View Full Version : Install OpenVPN on CentOS
lxspcby 02-20-2011, 09:08 PM I have searched this forum and I didn't find any OPENVPN tutorial, so I'll write a tutorial on how to get OPENVPN running on CentOS, hope it will be useful.
Here I'm using an OpenVZ VPS with CentOS 5.5 32bit. And about the memory requirement? Don't worry, OPENVPN doesn't eat too much of your memory, I have 50 users running on my 128MB VPS and it only eats 25MB of memory :D
First thing you have to do is check whether tun/tap is active or not by typing
#cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
Take a look at the status above: "File descriptor in bad state" means tun/tap is active, otherwise please ask your provider to activate it
Install required modules
#yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
Download OPENVPN repo
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
for 32bit
#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
for 64bit
#wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.x86_64.rpm
Build the rpm packages
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
#rpm -Uvh rpmforge-release-0.5.2-2.el5.rf.i386.rpm
*remember to change i386 to x86_64 if you're using 64bit
Install OPENVPN
#yum install openvpn
Copy OPENVPN easy-rsa folder to /etc/openvpn/
#cp -R /usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/
Now let's create the certificate
#cd /etc/openvpn/easy-rsa/2.0
#chmod 755 *
#source ./vars
#./vars
#./clean-all
Build CA
#./build-ca
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Build key server
#./build-key-server server
Almost the same as ./build-ca, but check the changes and additions
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
Build Diffie Hellman (wait a moment until the process finishes)
#./build-dh
Now i'm gonna create UDP port 1194 configuration for OPENVPN, use any text editor you like
#nano /etc/openvpn/1194.conf
local 123.123.123.123 #- your_server_ip
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
before you save the configuration, make sure that the "plugin /usr/share/.. /pam.d/login" is one line
Start the OPENVPN with 1194.conf
#openvpn /etc/openvpn/1194.conf &
here's the status if OPENVPN successfully started
Mon Feb 21 02:23:20 2011 UDPv4 link remote:
Mon Feb 21 02:23:20 2011 MULTI: multi_init called, r=256 v=256
Mon Feb 21 02:23:20 2011 IFCONFIG POOL: base=1.2.3.4 size=62
Mon Feb 21 02:23:20 2011 Initialization Sequence Completed
Make OPENVPN 1194.conf running in background
#bg
Enable ipv4 forward
#echo 1 > /proc/sys/net/ipv4/ip_forward
Route iptables
#iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
*1.2.3.0 is allocated ip for OPENVPN client
*123.123.123.123 is your server ip
Now we create username and password for authorization
#useradd username -s /bin/false
#passwd username
Download ca.crt file in /etc/openvpn/easy-rsa/2.0/keys/ directory, you can use sftp client
Download and install OPENVPN client for windows, download the latest stable release OPENVPN version 2.1.4 from here (http://openvpn.net/index.php/open-source/downloads.html#latest-stable)
After you finished installing OPENVPN, move ca.crt (file that you previously downloaded from /etc/openvpn/easy-rsa/2.0/keys/) to OPENVPN config folder in your program files (\Program Files\OpenVPN\config\)
Also create client configuration file in OPENVPN config directory, here's the example:
client
dev tun
proto udp #- protocol
remote 123.123.123.123 1194 #- SERVER IP and OPENVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3
save with anyname.ovpn or 1194.ovpn
http://i56.tinypic.com/aktvet.jpg
Run OPENVPN Client on your Windows, connect with your username and password.
http://i55.tinypic.com/2vwz9di.jpg
http://i53.tinypic.com/2883y0y.jpg
Check your IP Address in browser and Voila!!! Your IP is now changed to your server IP
note:
- Never fails make OPENVPN on CentOS with this tutorial
- Those configurations above are basic configuration, you can check OPENVPN website for another configuration
- If you're using Win 7, before installing OPENVPN client, right click on the installer, properties, run as administrator and change compatibility to Windows XP SP3
- If you wanna add another port, maybe TCP so you can run OPENVPN over proxy, just create new configuration for server, adjust the following lines:
port: your preferred port
protocol: tcp or udp
client's ip: 1.2.4.0 or 1.2.5.0 ; 1.2.6.0 ; and so on
also new configuration for client
proto xxxx #- change xxxx to tcp or udp
remote 123.123.123.123 yyyy #- change yyyy to OPENVPN port
and then run the command
#iptables -t nat -A POSTROUTING -s 1.2.4.0/24 -j SNAT --to 123.123.123.123
Ref: Uncle G
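Added example, not part of the original post or of the OpenVPN project: a small shell linter that flags the settings in the tutorial's 1194.conf that weaken authentication and key exchange, including the one the server itself warns about at start-up (client-cert-not-required), and shows an adjusted config that passes. The function names, finding IDs, the "openvpn" PAM service name and the dh2048.pem and ta.key paths in the second sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint an OpenVPN server config for the risky settings that
# appear in the tutorial's 1194.conf. Names and finding IDs are illustrative.

# conf_args FILE DIRECTIVE: print the arguments of the first occurrence of
# DIRECTIVE, ignoring comments; exit status 1 when the directive is absent.
conf_args() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                          # ";" comment line
        { sub(/#.*$/, ""); sub(/[ \t]+$/, "") }      # "#" comment, trailing blanks
        $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { exit !found }
    ' "$1"
}

finding() {     # finding ID MESSAGE: print one finding and count it
    findings=$((findings + 1))
    printf '%s: %s\n' "$1" "$2"
}

# audit_openvpn_conf FILE: print findings; status 0 = clean, 1 = findings,
# 2 = file not readable.
audit_openvpn_conf() {
    conf=$1
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    # Without client certificates the password is the only credential.
    if conf_args "$conf" client-cert-not-required >/dev/null; then
        finding NO_CLIENT_CERT "clients are accepted without a certificate"
    fi

    # The last plugin argument names the PAM service that checks passwords.
    plugin=$(conf_args "$conf" plugin) || plugin=""
    case $plugin in
        *openvpn-auth-pam.so*login)
            finding PAM_LOGIN "VPN passwords are checked by the system login PAM service" ;;
    esac

    # Heuristic: easy-rsa names the file after the parameter size (dh1024.pem).
    dh=$(conf_args "$conf" dh) || dh=""
    bits=$(printf '%s\n' "$dh" | sed -n 's/.*dh\([0-9][0-9]*\)\.pem$/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        finding WEAK_DH "${bits}-bit Diffie-Hellman parameters"
    fi

    # tls-auth adds an HMAC so unauthenticated packets are dropped early.
    conf_args "$conf" tls-auth >/dev/null ||
        finding NO_TLS_AUTH "control channel has no tls-auth HMAC key"

    # user/group make the daemon drop root after initialisation.
    if ! conf_args "$conf" user >/dev/null ||
       ! conf_args "$conf" group >/dev/null; then
        finding RUNS_AS_ROOT "no user/group directive, daemon keeps root"
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample 1: the security-relevant lines of the tutorial's config.
write_tutorial_conf() {
    cat > "$1" <<'EOF'
port 1194 #- port
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
EOF
}

# Constructed sample 2: the same server with the flagged settings changed.
# Assumptions: dh2048.pem and ta.key have been generated, and a dedicated
# PAM service file /etc/pam.d/openvpn exists.
write_hardened_conf() {
    cat > "$1" <<'EOF'
port 1194
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
dh /etc/openvpn/easy-rsa/2.0/keys/dh2048.pem
tls-auth /etc/openvpn/easy-rsa/2.0/keys/ta.key 0
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
username-as-common-name
user nobody
group nobody
server 1.2.3.0 255.255.255.0
EOF
}

# Demo: audit both samples in a scratch directory.
demo_dir=$(mktemp -d)
write_tutorial_conf "$demo_dir/1194.conf"
write_hardened_conf "$demo_dir/hardened.conf"
echo "== tutorial 1194.conf =="
audit_openvpn_conf "$demo_dir/1194.conf" || true
echo "== adjusted config =="
audit_openvpn_conf "$demo_dir/hardened.conf" && echo "no findings"
rm -rf "$demo_dir"
```

With client-cert-not-required removed, each client .ovpn also needs its own cert and key lines in addition to auth-user-pass.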
Symon 03-04-2011, 01:33 AM Great tutorial and it has helped me a lot there ..:agree: . Big thanks. Btw, I have some questions
Now we create username and password for authorization
#useradd username -s /bin/false
#passwd username
How to remove user which I had added ? Can we use this software to access VPN
( openvpn.net/index.php?option=com_content&id=357 ) or it's for Openvpn access server product use only ?
THanks,
Symon Lim
To delete a user: userdel username
lxspcby 03-04-2011, 04:34 AM Great tutorial and it has helped me a lot there ..:agree: . Big thanks. Btw, I have some questions
How to remove user which I had added ? Can we use this software to access VPN
( openvpn.net/index.php?option=com_content&id=357 ) or it's for Openvpn access server product use only ?
THanks,
Symon Lim
thanks mate, your question has been answered :D
To delete a user: userdel username
thank you mod :D
edit:
anyway i forgot to mention, if you want to open new port, after create new configuration, run again the conf.
e.g. your conf name is 443.conf
#openvpn /etc/openvpn/443.conf &
#bg
Symon 03-04-2011, 06:20 AM Thanks Net & lxspcby :D
serveradmin4linux 03-05-2011, 03:39 AM thanks lxspcby :)
pepsimanplus 03-07-2011, 02:10 AM Thanks a lot for your effort i really see it so easy
But everything was Okay till get to the step
openvpn /etc/openvpn/1194.conf &
i got that ERROR!!:
[root@c252 keys]# openvpn /etc/openvpn/1194.conf &
[1] 17726
[root@c252 keys]# Mon Mar 7 09:11:12 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 2 2010
Mon Mar 7 09:11:12 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 7 09:11:12 2011 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Mar 7 09:11:12 2011 Diffie-Hellman initialized with 1024 bit key
Mon Mar 7 09:11:12 2011 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Mar 7 09:11:12 2011 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Mar 7 09:11:12 2011 Socket Buffers: R=[137216->131072] S=[137216->131072]
Mon Mar 7 09:11:12 2011 ROUTE: default_gateway=UNDEF
Mon Mar 7 09:11:12 2011 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Mon Mar 7 09:11:12 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Mar 7 09:11:12 2011 Cannot allocate TUN/TAP dev dynamically
Mon Mar 7 09:11:12 2011 Exiting
I think TUN/TAP is Allowed!!
[root@c252 keys]# cat /dev/net/tun
cat: /dev/net/tun: No such device
[root@c252 keys]# ls -al /dev/net/tun
crw------- 1 root root 10, 200 Mar 7 07:01 /dev/net/tun
lxspcby 03-07-2011, 05:46 AM did you read my post about allowed TUN/TAP?!!!!
Thanks for the tutorial lxspcby, it's time I got my hands dirty :)
I've followed all the instructions and have got it almost working. I had a problem with server time at first but my host corrected that, and now I can connect with openvpn.
The problem I get now though is the assigned IP address, is there somewhere to set it or change the default? I get an IP of 1.2.3.6 but I would've expected it to be my server IP. When I try to connect to www I just get '... not found...' for everything. When I disconnect it all goes back to normal and works OK.
I guess I must've boo boo'd somewhere. Any advice welcome.
pepsimanplus 03-07-2011, 09:38 AM Yes! the problem was with my VPS provider i think they didn't know how to allow it finally they did :)
now i get this Error!
[root@c252 ~]# openvpn /etc/openvpn/1194.conf &
[1] 11599
[root@c252 ~]# Mon Mar 7 16:32:38 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 2 2010
Mon Mar 7 16:32:38 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 7 16:32:38 2011 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Mar 7 16:32:38 2011 Diffie-Hellman initialized with 1024 bit key
Mon Mar 7 16:32:38 2011 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Mar 7 16:32:38 2011 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Mar 7 16:32:38 2011 Socket Buffers: R=[137216->131072] S=[137216->131072]
Mon Mar 7 16:32:38 2011 TCP/UDP: Socket bind failed on local address 204.93.197.23:53: Address already in use
Mon Mar 7 16:32:38 2011 Exiting
I tried to allow the port UDP 53
[root@c252 ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@c252 ~]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@c252 ~]# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
but nothing new :( the same Error!
lxspcby 03-07-2011, 10:01 AM Thanks for the tutorial lxspcby, it's time I got my hands dirty :)
I've followed all the instructions and have got it almost working. I had a problem with server time at first but my host corrected that, and now I can connect with openvpn.
The problem I get now though is the assigned IP address, is there somewhere to set it or change the default? I get an IP of 1.2.3.6 but I would've expected it to be my server IP. When I try to connect to www I just get '... not found...' for everything. When I disconnect it all goes back to normal and works OK.
I guess I must've boo boo'd somewhere. Any advice welcome.
umm... 1.2.3.6 is auto assigned ip for client, can't change it. anyway what port did you use? have you forward the ip and route iptables?
Yes! the problem was with my VPS provider i think they didn't know how to allow it finally they did :)
now i get this Error!
[root@c252 ~]# openvpn /etc/openvpn/1194.conf &
[1] 11599
[root@c252 ~]# Mon Mar 7 16:32:38 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 2 2010
Mon Mar 7 16:32:38 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 7 16:32:38 2011 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Mon Mar 7 16:32:38 2011 Diffie-Hellman initialized with 1024 bit key
Mon Mar 7 16:32:38 2011 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Mon Mar 7 16:32:38 2011 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Mar 7 16:32:38 2011 Socket Buffers: R=[137216->131072] S=[137216->131072]
Mon Mar 7 16:32:38 2011 TCP/UDP: Socket bind failed on local address 204.93.197.23:53: Address already in use
Mon Mar 7 16:32:38 2011 Exiting
I tried to allow the port UDP 53
[root@c252 ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@c252 ~]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@c252 ~]# /etc/init.d/iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
but nothing new :( the same Error!
I think your setting is not correct, mate. If you want to connect to port 53 then youropenvpnconfig.conf must be:
local 123.123.123.123 #- your_server_ip
port 53 #- port
proto udp #- udp or tcp protocol
after that run command
#openvpn /etc/openvpn/youropenvpnconfig.conf &
#bg
#iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
for client configuration (*.ovpn)
client
dev tun
proto udp #- protocol
remote 123.123.123.123 53 #- SERVER IP and OPENVPN Port
Just like that, all configuration is in your openvpn.conf, not in iptables. Also remember to stop the services which are using port 53 first.
umm... 1.2.3.6 is auto assigned ip for client, can't change it. anyway what port did you use? have you forward the ip and route iptables?
I'm not sure I understand the question, sorry, could you be more specific? I did this bit:
Make OPENVPN 1194.conf running in background
#bg
Enable ipv4 forward
#echo 1 > /proc/sys/net/ipv4/ip_forward
Route iptables
#iptables -t nat -A POSTROUTING -s (My own IP)/24 -j SNAT --to (server IP)
I used port #1194 as specified.
lxspcby 03-07-2011, 11:14 AM umm... 1.2.3.6 is auto assigned ip for client, can't change it. anyway what port did you use? have you forward the ip and route iptables?
I'm not sure I understand the question, sorry, could you be more specific? I did this bit:
I used port #1194 as specified.
what OS do you use? i mean your PC, is it XP or Seven? so far the problem i've ever experienced was just with my PC's OS. just like i said before if you're using Seven don't forget to install openvpn as administrator and set it to XP SP 3 compatibility.
but if that's not your current problem, you can pm me your vps login (root) and password with fresh installed CentOS, i'll try to install openvpn and after that you can see my command history.
what OS do you use? i mean your PC, is it XP or Seven? so far the problem i've ever experienced was just with my PC's OS. just like i said before if you're using Seven don't forget to install openvpn as administrator and set it to XP SP 3 compatibility.
but if that's not your current problem, you can pm me your vps login (root) and password with fresh installed CentOS, i'll try to install openvpn and after that you can see my command history.
I'm using Win XP SP3 on a single core Athlon 3200+, it's an old comp. I do have kloxo installed, I did that first as I want to run web proxies too, would that make a difference?
lxspcby 03-07-2011, 11:34 AM I'm using Win XP SP3 on a single core Athlon 3200+, it's an old comp. I do have kloxo installed, I did that first as I want to run web proxies too, would that make a difference?
it should be no problem, but i usually running openvpn with no other apps installed, and if i want to run another apps in the same box i'll install and run the openvpn first.
I guess I did it the wrong way round then. Will I have to re-install the iso for a fresh copy of centOS and start again? I've only been playing with kloxo so far I haven't got any real proxies on yet, only test sites. And will tun/tap have to be re-enabled? Will the re-install wipe it out? Do you still want a look?
More (dumb) questions: How do I uninstall openvpn from the server? And how to I switch it off/disable it and re-enable it (for security purposes)?
lxspcby 03-07-2011, 11:52 AM i usually reinstall the OS and start again from the beginning. tun/tap will forever be enabled no matter how many times you reinstall the OS.
If you want to uninstall openvpn you can run command
#yum remove openvpn
and to stop it
#service openvpn stop
also you can pm me your vps login if you want, but only with fresh OS.
If I re-install I'd have to re-do all the other changes I've made to the config too so I'll pass thanks. I can't find any PM options either, so maybe I'm not worthy yet or need more posts or something.
I might just uninstall and re-install open vpn, that might work, or I might just give up. I don't know yet if I'm keeping this vps, I only wanted to practice on it, I have another one with live sites and wanted to install openvpn to that but if I can't do it to this one first I won't bother.
Thanks for your help anyway, you're a star :D
lxspcby 03-07-2011, 12:09 PM haha... just keep your spirit, don't give up.
shinjikenny 03-07-2011, 01:40 PM If I re-install I'd have to re-do all the other changes I've made to the config too so I'll pass thanks. I can't find any PM options either, so maybe I'm not worthy yet or need more posts or something.
I might just uninstall and re-install open vpn, that might work, or I might just give up. I don't know yet if I'm keeping this vps, I only wanted to practice on it, I have another one with live sites and wanted to install openvpn to that but if I can't do it to this one first I won't bother.
Thanks for your help anyway, you're a star :D
you can donate your vps to me :stickout:
i need one for me to practice managing vps :blush: :stickout::stickout:
lol
you can donate your vps to me :stickout:
i need one for me to practice managing vps :blush: :stickout::stickout:
lol
I've not finished with it yet :stickout:
Curvehost have some great deals on atm (cheaper on DP) go get yourself one :D
shinjikenny 03-07-2011, 03:22 PM I've not finished with it yet :stickout:
Curvehost have some great deals on atm (cheaper on DP) go get yourself one :D
its ok.. i'm gonna get one as soon as i receive my debit card and verified my paypal account
flameproof 03-11-2011, 11:53 AM Hi,
great tutorial! 2 questions are left!
Is there a web interface too like https://156.156.200.10:1194 (imaginary IP here)?
Another question: can this be used on an iPhone?
In fact, I just want to have a VPN to my CENTOS server for my (not jailbroken) iPhone since I'm often in China and web access is blocked to many sites.
Just in case openVPN can not support iPhones - what software or method can?
The Prohacker 03-11-2011, 12:07 PM OpenVPN isn't natively supported on the iPhone (at least when I was still using my 3gs), I'm pretty sure it supports Cisco and PPTP style VPNs.
Edit: found this URL for you http://support.apple.com/kb/HT1288
If you want a web interface for OpenVPN configuration you can look at the modules for Webmin or the commercial solution from OpenVPN called OpenVPN-AS
lxspcby 03-11-2011, 03:19 PM yes you can use webmin for setting openvpn with user interface, but i think that's not necessary because it can still be managed with ssh.
shinjikenny 03-12-2011, 08:12 PM is it possible to use apache and openvpn, both listening at port 80???
lxspcby 03-13-2011, 12:53 PM is it possible to use apache and openvpn, both listening at port 80???
you have to shutdown apache first or change apache port if you wanna use port 80
binfo 03-13-2011, 12:55 PM in #nano /etc/openvpn/1194.conf I type ^O but it's not to save please help
lxspcby 03-13-2011, 01:10 PM it is ctrl + x ; y ; enter, mate :D
or if you use vi, ctrl + c ; :wq ; enter
eric6630 03-18-2011, 06:50 AM how to create multi access in openvpn??
let's say we bought 2 servers from different provider
how can we connect those 2 with 1 same user and password....
thanks we're new in creating vps
thank you in advance :stickout:
lxspcby 03-18-2011, 07:27 AM multi access means one vps for multi user, so just add user and set password.
but with 2 vpn connect together in same client pc, i don't really get it.
eric6630 03-18-2011, 08:03 AM we currently using vpn service w/ 20 servers
if we bought premium account we can access this 20 servers with same account... but if we speedtest it seems different vps hosting provider from server 1 -20..
we wanna know how could this happen?
lxspcby 03-18-2011, 08:18 AM ah, you mean you can easily switch from one to another vps rite (not simultaneously)? i think openvpn doesn't support autoswitch like that, if you wanna use more than one vps, you can create folder in openvpn config directory for each *.ovpn and *.crt (per vps), then you can choose which vps you want to connect.
eric6630 03-18-2011, 08:26 AM or how can we create a site which our client will register and all the info like user name at password will stored also in our vps database...
lxspcby 03-18-2011, 08:45 AM umm.. i think you need a or some php/asp script which can create user and set password (useradd and passwd), also store the data in database, i don't know how to implement bash to php code as i'm not php programmer :D
eric6630 03-18-2011, 08:47 AM thank you sir for quick reply
i hope somebody will help us for creating better service
thanks
aloycasmir 03-19-2011, 08:27 AM Hi , thanks for the guide , you helped fix a couple problems for me .
I'd like to know , is there a way to restrict the bandwidth speed and/or data usage for some or all users ?
Also , any scripts to automate the process of starting openvpn at startup ?
Best Regards,
Aloy
lxspcby 03-19-2011, 01:26 PM Hi , thanks for the guide , you helped fix a couple problems for me .
I'd like to know , is there a way to restrict the bandwidth speed and/or data usage for some or all users ?
Also , any scripts to automate the process of starting openvpn at startup ?
Best Regards,
Aloy
I think I haven't found any script like that, but it can be created if you understand php or asp. I would love to create the script but I'm not a php programmer :D
If you want openvpn to auto start after booting, add the following line to /etc/rc.d/rc.local
openvpn /etc/openvpn/yourconfiguration.conf &
eric6630 03-20-2011, 07:10 AM hello it's me again... where can i find authentication password and user name for bitvise?
thanks
eric6630 03-20-2011, 08:09 AM ok now i login but it says no such file or directory
after i put #cat/dev/net/tun
lxspcby 03-20-2011, 12:48 PM ok now i login but it says no such file or directory
after i put #cat/dev/net/tun
that means your tun/tap driver is not active yet, you need to ask your provider to activate it.
eric6630 03-20-2011, 12:54 PM so it means even we don't install CentOS
just ask our provider to activate it for us?
lxspcby 03-20-2011, 02:17 PM so it means even we don't install CentOS
just ask our provider to activate it for us?
yep that's rite.
localnoypi 03-20-2011, 11:35 PM hi there i got problem when installing vps
this is my error..
[root@vps ~]#cp =R/usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/
cp: cannot stat `=R/usr/share/doc/openvpn-2.1.4/easy-rsa/': No such file or directory
lxspcby 03-21-2011, 12:12 AM hi there i got problem when installing vps
this is my error..
check whether if "/usr/share/doc/openvpn-2.1.4/easy-rsa/" exist or not. also it is -R, not =R
localnoypi 03-21-2011, 01:21 AM This one Anyone can help me?..
[root@vps ~]#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
error: Failed dependencies:
liblzo2.so.2 is needed by (installed) openvpn-2.1.4-2.el5.rf.i386
[root@vps ~]#
MarlX 03-21-2011, 03:04 AM Hmm. Thnks for this. Hope this will work on me. ;)
lxspcby 03-21-2011, 03:24 AM This one Anyone can help me?..
have you rebuild the lzo?
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
Hmm. Thnks for this. Hope this will work on me. ;)
yes mate
localnoypi 03-21-2011, 04:08 AM yes.. i build lzo.. im just wondering i use XEN VPS is there any conflict because of configuration?
eric6630 03-21-2011, 06:40 AM Now i'm gonna create UDP port 1194 configuration for OPENVPN, use any text editor you like
#nano /etc/openvpn/1194.conf
i stock in here when i put
#nano /etc/openvpn/1194.conf
then may current browser changes
DylanP 03-21-2011, 09:08 AM Thanks for this, it worked fine for me!
lxspcby 03-21-2011, 01:23 PM yes.. i build lzo.. im just wondering i use XEN VPS is there any conflict because of configuration?
umm... i don't know, did you install it on fresh OS? last time i helped someone install openvpn on xen vps and it is running smoothly.
Now i'm gonna create UDP port 1194 configuration for OPENVPN, use any text editor you like
#nano /etc/openvpn/1194.conf
i stock in here when i put
#nano /etc/openvpn/1194.conf
then may current browser changes
hi there, can you please be more specific? i don't get you mate :confused:
Thanks for this, it worked fine for me!
you're welcome
eric6630 03-22-2011, 11:28 AM we ask our provider to activate our tun/tap
Mon Mar 21 12:36:37 2011 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Mon Mar 21 12:36:37 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Mar 21 12:36:37 2011 Cannot allocate TUN/TAP dev dynamically
Mon Mar 21 12:36:37 2011 Exiting
we do suggest you to set pygrub kernel and do OS reload to fix the issue.
our provider sent as this message...we're wondering about this
can anyone here has an idea?
pepsimanplus 03-23-2011, 02:08 PM Right Now my ISP is closing all the ports to connect to OpenVPN !!! :(
it is a way of proxy which they use when the credit is over i used to use the openvpn to pass that proxy without paying ;))
but now 53 UDP & 1194 UDP are closed :(
do you have an idea how to make a cheek for the open UDP ports to use ?!!
lxspcby 03-23-2011, 05:18 PM we ask our provider to activate our tun/tap
Mon Mar 21 12:36:37 2011 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Mon Mar 21 12:36:37 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Mon Mar 21 12:36:37 2011 Cannot allocate TUN/TAP dev dynamically
Mon Mar 21 12:36:37 2011 Exiting
we do suggest you to set pygrub kernel and do OS reload to fix the issue.
our provider sent as this message...we're wondering about this
can anyone here has an idea?
did you custom your kernel? if yes you need to do as your provider suggested.
Right Now my ISP is closing all the ports to connect to OpenVPN !!! :(
it is a way of proxy which they use when the credit is over i used to use the openvpn to pass that proxy without paying ;))
but now 53 UDP & 1194 UDP are closed :(
do you have an idea how to make a cheek for the open UDP ports to use ?!!
it's called port scanning mate, i think you shouldn't do that, illegal.
localnoypi 03-24-2011, 02:58 AM hi there thanks for replying to us eric and i were getting setup this vps but we encountered that problem the tun tap and ip tables is not enabled and quick web our vps provider reply
we do suggest you to set pygrub kernel and do OS reload to fix the issue.
we dont know how to setup the kernel
TS please help us.. thank you.. Paul
lxspcby 03-24-2011, 03:15 AM hi there thanks for replying to us eric and i were getting setup this vps but we encountered that problem the tun tap and ip tables is not enabled and quick web our vps provider reply
we do suggest you to set pygrub kernel and do OS reload to fix the issue.
we dont know how to setup the kernel
TS please help us.. thank you.. Paul
you were also suggested to reload OS to fix the issue, try to reload the OS and then check tun/tap driver before start installing openvpn, check if iptables has been installed or not, and ask your provider to activate nat iptables module
anyway what's the result when you're typing 'cat /dev/net/tun' ?
localnoypi 03-24-2011, 03:32 AM hi TS. this is the result when i type cat /dev/net/tun
cat: /dev/net/tun: No such device
lxspcby 03-24-2011, 07:03 AM hi TS. this is the result when i type cat /dev/net/tun
so i told clearly in the first post mate, please ask your provider to activate tun/tap driver first, see the result from that command in the first post if it's active.
BurstVPN 03-24-2011, 10:48 AM Does this remove the need of specific user certs? If not, could you add a section on how to do that?
lxspcby 03-24-2011, 05:28 PM Does this remove the need of specific user certs? If not, could you add a section on how to do that?
yep, it only need one ca.crt, one (or more) *.ovpn config (depends on your needs), and user/pass to authenticate each user.
BurstVPN 03-25-2011, 08:02 AM yep, it only need one ca.crt, one (or more) *.ovpn config (depends on your needs), and user/pass to authenticate each user.
Thanks for the clarification ;)
localnoypi 03-28-2011, 12:40 AM hi i change my xen vps CentOS to Debian and my tun tap now is enabled. my question is.. how can i install
# yum -y install gcc make zlib-devel pam-devel openssl-devel rpm-build autoconf.noarch nano openssl lzo2
i got error that -bash file not found..
i think i had wrong command and not supported rpm in Debian..
what do you think TS? please help me.. thank you..
lxspcby 03-28-2011, 01:17 AM hi i change my xen vps CentOS to Debian and my tun tap now is enabled. my question is.. how can i install
i got error that -bash file not found..
i think i had wrong command and not supported rpm in Debian..
what do you think TS? please help me.. thank you..
debian = apt-get
you can do googling those equivalent packages for debian.
aloycasmir 03-28-2011, 06:51 AM for Debian you may use this command:
apt-get install openvpn libssl-dev openssl .
Yum and Apt-get are able to automatically detect dependancies like lzo , etc. and install them without your having to specify them .
localnoypi 03-28-2011, 02:37 PM hi there TS>. i stuck on this when i completed nano conf..
Mon Feb 21 02:23:20 2011 UDPv4 link remote: [undef]
Mon Feb 21 02:23:20 2011 MULTI: multi_init called, r=256 v=256
Mon Feb 21 02:23:20 2011 IFCONFIG POOL: base=1.2.3.4 size=62
Mon Feb 21 02:23:20 2011 Initialization Sequence Completed
i dont know what to do next.. ;there is no [root@vps 2.0]# like this appear on my screen im just wondering how can i put next step code: #echo 1 > /proc/sys/net/ipv4/ip_forward?
lolxD sorry im noob in linux .. how can i proceed to next steps.?? thanks
lxspcby 03-28-2011, 05:37 PM hi there TS>. i stuck on this when i completed nano conf..
i dont know what to do next.. ;there is no like this appear on my screen im just wondering how can i put next step code: #echo 1 > /proc/sys/net/ipv4/ip_forward?
lolxD sorry im noob in linux .. how can i proceed to next steps.?? thanks
bg mate, you need to make it run in background
I think installed openvpn correctly, I can connect to it, but I'm not able to visit any websites or ping.
I can visit my VPS' cpanel though.
What am I missing?
I think installed openvpn correctly, I can connect to it, but I'm not able to visit any websites or ping.
I can visit my VPS' cpanel though.
What am I missing?
GOT IT WORKING!! yah, i messed up the iptables.
eric6630 03-29-2011, 12:02 PM cat: /dev/net/tun: Permission denied
can anyone recognize this message or why i got this message?
thanks :((
localnoypi 03-29-2011, 02:35 PM he ther anyone can help me..
i got error here
[root@vps ~]# rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
error: Failed dependencies:
liblzo2.so.2 is needed by (installed) openvpn-2.1.4-2.el5.rf.i386
addietama 03-29-2011, 06:12 PM just to install openvpn you actually don't need to install lzo, autoconf etc separately.
1. add rpmforge repository.
2. just yum install openvpn and it will install all it needs.
3. then create all the cert and config as you need.
correct me if i'm wrong..
Up2vps 03-29-2011, 06:19 PM Hi
try use those
wget http://www.up2vps.com/box/pptpd.sh
sh pptpd.sh
give me update :)
eric6630 03-30-2011, 12:47 AM but we got same error sir
rror: Failed dependencies:
liblzo2.so.2 is needed by (installed) openvpn-2.1.4-2.el5.rf.i386
eric6630 03-30-2011, 01:00 AM [root@vps 2.0]# chmod 755*
chmod: missing operand after `755*'
Try `chmod --help' for more information.
help
eric6630 03-30-2011, 01:48 AM Wed Mar 30 01:47:34 2011 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Mar 30 01:47:34 2011 Diffie-Hellman initialized with 1024 bit key
Wed Mar 30 01:47:34 2011 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Wed Mar 30 01:47:34 2011 TLS-Auth MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Mar 30 01:47:34 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Mar 30 01:47:34 2011 TCP/UDP: Socket bind failed on local address 64.120.175.119:80: Cannot assign requested address
Wed Mar 30 01:47:34 2011 Exiting
huhuhu help
addietama 03-30-2011, 04:07 AM Wed Mar 30 01:47:34 2011 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Mar 30 01:47:34 2011 Diffie-Hellman initialized with 1024 bit key
Wed Mar 30 01:47:34 2011 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Wed Mar 30 01:47:34 2011 TLS-Auth MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Mar 30 01:47:34 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Mar 30 01:47:34 2011 TCP/UDP: Socket bind failed on local address 64.120.175.119:80: Cannot assign requested address
Wed Mar 30 01:47:34 2011 Exiting
huhuhu help
Check if port 80 used or not
netstat -ln
PureVM 03-30-2011, 04:11 AM Nice share :good
Thank you
eric6630 03-30-2011, 04:38 AM is my ssh ip ad is my server ip or ns1, ns2,ns3,ns4 ip ad are the one i can use?
thanks
eric6630 03-30-2011, 04:45 AM [root@vps openvpn]# openvpn /etc/openvpn/server.conf
Wed Mar 30 04:45:03 2011 PLUGIN_INIT: could not load plugin shared object /usr/share/openvpn/lib/openvpn-auth-pam.so: /usr/share/openvpn/lib/openvpn-auth-pam.so: cannot open shared object file: No such file or directory: No such file or directory (errno=2)
Wed Mar 30 04:45:03 2011 Exiting
what was my error?
addietama 03-30-2011, 04:47 AM is my ssh ip ad is my server ip or ns1, ns2,ns3,ns4 ip ad are the one i can use?
thanks
every public ip (could be accessed from internet) on your server could be used. The problem is the port used by other application or not.
Check the port you want to use first..
netstat -ln << use this command
eric6630 03-30-2011, 04:53 AM [root@vps openvpn]# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 :::22 :::* LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
so im using port 22??
local (ssh ip ad) #- your_server_ip
port 22 #- port
like this format?
eric6630 03-30-2011, 05:11 AM when i delete
cipher BF-CBC
duplicate-cn
this error occur
[root@vps openvpn]# openvpn /etc/openvpn/server.conf
Wed Mar 30 05:10:17 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 10 2011
Wed Mar 30 05:10:17 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar 30 05:10:17 2011 Diffie-Hellman initialized with 1024 bit key
Wed Mar 30 05:10:17 2011 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Mar 30 05:10:17 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Mar 30 05:10:17 2011 TCP/UDP: Socket bind failed on local address [undef]:80: Address already in use
Wed Mar 30 05:10:17 2011 Exiting
eric6630 03-30-2011, 05:36 AM RTNETLINK answers: File exists
Wed Mar 30 05:35:33 2011 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Mar 30 05:35:33 2011 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 30 05:35:33 2011 Listening for incoming TCP connection on [undef]:1194
Wed Mar 30 05:35:33 2011 TCPv4_SERVER link local (bound): [undef]:1194
Wed Mar 30 05:35:33 2011 TCPv4_SERVER link remote: [undef]
Wed Mar 30 05:35:33 2011 MULTI: multi_init called, r=256 v=256
Wed Mar 30 05:35:33 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Mar 30 05:35:33 2011 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Mar 30 05:35:33 2011 Initialization Sequence Completed
Wed Mar 30 05:36:07 2011 TCP/UDP: Closing socket
Wed Mar 30 05:36:07 2011 Closing TUN/TAP interface
Wed Mar 30 05:36:07 2011 /sbin/ip addr del dev tun1 local 10.8.0.1 peer 10.8.0.2
Wed Mar 30 05:36:07 2011 PLUGIN_CLOSE: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Mar 30 05:36:07 2011 SIGINT[hard,] received, process exiting
now i got this error
lxspcby 03-30-2011, 06:40 AM Hi
try use those
wget http://www.up2vps.com/box/pptpd.sh
sh pptpd.sh
give me update :)
is it openvpn or pptp vpn ?
@eric6630
you know, i'm confused about your questions (all of it), but i think you missed something from the beginning of installation, so try to read the tutorial step by step carefully
eric6630 03-30-2011, 06:42 AM [root@vps ~]# openvpn /etc/openvpn/server.conf &
[1] 17920
[root@vps ~]# Wed Mar 30 05:55:15 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 10 2011
Wed Mar 30 05:55:15 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Mar 30 05:55:15 2011 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Mar 30 05:55:15 2011 Diffie-Hellman initialized with 1024 bit key
Wed Mar 30 05:55:15 2011 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Wed Mar 30 05:55:15 2011 TLS-Auth MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Wed Mar 30 05:55:15 2011 Socket Buffers: R=[87380->131072] S=[16384->131072]
Wed Mar 30 05:55:15 2011 ROUTE default_gateway=208.43.151.49
Wed Mar 30 05:55:15 2011 TUN/TAP device tun1 opened
Wed Mar 30 05:55:15 2011 TUN/TAP TX queue length set to 100
Wed Mar 30 05:55:15 2011 /sbin/ip link set dev tun1 up mtu 1500
Wed Mar 30 05:55:15 2011 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Wed Mar 30 05:55:15 2011 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
RTNETLINK answers: File exists
Wed Mar 30 05:55:15 2011 ERROR: Linux route add command failed: external program exited with error status: 2
Wed Mar 30 05:55:15 2011 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Mar 30 05:55:15 2011 Listening for incoming TCP connection on [undef]:1194
Wed Mar 30 05:55:15 2011 TCPv4_SERVER link local (bound): [undef]:1194
Wed Mar 30 05:55:15 2011 TCPv4_SERVER link remote: [undef]
Wed Mar 30 05:55:15 2011 MULTI: multi_init called, r=256 v=256
Wed Mar 30 05:55:15 2011 IFCONFIG POOL: base=10.8.0.4 size=62
Wed Mar 30 05:55:15 2011 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Mar 30 05:55:15 2011 Initialization Sequence Completed
After you finished installing OPENVPN, move ca.crt (file that you previously downloaded from /etc/openvpn/easy-rsa/2.0/keys/) to OPENVPN config folder in your program files (\Program Files\OpenVPN\config\)
Download ca.crt file in /etc/openvpn/easy-rsa/2.0/keys/ directory, you can use sftp client
how can i do that using putty?
i can't use bitvise it seems its not compatible with my vps
lxspcby 03-30-2011, 06:47 AM how can i do that using putty?
i can't use bitvise it seems its not compatible with my vps
are you sure about that? as far as i know bitvise tunnelier has the same function as putty, plus it includes sftp.
eric6630 03-30-2011, 06:57 AM wait sir let me upload it the screen shot
sendspace.com/file/xlgink
can i add you on my ym list?
eric6630 03-30-2011, 07:11 AM here is the screen shot
eric6630 03-30-2011, 07:25 AM why i got this error i guess this is the root of my problem
[root@vps]#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
error: failed dependencies:
i just do skip this step maybe this was my problem
d_virus 03-30-2011, 08:23 AM nice share !! hello sir mr thread starter,, can i ask something,, i got 4 vps i use them as vpn servers,, i only use 1 certs to all of them and it worked fine,,my problem is i got 4 kloxo panels,,i need to switch to each panel to create user for each server,, can anyone help me to configure example: server1 = panel1 server2 =panel2 server3= panel3 server4 = panel4
i want even panel1 creates the user and pass it can still access all servers,, and even panel 4 creates user and pass it can still connect to other 3 servers...can anyone help me how it works?
Up2vps 03-30-2011, 09:55 AM but we got same error sir
rror: Failed dependencies:
liblzo2.so.2 is needed by (installed) openvpn-2.1.4-2.el5.rf.i386
are you use 32bit? try use 64bit
Up2vps 03-30-2011, 09:58 AM is it openvpn or pptp vpn ?
@eric6630
you know, i'm confused about your questions (all of it), but i think you missed something from the beginning of installation, so try to read the tutorial step by step carefully
sorry it's pptp
eric6630 03-30-2011, 10:40 AM are you use 32bit? try use 64bit
ok i will reinstall my OS to centOS 64bit
thanks for info sir
BurstVPN 03-30-2011, 01:57 PM We got any OpenVPN gurus here that can create control panels for adding and deleting of users?
localnoypi 03-31-2011, 07:46 AM how can i do if my port 1194 is bind.. this is my error.. thanks
Erwin Sanders 03-31-2011, 10:41 PM how can i do if my port 1194 is bind.. this is my error.. thanks
Hi there.. im here new too ^^
like i know ok, for the OpenVPN you can create the anyport that you want...
so its not depend on the 1194 PORT....
you can use another port if you think that port is used in BIND
eric6630 04-01-2011, 06:20 AM #iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
*1.2.3.0 is allocated ip <<<< what ip ad should we use here?????
*123.123.123.123 is your server ip
1.2.3.0/24 <<<< and what is this 24 for? our port?
thanks
Erwin Sanders 04-01-2011, 07:21 AM #iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
*1.2.3.0 is allocated ip <<<< what ip ad should we use here?????
*123.123.123.123 is your server ip
1.2.3.0/24 <<<< and what is this 24 for? our port?
thanks
yes 1.2.3.0 is allocated ip.. for "/ 24 " its used for to create the USER ip.. when it connect to the server...
eric6630 04-01-2011, 07:31 AM yes 1.2.3.0 is allocated ip.. for "/ 24 " its used for to create the USER ip.. when it connect to the server...
so we don't actually need put anything just 1.2.3.0 am i right?
we just need put our ssh ad on SNAT --to >>>>123.123.123.123<<<?
is that what you mean?
Erwin Sanders 04-01-2011, 07:33 AM #iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
*1.2.3.0 is allocated ip <<<< what ip ad should we use here?????
*123.123.123.123 is your server ip
1.2.3.0/24 <<<< and what is this 24 for? our port?
thanks
so the implementation like this
iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to YOUR-VPS-IP
just open your VPS firewall and pointing it to your VPS IP
eric6630 04-01-2011, 07:39 AM can you check our server?
we will give you our ssh and root pass...
BurstVPN 04-01-2011, 10:58 AM Would be cool if there was a guide for linking OpenVPN to RADIUS.
Would be cool if there was a guide for linking OpenVPN to RADIUS.
Could have a look at something like - http://www.roessner-network-solutions.com/beliebte-seiten-und-artikel/openvpn-radius-mysqlldap-howto/
BurstVPN 04-01-2011, 11:15 AM Could have a look at something like - http://www.roessner-network-solutions.com/beliebte-seiten-und-artikel/openvpn-radius-mysqlldap-howto/
Any idea how that can be used for CentOS5?
eric6630 04-01-2011, 09:46 PM we now connected to our server but the speed is too slow sometimes it hard to browse always failed
help us how to debug this issues
thanks
hosting-ca 04-01-2011, 10:36 PM Thanks, very thanks
Great tutorial
Erwin Sanders 04-02-2011, 07:02 AM we now connected to our server but the speed is too slow sometimes it hard to browse always failed
help us how to debug this issues
thanks
hi eric
i hope i can help you....
for windows7 you should run the OPENVPN as administrators...
if you have run as administrators
sometime with my experience for my clients, it can connect but cannot browse.. its say the DNS issues..
you can download for a software name .. DNS jumper...
try that.. i hope it can make it work
eric6630 04-02-2011, 07:09 AM where can we download dns jumper?
i will use wget function?
addietama 04-02-2011, 07:35 AM if it's browsing issue on windows 7
add this to your client config :
route-method exe
route-delay 2
eric6630 04-02-2011, 07:47 AM thanks what if we dont create client config?
what was the diff. between no client and w/ config?
eric6630 04-02-2011, 08:15 AM i mean client certificate?
addietama 04-02-2011, 08:35 AM your .ovpn file in your computer that's the client's config..
eric6630 04-02-2011, 10:24 PM how to unbind port?
tcp/udp: socket bind failed on local address ******:80 already in use
i wanna use port 80
please help
i use netstat -ln
tcp 0 0 :::80 :::* listening
en
tcp 0 0 :::20 :::* listening
en
help please help
thanks
addietama 04-03-2011, 12:43 AM check what application using that port
netstat -ntulp
then stop that application
eric6630 04-03-2011, 03:06 AM tcp 0 0 137.0.0.2:25 0.0.0.0:* listening
EN 13243/sendmail: acc
tcp 0 0 :::80 :::* listening
EN 231425/httpd
tcp 0 0 :::222 :::* listening
EN 212240/sshd
[root@vps]#
how will i know what apps are using port 80? and what command for make it stop?
thanks
addietama 04-03-2011, 05:05 AM tcp 0 0 :::80 :::* listening
EN 231425/httpd
service httpd stop
eric6630 04-03-2011, 05:09 AM iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
how can i delete this line?
i forgot to change 123.123.123.123 that address im connected now but
i cant browse, the ip that connected are 1.2.3.6 and openvpn are green
but the ip that connected are 1.2.3.6
please help me
thanks
eric6630 04-03-2011, 05:15 AM or how can i delete iptables?
nikra 04-03-2011, 05:48 AM or how can i delete iptables?
iptables -t nat -L
iptables -t nat -X
iptables -t nat -F
iptables -t nat -L
eric6630 04-03-2011, 06:25 AM iptables -t nat -X POSTROUTING -s 10.8.0.0/24 -j SNAT --to 123.123.123.123
illegal option "-s' with this command sir
please help me
addietama 04-03-2011, 06:53 AM iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
what are your openvpn client's IP actually? 1.2.3.0/24 or 10.8.0.0/24?
eric6630 04-03-2011, 06:58 AM iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 123.123.123.123
i config it this way i forgot to change 123.123.123.123 to my server ip then
i dont mind it then enter same command but this time i change it with my server ip
then im connected but on openvpn icon i was connected with 1.2.3.6
please help me how i can resolve this issues
thanks
addietama 04-03-2011, 07:00 AM post here your server config
eric6630 04-03-2011, 07:04 AM wow thank you sir wait i guess i got idea
thank you very much sir
eric6630 04-03-2011, 07:46 AM nice i figured it out sir thanks
what was the difference between 1 line
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 123.123.123.123
or with multiple line like
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.1/24 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.2/24 -j SNAT --to 123.123.123.123
iptables -t nat -A POSTROUTING -s 10.8.0.3/24 -j SNAT --to 123.123.123.123
and so on.....
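Added example (not from any poster in this thread): in the nat table the first matching rule wins, so a stale SNAT rule pointing at the 123.123.123.123 placeholder shadows a correct rule appended after it, and iptables masks `-s 10.8.0.1/24` down to 10.8.0.0/24, so the extra lines only add duplicates. The script reads `iptables-save -t nat` output and prints delete commands for stale and duplicate SNAT rules instead of flushing the whole table; the sample rules, the function names and 203.0.113.10 as the server IP are constructed for illustration.

```shell
#!/bin/sh
# Dry run only: prints the iptables commands, does not execute them.

# Constructed sample of `iptables-save -t nat` output: the placeholder rule
# was appended first, then the corrected rule twice, plus an unrelated rule.
sample_nat_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# stale_snat_deletes NET GOOD_IP
#   NET     = VPN subnet exactly as iptables-save prints it
#   GOOD_IP = the address SNAT should rewrite to (the server's public IP)
# Reads saved nat rules on stdin and prints one "-D" command per SNAT rule
# for NET that either points at another address or repeats the good rule.
stale_snat_deletes() {
    awk -v net="$1" -v good="$2" '
    $1 == "-A" && $2 == "POSTROUTING" {
        src = ""; tgt = ""; to = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-s") src = $(i + 1)
            else if ($i == "-j") tgt = $(i + 1)
            else if ($i == "--to-source") to = $(i + 1)
        }
        # Leave other subnets and non-SNAT targets alone.
        if (tgt != "SNAT" || src != net) next
        # Wrong target address, or a second copy of the correct rule.
        if (to != good || kept++) {
            sub(/^-A/, "-D")
            print "iptables -t nat " $0
        }
    }'
}

sample_nat_rules | stale_snat_deletes 10.8.0.0/24 203.0.113.10
```

Each printed `-D` command removes one matching rule, so the first correct rule stays in place and unrelated NAT rules are untouched.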
freecbc3 04-03-2011, 08:54 AM sir when i try
openvpn /etc/openvpn/1194.conf &
i do get
[root@205382 ~]# Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/1194.conf:13: /etc/pam.d/login (2.1.4)
Use --help for more information.
[1]+ Exit 1 openvpn /etc/openvpn/1194.conf
[root@205382 ~]#
so i have a problem with my 1194.conf
and here the file
local HERE MY IP #- your_server_ip
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
/etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 66.96.208.21"
push "dhcp-option DNS 64.191.100.61"
push "dhcp-option DNS 64.191.100.53"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
i add my ip but i see that my vps has 3 dns so i add them
can u tell me what wrong and how to fix that ??
addietama 04-03-2011, 10:13 AM plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
/etc/pam.d/login
it should be in one line
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
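Added example (not the tutorial's or any poster's code): a small lint for the server config that reports the split `plugin` line behind the `Options error` above, plus the `client-cert-not-required` setting that OpenVPN itself warns about in the logs and the 1024-bit DH file. The sample config is constructed by trimming the one posted above; the function names and finding codes are chosen here.

```shell
#!/bin/sh
# Lint an OpenVPN server config read from stdin.

# Constructed sample: a trimmed copy of the posted config, keeping the
# plugin directive split across two lines.
sample_conf() {
cat <<'EOF'
port 1194 #- port
proto udp #- protocol
dev tun
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
/etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
EOF
}

# lint_openvpn_conf: prints one "LINE:CODE:message" finding per problem.
lint_openvpn_conf() {
    awk '
    {
        # Strip comments. Approximation: OpenVPN also honours quoting,
        # which this lint ignores.
        sub(/[ \t]*[#;].*$/, "")
        if (NF == 0) next
    }
    # A bare path cannot be a directive: it is an argument that wrapped
    # onto its own line.
    substr($1, 1, 1) == "/" {
        printf "%d:SPLIT:%s is an argument on its own line; join it to line %d\n", NR, $1, prev
    }
    $1 == "plugin" && $2 ~ /openvpn-auth-pam\.so$/ && NF < 3 {
        printf "%d:PAMARG:auth-pam plugin line has no PAM service argument\n", NR
    }
    $1 == "client-cert-not-required" {
        printf "%d:NOCERT:clients are accepted without a certificate (password only)\n", NR
    }
    $1 == "dh" && $2 ~ /dh1024\.pem$/ {
        printf "%d:DH1024:1024-bit DH parameters; generate a larger group\n", NR
    }
    { prev = NR }
    '
}

sample_conf | lint_openvpn_conf
```

Run it against a real file with `lint_openvpn_conf < /etc/openvpn/1194.conf`; an empty result means none of these four checks fired.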
eric6630 04-03-2011, 11:30 PM hi
why we keep disconnecting after i and my 5 friends are using our server.. if im the only 1 using, it is very stable but when someone join the connection fails..
please help
eric6630 04-03-2011, 11:40 PM were using xen vps
please how to fix that issue?
thanks
clixby 04-04-2011, 11:09 AM Thanks for your tutorial. Unfortunately, I can't seem to get it working. I have a KVM VPS with CentOS 5.5. I've tried it with 32 bit and 64 bit with the same results.
Everything goes fine until I try to connect my client, and it waits for a while at "UDPv4 link remote: [serverip]:53" and then gives me the following error:
"TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed"
I'm not sure if this is a serverside problem or clientside. I'm a complete noob, so I'm not sure where to start.
The following are things I wasn't sure if I filled in correctly:
In #./build-ca, I typed "vps" for common name, which is what my VPS hostname is.
I'm not sure if I should change the DNS info in the config file.
In the "iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123" part, I left the 1.2.3.0 as it was because I'm not sure what that is, and I put in the same server IP address that I ssh into for the 123.123.123.123. I also tried this with 10.8.0.0 for the first IP with no luck.
I tried to check that my clientside ports were open, but each tool I used to do that had a connection error, timed out, or just hangs indefinitely. I'm not sure if there's some craziness going on in my router firewall or if I'm just too noobish to understand how to do it. I think I successfully forwarded the port I was using in one of my attempts and it didn't make a difference. I'm hoping to use this VPN in a variety of situations, so I'm hoping to use a port that doesn't commonly need to be forwarded, anyway.
Thanks in advance to any help anyone can provide.
Host90 04-04-2011, 04:28 PM Thanks for your tutorial. Unfortunately, I can't seem to get it working. I have a KVM VPS with CentOS 5.5. I've tried it with 32 bit and 64 bit with the same results.
Everything goes fine until I try to connect my client, and it waits for a while at "UDPv4 link remote: [serverip]:53" and then gives me the following error:
"TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed"
I'm not sure if this is a serverside problem or clientside. I'm a complete noob, so I'm not sure where to start.
The following are things I wasn't sure if I filled in correctly:
In #./build-ca, I typed "vps" for common name, which is what my VPS hostname is.
I'm not sure if I should change the DNS info in the config file.
In the "iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123" part, I left the 1.2.3.0 as it was because I'm not sure what that is, and I put in the same server IP address that I ssh into for the 123.123.123.123. I also tried this with 10.8.0.0 for the first IP with no luck.
I tried to check that my clientside ports were open, but each tool I used to do that had a connection error, timed out, or just hangs indefinitely. I'm not sure if there's some craziness going on in my router firewall or if I'm just too noobish to understand how to do it. I think I successfully forwarded the port I was using in one of my attempts and it didn't make a difference. I'm hoping to use this VPN in a variety of situations, so I'm hoping to use a port that doesn't commonly need to be forwarded, anyway.
Thanks in advance to any help anyone can provide.
did you check if openVPN is running? do you have iptables installed and working properly? What about TUN/TAP? 90% of problems come from iptables
eric6630 04-05-2011, 01:15 PM yes 1.2.3.0 is allocated ip.. for "/ 24 " its used for to create the USER ip.. when it connect to the server...
so does it mean 24 user's can connect to our server and for 25 user cannot login??????
addietama 04-05-2011, 01:54 PM so does it mean 24 user's can connect to our server and for 25 user cannot login??????
/24 means it has a 24-bit subnet mask.. 255.255.255.0, number of hosts with this setting would be 254.
lxspcby 04-05-2011, 03:51 PM Nice br0! Thanks.
nice what?
eric6630 04-05-2011, 11:45 PM push "dhcp-option DNS 208.67.222.222" <<< is this primary DNS? can i change this?
push "dhcp-option DNS 4.2.2.1" <<<is this the secondary DNS? can i change this also?
our provider provide us DNS depend on where our vps location is
where can i put that?
thanks
lxspcby 04-06-2011, 01:33 AM push "dhcp-option DNS 208.67.222.222" <<< is this primary DNS? can i change this?
push "dhcp-option DNS 4.2.2.1" <<<is this the secondary DNS? can i change this also?
our provider provide us DNS depend on where our vps location is
where can i put that?
thanks
of course you can change that.
eric6630 04-06-2011, 02:39 AM sir how can we set our client or prevent peer to peer connection
in our vps?
we don't want our customer use a certain server for torrent
is there any command for that?
thanks more power
3rsaku 04-06-2011, 03:26 PM Thank you for the tutorial.
When I try to start my openvpn, it failed.
Error log from messages,
Apr 6 14:41:55 localhost openvpn[13708]: OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 10 2011
Apr 6 14:41:55 localhost openvpn[13708]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 6 14:41:55 localhost openvpn[13708]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Apr 6 14:41:55 localhost openvpn[13708]: Exiting
Could you help me fix this? thank you.
eric6630 04-07-2011, 12:42 PM mr. ts can you give us tutorial about ICMP?
im planning to use ICMP connection using tcp
i search from google and there's no clear way how to do this
please....
and sorry about this coz i cant create new thread, it seems i dont have enough privilege to do that.. thanks
eric6630 04-08-2011, 07:57 AM how can i access my 2nd config
my first conf was proto tcp
and my 2nd conf was udp..
my problem is how can i access my udp.conf
im trying to connect by ttl failed
on tcp my first setup it was running smoothly
thanks
3rsaku 04-08-2011, 11:36 AM I followed your guide..worked well to connect using tunnelblick. However, there is no internet connection when I connect with VPN? could you help me on this? thank you.
Erwin Sanders 04-09-2011, 10:20 AM I followed your guide..worked well to connect using tunnelblick. However, there is no internet connection when I connect with VPN? could you help me on this? thank you.
hei.. actually its seen your issue for your OPENVPN problems
have you forward the IPTABLES ?
please do this step
echo 1 > /proc/sys/net/ipv4/ip_forward
and then
make sure you have configure your iptables
for xen
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
for OPENVZ
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to your.ip.addres.com
GamingX 04-09-2011, 11:51 PM Hi,
I am trying to set this up on my VPS, but I'm not sure if I'm doing it right because I get this error
[root@gamingx 2.0]# openvpn /etc/openvpn/1194.conf &
[1] 9571
Sun Apr 10 07:48:17 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 10 2011
Sun Apr 10 07:48:17 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Apr 10 07:48:17 2011 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Sun Apr 10 07:48:17 2011 Diffie-Hellman initialized with 1024 bit key
Sun Apr 10 07:48:17 2011 Cannot load certificate file /etc/openvpn/easy-rsa/2.0/keys/server.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Sun Apr 10 07:48:17 2011 Exiting
GamingX 04-09-2011, 11:54 PM Never mind, I got it working. I had changed the server name so I kept getting that error. Nice tutorial btw.
GamingX 04-10-2011, 12:31 AM Sorry for the successive posts. I managed to setup the VPN as you've outlined in the steps, apart from the small glitches everything went smoothly. But I still can't verify if the VPN is working. I checked the browser for the IP address and it is still showing up my own IP address rather than the server IP address. I am managing to connect to the VPN, but I get this errors in the OpenVPN window:
Sun Apr 10 09:55:15 2011 ERROR: Windows route add command failed [adaptive]: returned error code 1
Sun Apr 10 09:55:15 2011 C:\WINDOWS\system32\route.exe ADD 1.2.3.1 MASK 255.255.255.255 1.2.3.5
Sun Apr 10 09:55:15 2011 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=26]
Sun Apr 10 09:55:15 2011 Route addition via IPAPI failed [adaptive]
Sun Apr 10 09:55:15 2011 Route addition fallback to route.exe
The requested operation requires elevation.
3rsaku 04-10-2011, 07:33 AM hei.. actually its seen your issue for your OPENVPN problems
have you forward the IPTABLES ?
please do this step
echo 1 > /proc/sys/net/ipv4/ip_forward
and then
make sure you have configure your iptables
for xen
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
for OPENVZ
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to your.ip.addres.com
Thank you Erwin. I did execute those steps in the command prompt.
I also added them in /etc/init.d/openvpn...
It connects and no internet as usual. Could you help me to fix this? thank you!
3rsaku 04-11-2011, 09:17 AM Also when I tried ipconfig getifaddr en0 in the mac terminal, it still shows my home ip after successful connection to VPN. :(
gmarvnet-hosting 04-11-2011, 10:15 PM I would like to point out that this tutorial is great and makes it easy for anyone wanting to setup Openvpn on a Cent OS VPS or dedicated server quickly and easily.
eric6630 04-13-2011, 07:22 AM how can i create 2 .ovpn using same ip?
the 1st .ovpn is tcp and the other one udp?
thanks
lxspcby 04-13-2011, 10:21 AM how can i create 2 .ovpn using same ip?
the 1st .ovpn is tcp and the other one udp?
thanks
yes you can, the tutorial is on post #1
eric6630 04-13-2011, 10:31 AM local 123.123.123.123 #- your_server_ip
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 1.2.3.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
sir i will gonna create new config and add
port: your preferred port
protocol: tcp or udp
client's ip: 1.2.4.0 or 1.2.5.0 ; 1.2.6.0 ; and so on
sir where should i put this client ip???
lxspcby 04-13-2011, 01:29 PM server section
server 1.2.4.0 255.255.255.0
eric6630 04-15-2011, 07:05 AM client
dev tun
remote ????.????.????.????
proto tcp
port 80
resolv-retry infinite
script-security 2
lport 80
bind
persist-key
persist-tun
ca ca.crt
comp-lzo
cipher none
auth SHA1
keysize 256
comp-lzo
verb 3
dhcp-option DNS 156.154.71.1
dhcp-option DNS 216.146.36.36
dhcp-option DNS 8.8.8.8
dhcp-option DNS 8.8.4.4
mute 5
tun-mtu 1500
mssfix 1450
auth-user-pass password.txt
reneg-sec 0
keepalive 10 120
push "route 255.255.255.255 net_gateway"
route-method exe
route-delay 2
reneg-sec 0
script-security 2 system
win-sys env
sir i saw this client config
i tried to use this client config but always reconnecting, do i need to change my server config?
how????
thanks
eric6630 04-15-2011, 07:16 AM local ???.???.???.???
port 80
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3
this is my server config..
how can i change this to be match with the one i saw? thanks
lxspcby 04-15-2011, 07:27 AM those are more complex setting, you can read it at openvpn.net manual
BurstVPN 04-17-2011, 12:20 AM Where is the log file located for the OpenVPN server?
eric6630 04-17-2011, 12:40 AM C:\Program Files\OpenVPN\log
is this what you looking for?
lxspcby 04-17-2011, 02:24 AM Where is the log file located for the OpenVPN server?
/etc/openvpn/yourlogname.log
Erwin Sanders 04-17-2011, 02:46 AM if you say
/etc/openvpn/yourlogname.log
i think that only log for the userlogin only...
is there anyone know
how to log the user destination url ?
what is the user doing ?
because some user may doing a fraud or do like upload a copyright material..
with openvpn i get hard to trace for that problem
NextDoorWebHosting 04-17-2011, 02:02 PM Thanks for posting this! i'm going to need it very soon
shinjikenny 04-18-2011, 04:04 PM where does the client's username and password get stored??
DylanP 04-19-2011, 08:52 AM Can I do useradd username yourotherbinstuffhere
and then passwd username, set the password
whilst openvpn is running in the background, then connect w/ that user info?
lxspcby 04-19-2011, 01:38 PM Can I do useradd username yourotherbinstuffhere
and then passwd username, set the password
whilst openvpn is running in the background, then connect w/ that user info?
yes you can do that.
eric6630 04-20-2011, 04:02 AM client log
Wed Apr 20 10:31:34 2011 Expected Remote Options hash (VER=V4): '77cf0943'
Wed Apr 20 10:31:34 2011 Attempting to establish TCP connection with ***.***.***.***:80
Wed Apr 20 10:31:38 2011 TCP: connect to ***.***.***.***80 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED)
Wed Apr 20 10:31:43 2011 SIGTERM[hard,init_instance] received, process exiting
Does anyone have an idea how to solve this issue?
thanks
eric6630 04-20-2011, 06:31 AM client log
Does anyone have an idea how to solve this issue?
thanks
done thanks
eric6630 04-21-2011, 08:29 AM how can we connect multiple ip using same port?
thanks
FN-Mark 04-21-2011, 06:06 PM Nice tutorial..
speedycuban 04-22-2011, 01:27 PM When I run the command
iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123 with the 123.123.123.123 replaced with my server's IP, I get the output
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Is anyone able to help me with what I need to do to fix this? Google has produced no results for me.
lxspcby 04-22-2011, 09:45 PM Nice tutorial..
thanks.
When I run the command
iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123 with the 123.123.123.123 replaced with my server's IP, I get the output
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Is anyone able to help me with what I need to do to fix this? Google has produced no results for me.
i guess that's because you have no nat iptables module, ask your provider to enable it.
OscarS 04-24-2011, 10:56 PM someone can help me?
win client log:
Sun Apr 24 21:54:26 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 8 2010
Sun Apr 24 21:54:32 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Apr 24 21:54:32 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sun Apr 24 21:54:33 2011 LZO compression initialized
Sun Apr 24 21:54:33 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Apr 24 21:54:33 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Apr 24 21:54:33 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Apr 24 21:54:33 2011 Local Options hash (VER=V4): 'd3a7571a'
Sun Apr 24 21:54:33 2011 Expected Remote Options hash (VER=V4): '5b1533a2'
Sun Apr 24 21:54:33 2011 UDPv4 link local: [undef]
Sun Apr 24 21:54:33 2011 UDPv4 link remote: 123.123.123.123:1194
Sun Apr 24 21:55:33 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Apr 24 21:55:33 2011 TLS Error: TLS handshake failed
Sun Apr 24 21:55:33 2011 TCP/UDP: Closing socket
Sun Apr 24 21:55:33 2011 SIGUSR1[soft,tls-error] received, process restarting
Note: I think it's because I didn't change the xxx IP "123.123.123.123". I'm going to edit that...
eric6630 04-24-2011, 11:24 PM Sir, what I do with that error is reboot my server; then you can edit 1194.conf again and try to run it again. Make sure you change 123.123.123.123 to your IP.
OscarS 04-24-2011, 11:56 PM Sir, what I do with that error is reboot my server; then you can edit 1194.conf again and try to run it again. Make sure you change 123.123.123.123 to your IP.
It's working now, I just changed everything (re-installed everything lol). Now I want to know if this works for multiple clients, or just for a single one at the same time?
eric6630 04-25-2011, 02:35 AM yup it is working on multi clients
OscarS 04-27-2011, 01:32 AM OK, I have 2 more questions...
1. How do I start openvpn with my conf at boot?
2. Even if I start openvpn with my conf manually, I need to do the iptables step again. How do I save this?
OscarS 04-29-2011, 03:51 AM OK, I have 2 more questions...
1. How do I start openvpn with my conf at boot?
2. Even if I start openvpn with my conf manually, I need to do the iptables step again. How do I save this?
I don't know why I can't edit my post... so... forget my last post, I found how to put everything at boot without scripts :)
:::MaSTer ::: 04-29-2011, 06:38 AM can i install it on windows server ?
PureVM 04-29-2011, 06:40 AM I believe it will be easier when you install it on a Windows server via RDP.
Not sure if it's true or not, haven't tried it. ;)
Erwin Sanders 05-07-2011, 11:46 AM Hi, does anyone know how to limit bandwidth..
I mean so I can limit my client's bandwidth, for example 10mb/month..
I have installed Kloxo on my VPS, but how do I integrate it with OpenVPN?
2. Does anyone know how to back up users?
Because I want to migrate my clients from my first server to the second server
Thanks
OscarS 05-07-2011, 11:54 AM Hi, does anyone know how to limit bandwidth..
I mean so I can limit my client's bandwidth, for example 10mb/month..
I have installed Kloxo on my VPS, but how do I integrate it with OpenVPN?
2. Does anyone know how to back up users?
Because I want to migrate my clients from my first server to the second server
Thanks
I'm asking myself that too...
Edit: I was looking for something like "50gb per month for this user @ 10Mbps unmetered, or 100gb p/m for this user @ 100Mbps unmetered"
elvis1 05-07-2011, 02:39 PM could someone please explain about MTU ?
appreciate
eric6630 05-10-2011, 10:52 AM Hello
UDP or TCP can't bind the port, and even when I tried to restart openvpn this error occurs
[root@tigervpn ~]# service openvpn start
Starting openvpn: [FAILED]
[root@tigervpn ~]#
[root@tigervpn ~]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [FAILED]
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 25977/xinetd
tcp 0 0 174.37.12.34:53 0.0.0.0:* LISTEN 25931/named
tcp 0 0 75.126.49.45:53 0.0.0.0:* LISTEN 25931/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25931/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 25966/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 25977/xinetd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 25931/named
tcp 0 0 127.0.0.1:7776 0.0.0.0:* LISTEN 30343/php
tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN 26113/kloxo.httpd
tcp 0 0 0.0.0.0:7778 0.0.0.0:* LISTEN 26113/kloxo.httpd
tcp 0 0 0.0.0.0:7779 0.0.0.0:* LISTEN 30343/php
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 26162/mysqld
udp 0 0 174.37.12.34:53 0.0.0.0:* 25931/named
udp 0 0 75.126.49.45:53 0.0.0.0:* 25931/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 25931/named
udp 0 0 174.37.12.34:1194 0.0.0.0:* 25997/openvpn
udp 0 0 75.126.49.45:1194 0.0.0.0:* 23686/openvpn
[root@tigervpn ~]#
Does anyone know the best solution for this?
thank you
Vaxbox 05-14-2011, 07:28 AM This guide doesn't make any sense. It's not secure. The client doesn't even provide a cert because you left the step out where you generate a user cert, and the server just accepts any incoming cert because of client-cert-not-required. Also, username-as-common-name doesn't make sense in the same way.
if you want to config this right:
- generate a user cert and copy it to the openvpn client config dir
- add user cert lines to client config
- comment client-cert-not-required, username-as-common-name in server config
- add script-security 1 to server config
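The checks listed in the post above, together with the "No server certificate verification method has been enabled" warning in the client log earlier in the thread, as an added example that is not part of any post here. The sample configs are constructed, the finding labels and file names are hypothetical, and treating tls-verify, tls-remote, remote-cert-eku, `ns-cert-type server` and `remote-cert-tls server` as the options that count as server verification is an assumption based on the OpenVPN 2.1 option list.

```shell
#!/bin/sh
# Added example, not from the thread: audit OpenVPN 2.1-style config files for
# the settings criticised above. Finding labels and file names are hypothetical.

# has_directive FILE NAME [ARG]
# True when FILE has an active line whose first word is NAME (and whose second
# word is ARG, if given). Lines commented out with '#' or ';' never match,
# because their first word is then not exactly NAME.
has_directive() {
    awk -v name="$2" -v arg="$3" '
        { sub(/\r$/, "") }   # tolerate CRLF files written on Windows clients
        $1 == name && (arg == "" || $2 == arg) { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print one finding per line for a server config; prints nothing if clean.
audit_server() {
    if has_directive "$1" client-cert-not-required; then
        echo "CLIENT_CERT_NOT_REQUIRED: clients are accepted without a certificate"
    fi
    if has_directive "$1" username-as-common-name; then
        echo "USERNAME_AS_CN: the client identity comes from the typed username, not a cert"
    fi
    if ! has_directive "$1" script-security; then
        echo "SCRIPT_SECURITY_UNSET: no explicit script-security level in the config"
    fi
    if has_directive "$1" cipher none; then echo "CIPHER_NONE: encryption disabled"; fi
    if has_directive "$1" auth none; then echo "AUTH_NONE: packet HMAC disabled"; fi
    return 0
}

# Print one finding per line for a client config (directive form only;
# inline <cert>/<key> blocks are not inspected).
audit_client() {
    verified=no
    for d in tls-verify tls-remote remote-cert-eku; do
        if has_directive "$1" "$d"; then verified=yes; fi
    done
    for d in ns-cert-type remote-cert-tls; do
        if has_directive "$1" "$d" server; then verified=yes; fi
    done
    if [ "$verified" = no ]; then
        echo "NO_SERVER_VERIFY: nothing checks that the peer certificate is a server certificate"
    fi
    if ! has_directive "$1" pkcs12; then
        if ! has_directive "$1" cert || ! has_directive "$1" key; then
            echo "CLIENT_CERT_MISSING: no cert/key pair, so the client presents no certificate"
        fi
    fi
    return 0
}

# Write four constructed sample configs into directory $1.
write_samples() {
    cat > "$1/server-weak.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
client-cert-not-required
username-as-common-name
keepalive 5 30
EOF
    cat > "$1/server-hardened.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
;client-cert-not-required
#username-as-common-name
script-security 1
keepalive 5 30
EOF
    cat > "$1/client-weak.ovpn" <<'EOF'
client
dev tun
remote 123.123.123.123 1194
ca ca.crt
auth-user-pass
EOF
    cat > "$1/client-hardened.ovpn" <<'EOF'
client
dev tun
remote 123.123.123.123 1194
ca ca.crt
cert username.crt
key username.key
ns-cert-type server
EOF
}

# Demo run over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in server-weak.conf server-hardened.conf; do
    echo "== $f"; audit_server "$demo_dir/$f"
done
for f in client-weak.ovpn client-hardened.ovpn; do
    echo "== $f"; audit_client "$demo_dir/$f"
done
rm -rf "$demo_dir"
```
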
eric6630 05-14-2011, 11:27 AM hi
if we use UDP how can we optimize the speed of our vpn?
rootserver 05-14-2011, 03:56 PM I do not to instal OpenVP?
ZaNaToS 05-18-2011, 06:36 PM Hello,
I did follow the instructions, the installation went great,
and I did install "OpenVPN GUI" in my Win7 , and connected to the openvpn account, the window in the taskbar seems connected:
Thu May 19 01:26:50 2011 username/94.71.99.244:57555 MULTI: Learn: 1.2.3.6 -> username/94.71.99.244:57555
Thu May 19 01:26:50 2011 username/94.71.99.244:57555 MULTI: primary virtual IP for username/94.71.99.244:57555: 1.2.3.6
Thu May 19 01:26:53 2011 username/94.71.99.244:57555 PUSH: Received control message: 'PUSH_REQUEST'
Thu May 19 01:26:53 2011 username/94.71.99.244:57555 SENT CONTROL [username]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 4.2.2.1,route 1.2.3.1,topology net30,ping 5,ping-restart 30,ifconfig 1.2.3.6 1.2.3.5' (status=1)
the problem is that after I do connect I can only ping the openvpn server's ip, and 1.2.3.6,
I cannot ping or connect with anything else like google.com
is that a problem with my OpenVPN configuration or with my windows ?
vpsbd 05-20-2011, 03:23 PM Can anyone help me? I am getting the following error and not getting connected.
Fri May 20 23:51:09 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri May 20 23:51:09 2011 LZO compression initialized
Fri May 20 23:51:09 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri May 20 23:51:09 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri May 20 23:51:09 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri May 20 23:51:09 2011 Local Options hash (VER=V4): 'd3a7571a'
Fri May 20 23:51:09 2011 Expected Remote Options hash (VER=V4): '5b1533a2'
Fri May 20 23:51:09 2011 UDPv4 link local: [undef]
Fri May 20 23:51:09 2011 UDPv4 link remote: IP.132:53
Fri May 20 23:52:10 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri May 20 23:52:10 2011 TLS Error: TLS handshake failed
Fri May 20 23:52:10 2011 TCP/UDP: Closing socket
Fri May 20 23:52:10 2011 SIGUSR1[soft,tls-error] received, process restarting
Fri May 20 23:52:10 2011 Restart pause, 2 second(s)
Please help me.
Erwin Sanders 05-24-2011, 11:56 PM Hello,
I did follow the instructions, the installation went great,
and I did install "OpenVPN GUI" in my Win7 , and connected to the openvpn account, the window in the taskbar seems connected:
Thu May 19 01:26:50 2011 username/94.71.99.244:57555 MULTI: Learn: 1.2.3.6 -> username/94.71.99.244:57555
Thu May 19 01:26:50 2011 username/94.71.99.244:57555 MULTI: primary virtual IP for username/94.71.99.244:57555: 1.2.3.6
Thu May 19 01:26:53 2011 username/94.71.99.244:57555 PUSH: Received control message: 'PUSH_REQUEST'
Thu May 19 01:26:53 2011 username/94.71.99.244:57555 SENT CONTROL [username]: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 208.67.222.222,dhcp-option DNS 4.2.2.1,route 1.2.3.1,topology net30,ping 5,ping-restart 30,ifconfig 1.2.3.6 1.2.3.5' (status=1)
the problem is that after I do connect I can only ping the openvpn server's ip, and 1.2.3.6,
I cannot ping or connect with anything else like google.com
is that a problem with my OpenVPN configuration or with my windows ?
hi there..
make sure you enable the firewall in your VPS...
enable the firewall
1. Enable packet forwarding with the command:
[root@orangperawang openvpn]#echo 1 > /proc/sys/net/ipv4/ip_forward
2. Edit NAT table for MASQUERADING
For dedicated server / XEN :
[root@abc openvpn] #iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
for OPENVPNZ platform
[root@orangperawang openvpn]#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to destination.ip
ZaNaToS 05-25-2011, 06:57 AM Hello,
thank you for your reply.
the following did the trick:
[root@orangperawang openvpn]#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to destination.ip
thank you!
charos 05-29-2011, 02:36 PM I followed the tutorial and the VPN is working fine. However, US-only services don't allow me to watch content. For instance ABC says "You appear to be outside the United States or its territories. " although a geoip lookup places my IP in California.
Hulu indicates a connection error. Any ideas?
nokia3310 06-01-2011, 05:45 AM When i ran
openvpn
here is what i got back
by the management channel.
--management-client-user u : When management interface is a unix socket, only
allow connections from user u.
--management-client-group g : When management interface is a unix socket, only
allow connections from group g.
--management-client-auth : gives management interface client the responsibility
to authenticate clients after their client certificate
has been verified.
--management-client-pf : management interface clients must specify a packet
filter file for each connecting client.
--plugin m [str]: Load plug-in module m passing str as an argument
to its initialization function.
Multi-Client Server options (when --mode server is used):
--server network netmask : Helper option to easily configure server mode.
--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to
easily configure ethernet bridging server mode.
--push "option" : Push a config file option back to the peer for remote
execution. Peer must specify --pull in its config file.
--push-reset : Don't inherit global push list for specific
client instance.
--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets
to be dynamically allocated to connecting clients.
--ifconfig-pool-linear : Use individual addresses rather than /30 subnets
in tun mode. Not compatible with Windows clients.
--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool
data to file, at seconds intervals (default=600).
If seconds=0, file will be treated as read-only.
--ifconfig-push local remote-netmask : Push an ifconfig option to remote,
overrides --ifconfig-pool dynamic allocation.
Only valid in a client-specific config file.
--iroute network [netmask] : Route subnet to client.
Sets up internal routes only.
Only valid in a client-specific config file.
--disable : Client is disabled.
Only valid in a client-specific config file.
--client-cert-not-required : Don't require client certificate, client
will authenticate using username/password.
--username-as-common-name : For auth-user-pass authentication, use
the authenticated username as the common name,
rather than the common name from the client cert.
--auth-user-pass-verify cmd method: Query client for username/password and
run script cmd to verify. If method='via-env', pass
user/pass via environment, if method='via-file', pass
user/pass via temporary file.
--opt-verify : Clients that connect with options that are incompatible
with those of the server will be disconnected.
--auth-user-pass-optional : Allow connections by clients that don't
specify a username/password.
--no-name-remapping : Allow Common Name and X509 Subject to include
any printable character.
--client-to-client : Internally route client-to-client traffic.
--duplicate-cn : Allow multiple clients with the same common name to
concurrently connect.
--client-connect cmd : Run script cmd on client connection.
--client-disconnect cmd : Run script cmd on client disconnection.
--client-config-dir dir : Directory for custom client config files.
--ccd-exclusive : Refuse connection unless custom client config is found.
--tmp-dir dir : Temporary directory, used for --client-connect return file.
--hash-size r v : Set the size of the real address hash table to r and the
virtual address table to v.
--bcast-buffers n : Allocate n broadcast buffers.
--tcp-queue-limit n : Maximum number of queued TCP output packets.
--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server
as well as pushes it to connecting clients.
--learn-address cmd : Run script cmd to validate client virtual addresses.
--connect-freq n s : Allow a maximum of n new connections per s seconds.
--max-clients n : Allow a maximum of n simultaneously connected clients.
--max-routes-per-client n : Allow a maximum of n internal routes per client.
--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions
to a web server at host:port.
Client options (when connecting to a multi-client server):
--client : Helper option to easily configure client mode.
--auth-user-pass [up] : Authenticate with server using username/password.
up is a file containing username/password on 2 lines,
or omit to prompt from console.
--pull : Accept certain config file options from the peer as if they
were part of the local config file. Must be specified
when connecting to a '--mode server' remote host.
--auth-retry t : How to handle auth failures. Set t to
none (default), interact, or nointeract.
--server-poll-timeout n : when polling possible remote servers to connect to
in a round-robin fashion, spend no more than n seconds
waiting for a response before trying the next server.
--explicit-exit-notify [n] : On exit/restart, send exit signal to
server/remote. n = # of retries, default=1.
Data Channel Encryption Options (must be compatible between peers):
(These options are meaningful for both Static Key & TLS-mode)
--secret f [d] : Enable Static Key encryption mode (non-TLS).
Use shared secret file f, generate with --genkey.
The optional d parameter controls key directionality.
If d is specified, use separate keys for each
direction, set d=0 on one side of the connection,
and d=1 on the other side.
--auth alg : Authenticate packets with HMAC using message
digest algorithm alg (default=SHA1).
(usually adds 16 or 20 bytes per packet)
Set alg=none to disable authentication.
--cipher alg : Encrypt packets with cipher algorithm alg
(default=BF-CBC).
Set alg=none to disable encryption.
--prng alg [nsl] : For PRNG, use digest algorithm alg, and
nonce_secret_len=nsl. Set alg=none to disable PRNG.
--keysize n : Size of cipher key in bits (optional).
If unspecified, defaults to cipher-specific default.
--engine [name] : Enable OpenSSL hardware crypto engine functionality.
--no-replay : Disable replay protection.
--mute-replay-warnings : Silence the output of replay warnings to log file.
--replay-window n [t] : Use a replay protection sliding window of size n
and a time window of t seconds.
Default n=64 t=15
--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.
--replay-persist file : Persist replay-protection state across sessions
using file.
--test-crypto : Run a self-test of crypto features enabled.
For debugging only.
TLS Key Negotiation Options:
(These options are meaningful only for TLS-mode)
--tls-server : Enable TLS and assume server role during TLS handshake.
--tls-client : Enable TLS and assume client role during TLS handshake.
--key-method m : Data channel key exchange method. m should be a method
number, such as 1 (default), 2, etc.
--ca file : Certificate authority file in .pem format containing
root certificate.
--capath dir : A directory of trusted certificates (CAs and CRLs).
--dh file : File containing Diffie Hellman parameters
in .pem format (for --tls-server only).
Use "openssl dhparam -out dh1024.pem 1024" to generate.
--cert file : Local certificate in .pem format -- must be signed
by a Certificate Authority in --ca file.
--key file : Local private key in .pem format.
--pkcs12 file : PKCS#12 file containing local private key, local certificate
and optionally the root CA certificate.
--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).
: Use --show-tls to see a list of supported TLS ciphers.
--tls-timeout n : Packet retransmit timeout on TLS control channel
if no ACK from remote within n seconds (default=2).
--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.
--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.
--reneg-sec n : Renegotiate data chan. key after n seconds (default=3600).
--hand-window n : Data channel key exchange must finalize within n seconds
of handshake initiation by any peer (default=60).
--tran-window n : Transition window -- old key can live this many seconds
after new key renegotiation begins (default=3600).
--single-session: Allow only one session (reset state on restart).
--tls-exit : Exit on TLS negotiation failure.
--tls-auth f [d]: Add an additional layer of authentication on top of the TLS
control channel to protect against DoS attacks.
f (required) is a shared-secret passphrase file.
The optional d parameter controls key directionality,
see --secret option for more info.
--askpass [file]: Get PEM password from controlling tty before we daemonize.
--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.
--crl-verify crl: Check peer certificate against a CRL.
--tls-verify cmd: Execute shell command cmd to verify the X509 name of a
pending TLS connection that has otherwise passed all other
tests of certification. cmd should return 0 to allow
TLS handshake to proceed, or 1 to fail. (cmd is
executed as 'cmd certificate_depth X509_NAME_oneline')
--tls-remote x509name: Accept connections only from a host with X509 name
x509name. The remote host must also pass all other tests
of verification.
--ns-cert-type t: Require that peer certificate was signed with an explicit
nsCertType designation t = 'client' | 'server'.
--remote-cert-ku v ... : Require that the peer certificate was signed with
explicit key usage, you can specify more than one value.
value should be given in hex format.
--remote-cert-eku oid : Require that the peer certificate was signed with
explicit extended key usage. Extended key usage can be encoded
as an object identifier or OpenSSL string representation.
--remote-cert-tls t: Require that peer certificate was signed with explicit
key usage and extended key usage based on RFC3280 TLS rules.
t = 'client' | 'server'.
PKCS#11 Options:
--pkcs11-providers provider ... : PKCS#11 provider to load.
--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication
path. Set for each provider.
--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.
0 : Try to determind automatically (default).
1 : Use Sign.
2 : Use SignRecover.
4 : Use Decrypt.
8 : Use Unwrap.
--pkcs11-cert-private [0|1] ... : Set if login should be performed before
certificate can be accessed. Set for each provider.
--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1
cache until token is removed.
--pkcs11-id-management : Acquire identity from management interface.
--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids
SSL Library information:
--show-ciphers : Show cipher algorithms to use with --cipher option.
--show-digests : Show message digest algorithms to use with --auth option.
--show-engines : Show hardware crypto accelerator engines (if available).
--show-tls : Show all TLS ciphers (TLS used only as a control channel).
Generate a random key (only for non-TLS static key encryption mode):
--genkey : Generate a random key to be used as a shared secret,
for use with the --secret option.
--secret file : Write key to file.
Tun/tap config mode (available with linux 2.4+):
--mktun : Create a persistent tunnel.
--rmtun : Remove a persistent tunnel.
--dev tunX|tapX : tun/tap device
--dev-type dt : Device type. See tunnel options above for details.
--user user : User to set privilege to.
--group group : Group to set privilege to.
PKCS#11 standalone options:
--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.
--verb option can be added *BEFORE* this.
So what does this mean? Installed correctly?
ALSO
When i ran this
yum install openvpn
This is what i got
Package openvpn-2.1.4-1.el5.x86_64 already installed and latest version
Nothing to do
What does that mean?
Host90 06-01-2011, 07:01 PM When i ran
openvpn
here is what i got back
by the management channel.
--management-client-user u : When management interface is a unix socket, only
allow connections from user u.
--management-client-group g : When management interface is a unix socket, only
allow connections from group g.
--management-client-auth : gives management interface client the responsibility
to authenticate clients after their client certificate
has been verified.
--management-client-pf : management interface clients must specify a packet
filter file for each connecting client.
--plugin m [str]: Load plug-in module m passing str as an argument
to its initialization function.
Multi-Client Server options (when --mode server is used):
--server network netmask : Helper option to easily configure server mode.
--server-bridge [IP netmask pool-start-IP pool-end-IP] : Helper option to
easily configure ethernet bridging server mode.
--push "option" : Push a config file option back to the peer for remote
execution. Peer must specify --pull in its config file.
--push-reset : Don't inherit global push list for specific
client instance.
--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets
to be dynamically allocated to connecting clients.
--ifconfig-pool-linear : Use individual addresses rather than /30 subnets
in tun mode. Not compatible with Windows clients.
--ifconfig-pool-persist file [seconds] : Persist/unpersist ifconfig-pool
data to file, at seconds intervals (default=600).
If seconds=0, file will be treated as read-only.
--ifconfig-push local remote-netmask : Push an ifconfig option to remote,
overrides --ifconfig-pool dynamic allocation.
Only valid in a client-specific config file.
--iroute network [netmask] : Route subnet to client.
Sets up internal routes only.
Only valid in a client-specific config file.
--disable : Client is disabled.
Only valid in a client-specific config file.
--client-cert-not-required : Don't require client certificate, client
will authenticate using username/password.
--username-as-common-name : For auth-user-pass authentication, use
the authenticated username as the common name,
rather than the common name from the client cert.
--auth-user-pass-verify cmd method: Query client for username/password and
run script cmd to verify. If method='via-env', pass
user/pass via environment, if method='via-file', pass
user/pass via temporary file.
--opt-verify : Clients that connect with options that are incompatible
with those of the server will be disconnected.
--auth-user-pass-optional : Allow connections by clients that don't
specify a username/password.
--no-name-remapping : Allow Common Name and X509 Subject to include
any printable character.
--client-to-client : Internally route client-to-client traffic.
--duplicate-cn : Allow multiple clients with the same common name to
concurrently connect.
--client-connect cmd : Run script cmd on client connection.
--client-disconnect cmd : Run script cmd on client disconnection.
--client-config-dir dir : Directory for custom client config files.
--ccd-exclusive : Refuse connection unless custom client config is found.
--tmp-dir dir : Temporary directory, used for --client-connect return file.
--hash-size r v : Set the size of the real address hash table to r and the
virtual address table to v.
--bcast-buffers n : Allocate n broadcast buffers.
--tcp-queue-limit n : Maximum number of queued TCP output packets.
--tcp-nodelay : Macro that sets TCP_NODELAY socket flag on the server
as well as pushes it to connecting clients.
--learn-address cmd : Run script cmd to validate client virtual addresses.
--connect-freq n s : Allow a maximum of n new connections per s seconds.
--max-clients n : Allow a maximum of n simultaneously connected clients.
--max-routes-per-client n : Allow a maximum of n internal routes per client.
--port-share host port : When run in TCP mode, proxy incoming HTTPS sessions
to a web server at host:port.
Client options (when connecting to a multi-client server):
--client : Helper option to easily configure client mode.
--auth-user-pass [up] : Authenticate with server using username/password.
up is a file containing username/password on 2 lines,
or omit to prompt from console.
--pull : Accept certain config file options from the peer as if they
were part of the local config file. Must be specified
when connecting to a '--mode server' remote host.
--auth-retry t : How to handle auth failures. Set t to
none (default), interact, or nointeract.
--server-poll-timeout n : when polling possible remote servers to connect to
in a round-robin fashion, spend no more than n seconds
waiting for a response before trying the next server.
--explicit-exit-notify [n] : On exit/restart, send exit signal to
server/remote. n = # of retries, default=1.
Data Channel Encryption Options (must be compatible between peers):
(These options are meaningful for both Static Key & TLS-mode)
--secret f [d] : Enable Static Key encryption mode (non-TLS).
Use shared secret file f, generate with --genkey.
The optional d parameter controls key directionality.
If d is specified, use separate keys for each
direction, set d=0 on one side of the connection,
and d=1 on the other side.
--auth alg : Authenticate packets with HMAC using message
digest algorithm alg (default=SHA1).
(usually adds 16 or 20 bytes per packet)
Set alg=none to disable authentication.
--cipher alg : Encrypt packets with cipher algorithm alg
(default=BF-CBC).
Set alg=none to disable encryption.
--prng alg [nsl] : For PRNG, use digest algorithm alg, and
nonce_secret_len=nsl. Set alg=none to disable PRNG.
--keysize n : Size of cipher key in bits (optional).
If unspecified, defaults to cipher-specific default.
--engine [name] : Enable OpenSSL hardware crypto engine functionality.
--no-replay : Disable replay protection.
--mute-replay-warnings : Silence the output of replay warnings to log file.
--replay-window n [t] : Use a replay protection sliding window of size n
and a time window of t seconds.
Default n=64 t=15
--no-iv : Disable cipher IV -- only allowed with CBC mode ciphers.
--replay-persist file : Persist replay-protection state across sessions
using file.
--test-crypto : Run a self-test of crypto features enabled.
For debugging only.
TLS Key Negotiation Options:
(These options are meaningful only for TLS-mode)
--tls-server : Enable TLS and assume server role during TLS handshake.
--tls-client : Enable TLS and assume client role during TLS handshake.
--key-method m : Data channel key exchange method. m should be a method
number, such as 1 (default), 2, etc.
--ca file : Certificate authority file in .pem format containing
root certificate.
--capath dir : A directory of trusted certificates (CAs and CRLs).
--dh file : File containing Diffie Hellman parameters
in .pem format (for --tls-server only).
Use "openssl dhparam -out dh1024.pem 1024" to generate.
--cert file : Local certificate in .pem format -- must be signed
by a Certificate Authority in --ca file.
--key file : Local private key in .pem format.
--pkcs12 file : PKCS#12 file containing local private key, local certificate
and optionally the root CA certificate.
--tls-cipher l : A list l of allowable TLS ciphers separated by : (optional).
: Use --show-tls to see a list of supported TLS ciphers.
--tls-timeout n : Packet retransmit timeout on TLS control channel
if no ACK from remote within n seconds (default=2).
--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.
--reneg-pkts n : Renegotiate data chan. key after n packets sent and recvd.
--reneg-sec n : Renegotiate data chan. key after n seconds (default=3600).
--hand-window n : Data channel key exchange must finalize within n seconds
of handshake initiation by any peer (default=60).
--tran-window n : Transition window -- old key can live this many seconds
after new key renegotiation begins (default=3600).
--single-session: Allow only one session (reset state on restart).
--tls-exit : Exit on TLS negotiation failure.
--tls-auth f [d]: Add an additional layer of authentication on top of the TLS
control channel to protect against DoS attacks.
f (required) is a shared-secret passphrase file.
The optional d parameter controls key directionality,
see --secret option for more info.
--askpass [file]: Get PEM password from controlling tty before we daemonize.
--auth-nocache : Don't cache --askpass or --auth-user-pass passwords.
--crl-verify crl: Check peer certificate against a CRL.
--tls-verify cmd: Execute shell command cmd to verify the X509 name of a
pending TLS connection that has otherwise passed all other
tests of certification. cmd should return 0 to allow
TLS handshake to proceed, or 1 to fail. (cmd is
executed as 'cmd certificate_depth X509_NAME_oneline')
--tls-remote x509name: Accept connections only from a host with X509 name
x509name. The remote host must also pass all other tests
of verification.
--ns-cert-type t: Require that peer certificate was signed with an explicit
nsCertType designation t = 'client' | 'server'.
--remote-cert-ku v ... : Require that the peer certificate was signed with
explicit key usage, you can specify more than one value.
value should be given in hex format.
--remote-cert-eku oid : Require that the peer certificate was signed with
explicit extended key usage. Extended key usage can be encoded
as an object identifier or OpenSSL string representation.
--remote-cert-tls t: Require that peer certificate was signed with explicit
key usage and extended key usage based on RFC3280 TLS rules.
t = 'client' | 'server'.
PKCS#11 Options:
--pkcs11-providers provider ... : PKCS#11 provider to load.
--pkcs11-protected-authentication [0|1] ... : Use PKCS#11 protected authentication
path. Set for each provider.
--pkcs11-private-mode hex ... : PKCS#11 private key mode mask.
0 : Try to determind automatically (default).
1 : Use Sign.
2 : Use SignRecover.
4 : Use Decrypt.
8 : Use Unwrap.
--pkcs11-cert-private [0|1] ... : Set if login should be performed before
certificate can be accessed. Set for each provider.
--pkcs11-pin-cache seconds : Number of seconds to cache PIN. The default is -1
cache until token is removed.
--pkcs11-id-management : Acquire identity from management interface.
--pkcs11-id serialized-id 'id' : Identity to use, get using standalone --show-pkcs11-ids
SSL Library information:
--show-ciphers : Show cipher algorithms to use with --cipher option.
--show-digests : Show message digest algorithms to use with --auth option.
--show-engines : Show hardware crypto accelerator engines (if available).
--show-tls : Show all TLS ciphers (TLS used only as a control channel).
Generate a random key (only for non-TLS static key encryption mode):
--genkey : Generate a random key to be used as a shared secret,
for use with the --secret option.
--secret file : Write key to file.
Tun/tap config mode (available with linux 2.4+):
--mktun : Create a persistent tunnel.
--rmtun : Remove a persistent tunnel.
--dev tunX|tapX : tun/tap device
--dev-type dt : Device type. See tunnel options above for details.
--user user : User to set privilege to.
--group group : Group to set privilege to.
PKCS#11 standalone options:
--show-pkcs11-ids provider [cert_private] : Show PKCS#11 available ids.
--verb option can be added *BEFORE* this.
So what does this mean? Installed correctly?
ALSO
When i ran this
yum install openvpn
This is what i got
Package openvpn-2.1.4-1.el5.x86_64 already installed and latest version
Nothing to do
What does that mean?
That means you have OpenVPN installed, try running
service openvpn start to see if it works
nokia3310 06-01-2011, 08:54 PM That means you have OpenVPN installed, try running
to see if it works
Isn't that same as starting openvpn by entering
openvpn
Anyways I entered
service openvpn start
and got this back
Starting openvpn [ok]
Does that mean everything is fine?
M3hdi 06-02-2011, 03:07 AM Hello
I configured my OpenVPN server and client, and I can connect my client to the server, but after connecting, my client IP wasn't changed!
Please help
thanks a lot
socialh 06-06-2011, 02:27 PM thanks for this tutorial
eric6630 06-08-2011, 03:39 AM Hello
I configured my OpenVPN server and client, and I can connect my client to the server, but after connecting, my client IP wasn't changed!
Please help
thanks a lot
can you post your server side config?
did you use server 1.2.3.0 255.255.255.0
or use iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
Ahmed90 06-08-2011, 05:31 PM Thanks for this tutorial. I installed the server side and everything goes right, but when I run the client it says something is missing in the config. I copy/pasted it and edited only the IP and port, but it still won't connect :/
I have an OpenVZ VPS
onebesthosting 06-14-2011, 12:15 PM Thanks for such a nice and detailed tutorial, it really will help many of the people around.
xs-admin 06-16-2011, 11:12 AM A nice piece in WHT forum. Very detailed tutorial
hybridized 07-18-2011, 10:51 AM Hi, I am about to purchase a VPS to run OpenVPN on it.
Which OS and 32 or 64 bits should give me the best results?
Thanks
Echizen 07-18-2011, 02:01 PM Hello all,
for OpenVZ CentOS box you can try this simple OpenVPN auto installer
wget http://joglohosting.com/scripts/openvpn-installer.sh
sh openvpn-installer.sh
and then follow the instruction :D
hybridized 07-18-2011, 11:49 PM Hi, could someone answer my question? Thanks
databits 07-19-2011, 05:23 AM Is there a way to optimize the speed of OpenVPN server?
Any one know how to make remote mySQL database for authenticating vpn users?:D
Tautvydasm 07-20-2011, 07:27 AM Thanks for great post. :)
deejk 07-20-2011, 07:50 AM Excellent guide, I got this up and running on linux VPS, i can easily connect to the vpn from windows.
Can you post the openvpn command line to connect using the terminal in ubuntu?
hybridized 07-21-2011, 05:18 PM Thanks for the tutorial, I got my VPN up and running :)
hybridized 07-22-2011, 10:57 AM One question though, after running this command
"Make OPENVPN 1194.conf running in background
#bg
"
Do I still need to do something to run the OpenVPN server after a reboot?
hybridized 07-24-2011, 02:13 AM Hello?
hybridized 07-29-2011, 02:44 PM Any help guys?
Also I'd like to know if I have a second IP for my VPS how can I use that IP as well for an OpenVPN connection? Do I create a new server certificate and client certificate and add the information to the IPTable?
hybridized 07-29-2011, 05:04 PM What I'd like to know is that if I have a second dedicated/static IP for the same VPS is it possible to switch between which IP I want to use with OpenVPN when I authenticate with a user + pass combination? If so how can I do this?
Dessu 08-01-2011, 07:12 PM I am having a problem after typing this step
Install required modules
#yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
I keep getting
-bash: yum: command not found
Please help me out :/
Echizen 08-05-2011, 03:05 PM I am having a problem after typing this step
Install required modules
#yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
I keep getting
-bash: yum: command not found
Please help me out :/
What distro do you use? Ensure that you're using CentOS (yum is centos/RHEL command)
ultimatewebhost 08-06-2011, 01:39 AM I'll try this and post results here, the guide looks promising however. :)
eric6630 09-12-2011, 02:35 AM
#!/bin/bash
### Database information
DBUSER='user'
DBPASS='pass'
DBHOST='localhost' # use the IP if your MySQL server is external; otherwise just localhost
DBNAME='dbase'
user_name=`head -n1 "$1" | tail -1` # first line -> Username
pass_word=`head -n2 "$1" | tail -1` # second line -> Password
user_query=`mysql -u "$DBUSER" -p"$DBPASS" -D "$DBNAME" -h "$DBHOST" --skip-column-names -e "SELECT username FROM user WHERE ( (active = '1') AND (username = '$user_name') AND (password = PASSWORD('$pass_word')) );"`
if [ "$user_query" == "$user_name" ]; then
  exit 0
else
  exit 1
fi
hi
I'm using this kind of script for the authentication process
the problem is, no one can connect; authentication fails
does anyone know what the problem is?
I'm using Ubuntu 10.10, MySQL and phpMyAdmin
I hope someone can help me
thank you
Thank you very much for this great tut
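The verify script posted above places the client-supplied username and password directly inside the SQL string and puts the database password on the command line. The following is an added example, not the poster's code, of the same check with an allow-listed username and both values passed as hex literals; it assumes OpenVPN calls it in via-file mode, and AUTH_DB_CNF, AUTH_DB_NAME and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the poster's script): hardened auth-user-pass-verify check.
# Table and column names (user, username, password, active) come from the
# posted script; AUTH_DB_CNF, AUTH_DB_NAME and all function names are assumptions.

# Hypothetical option file (chmod 600) with a [client] section holding user,
# password and host, so the DB password never appears in the process list.
AUTH_DB_CNF=${AUTH_DB_CNF:-/etc/openvpn/auth-db.cnf}
AUTH_DB_NAME=${AUTH_DB_NAME:-dbase}

# Hex-encode a string for use as a MySQL hex literal X'..'. Client input never
# sits inside a quoted SQL string, so a quote in it cannot end the literal.
to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Allow-list: 1-32 characters from letters, digits, dot, underscore, dash.
valid_username() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the lookup query; fail if the username is rejected or password empty.
build_auth_query() {
    valid_username "$1" || return 1
    [ -n "$2" ] || return 1
    # PASSWORD() is kept only to match the schema in the posted script.
    printf "SELECT COUNT(*) FROM user WHERE active = '1' AND username = X'%s' AND password = PASSWORD(X'%s');" \
        "$(to_hex "$1")" "$(to_hex "$2")"
}

# via-file mode: line 1 of the file is the username, line 2 the password.
read_credentials() {
    {
        IFS= read -r AUTH_USER || return 1
        IFS= read -r AUTH_PASS || [ -n "$AUTH_PASS" ] || return 1
    } < "$1"
}

# Return 0 only when exactly one active row matches.
main() {
    read_credentials "${1:-}" || return 1
    AUTH_QUERY=$(build_auth_query "$AUTH_USER" "$AUTH_PASS") || return 1
    AUTH_COUNT=$(mysql --defaults-extra-file="$AUTH_DB_CNF" -D "$AUTH_DB_NAME" \
        --batch --skip-column-names -e "$AUTH_QUERY") || return 1
    [ "$AUTH_COUNT" = "1" ]
}

# OpenVPN sets script_type for every script it runs and passes the credentials
# file as $1; in that case always decide and exit, failing closed on any error.
if [ "$#" -gt 0 ] || [ -n "${script_type:-}" ]; then
    main "$@"
    exit $?
fi
```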
GoDeT 09-16-2011, 07:00 AM thanks great TUT :D
webdesignuk 09-16-2011, 07:03 AM Thanks for guide.............
dhruvpandit 09-17-2011, 04:46 AM It's asking for user/pass every time I connect.
How can I set it so that when I connect from OpenVPN, it connects directly to my server? It should not ask for user/pass.
Taimur 10-05-2011, 12:15 PM Thanks for the tutorial!
How can I assign dedicated IP to specific users?
smile93 10-07-2011, 11:27 PM Thanks for this great tutorial.
Zyposh 10-10-2011, 05:55 AM I have done everything on the VPS side and my VPS can get connected, and I have created ports 443 and 1194, but neither of them works with my OpenVPN PC program, and there's no defect on my PC's side. Please tell me what I can do to get it working. How do I check whether 'iptables' support is enabled or disabled?
matrik 10-14-2011, 07:36 PM Thanks for the guide. I am having problems configuring the client on vmware windows xp machine. After I connect, I can ping the server from client but I cannot ping the client from server. I tried everything for the last two days, please help.
Here's the routing table from client after connection:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 128.0.0.0 1.2.3.5 1.2.3.6 1
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.5 10
1.2.3.1 255.255.255.255 1.2.3.5 1.2.3.6 1
1.2.3.4 255.255.255.252 1.2.3.6 1.2.3.6 30
1.2.3.6 255.255.255.255 127.0.0.1 127.0.0.1 30
1.255.255.255 255.255.255.255 1.2.3.6 1.2.3.6 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
128.0.0.0 128.0.0.0 1.2.3.5 1.2.3.6 1
184.82.244.1xx 255.255.255.255 192.168.1.1 192.168.1.5 1
192.168.1.0 255.255.255.0 192.168.1.5 192.168.1.5 10
192.168.1.5 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.5 192.168.1.5 10
224.0.0.0 240.0.0.0 1.2.3.6 1.2.3.6 30
224.0.0.0 240.0.0.0 192.168.1.5 192.168.1.5 10
255.255.255.255 255.255.255.255 1.2.3.6 1.2.3.6 1
255.255.255.255 255.255.255.255 192.168.1.5 192.168.1.5 1
Default Gateway: 1.2.3.5
And here is the routing table on the server:
Destination Gateway Genmask Flags Metric Ref Use Iface
1.2.3.2 * 255.255.255.255 UH 0 0 0 tun0
1.2.3.0 1.2.3.2 255.255.255.0 UG 0 0 0 tun0
184.82.244.0 * 255.255.255.0 U 0 0 0 venet0
169.254.0.0 * 255.255.0.0 U 0 0 0 venet0
default * 0.0.0.0 U 0 0 0 venet0
Thanks in advance.
SriKolla 11-06-2011, 03:41 AM Hi,
Thanx for the great tutorial.
Everything was working fine and i was browsing well through vpn until I rebooted my vpn.
There after I can connect to vpn but it doesn't let me browse any sites.
I also edited /etc/rc.local to automate process and iptables also show all traffic routed to my ip. What may have gone wrong?
Erawan Arif Nugroho 11-07-2011, 04:24 AM maybe the problem is the ip forwarding rules in iptables.
you can save the iptables by using the following command :
# service iptables save
or
# /etc/init.d/iptables save
dhruvpandit 11-08-2011, 01:45 AM Is there any script or something with which I can do these things:
1. Create certificates.
2. Make certificates with a limited validity, i.e. after 30 days they will be of no use.
Also, please give me a good tutorial for using the same client configs on multiple servers.
AvianHost 11-08-2011, 12:06 PM Copy OPENVPN easy-rsa folder to /etc/openvpn/
#cp -R /usr/share/doc/openvpn-2.1.4/easy-rsa/ /etc/openvpn/
Hey guys, when I run the above command, I get the following error:
cp: cannot stat `/usr/share/doc/openvpn-2.1.4/easy-rsa/': No such file or directory
I am running CentOS 5.6. Any help?
AvianHost 11-09-2011, 05:58 AM Never mind, I got it.
vooroojak 11-14-2011, 05:49 AM I have a problem:
I have a VPS with CentOS 5 and installed openvpn-as-1.8.3-CentOS5.i386.rpm on it, but when I click Start Server in the Admin Server web UI, I receive this error:
iptables service not started because of error (SVC_RUN_EXCEPT)
Can anybody help me?
yiso91 12-15-2011, 04:16 PM After running OpenVPN, it asks me for a username and password. I couldn't find anything about it in the tutorial; any help on that?
Regards,,
yiso91 12-15-2011, 06:30 PM Okay, never mind about the login; I didn't read the tutorial carefully. I created a username via PuTTY, and when using it in OpenVPN the following output appears, but the program gets stuck there and never proceeds further.
Fri Dec 16 02:24:47 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 8 2010
Fri Dec 16 02:24:51 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 16 02:24:51 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Dec 16 02:24:52 2011 LZO compression initialized
Fri Dec 16 02:24:52 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Dec 16 02:24:52 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Fri Dec 16 02:24:52 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Dec 16 02:24:52 2011 Local Options hash (VER=V4): 'd3a7571a'
Fri Dec 16 02:24:52 2011 Expected Remote Options hash (VER=V4): '5b1533a2'
Fri Dec 16 02:24:52 2011 UDPv4 link local: [undef]
Fri Dec 16 02:24:52 2011 UDPv4 link remote: SERVERIP:1194
Also, how do I enable the plugin /usr/share/.. /pam.d/login? I didn't find any good results on Google for that.
Thanks
Regards,,,
charos 12-21-2011, 06:42 AM In case you get into a situation where the iptables got funky, do a cleanup
iptables -F
iptables -F -t nat
byte_s 12-21-2011, 08:51 AM Awesome tutorial... I just set up my first attempt on TCP, and yeah, successful..
Thank you.
dhruvpandit 12-27-2011, 02:00 AM Can anyone tell me how I can use WHMCS's user/pass with this type of authentication?
And is it possible to host WHMCS on one server and host my OpenVPN on another server?
byte_s 01-06-2012, 10:40 AM Can anyone tell me how I can use WHMCS's user/pass with this type of authentication?
And is it possible to host WHMCS on one server and host my OpenVPN on another server?
This is my question as well. How to control my openvpn users by limiting bandwidth, creating new user account and suspend an account using cpanel/WHM?
Thank you in advance...
Hi, can someone help me see what mistake I have made here?
root@xxxx [/usr/share/openvpn/plugin/lib]# openvpn /etc/openvpn/1194.conf &
[1] 24734
root@xxxx [/usr/share/openvpn/plugin/lib]# Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/1194.conf:13: /etc/pam.d/login (2.2.0)
Use --help for more information.
Never mind, I already fixed that problem, but now I get this:
Wed Jan 11 03:24:32 2012 OpenVPN 2.2.0 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jun 6 2011
Wed Jan 11 03:24:32 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Jan 11 03:24:32 2012 PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so '[/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so] [/etc/pam.d/login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Wed Jan 11 03:24:32 2012 Diffie-Hellman initialized with 1024 bit key
Wed Jan 11 03:24:32 2012 WARNING: POTENTIALLY DANGEROUS OPTION --client-cert-not-required may accept clients which do not present a certificate
Wed Jan 11 03:24:32 2012 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jan 11 03:24:32 2012 Socket Buffers: R=[129024->131072] S=[129024->131072]
Wed Jan 11 03:24:32 2012 ROUTE default_gateway=64.37.60.1
Wed Jan 11 03:24:32 2012 TUN/TAP device tun0 opened
Wed Jan 11 03:24:32 2012 TUN/TAP TX queue length set to 100
Wed Jan 11 03:24:32 2012 /sbin/ip link set dev tun0 up mtu 1500
Wed Jan 11 03:24:32 2012 /sbin/ip addr add dev tun0 local 1.2.3.1 peer 1.2.3.2
Wed Jan 11 03:24:32 2012 /sbin/ip route add 1.2.3.0/24 via 1.2.3.2
Wed Jan 11 03:24:32 2012 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Jan 11 03:24:32 2012 UDPv4 link local (bound): 64.37.60.24:1194
Wed Jan 11 03:24:32 2012 UDPv4 link remote: [undef]
Wed Jan 11 03:24:32 2012 MULTI: multi_init called, r=256 v=256
Wed Jan 11 03:24:32 2012 IFCONFIG POOL: base=1.2.3.4 size=62
Wed Jan 11 03:24:32 2012 Initialization Sequence Completed
dhruvpandit 01-23-2012, 03:06 AM It's giving this error on yum openvpn
yum install openvpn
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: centos.mirror.choopa.net
* extras: mirror.rackspace.com
* rpmforge: ftp-stud.fht-esslingen.de
* updates: mirror.atlanticmetro.net
rpmforge | 1.1 kB 00:00
rpmforge/primary | 4.0 MB 00:01
rpmforge 11146/11146
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package openvpn.i386 0:2.2.0-3.el5.rf will be installed
--> Processing Dependency: liblzo2.so.2 for package: openvpn-2.2.0-3.el5.rf.i386
--> Processing Dependency: libssl.so.6 for package: openvpn-2.2.0-3.el5.rf.i386
--> Processing Dependency: libcrypto.so.6 for package: openvpn-2.2.0-3.el5.rf.i386
--> Processing Dependency: libpkcs11-helper.so.1 for package: openvpn-2.2.0-3.el5.rf.i386
--> Running transaction check
---> Package lzo.i386 0:1.08-4.rf will be updated
---> Package lzo.i386 0:2.04-1.el5.rf will be an update
---> Package openssl098e.i686 0:0.9.8e-17.el6.centos will be installed
---> Package pkcs11-helper.i386 0:1.08-1.el5.rf will be installed
--> Processing Dependency: libgnutls.so.13 for package: pkcs11-helper-1.08-1.el5.rf.i386
--> Processing Dependency: libgnutls.so.13(GNUTLS_1_3) for package: pkcs11-helper-1.08-1.el5.rf.i386
--> Finished Dependency Resolution
Error: Package: pkcs11-helper-1.08-1.el5.rf.i386 (rpmforge)
Requires: libgnutls.so.13(GNUTLS_1_3)
Error: Package: pkcs11-helper-1.08-1.el5.rf.i386 (rpmforge)
Requires: libgnutls.so.13
You could try using --skip-broken to work around the problem
** Found 6 pre-existing rpmdb problem(s), 'yum check' output follows:
bandmin-1.6.1-5.noarch has missing requires of perl(bandmin.conf)
bandmin-1.6.1-5.noarch has missing requires of perl(bmversion.pl)
bandmin-1.6.1-5.noarch has missing requires of perl(services.conf)
exim-4.69-30_cpanel_maildir.i386 has missing requires of perl(SafeFile)
frontpage-2002-SR1.2.i386 has missing requires of libexpat.so.0
sendmail-cf-8.14.4-8.el6.noarch has missing requires of sendmail = ('0', '8.14.4', '8.el6')
jawshost 01-27-2012, 04:01 PM Hi there
great tutorial
can someone install openvpn on my dedicated server please
am willing to pay $10 -$15
thanks
Hi there
great tutorial
can someone install openvpn on my dedicated server please
am willing to pay $10 -$15
thanks
do you need any other protocols like pptp, l2tp?
KeLaPan 02-02-2012, 12:23 PM good tutorial
:agree:
i want try this :)
host4offshore 02-23-2012, 12:26 PM can you post your server side config?
did you use server 1.2.3.0 255.255.255.0
or use iptables -t nat -A POSTROUTING -s 1.2.3.0/24 -j SNAT --to 123.123.123.123
Same here: the IP is not changing; it is still showing my ISP's IPs, not the VPN server's IPs :confused:
gaboman 02-23-2012, 12:31 PM Excellent tutorial, thanks for sharing has been a great help for me
mmcolo 02-26-2012, 02:50 PM Thank you for sharing the tutorial. Will this also work on Fedora?
BrightStar 03-11-2012, 11:45 AM Great tutorial. Got it working finally.
How can I change the port? I have tried editing the config file on the server and in the openvpn directory, but it gives an error on connecting; it states connection reset by peer.
byte_s 04-11-2012, 03:37 AM If I make another user, do I need to do #useradd username -s /bin/false
again or #useradd username
byte_s 04-11-2012, 05:37 AM This is weird! I set up port 8080, and then I am able to connect and browse.
I set up ports 443 and 1194, and I am able to connect, but cannot browse lol..
What could be the problem, guru?