  1. #1

    HOWTO OpenVPN setup guide for FC3, FC4, FC5, CentOS and others, connecting via Windows

    Hi,

    I have had great difficulty in setting up OpenVPN, so I thought that when I finally do get it to work, I will write a HOWTO so others can hopefully benefit…

    This guide was done using an FC4 VPS running on Xen; it will also work on OpenVZ, all you need to do is ask your VPS provider to install “tun support”.

    1. First of all, get a few additional repos. If you already have your repos set up, skip this step.

    If you have Fedora 3, follow these steps,

    http://stanton-finley.net/fedora_cor...notes.html#Yum

    If you have Fedora 4, follow these steps,

    http://stanton-finley.net/fedora_cor...notes.html#Yum

    If you have Fedora 5, follow these steps,

    http://stanton-finley.net/fedora_cor...notes.html#Yum

    If you have CentOS, follow the “additional third party CentOS repos”


    http://www.osresources.com/11_6_en.html


    Then issue these commands. Each line is a new command; anything beginning with "#" is a comment, so don't try to execute those.

    Code:
    yum update
    
    yum install openssl openssl-devel
    # openssl and openssl-devel may be installed already… so don’t worry



    2. Right, now you want to install OpenVPN. Here are the commands:

    Code:
    yum install openvpn -y
    
    #Now check that it works
    
    service openvpn start
    service openvpn stop

    3. A few things to set up before you can make certificates. Issue these commands:

    Code:
    find / -name "easy-rsa"
    
    #you should get an output like this…
    
    /usr/share/doc/openvpn-2.0.7/easy-rsa
    
    # Now, make a copy of the easy-rsa directory to /etc/openvpn/
    # (make sure you have put the right version number in, i.e. mine was -2.0.7;
    # change if needed)
    
    cp -R /usr/share/doc/openvpn-2.0.7/easy-rsa /etc/openvpn/
    
    cd /etc/openvpn/easy-rsa
    
    chmod 777 *
    
    mkdir /etc/openvpn/keys


    4. You need to edit the vars file, located in /etc/openvpn/easy-rsa.
    You can use any editor you like; I used vi.

    Change the line
    Code:
    export KEY_DIR=$D/keys
    to

    Code:
    export KEY_DIR=/etc/openvpn/keys
    Also, at the bottom of this file you will see something similar to this:

    Code:
    export KEY_COUNTRY=US
    export KEY_PROVINCE=CA
    export KEY_CITY=SOMEWHERE
    export KEY_ORG="My Org"
    export KEY_EMAIL=me@mydomain.com
    Change this to your own values.

    5. Now it's time to make the certificates. Enter these commands:

    Code:
    . ./vars
    Code:
    ./clean-all
    Code:
    ./build-ca
    # just hit enter to the defaults apart from Common Name, this must be unique
    # call it something like mydomain-ca

    Code:
    ./build-key-server server
    Code:
    ./build-key client1
    # remember that common name must be unique e.g. use mydomain-client1
    # and YES you want to sign the keys

    Code:
    ./build-key client2
    # do this step for as many clients as you need.

    Code:
    ./build-dh

    6. We are almost done now… right, we need to create a few config files. You can download my template from here:

    Code:
    cd /etc/openvpn
    Code:
    wget www.designpc.co.uk/downloads/server.conf
    # make sure you change a few things in the server.conf file, like DNS
    # servers

    Code:
    touch server-tcp.log
    This makes the log file.

    Code:
    touch ipp.txt
    This makes the IP reservation list.


    7. You need to make a few changes to OpenVPN itself. Go to:

    Code:
    cd /etc/init.d/
    and edit the openvpn file.

    Uncomment this line (line 119):
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Add these lines below it, changing 123.123.123.123 to your public IP address:

    Code:
    iptables -t nat -A POSTROUTING -s 192.168.2.3 -j SNAT --to 123.123.123.123
    iptables -t nat -A POSTROUTING -s 192.168.2.4 -j SNAT --to 123.123.123.123
    iptables -t nat -A POSTROUTING -s 192.168.2.5 -j SNAT --to 123.123.123.123
    iptables -t nat -A POSTROUTING -s 192.168.2.6 -j SNAT --to 123.123.123.123
    iptables -t nat -A POSTROUTING -s 192.168.2.7 -j SNAT --to 123.123.123.123
    iptables -t nat -A POSTROUTING -s 192.168.2.8 -j SNAT --to 123.123.123.123
    iptables -t nat -A POSTROUTING -s 192.168.2.9 -j SNAT --to 123.123.123.123
    iptables -t nat -A POSTROUTING -s 192.168.2.10 -j SNAT --to 123.123.123.123
    Now install iptables if you don't have it already:

    Code:
    yum install iptables
    
    #test it
    
    service iptables start
    service iptables stop

    8. Now for the client config files. If your client is a Windows machine, make sure you have installed OpenVPN; use the GUI version, downloadable from here:

    http://www.designpc.co.uk/downloads/....3-install.exe

    You need to copy a few files from the server to your client machine. Here is the list; they are located in /etc/openvpn/keys/

    ## WARNING ## Use a secure way of transferring these files off the server, something like WinSCP.

    ca.crt
    client1.csr
    client1.key
    client1.crt

    Put these files in this directory C:\Program Files\OpenVPN\config\

    Now you need to make a client config. Here is an example:


    Code:
    client
    dev tun
    proto tcp

    #Change my.publicdomain.com to your public domain or IP address
    remote my.publicdomain.com 1194

    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    ca ca.crt
    cert client1.crt
    key client1.key

    ns-cert-type server

    #DNS Options here, CHANGE THESE !!
    # (given directly as dhcp-option: "push" is a server-side directive and is
    #  rejected in a client config)
    dhcp-option DNS 123.123.123.123
    dhcp-option DNS 123.123.123.124

    comp-lzo

    verb 3
    Make sure you edit any of the lines with comments above them.

    Call this file client1.ovpn and put it in C:\Program Files\OpenVPN\config\

    Make sure the file extension is .ovpn, not .txt.

    To connect, right click on OpenVPN in the taskbar >> Connect

    To test, ping 192.168.2.1

    If you get a response, you're in business.

    Credits

    Stanton Finley, for all the YUM configs
    OpenVPN.net

    If I have made any mistakes, please post and I will correct.

    Thanks
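Before copying the step 5 output to clients, it is worth checking that what easy-rsa produced is consistent: every certificate chains to ca.crt, no two certificates share a Common Name (the HOWTO stresses unique names because the server tells clients apart by CN), and the private keys are readable by their owner only. The script below is an added example and not part of the HOWTO or of easy-rsa; make_demo_pki stands in for build-ca/build-key by producing a throwaway CA, server and client set with plain openssl so the checks can be tried offline, and the names, directory and CN values it uses are constructed. On a real server you would point check_openvpn_pki at /etc/openvpn/keys instead.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): sanity checks on the certificate
# directory that step 5 produces. Run: check_openvpn_pki /etc/openvpn/keys

make_demo_pki() {
    # $1 = directory to create. Stand-in for build-ca / build-key-server /
    # build-key, using plain openssl; every name below is constructed.
    mkdir -p "$1" || return 1
    (
        cd "$1" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout ca.key -out ca.crt -subj "/CN=mydomain-ca" >/dev/null 2>&1 || exit 1
        for name in server client1 client2; do
            openssl req -newkey rsa:2048 -nodes -keyout "$name.key" \
                -out "$name.csr" -subj "/CN=mydomain-$name" >/dev/null 2>&1 || exit 1
            openssl x509 -req -days 365 -in "$name.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -out "$name.crt" >/dev/null 2>&1 || exit 1
        done
        chmod 600 ./*.key
    )
}

cert_cn() {
    # Print the Common Name of a certificate; handles both subject formats
    # openssl prints ("/CN=x" on older releases, "CN = x" on newer ones).
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

check_openvpn_pki() {
    keydir="$1"
    status=0
    # 1. every certificate must verify against the CA the server trusts
    for crt in "$keydir"/*.crt; do
        [ "$crt" = "$keydir/ca.crt" ] && continue
        if ! openssl verify -CAfile "$keydir/ca.crt" "$crt" >/dev/null 2>&1; then
            echo "FAIL: $crt does not verify against ca.crt"
            status=1
        fi
    done
    # 2. Common Names must be unique: the server keys per-client state by CN
    dupes=$(for crt in "$keydir"/*.crt; do cert_cn "$crt"; done | sort | uniq -d)
    if [ -n "$dupes" ]; then
        echo "FAIL: duplicate Common Name(s): $dupes"
        status=1
    fi
    # 3. private keys must not be group- or world-readable
    for key in "$keydir"/*.key; do
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: $key is mode $mode; expected 600"; status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && echo "OK: $keydir passes all checks"
    return "$status"
}
```

The third check matters because step 3 runs chmod 777 on the easy-rsa scripts; that is harmless for the scripts themselves, but the same habit applied to /etc/openvpn/keys would expose every client's private key to any local user.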

  2. #2
    Great guide! Thank you for the post.

  3. #3
    I have 2 network cards on my VPN box and am able to get this working fine to route from remote access to pass all through our public interface, but I cannot access anything through the private interface or the private interface itself.

    Does anyone know where I would add some sort of route or such for this?

  4. #4
    Hey great tutorial! I really appreciate it... however when I try to start OpenVPN after all the config I get:

    Code:
    Starting openvpn: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    Hmmm? Any ideas? I am running FC5 inside a OpenVZ VPS. As well, what OpenVPN icon are you talking about?

    Thanks,

  5. #5
    Cannot get it to work. My server has RHEL4.
    I forwarded this URL to the host but to no use. They cannot figure out how to get it to work. They emailed me saying that the tutorial is outdated and it does not work for RHEL.

  6. #6
    Quote Originally Posted by Rodney-E2
    I have 2 Network cards on my VPN box and are able to get this working fine to route from remote access to pass all through our public interface, but I cannot access anything through the private interface or the private interface itself.

    Does anyone know where I would add some sort of route or such for this?
    There's a trick to getting local networking working; I believe it's disabled by default, may be wrong, check openvpn.net docs.
    Stuart Munro

  7. #7
    Quote Originally Posted by HL-Justin
    Hey great tutorial! I really appreciate it... however when I try to start OpenVPN after all the config I get working


    Hmmm? Any ideas? I am running FC5 inside a OpenVZ VPS. As well, what OpenVPN icon are you talking about?

    Thanks,
    You need your VPS provider to install the NAT module I believe, very easy on their part, it should work just fine...

    Also who is your provider?

    Cheers
    Stuart Munro

  8. #8
    Quote Originally Posted by ramesh80
    Cannot get it to work. My server has RHEL4.
    I forwarded this URL to the host but to no use. They cannot figure out how to get it to work. They emailed me saying that the tutorial is outdated and it does not work for RHEL.
    I thought RHEL was pretty much the same as CentOS, which is what I did the tutorial on...

    What version of openvpn are you using? Also, why is it not working, any log files? Also, are you connecting from a Linux or Windows machine?

    Cheers
    Stuart Munro

  9. #9

    Starting openvpn: [FAILED]

    Thanks for the article.
    Could you please help me with this problem?

    after installing openvpn it gives an error message

    Code:
    [root@host ~]# service openvpn start
    Starting openvpn:                                          [FAILED]
    I've followed the guide completely and restarted the OS
    But it doesn't work.
    The OS is CentOS 4

  10. #10
    What is the meaning of your SNAT rules? Do you have some specific need or something (which is not said in the text)? You can route your users with one SNAT rule... or with one MASQ rule.

    Btw I don't like these kind of tutorials, because they only list commands and explain nothing. Yes, we all know how to "do something", but why are we doing it? What will be achieved once we do it? Why is that? How does the thing work? etc. A proper how-to is one that explains "why is something" and not just "do iptables .... and you're done". A beginner does not prosper from this kind of text because he learns nothing.... yes he can be trained to repeat those commands and install many VPN systems (so can a monkey), but the first time when he runs into problems and errors he will have no idea what to do. Because he didn't learn anything from the tutorial.
    Last edited by nixadm; 10-12-2007 at 12:23 PM.

  11. #11
    I seem to get this error while trying to build the cert:

    Code:
    [root@eu easy-rsa]# ./vars 
    NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
    [root@eu easy-rsa]# ./clean-all
    you must define KEY_DIR
    and my vars file has:

    Code:
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    #export KEY_DIR=$D/keys
    export KEY_DIR=/etc/openvpn/keys
    # Issue rm -rf warning
    echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    any ideas?

  12. #12
    Quote Originally Posted by nixadm
    What is the meaning of your SNAT rules? Do you have some specific need or something (which is not said in the text). You can route your users with one SNAT rule... or with one MASQ rule.

    Btw I don't like these kind of tutorials, because they only list commands and explain nothing. Yes, we all know how to "do something", but why are we doing it? What will be achieved once we do it? Why is that? How does the thing work? etc. A proper how-to is one that explains "why is something" and not just "do iptables .... and you're done". A beginner does not prosper from this kind of text because he learns nothing.... yes he can be trained to repeat those commands and install many VPN systems (so can a monkey), but the first time when he runs into problems and errors he will have no idea what to do. Because he didn't learn anything from the tutorial.
    Hi,

    I did it mainly for if the user wanted to do any NAT stuff later on.

    I'm sorry you didn't like my tutorial...! The reason for doing it was it took me ages to figure out OpenVPN; I was very much a newbie when I started with it.

    As for explaining VPN, I think if you are looking for a VPN you would think people know what a VPN is, therefore no need to explain in detail what it does, the tutorial plainly guides users to using an alternative software to achieve some sort of VPN.

    I know when I was looking at VPN for the first time I didn't go straight to how I install one; first I wanted to understand what it was and what they achieve!

    PS - In regards to your comments on guides "explaining nothing" I must disagree! We are out of the machine code era, code nowadays is near enough "human readable" therefore the command itself explains roughly what it does.

    But thank you for your comments anyway.
    Last edited by stuartornum; 10-18-2007 at 04:37 AM.
    Stuart Munro

  13. #13
    Quote Originally Posted by Trix
    I seem to get this error while trying to build the cert:

    Code:
    [root@eu easy-rsa]# ./vars 
    NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/keys
    [root@eu easy-rsa]# ./clean-all
    you must define KEY_DIR
    and my vars file has:

    Code:
    # WARNING: clean-all will do
    # a rm -rf on this directory
    # so make sure you define
    # it correctly!
    #export KEY_DIR=$D/keys
    export KEY_DIR=/etc/openvpn/keys
    # Issue rm -rf warning
    echo NOTE: when you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
    any ideas?
    Hi,

    Its . ./vars

    so,

    dot space dot/vars

    NOT

    dot/vars

    Should work fine then.

    PS I got stuck on this the first time
    Stuart Munro

  14. #14
    Quote Originally Posted by stability
    Thanks for the article.
    Could you please help me with this problem?

    after installing openvpn it gives an error message

    Code:
    [root@host ~]# service openvpn start
    Starting openvpn:                                          [FAILED]
    I've followed the guide completely and restarted the OS
    But it doesn't work.
    The OS is CentOS 4
    Could you post the log file in /var/log/messages I think.
    Stuart Munro

  15. #15
    Thanks for the tut, I did setup on server CentOS and trying to access from winxp client.

    After connection, I see key2/81.x.x.x:3358 MULTI: bad source address from client [81.x.x.x], packet dropped

    Where 81.x.x.x is client ip. Any suggestion?

  16. #16
    Quote Originally Posted by RACKSET
    Thanks for the tut, I did setup on server CentOS and trying to access from winxp client.

    After connection, I see key2/81.x.x.x:3358 MULTI: bad source address from client [81.x.x.x], packet dropped

    Where 81.x.x.x is client ip. Any suggestion?
    Hi,

    Can you PM me your log, and I will have a look at it for you.

    Cheers
    Stuart Munro

  17. #17
    Is there any way of configuring OpenVPN so we don't need a client to connect?
    Some VPN providers are offering VPN with no client software.

  18. #18
    Quote Originally Posted by RACKSET
    Thanks for the tut, I did setup on server CentOS and trying to access from winxp client.

    After connection, I see key2/81.x.x.x:3358 MULTI: bad source address from client [81.x.x.x], packet dropped

    Where 81.x.x.x is client ip. Any suggestion?
    Hi,

    Can you post your log file for this:

    /var/log/messages

    Do you get the error on the win XP client of openvpn or on the server?
    Stuart Munro

  19. #19
    Thank you for your attention; the issue has been resolved. I think that was an issue with iptables. I fixed it by issuing the command:

    iptables -t nat -A POSTROUTING -o ethX -s 10.8.0.0/24 -j SNAT --to 1.1.1.1

    Where 1.1.1.1 is public IP of vpn server.
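Several replies in this thread end with a request for the OpenVPN lines from /var/log/messages, and the "MULTI: bad source address" message above is one of the things that shows up there. The script below is an added example, not something posted in the thread: it tallies the three failure messages most often seen at this stage (a packet from a source IP the server has not associated with that client, a client certificate that does not verify against the server's ca.crt, and a handshake that never completes) per client or peer address. The log lines written by write_sample_log are constructed in the syslog format openvpn uses, with a made-up host name, pid, addresses and client names.

```shell
#!/bin/sh
# Added example (not from the thread): summarise OpenVPN problems recorded in
# a syslog file such as /var/log/messages. Usage: summarize_openvpn_log FILE

write_sample_log() {
    # Constructed sample lines in the format openvpn writes via syslog.
    cat > "$1" <<'EOF'
Oct 12 12:23:01 vps openvpn[2211]: key2/81.0.0.2:3358 MULTI: bad source address from client [81.0.0.2], packet dropped
Oct 12 12:23:02 vps openvpn[2211]: key2/81.0.0.2:3358 MULTI: bad source address from client [81.0.0.2], packet dropped
Oct 12 12:23:05 vps openvpn[2211]: 81.0.0.9:41122 VERIFY ERROR: depth=0, error=certificate signature failure: /CN=mydomain-client9
Oct 12 12:23:05 vps openvpn[2211]: 81.0.0.9:41122 TLS Error: TLS handshake failed
Oct 12 12:23:09 vps openvpn[2211]: client1/81.0.0.3:1050 MULTI: Learn: 10.8.0.6 -> client1/81.0.0.3:1050
Oct 12 12:23:10 vps sshd[2300]: Accepted publickey for root from 81.0.0.3 port 50022 ssh2
EOF
}

summarize_openvpn_log() {
    # Prints one "<category> <peer> <count>" line per distinct problem, sorted.
    #   badsrc  packet arrived from a source IP the server has not associated
    #           with that client (e.g. a LAN behind the client with no iroute)
    #   verify  the client's certificate is not signed by the server's ca.crt
    #   tls     handshake never completed (firewall, wrong proto/port, ...)
    # Before authentication the peer is only "ip:port"; afterwards it is
    # "cn/ip:port", and the CN alone is reported for badsrc.
    awk '
        /openvpn\[[0-9]+\]:/ {
            peer = $6; sub(/:[0-9]+$/, "", peer)       # drop the source port
            if ($0 ~ /MULTI: bad source address from client/) {
                split(peer, p, "/"); cnt["badsrc " p[1]]++
            } else if ($0 ~ /VERIFY ERROR/) {
                cnt["verify " peer]++
            } else if ($0 ~ /TLS Error: TLS handshake failed/) {
                cnt["tls " peer]++
            }
        }
        END { for (k in cnt) print k, cnt[k] }
    ' "$1" | sort
}
```

On the sample above the output is three lines: two dropped packets from client key2, one certificate verification failure and one failed handshake from 81.0.0.9. Lines from other daemons (the sshd line) and normal openvpn traffic (the "Learn:" line) are ignored, so the summary stays readable on a busy server.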

  20. #20
    Hi,

    Fantastic Tutorial and a great help. You Rock.

  21. #21
    Awesome, thorough guide, stuartornum - thank you !!

  22. #22
    Good tutorial, I think I should get my hands dirty with VPN too, its gonna help in my upcoming project.

  23. #23
    If you are using CSF (Config Server Firewall) you should create a file named 'csfpre.sh' in /etc/csf and add the following rules to it, then restart CSF (csf -r):

    /sbin/iptables -A INPUT -j ACCEPT -s 10.8.0.0/24 -i tun0
    /sbin/iptables -A OUTPUT -j ACCEPT -s 10.8.0.0/24 -o tun0

    /sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
    /sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0

    /sbin/iptables -t nat --flush
    /sbin/iptables -t nat -A POSTROUTING -o venet0 -s 10.8.0.0/24 -j SNAT --to 1.1.1.1
    Where 1.1.1.1 is public IP of vpn server.

  24. #24

    thanks!

    thanks man going to test it

  25. #25
    Can I install it alongside cPanel/WHM?

    Is openssl installed with cPanel?
    Should I install it again?

    How can I add a VPN account for a user with limited BW?
    Last edited by anon-e-mouse; 01-21-2008 at 06:06 PM. Reason: merging posts
