Douglas Crawford

October 24, 2014

Part 1 – the basics

In addition to using third party VPN providers, we have shown you how to turn your own PC into an OpenVPN server using free Hamachi and Privoxy software. Another popular VPN option is to rent a VPS, and run that as a VPN server.

A Virtual Private Server (VPS) is more or less exactly what it sounds like – you rent some of the resources on a physical server run by a VPS company, which provides a closed environment that acts as if it was a complete physical remote server. You can install any operating system on a VPS (as long as the provider allows it), and basically treat the VPS as your own personal remote server.

In Part 1 (basics) of this tutorial we will show you how to install OpenVPN Access Server software onto a VPS running CentOS 6 (a popular Linux distribution offered pre-installed by most VPS providers), and how to connect to it using the OpenVPN Connect client.

In Part 2 (advanced) we will show you how to build OpenVPN certificates so that peers can securely authenticate with each other, and you can connect to the server using the regular OpenVPN client. We will also explain how to change the encryption ciphers used.

Advantages of VPN on a VPS

  • Acts as a proxy server, so great for accessing georestricted services as long as the VPS is located in the country you wish to access the services from
  • The VPS provides a private IP address, so the IP address will not be blocked by services such as Hulu, or by most firewalls. This makes it a great anti-censorship option (and will work against IP blocks in China, although it will not defend against other censorship measures such as packet sniffing)
  • All traffic between your computer and the VPS goes through an encrypted VPN tunnel. As long as the VPS is located outside an adversary’s area of influence (for example if someone in Iran wishes to evade government censorship and so sets up a VPS server located in Europe) it will provide a high degree of privacy
  • VPN on VPS also protects against hackers when using public WiFi hotspots
  • Can be cheaper than a commercial VPN service.

Disadvantages

  • Because the VPS provides a static IP address that belongs to you, a global adversary (such as the NSA or police forces with an international reach) can easily trace internet activity back to you
  • Not suitable for copyright piracy – copyright holders will send DMCA notices (and similar) to your VPS provider. Unlike VPN providers who often keep no logs and use shared IPs to shield customers from these, VPS providers almost all take a very dim view of piracy, and will likely shut down your account (and very possibly pass on your details to the copyright holder)
  • Not for the technically fainthearted – we hope to make the setup process as painless as possible with these tutorials, but it does require a reasonable degree of technical know-how, and will require getting our hands dirty with a command line.

What you will need

  1. A VPS server with CentOS 6 (32- or 64-bit) installed, and a minimum of 218MB RAM. We may review suitable VPS services in the future, but for this tutorial we have chosen VPSCheap.net – mainly because it offers VPS plans from $1.99 per month
  2. An SSH client – OSX and Linux users have one already, in the form of Terminal. Windows users can download the excellent PuTTY (which we use for this demo).

Installing OpenVPN Access Server on the VPS

1. Open your SSH client and connect to your VPS server using the IP address supplied by your VPS provider.

Terminal users should enter ssh -l user ip.address (replacing user with your username and ip.address with the IP address of your VPS) and enter your details when you get the response.

2. Log in as root and enter the password you were given by your VPS provider. Note that in PuTTY the typed password remains hidden, so just type it and hit enter.

3. Before proceeding you should check that tap/tun is enabled. Enter cat /dev/net/tun (in PuTTY you can paste by right-clicking).

If tap/tun is enabled you should receive the response: cat: /dev/net/tun: File descriptor in bad state

Any other response means that tap/tun is not enabled. We had to login to our VPS account control panel to enable it.

4. Next we need to download the OpenVPN Access Server package. Enter:

wget http://swupdate.openvpn.org/as/openvpn-as-2.1.4-CentOS6.i386.rpm (CentOS 6 32-bit) or

wget http://swupdate.openvpn.org/as/openvpn-as-2.1.4-CentOS6.x86_64.rpm (CentOS 6 64-bit)

Note that these links may change as the OpenVPN software gets updated. Please see the official OpenVPN CentOS downloads page for the latest links.

You should see the response pictured below.

5. We now need to install the package using the ‘rpm’ command. Check the line that says ‘Saving to’ (see arrow in the screenshot above) to verify the package name, and enter:

rpm -i package name

e.g. rpm -i openvpnas-1.8.5-1.centos6 x86_64.rpm

The output should look as shown above. Make a note of the Admin UI and Client UI addresses – you will need them in a minute!

6. Set up a password. Enter passwd openvpn, and whatever password you want at the prompt (and again to confirm it).

Oops – our password is not very strong, but it will do for now!
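Steps 3 to 6 collected into one script, as an added example rather than code from the article: it assumes CentOS 6 with wget and rpm available, that it is run as root, and the package URLs quoted in step 4 (which may have changed since).

```shell
#!/bin/sh
# Added helper, not from the original article: wraps steps 3-6 above into one
# script so that each check is explicit. Assumes CentOS 6 with wget and rpm
# installed, run as root. The download URLs are the ones quoted in step 4 and
# may since have changed; take current links from the OpenVPN downloads page.
set -eu

# Map the output of `cat /dev/net/tun` to a one-word status. "File descriptor
# in bad state" is the healthy answer: the device node exists and the kernel
# driver responded, cat simply cannot read from a control device.
classify_tun_msg() {
    case "$1" in
        *"File descriptor in bad state"*) echo enabled ;;
        *"No such file or directory"*)    echo missing ;;       # enable TUN/TAP in the VPS panel
        *"Operation not permitted"*)      echo not-permitted ;; # node present, but opening it is refused
        *)                                echo unknown ;;
    esac
}

check_tun() {
    msg=$(cat /dev/net/tun 2>&1 || true)
    status=$(classify_tun_msg "$msg")
    [ "$status" = enabled ] || { echo "TUN/TAP not usable ($status): $msg" >&2; return 1; }
}

# Pick the package matching this machine (argument: output of `uname -m`).
pick_rpm_url() {
    case "$1" in
        x86_64) echo "http://swupdate.openvpn.org/as/openvpn-as-2.1.4-CentOS6.x86_64.rpm" ;;
        i?86)   echo "http://swupdate.openvpn.org/as/openvpn-as-2.1.4-CentOS6.i386.rpm" ;;
        *)      echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

install_access_server() {
    check_tun
    url=$(pick_rpm_url "$(uname -m)")
    pkg=${url##*/}          # the same name wget prints after "Saving to"
    wget -O "$pkg" "$url"
    rpm -i "$pkg"           # prints the Admin UI and Client UI addresses
    passwd openvpn          # password for the openvpn user, used by both web UIs
}

# Run the installation only when asked, so the helpers can be sourced safely.
if [ "${1:-}" = "--install" ]; then
    install_access_server
fi
```

Run it as sh setup-as.sh --install on the VPS; without the flag it only defines the functions.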

7. Paste the Admin UI address into your web browser (from step 5 above), and enter Username: ‘openvpn’ and whatever password you selected into the Admin Login (you may need to ‘Agree to End User License Agreement’ the first time you log in).

8. You should now see the OpenVPN Access Server configuration page.

Congratulations, you have installed OpenVPN Access Server on your VPS!

Connecting to your VPS using OpenVPN Connect

We now need to set up OpenVPN at your end. OpenVPN Connect is a VPN client that creates a simple OpenVPN connection between your PC and the VPS, without you having to build and manage certificates yourself.

By default, the connection is protected by 128-bit Blowfish Cipher-Block Chaining (BF-CBC) encryption. The Blowfish cipher was created by Bruce Schneier, who has since recommended switching to stronger standards such as AES. However, for most purposes it is fine (and in Part 2 of this tutorial we show you how to change the encryption cipher).

1. Paste the Client UI address into your web browser (from step 5 above), ensure that ‘Connect’ is selected from the dropdown menu, and enter your Username (‘openvpn’) and password.

2. You will be prompted to download the OpenVPN Connect client…

The correct client for your OS should download automatically. If this does not happen for any reason, reload the page and you will be offered a choice of OpenVPN Connect clients (including for iOS and Android).

3. Install and run OpenVPN Connect as normal, then click the OpenVPN Connect icon in the notification bar and select ‘Connect to your Client UI address’.

4. Enter your username (openvpn) and password.

5. Click ‘Yes’ at the warning (you need to do this only once).

6. And yay! You are now connected to your VPS via OpenVPN.

The OpenVPN Connect icon turns green so you can see whether you are connected at a glance.

We popped along to ipleak.net to test everything was working properly, and our IP address appears to be that of our VPS. Yay!

For casual users and most situations this simple OpenVPN connection should be more than enough.

Once you are finished here, check out Part 2 of this tutorial, in which we learn how to add other users, and improve security by changing the encryption cipher and building our own OpenVPN certificates.

Douglas Crawford
April 25th, 2018

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

104 responses to “How to roll your own OpenVPN server on a VPS using CentOS 6”

  1. Hello
    I follow this tutorial. I try to install on VPS. I lak them and enable TAP/TUN.
    But My open vpn server not start.
    I see these error msg in web gui
    process started and then immediately exited: [‘Tue Nov 14 04:55:03 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)’]
    service failed to start or returned error status
    process started and then immediately exited: [‘Tue Nov 14 04:55:03 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)’]
    service failed to start or returned error status
    process started and then immediately exited: [‘Tue Nov 14 04:55:03 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)’]
    service failed to start or returned error status
    process started and then immediately exited: [‘Tue Nov 14 04:55:03 2017 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)’]
    service failed to start or returned error status

    [root@shetu /]# cat /dev/net/tun
    cat: /dev/net/tun: File descriptor in bad state

    1. Hi shetu,

      Hmm. It looks like your VPS may not support TUN/TAP. I suggest you contact your VPS provider to see if this is the case.

  2. Hello, Sir, I have configured it by following your steps, but I am unable to connect to the internet while using the VPN, except the server. Please tell me why that is happening.

    1. Hi A.k,

      If I understand correctly, you can connect to the VPN server, but when you do this you cannot connect to the internet? Hmm. Without being able to look at your setup in person, I’m not sure how much I can help. The best advice I can give is probably to start over again…

    1. Hi Karim,

      For a simple OpenVPN setup designed for personal use (as described here), there is no need for Iptables or Fail2ban. Fail2ban would make the setup more secure as it would prevent brute-force attempts on your password, but under most conditions I would consider its use overkill for a personal VPN server.

  3. Christopher,

    Great article, really helps a newbie like me get acclimated to this technology. I have an Asus RT-N66U so I went ahead and created an Access Server, then installed and connected my computer to it through the OpenVPN client. It shows my VPN’d IP address in the connection balloon. But when I went to http://www.ipleak.net that you mentioned above, it shows my regular IP address, not my assigned VPN IP address. Do you know why it’s doing that, am I not connected to my VPN server?

  4. Hi Douglas,

    your article has been very helpful for me to set up my own VPN. Thank you!
    My router does not allow OPENVPN connection (grrrr :(). Do you have any tutorial about how to set up a L2TP VPN connection on my VPS?
    After that I can do VPN chaining: L2TP VPN on my router —> OpenVPN on my OS.

    Thanks in advance!

    Kind regards,
    Veronique

    1. Hi Veronique,

      Thanks! I’m afraid that I don’t currently have a guide for setting up an L2TP VPN connection on my VPS, although I will put it in my (admittedly very long) to-do list. In what way does your router not allow OpenVPN? Can you not either open the ports that OpenVPN is using on the router, or change the ports that OpenVPN uses?

      – You could chain like that, but I can’t see what advantage it would bring (and it would slow down your internet considerably).
