Howto install OpenVPN 2 on CentOS 6

These are my notes on howto install OpenVPN 2 on CentOS 6, more specifically OpenVPN 2.3.2 on CentOS 6.5. My notes build on the DigitalOcean community guide and are accurate as of 25 April 2014. The guide was a helpful starting point but I’ve managed to shorten a couple of the steps and updated some to take into account directories having moved, etc.

To start off you need to be on the console of the server you wish to run OpenVPN on. I ran all of these commands as the root user, you may need to su or sudo as necessary.

  1. rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
  2. yum install openvpn -y
  3. cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
  4. nano-w /etc/openvpn/server.conf
    1. Replace
      1. ;push “redirect-gateway def1 bypass-dhcp”
      2. push “redirect-gateway def1 bypass-dhcp”
    2. Add
      1. push “dhcp-option DNS 8.8.8.8”
      2. push “dhcp-option DNS 8.8.4.4”
    3. Replace
      1. ;user nobody
        ;group nobody
      2. user nobody
        group nobody
    4. Replace
      1. dh dh1024.pem
      2. dh dh2048.pem
    5. Save and exit nano
  5. yum install easy-rsa -y
  6. mkdir -p /etc/openvpn/easy-rsa/keys
  7. cp -R /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
  8. nano-w /etc/openvpn/easy-rsa/vars
    1. Replace values as necessary
      1. export KEY_COUNTRY=”US
        export KEY_PROVINCE=”CA
        export KEY_CITY=”SanFrancisco
        export KEY_ORG=”Fort-Funston
        export KEY_EMAIL=”me@myhost.mydomain
        export KEY_OU=”MyOrganizationalUnit
    2. Save and exit nano
  9. cd /etc/openvpn/easy-rsa
  10. source ./vars
  11. ./clean-all
  12. ./build-ca
  13. ./build-key-server server
  14. ./build-dh
  15. cd /etc/openvpn/easy-rsa/keys
  16. cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
  17. cd /etc/openvpn/easy-rsa
  18. ./build-key client
  19. iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0-j MASQUERADE
    1. if unsure of eth0 (network interface) use ifconfig to look it up first
  20. service iptables save
  21. nano-w /etc/sysctl.conf
    1. Replace
      1. net.ipv4.ip_forward = 0
      2. net.ipv4.ip_forward = 1
    2. Save and exit nano
  22. service openvpn start
  23. chkconfig openvpn on
  24. Download the following files to your client
    1. /etc/openvpn/easy-rsa/keys/ca.crt
    2. /etc/openvpn/easy-rsa/keys/client.crt
    3. /etc/openvpn/easy-rsa/keys/client.key
  25. In same directory on client create client.ovpn
    1. Insert replacing items in bold as necessary
      1. client
        dev tun
        proto udp
        remote X.X.X.X 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        comp-lzo
        verb 3
        <ca>
        Contents of ca.crt
        </ca>
        <cert>
        Contents of client.crt
        </cert>
        <key>
        Contents of client.key
        </key>

Hope some of you find this useful, any issues please leave a comment.

Fix broken portage on RPS running OVH Release 2

It was always going to happen.

With my current web host (OVH) when setting up my server (RPS) I chose to run it using their custom version of gentoo Linux (OVH Release 2). They offer a number of choices but this seemed like the best pick because it was their release running on their hardware so I figured it would just get the job done.

That was all fine until I went and broke it. Well, when I say broke it, I didn’t break it exactly so much as stupidly try to update it so that it would be running the latest shiny version of things.

This was out not a sensible plan and the net upshot was that I broke the portage system. Impressively though gentoo didn’t fall over despite my ineptitude and kept serving up my websites (including this one) without issue. The only thing was, I had no idea how to put things right!

So, after much tinkering behind the scenes (with gentoo still managing to keep going despite me doing my best to knock lumps out of it and wreck it completely) I managed to get things back on a proper footing, i.e. a working Release 2 running the latest patches from OVH.

Here’s what I did to fix the mess I created which I’m sharing because I thought it might be useful to other people out there who have also “tinkered” with their RPS and struggle, as I did, to read all the technical support that’s mainly found in French on the OVH RPS forums.

Disclaimer: These commands worked for me but they might not work for you so if you decide to use them backup everything on your RPS first because I’m not responsible for any commands you issue to your server!

  1. Firstly SSH into your RPS with root access. This will land you in the home directory.
  2. Run the command: echo “2.10” > /etc/ovhrelease as this will fool the OVH updater into thinking you’re running an earlier version of Release 2.
  3. Run: eselect profile list
  4. Look at the list and find the number of the profile that matches: default-linux/x86/2007.0/desktop on my RPS it was 4.
  5. Run: eselect profile set <> where <<NUMBER>> is the profile number you looked up at step 5, e.g. for me it was eselect profile set 4
  6. Remove any pre-existing upgrade scripts with: rm -rf patch-2.*.sh to make sure that you get a clean update.
  7. Restore and run the OVH patch-all scripts with: wget ftp://ftp.ovh.net/made-in-ovh/release/patch-all.sh -O patch-all.sh; sh patch-all.sh
  8. Now, that should, ditch the broken portage tree and run every automatic update script since they released 2.10. I found that this upon reaching patch 2.19 it was necessary to change the profile again.
  9. Run: eselect profile list again
  10. Look at the list and find the number of the profile that matches: default/linux/x86/2008.0/desktop on my RPS it was 9.
  11. Run: eselect profile set <<NUMBER>> where <<NUMBER>> is the profile number you looked up at step 5, e.g. for me it was eselect profile set 9
  12. Run: sh patch-all.sh
  13. This should finish the patches and bring you up to current which at the time of writing is 2.30.

Hopefully this will be of some use to those out there like me who just can’t help tinkering with things!

Connecting to a linux share from windows

I’ve been having one of those annoying problems connecting to my NAS that I wasn’t able to pin down. Finally after a bit of a rummage on the internet I stumbled across the following on Tomshardware.com:

Hi all,
I have a similar problem with Ubuntu Server and Windows Vista and Seven.
I have created a share on Samba with user and password. I opened some ports on the firewall to allow access outside.
I can see the share and mapping the disk with this command:

NET USE Z: \\publicIP\share “PASSWORD” /USER:user

The problem is that: When I’m opening a file (Excel for example) this file is always in ready only mode. With Windows XP everything works fine.
Can this fix resolve my problems?

Control Panel – Administrative Tools – Local Security Policy
Local Policies – Security Options
Network security: LAN Manager authentication level
Send LM & NTLM responses
Minimum session security for NTLM SSP
Disable Require 128-bit encryption

I basically had the same issue.

With mine it all came down to the fact that windows didn’t like “multiple” connections using different usernames, in my case one username and one anonymous access.

So, if anyone else comes across this bloody simple yet irritating problem do the following:

  1. Run “net use” from a command prompt to see if you are already connected to \\share on your windows PC.
  2. If you are then sever that connection using “net use” again with an added “/delete” switch.
  3. Reconnect using the login and password using either “net use” or explorer.

Sounds simple but it took me ages to figure out purely because I wasn’t logging in to begin with!