How to Install OpenVPN and PPTP on RHEL v6

Sections: 

OpenVPNThis procedure can be used to install OpenVPN and/or PPTP VPN access on a Redhat Enterprise Linux v6 server or OpenVZ RHEL v6 virtual server.  For OpenVZ you also require root access to the physical server or you need your service provider to enable virtual server access to tun and ppp on the physical server for you. This install procedure was tested on CentOS v6 using the 64bit distribution.  I have not tried on v5 or 32bit distribution.  For pptp on an OpenVZ virtual server I believe your OS needs to be the same bit type as the physical server.  Ie. if the OpenVZ physical server is 64bit then your virtual server OS must also be 64bit in order for pptp to work

Software used: CentOS v6 x86_64 Linux commands executed at a command prompt are in courier font. Let's get started If you are installing Linux from scratch using Anaconda via install CD select "minimal" and proceed with the install which will install with no groups.   Skip down to the yum -y update part. Otherwise, it is assumed you already have a server with a base CentOS installation before you begin.  Do NOT install a GUI such as Gnome or KDE.  We only want to be running in console text mode not GUI graphics mode.  If you already have a desktop or server GUI installed you will want to exit to console mode.  You do that by typing init 3 from a terminal or console window.  You will need to be logged in as root in order to do this so if not you can su root.  All instructions in this guide are assuming you are always logged in as root. Get rid of all installed groups except 'Yum Utilities' so we are starting with a clean slate.  Check the delete list before entering 'y' to make sure none of these remove 'sshd' or 'yum' (they don't but check just in case things change with newer revisions).

yum grouplist installed

Installed Groups: DNS Name Server Editors Legacy Network Server Mail Server Network Servers System Tools Text-based Internet Web Server Windows File Server Yum Utilities DNS Name Server

yum groupremove 'Editors'
yum groupremove 'Legacy Network Server'
yum groupremove 'Mail Server'
yum groupremove 'Network Servers'
yum groupremove 'System Tools'
yum groupremove 'Text-based Internet'
yum groupremove 'Web Server'
yum groupremove 'Windows File Server'

Now update the base install

yum groupinstall core
yum groupinstall base
yum update

Check if tun is active Required for OpenVPN

cat /dev/net/tun
File descriptor in bad state If you see something like device not found that means tun is not active and we need to load it.  With root access to the physical server load tun.
 
modprobe tun
 
at which point
lsmod | grep tun
should return something like tun          19221  2

Create a file so that this occurs automatically on reboot.  Again, this needs to be done on the physical server. Not on the virtual server if that is what you are running.

nano /etc/sysconfig/modules/vpn.modules
 
#!/bin/sh
/sbin/modprobe tun

Make it executable

chmod +x /etc/sysconfig/modules/vpn.modules

If you are using a virtual server on OpenVZ you also need to do the following on the physical server so that the virtual server can use the tun device (change CTID=101 to your container ID):

CTID=101
vzctl set $CTID --devnodes net/tun:rw --save
vzctl set $CTID --devices c:10:200:rw --save
vzctl set $CTID --capability net_admin:on --save
vzctl exec $CTID mkdir -p /dev/net
vzctl exec $CTID chmod 600 /dev/net/tun

You may need to reboot the virtual server afterwards. Check if ppp is active Do this on the virtual server if using OpenVZ virtual server.  This is required for pptp to work:

yum install ppp
pppd

You should see gibberish similar to the following which will continue for about 30seconds then return to command prompt. ~�}#�!}!}!} }4}"}&} } } } }%}&)Q�}4}'}"}(}"p}) If you get an error message instead you may need to load the ppp modules on the physical server

modprobe ppp_async
modprobe ppp_deflate
modprobe ppp_mppe
at which point
lsmod | grep ppp
should return something like
ppp_mppe         6420  2 ppp_deflate        9793  2 zlib_deflate         21977  1 ppp_deflate ppp_async          15169  1 crc_ccitt              6337  1 ppp_async ppp_generic        30165  6 ppp_deflate,ppp_async slhc                     10561  1 ppp_generic
Create a file or add to existing file so that the ppp modules are automatically loaded on reboot.  Again, this is required on the physical server only.
 
nano /etc/sysconfig/modules/vpn.modules
#!/bin/sh
/sbin/modprobe ppp_async
/sbin/modprobe ppp_deflate
/sbin/modprobe ppp_mppe

Make it executable

chmod +x /etc/sysconfig/modules/vpn.modules

If you are using a VPS on OpenVZ virtual server you also need to do the following on the physical server so that the VPS container can use the ppp device (change CTID=101 to your container ID):

CTID=101
vzctl set $CTID --features ppp:on --save
vzctl set $CTID --devices c:108:0:rw --save
vzctl exec $CTID mknod /dev/ppp c 108 0
vzctl exec $CTID chmod 600 /dev/ppp

You may need to reboot the virtual server afterwards. Install packages if not using a physical server this is done on the virtual server

yum install yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel ppp

Install OpenVPN We currently use the repoforge repository for Openvpn.  Using the epel or Openvpn repositories are not recommended because they currently do not include the openvpn pam authentication module which is used for the preferred authentication method.  If you use one of those repositories you will have to alter this procedure to use a different Openvpn authentication method. rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm or for 64bit OS use rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

yum install openvpn

Install pptp

rpm -Uvh http://poptop.sourceforge.net/yum/stable/rhel6/pptp-release-current.noarch.rpm
yum install pptpd

Configure OpenVPN

cp -R /usr/share/doc/openvpn*/easy-rsa/ /etc/openvpn/
nano /etc/openvpn/easy-rsa/2.0/vars

change

export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

to

export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf

Create the certificate:

cd /etc/openvpn/easy-rsa/2.0
chmod 755 *
source ./vars
./vars
./clean-all

Build Certificate Authority

./build-ca Country Name: may be filled or press enter State or Province Name: may be filled or press enter City: may be filled or press enter Org Name: may be filled or press enter Org Unit Name: may be filled or press enter Common Name:your server hostname Email Address: may be filled or press enter

Generate certificate & private key for server

./build-key-server server

Almost the same as build.ca Common Name: server A challenge password: leave blank Optional company name: fill or enter sign the certificate: y 1 out of 1 certificate requests: y Generate Diffie Hellman parameters

./build-dh

Create Server Config file See /usr/share/doc/openvpn-2.2.2/sample-config-files/server.conf for reference.  You can also copy that file over and edit if you prefer:

nano /etc/openvpn/server.conf

And enter the following:

local 11.22.33.44 #- your_server_ip goes here
port 1194 #- port
proto udp #- protocol
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem

# if you install openvpn with a repository other than rpmforge the following module may not be installed and openvpn may not start
# plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login0
client-cert-not-required
username-as-common-name
server 10.9.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3

See if openvpn starts

service openvpn start

if this doesn't work double check the server.conf file configure start on reboot

chkconfig openvpn on

Configure pptp

nano /etc/pptpd.conf

make sure the following lines are added if they do not already exist.

# replace the following with your server IP
localip 11.22.33.44
# replace the following with the desired private IP
# and range handed out to connecting pptp clients
# the private IP should not be on the same subnet
# as openvpn to avoid problems.
remoteip 10.10.0.1-100

Add DNS servers

nano /etc/ppp/options.pptp

make sure the following google DNS servers are added or use alternative DNS servers.

ms-dns 8.8.4.4
ms-dns 8.8.8.8

Create OpenVPN usernames and passwords

useradd username -s /bin/false
passwd username

If you wanted to delete a user you would use: userdel username Now create a server.ovpn config file and enter the following:

client
dev tun
proto udp
remote 11.22.33.44 1194 # - Your server IP and OpenVPN Port
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3

Make sure you change 11.22.33.44 to your server IP. Download ca.crt file in /etc/openvpn/easy-rsa/2.0/keys/ directory and place it in the same directory as your server.ovpn in your OpenVPN client Now download a OpenVPN client and import your config file and enter your username and password created above Create pptp usernames and passwords

nano /etc/ppp/chap-secrets
username1  pptpd  password1  *
username2  pptpd  password2  *
where the format is [username] [space] [server] [space] [password] [space][IP addresses]

start pptp

service pptpd start

enable start on reboot

chkconfig pptpd on

Configure IPTables NAT This is required for Openvpn and pptp. If using a phyical server

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If using an OpenVZ virtual server

iptables -t nat -A POSTROUTING -j SNAT --to-source 11.22.33.44

and replace 11.22.33.44 with your virtual server ip If you have other iptables rules that prevent everything by default you also need to open up the required ports.  pptp also requires gre protocol enabled (ie. iptables -A INPUT -i eth0 -p gre -j ACCEPT)

service iptables save

Enable IP packet forwarding This is required for Openvpn and pptp

nano /etc/sysctl.conf

and change the following line

net.ipv4.ip_forward = 1

run the following to enable the change immediately

sysctl -p

Troubleshooting If you have problems connecting to some websites via pptp such as godaddy.com whereas other websites such as google.com work fine you may have an mtu problem.  If you do a search you will find a lot of posts instructing people to add an mtu setting to various configuration files.  However, none of that seems to affect the mtu setting of the ppp device that is created when clients connect.  To see if you have this problem do an ifconfig while a pptp client is connected.  You will see a venet0 or eth0 device with an mtu of 1500 or perhaps some other number.  However your mtu for the connected client (first client is ppp0, second is ppp1 etc.) device might be something like 1396. In order to verify this fix works, from command line type ifconfig ppp0 mtu 1500 assuming we want to fix the first connected client (ie. ppp0) and assuming our mtu for venet0 or eth0 is 1500.  If that works add the following to /etc/ppp/ip-up. Alternatively, create a file /etc/ppp/ip-up.local and chmod +x /etc/ppp/ip-up.local.  Adding the following makes the change occur automatically each time a client connects via pptp because a new pppX device is created each time a client connects.

/sbin/ifconfig $1 mtu 1500

Where "$1" is the pppX variable of each connecting client as assigned in /etc/ppp/ip-up script. Change the 1500 to whatever mtu your venet0 or eth0 is set to.  If you try put that mtu setting somewhere else such as /etc/ppp/options.pptpd or /etc/ppp/options it will NOT effect the mtu setting of connecting clients and therefore will not solve this particular problem.