This procedure can be used to install OpenVPN and/or PPTP VPN access on a Redhat Enterprise Linux v6 server or OpenVZ RHEL v6 virtual server. For OpenVZ you also require root access to the physical server or you need your service provider to enable virtual server access to tun and ppp on the physical server for you.
This install procedure was tested on CentOS v6 using the 64bit distribution. I have not tried it on v5 or the 32bit distribution. For pptp on an OpenVZ virtual server I believe your OS needs to be the same bit type as the physical server, i.e. if the OpenVZ physical server is 64bit then your virtual server OS must also be 64bit in order for pptp to work.
Software used:
CentOS v6 x86_64
Linux commands executed at a command prompt are in courier font.
Let's get started
If you are installing Linux from scratch using Anaconda via the install CD, select "minimal" and proceed with the install, which will install with no groups. Then skip down to the yum update part.
Otherwise, it is assumed you already have a server with a base CentOS installation before you begin. Do NOT install a GUI such as Gnome or KDE. We only want to be running in console text mode, not GUI graphics mode. If you already have a desktop or server GUI installed you will want to exit to console mode. You do that by typing init 3 from a terminal or console window. You will need to be logged in as root in order to do this, so if you are not, su to root first. All instructions in this guide assume you are always logged in as root.
Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate. Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't but check just in case things change with newer revisions).
yum grouplist installed
Installed Groups:
DNS Name Server
Editors
Legacy Network Server
Mail Server
Network Servers
System Tools
Text-based Internet
Web Server
Windows File Server
Yum Utilities
yum groupremove 'DNS Name Server'
yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'
Now update the base install
yum groupinstall core
yum groupinstall base
yum update
Check if tun is active
Required for OpenVPN
cat /dev/net/tun
File descriptor in bad state
If instead you see something like "device not found", tun is not active and needs to be loaded. With root access to the physical server, load tun:
modprobe tun
at which point
lsmod | grep tun
should return something like
tun 19221 2
Create a file so that this occurs automatically on reboot. Again, this needs to be done on the physical server. Not on the virtual server if that is what you are running.
nano /etc/sysconfig/modules/vpn.modules
#!/bin/sh
/sbin/modprobe tun
Make it executable
chmod +x /etc/sysconfig/modules/vpn.modules
If you are using a virtual server on OpenVZ you also need to do the following on the physical server so that the virtual server can use the tun device (change CTID=101 to your container ID):
CTID=101
vzctl set $CTID --devnodes net/tun:rw --save
vzctl set $CTID --devices c:10:200:rw --save
vzctl set $CTID --capability net_admin:on --save
vzctl exec $CTID mkdir -p /dev/net
vzctl exec $CTID chmod 600 /dev/net/tun
You may need to reboot the virtual server afterwards.
Check if ppp is active
Do this on the virtual server if using OpenVZ virtual server. This is required for pptp to work:
yum install ppp
pppd
You should see gibberish similar to the following, which will continue for about 30 seconds and then return to the command prompt.
~�}#�!}!}!} }4}"}&} } } } }%}&)Q�}4}'}"}(}"p})
If you get an error message instead, you may need to load the ppp modules on the physical server:
modprobe ppp_async
modprobe ppp_deflate
modprobe ppp_mppe
at which point
lsmod | grep ppp
should return something like
ppp_mppe 6420 2
ppp_deflate 9793 2
zlib_deflate 21977 1 ppp_deflate
ppp_async 15169 1
crc_ccitt 6337 1 ppp_async
ppp_generic 30165 6 ppp_deflate,ppp_async
slhc 10561 1 ppp_generic
Create a file or add to existing file so that the ppp modules are automatically loaded on reboot. Again, this is required on the physical server only.
nano /etc/sysconfig/modules/vpn.modules
#!/bin/sh
/sbin/modprobe ppp_async
/sbin/modprobe ppp_deflate
/sbin/modprobe ppp_mppe
Make it executable
chmod +x /etc/sysconfig/modules/vpn.modules
If you are using a VPS on OpenVZ virtual server you also need to do the following on the physical server so that the VPS container can use the ppp device (change CTID=101 to your container ID):
CTID=101
vzctl set $CTID --features ppp:on --save
vzctl set $CTID --devices c:108:0:rw --save
vzctl exec $CTID mknod /dev/ppp c 108 0
vzctl exec $CTID chmod 600 /dev/ppp
You may need to reboot the virtual server afterwards.
Install packages
If you are not using a physical server, this is done on the virtual server.
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel ppp
Install OpenVPN
We currently use the repoforge repository for Openvpn. Using the epel or Openvpn repositories is not recommended because they currently do not include the openvpn pam authentication module, which is used for the preferred authentication method. If you use one of those repositories you will have to alter this procedure to use a different Openvpn authentication method.
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm
or for 64bit OS use
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
yum install openvpn
Install pptp
rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/x86_64/pptpd-1.3.4-2.el6.x86_64.rpm
Configure OpenVPN
cp -R /usr/share/doc/openvpn*/easy-rsa/ /etc/openvpn/
nano /etc/openvpn/easy-rsa/2.0/vars
change
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
to
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Create the certificate:
cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all
Build Certificate Authority
./build-ca
Country Name: may be filled or press enter
State or Province Name: may be filled or press enter
City: may be filled or press enter
Org Name: may be filled or press enter
Org Unit Name: may be filled or press enter
Common Name: your server hostname
Email Address: may be filled or press enter
Generate certificate & private key for server
./build-key-server server
Almost the same as build-ca:
Common Name: server
A challenge password: leave blank
Optional company name: fill or enter
sign the certificate: y
1 out of 1 certificate requests: y
Generate Diffie Hellman parameters
./build-dh
Create Server Config file
See /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf for reference. You can also copy that file over and edit if you prefer:
nano /etc/openvpn/server.conf
And enter the following:
local 11.22.33.44 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
# if you install openvpn with a repository other than rpmforge the following module may not be installed and openvpn may not start
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.9.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
See if openvpn starts
service openvpn start
If this doesn't work, double-check the server.conf file.
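As an added example (not from the original guide and not part of the OpenVPN package), a small Python check to run before starting the service: it parses the server.conf written above, confirms that the files named by ca, cert, key, dh and plugin exist, that the server private key is not group or world readable, and that the 11.22.33.44 placeholder has been replaced. The default config path and the checks themselves are my assumptions.

```python
import os
import stat

PLACEHOLDER_IP = "11.22.33.44"  # placeholder IP used throughout the guide
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "plugin")  # first arg is a file


def parse_openvpn_conf(text):
    """Return a list of (directive, [args]) for every non-blank, non-comment
    line; inline '#' comments such as 'port 1194 #- port' are stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def check_server_conf(path):
    """Return a list of problems found in the server.conf at 'path'
    (an empty list means the config looks ready to start)."""
    with open(path) as fh:
        entries = parse_openvpn_conf(fh.read())
    problems = []
    for directive, args in entries:
        if directive in FILE_DIRECTIVES:
            # for 'plugin' the second argument is the PAM service, not a file
            target = args[0] if args else ""
            if not os.path.isfile(target):
                problems.append("%s: file not found: %s" % (directive, target))
            elif directive == "key":
                # the server private key must only be readable by its owner
                mode = stat.S_IMODE(os.stat(target).st_mode)
                if mode & 0o077:
                    problems.append("key: %s is group/world readable (mode %o)"
                                    % (target, mode))
        elif directive == "local" and args and args[0] == PLACEHOLDER_IP:
            problems.append("local: placeholder IP %s was not replaced"
                            % PLACEHOLDER_IP)
    return problems


if __name__ == "__main__":
    import sys
    for problem in check_server_conf(sys.argv[1] if len(sys.argv) > 1
                                     else "/etc/openvpn/server.conf"):
        print(problem)
```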
configure start on reboot
chkconfig openvpn on
Configure pptp
nano /etc/pptpd.conf
make sure the following lines are added if they do not already exist.
require-mschap-v2
require-mppe-128
ms-dns 8.8.4.4
ms-dns 8.8.8.8
# replace the following with your server IP
localip 11.22.33.44
# replace the following with the desired private IP
# and range handed out to connecting pptp clients
# the private IP should not be on the same subnet
# as openvpn to avoid problems.
remoteip 10.10.0.1-100
Create OpenVPN usernames and passwords
useradd username -s /bin/false
passwd username
If you wanted to delete a user you would use:
userdel username
Now create a server.ovpn config file and enter the following:
client
dev tun
proto udp
remote 11.22.33.44 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3
Make sure you change 11.22.33.44 to your server IP.
Download the ca.crt file from the /etc/openvpn/easy-rsa/2.0/keys/ directory on the server and place it in the same directory as your server.ovpn on your OpenVPN client.
Now download an OpenVPN client, import your config file and enter the username and password created above.
Create pptp usernames and passwords
nano /etc/ppp/chap-secrets
username1 pptpd password1 *
username2 pptpd password2 *
where the format is [username] [space] [server] [space] [password] [space][IP addresses]
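As an added example (not from the original guide and not part of pppd), a Python parser for the chap-secrets format just described, with two checks worth running before starting pptpd: the file must be mode 600 because it holds the passwords in clear text, and no username/server pair should be listed twice. The default file path and the checks are my assumptions.

```python
import os
import shlex
import stat


def parse_chap_secrets(text):
    """Return [(client, server, secret, [addresses])] for each entry.
    '#' comments and blank lines are skipped; double-quoted fields (a
    secret containing a space, for example) are handled by shlex."""
    entries = []
    for raw in text.splitlines():
        fields = shlex.split(raw, comments=True)
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("malformed chap-secrets line: %r" % raw)
        client, server, secret = fields[:3]
        entries.append((client, server, secret, fields[3:]))
    return entries


def check_chap_secrets(path):
    """Return a list of problems with the secrets file at 'path'."""
    problems = []
    # the file holds clear-text passwords, so nobody but root should read it
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append("%s is group/world readable (mode %o); chmod 600 it"
                        % (path, mode))
    with open(path) as fh:
        entries = parse_chap_secrets(fh.read())
    seen = set()
    for client, server, secret, _addresses in entries:
        if (client, server) in seen:
            problems.append("duplicate entry for %s/%s" % (client, server))
        seen.add((client, server))
        if not secret:
            problems.append("empty secret for %s" % client)
    return problems


if __name__ == "__main__":
    import sys
    for problem in check_chap_secrets(sys.argv[1] if len(sys.argv) > 1
                                      else "/etc/ppp/chap-secrets"):
        print(problem)
```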
start pptp
service pptpd start
enable start on reboot
chkconfig pptpd on
Configure IPTables NAT
This is required for Openvpn and pptp.
If using a physical server
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
If using an OpenVZ virtual server
iptables -t nat -A POSTROUTING -j SNAT --to-source 11.22.33.44
and replace 11.22.33.44 with your virtual server ip
If you have other iptables rules that drop everything by default, you also need to open up the required ports. pptp also requires the gre protocol to be allowed (i.e. iptables -A INPUT -i eth0 -p gre -j ACCEPT).
service iptables save
Enable IP packet forwarding
This is required for Openvpn and pptp
nano /etc/sysctl.conf
and change the following line
net.ipv4.ip_forward = 1
run the following to enable the change immediately
sysctl -p
Troubleshooting
If you have problems connecting to some websites via pptp (such as godaddy.com) while other websites (such as google.com) work fine, you may have an mtu problem. If you do a search you will find a lot of posts instructing people to add an mtu setting to various configuration files. However, none of that seems to affect the mtu setting of the ppp device that is created when clients connect. To see if you have this problem, do an ifconfig while a pptp client is connected. You will see a venet0 or eth0 device with an mtu of 1500 or perhaps some other number. However, the mtu of the connected client's device (first client is ppp0, second is ppp1, etc.) might be something like 1396.
In order to verify this fix works, from the command line type ifconfig ppp0 mtu 1500, assuming we want to fix the first connected client (i.e. ppp0) and assuming our mtu for venet0 or eth0 is 1500. If that works, add the following to /etc/ppp/ip-up. Alternatively, create a file /etc/ppp/ip-up.local and chmod +x /etc/ppp/ip-up.local. Adding the following makes the change occur automatically each time a client connects via pptp, because a new pppX device is created each time a client connects.
/sbin/ifconfig $1 mtu 1500
Where "$1" is the pppX variable of each connecting client as assigned in /etc/ppp/ip-up script.
Change the 1500 to whatever mtu your venet0 or eth0 is set to. If you try to put that mtu setting somewhere else, such as /etc/ppp/options.pptpd or /etc/ppp/options, it will NOT affect the mtu setting of connecting clients and therefore will not solve this particular problem.