Howto install OpenVPN 2 on CentOS 6

These are my notes on howto install OpenVPN 2 on CentOS 6, more specifically OpenVPN 2.3.2 on CentOS 6.5.  My notes build on the DigitalOcean community guide and are accurate as of 25 April 2014.  The guide was a helpful starting point but I’ve managed to shorten a couple of the steps and updated some to take into account directories having moved, etc.

To start off you need to be on the console of the server you wish to run OpenVPN on.  I ran all of these commands as the root user, you may need to su or sudo as necessary.

  1. rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
  2. yum install openvpn -y
  3. cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
  4. nano-w /etc/openvpn/server.conf
    1. Replace
      1. ;push “redirect-gateway def1 bypass-dhcp”
      2. push “redirect-gateway def1 bypass-dhcp”
    2. Add
      1. push “dhcp-option DNS 8.8.8.8”
      2. push “dhcp-option DNS 8.8.4.4”
    3. Replace
      1. ;user nobody
        ;group nobody
      2. user nobody
        group nobody
    4. Replace
      1. dh dh1024.pem
      2. dh dh2048.pem
    5. Save and exit nano
  5. yum install easy-rsa -y
  6. mkdir -p /etc/openvpn/easy-rsa/keys
  7. cp -R /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
  8. nano-w /etc/openvpn/easy-rsa/vars
    1. Replace values as necessary
      1. export KEY_COUNTRY=”US
        export KEY_PROVINCE=”CA
        export KEY_CITY=”SanFrancisco
        export KEY_ORG=”Fort-Funston
        export KEY_EMAIL=”me@myhost.mydomain
        export KEY_OU=”MyOrganizationalUnit
    2. Save and exit nano
  9. cd /etc/openvpn/easy-rsa
  10. source ./vars
  11. ./clean-all
  12. ./build-ca
  13. ./build-key-server server
  14. ./build-dh
  15. cd /etc/openvpn/easy-rsa/keys
  16. cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
  17. cd /etc/openvpn/easy-rsa
  18. ./build-key client
  19. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0-j MASQUERADE
    1. if unsure of eth0 (network interface) use ifconfig to look it up first
  20. service iptables save
  21. nano-w /etc/sysctl.conf
    1. Replace
      1. net.ipv4.ip_forward = 0
      2. net.ipv4.ip_forward = 1
    2. Save and exit nano
  22. service openvpn start
  23. chkconfig openvpn on
  24. Download the following files to your client
    1. /etc/openvpn/easy-rsa/keys/ca.crt
    2. /etc/openvpn/easy-rsa/keys/client.crt
    3. /etc/openvpn/easy-rsa/keys/client.key
  25. In same directory on client create client.ovpn
    1. Insert replacing items in bold as necessary
      1. client
        dev tun
        proto udp
        remote X.X.X.X 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        comp-lzo
        verb 3
        <ca>
        Contents of ca.crt
        </ca>
        <cert>
        Contents of client.crt
        </cert>
        <key>
        Contents of client.key
        </key>

Hope some of you find this useful, any issues please leave a comment.