OpenVPN on OpenVZ on CentOS 6.4


Yes, you read that right: OpenVPN can be run on an OpenVZ VPS (Virtual Private Server), provided the container has the TUN/TAP device. I have tested it myself on my VPS. The checklist you must follow is short, and each point is explained in detail below.

1. Make sure TUN/TAP is enabled.

2. I have tested it on CentOS 6.4, but the steps should be similar in other Linux distros as well.

3. Well, there are no more points. You were expecting more, were you?

1. Make sure TUN/TAP is enabled: Most VPS providers offer it (at least the low-end providers). If your VPS comes with the SolusVM panel, you can enable or disable it from that very panel. If your provider gave you VirtPanel, you need to contact your provider and ask them to turn that module "ON" for you. With any other panel, I would also recommend contacting your provider. Another way to check whether the 'TUN' module is enabled for your VPS is the following:

Connect to your VPS via SSH and run the following command:

$ sudo cat /dev/net/tun

If the output is "cat: /dev/net/tun: File descriptor in bad state", the TUN device is usable: the kernel accepted the open but refuses a plain read, which is exactly how a working TUN node behaves before an interface is attached to it. Any other result (for example "No such file or directory" or "Permission denied") means the TUN module is not enabled for your VPS.
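As an added example (not part of the original post), here is the same check wrapped in a small POSIX shell script that tells the three failure modes apart instead of leaving you to read cat's error text; the exit codes and messages are my own convention, and the default path is the one the post uses:

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a TUN device node
# the way the manual "cat /dev/net/tun" test does, but with distinct results.
# Return codes (my own convention):
#   0  usable TUN device
#   1  device node does not exist
#   2  path exists but is not a character device
#   3  node exists but the kernel will not hand out a TUN (module not
#      granted to this container, or wrong major/minor)

tun_status() {
    node="${1:-/dev/net/tun}"
    [ -e "$node" ] || return 1
    [ -c "$node" ] || return 2
    # A working TUN node opens fine but rejects a plain read with EBADFD,
    # which cat reports as "File descriptor in bad state". A read that
    # succeeds, or any other error (EPERM, ENODEV, ...), is a failure.
    if msg=$(cat "$node" 2>&1 </dev/null); then
        return 3
    fi
    case "$msg" in
        *"File descriptor in bad state"*) return 0 ;;
        *) return 3 ;;
    esac
}

# Human-readable verdict, with the next step for each failure.
tun_report() {
    if tun_status "$@"; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo "TUN enabled: $node is usable" ;;
        1) echo "no TUN device node: ask your provider, or mknod it on the host side" ;;
        2) echo "path exists but is not a character device (expected c 10 200)" ;;
        *) echo "TUN node present but unusable: the module is not granted to this container" ;;
    esac
    return "$rc"
}

# Usage: sh tun-check.sh --check [/dev/net/tun]
if [ "${1:-}" = "--check" ]; then
    tun_report "${2:-/dev/net/tun}"
fi
```

Run it inside the container; a non-zero exit code can be used directly from a provisioning script to stop before the OpenVPN install starts.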

If you are a provider and want to add this module to your client’s VPS, you may follow the steps below:

# lsmod | grep tun    # If nothing shows up, the TUN module is not loaded on the host.

# modprobe tun        # Loads the TUN module on the host machine.

Next, make TUN available to a specific container. The first two lines grant the device node and the character device (major 10, minor 200); the third grants the net_admin capability, which OpenVPN needs to configure the tunnel interface and routes inside the container. net_admin lets the container reconfigure its whole network stack (interfaces, routes, firewall), so grant it only to containers that actually need it.

CTID=101    # CTID is the container number

vzctl set $CTID --devnodes net/tun:rw --save

vzctl set $CTID --devices c:10:200:rw --save

vzctl set $CTID --capability net_admin:on --save

vzctl exec $CTID mkdir -p /dev/net

vzctl exec $CTID mknod /dev/net/tun c 10 200

vzctl exec $CTID chmod 600 /dev/net/tun

After this is done, run "cat /dev/net/tun" inside the container again; you should now get the "File descriptor in bad state" message. If so, you have successfully enabled the TUN module for your VPS container. Pat yourself on the back.

Now that we have TUN enabled for our VPS container, it’s time to dive in and configure OpenVPN.

1: Log into your VPS container as a normal user. I recommend using 'sudo' for the privileged steps rather than logging in as 'root'.

2: Install the required packages:

$ sudo yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel

3: Get the 'LZO' source rpm from the following link:

$ wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Here, I have used the rpmforge repo to install OpenVPN version 2.2.2.

4: Download the rpmforge repo package.

For CentOS 6 32-bit:

$ wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm

For CentOS 6 64-bit:

$ wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

5: Next, build the binary RPM for lzo from the source rpm downloaded in step 3. Run this as your normal user, not as root; the packages that step 2 installed provide the build dependencies, and the result lands under ~/rpmbuild/RPMS/.

$ rpmbuild --rebuild lzo-1.08-4.rf.src.rpm

6: If that succeeds, install the 'lzo' RPM(s) it produced and the 'rpmforge' repo package.

$ sudo rpm -Uvh ~/rpmbuild/RPMS/*/lzo-*.rpm
$ sudo rpm -Uvh rpmforge-release*

7: If you have made this far, we are already half way there. Now, it’s time to install ‘openvpn’ package.

$ sudo yum install openvpn

8: Next, copy the 'easy-rsa' directory from "/usr/share/doc/openvpn-2.2.2/" to "/etc/openvpn":

$ sudo cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/

NOTE: The 'easy-rsa' directory ships with openvpn versions up to 2.2.2. If you installed openvpn from the EPEL repo (which carries the latest stable version for Red Hat type operating systems), 'easy-rsa' is not part of the default installation and you need to fetch it separately, for example from 'github'. Either of the following clones it into the current directory:

$ sudo git clone https://github.com/OpenVPN/easy-rsa.git
$ sudo git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/easy-rsa

By default, 'easy-rsa' is placed inside the directory in which you ran the command above. A checkout from git may be a newer easy-rsa whose layout differs from the 2.0 tree used below; adjust the paths in the following steps accordingly.

9: Change into "/etc/openvpn/easy-rsa/2.0" and edit the "vars" file so that KEY_CONFIG points at the OpenSSL 1.0 template (CentOS 6 ships OpenSSL 1.0):

$ cd /etc/openvpn/easy-rsa/2.0/
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

While you are in that file, consider raising KEY_SIZE from its default of 1024 to 2048: 1024-bit RSA keys and DH parameters are no longer considered adequate, and the value also decides the name of the DH file generated later (dh1024.pem or dh2048.pem), which must match the dh line in server.conf. Save the file after making the changes.

10: Create the CA. "source ./vars" only sets variables in the shell you run it in, so do this step and the next two in a single root shell (sudo -s) rather than prefixing the individual scripts with sudo, which would not see those variables. Run the commands in this exact order and make sure none of them errors; if one does, feel free to ask in the comments section. Note that "clean-all" wipes the keys directory, so never run it again once this CA is in use.

cd /etc/openvpn/easy-rsa/2.0
source ./vars
./clean-all
./build-ca

11: Build the certificate and key for the server.

./build-key-server server

NOTE: When you are asked to fill in the various fields (the usual ones asked when generating a certificate), fill them in as in the example or leave them blank and the defaults from "vars" will be used. Answer "y" to the two final questions about signing and committing the certificate.

12: Next, generate the Diffie-Hellman parameters. Diffie-Hellman is a key-exchange method that lets two parties establish a shared secret over an insecure channel without any previously shared secret. What this step produces is not a key but the public group parameters (prime and generator) the exchange runs on; they are written to keys/dh<KEY_SIZE>.pem, which is dh1024.pem with the default "vars". This step takes a while.

./build-dh

For in-depth knowledge of the D-H key exchange, you may refer to the following articles:

http://www.ietf.org/rfc/rfc2631.txt
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

13: Create the main OpenVPN server configuration file:

$ sudo vim /etc/openvpn/server.conf

port 1194 # default port
proto udp # default protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0 # disables periodic TLS renegotiation (rekeying); drop this line to keep the default hourly rekey
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt # Make sure to change the path if you change the name of the certificates
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem # name follows KEY_SIZE in vars: dh2048.pem if you raised it to 2048
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login # Comment this line if you are using FreeRADIUS; on 64-bit the plugin may live under /usr/lib64, check with "rpm -ql openvpn | grep auth-pam"
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf # Uncomment this line if you are using FreeRADIUS
client-cert-not-required # clients authenticate with username/password only; the server is still authenticated by its certificate
username-as-common-name
server 10.8.0.0 255.255.255.0 # Clients get addresses from this subnet after connecting, for example 10.8.0.6
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
user nobody # drop root once the tunnel is up; the auth-pam plugin keeps a privileged helper for PAM, so this works with it
group nobody
persist-key # needed so restarts work after dropping privileges
persist-tun
status openvpn-status.log # relative to /etc/openvpn
verb 3

14: Start the 'openvpn' service for the first time. If it fails to start, look in "/var/log/messages" for the lines tagged openvpn: the daemon logs to syslog, so everything it reports at verb 3 ends up in that file by default.

$ sudo /etc/init.d/openvpn start

15: You also need to turn on IP forwarding in the following file:

$ sudo vim /etc/sysctl.conf
net.ipv4.ip_forward = 1

NOTE: To apply the change immediately, run "sysctl -p" as 'root'. Inside an OpenVZ container it may print errors for other keys in that file that the container is not allowed to set; that is harmless as long as /proc/sys/net/ipv4/ip_forward now reads 1.

16: Next, create a username and password on the VPN server with which your clients can log in.

$ sudo useradd vpnuser1 -s /bin/false # "-s /bin/false" denies this user a shell, locally and over SSH; the account exists only for VPN authentication

$ sudo passwd vpnuser1

NOTE: Because the auth-pam plugin authenticates against the "login" PAM stack, any local account with a password can log into the VPN, not only the ones you create here. Keep that in mind when handing out system accounts on this server.

17: We are almost there; hang on for a few more minutes, it's time to route some traffic using iptables.

NOTE: These rules are specifically for a Virtual Private Server running on OpenVZ with the TUN module enabled. OpenVZ's venet0 interface does not work with MASQUERADE, so the VPN subnet is SNATed to the container's public IP explicitly. Two separate SNAT rules are often shown for this (one matching -o venet0, one matching -s 10.8.0.0/24); a single rule that requires both conditions does the same job without rewriting the container's own traffic:

$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source <VPN server's public IP>
$ sudo service iptables save

NAT alone is not enough on a stock CentOS 6 firewall: its INPUT and FORWARD chains end in a REJECT rule, so UDP 1194 must also be accepted in INPUT, and traffic between tun0 and venet0 must be accepted in FORWARD, with those accepts placed ahead of the REJECT. Review the result with "iptables -L -n" and "iptables -t nat -L -n" after saving.
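As an added example (not from the original post), the following script emits the complete rule set a CentOS 6 OpenVZ container needs for this setup, including the INPUT and FORWARD accepts that the stock firewall's trailing REJECT rules would otherwise block, and only applies it when explicitly asked. The public IP, interface name, VPN subnet and port are parameters; the sample values in the usage line are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Emits (and optionally applies)
# the iptables rules for an OpenVPN server in an OpenVZ container.
# CentOS 6's default rule set ends INPUT and FORWARD with
# "-j REJECT --reject-with icmp-host-prohibited", so the accepts are
# inserted (-I) at the top rather than appended after that REJECT.
# MASQUERADE does not work on venet0, hence an explicit SNAT to the
# container's public address.

# vpn_fw_rules PUBLIC_IP IFACE VPN_SUBNET UDP_PORT  -> prints one command per line
vpn_fw_rules() {
    pubip="$1"; iface="$2"; subnet="$3"; port="$4"
    case "$pubip" in
        *[!0-9.]*|"") echo "vpn_fw_rules: '$pubip' is not an IPv4 address" >&2; return 1 ;;
    esac
    [ -n "$iface" ] && [ -n "$subnet" ] && [ -n "$port" ] || {
        echo "usage: vpn_fw_rules PUBLIC_IP IFACE VPN_SUBNET UDP_PORT" >&2; return 1; }
    # Let clients reach the OpenVPN listener.
    printf '%s\n' "iptables -I INPUT -p udp --dport $port -j ACCEPT"
    # Forward VPN clients out to the Internet and replies back in; nothing
    # else is forwarded, so the container does not become a general router.
    printf '%s\n' "iptables -I FORWARD -i tun+ -o $iface -s $subnet -j ACCEPT"
    printf '%s\n' "iptables -I FORWARD -i $iface -o tun+ -d $subnet -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # One SNAT rule: only VPN-sourced traffic leaving the public interface
    # is rewritten to the container's public address.
    printf '%s\n' "iptables -t nat -A POSTROUTING -s $subnet -o $iface -j SNAT --to-source $pubip"
    # Persist to /etc/sysconfig/iptables so the rules survive a reboot.
    printf '%s\n' "service iptables save"
}

# Usage: sh vpn-fw.sh 203.0.113.10 venet0 10.8.0.0/24 1194 [--apply]
# Without --apply the commands are only printed for review.
if [ "$#" -ge 4 ]; then
    if [ "${5:-}" = "--apply" ]; then
        vpn_fw_rules "$1" "$2" "$3" "$4" | sh -e
    else
        vpn_fw_rules "$1" "$2" "$3" "$4"
    fi
fi
```

Print first, read the five lines, then rerun with --apply as root; "sh -e" stops at the first iptables command that fails so a typo does not leave a half-applied rule set that then gets saved.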

18: Create a configuration file for the client (file.ovpn) which will be used from your client's computer to connect to the VPN server.

client
dev tun
proto udp
remote 123.123.123.123 1194 # Your server IP and OpenVPN port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
remote-cert-tls server # only accept a certificate the CA marked for server use (build-key-server sets that extension)
auth-user-pass
comp-lzo
reneg-sec 0
verb 3

Save the above file with any name you want, but make sure that the extension is ".ovpn".

Your clients also need the CA certificate from the server, "ca.crt", which is at:

/etc/openvpn/easy-rsa/2.0/keys/ca.crt

NOTE: Only ca.crt leaves the server; never hand out server.key or ca.key from the same directory. Send ca.crt over a channel that is both authenticated and encrypted: scp or sftp over the SSH access you already have is the simplest, and an FTP server is acceptable only if it requires a username and password and runs over TLS (FTPS), since plain FTP sends credentials and the file in the clear. Giving clients the certificate's fingerprint by a second route (phone, chat) lets them confirm they received the right file.

Tell your clients to save both files (file.ovpn and ca.crt) in the same folder, install the OpenVPN client, and connect with the username and password that you (as the VPN administrator) have given them.
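Instead of shipping two files and arranging a file server, the CA certificate can be embedded in the .ovpn profile itself; OpenVPN 2.1 and later accept inline <ca> blocks. As an added example (not from the original post), this script builds such a single-file profile from the client settings above and refuses to embed anything that is not a plain certificate. The server address and port in the usage line, the fingerprint helper and the sanity checks are my own additions.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a single-file client
# profile with the CA certificate inline, so the client gets one file to
# drop into its OpenVPN config directory instead of file.ovpn + ca.crt.

# make_client_profile SERVER_IP UDP_PORT CA_CRT_PATH  -> prints the profile
make_client_profile() {
    server="$1"; port="$2"; ca="$3"
    [ -n "$server" ] && [ -n "$port" ] && [ -r "$ca" ] || {
        echo "usage: make_client_profile SERVER_IP UDP_PORT /path/to/ca.crt" >&2; return 1; }
    # Refuse anything that is not a PEM certificate, e.g. a key file picked
    # by mistake from the same keys/ directory.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || {
        echo "make_client_profile: $ca is not a PEM certificate" >&2; return 1; }
    if grep -q -- 'PRIVATE KEY' "$ca"; then
        echo "make_client_profile: $ca contains a private key, refusing" >&2; return 1
    fi
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
# Only accept a server certificate marked for server use by the CA
# (easy-rsa's build-key-server sets that extension).
remote-cert-tls server
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
<ca>
EOF
    # Emit just the PEM block, dropping any text printed before it.
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca"
    echo '</ca>'
}

# ca_fingerprint CA_CRT_PATH: SHA-256 fingerprint to give clients out of band
# so they can verify the embedded CA before first use (needs openssl).
ca_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Usage: sh make-profile.sh 198.51.100.7 1194 /etc/openvpn/easy-rsa/2.0/keys/ca.crt > client.ovpn
if [ "$#" -eq 3 ]; then
    make_client_profile "$1" "$2" "$3"
fi
```

The generated profile contains no secrets (the CA certificate is public), so it can be mailed to the client; the username and password still go separately, and the fingerprint from ca_fingerprint is what the client compares against before connecting for the first time.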

Security: For the people who take security seriously (we all should), below is a capture showing that all traffic between the client and the VPN server is encrypted from the moment the client connects until it disconnects.

As usual, if you have any further queries, feel free to leave a comment. Hope you enjoy configuring your very own VPN Server.
