We have made a small and dirty bash script which installs and configures OpenVPN on CentOS 5 32bit. The VPN server’s primary (and only) use is for safe browsing i.e. tunneling all your traffic through your VPS. The script also generates your client configuration file along with the necessary keys for authentication.
Requirements
1. CentOS 5 32bit minimal OS template
2. TUN/TAP device enabled on your VPS
3. iptables NAT support
You will have to open a ticket to request a TUN/TAP device to be enabled on your VPS. If you’re not a customer of ours and your host’s support staff doesn’t know how to do this, you may tell them to execute the following commands on the hardware node where your VPS is hosted.
Make sure they will replace ‘YOUR_VEID’ with your VPS’s VEID and you will be ready to roll
vzctl stop YOUR_VEID
vzctl set YOUR_VEID --devices c:10:200:rw --save
vzctl set YOUR_VEID --capability net_admin:on --save
vzctl start YOUR_VEID
vzctl exec YOUR_VEID "mkdir -p /dev/net; mknod /dev/net/tun c 10 200; chmod 600 /dev/net/tun"
# iptables support
vzctl stop YOUR_VEID
vzctl set YOUR_VEID --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
vzctl start YOUR_VEID
Make sure they will replace ‘YOUR_VEID’ with your VPS’s VEID and you will be ready to roll
Login to your VPS as root and execute the following commands
You will be prompted to enter values for your server and client certificate, feel free to accept (hit enter) the default values. Its not recommended to setup a password for your server certificate as you will have to type in the password each time you wish to start/restart the openvpn daemon.
You can however set a password for your client’s certificate since it offers extra level of protection in case your certificate and key files are compromised. You will be prompted for that password each time you connect on your VPS’s VPN.
wget http://vpsnoc.com/scripts/install-openvpn.sh
chmod +x install-openvpn.sh
./install-openvpn.sh
You will be prompted to enter values for your server and client certificate, feel free to accept (hit enter) the default values. Its not recommended to setup a password for your server certificate as you will have to type in the password each time you wish to start/restart the openvpn daemon.
You can however set a password for your client’s certificate since it offers extra level of protection in case your certificate and key files are compromised. You will be prompted for that password each time you connect on your VPS’s VPN.
After the script finished installing openvpn (should be very quick) the client keys and the openvpn clientconfiguration file will be archived in /root/keys.tgz
You may use a sftp/scp client such as winscp or filezilla to download the archive on your computer.
You may use a sftp/scp client such as winscp or filezilla to download the archive on your computer.
If you already haven’t installed openvpn for windows you may do so now.
You may use winrar or 7zip to extract the content of keys.tgz in C:Program FilesOpenVPNconfigVPN (create a folder named VPN there)
After you have extracted the files from keys.tgz in the above folder, you may start openvpn-gui from the start menu, right click the tray icon, go to VPN and click connect. After the icon turns green all your traffic will be forwarded through your VPS, no extra configuration on your browser/IM client/email client is required.
You may use winrar or 7zip to extract the content of keys.tgz in C:Program FilesOpenVPNconfigVPN (create a folder named VPN there)
After you have extracted the files from keys.tgz in the above folder, you may start openvpn-gui from the start menu, right click the tray icon, go to VPN and click connect. After the icon turns green all your traffic will be forwarded through your VPS, no extra configuration on your browser/IM client/email client is required.
If you’re facing issues make sure that your computer clock is synchronized, if so make sure that your VPS’s clock is correct as well. If it’s not you will have to ask your host to sync it.
For any other issues and feedback please e-mail us at support@vpsnoc.com
You may use and modify this script however you see fit, provided that you do not edit the original copyright.
#!/bin/bash
# Quick and dirty OpenVPN install script
# Tested on Centos 5.x 32bit, openvz minimal CentOS OS templates
# Please submit feedback and questions at support@vpsnoc.com
# John Malkowski vpsnoc.com 01/04/2010
ip=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= '{print $2}'`
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -iv rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rm -rf rpmforge-release-0.3.6-1.el5.rf.i386.rpm
yum -y install openvpn openssl openssl-devel
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
. ../vars
./clean-all
source ./vars
echo -e "nnnnnnn" | ./build-ca
clear
echo "####################################"
echo "Feel free to accept default values"
echo "Wouldn't recommend setting a password here"
echo "Then you'd have to type in the password each time openVPN starts/restarts"
echo "####################################"
./build-key-server server
./build-dh
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
clear
echo "####################################"
echo "Feel free to accept default values"
echo "This is your client key, you may set a password here but it's not required"
echo "####################################"
./build-key client1
cd keys/
client="
client
remote $ip 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.8.0.1
verb 3"
echo "$client" > $HOSTNAME.ovpn
tar czf keys.tgz ca.crt ca.key client1.crt client1.csr client1.key $HOSTNAME.ovpn
mv keys.tgz /root
opvpn='
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon'
echo "$opvpn" > /etc/openvpn/openvpn.conf
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-save
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
/etc/init.d/openvpn start
clear
echo "OpenVPN has been installed
Download /root/keys.tgz using winscp or other sftp/scp client such as filezilla
Create a directory named vpn at C:Program FilesOpenVPNconfig and untar the content of keys.tgz there
Start openvpn-gui, right click the tray icon go to vpn and click connect
For support/bug reports email us at support@vpsnoc.com"
No comments:
Post a Comment