Setup an OpenVPN server on Centos 6

February 02, 2013 at 07:40 AM | categories: Sysadmin, Tips, Security, Centos

EPEL Repository

OpenVPN 2 is available for Centos from the EPEL repository, so you need to have EPEL enabled.

If you do not have EPEL enabled run:

rpm -Uvh


To install OpenVPN run:

yum install openvpn lzo -y


Set up the SSL CA and keys:

cp -r /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/open-rsa

Create and customize the vars file /etc/openvpn/open-rsa/vars. Make sure you change the KEY_ values to your own settings:

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="/etc/openvpn/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_PROVINCE="Gauteng"
export KEY_CITY="Johannesburg"
export KEY_ORG="Topdog-software"
export KEY_EMAIL=""
export KEY_CN="Topdog-software OpenVPN CA"
export KEY_NAME="tdss"
export KEY_OU="Topdog-software"

Create the keys directory:

mkdir /etc/openvpn/keys

Create the CA:

cd /etc/openvpn/open-rsa
source ./vars

Create the server's SSL certificate (replace with the name of your server):


Generate Diffie Hellman parameters:


Create the leases file:

touch /etc/openvpn/ipp.txt

Create the configuration file /etc/openvpn/server.conf:

port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/
key keys/
dh keys/dh1024.pem
cipher AES-128-CBC
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
status /var/log/openvpn-status.log
verb 3

Create iptables rules to allow traffic through:

-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT

Enable packet forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

To make it permanent, add the following to /etc/sysctl.conf:

net.ipv4.ip_forward = 1

Your OpenVPN server should now be ready to go; start OpenVPN:

service openvpn start

Client configuration

Each client requires a certificate and key pair; let's create one:


Copy the, ca.crt and files to the OpenVPN keys directory on the client.

Create the client OpenVPN configuration /etc/openvpn/server.conf:

remote 1194
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
ca keys/ca.crt
cert keys/
key keys/
cipher AES-128-CBC
status /var/log/openvpn-client.log
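As an added example (not part of the original post), here is a small shell lint pass over the easy-rsa vars file and the server and client configurations shown above. It reads the files as plain text, so it runs offline; the vars, server.conf and client.conf it writes are constructed to mirror the post's settings, with placeholder certificate file names and a placeholder hostname. It flags the 1024-bit KEY_SIZE and dh1024.pem (both below current minimum key sizes), a server config with no user/group privilege drop and no tls-auth HMAC key, a server config with no server or mode directive (client-config-dir and ifconfig-pool-persist require mode server), and a client config that lacks remote-cert-tls server:

```shell
#!/bin/sh
# Added example, not code from the original post. Text-only checks over the
# easy-rsa vars file and OpenVPN configs; sample inputs below are constructed.

# Print one finding; $1 is the severity, $2 the message.
finding() { printf '%s: %s\n' "$1" "$2"; }

# Value of an "export NAME=value" line in an easy-rsa vars file (quotes stripped).
vars_value() {
    sed -n "s/^export $1=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# True when the config has a line starting with directive $1.
has_directive() {
    grep -Eq "^[[:space:]]*$1([[:space:]]|\$)" "$2"
}

# Checks on the easy-rsa vars file.
lint_easyrsa_vars() {
    size=$(vars_value KEY_SIZE "$1")
    # RSA keys shorter than 2048 bits are below current minimum recommendations.
    if [ "${size:-0}" -lt 2048 ]; then
        finding WARN "KEY_SIZE=$size: RSA keys shorter than 2048 bits are weak"
    fi
    # A CA that stays valid for ten years widens the impact of a leaked CA key.
    ca_exp=$(vars_value CA_EXPIRE "$1")
    if [ "${ca_exp:-0}" -gt 1825 ]; then
        finding INFO "CA_EXPIRE=$ca_exp days: consider a shorter CA lifetime"
    fi
    return 0
}

# Checks on an OpenVPN config; $2 is "server" or "client".
lint_openvpn_conf() {
    conf="$1"; role="$2"
    # A dh line pointing at dh1024.pem means 1024-bit DH parameters, which are weak.
    if grep -Eq '^[[:space:]]*dh[[:space:]].*dh1024' "$conf"; then
        finding WARN "dh: 1024-bit DH parameters are weak, generate at least 2048-bit"
    fi
    # tls-auth drops packets without a valid HMAC before any TLS handshake starts.
    if ! has_directive tls-auth "$conf"; then
        finding INFO "no tls-auth: any peer can start a TLS handshake against the port"
    fi
    if [ "$role" = server ]; then
        if ! has_directive user "$conf" || ! has_directive group "$conf"; then
            finding WARN "no user/group: daemon keeps root privileges after start-up"
        fi
        if ! has_directive server "$conf" && ! has_directive mode "$conf"; then
            finding WARN "no server/mode directive: client-config-dir and ifconfig-pool-persist require mode server"
        fi
    else
        # Without remote-cert-tls server, any certificate signed by the CA,
        # including another client's, would be accepted as the server.
        if ! has_directive remote-cert-tls "$conf"; then
            finding WARN "no remote-cert-tls server: client does not verify the server certificate's role"
        fi
    fi
    return 0
}

# Number of WARN findings for a config, for gating in scripts or tests.
warn_count() { lint_openvpn_conf "$1" "$2" | grep -c '^WARN' || true; }

# Constructed sample inputs mirroring the post's settings (placeholder names).
work=$(mktemp -d)
cat > "$work/vars" <<'EOF'
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_CN="Topdog-software OpenVPN CA"
EOF
cat > "$work/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
cipher AES-128-CBC
ifconfig-pool-persist ipp.txt
client-config-dir ccd
keepalive 10 120
status /var/log/openvpn-status.log
verb 3
EOF
cat > "$work/client.conf" <<'EOF'
remote vpn.example.invalid 1194
remote-cert-tls server
dev tun0
proto udp
resolv-retry infinite
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
cipher AES-128-CBC
EOF

echo "== vars ==";   lint_easyrsa_vars "$work/vars"
echo "== server =="; lint_openvpn_conf "$work/server.conf" server
echo "== client =="; lint_openvpn_conf "$work/client.conf" client
```

Point the three functions at your real /etc/openvpn/open-rsa/vars and /etc/openvpn/*.conf files instead of the constructed ones; the checks are deliberately text-only, so they can run from a configuration repository before anything is deployed.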

Static addresses

If you want some clients to get static addresses:

mkdir /etc/openvpn/ccd

Create a file in /etc/openvpn/ccd for each client that should get a static address; the file name must match the CN in that client's certificate.

