This howto will show you how to install OpenVPN inside an OpenVZ VPS on Ubuntu.
OpenVZ supports VPN inside a container via kernel TUN/TAP module and device.
First you need to enable TUN/TAP for the container if you haven't already. The following commands are run as root on the hardware node (not inside the container), with $CTID set to the container's ID; they allow the tun character device (major 10, minor 200) inside the container, grant it the net_admin capability and create the device node:
vzctl set $CTID --devnodes net/tun:rw --save
vzctl set $CTID --devices c:10:200:rw --save
vzctl set $CTID --capability net_admin:on --save
vzctl exec $CTID mkdir -p /dev/net
vzctl exec $CTID mknod /dev/net/tun c 10 200
Next we will need to install the openvpn package:
sudo apt-get install openvpn
Next, copy and unpack the example server config.
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
sudo gunzip server.conf.gz
The sample config uses the IP range 10.8.0.0 with netmask 255.255.255.0 (the line "server 10.8.0.0 255.255.255.0"); the server itself takes 10.8.0.1 and clients are assigned addresses from the rest of the /24.
Edit the server.conf file with your favorite editor and uncomment the following lines (remove the ";" in front of each):
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 22.214.171.124"
push "dhcp-option DNS 126.96.36.199"
The first line makes connected clients send all of their traffic through the tunnel. The two DNS lines tell clients which resolvers to use while connected; substitute resolvers you trust. Without them, clients keep using their local resolver, which is reachable outside the tunnel, so DNS queries would not go through the VPN.
Copy the necessary files to create our certificates:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa
We need to adjust the vars file, which contains the settings for the certificates.
Please keep in mind that the ‘country’ field may only contain 2 letters.
Open the vars file and go to the end.
The default file contains:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="firstname.lastname@example.org"
You can modify these values if you like.
After that, create the CA and the server certificate. Run these as root, since the keys directory under /etc/openvpn is root-owned:
Creating the CA and server certificate:
cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./pkitool --initca
./pkitool --server server
This builds a CA and a server certificate (CN "server") from the slightly edited example settings, which is what I recommend for non-advanced users and first-timers. Note that ./clean-all wipes the keys directory, so run it only once, when you set up the CA; running it again later destroys the CA and every certificate issued from it. The sample server.conf also expects Diffie-Hellman parameters (the file named on its "dh" line), which easy-rsa generates with ./build-dh, and it refers to ca.crt, server.crt, server.key and the dh file relative to /etc/openvpn, so either copy them there from /etc/openvpn/easy-rsa/keys/ or point those lines at the keys directory.
Creating client certificates:
cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname
Replace hostname with a name for the client you want to connect; it becomes the certificate's common name and serves as the client's identifier, for example "client1". Issue a separate certificate for each client rather than sharing one, so that a single client can be revoked without affecting the others.
One more thing is needed to make the routing work: traffic arriving on tun0 from the VPN clients must be forwarded out through the interface that provides internet access (venet0:0 by default) with the VPS's public IP as its source address. IP forwarding must be enabled inside the container (net.ipv4.ip_forward must be 1), or packets arriving on tun0 are simply dropped.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source your_vps_ip
iptables-save
Since we can't use the MASQUERADE target inside the container, we use SNAT with the VPS's static IP instead. Also, only whole interfaces can be used with the -o option (so venet0:0 doesn't work there), which is why this howto sticks to a static IP based rule that matches on the source subnet. The rule rewrites the source address of all traffic from 10.8.0.0/24 to your VPS IP as it leaves through the internet-facing interface. Note that iptables-save on its own only prints the current rules to standard output; to keep the rule across reboots, redirect its output to a file and restore that file at boot.
sudo /etc/init.d/openvpn restart
Configure your VPN client on your computer:
The client will need the following files (replace lvpsbl with the client name you used with pkitool):
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/lvpsbl.crt
/etc/openvpn/easy-rsa/keys/lvpsbl.key
The .key file is the client's private key, so transfer it over a secure channel (scp, for example) and delete the server-side copy once the client has it if you don't need it there.
Create a config file, for example lvpsbl.ovpn, and change the certificate settings to point at the files above:
In the line "remote hostname 1194", replace "hostname" with your VPS's public hostname or IP address. It does not have to match the server certificate's name: this client config only checks that the server presents a certificate of type "server" signed by your CA (ns-cert-type server), not its hostname.
Also change the ca/cert/key lines in case you used a different name for the client certificate than lvpsbl:
# Sample config file
client
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote hostname 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert lvpsbl.crt
key lvpsbl.key

# Verify the server certificate by checking
# that its certificate type is "server".
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20
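As an added example (my own script, not part of the original howto or of OpenVPN), here is a POSIX shell function that builds the client profile above as a single .ovpn file with the CA certificate, client certificate and private key embedded inline, so only one file has to be carried to the client instead of four. It assumes the easy-rsa keys directory used in this howto (overridable as the third argument), that the client certificate was issued with ./pkitool <name>, and takes the server hostname as an argument. The easy-rsa 2.0 .crt files start with a human-readable dump of the certificate before the PEM block, which the function strips; the key file is used as-is.

```shell
#!/bin/sh
# Added example: assemble a self-contained client profile (.ovpn) with the
# CA cert, client cert and client key inline. Not from the original howto.
#
# Usage: make_ovpn <client-name> <server-host> [keys-dir]
# Prints the profile to stdout; redirect it to <client-name>.ovpn.
# Assumption: keys-dir defaults to the easy-rsa keys directory from the howto.

make_ovpn() {
    client="$1"
    server_host="$2"
    keys_dir="${3:-/etc/openvpn/easy-rsa/keys}"

    # Refuse to emit a profile with anything missing rather than a half one.
    for f in "$keys_dir/ca.crt" "$keys_dir/$client.crt" "$keys_dir/$client.key"; do
        if [ ! -r "$f" ]; then
            echo "make_ovpn: cannot read $f" >&2
            return 1
        fi
    done

    # Same directives as the sample client config in this howto; the file
    # paths are replaced by inline <ca>/<cert>/<key> blocks.
    cat <<EOF
client
dev tun
proto udp
remote $server_host 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
comp-lzo
verb 3
<ca>
$(cat "$keys_dir/ca.crt")
</ca>
<cert>
$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$keys_dir/$client.crt")
</cert>
<key>
$(cat "$keys_dir/$client.key")
</key>
EOF
}

# Run directly with arguments to produce a profile, e.g.
#   sh make_ovpn.sh lvpsbl vpn.example.org > lvpsbl.ovpn
if [ "$#" -ge 2 ]; then
    make_ovpn "$@"
fi
```

The resulting file contains the private key, so treat it like the .key file itself: copy it to the client over a secure channel and do not leave it world-readable on the server.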
When this is done, import the client files into your favorite OpenVPN client and you should be ready to go. To confirm the connection, ping the server's tunnel address (10.8.0.1) or browse the web through the VPN; if the ping works but the web does not, the SNAT rule or IP forwarding on the server is the usual culprit.