YES, that is correct, you are reading it right, we can certainly configure OpenVPN if you have a VPS (Virtual Private Server) with you. And believe me, it does work, I have tested it myself on my VPS. Check list that you must follow is the following and then I will explain each one of the below mentioned points in detail.
1. Make sure TUN/TAP is enabled.
2. I have tested it on CentOS 6.4 but the steps should be similar in other Linux distros as well.
3. Well, there are no more points. You were expecting more, were you?
1. Make sure TUN/TAP is enabled: Most of the VPS providers provide it (at least low end providers). If your VPS is providing you with the SolusVM panel, then surely you can enable/disable it from that very panel. If your provider provided you with VirtPanel, then my friends, you need to contact your provider to turn that module “ON” for you. If any other Panel is provided, I would recommend you to contact your provider. One other way using which you can check if ‘TUN‘ module is enabled for your VPS is as follows:
Connect to your VPS via SSH and run the following command:
$ sudo cat /dev/net/tun
If you get anything except : “cat: /dev/net/tun: File descriptor in bad state“; that means the TUN module is not enabled for your VPS.
If you are a provider and want to add this module to your client’s VPS, you may follow the steps below:
# lsmod | grep tun //If nothing shows up, you probably need to load the TUN module.
# modprobe tun //This will load the TUN module on the host machine.
Next, you need to make the TUN available for a specific container:
CTID=101 //CTID here is the container number vzctl set $CTID --devnodes net/tun:rw --save vzctl set $CTID –devices c:10:200:rw --save vzctl set $CTID –capability net_admin:on --save vzctl exec $CTID mkdir -p /dev/net vzctl exec $CTID mknod /dev/net/tun c 10 200 vzctl exec $CTID chmod 600 /dev/net/tun
After this is done, try to run “cat /dev/net/tun” inside the container again and you should be able to get the necessary results. If everything goes well, then you have successfully enabled the TUN module for your VPS container. Pat yourself on your back
Now that we have TUN enabled for our VPS container, it’s time to dive in and configure OpenVPN.
1: Log into your VPS container with the normal user. I would recommend to use ‘sudo’ instead of actually logging into as ‘root’.
2: Install the required packages:
$ sudo yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
3: Get the ‘LZO’ rpm from the following link.
$ wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Here, I have used rpmforge repo to install the OpenVPN version 2.2.2.
4: Install the rpmforge repo:
For CentOS 6 32-bit:
For CentOS 6 64-bit:
5: Next, we need to build the RPM for lzo that we have downloaded previously.
$ rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
6: If that is successful, then install the RPM of ‘lzo’ and also install the ‘rpmforge’ repo.
$ sudo rpm -Uvh lzo-*.rpm $ sudo rpm -Uvh rpmforge-release*
7: If you have made this far, we are already half way there. Now, it’s time to install ‘openvpn’ package.
$ sudo yum install openvpn
8: Next, copy the ‘easy-rsa‘ directory from ”/usr/share/doc/openvpn-2.2.2/” to “/etc/openvpn”
cp-R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
NOTE: ‘easy-rsa’ directory is available with the openvpn versions 2.2.2 and prior to that. If you have used EPEL repo to install openvpn (which is the latest stable version available for Red Hat type operating systems), ‘easy-rsa’ is not available with the deault installation of openvpn and you need to download it from a different source such as ‘github’. To download that source directory from ‘github’, you may run the following from the terminal directly.
$ sudo git clone https://github.com/OpenVPN/easy-rsa.git $ sudo git clone git://openvpn.git.sourceforge.net/gitroot/openvpn/easy-rsa
By default, ‘easy-rsa’ will be placed at inside the directory in which you ran the commands above.
9: After that, change directory into: “/etc/openvpn/easy-rsa/2.0″ and make the following changes to “vars” file:
$ cd /etc/openvpn/easy-rsa/2.0/ exportKEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Save the file after making the above change.
10: Create the necessary certificates and then build the CA file. Run the following command in the exact order. Make sure no errors are faced, if you face any error feel free to ask in the comments section.
cd/etc/openvpn/easy-rsa/2.0 source ./vars ./vars ./clean-all ./build-ca
11: Build the key for the server.
NOTE: When you are asked to fill the various fields (that are normally asked when generating a certificate), do not worry and fill in the fields as mentioned in the example or you may leave the fields blank and the default values will be filled in automatically.
12: Next, we need to generate the “Diffie Hellman” key. Diffie Hellman key exchange is a cryptographic keys exchange method that allows two parties/nodes to establish a shared secret key over an insecure communication channel that have no knowledge of each others existence.
$ sudo ./build-dh
For in-depth knowledge of D-H key exchange, you may refer to the following articles:
13: Create OpenVPN over all configuration file:
$ sudo vim /etc/openvpn/server.conf port 1194 # default port proto udp # default protocol dev tun tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 reneg-sec 0 ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt # Make sure to change the path if you change the name of the certificates cert /etc/openvpn/easy-rsa/2.0/keys/server.crt key /etc/openvpn/easy-rsa/2.0/keys/server.key dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login # Comment this line if you are using FreeRADIUS #plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf # Uncomment this line if you are using FreeRADIUS client-cert-not-required username-as-common-name server 10.8.0.0 255.255.255.0 # This will be the IP of the client after connecting to the VPN server,for example, 10.8.0.3 push "redirect-gateway def1" push "dhcp-option DNS 220.127.116.11" push "dhcp-option DNS 18.104.22.168" keepalive 5 30 comp-lzo persist-key persist-tun status 1111.log verb 3
14: For the first time, let’s start the ‘openvpn’ service. If you face any issues while restarting, have a look at “/var/log/messages” and find the errors related to openvpn. You can diagnose that file further as all the logs related to openvpn are saved in that file by default.
$ sudo /etc/init.d/openvpn start
15: You would also need to turn on the IP forwarding from the following file.
$ sudo vim /etc/sysctl.conf net.ipv4.ip_forward = 1
NOTE: To make the change effective immediately, run “sysctl -p” from the terminal as ‘root’ user.
16: Next step is to create a username and password on the VPN server with which your clients can log in.
$ sudo useradd vpnuser1 -s /bin/false # “-s /bin/false” will not allow that user to log into the shell locally or remotely, it will only be for the vpn session $ sudo passwd vpnuser1
17: We are almost there, hang on there for a few more minutes, it’s time to route some traffic using iptables.
NOTE: These rules are specifically for the Virtual Private Server which are running on OpenVZ technology and have TUN module enabled.
$ sudo iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source <<VPN server’s public IP>> $ sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source <<VPN server’s public IP>> $ sudo service iptables save
18: Create a configuration file for the client (file.ovpn) which will be used from your client’s computer to connect to the VPN server.
client dev tun proto udp remote 22.214.171.124 1194 # – Your server IP and OpenVPN Port resolv-retry infinite nobind tun-mtu 1500 tun-mtu-extra 32 mssfix 1450 persist-key persist-tun ca ca.crt auth-user-pass comp-lzo reneg-sec 0 verb 3
Save the above file with any name you want but make sure that the extension is ” .ovpn “.
Also your clients need to have the file from the server called “ca.crt” which you can locate from the location mentioned below.
NOTE: To make the above file available to your clients, you may configure FTP server and share this file with the clients. (make sure to configure your FTP server to be accessed by authenticated clients, in other words, protect the access using username and passwords and SSL certificates).
Make sure to let your clients know to save both the files (file.ovpn and ca.crt) in the same folder, install the openvpn client and access VPN server using the username and password that you (as the VPN administrator) have provided them.
Security: For the people who take security very seriously (we all should), below is the proof that all the traffic is encrypted from the point a client connects to the VPN till he disconnects.
As usual, if you have any further queries, feel free to leave a comment. Hope you enjoy configuring your very own VPN Server.