TOP

Setup a Tun/Tap OpenVPN Server on OpenVZ in Under 5 Minutes

How can I install a VPN server on my VPS in order to access the internet through it? If you want to skip the background and methodology behind the script, skip to the section called “Installing OpenVPN on OpenVZ.”

One of the pre-requisites to run common PPTP and IPSEC VPN protocols is PPP. Due to the nature of OpenVZ virtualization, it requires it’s own custom version of the Linux Kernel to run. As a result, ppp is not available for us to use.

So, OpenVPN is the simplest way to get a VPN server running on your VPS since it utilizes the TUN interface /dev/net/tun and creates a tunnel to your client software running on your PC. Then, using simple IPTables rules, you can masquerade or NAT your traffic to your public interface. Sounds complicated? to a degree it can be (depending on your linux knowledge level).

So we have come up with  a script that will allow you to install a “simple” version of OpenVPN server and allow you to download the appropriate configuration file (.ovpn & certificate) to import into the OpenVPN client software. This requires no configuration from your side other than running the script and answering some questions in the wizard.

Installing OpenVPN on OpenVZ

The following script will do the following things:

  1. It will check to ensure tun/tap is enabled. If it isn’t you will need to contact your support department and have it enabled before continuing.
  2. It will download and install the RPMForge Repository for CentOS (where OpenVPN packages are located)
  3. It will use YUM and install all the required packages (openvpn openssl openssl-devel)

Once the required packages are installed the script will create a sample easy to use configuration for OpenVPN and put the required files you will need for your Client to connect in /root/openvpn-keys.tgz

It will set OpenVPN to run on boot and create the necessary iptables NAT rules to route your traffic to your primary Public IP address and save it so it will remember when iptables is restarted.

Installation Steps

Download the following script (tested and supported on CentOS 5 32bit) and run as root:  OpenVPN Install Script

or

Type the following commands as root:

cd ~
wget http://www.openvz.ca/scripts/install-openvpn.sh
chmod 700 install-openvpn.sh
./install-openvpn.sh

Wizard Instructions:

  • When asked to enter a “Passphrase” do not enter one, leave it blank and just press “enter”
  • When asked for Country Code, Province, City… These do not have the be accurate. Any values will do.
  • When asked if you want to build/sign the generated certificates enter yes (y).
  • It is normal for it to ask you two times for the same information (Since you are generating both client/server keys)

The final step is to download the /root/openvpn-keys.tgz archive, unzip it on your PC and import the .ovpn file in your OpenVPN Client (you can download it here if you haven’t already). This will create a simple button in your client and allow you to quickly establish a VPN connection to your VPS whenever you need it.

Questions? Contact Us or post a comment on this blog so we can clarify anything not mentioned.

pre-requisites

18 comments. Leave a Reply

  1. I assume that if I want to uninstall OpenVPN installed with your script, all I have to do is a simple ‘yum remove openvpn’, right?

    • finally,i found how to setup a Tun/Tap for vpn on my vps,thanks.

  2. Mo

    Be advised, you have to update the command “cd /usr/share/doc/…/openvpn-2.x.x/easy-rsa/2.0” to whatever the latest version that CentOS downloads.

    and you have to change “. ../vars” to “. ./vars”, that’s only way i was able to get it to work.

    the line above “iptables-save > …” needs to be tweaked with as well. i’m working on that right now.

    • Thanks Mo

      I will make those updates!

  3. Omar

    Great guide, I’m going to try this today.

    Also, the VPS has been amazing so far. Absolutely no downtime or lag. Great job guys.

  4. I’ve tried running the install script, but the resulting openvpn-keys.tgz file only has the .ovpn file in it. There are no certificates in there.

    • Hey, I just had a look. It’s because I hardcoded the version of OpenVPN in the script. I’m updating it now. Try again.

  5. The script has been updated: Going forward if anyone has issues with it, please ensure that line 40 contains the latest version of OpenVPN in the directory structure (As of today it is openvpn-2.1.4).

    Ensure that lines 34-36 are the proper RPMforge repo for your distribution. (IE: 32bit and 64bit distros require a different RPM).

    Also make sure you are not installing this on a Debian based system as it will not work.

    Thanks for the feedback so far!

  6. Oliver

    This seems to work ok for me.
    However, I’m completely unable to load webpages.
    Steam seems to work and servers DID load when I first connected but now it’s slightly problematic.
    Do you know how to fix the DNS issues? It’s REALLY bugging me.

    • Hey Oliver:

      You can specify any DNS server you want in the openvpn config file that gets generated by the script. Just open it up, find the DNS server line and specify which ever ones you want. When you’re done just restart the openvpn daemon and reconnect your clients.

      Using google dns 8.8.8.8 is a good way to check as it’s generally always available.

  7. Sun

    I have problem:
    ——————————————————–
    /var/log/messege:
    Aug 23 12:53:33 sun openvpn[23994]: [MyIP]:1194 Re-using SSL/TLS context
    Aug 23 12:53:33 sun openvpn[23994]: [MyIP]:1194 LZO compression initialized
    Aug 23 12:54:33 sun openvpn[23994]: [MyIP]:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Aug 23 12:54:33 sun openvpn[23994]: [MyIP]:1194 TLS Error: TLS handshake failed

    ——————————————————–
    iptables:
    Table: mangle
    empty

    Table: filter
    Chain INPUT (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:1194
    2 ACCEPT udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:1194

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT all — 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT)

    Table: nat
    Chain PREROUTING (policy ACCEPT)
    Chain POSTROUTING (policy ACCEPT)
    num target prot opt source destination
    1 SNAT all — 0.0.0.0/0 0.0.0.0/0 to:[VenetIP]

    Chain OUTPUT (policy ACCEPT)

    ——————————————————–
    ifconfig
    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:106 errors:0 dropped:0 overruns:0 frame:0
    TX packets:106 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:11439 (11.1 KiB) TX bytes:11439 (11.1 KiB)

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:10.10.10.1 P-t-P:10.10.10.2 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
    UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
    RX packets:218978 errors:0 dropped:0 overruns:0 frame:0
    TX packets:218862 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:161097986 (153.6 MiB) TX bytes:194263178 (185.2 MiB)

    venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:x.x.x.x P-t-P:x.x.x.x Bcast:x.x.x.x Mask:255.255.255.255
    UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

    What i have to do?

    • Config looks good to me. Seems the issue may be with the certificate files. Make sure you loaded the right ones on the client side, and make sure the server is using the same ones.

      Regards,

  8. Daniel

    I get the following error

    http://imghst.info/2/4qhes6.png

    [img]http://imghst.info/2/4qhes6.png[/img]

    • If you’re a customer of ours, please open a ticket and we will help you out.

  9. Aram

    Hi,
    Do you have a version of this script for Debian?

    • Not at the moment unfortunately…

      I may work on one in my spare time and post it.

  10. I’ve had issues with your script (on a different host, mind you), especially with the DNS not working on clients’ machines. I modified it slightly, if anyone wants to take a look: http://blog.yasyf.com/2012/08/01/openvpn-server-on-a-centos-openvz-vps/

  11. nick

    Hello. i have followed your steps , but i dont get prompted to enter password neither add city details etc. i have download the file that you said , but when i try to connect with openvpn client , i get the error message : not an access server

Leave a Reply

Your email is never published nor shared.

You may use these HTML tags and attributes:<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>