A friend asked me to set up OpenVPN on an OpenVZ VPS he had. The first thing we needed to do, which he had already done, was contact the host to add support for tun/tap devices; for an idea of what the host had to do, here it is: Host Setup. His website is leadingvpn.com, so let's use that for this; obviously change it to your own domain. We will be doing this for CentOS 6 64-bit.
Basically, a quick rundown of what to do on a CentOS host:
echo "modprobe tun" >> /etc/rc.d/rc.local; modprobe tun
echo "modprobe ipt_mark" >> /etc/rc.d/rc.local; modprobe ipt_mark
echo "modprobe ipt_MARK" >> /etc/rc.d/rc.local; modprobe ipt_MARK
CTID=101   # change to your CTID
vzctl set $CTID --devnodes net/tun:rw --save
vzctl set $CTID --devices c:10:200:rw --save
vzctl set $CTID --capability net_admin:on --save
vzctl exec $CTID mkdir -p /dev/net
vzctl exec $CTID chmod 600 /dev/net/tun
vzctl restart $CTID
#Now in the container, let's run these 2 lines and also add them to startup
myip=1.1.1.1   # change to your IP address
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source $myip
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source $myip
echo "iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source $myip" >> /etc/rc.d/rc.local
echo "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source $myip" >> /etc/rc.d/rc.local
#enable forwarding
sysctl -w net.ipv4.ip_forward=1
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
# CentOS 6 ships net.ipv4.ip_forward = 0 in /etc/sysctl.conf; the appended line wins because sysctl -p applies entries in order, but editing the existing line is cleaner
#We need to enable the right repository for this OS install
#Remember to change to the right rpm for your OS
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
cd /etc/yum.repos.d
wget http://repos.openvpn.net/repos/yum/conf/repos.openvpn.net-CentOS6-snapshots.repo
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openvpn openssl-devel -y
cp -R /usr/share/doc/openvpn*/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
nano vars
#change the following:
export KEY_SIZE=4096
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="LeadingVPN"
export KEY_EMAIL="admin@leadingvpn.com"
#export KEY_CN=changeme
#export KEY_NAME=changeme
#export KEY_OU=changeme
#export PKCS11_MODULE_PATH=changeme
#export PKCS11_PIN=1234
#./build-dh takes a long time with KEY_SIZE=4096, so run it before going for lunch
source ./vars
./clean-all
./build-dh
./pkitool --initca
./pkitool --server secure.leadingvpn.com
openvpn --genkey --secret keys/ta.key
#build as many client certificates as needed (if you need to add more later, cd back into this directory, source ./vars again and run ./pkitool for the new client; it is signed by the same CA built above)
./pkitool client1.leadingvpn.com
./pkitool client2.leadingvpn.com
#make the directories and copy the files each one needs
rm -rf /etc/openvpn/secure /etc/openvpn/client1 /etc/openvpn/client2
mkdir /etc/openvpn/secure    # server file directory
mkdir /etc/openvpn/client1   # client1 directory
mkdir /etc/openvpn/client2   # client2 directory
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key ta.key dh4096.pem secure.leadingvpn.com.crt secure.leadingvpn.com.key /etc/openvpn/secure   # files needed for the server; ca.key only if you want this box to be the CA too
cp ca.crt ta.key client1.leadingvpn.com.crt client1.leadingvpn.com.key /etc/openvpn/client1   # client1 (client1.leadingvpn.com)
cp ca.crt ta.key client2.leadingvpn.com.crt client2.leadingvpn.com.key /etc/openvpn/client2   # client2 (client2.leadingvpn.com)
cd /etc/openvpn
nano secure.conf
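Before starting the server or handing a client its bundle, it is worth checking each of those /etc/openvpn/<name> directories: the right files are there, the private keys and ta.key are owner-only, the CA private key has not been copied into a client directory, and the certificate actually chains to ca.crt and matches its key. This is an added example written for this post, not part of the original; the function name check_vpn_dir and its output format are my own, and it assumes the file names used above (ca.crt, ta.key, dh4096.pem, <cn>.crt, <cn>.key).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check one of the
# /etc/openvpn/<name> directories assembled above.
#   check_vpn_dir DIR CN server|client   -> returns 0 if all checks pass, 1 otherwise

check_vpn_dir() {
    dir=$1 cn=$2 role=$3 rc=0
    # 1. required files for the role
    for f in ca.crt ta.key "$cn.crt" "$cn.key"; do
        [ -f "$dir/$f" ] || { echo "FAIL missing $dir/$f"; rc=1; }
    done
    if [ "$role" = server ]; then
        [ -f "$dir/dh4096.pem" ] || { echo "FAIL missing $dir/dh4096.pem"; rc=1; }
    else
        # the CA private key must never travel inside a client bundle
        [ ! -e "$dir/ca.key" ] || { echo "FAIL ca.key present in client dir $dir"; rc=1; }
    fi
    # 2. secrets are owner-only (0600 or 0400); the tls-auth key is a secret too
    for f in ta.key "$cn.key" ca.key; do
        [ -e "$dir/$f" ] || continue
        mode=$(stat -c %a "$dir/$f" 2>/dev/null || stat -f %Lp "$dir/$f")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL $dir/$f is mode $mode, expected 600"; rc=1 ;;
        esac
    done
    # 3. crypto consistency: cert chains to ca.crt and matches its private key
    if command -v openssl >/dev/null 2>&1 && [ -f "$dir/$cn.crt" ] && [ -f "$dir/$cn.key" ]; then
        openssl verify -CAfile "$dir/ca.crt" "$dir/$cn.crt" >/dev/null 2>&1 \
            || { echo "FAIL $cn.crt does not verify against ca.crt"; rc=1; }
        cmod=$(openssl x509 -noout -modulus -in "$dir/$cn.crt" 2>/dev/null)
        kmod=$(openssl rsa -noout -modulus -in "$dir/$cn.key" 2>/dev/null)
        [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] \
            || { echo "FAIL $cn.crt and $cn.key do not match"; rc=1; }
    fi
    return $rc
}

# Typical use on the layout built above:
#   check_vpn_dir /etc/openvpn/secure  secure.leadingvpn.com  server
#   check_vpn_dir /etc/openvpn/client1 client1.leadingvpn.com client
```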
TO BE CONTINUED….