This procedure can be used to install OpenVPN and/or PPTP VPN access on a Red Hat Enterprise Linux v6 server or an OpenVZ RHEL v6 virtual server. For OpenVZ you also require root access to the physical server, or you need your service provider to enable virtual server access to tun and ppp on the physical server for you. This install procedure was tested on CentOS v6 using the 64bit distribution. I have not tried it on v5 or the 32bit distribution. For pptp on an OpenVZ virtual server I believe your OS needs to be the same bit type as the physical server, i.e. if the OpenVZ physical server is 64bit then your virtual server OS must also be 64bit in order for pptp to work.
Software used: CentOS v6 x86_64

Linux commands executed at a command prompt are in courier font.

Let's get started

If you are installing Linux from scratch using Anaconda via the install CD, select "minimal" and proceed with the install, which installs no groups; then skip down to the yum -y update part. Otherwise, it is assumed you already have a server with a base CentOS installation before you begin. Do NOT install a GUI such as Gnome or KDE. We only want to be running in console text mode, not GUI graphics mode. If you already have a desktop or server GUI installed you will want to exit to console mode. You do that by typing init 3 from a terminal or console window. You will need to be logged in as root in order to do this, so if not you can su root. All instructions in this guide assume you are always logged in as root.

Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate. Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't, but check just in case things change with newer revisions).
yum grouplist installed

Installed Groups:
   DNS Name Server
   Editors
   Legacy Network Server
   Mail Server
   Network Servers
   System Tools
   Text-based Internet
   Web Server
   Windows File Server
   Yum Utilities

yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'
Now update the base install
yum groupinstall core
yum groupinstall base
yum update
Check if tun is active

Required for OpenVPN.
cat /dev/net/tun
modprobe tun
lsmod | grep tun
Create a file so that this occurs automatically on reboot. Again, this needs to be done on the physical server, not on the virtual server, if that is what you are running.
nano /etc/sysconfig/modules/vpn.modules
#!/bin/sh
/sbin/modprobe tun
Make it executable
chmod +x /etc/sysconfig/modules/vpn.modules
If you are using a virtual server on OpenVZ you also need to do the following on the physical server so that the virtual server can use the tun device (change CTID=101 to your container ID):

CTID=101
vzctl set $CTID --devnodes net/tun:rw --save
vzctl set $CTID --devices c:10:200:rw --save
vzctl set $CTID --capability net_admin:on --save
vzctl exec $CTID mkdir -p /dev/net
vzctl exec $CTID chmod 600 /dev/net/tun
You may need to reboot the virtual server afterwards.

Check if ppp is active

Do this on the virtual server if using an OpenVZ virtual server. This is required for pptp to work:

yum install ppp
pppd

You should see gibberish similar to the following, which continues for about 30 seconds and then returns to the command prompt (it is pppd writing raw PPP frames to your terminal, which shows the ppp device is usable):

~�}#�!}!}!} }4}"}&} } } } }%}&)Q�}4}'}"}(}"p})
If you get an error message instead you may need to load the ppp modules on the physical server:

modprobe ppp_async
modprobe ppp_deflate
modprobe ppp_mppe
lsmod | grep ppp

Then add them to the vpn.modules file created above so they load on reboot (keep the modprobe tun line):

nano /etc/sysconfig/modules/vpn.modules

#!/bin/sh
/sbin/modprobe tun
/sbin/modprobe ppp_async
/sbin/modprobe ppp_deflate
/sbin/modprobe ppp_mppe

Make it executable

chmod +x /etc/sysconfig/modules/vpn.modules
If you are using a VPS on an OpenVZ virtual server you also need to do the following on the physical server so that the VPS container can use the ppp device (change CTID=101 to your container ID):

CTID=101
vzctl set $CTID --features ppp:on --save
vzctl set $CTID --devices c:108:0:rw --save
vzctl exec $CTID mknod /dev/ppp c 108 0
vzctl exec $CTID chmod 600 /dev/ppp
You may need to reboot the virtual server afterwards.

Install packages

If not using a physical server this is done on the virtual server:

yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel ppp
Install OpenVPN

We currently use the repoforge repository for OpenVPN. Using the epel or OpenVPN repositories is not recommended because they currently do not include the openvpn pam authentication module, which is used for the preferred authentication method. If you use one of those repositories you will have to alter this procedure to use a different OpenVPN authentication method.

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

or for a 64bit OS use

rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

yum install openvpn
Install pptp

rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
yum install pptpd
Configure OpenVPN

cp -R /usr/share/doc/openvpn*/easy-rsa/ /etc/openvpn/
nano /etc/openvpn/easy-rsa/2.0/vars
change
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
to
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Create the certificates (the vars file must be sourced into the current shell, not run as a script, or the KEY_* settings are lost):

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./clean-all
Build the Certificate Authority

./build-ca

Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter

Generate certificate & private key for server
./build-key-server server

Almost the same as build-ca:

Common Name: server
A challenge password: leave blank
Optional company name: fill or press enter
Sign the certificate: y
1 out of 1 certificate requests: y

Generate Diffie Hellman parameters

./build-dh
Create Server Config file

See /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf for reference. You can also copy that file over and edit it if you prefer:
nano /etc/openvpn/server.conf
And enter the following:
local 11.22.33.44 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# if you install openvpn with a repository other than rpmforge the following module may not be installed and openvpn may not start
# the second argument is a PAM service name; the corresponding file must exist under /etc/pam.d (CentOS 6 ships 'login')
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login0
# clients authenticate with username/password only (checked by the PAM plugin); they still verify the server certificate against ca.crt
client-cert-not-required
username-as-common-name
server 10.9.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
See if openvpn starts

service openvpn start

If this doesn't work, double check the server.conf file.

Configure start on reboot

chkconfig openvpn on
Configure pptp

nano /etc/pptpd.conf

Make sure the following lines are added if they do not already exist:

# replace the following with your server IP
localip 11.22.33.44
# replace the following with the desired private IP
# and range handed out to connecting pptp clients
# the private IP should not be on the same subnet
# as openvpn to avoid problems.
remoteip 10.10.0.1-100
Add DNS servers

nano /etc/ppp/options.pptpd

(This is the pppd options file named by the option line in /etc/pptpd.conf; options.pptp without the trailing d is the file used by the pptp client, not the server.) Make sure the following Google DNS servers are added, or use alternative DNS servers:

ms-dns 8.8.4.4
ms-dns 8.8.8.8
Create OpenVPN usernames and passwords

useradd username -s /bin/false
passwd username

If you wanted to delete a user you would use:

userdel username
Now create a server.ovpn config file and enter the following:

client
dev tun
proto udp
remote 11.22.33.44 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3

Make sure you change 11.22.33.44 to your server IP. Download the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in the same directory as your server.ovpn in your OpenVPN client. Now download an OpenVPN client, import your config file and enter the username and password created above.

Create pptp usernames and passwords
nano /etc/ppp/chap-secrets

username1 pptpd password1 *
username2 pptpd password2 *

where the format is [username] [space] [server] [space] [password] [space] [IP addresses]. The passwords are stored in clear text, so keep the file readable by root only (chmod 600 /etc/ppp/chap-secrets).
Start pptp

service pptpd start

Enable start on reboot

chkconfig pptpd on
Configure IPTables NAT

This is required for OpenVPN and pptp. If using a physical server:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If using an OpenVZ virtual server:

iptables -t nat -A POSTROUTING -j SNAT --to-source 11.22.33.44

and replace 11.22.33.44 with your virtual server IP. If you have other iptables rules that block everything by default you also need to open up the required ports. pptp also requires the GRE protocol to be enabled (i.e. iptables -A INPUT -i eth0 -p gre -j ACCEPT).

service iptables save
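For a host that already runs a default-deny ruleset, here is an added example (my own, not from the original guide) of a script that opens only what the two services need and appends the NAT rule for either host type. It assumes eth0 as the public interface, 11.22.33.44 as the placeholder server address from the guide, OpenVPN on 1194/udp as in server.conf, and pptpd on its standard 1723/tcp control port (not mentioned in the guide) plus GRE; setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the guide): minimal iptables rules for the OpenVPN + pptpd
# server configured above. Assumptions: public interface eth0, OpenVPN on 1194/udp as in
# server.conf, pptpd on its standard 1723/tcp control port plus GRE, tunnels on tun0/pppN.
# The rules are appended; they do not change the chain policies you already have.
IPTABLES=${IPTABLES:-/sbin/iptables}   # set to "echo" to preview the rules without applying
WAN_IF=${WAN_IF:-eth0}
SERVER_IP=${SERVER_IP:-11.22.33.44}    # placeholder address from the guide

vpn_input_rules() {
    # Replies to our own traffic, then only the three things the VPN services need.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p udp --dport 1194 -j ACCEPT   # OpenVPN
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p tcp --dport 1723 -j ACCEPT   # PPTP control channel
    "$IPTABLES" -A INPUT -i "$WAN_IF" -p gre -j ACCEPT                # PPTP data (GRE)
}

vpn_forward_rules() {
    # Forward only tunnel -> uplink and the replies back; nothing between other interfaces.
    "$IPTABLES" -A FORWARD -i tun0 -o "$WAN_IF" -j ACCEPT
    "$IPTABLES" -A FORWARD -i ppp+ -o "$WAN_IF" -j ACCEPT
    "$IPTABLES" -A FORWARD -o tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
}

vpn_nat_rule() {
    # $1 selects the NAT form the guide gives for each host type.
    case "$1" in
        physical) "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE ;;
        openvz)   "$IPTABLES" -t nat -A POSTROUTING -j SNAT --to-source "$SERVER_IP" ;;
        *) echo "usage: $0 physical|openvz" >&2; return 2 ;;
    esac
}

# Apply everything when invoked as: ./vpn-firewall.sh physical   (or openvz)
case "${1:-}" in
    physical|openvz) vpn_input_rules && vpn_forward_rules && vpn_nat_rule "$1" ;;
esac
```

Run it with IPTABLES=echo first, then for real, and finish with service iptables save as above.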
Enable IP packet forwarding

This is required for OpenVPN and pptp.

nano /etc/sysctl.conf

and change the following line to:

net.ipv4.ip_forward = 1

Run the following to enable the change immediately:

sysctl -p
Troubleshooting

If you have problems connecting to some websites via pptp such as godaddy.com, whereas other websites such as google.com work fine, you may have an MTU problem. If you do a search you will find a lot of posts instructing people to add an mtu setting to various configuration files. However, none of that seems to affect the MTU of the ppp device that is created when clients connect.

To see if you have this problem, run ifconfig while a pptp client is connected. You will see a venet0 or eth0 device with an MTU of 1500 or perhaps some other number. However, the MTU of the connected client's device (the first client is ppp0, the second ppp1, etc.) might be something like 1396. To verify that this fix works, type the following at the command line, assuming we want to fix the first connected client (i.e. ppp0) and that the MTU of venet0 or eth0 is 1500:

ifconfig ppp0 mtu 1500

If that works, add the following to /etc/ppp/ip-up. Alternatively, create a file /etc/ppp/ip-up.local and chmod +x /etc/ppp/ip-up.local. Adding the following makes the change occur automatically each time a client connects via pptp, because a new pppX device is created on every connection:

/sbin/ifconfig $1 mtu 1500

Here "$1" is the pppX device name of each connecting client, as passed to the /etc/ppp/ip-up script. Change the 1500 to whatever MTU your venet0 or eth0 is set to. If you try to put that mtu setting somewhere else, such as /etc/ppp/options.pptpd or /etc/ppp/options, it will NOT affect the MTU of connecting clients and therefore will not solve this particular problem.
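The same ip-up.local hook, generalised, as an added example that is not part of the original post: instead of hard-coding 1500 it reads the uplink's current MTU from sysfs, copies it onto the new pppX device only when the two differ, and logs the change so you can see in the ppp log when the fix was applied. The uplink name (venet0 or eth0) is an assumption passed in UPLINK; SYSFS_NET and IFCONFIG are overridable only so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the guide): /etc/ppp/ip-up.local that copies the uplink's
# current MTU onto each new pppX device instead of hard-coding 1500.
# pppd runs ip-up as: ip-up <interface> <tty> <speed> <local-ip> <remote-ip> <ipparam>,
# so $1 is the pppX name. Assumption: the uplink is venet0 (OpenVZ) or eth0 (physical).
UPLINK=${UPLINK:-venet0}
SYSFS_NET=${SYSFS_NET:-/sys/class/net}   # overridable so the functions can be tested unprivileged
IFCONFIG=${IFCONFIG:-/sbin/ifconfig}

mtu_of() {
    # Print the current MTU of interface $1; return 1 and print nothing if it does not exist.
    [ -r "$SYSFS_NET/$1/mtu" ] && cat "$SYSFS_NET/$1/mtu"
}

sync_mtu() {
    # Give $1 (pppX) the MTU of $2 (the uplink). Returns 0 only when it actually changed
    # something; 1 when either device is unknown or the MTUs already match.
    target=$(mtu_of "$2") || return 1
    current=$(mtu_of "$1") || return 1
    [ "$current" -ne "$target" ] || return 1
    "$IFCONFIG" "$1" mtu "$target"
}

case "${1:-}" in
    ppp[0-9]*)
        # Log only when the MTU was changed, so the log shows exactly when the fix kicked in.
        if sync_mtu "$1" "$UPLINK"; then
            logger -t ip-up.local "$1 mtu set to $(mtu_of "$UPLINK") to match $UPLINK"
        fi
        ;;
esac
```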