Installing OpenVPN server on CentOS / Amazon Linux

I prefer to route all my traffic through a vpn server, so I can allow traffic based on just the ip address of my vpn server instead of all ip addresses of the different locations I work at. OpenVPN is a very safe and easy to setup vpn solution. This howto will guide you through the process of installing and configuring OpenVPN on CentOS or Amazon Linux.

Install the OpenVPN and Git packages.

yum install openvpn git  

Now we can setup the /etc/openvpn folder. We are doing this by copying the easy-rsa files from the openvpn repository and copying the sample server config file from the openvpn folder.

git clone https://github.com/OpenVPN/easy-rsa /tmp/easy-rsa  
cp -r /tmp/easy-rsa/easyrsa3 /etc/openvpn/easy-rsa  
cp /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/server.conf /etc/openvpn/  

The vars file will be used to create the self-signed certificates. Edig the /etc/openvpn/easy-rsa/vars to contain the following values (you can replace the values with your own values).

export KEY_COUNTRY="US"  
export KEY_PROVINCE="NY"  
export KEY_CITY="New York"  
export KEY_ORG="Organization Name"  
export KEY_EMAIL="administrator@example.com"  
export KEY_CN=droplet.example.com  
export KEY_NAME=server  
export KEY_OU=server  

Next thing is creating the Certificate Authority so we can sign our server and client cetificates.

cd /etc/openvpn/easy-rsa  
$ ./easyrsa init-pki
$ ./easyrsa build-ca
$ ./easyrsa gen-dh

This will create the server certificate. If you need to set a password on the certificate, you can remove nopass.

$ ./easyrsa build-server-full server nopass

Copy the files to the /etc/openvpn folder.

cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/  

Update the openvpn server configuration file /etc/openvpn/server.conf. Update the values with these values. These settings will use the Google DNS servers, and configure OpenVPN so it will drop privileges when started.

ca ca.crt  
cert server.crt  
key server.key 

dh dh.pem

push "redirect-gateway def1 bypass-dhcp"

push "dhcp-option DNS 8.8.8.8"  
push "dhcp-option DNS 8.8.4.4"

user nobody  
group nobody  

Edit /etc/sysctl.conf to enable packet forwarding.

net.ipv4.ip_forward = 1  
$ sysctl -p

And finally we can start the OpenVPN daemon. Remember that OpenVPN runs on tcp and udp port 1194, so these ports should be opened in the firewall.

service openvpn restart  

Next thing will be to create the client certificates. If you need to set a password on the certificate, you can remove nopass:

$ ./easyrsa build-client-full client nopass

Copy the following files to the client:

  • /etc/openvpn/easy-rsa/pki/ca.crt
  • /etc/openvpn/easy-rsa/pki/issued/client.crt
  • /etc/openvpn/easy-rsa/pki/private/client.key
  • /usr/share/doc/openvpn-2.3.2/sample/sample-config-files/client.conf

Edit client.conf and update the remote attribute with the address of the vpn server (change my-server with the dns name or ip address).

remote my-server 1194  

Now the client should create a tunnel with the openvpn server and forward packets. You can check your ip address easily with http://ifconfig.me/.


These are some common errors:

nsCertType ERROR

If you are getting the following error on the client, the server certification isn't containing the server type attribute:

Fri Jan 07 09:46:13 2011 VERIFY nsCertType ERROR: /C=###/ST=###/L=###/O=###/emailAddress=###@###.com/CN=###, require nsCertType=SERVER  

This can be fixed by either adding the attribute, or removing the check from the client. Adding the attribute to the server certificate (add following lines to openssl.conf):

[server]
nsCertType=server  

Or by disabling the type check on the client by commenting the following line:

; ns-cert-type server

Failed to update databases

If you are getting the following error:

failed to update database  
TXT_DB error number 2  

This is because the certificate has been already created by the server. You need to either revoke it or remove it from the pki/index.txt.