GUIDE

How to roll your own OpenVPN server on a VPS using CentOS 6

Part 1 – the basics

In addition to using third party VPN providers, we have shown you how to turn your own PC into an OpenVPN server using free Hamachi and Privoxy software. Another popular VPN option is to rent a VPS, and run that as a VPN server.

A Virtual Private Server (VPS) is more or less exactly what it sounds like – you rent some of the resources on a physical server run by a VPS company, which provides a closed environment that acts as if it was a complete physical remote server. You can install any operating system on a VPS (as long as the provider allows it), and basically treat the VPS as your own personal remote server.

In Part 1 (basics) of this tutorial we will show you how to install OpenVPN Access Server software onto a VPS running CentOS 6 (a popular Linux distribution offered pre-installed by most VPS providers), and how to connect to it using the OpenVPN Connect client.

In Part 2 (advanced) we will show you how to build OpenVPN certificates so that peers can securely authenticate with each other, and you can connect to the server using the regular OpenVPN client. We will also explain how to change the encryption ciphers used.

Advantages of VPN on a VPS

  • Acts as a proxy server, so great for accessing georestricted services as long as the VPS is located in the country you wish to access the services from
  • The VPS provides a private IP address, so the IP address will not be blocked by services such as Hulu, or by most firewalls. This makes it a great anti-censorship option (and will work against IP blocks in China, although it will not defend against other censorship measures such as packet sniffing)
  • All traffic between your computer and the VPS goes through an encrypted VPN tunnel. As long as the VPS is located outside an adversary’s area of influence (for example if someone in Iran wishes to evade government censorship and so sets up a VPS server located in Europe) it will provide a high degree of privacy
  • VPN on VPS also protects against hackers when using public WiFi hotspots
  • Can be cheaper than a commercial VPN service.

Disadvantages

  • Because the VPS provides a static IP address that belongs to you, a global adversary (such as the NSA or police forces with an international reach) can easily trace internet activity back to you
  • Not suitable for copyright piracy – copyright holders will send DMCA notices (and similar) to your VPS provider. Unlike VPN providers who often keep no logs and use shared IPs to shield customers from these, VPS providers almost all take a very dim view of piracy, and will likely shut down your account (and very possibly pass on your details to the copyright holder)
  • Not for the technically fainthearted – we hope to make the setup process as painless as possible with these tutorials, but it does require a reasonable degree of technical know-how, and will require getting our hands dirty with a command line.

What you will need

  1. A VPS server with CentOS 6 (32- or 64-bit) installed, and a minimum of 218MB RAM. We may review suitable VPS services in the future, but for this tutorial we have chosen VPSCheap.net – mainly because it offers VPS plans from $1.99 per month
  2. An SSH client – OSX and Linux users have one already, in the form of Terminal. Windows users can download the excellent PuTTY (which we use for this demo).

Installing OpenVPN Access Server on the VPS

1. Open your SSH client and connect to your VPS server using the IP address supplied by your VPS provider.

Terminal users should enter ssh -l user ip.address and enter your details when you get the response:

ip.address/
/username
/

2. Login as root and enter the password you were given by your VPS provider. Note that in PuTTY the typed password remains hidden, so just type it and hit <enter>.

3. Before proceeding you should check that tap/tun is enabled. Enter cat /dev/net/tun (in PuTTY you can paste by right-clicking).

If tap/tun is enabled you should receive the response: cat: /dev/net/tun: File descriptor in bad state

Any other response means that tap/tun is not enabled. We had to login to our VPS account control panel to enable it.

4. Next we need to download the OpenVPN Access Server package. Enter:

wget http://swupdate.openvpn.org/as/openvpn-as-2.1.4-CentOS6.i386.rpm (CentOS 6 32-bit) or

wget http://swupdate.openvpn.org/as/openvpn-as-2.1.4-CentOS6.x86_64.rpm (CentOS 6 64-bit)

Note that these links may change as the OpenVPN software gets updated. Please see the official OpenVPN CentOS downloads page for the latest links.

You should see the response pictured below.

5. We now need to install the package using the ‘rpm’ command. Check the line that says ‘Saving to’ (see arrow in screenshot above) to verify package name, and enter:

rpm -i <package name>

e.g. rpm -i openvpnas-1.8.5-1.centos6 x86_64.rpm

The output should look as shown above. Make a note of the Admin UI address and Client UI addresses – you will need them in a minute!

6. Set up a password. Enter passwd openvpn, and whatever password you want at the prompt (and again to confirm it).

Oops – our password is not very strong, but it will do for now!

7. Paste the Admin UI address into your web browser (from step 5 above), and enter Username: ‘openvpn’ and whatever password you selected into the Admin Login (you may need to ‘Agree to end User License Agreement’ the first time you login).

8. You should now see the OpenVPN Access Server configuration page.

Congratulations, you have installed OpenVPN Access Server on your VPS!
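A pre-install check for steps 3 to 5, as an added example that is not part of the original tutorial: it interprets the tap/tun probe, picks the package matching the machine's architecture (the mismatch behind the i386/x86_64 conflicts reported in the comments below), and refuses to install a download whose SHA-256 digest differs from one you obtained separately over a trusted channel. The function names and the expected-digest argument are assumptions; the package file names and download URL are those shown in step 4.

```bash
#!/usr/bin/env bash
# Added example: pre-install checks for OpenVPN Access Server on CentOS 6.
# Function names are hypothetical; package names and URL come from step 4.

BASE_URL="http://swupdate.openvpn.org/as"   # plain HTTP, hence the digest check

# Map `uname -m` output to the matching package from step 4.
# 32-bit CentOS 6 normally reports i686, which takes the i386 package.
pkg_for_arch() {
    case "$1" in
        x86_64)              echo "openvpn-as-2.1.4-CentOS6.x86_64.rpm" ;;
        i386|i486|i586|i686) echo "openvpn-as-2.1.4-CentOS6.i386.rpm" ;;
        *)                   return 1 ;;
    esac
}

# Step 3: decide from the text printed by `cat /dev/net/tun`
# whether tap/tun is enabled.
tun_enabled() {
    case "$1" in
        *"File descriptor in bad state"*) return 0 ;;
        *)                                return 1 ;;
    esac
}

# Return 0 only if the file's SHA-256 equals the expected digest.
# Return 2 if the file is missing or cannot be hashed.
sha256_matches() {
    local file expected actual
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 2
    actual=$(sha256sum "$file" | awk '{print $1}') || return 2
    [ "${#expected}" -eq 64 ] && [ "$actual" = "$expected" ]
}

# Run the checks, download, verify, then install (must be run as root).
preflight_and_install() {
    local expected pkg probe
    expected="$1"
    probe=$(cat /dev/net/tun 2>&1) || true
    if ! tun_enabled "$probe"; then
        echo "tap/tun is not enabled: $probe" >&2
        return 1
    fi
    if ! pkg=$(pkg_for_arch "$(uname -m)"); then
        echo "no package for architecture $(uname -m)" >&2
        return 1
    fi
    wget -O "$pkg" "$BASE_URL/$pkg" || return 1
    if ! sha256_matches "$pkg" "$expected"; then
        echo "digest mismatch for $pkg, not installing" >&2
        rm -f "$pkg"
        return 1
    fi
    rpm -i "$pkg"
}

# Usage on the VPS, with the digest as a placeholder you must supply:
#   preflight_and_install "<EXPECTED_SHA256>"
```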

Connecting to your VPS using OpenVPN Connect

We now need to set up OpenVPN at your end. OpenVPN Connect is a VPN client that creates a simple OpenVPN connection between your PC and the VPS server, without the need for certificate authentication.

By default, the connection is protected by 128-bit Blowfish Cipher-Block Chaining (BF-CBC) encryption. The Blowfish cipher was created by Bruce Schneier, who has since recommended switching to stronger standards such as AES. However, for most purposes it is fine (and in part two of this tutorial we show you how to change encryption ciphers.)

1. Paste the Client UI address into your web browser (from step 5 above), ensure that ‘Connect’ is selected from the dropdown menu, and enter your Username (‘openvpn’) and password.

2. You will be prompted to download the OpenVPN Connect client…

The correct client for your OS should download automatically. If this does not happen for any reason, reload the page and you will be offered a choice of OpenVPN connect clients (including for iOS and Android.)

3. Install and run OpenVPN Connect as normal, then click the OpenVPN Connect icon in the notification bar and select ‘Connect to <your Client UI address>’

4. Enter your username (openvpn) and password.

5. Click ‘Yes’ at the warning (you need do this only once).

6. And yay! You are now connected to your VPS via OpenVPN.

The OpenVPN connect icon turns green so you can see whether you are connected at a glance

We popped along to ipleak.net to test everything was working properly, and our IP address appears to be that of our VPS. Yay!

For casual users and most situations this simple OpenVPN connection should be more than enough.

Once you are finished here, check out Part 2 of this tutorial, in which we learn how to add other users, and improve security by changing the encryption cipher and building our own OpenVPN certificates.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+


86 responses to “How to roll your own OpenVPN server on a VPS using CentOS 6”

  1. Very nice, very helpful article. Thanks for writing it.

    I must point out though that a VPS VPN won’t guarantee access to certain sites/services that have chosen to fascistically block entire IP blocks of known hosting companies.

    The better known the hosting company, the more likely scum services like Hulu will recognize and block. Even Wikipedia blocks known hosting companies from editing articles.

    The internet has become a place where you have to constantly come up with workarounds to get things done. What a shame.

    1. Hi forcedalias,

      Yes. When I wrote this article I was not aware that in addition to blocking IPs belonging to known VPN providers, some services also block IPs of hosting providers. Very sad.

  2. How do I change the port from 943 to some other port? My VPS supports only a certain port range… I am not able to access the admin and client pages because of this…

  3. Hi sir, I very much appreciate your tutorial, but I have an issue connecting to downloads; it always says timeout… Connecting to “download.openvpn.net|173.193.224.173|:443 connection timeout”

    What would be the solution for that?

  4. Dear sir
    I have connected an OpenVPN client to the OpenVPN server, but I need to open all websites through only the client computer’s internet. My purpose is only to unblock UDP port 5060 through the OpenVPN server’s internet. Is it possible?
    Best Regards
    Martin

    1. Hi Martin,

      As per the official How-to under “Creating configuration files for server and clients”, modify (or add) the following lines to the server configuration file (changing to 5060).

      remote my-server-1 1194
      ;remote my-server-2 1194

      Also ensure the line

      proto udp

      is included in order to listen on UDP.

  5. Hi there!

    Your procedure works perfectly. Thanks for writing that up.

    I have a problem though, not with the vpnvps but with Netflix.

    My situation:
    I am a retired Dutch guy and my VPS is located in the Netherlands. Since I spend a lot of time living in France I had a VPN via PIA so I could watch Dutch television and Netflix like in Holland.

    Recently Netflix discovers when users are using a VPN (or proxy?) and blocks entry to content due to regional legal aspects. I imagined they used a list of known (commercial) vpn ip addresses for their blocking mechanism. That was the reason I installed the vpn server on my own vps.

    No success… So I think Netflix knows when a client is using a proxy or using software like OpenVPN.

    Question: do you have any idea how I could pass that Netflix control?

    Thanks in advance for your reply.

    1. Hi violacase,

      The problem with rolling your own VPN is that by default DNS requests are still handled by your ISP (this is known as a DNS leak). VPN providers usually operate their own DNS servers in order to address this issue, but this is not easy to do yourself. Changing your DNS settings to a US OpenNIC address is a workaround that might fix your problem. It is also worth checking that you are not suffering a WebRTC leak or other form of IP leak that is giving away your real location.

  6. Thanks sir, great tutorial. Please tell me whether we can use this self-made VPN with a router on the client end, like TP-Link or MikroTik.

    Awaiting your kind reply.

    1. Hi Muhammad

      BestVPN does not have an article on setting up a router as an OpenVPN server (yet!), but I think this should help you.

  7. Hi Douglas,

    Thanks a lot for your article, it helped a lot.
    I am now connected to my vps over vpn (openvpn), but ipleak does not give me the same ip as the vpn ip provided by my vps supplier (1&1).
    I am using this vpn but also a LAN network from my company in order to have the Internet connection (ISP).
    Actually, I need to share a sql server database over vpn but right now I am sharing it over Internet via remote connection in sql server settings.
    Can you help please?

    1. Hi Marie,

      The problem is likely to be that you are suffering a DNS leak. Commercial VPN services run their own DNS servers, and route all DNS requests through these. When you roll your own VPN, however, DNS resolution still relies on your ISP or a third party (such as Google DNS or OpenNIC). It is also possible that you are suffering a WebRTC Leak. Please see A Complete Guide to IP Leaks for more discussion on these issues. There is no easy solution to the DNS server problem when you use your own VPN server, but you can use OpenNIC to at least have DNS requests resolved in the correct country. Please see How to Change your DNS Settings – A Complete Guide for instructions on how to do this.

        1. Hi Chuck,

          Hmm. I take it that you have performed all the other steps, and that the output for them looks correct? It’s only a small thing, but I suggest copying and pasting the Admin UI into your browser URL bar, rather than typing it, as this leaves less room for error…

    1. Hi Pete,

      Are you using your SSH client or browser? I don’t have a VPS server running at the moment to test the link in an SSH client, but as far as I know the server should still be up and running..

  8. Hi Douglas, I just installed the VPN exactly like your tutorial here; everything looks fine until the HTTPS (which I haven’t yet bought / created with Let’s Encrypt as you suggested)…

    Well, the main problem for me is I can’t connect to the server. I tried disabling my firewall, antivirus and everything but still failed to connect. I’ve checked my TUN/TAP and I talked with my webhost, and they said everything is fine and it’s enabled, just like they said.

    I click the icon in the tray > click Connect (myserverIP) > enter the username (openvpn) > password > and click Connect… but it says: could not establish connection with the VPN server… I tried many times; hope you could help me…

    Even though it’s been 2 years, I still need your help to solve my problems.
    Thank you…

    1. Hi mreshane,

      Hmm. Can you login to your OpenVPN Access Server configuration page? Have you tried logging in from a different computer (or even your phone)? Please note that I’m away on holiday for the rest of this week, but will try to help when I return to work.

      1. I’ve set up everything and it was working for me the first night. But then I turned off my PC and came back, and now I can’t connect to it. It tries to connect then just says it has disconnected.

  9. Hello,
    Whenever I go to my Open VPN site, I get a warning that the connection is not secure (I type HTTPS). Is there a way to make the connection secure with this set up?

    1. Hi Max,

      To use SSL you need an HTTPS certificate for your website. It is very likely that your VPS provider can sell you one, or you can buy one from a third-party seller. You can also get a free certificate through the EFF’s Let’s Encrypt program. It is also possible to create a self-signed certificate (instructions for doing this in CentOS6 available here.) If you used a self-signed cert then you will still probably receive security alerts from your browser (at least until you white-list the website,) but the connection will be secured by SSL.

        1. Hi Max,

          If you have more than one IP address then no, but if you mean from the same IP then probably (although TBO I’m not 100% sure.)

  10. Hi,

    IPs X and Z belong to the same VPS. When I try to go through the entire process again but with IP Z this time (after entering rpm -i), it says that OpenVPN is already installed on this server and nothing else happens. In my OpenVPN Connect I can only choose and connect to IP X but not Z. I feel like I must change something in the Admin UI to be able to use the second IP (Z), but I’m not really sure what…

    1. Hi Dari,

      I’m afraid that I’m not sure, off the top of my head, and I no longer have a VPS running to investigate. It’s a bit of a nuclear option, but if you look through the previous comments on here, I have given some advice to Andrei on how to remove OpenVPN so you can start again. May I ask why it is so important to connect to ip Z instead of ip X?

        1. Hi Dari,

          I may not be understanding you correctly, but if you roll your own VPN then you will have just 1 IP (that of your VPS). To access the internet from multiple IPs, you are best off using a commercial VPN service (some of which offer static IPs, should you need this.)

  11. This tutorial is great, I set up a few VPN connections. But now I have a problem: everything was OK, but part “7. Paste the Admin UI…” isn’t working for me. When I put in the Admin UI, I just get this in my browser: “Internal Server Error
    An error occurred rendering the requested page. Additionally, an error occurred rendering the error page.”.

    1. Hi Carl,

      Mm… that’s interesting! I’m not really sure what to suggest, as this should not be a problem… have you tried using a different browser? If all else fails you can follow the steps I outlined to Andre up-thread on how to uninstall OpenVPN on your VPS, and start again.

  12. Hello, first of all thanks for your guide.

    But I have 1 question.

    My VPS has 2 static IPs, for example IP X and IP Z.
    I used IP X to install OpenVPN. When I’m using my OpenVPN Connect I can only connect to IP X (the one I used to install OpenVPN). So how do I switch from IP X to Z in my OpenVPN Connect client?

    1. Hi dari.

      Perhaps I am a little confused. If you have OpenVPN installed on ip X, and your desktop OpenVPN Connect client connects to ip X, then why would you want it to connect to ip Z when you do not have OpenVPN installed on ip Z? To install OpenVPN on ip Z you will need to go through the entire process again, entering your ip Z address in your SSH client (step 1.) I no longer have OpenVPN Connect installed on my system, but you should be able to specify a new IP address to connect to using the options menus (although for this to work you will need OpenVPN setup for that IP address.)

  13. Please, how can I open ports for applications? I want to open ports like 3344, 5566, 9744 and many more for my different applications so I can communicate with my applications.
    Also, I can check http://canyouseeme.org/ and see my port open once my applications are running. Thanks.

  14. Perfect. Following this tutorial of yours, I now have my own VPN.
    But I have a problem accessing it using an Android mobile.
    Can you help?

    1. Hi yoshi,

      This should be straightforward using OpenVPN Connect for Android. To download this, follow the advice listed under Step 2 of ‘Connecting to your VPS using OpenVPN Connect’. If you have another problem then I will need more details before I can help.

  15. OK, I installed it and it worked. But my VPS has restarted and I don’t know how to start the process again. If I follow the install procedure it tells me it is already installed. It’s installed but not running… How do I get it running again after a restart of the VPS? Thx!

        1. Hi Andrei,

          You can try removing openvpn. Run ‘rpm -q --scripts openvpn’ to verify openvpn package name, then uninstall using the command ‘yum remove package_name’ (or ‘rpm -e package_name’). You should then be able to reinstall openvpn (step 5 onwards). If this fails then a more nuclear option would be to contact your VPS provider, ask it to reset your VPS, and start from the beginning…

          1. Hi Douglas, it seems like I’m in trouble just like Andre here. What do you mean by reset? I have the ability to reset my own VPS, but if I do that all my files will be deleted, right?

            Is there any way other than resetting my VPS server?

            Best Regards,
            mreshane.

          2. Hi mreshane,

            Yup, that is what I mean, and yup, it will delete all your files (which is why I refer to this as the “nuclear option”). There might well be other solutions, but it is difficult for me to suggest them without really understanding why you are having problems.

  16. Hi there,
    I tried to install the openvpnas. When I type ‘rpm -i openvpnas-1.8.5-1.centos6.i686.rpm’ I got a feedback message stating ‘Automatic configuration failed, see /usr/local/openvpn_as/init.log
    You can configure manually using the /usr/local/openvpn_as/bin/ovpn-init tool.’
    Could anyone help me to solve this?
    Thank you very much

    1. Hi Daniel,

      First thing I notice is, have you checked the package name (line that says ‘Saving to’, see step 5). Are you sure it should not be …i386.rpm (instead of …i686)?

      If the package name is correct (or the above was just a typo in your message), you could send me the /usr/local/openvpn_as/init.log to have a look at. I cannot promise that I will be able to help however.

      1. Yes, I’m sure it’s 686.
        Now, I just realised that my VPS is running on 64bit.
        Tried to install using the other link ‘x86_64.rpm’ but it says the data is conflicting. Tried to follow the instructions you gave to previous questions, got stuck at ‘yum remove openvpnas-1.8.5-1-CentOS6.i386.rpm’; it says ‘-bash: yum: command not found’
        I need help. Sorry if you find this question silly or stupid; I have no experience with this server thing, nor computer programming skills.
        Thanks in advance.

        1. Hi Daniel,

          Try using /usr/bin/yum instead of just yum (it could be that /usr/bin has been removed from the path.) You can check whether yum is installed by entering which yum /usr/bin/yum. If yum is not installed, then follow the steps outlined here.

  17. Great tutorial, do you recommend setting the CentOS firewall to any particular settings? I notice when I try to access ftp while connected to VPN, it doesn’t work. Do you know if there is a setting for that as well? Thanks so much.

    1. Hi Jesse,
      I think the most likely culprit here is CentOS’s built-in firewall, which is probably blocking your ftp client. Articles here and here explain how to configure your iptables….

  18. Would this guide work on CentOS 6.5 or 7? It seems that the VPS provider I am very interested in buying from (mainly because of location and price) provides only this OS.

    PS. Your guide looks so simple and easy. I came across a few of them and this one is by far the easiest method.

      1. Yes they are. I managed to set it up on CentOS 6.5. I actually took the risk and bought the VPS before you answered 🙂

        Thanks again.

  19. Great guide. Thanks

    I have a question. I need to set up 2 VPNs. Is it possible to set them up on the same VPS? Some of the VPS providers offer 2 or more IP addresses. If it is possible, what would be the procedure please?

    1. Hi Przemek.

      If a VPS provider offers 2 IP addresses, then this should be easy – simply login to the different addresses as per step 1, and proceed from there. I should also note that since we paid just $1.99 per month for a VPS plan, if you have any problems then it may just be easier to rent 2 vps servers…

  20. Well, everything was fine… until the setup picked up the internal server IP, not the external (public) one, to make it its own admin IP! How can this be solved please?

    Thanks a lot in advance.

    1. Hi Gon,

      Hmm… I no longer have a VPS running to check this, but I believe you can use the ‘/usr/local/openvpn_as/bin/ovpn-init’ tool to manually reconfigure the OpenVPN settings…

  21. It says something with :

    When I enter: rpm -i openvpnas-1.8.5-1.centos6 x86_64.rpm

    It says:

    file /usr/local/openvpn_as/sbin/ucarp from install of openvpn-as-0:1.8.5 -CentOS6.4.x86_64 conflicts with file from package openvpn-as-0:1.8.5-CentOS6.4. i386

    help!

    1. Hi erexo,

      It seems to me that you have either installed CentOS6.4. i386, but are running the command to rpm (install) the x86_64 version of openvpn, or that you have already installed i386 version of openvpn, and are then trying to install the x86_64 version on top of it.

      Can you first verify whether you are running the x86_64 (64-bit) or i386 (32-bit) version of CentOS6? Type:

      uname -a

      This should return something like:

      Linux office.rackaid.net 2.6.32-220.2.1.el6.x86_64 #1 SMP
      Fri Dec 23 02:21:33 CST 2011 x86_64 x86_64 x86_64 GNU/Linux

      The end of the first line should tell you which version is installed (e.g. .x86_64) in the example above.

      You can also check to see which packages you already have installed by typing:

      [root@centos63 ~]# rpm -qa --last

      Now… If you have CentOS6.i386 installed, but not openvpn, then go back to Step 4 and download and install the correct version of openvpn.

      If you already have openvpn installed, then uninstall it using:

      yum remove openvpnas-1.8.5-1-CentOS6.i386.rpm

      (ensure package name is correct)

      You can then reinstall the openvpn i386 package as per step 5. I hope that helps.

  22. I wanted to say “thanks for this” but sadly it doesn’t work for me at all. Installing using rpm -i simply returned a command prompt, no messages at all. Can’t even find whether anything installed successfully, any conf files etc.

    I’ve got a fairly standard CentOS system – I don’t know what’s going wrong. The worst thing is when I have no information to diagnose with. Download? Yep. Typed install cmd? Yep. Anything else? Nope 🙁

    1. Hi John,
      I’m sorry the tutorial is not working for you, although it does describe all the steps I took to get it working for me. Without examining logs of your PuTTY output, it is impossible for me to pinpoint your problem, although I suspect the best place to start is to verify that openvpn has been successfully downloaded before trying to install it.

      You can do this by navigating to the download folder using ‘cd’ (in this tutorial it is just in the root folder), and typing ‘ls’ (more info on Linux commands can be found at http://www.comptechdoc.org/os/linux/usersguide/linux_ugbasics.html). I’m sorry that I can’t be of more help.

  23. Hi, I want to build my own double VPN, let’s say something like this: one VPS in Russia and a VPS in Spain, the same as the double VPN that VPN providers sell. I just want to have my personal one. Thanks for the answer.

    1. Hi jan,

      Could you clarify a little about what you are looking for? Chaining two commercial services? Running a VPN within a VM, which then connects through a second VPN running on the host computer? Setting up your own ‘double VPN’ on a VPS server? Something else? Let us know, and we’ll see what we can do.

  24. Hi, Douglas.
    I have a question to you. How to make similar, only that instead of “VPS Cheap – Hosting” was displayed for example Sky, Virgin, AT&T. In the general any existing ISP? On how many really to realize it on any VPS?

    1. Hi Christopher,

      I am afraid that I’m not sure I understand your question. You rent a VPS from a VPS provider (we used VPS Cheap, but the process is pretty much identical regardless of which provider you choose). Your ISP (e.g. Sky, Virgin, AT&T) is completely different – it supplies your internet connection. By creating a VPN to your VPS you encrypt your internet traffic so that your ISP cannot ‘see’ that traffic…
