
Centos OpenVPN Setup

A friend asked me to set up OpenVPN on an OpenVZ VPS he had. The first thing needed (which he had already done) was to ask the hosting provider to enable tun/tap devices for the container; what the provider has to do on the host node is shown below under "Host Setup". His website's domain is used as the example name in this post, so substitute your own. This walkthrough is for CentOS 6 64-bit.
Quick rundown of what to do on the CentOS host node (as root):

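# --- on the OpenVZ host node, as root ---
# Load the kernel modules the container needs and make them survive a reboot.
# tun is the virtual interface driver OpenVPN uses; ipt_mark / ipt_MARK are the
# iptables "mark" match and MARK target (nothing later on this page uses them,
# so they look like a generic host template -- harmless to load).
# rc.local is appended to unconditionally, so running this twice leaves
# duplicate lines; modprobe itself is idempotent.
for mod in tun ipt_mark ipt_MARK; do
  modprobe "$mod"
  echo "modprobe $mod" >> /etc/rc.d/rc.local
done

CTID=101   # change to the container ID (see vzlist)
# Expose /dev/net/tun (char device 10:200) read/write to the container and
# grant it CAP_NET_ADMIN, which is what lets it bring up a tun interface and
# run iptables.  This is a real privilege grant: it lets the container
# reconfigure its own network stack, so only do it for a container you trust
# to that extent.
vzctl set "$CTID" --devnodes net/tun:rw --save
vzctl set "$CTID" --devices c:10:200:rw --save
vzctl set "$CTID" --capability net_admin:on --save
vzctl exec "$CTID" mkdir -p /dev/net
vzctl exec "$CTID" chmod 600 /dev/net/tun   # root-only inside the container
vzctl restart "$CTID"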

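# --- inside the container, as root ---
# Source-NAT traffic leaving the container so VPN clients can reach the
# outside world through the container's public address.  The page uses SNAT
# to a fixed address rather than MASQUERADE, which is fine while the
# container has a single static IP.
myip=      # change to the container's public IPv4 address
vpnnet=    # change to the VPN client subnet, i.e. the network you give to the
           # "server" directive of the OpenVPN server config (a.b.c.d/24 form)
: "${myip:?set myip to the container's public IP first}"
: "${vpnnet:?set vpnnet to the VPN client subnet first}"

# Rule 1 catches everything leaving via venet0; rule 2 catches anything from
# the VPN subnet regardless of interface.  The original page left the -s
# argument of rule 2 empty, which iptables rejects.
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source "$myip"
iptables -t nat -A POSTROUTING -s "$vpnnet" -j SNAT --to-source "$myip"

# Persist across reboots.  The variables are expanded now, so rc.local gets
# the literal addresses; rerunning this appends duplicate lines.
# NOTE: nothing here touches the FORWARD chain.  Once ip_forward is on, VPN
# clients can reach any network the container can; add FORWARD rules if
# that is not what you want.
echo "iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source $myip" >> /etc/rc.d/rc.local
echo "iptables -t nat -A POSTROUTING -s $vpnnet -j SNAT --to-source $myip" >> /etc/rc.d/rc.local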

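# Enable IPv4 forwarding now and at boot.
# The original used "sysctl net.ipv4.ip_forward = 1": with spaces around "="
# sysctl treats "net.ipv4.ip_forward", "=" and "1" as three separate keys,
# prints errors and changes nothing.  The key=value form (or -w) is required.
sysctl -w net.ipv4.ip_forward=1
# CentOS 6 ships /etc/sysctl.conf with "net.ipv4.ip_forward = 0".  Rewrite it
# in place if present, otherwise append, so the file holds one unambiguous
# setting (blindly appending also works, last value wins, but is confusing
# to audit later).
if grep -q '^net\.ipv4\.ip_forward' /etc/sysctl.conf; then
  sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
else
  echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
fi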

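# Add the repository that carries the openvpn package (on CentOS 6 that is
# normally EPEL).  The URL was missing from the original page; use the
# release rpm matching your OS version and architecture.  It is fetched over
# the network and defines where future packages come from, so check its GPG
# signature (rpm -K) against a key you obtained independently before
# installing it.
release_rpm=   # change: path/URL of the repository release rpm for your OS
: "${release_rpm:?set release_rpm first}"
rpm -Uvh "$release_rpm"
cd /etc/yum.repos.d   # left here by the original page, presumably to inspect the new .repo file; nothing is changed
# Only openvpn is needed.  The original also installed gcc, make, rpm-build,
# autoconf, zlib-devel, pam-devel and openssl-devel, which are for building
# from source; nothing on this page compiles anything, and a toolchain on a
# VPN host is needless attack surface.
yum install -y openvpn
# easy-rsa 2.0 ships under the openvpn package's documentation; work on a
# copy under /etc/openvpn so package upgrades do not touch the PKI.
cp -R /usr/share/doc/openvpn*/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *   # the doc copy is presumably installed non-executable, hence the chmod
nano vars     # set the KEY_* values shown below before sourcing the file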

#change following:

# These lines live in /etc/openvpn/easy-rsa/2.0/vars and are read when the
# file is sourced (source ./vars below); they become the default subject
# fields and key size for every certificate pkitool builds.  Lines that start
# with "#export" stay commented out, i.e. they are NOT changed here.
export KEY_SIZE=4096          # RSA key length; build-dh uses the same value, hence keys/dh4096.pem and the long DH generation time
export KEY_CITY="SanFrancisco"
export KEY_ORG="LeadingVPN"
export KEY_EMAIL=""           # blank on the original page -- fill in; it ends up in every certificate's subject
#export KEY_CN=changeme
#export KEY_NAME=changeme
#export KEY_OU=changeme
#export PKCS11_MODULE_PATH=changeme   # only for keys held on a PKCS#11 token; leave commented unless using one
#export PKCS11_PIN=1234               # never put a real PIN in this file; vars is a plain, readable shell script

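# Build the PKI.  Order matters: vars must be sourced FIRST, because every
# script below reads KEY_DIR, KEY_SIZE and the KEY_* fields from the
# environment (the original page listed build-dh before "source ./vars").
source ./vars
# clean-all initialises KEY_DIR (keys/, index.txt, serial) and WIPES anything
# already in it -- run it once, on a fresh PKI only.
./clean-all
# Diffie-Hellman parameters; at KEY_SIZE=4096 this takes a long time
# ("before going for lunch").
./build-dh
./pkitool --initca   # creates ca.crt and ca.key; ca.key is the root of trust for this VPN
SERVER_NAME=         # change: common name for the server certificate, e.g. the VPN hostname
: "${SERVER_NAME:?set SERVER_NAME first}"
./pkitool --server "$SERVER_NAME"   # the original page omitted the name; pkitool --server requires one
# tls-auth shared secret: an extra HMAC on the control channel that drops
# unauthenticated packets before the TLS handshake.  It is handed to every
# client together with ca.crt, so treat it as a secret but expect it to be
# widely distributed.
openvpn --genkey --secret keys/ta.key

# One certificate per client device/user.  Do not share a single certificate
# between clients: revoking one user would then revoke all of them, and
# per-user auditing is lost.  To add a client later, cd back into this
# directory, "source ./vars" again and run the same command with a new name.
# Add --pass to have the client's private key encrypted with a passphrase.
./pkitool client1
./pkitool client2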


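# Lay out one directory per role and copy only what that role needs.
# The CA private key is deliberately NOT copied to the server directory:
# ca.key is what signs new certificates and CRLs, and a compromised VPN
# server must not be able to mint further client certificates.  Leave it in
# easy-rsa/keys (better: on a machine that is not the VPN server) and sign
# from there.
umask 077                        # everything created below is readable by root only
SERVER_NAME=                     # change: the name given to pkitool --server
: "${SERVER_NAME:?set SERVER_NAME first}"
rm -rf -- /etc/openvpn/secure /etc/openvpn/client1 /etc/openvpn/client2
mkdir -p /etc/openvpn/secure     # server files
mkdir -p /etc/openvpn/client1    # bundle to hand to client 1
mkdir -p /etc/openvpn/client2    # bundle to hand to client 2
cd /etc/openvpn/easy-rsa/2.0/keys
# Server: CA cert (to verify clients), its own cert+key, DH params, tls-auth key.
cp ca.crt "$SERVER_NAME.crt" "$SERVER_NAME.key" dh4096.pem ta.key /etc/openvpn/secure
# Clients: CA cert (to verify the server), their own cert+key, tls-auth key.
# The original page copied only ca.crt and ta.key, which is not enough to
# connect.  The .key files and ta.key are secrets: deliver each bundle over a
# protected channel and delete the copy left here once it has been handed out.
cp ca.crt client1.crt client1.key ta.key /etc/openvpn/client1
cp ca.crt client2.crt client2.key ta.key /etc/openvpn/client2
chmod 600 /etc/openvpn/secure/*.key /etc/openvpn/client*/*.key
cd /etc/openvpn
nano secure.conf   # server config; its contents are not shown on this page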