OpenVPN Install on CentOS 6 Server

I recently had a need to install a VPN service in an OpenVZ container. Since I normally only use hardware-emulating VMs, I ran into quite a few issues in terms of low-level networking support on this container virtualisation system. It turns out that you are stuck with a TUN/TAP solution, as most services won’t enable PPP services on their infrastructure. Also, Ethernet bridging is not available (at least on the service I used), so you’re stuck with NAT IP masquerading. Considering the options, I thought I would be best served by using an OpenVPN server.

Install Server

yum --enablerepo=epel -y install openvpn

Server configuration

cp /usr/share/doc/openvpn-*/sample-config-files/server.conf /etc/openvpn/
These are the contents of /etc/openvpn/server.conf:
local XXX.XXX.XXX.XXX #Server External IP
port 1194
proto udp
dev tun
ca ca.crt
cert SERVER.crt
key SERVER.key #keep file secret
dh dh1024.pem
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS" #using Google Public DNS
push "dhcp-option DNS" #using Google Public DNS
keepalive 10 120
max-clients 5
user nobody
group nobody
status openvpn-status.log
log /var/log/openvpn.log
verb 3

mkdir -p /etc/openvpn/easy-rsa/keys
cd /etc/openvpn/easy-rsa
cp -rf /usr/share/openvpn/easy-rsa/2.0/* .
vim vars
#Set the country (KEY_COUNTRY)
#locality (KEY_CITY)
#organisation name (KEY_ORG)
#support email (KEY_EMAIL)

Create certificate authority


The CA key and certificate should now be in the keys directory inside the easy-rsa directory.

Create certificate for the server

./build-key-server NAME_OF_SERVER
Answer the questions and commit the certificate into the database.

Create the Diffie Hellman files

The Diffie-Hellman parameter files are used for the actual key exchange, which keeps the session confidential over an insecure channel, i.e. the Internet. Depending on the key length (KEY_SIZE), generating them may take a while.

Copy crypto files

cd keys/
cp ca.crt SERVER.crt SERVER.key dh1024.pem /etc/openvpn/

Create the certificate for each client

./build-key NOTEBOOK
./build-key MOBILE

Enable IP Forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

NAT Masquerading Setup

iptables -t nat -A POSTROUTING -s -o venet0 -j MASQUERADE

Start OpenVPN

/etc/init.d/openvpn start
chkconfig openvpn on



apt-get install network-manager-openvpn




  • Ensure that the client settings reflect EXACTLY the server settings (I learned this the hard way, wasting a lot of time troubleshooting why routing would not work – it turned out to be the client setting ‘comp-lzo’!)
  • Ensure TUN/TAP services are enabled for your OpenVZ container (
    ERROR: Linux ip link set failed: external program exited with error status: 255
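
A small check for the first tip above, as an added example that is not part of the original post: it compares the directives that have to agree on both ends of the tunnel and reports any that differ. The function names, the list in MATCH_KEYS and the sample client profile are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare tunnel directives in a server and a client config.
# MATCH_KEYS is an assumed subset of options that must agree on both ends.
MATCH_KEYS="dev proto comp-lzo cipher auth tun-mtu fragment"

# directive_value FILE KEY: print the directive's arguments, "<set>" for a
# bare flag such as comp-lzo, or "<absent>" when the file does not use it.
directive_value() {
    awk -v key="$2" '
        { sub(/[#;].*/, "") }                       # drop comments
        $1 == key { $1 = ""; sub(/^ +/, "")
                    val = ($0 == "" ? "<set>" : $0); found = 1 }
        END { print (found ? val : "<absent>") }
    ' "$1"
}

# vpn_conf_diff SERVER_CONF CLIENT_CONF: one line per differing directive,
# exit status 1 when anything differs.
vpn_conf_diff() {
    rc=0
    for key in $MATCH_KEYS; do
        s=$(directive_value "$1" "$key")
        c=$(directive_value "$2" "$key")
        if [ "$s" != "$c" ]; then
            echo "MISMATCH $key: server=$s client=$c"
            rc=1
        fi
    done
    return "$rc"
}

# write_samples DIR: constructed configs; the server lines follow the
# server.conf above, the client profile is made up for this example.
write_samples() {
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' \
        'keepalive 10 120  # not compared' > "$1/server.conf"
    printf '%s\n' 'client' 'proto udp' 'dev tun' \
        'comp-lzo  # enabled on the client only' > "$1/client.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
vpn_conf_diff "$tmp/server.conf" "$tmp/client.conf" || true
rm -rf "$tmp"
```

Run it against the real /etc/openvpn/server.conf and the client profile before handing the profile out; an empty result means the compared directives agree.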


Installing Poptop (pptpd) VPN Server on CentOS 6

For roaming mobile clients PPTP (Point-to-Point Tunneling Protocol) is still the quickest way to get VPN connections to tunnel traffic over a secure link.


I always prefer installation via a yum repository, as this will ensure patches are applied during regular system updates.

sudo rpm --import
sudo rpm -Uvh
sudo yum install ppp pptpd -y


Note: replace $USERNAME and $PASSWORD with actual values

IP configuration
echo "localip" >> /etc/pptpd.conf
echo "remoteip" >> /etc/pptpd.conf

DNS configuration
echo "ms-dns" >> /etc/ppp/options.pptpd
echo "ms-dns" >> /etc/ppp/options.pptpd

Authentication configuration
echo "$USERNAME pptpd $PASSWORD *" >> /etc/ppp/chap-secrets

Firewall config
service iptables start
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE" >> /etc/rc.local
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables restart
service iptables save
chkconfig iptables on

Start pptpd
chkconfig pptpd on
service pptpd start