5 months

    @Kamal, thank you for the response. Alas, all is OK with my IP: kmlnsr.me/ip and whatismyipaddress.com (NY) both confirm 192.241.x.x — my droplet’s. [Though Google Analytics detects Chicago] Well, the matter is not so important to make so much fuss about... I’m just curious (it is possible that the IP address was previously blacklisted—as simple as that.) But I don’t understand their ‘VPN’ passage cited above: “Since they typically route all their Internet traffic through a central server, our system may determine that they are Anonymous Proxies.”

  • Kamal Nasser 5 months

    @Yuri: I think that applies only for public proxies. Please open up a support ticket so we can investigate the invalid GeoIP info.

  • Yuri Bichkoff 5 months

    @Kamal, I did. With an unexpected result of being found guilty in attempt to break laws, lol.

  • blobie 4 months

    Not sure what my issue is. I have set up OpenVPN and when I connect I get assigned an IP address. When I check my public IP it shows my regular IP address and not my OpenVPN address. I have opened the port on my router. Not sure what would be causing this issue. Any ideas?

  • blobie 4 months

    ... I figured it out. Didn't have proper routing on this Windows box. It now works.

  • danielpilch 4 months

    How can I have multiple people connect to the VPN at the same time? Does anyone know? Thanks

  • lagrealm 4 months

    Hi, I am confused that this part was lacking information: "Routing Configuration and Starting OpenVPN Server"
    --Performing: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    --Resulting: iptables: No chain/target/match by that name.
    Reading further comments:
    --Performing: modprobe ipt_MASQUERADE
    --Resulting: FATAL: Module ipt_MASQUERAD not found.
    So I am curious how do I go about this? Following all the steps, crossing the Ts and dotting the Is didn't help me to get closer to solving this issue. Kindly please clarify.

  • Kamal Nasser 3 months

    @lagrealm: What OS are you using?

  • Kamal Nasser 3 months

    @danielpilch: Run these commands for each client:

    cd /etc/openvpn/easy-rsa
    source ./vars
    ./build-key clients-name
    (replacing clients-name with e.g. my-android, home-pc, alex)

  • suliuyes 3 months

    I have done the steps. But I had an error when using the Windows XP OpenVPN GUI:
    Sun Jan 05 23:23:20 2014 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
    Enter Management Password:
    Sun Jan 05 23:23:20 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
    Sun Jan 05 23:23:20 2014 Need hold release from management interface, waiting...
    Sun Jan 05 23:23:21 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
    Sun Jan 05 23:23:21 2014 MANAGEMENT: CMD 'state on'
    Sun Jan 05 23:23:21 2014 MANAGEMENT: CMD 'log all on'
    Sun Jan 05 23:23:21 2014 MANAGEMENT: CMD 'hold off'
    Sun Jan 05 23:23:21 2014 MANAGEMENT: CMD 'hold release'
    Sun Jan 05 23:23:21 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Sun Jan 05 23:23:21 2014 MANAGEMENT: Client disconnected
    Sun Jan 05 23:23:21 2014 Cannot load inline certificate file: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
    Sun Jan 05 23:23:21 2014 Exiting due to fatal error
    Please help! I have done the steps, everything looks OK.

  • suliuyes 3 months

    OK. I have fixed the problem. Maybe some mistake happened when I copied the client.xxx.

  • radu.nicolae 3 months

    Set up all correctly. I can reach the VPN server from outside. I get a DHCP lease (10.69.69.6) but I cannot ping the tun interface of the VPN server, nor the LAN interface. Suggestions?

  • Gravatar radu.nicolae 3 months

    Update: I restarted the OpenVPN server and now I can ping the tun interface (10.69.69.1) and the LAN interface (192.168.69.50). I cannot ping anything else in the LAN.

  • Gravatar co.koalas 3 months

    Sat Jan 18 10:39:56 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sat Jan 18 10:39:56 2014 UDPv4 link local: [undef]
    Sat Jan 18 10:39:56 2014 UDPv4 link remote: [AF_INET]103.28.44.220:1194
    Sat Jan 18 10:39:56 2014 MANAGEMENT: >STATE:1390012796,WAIT,,,
    Sat Jan 18 10:40:56 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Jan 18 10:40:56 2014 TLS Error: TLS handshake failed
    Sat Jan 18 10:40:56 2014 SIGUSR1[soft,tls-error] received, process restarting

    Sorry, I really do not have any idea. Anybody help?

  • Gravatar bogdan.sns 3 months

    Hello! I need help with an OpenVPN tunnel on my droplet. I created a pingable VPN tunnel on the server, but I can't connect to an instance on the droplet (MongoDB) on some port. Can someone help me with port mapping or something else?

  • Gravatar Kamal Nasser 3 months

    @bogdan.sns: Is OpenVPN running on the same droplet as MongoDB? What IP are you trying to connect to? Also, what's the output of

    sudo netstat -plutn
    ?

  • Gravatar Kamal Nasser 3 months

    @co.koalas: Are you using a valid key/certificate? It seems like it's failing to validate your key.

  • Gravatar mathew.crane 3 months

    "Include only the contents starting from the "BEGIN" header line, to the "END" line," This is wrong with latest available packages. For me, this caused the PEM read error as seen in @suliuyes comment. Including the full contents worked.
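
The two comments above both hit OpenVPN's "PEM_read_bio:no start line" error from an inline block pasted without its BEGIN/END lines. Below is an added checker (example code, not from the tutorial or the commenters) that scans the inline `<ca>`/`<cert>`/`<key>` blocks of an `.ovpn` profile for that mistake; the profile and its base64 filler are constructed, not real key material.

```python
# Added example (not from the tutorial): check the inline <ca>/<cert>/<key>
# blocks of an .ovpn profile for the incomplete PEM paste behind OpenVPN's
# "PEM_read_bio:no start line" error quoted in the comments above.
import base64
import re

# Constructed profile: <ca> is complete, <cert> was pasted without its
# BEGIN/END lines.  The base64 is filler, not a real certificate.
SAMPLE_PROFILE = """\
<ca>
-----BEGIN CERTIFICATE-----
MIIBc2FtcGxlY2VydA==
-----END CERTIFICATE-----
</ca>
<cert>
MIIBc2FtcGxlY2VydA==
</cert>
"""

def inline_blocks(profile, tags=("ca", "cert", "key")):
    """Map each inline tag present in the profile to the text between its open and close tags."""
    found = {}
    for m in re.finditer(r"<([\w-]+)>\n(.*?)\n</\1>", profile, re.S):
        if m.group(1) in tags:
            found[m.group(1)] = m.group(2)
    return found

def check_pem_body(body):
    """Return None if body holds a complete PEM object, else a description of the defect.
    Text before the BEGIN line (easy-rsa's human-readable dump) is tolerated."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    begins = [i for i, l in enumerate(lines) if l.startswith("-----BEGIN ")]
    ends = [i for i, l in enumerate(lines) if l.startswith("-----END ")]
    if not begins:
        return "no -----BEGIN line (only the base64 body was pasted?)"
    if not ends or ends[-1] < begins[0]:
        return "no -----END line after the BEGIN line"
    try:  # validate=True rejects stray characters such as editor line-wrap markers
        base64.b64decode("".join(lines[begins[0] + 1:ends[-1]]), validate=True)
    except ValueError:
        return "text between BEGIN and END is not valid base64"
    return None

def check_profile(profile):
    """Return {tag: defect} for every inline block OpenVPN would refuse to load."""
    defects = {}
    for tag, body in inline_blocks(profile).items():
        defect = check_pem_body(body)
        if defect is not None:
            defects[tag] = defect
    return defects
```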

  • Gravatar core.hor 3 months

    Hi. Made it all as described, but forwarding still doesn't work. I'm using Debian 7. Is there some difference in the configuration for iptables?

  • Gravatar Kamal Nasser 3 months

    @core.hor: This article is for CentOS. Check out https://www.digitalocean.com/community/articles/how-to-setup-and-configure-an-openvpn-server-on-debian-6 instead.

  • Gravatar Quang V. Bui 2 months

    Hello, I've installed and run OpenVPN on my DigitalOcean Droplet (Centos 6.5) successfully. The only issue I have right now is that the VPN server does not allow an internet connection from the VPN client, which means my Windows PC can not access the internet while connected to my Droplet via VPN. Please help to resolve this issue. Here is iptables in my Droplet:

    [...~]# nano /etc/sysconfig/iptables
    # Generated by iptables-save v1.4.7 on Wed Feb 5 18:07:36 2014
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
    -A POSTROUTING -j SNAT --to-source my_public_ip
    COMMIT
    # Completed on Wed Feb 5 18:07:36 2014
    # Generated by iptables-save v1.4.7 on Wed Feb 5 18:07:36 2014
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [48:5264]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -j REJECT --reject-with icmp-port-unreachable
    COMMIT
    # Completed on Wed Feb 5 18:07:36 2014

    thanks, Quang
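
In the iptables dump above, the FORWARD chain rejects everything in its first rule, so the later ACCEPT for 10.8.0.0/24 is never reached and VPN clients lose Internet access. The following added audit script (example code, not from the tutorial or the commenter) parses an `iptables-save` dump, which is constructed here to mirror that one, and reports a catch-all REJECT/DROP that shadows the VPN subnet's ACCEPT as well as a missing MASQUERADE rule.

```python
# Added example: audit an iptables-save dump for the FORWARD-chain ordering
# mistake that leaves OpenVPN clients without Internet access.
import re

# Constructed sample mirroring the comment above: the VPN ACCEPT is shadowed.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def chain_rules(dump, table, chain):
    """Return the -A rules of one chain, in the order iptables evaluates them."""
    rules, current = [], None
    for line in (l.strip() for l in dump.splitlines()):
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith(f"-A {chain} "):
            rules.append(line)
    return rules

def is_catch_all_terminator(rule):
    """True if the rule matches every packet (no -s/-d/-i/-o/-p/-m) and REJECTs or DROPs it."""
    return (re.search(r"\s-j\s+(REJECT|DROP)\b", rule) is not None
            and re.search(r"\s-(s|d|i|o|p|m)\s", rule) is None)

def audit_forward(dump, vpn_subnet):
    """List what would stop traffic from vpn_subnet from being forwarded and NATed."""
    problems = []
    forward = chain_rules(dump, "filter", "FORWARD")
    accept_idx = next((i for i, r in enumerate(forward)
                       if f"-s {vpn_subnet}" in r and "-j ACCEPT" in r), None)
    if accept_idx is None:
        problems.append(f"no FORWARD ACCEPT rule for {vpn_subnet}")
    else:  # any catch-all REJECT/DROP above the ACCEPT wins first
        for i, rule in enumerate(forward[:accept_idx]):
            if is_catch_all_terminator(rule):
                problems.append(f"FORWARD rule {i + 1} shadows the {vpn_subnet} ACCEPT: {rule}")
    nat = chain_rules(dump, "nat", "POSTROUTING")
    if not any(f"-s {vpn_subnet}" in r and "-j MASQUERADE" in r for r in nat):
        problems.append(f"no MASQUERADE rule for {vpn_subnet} in nat POSTROUTING")
    return problems
```

Run it against the output of `iptables-save` on the server; an empty list means the VPN subnet's ACCEPT is reachable and its MASQUERADE rule is present.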

  • Gravatar Quang V. Bui 2 months

    Here is my OpenVPN server.conf file:

    GNU nano 2.0.9 File: /etc/openvpn/server.conf
    port 1194 #- port
    proto udp #- protocol
    dev tun
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    reneg-sec 0
    ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
    cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
    key /etc/openvpn/easy-rsa/2.0/keys/server.key
    dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
    plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS
    #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS
    client-cert-not-required
    username-as-common-name
    server 10.8.0.0 255.255.255.0
    push "redirect-gateway def1"
    push "dhcp-option DNS 208.67.222.222"
    push "dhcp-option DNS 208.67.220.220"
    keepalive 5 30
    comp-lzo
    persist-key
    persist-tun
    status 1194.log
    verb 3

  • Gravatar Quang V. Bui 2 months

    Also the file sysctl.conf:

    [.... ~]# nano /etc/sysctl.conf
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1
    # Do not accept source routing
    net.ipv4.conf.default.accept_source_route = 0
    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0

  • Gravatar kopanda 15 days

    It doesn't work for me. I'm using Fedora 20 and the OpenVPN is 2.3.2. As easy-rsa is not bundled with OpenVPN anymore, I downloaded easy-rsa 3 from https://github.com/OpenVPN/easy-rsa. Here are the steps I did:

    1. Edit the vars file and update the values as you described
    2. ./easyrsa init-pki
    3. ./easyrsa build-ca
    4. ./easyrsa build-server-full server
    5. ./easyrsa gen-dh

    I have all the certificates and keys. Then I copied them to /etc/openvpn/ and ran service openvpn@server start. It didn't run and the system status showed:

    Apr 05 18:57:30 example.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server...
    Apr 05 18:57:30 example.com openvpn[13825]: OpenVPN 2.3.2 i686-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
    Apr 05 18:57:30 example.com openvpn[13825]: Diffie-Hellman initialized with 2048 bit key
    Apr 05 18:57:30 example.com openvpn[13825]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Apr 05 18:57:30 example.com openvpn[13825]: Error: private key password verification failed
    Apr 05 18:57:30 example.com openvpn[13825]: Exiting due to fatal error
    Apr 05 18:57:30 example.com openvpn[13825]: Enter Private Key Password:
    Apr 05 18:57:30 example.com systemd[1]: openvpn@server.service: control process exited, code=exited status=1
    Apr 05 18:57:30 example.com systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
    Apr 05 18:57:30 example.com systemd[1]: Unit openvpn@server.service entered failed state.

    I would appreciate it if you can give me a direction for solving this problem. Thanks!

  • Gravatar kopanda 15 days

    Hi, I downloaded easy-rsa 2.0 and the certificates and keys work now. However, my server is behind a router and I cannot connect to it after running the OpenVPN server. I have already forwarded port 1194 to the server but can't find it. Any more firewall settings I have to do?

  • Gravatar Kamal Nasser 13 days

    @kopanda: Have you configured it to use the udp protocol instead of tcp?

  • Gravatar f.cavaillou 12 days

    Hi all, I can't find a solution to my issue, so I'll try my chance here. I followed your good tutorial and set up my OpenVPN server well. All works with a Linux client but not on a Windows client or Mac. I got this message on Windows:

    > VERIFY ERROR: depth=1, error=certificate signature failure: /C=FR/ST=CAV/L=Cavaillon/O=Neopost-ID/OU=neopost.com/CN=mrs-prd-kebvpn-1/name=mrs-prd-kebvpn-1/emailAddress=[email protected]
    > Tue Apr 08 00:56:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    > Tue Apr 08 00:56:06 2014 TLS Error: TLS object -> incoming plaintext read error

    I don't understand why it works well on the Linux client and not on Windows. Best regards
