Step by step tutorial to install OpenVPN on redhat/centos 6.X servers in the Amazon EC2 Cloud.
Log in to the Amazon EC2 instance.
Install the build dependencies:
# yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel -y
Next, download the LZO source RPM; the RPMForge repository also has to be configured.
# wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
Before adding the RPMForge repo to the OpenVPN server, check whether the server is 32-bit or 64-bit and download the matching release package.
If it is 32-bit, download:
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-1.el6.rf.i686.rpm
If it is 64-bit, download:
# wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
Next, build and install the lzo package, then install the RPMForge release package. rpmbuild writes the binary RPMs under ~/rpmbuild/RPMS/<arch>/, so install them from there:
# rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
# rpm -Uvh ~/rpmbuild/RPMS/*/lzo-*.rpm
# rpm -Uvh rpmforge-release*
With the above in place, install OpenVPN:
# yum install openvpn -y
Copy the easy-rsa folder to /etc/openvpn/ (adjust the version number in the path to match the installed openvpn package):
# cp -R /usr/share/doc/openvpn-2.2.2/easy-rsa/ /etc/openvpn/
Edit the vars file:
# vi /etc/openvpn/easy-rsa/2.0/vars
Replace the line
export KEY_CONFIG='$EASY_RSA/whichopensslcnf $EASY_RSA'
with
export KEY_CONFIG=/etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Now create the certificates. The vars file must be sourced (not executed) so that its KEY_* variables are set in the current shell:
# cd /etc/openvpn/easy-rsa/2.0
# chmod 755 *
# source ./vars
# ./clean-all
Next, build the CA certificate and key:
# ./build-ca
Fill in the details for your organisation or your personal details:
Country Name: enter your country details or Just Press Enter for Defaults
State or Province Name: Enter your State or Just Press Enter for Defaults
City: Enter your City or Just Press Enter for Defaults
Org Name: Enter your Organization Name or Just Press Enter for Defaults
Org Unit Name: Enter your Org Unit Name or Just Press Enter for Defaults
Common Name: Enter a Name for Your VPN Server
Email Address: Enter your admin email details
Build the server key:
# ./build-key-server server
Enter the same values as for ./build-ca, with a few changes:
Common Name: server
A challenge password: press enter to leave it blank
Optional company name: Optional value
sign the certificate: y
1 out of 1 certificate requests: y
Build the Diffie-Hellman parameters:
# ./build-dh
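Before starting the service it is worth confirming that the easy-rsa output is what the server.conf below expects: server.crt must be issued by ca.crt, server.key must belong to server.crt, the private key must not be group- or world-readable, and the certificate must not be about to expire. The script below is an added example written for this tutorial, not part of easy-rsa or OpenVPN; it assumes the tutorial's key directory /etc/openvpn/easy-rsa/2.0/keys as its default and takes any other directory as its first argument.

```shell
#!/bin/sh
# check-pki.sh: sanity checks on the easy-rsa output before OpenVPN is started.
# Added example for this tutorial; not part of easy-rsa or OpenVPN.
# Default directory is the tutorial's (assumption); pass another as $1.

# cert_chains_to_ca CA CERT: returns 0 if CERT was issued by CA and is
# currently valid according to openssl verify.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: returns 0 if the RSA modulus in CERT equals the
# modulus of KEY, i.e. the key file really belongs to that certificate.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# key_is_private FILE: returns 0 if no permission bit is set for group or
# others (the group/other columns of ls -l are all dashes).
key_is_private() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# cert_valid_for_days CERT DAYS: returns 0 if CERT will still be valid DAYS
# days from now (openssl x509 -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# report LABEL: prints ok/FAIL for the exit status of the preceding command.
report() {
    if [ "$1" -eq 0 ]; then echo "ok   $2"; else echo "FAIL $2"; fi
}

keydir="${1:-/etc/openvpn/easy-rsa/2.0/keys}"
if [ -d "$keydir" ]; then
    cert_chains_to_ca "$keydir/ca.crt" "$keydir/server.crt"; report $? "server.crt is signed by ca.crt"
    key_matches_cert "$keydir/server.crt" "$keydir/server.key"; report $? "server.key matches server.crt"
    key_is_private "$keydir/server.key";                        report $? "server.key is not group/world readable"
    key_is_private "$keydir/ca.key";                            report $? "ca.key is not group/world readable"
    cert_valid_for_days "$keydir/server.crt" 30;                report $? "server.crt valid for at least 30 days"
fi
```

Run it as `sh check-pki.sh` on the server after ./build-dh; any FAIL line means the corresponding file should be regenerated or its permissions tightened (chmod 600) before the key is put in front of clients.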
Create /etc/openvpn/server.conf and insert the lines below. Note that with the PAM plugin and client-cert-not-required, clients are not asked for a certificate at all: access to the VPN rests entirely on the system usernames and passwords that /etc/pam.d/login accepts.
# vi /etc/openvpn/server.conf
#- port
port 1194
#- protocol
proto udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
#- Comment this line if you are using FreeRADIUS
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
#- Uncomment this line if you are using FreeRADIUS
#plugin /etc/openvpn/radiusplugin.so /etc/openvpn/radiusplugin.cnf
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status 1194.log
verb 3
Start the OpenVPN service:
# service openvpn start
Enable IP forwarding in /etc/sysctl.conf. Edit and save the file:
# vi /etc/sysctl.conf
Replace
net.ipv4.ip_forward = 0
with
net.ipv4.ip_forward = 1
Load the modified setting:
# sysctl -p
Create a normal user (linuxbrainbox is used here); because authentication goes through PAM, this account is also what the client logs in to OpenVPN with:
# useradd linuxbrainbox -s /bin/false
Set a password for the user linuxbrainbox:
# passwd linuxbrainbox
NAT rules for iptables so that VPN clients can reach the internet through the server:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -o venet0 -j SNAT --to-source 54.84.***.***
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 54.84.***.***
Note: replace 54.84.***.*** with your OpenVPN server's public IP. venet0 is the interface name used inside OpenVZ containers; on a standard EC2 instance the outbound interface is eth0, so the eth0 MASQUERADE rule is the one that takes effect there.
Save the iptables rules:
# service iptables save
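The server-side steps above are easy to get subtly wrong (a directive left in, ip_forward not reloaded, the NAT rule added twice because the troubleshooting step at the end was run more than once). The script below is an added example written for this tutorial, not part of OpenVPN or the original post; it reviews a server.conf for the settings a security reviewer would want to revisit, checks the forwarding switch, and adds the MASQUERADE rule only when it is missing. It assumes the tutorial's subnet 10.8.0.0/24 and interface eth0 as defaults, and it relies on `iptables -S`, which is available on CentOS 6's iptables.

```shell
#!/bin/sh
# openvpn-audit.sh: post-install checks for a server built as in this tutorial.
# Added example; not part of OpenVPN or the original post. Paths are passed as
# arguments so the checks can be run against any copy of the config.

# conf_has CONF REGEX: 0 if an active (non-comment) line of CONF matches REGEX.
# OpenVPN treats lines starting with # or ; as comments, so a commented-out
# "#plugin ..." line is blanked out before matching.
conf_has() {
    sed -e 's/^[[:space:]]*[#;].*$//' "$1" | grep -qE -- "$2"
}

# audit_conf CONF: prints one "finding: ..." line per setting worth revisiting.
audit_conf() {
    conf="$1"
    if conf_has "$conf" '^client-cert-not-required'; then
        echo "finding: client-cert-not-required - clients present no certificate; access rests on username/password only"
    fi
    if conf_has "$conf" '^reneg-sec[[:space:]]+0[[:space:]]*$'; then
        echo "finding: reneg-sec 0 - data-channel key renegotiation is disabled for the life of the session"
    fi
    if conf_has "$conf" '^dh[[:space:]].*dh1024'; then
        echo "finding: dh1024.pem - 1024-bit DH parameters; 2048-bit is the usual minimum today"
    fi
    if ! conf_has "$conf" '^tls-(auth|crypt)'; then
        echo "finding: no tls-auth/tls-crypt - control-channel packets carry no extra HMAC"
    fi
    if ! conf_has "$conf" '^user[[:space:]]'; then
        echo "finding: no user/group directive - the daemon keeps root privileges after initialisation"
    fi
}

# ip_forward_enabled [FILE]: 0 when the forwarding switch reads 1. FILE
# defaults to the live kernel value; pass a path to check a saved copy.
ip_forward_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# has_masq_rule SUBNET IFACE: reads "iptables -t nat -S POSTROUTING" output on
# stdin and returns 0 if the MASQUERADE rule for SUBNET via IFACE is present.
has_masq_rule() {
    grep -qF -- "-s $1 -o $2 -j MASQUERADE"
}

# ensure_masq_rule SUBNET IFACE: adds the rule only if it is missing, so
# re-running this step never stacks duplicate POSTROUTING entries.
ensure_masq_rule() {
    if iptables -t nat -S POSTROUTING | has_masq_rule "$1" "$2"; then
        echo "nat: masquerade rule for $1 via $2 already present"
    else
        iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
        echo "nat: masquerade rule for $1 via $2 added"
    fi
}

# Usage: sh openvpn-audit.sh /etc/openvpn/server.conf [SUBNET] [IFACE]
if [ "$#" -ge 1 ]; then
    audit_conf "$1"
    if ip_forward_enabled; then echo "ip_forward: enabled"; else echo "ip_forward: DISABLED (run sysctl -p)"; fi
    ensure_masq_rule "${2:-10.8.0.0/24}" "${3:-eth0}"
fi
```

Run as root on the server once server.conf is in place; an empty findings list and "ip_forward: enabled" mean the pieces this tutorial configures are consistent, and the NAT step can be repeated safely because the rule is only appended when absent.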
Client Side Configuration
On a Windows client:
Create a file server.ovpn with the contents below:
client
dev tun
proto udp
#- Replace with your OpenVPN server IP & port
remote 54.84.***.*** 1194
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
reneg-sec 0
verb 3
Save the file in the config directory of the OpenVPN installation on the client.
Using WinSCP (file-copy software between a Windows client and a Linux machine), log in to the OpenVPN server and copy /etc/openvpn/easy-rsa/2.0/keys/ca.crt into the OpenVPN config folder on the Windows client. Only ca.crt is needed on the client; the server's private key stays on the server.
Now check that you can log in with the username linuxbrainbox and its password (the account created on the server side; substitute the username you created).
One important point: if the client machine has no internet access after connecting to the VPN, run the following once again:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Before connecting to the VPN, check your IP address using www.whatismyip.com.
After connecting to OpenVPN, check your IP address again on www.whatismyip.com; it should now show the OpenVPN server's public IP address.
Just wanted to say thanks. Your directions were a little sloppy but 100% helpful in getting OpenVPN working on EC2!
Thanks Mauvis, Happy you could get OpenVPN Working.