Step 1 – Login to your server via SSH. You better login as root.
Step 2 – Now issue this first command syntax:
1
|
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y |
Step 3 – Now download LZO RPM and Configure RPMForge Repo. Use wget command:
1
|
wget https://vpnscript.net/download/lzo-1.08-4.rf.src.rpm
|
Step 4 – Now add correct repo for your server:
CentOS 6 32-bit (x86):
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm |
CentOS 6 64-bit (x86_64):
wget ftp://ftp.pbone.net/mirror/dag.wieers.com/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm |
How to know which one is your server? Issue this command:
uname
-a
If you see “x86_64 GNU/Linux” at the end of the output line means your server is 64-bit. Otherwise if you see “i686 i386 GNU/Linux” or “x86 GNU/Linux” means your machine is 32-bit.
Step 5 – Then build the rpm package using this command:
1
2
3
|
rpmbuild --rebuild lzo-1.08-4.rf.src.rpm rpm -Uvh lzo-*.rpm rpm -Uvh rpmforge-release* |
hit enter for each line above.
Step 6 – Issue the special yum command:
1
|
yum install openvpn -y |
Step 7 – Copy the easy-rsa folder to /etc/openvpn/, use this command:
1
|
cp -R /usr/share/doc/openvpn-2 .2.2 /easy-rsa/ /etc/openvpn/ |
Step 8 – Now edit it:
1
|
nano /etc/openvpn/easy-rsa/2 .0 /vars |
Edit this line:
1
|
export KEY_CONFIG= '$EASY_RSA/whichopensslcnf $EASY_RSA' |
replace it with:
1
|
export KEY_CONFIG= /etc/openvpn/easy-rsa/2 .0 /openssl-1 .0.0.cnf |
once done hit Control+O to save then Control+X to exit.
Step 9 – Create the certificate using these commands:
1
2
3
4
5
|
cd /etc/openvpn/easy-rsa/2 .0 chmod 755 * source . /vars . /vars . /clean-all |
hit enter for each line.
Step 10 – It’s time to build necessary CA file:
1
|
. /build-ca |
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Step 11 – Time to build Key Server:
1
|
. /build-key-server server |
Almost the same with ./build.ca but check the changes and additional
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
You can simply leave them blank. The only 2 required are sign the certificate (choose “y”) and 1 out of 1 certificate requests (choose “y”)
Step 12 – Now issue command below to build Diffie Hellman:
1
|
. /build-dh |
Step 13 – Create OpenVPN config file:
1
|
nano /etc/openvpn/server .conf |
Step 14 – Now enter this value in that config file:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
port 1194 #- port proto udp #- protocol dev tun tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 reneg-sec 0 ca /etc/openvpn/easy-rsa/2 .0 /keys/ca .crt cert /etc/openvpn/easy-rsa/2 .0 /keys/server .crt key /etc/openvpn/easy-rsa/2 .0 /keys/server .key dh /etc/openvpn/easy-rsa/2 .0 /keys/dh1024 .pem plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam .so /etc/pam .d /login #- Comment this line if you are using FreeRADIUS #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUS client-cert-not-required username-as-common-name server 10.8.0.0 255.255.255.0 push "redirect-gateway def1" push "dhcp-option DNS 8.8.8.8" push "dhcp-option DNS 8.8.4.4" keepalive 5 30 comp-lzo persist-key persist-tun status 1194.log verb 3 |
Save it once done. (Control+O then Control+X)
Step 15 – Lets start OpenVPN service on your server for the very first time:
1
|
service openvpn start |
Step 16 – You’ll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and edit “net.ipv4.ip_forward” line to 1:
1
|
nano /etc/sysctl .conf |
replace 0 with 1 in this line:
1
|
net.ipv4.ip_forward = 1 |
Hit Control+O to save then Control+X to exit nano.
Step 17 – Issue this command to load the change:
1
|
sysctl -p |
or
1
|
sysctl -e |
Step 18 – Now route some iptables.
Xen and KVM users use:
1
|
iptables -t nat -A POSTROUTING -s 10.8.0.0 /24 -o eth0 -j MASQUERADE |
special for OpenVZ use these two instead:
1
|
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to- source 123.123.123.123 |
and
1
|
iptables -t nat -A POSTROUTING -s 10.8.0.0 /24 -j SNAT --to- source 123.123.123.123 |
Do not forget to replace 123.123.123.123 with your server IP.
Step 19 – Note: if you have CSF on the same server you need to open your OpenVPN port (Usually 1194) through the firewall and run the below commands for CSF:
1
2
3
4
5
|
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -s 10.8.0.0 /24 -j ACCEPT iptables -A FORWARD -j REJECT iptables -t nat -A POSTROUTING -s 10.8.0.0 /24 -o eth0 -j MASQUERADE iptables -t nat -A POSTROUTING -j SNAT --to- source 123.123.123.123 |
Step 20 – Now save that iptables rules:
1
|
service iptables save |
Step 21 – Restart OpenVPN Service
service openvpn restart |
Step 22 - Make sure OpenVPN starts automatically with server boot.
chkconfig openvpn on |
Step 23 – You are done. Now simply go to your VPN Script admin dashboard > Add New Server and add your server to the system. It will take care of the rest from there.
You must be logged in to post a comment.