Step 1 – Login to your server via SSH. You better login as root.
Step 2 – Now issue this first command syntax:
|
1
|
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y |
Step 3 – Now download LZO RPM and Configure RPMForge Repo. Use wget command:
|
1
|
wget https://vpnscript.net/download/lzo-1.08-4.rf.src.rpm
|
Step 4 – Now add correct repo for your server:
CentOS 6 32-bit (x86):
| wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.i686.rpm |
CentOS 6 64-bit (x86_64):
| wget ftp://ftp.pbone.net/mirror/dag.wieers.com/redhat/el6/en/x86_64/dag/RPMS/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm |
How to know which one is your server? Issue this command:
uname -a
If you see “x86_64 GNU/Linux” at the end of the output line means your server is 64-bit. Otherwise if you see “i686 i386 GNU/Linux” or “x86 GNU/Linux” means your machine is 32-bit.
Step 5 – Then build the rpm package using this command:
|
1
2
3
|
rpmbuild --rebuild lzo-1.08-4.rf.src.rpmrpm -Uvh lzo-*.rpmrpm -Uvh rpmforge-release* |
hit enter for each line above.
Step 6 – Issue the special yum command:
|
1
|
yum install openvpn -y |
Step 7 – Copy the easy-rsa folder to /etc/openvpn/, use this command:
|
1
|
cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/ |
Step 8 – Now edit it:
|
1
|
nano /etc/openvpn/easy-rsa/2.0/vars |
Edit this line:
|
1
|
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA' |
replace it with:
|
1
|
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf |
once done hit Control+O to save then Control+X to exit.
Step 9 – Create the certificate using these commands:
|
1
2
3
4
5
|
cd /etc/openvpn/easy-rsa/2.0chmod 755 *source ./vars./vars./clean-all |
hit enter for each line.
Step 10 – It’s time to build necessary CA file:
|
1
|
./build-ca |
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Step 11 – Time to build Key Server:
|
1
|
./build-key-server server |
Almost the same with ./build.ca but check the changes and additional
Common Name: server
A challenge password: leave
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
You can simply leave them blank. The only 2 required are sign the certificate (choose “y”) and 1 out of 1 certificate requests (choose “y”)
Step 12 – Now issue command below to build Diffie Hellman:
|
1
|
./build-dh |
Step 13 – Create OpenVPN config file:
|
1
|
nano /etc/openvpn/server.conf |
Step 14 – Now enter this value in that config file:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
port 1194 #- portproto udp #- protocoldev tuntun-mtu 1500tun-mtu-extra 32mssfix 1450reneg-sec 0ca /etc/openvpn/easy-rsa/2.0/keys/ca.crtcert /etc/openvpn/easy-rsa/2.0/keys/server.crtkey /etc/openvpn/easy-rsa/2.0/keys/server.keydh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pemplugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login #- Comment this line if you are using FreeRADIUS#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf #- Uncomment this line if you are using FreeRADIUSclient-cert-not-requiredusername-as-common-nameserver 10.8.0.0 255.255.255.0push "redirect-gateway def1"push "dhcp-option DNS 8.8.8.8"push "dhcp-option DNS 8.8.4.4"keepalive 5 30comp-lzopersist-keypersist-tunstatus 1194.logverb 3 |
Save it once done. (Control+O then Control+X)
Step 15 – Lets start OpenVPN service on your server for the very first time:
|
1
|
service openvpn start |
Step 16 – You’ll also need to enable IP forwarding in the file /etc/sysctl.conf. Open it and edit “net.ipv4.ip_forward” line to 1:
|
1
|
nano /etc/sysctl.conf |
replace 0 with 1 in this line:
|
1
|
net.ipv4.ip_forward = 1 |
Hit Control+O to save then Control+X to exit nano.
Step 17 – Issue this command to load the change:
|
1
|
sysctl -p |
or
|
1
|
sysctl -e |
Step 18 – Now route some iptables.
Xen and KVM users use:
|
1
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE |
special for OpenVZ use these two instead:
|
1
|
iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 123.123.123.123 |
and
|
1
|
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 123.123.123.123 |
Do not forget to replace 123.123.123.123 with your server IP.
Step 19 – Note: if you have CSF on the same server you need to open your OpenVPN port (Usually 1194) through the firewall and run the below commands for CSF:
|
1
2
3
4
5
|
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPTiptables -A FORWARD -s 10.8.0.0/24 -j ACCEPTiptables -A FORWARD -j REJECTiptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADEiptables -t nat -A POSTROUTING -j SNAT --to-source 123.123.123.123 |
Step 20 – Now save that iptables rules:
|
1
|
service iptables save |
Step 21 – Restart OpenVPN Service
service openvpn restart |
Step 22 - Make sure OpenVPN starts automatically with server boot.
chkconfig openvpn on |
Step 23 – You are done. Now simply go to your VPN Script admin dashboard > Add New Server and add your server to the system. It will take care of the rest from there.
You must be logged in to post a comment.