I am back after a long time, courtesy of my loyal companion, which is none other than lethargy. This time around I am going to write a tutorial on installing CentOS OpenVPN on a VPS. This will be graphical like my other tutorials so that, if you follow it through, you install CentOS OpenVPN successfully and use it. The big question is: why should I install OpenVPN on a VPS? Well, for me the biggest reason is that I want to change my IP to watch stuff like Hulu and BBC iPlayer, which is restricted in my country. Another benefit of CentOS OpenVPN is the security it offers by encrypting traffic on public networks like public wifi spots, which are not very safe otherwise. There might be some other business benefits which I am not aware of.
Requirements:
You will need to buy a VPS with a vanilla install of CentOS 32 bit as the OS to install CentOS OpenVPN. The minimum memory is 64 MB, but I would recommend 128 MB to be on the safe side. Buy a VPS with an IP in the country you wish to see content from. For example, if you want to watch Hulu or other American restricted content, buy a VPS with an IP located in the USA. If you want to watch BBC content, you will need to buy a VPS from a UK hosting company. If you just want to bypass content filters in your country, then any VPS outside your country will do once you successfully install CentOS OpenVPN.
You will also need to download and install Putty which you can find here.
Step 1.
Log in to your VPS using Putty.
On the next screen login with user root and your root password.
You also need to ensure that the TUN/TAP interface is installed and enabled by your VPS provider to install CentOS OpenVPN. To check whether TUN/TAP is installed, issue the following command and see the output. If the output is something like "File Descriptor is in bad state", then TUN/TAP is installed. Otherwise, contact your VPS provider to install it or to install it correctly.
cat /dev/net/tun
Step 2
In order to install the CentOS OpenVPN server on the VPS, we need to add an extra repository named EPEL. Issue the following command to add the repository on CentOS 32 bit.
rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
Then issue the following command
yum update
After the CentOS OS updates, issue the following command to install the OpenVPN server on the VPS.
yum install openvpn
Step 3
CentOS OpenVPN uses easy-rsa as its encryption tools. In order for them to work correctly, they need to be moved to the openvpn directory. Issue the following command.
cp -R /usr/share/openvpn/easy-rsa/ /etc/openvpn
Step 4.
Next we need to configure the public key infrastructure variables. This is a good time to learn the basic commands of the Linux text editor called vi. Issue the following command.
vi /etc/openvpn/easy-rsa/2.0/vars
In order to edit the file, press the letter i on your keyboard. This puts the editor in insert mode. At the end of the file, change the email to an email of your choice. Leave the other options as they are. After you finish editing, press the Escape key, then type :wq and press Enter. Your changes will be saved.
Now is the time to initialize Public key infrastructure and build our own Certificate Authority. Issue the following commands one by one.
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca
After the last command, you will be presented with different options; just keep hitting the Enter key, because we have already set the values in the previous step 4.
In this step to install CentOS OpenVPN we are going to build Server Keys and certificates etc. Issue the following command.
. /etc/openvpn/easy-rsa/2.0/build-key-server server
Just hit Enter as many times as it is asked for, and twice you will need to enter y when offered the options y/n (meaning yes or no; you don't have any option but yes).
In the next step we are going to create client keys. Issue the following command.
. /etc/openvpn/easy-rsa/2.0/build-key client1
And as in the previous step, just hit Enter as many times as asked for, and y twice.
In this step, we are going to generate Diffie Hellman parameters, which are needed for key exchange and authentication with the CentOS OpenVPN server on the VPS. Issue the following command.
. /etc/openvpn/easy-rsa/2.0/build-dh
It will take some time and you will see the following output.
In this step, we are going to relocate the client keys to the client PC. You will need the WinSCP client to transfer the keys to any folder of your choice on your computer using the SFTP protocol. You will need your VPS IP and the root login and password to log in using WinSCP.
Next we need to relocate the following files to /etc/openvpn directory on VPS server
- ca.crt
- ca.key
- dh1024.pem
- server.crt
- server.key
We can do so by issuing the following commands one by one
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn
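An added check for the key material copied above (not part of the original tutorial). It flags three things in the server directory: a CA private key left on the VPN server, which the running server never reads, private keys readable by group or other, and DH parameters under 2048 bits. The function name `audit_openvpn_dir` is hypothetical, and the DH size is read from the easy-rsa file name rather than from the file contents.

```sh
#!/bin/sh
# Added example: audit an OpenVPN server directory for key-handling problems.
# Assumes the file names produced by the easy-rsa steps above.

# audit_openvpn_dir DIR
# Prints one finding per line; returns 0 when clean, 1 when findings exist.
audit_openvpn_dir() {
    dir=$1
    findings=0

    # The CA private key only signs certificates; the VPN daemon never needs it.
    if [ -e "$dir/ca.key" ]; then
        echo "WARN ca.key present: keep the CA private key off the VPN server"
        findings=$((findings + 1))
    fi

    # Private keys must carry no group/other permission bits.
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue
        perms=$(ls -ld "$key" | cut -c5-10)   # group+other part of the mode string
        if [ "$perms" != "------" ]; then
            echo "WARN $(basename "$key") is accessible to group/other: chmod 600"
            findings=$((findings + 1))
        fi
    done

    # easy-rsa names the DH file after KEY_SIZE (dh1024.pem, dh2048.pem, ...).
    for dh in "$dir"/dh*.pem; do
        [ -e "$dh" ] || continue
        bits=$(basename "$dh" .pem | sed 's/^dh//')
        case $bits in
            ''|*[!0-9]*) continue ;;          # name does not encode a size
        esac
        if [ "$bits" -lt 2048 ]; then
            echo "WARN $(basename "$dh"): $bits-bit DH parameters, use 2048 or more"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Run it as `audit_openvpn_dir /etc/openvpn` after the copy step; an empty output and exit status 0 mean none of the three conditions were found.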
Step 11
In this step we are going to configure the client.conf file on the VPS server, which we will subsequently use to connect to the CentOS OpenVPN server. Issue the following commands.
cp /usr/share/doc/openvpn-2.1.4/sample-config-files/server.conf /etc/openvpn/
cp /usr/share/doc/openvpn-2.1.4/sample-config-files/client.conf ~/
cd ~/
Next we need to edit the client.conf file. Issue the following command
vi ~/client.conf
Here we will edit the IP of the VPS server and change client.crt and client.key to client1.crt and client1.key.
Save by hitting Escape and then :wq, and exit the vi editor.
Step 12
Now is the time to start the Openvpn server and make it start even after boot. Issue the following commands.
/etc/init.d/openvpn start
chkconfig openvpn on
Next we are going to edit the server.conf file. Issue the following command.
vi /etc/openvpn/server.conf
In order to tunnel traffic through the VPS server, uncomment the following line by deleting the starting semicolon.
push "redirect-gateway def1 bypass-dhcp"
Save the file with :wq
Next issue the following command
vi /etc/sysctl.conf
Change
net.ipv4.ip_forward = 0
to
net.ipv4.ip_forward = 1
Now we set this variable for the current session by issuing the following command.
echo 1 > /proc/sys/net/ipv4/ip_forward
Next we need to configure iptables to NAT the traffic through the CentOS OpenVPN VPS. Issue the following commands one by one.
Edit the file and make it look like this
#!/bin/sh
#
# [...]
#
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 46.20.xxx.xx
touch /var/lock/subsys/local
Instead of 46.20.xxx.xx, use your own VPS IP above.
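Web pages often render the double dash of options such as --state as a single typographic dash, and iptables then rejects the pasted rule with "Bad argument". The following added example (not part of the original tutorial) scans a file for typographic dashes and curly quotes before it is run as root, and prints a corrected copy. The function names are hypothetical, and the correction assumes each typographic dash stands for a double hyphen.

```sh
#!/bin/sh
# Added example: catch typographic characters in commands pasted from a web page.
# Byte sequences are the UTF-8 encodings of the characters named in the comments.
EN_DASH=$(printf '\342\200\223')    # U+2013, what "--" is often rendered as
EM_DASH=$(printf '\342\200\224')    # U+2014
LDQUOTE=$(printf '\342\200\234')    # U+201C left double quote
RDQUOTE=$(printf '\342\200\235')    # U+201D right double quote
LSQUOTE=$(printf '\342\200\230')    # U+2018 left single quote
RSQUOTE=$(printf '\342\200\231')    # U+2019 right single quote

# find_typographic FILE
# Prints "lineno:text" for every affected line; exit status 0 if any were found.
find_typographic() {
    LC_ALL=C grep -a -n \
        -e "$EN_DASH" -e "$EM_DASH" \
        -e "$LDQUOTE" -e "$RDQUOTE" \
        -e "$LSQUOTE" -e "$RSQUOTE" "$1"
}

# fix_typographic FILE
# Writes a corrected copy to stdout; the input file is left untouched so the
# result can be reviewed before anything is executed.
fix_typographic() {
    LC_ALL=C sed \
        -e "s/$EN_DASH/--/g" -e "s/$EM_DASH/--/g" \
        -e "s/$LDQUOTE/\"/g" -e "s/$RDQUOTE/\"/g" \
        -e "s/$LSQUOTE/'/g" -e "s/$RSQUOTE/'/g" "$1"
}
```

For example, `find_typographic rules.sh` lists the lines to look at, and `fix_typographic rules.sh > rules.fixed.sh` produces a copy to compare against the original before it is used.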
Step 14
Now we will install dnsmasq package so that our browser traffic is also routed through the Openvpn on our Centos VPS server. Issue the following commands one by one.
yum install dnsmasq
/etc/init.d/dnsmasq start
chkconfig dnsmasq on
We need to edit server.conf one last time and add the following line. Issue the command
vi /etc/openvpn/server.conf
and add the following line to the file
push "dhcp-option DNS 10.8.0.1"
Hit escape and then :wq to save the file.
Finally we restart the CentOS openvpn server by issuing the following command.
/etc/init.d/openvpn restart
Now, on the client side on your PC, you need to download the OpenVPN client from here and install it.
Log in to your server again with WinSCP, rename the file client.conf on root to client1.conf, and transfer it to your PC, to the folder where you transferred the other three files in step 9.
In the programmes folder on your C drive, go to the OpenVPN folder and then copy all four files copied to your PC into the config/vpn folder. Rename the file client1.conf to client1.ovpn.
Now double-click OpenVPN GUI, and in the task pane at the right, right-click the icon and click Connect. Here you go. Enjoy your CentOS VPS as a CentOS OpenVPN server. Now you can browse with a changed IP address. You should visit any IP identification site like whatismyip.com and see your IP. Your IP should be that of your VPS. If it is not, then you missed some steps or made a mess of some steps of this easiest tutorial on installing OpenVPN on a CentOS VPS. My VPS IP address is in the UK, so I can watch BBC iPlayer stuff on my computer in Pakistan, which otherwise is not possible.
Hi ComputerGuru. Thanks for the easy step by step tutorial. I have 1 question. I followed your tutorial and I’m successfully connected to my VPN, but none of my ports are open. I can’t accept incoming connections. Do you know how I can fix that? Thanks
my assigned ip is 10.8.0.6 and the last few logs of the openvpn log say this
Wed Jul 13 13:23:41 2011 C:\WINDOWS\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jul 13 13:23:41 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jul 13 13:23:41 2011 Route addition via IPAPI succeeded [adaptive]
Wed Jul 13 13:23:41 2011 C:\WINDOWS\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 10.8.0.5
Wed Jul 13 13:23:41 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jul 13 13:23:41 2011 Route addition via IPAPI succeeded [adaptive]
Wed Jul 13 13:23:41 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Jul 13 13:23:41 2011 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Jul 13 13:23:41 2011 Route addition via IPAPI succeeded [adaptive]
Wed Jul 13 13:23:41 2011 Initialization Sequence Completed
What do you mean by incoming connections? You have already connected to the openvpn server.
You can open the utorrent port (whichever it is) by doing the following. The example in this case is port 80. You can change the port number to your utorrent port.
Open file /etc/sysconfig/iptables:
# vi /etc/sysconfig/iptables
Append rule as follows:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
After saving the file, do a restart of iptables
# /etc/init.d/iptables restart
And for doing all this you will need to learn basic commands of linux text editor Vi. or any editor of your choice.
Thanks Guru, is there any way to have all ports open and make this a lot easier? I’m not having much luck with that last part. Still no incoming connections on utorrent.
problem solved
iptables -t nat -A PREROUTING -i eth0 -d SERVERIP -p tcp --dport 6881 -j DNAT --to 10.8.0.6
iptables -t nat -A PREROUTING -i eth0 -d SERVERIP -p udp --dport 6881 -j DNAT --to 10.8.0.6
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p tcp --dport 6881 -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i eth0 -p udp --dport 6881 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 10.8.0.0/24 -j SNAT --to SERVERIP
Hello,
I followed this tutorial to install openvpn
I have a problem with step 12
when I run the command:
/etc/init.d/openvpn start
I have this error message
Code:
-bash-3.2# /etc/init.d/openvpn start
Starting openvpn: [FAILED]
Can you help me?
thank you
Hey would you like to help me setup the vpn for me on my vps, I will pay you good, haha
please email me
thanks for the tuto but I get stuck at:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
I get bad argument "-state"
As I’m not a linux pro could you help?
How did you fix this error? I also get error message “Bad argument”. Please help it’s urgent. thanks a lot
Note that it’s not -state (single dash), but --state (two dashes). That will fix the problem.
I found my error and the VPN is working fine. Thanks again for that tutorial.
Hi,
I got the same error. What was your solution?
here the solution:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
use "--" before the second state RELATED,ESTA…
Could you explain what your error was? (same situation)
It is double dash, not single dash: --state, not -state
Just After
“Now is the time to start the Openvpn server and make it start even after boot. Issue the following commands.
/etc/init.d/openvpn start”
I get
starting openvpn: [FAILED]
what may be the problem? i’ve followed all the instructions. i’ve also tried /sbin/service openvpn
Thx
I am getting the same as Jonathan… it states that openvpn failed to start when running the command and I can’t get it to run.
Hello,
Could you be more specific on how to forward a port.
Thanks
thx for your article
but I am facing a little problem
the problem is that my external IP did not change (only the internal one), I checked it using
http://www.whatismyip.org
When I try this command: “/etc/init.d/dnsmasq start” I get this error message:
Starting dnsmasq:
dnsmasq: failed to create listening socket: Address already in use
[FAILED]
What’s the solution? Thanks
Hi, i want to ask, if i use 3 users so i should regenerate the key right?
can you tell me from the step where I should start? thanks
Everything works great !
Thanks bro.
Jonathan:
It is a little late, but if you are still having problems bringing up the service, check if you have in /etc/openvpn more than one .conf file. The daemon tries to start a service for each .conf encountered in /etc/openvpn. If you happen to have, for example, the client.conf in /etc/openvpn the service will not start.
Thank you, that solved the problem I was having.
In step 5, when I type . /etc/openvpn/easy-rsa/2.0/build-ca the system has an error
error on line 146 of . /etc/openvpn/easy-rsa/2.0/openss1.cnf
21581:error:0E065068:configuration file routines:STR_COPY:variable has no value:
conf_def.c:629:line 146
Could somebody help me please?
Thanks
Hi
Thanks for this. I have followed it through and seem to have a working install on my VPS server.
Only problem is I cannot get OpenVPN to work on my Windows 7 PC!
Seems to be a problem with the TAP Driver.
Have you any ideas?
Also is it possible to setup a router to use the VPN Server?
Thanks
DR
When connecting the openvpn client
I get this error at the end of the log
Sun Nov 27 03:57:19 2011 IMPORTANT: OpenVPN’s default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sun Nov 27 03:57:19 2011 Re-using SSL/TLS context
Sun Nov 27 03:57:19 2011 LZO compression initialized
Sun Nov 27 03:57:19 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Nov 27 03:57:19 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Sun Nov 27 03:57:19 2011 Local Options hash (VER=V4): ’41690919′
Sun Nov 27 03:57:19 2011 Expected Remote Options hash (VER=V4): ’530fdded’
Sun Nov 27 03:57:19 2011 UDPv4 link local: [undef]
Sun Nov 27 03:57:19 2011 UDPv4 link remote: 173.204.51.171:1194
Sun Nov 27 03:58:19 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Nov 27 03:58:19 2011 TLS Error: TLS handshake failed
what could be the problem
i also have this problem
dnsmasq: failed to create listening socket: Address already in use
hi ComputerGuru,
I went through all the steps and I have connected to my VPS server. but my wireless external ip address has not changed yet and I am not able to surf the net
where to buy vps?.. the cheapest one like $10.00 ^_^!..
@ amin forget about dnsmasq , it should work even without dnsmasq.
@ amir you need to give care to Step 12 , something went wrong there.
@ ron one such website is lowendstock.com .
when I run the /etc/init.d/dnsmasq start, I got this message:
dnsdomainname: Unknown host
Starting dnsmasq: [ OK ]
Also I got the error message in openvpn log, vpn can connect, but still no traffic
Sat Dec 31 22:33:15 2011 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Sat Dec 31 22:33:15 2011 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [status=160 if_index=19]
Sat Dec 31 22:33:15 2011 Route addition via IPAPI failed [adaptive]
Sat Dec 31 22:33:15 2011 Route addition fallback to route.exe
The problem of dnsmasq has been solved after correcting the host name in /etc/resolv.conf. But I still have the problem with routing.
After following the steps ..to “STEP 12 /etc/init.d/openvpn start” my openvpn could not startup …it did show “FAILED!!”
Please what did i do wrong .
Thanks
Hi,
Thanks a lot for this tutorial i followed all the steps and i can connect to my vpn successfully but when i open any URL it redirect me to the webserver that installed on the same server with the vpn? is there any idea why it act like this?
I have a CentOS 64 VPS using cPanel (not vanilla). Can this be installed on that?
Hello ! After step 2 ….result this:
http://yum.pbone.net/56/i386/repodata/repomd.xml: [Errno 14] HTTP Error 407: Proxy Authentication Required
Trying other mirror.
Cannot open/read repomd.xml file for repository: 56i386
failure: repodata/repomd.xml from 56i386: [Errno 256] No more mirrors to try.
Error: failure: repodata/repomd.xml from 56i386: [Errno 256] No more mirrors to try.
What to do ?
Hi
i followed your guide but couldnt do the dnsmasq as you stated it will work with out it
i can connect it says client1 connected asigned ip is 10.8.0.6 but i cant surf the net my internet stops working until i disconnect from the openvpn
i have csf firewall running and i disabled it to see if it was the firewall but the same still happened
please help me out
thank
Hi
For anyone stuck at Step 2 EPEL link is broken. Use this instead:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
sorry i mean i.p’s
plz hw can i configure multi server so that i can combine like 5 i.p’s different on a portable openvpn…..
help thankz
Hey thanks for this. But I ended up with some errors. I tried fixing them but to no success. I Googled more and I found this: http://www.l337fx.com/openvpn-vz-vps-bash-script-centos.html
Would that bash script work? Please help! I really need the OpenVPN to be installed
Oh and my OS is CentOS 6
Hello guys, for the broken EPEL link use this one for the 32-bit CentOS: rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
and for step 12 use this command, the last one: iptables -t nat -A POSTROUTING -j SNAT --to-source YOURVPSIP
I want to know something, guys: the client.conf on root, I didn’t find it on my server. Can anyone help?
i can’t think more than that TIRED!
I get this message on my PC when I try to connect to my vps
‘unable to connect because your sertificate no yet falid’
How to solve that
Hi i am facing this issue please help on this
3 06:02:19 silicon-india openvpn[24436]: 192.168.0.238:1044 TLS Error: TLS handshake failed
Jun 3 06:02:19 silicon-india openvpn[24436]: 192.168.0.238:1044 SIGUSR1[soft,tl s-error] received, client-instance restarting
Jun 3 06:02:20 silicon-india openvpn[24436]: MULTI: multi_create_instance calle d
Jun 3 06:02:20 silicon-india openvpn[24436]: 192.168.0.238:1108 Re-using SSL/TL S context
Jun 3 06:02:20 silicon-india openvpn[24436]: 192.168.0.238:1108 LZO compression initialized
Jun 3 06:02:20 silicon-india openvpn[24436]: 192.168.0.238:1108 Control Channel MTU parms [ L:1538 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jun 3 06:02:20 silicon-india openvpn[24436]: 192.168.0.238:1108 Data Channel MT U parms [ L:1538 D:1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
Jun 3 06:02:20 silicon-india openvpn[24436]: 192.168.0.238:1108 Local Options S tring: ‘V4,dev-type tun,link-mtu 1538,tun-mtu 1500,proto UDPv4,comp-lzo,cipher B F-CBC,auth MD5,keysize 128,key-method
Dude you are awsome!!!
Thank you so much for your step-by-step guide. This is really the best how-to I found in the web. And believe me, I was really looking very hard.
*thumbsup*
I get connected but when browsing, my vps is in USA, but I keep working as overseas overseas, like the tunneling had no effect. What should I check ?
Please
Thanks
Thanks. Great guide!
For people wanting to use openvpn over an http proxy, you need to edit server.conf and client.conf/ovpn and put ; in front of “proto udp”
and remove the ; from in front of “proto tcp”.
Also for Windows 7 – 64-bit users, see the following link – http://www.jpuddy.net/2009/using-openvpn-in-windows-7-64-bit/
Hi,
Excellent tuto. On the last step, i’ve got: connected – assigned to IP 10.8.0.6
All seems to be working but I cannot surf. My browser tries to connect to whatismyipaddress.com/ but this site never appears; I’ve got a connection but the internet doesn’t run clearly.
Kind Regards.
Dude. Thank you SO much. After following ~10 other tutorials, on several VPS’s including OpenVPN-AS and still couldn’t get it working. THIS tutorial helped heaps. <3
Hi,
Excellent, OpenVPN-AS support Mac OS X etc (lion 10.7.x,10.8.x)
thk
I’m stuck at step 3 and step 4.
Look, http://content.screencast.com/users/sanctus.ct/folders/Snagit/media/411fc143-5138-41a2-aec0-15508934eff6/06.10.2013-22.22.png
And help plz.
P.S. I’m using centos 86-64 btw.