OpenVPN Server On CentOS 5.2

So your users need access to Exchange and data from outside your organisation. Sure you can set up RPC over HTTPS and various other tools to access the data. I just find OpenVPN very good, convenient and reliable.

And after battling to find a good simple HOWTO, I put this together. It's a quick and nasty but it works!:)

Firstly, ensure you are root, and just in case the OpenVPN is not in the base repository, add the rpmforge repo (these steps you can find elsewhere).

If you use selinux you will need this:

#semanage port -a -t openvpn_port_t -p tcp 1723
yum install openvpn
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/ 
cd /etc/openvpn/easy-rsa/2.0/ 
. ../vars
chmod +rwx * 
source ./vars
vi ../vars 

(At the bottom of the files change the values to match the site.)

vi vars 

(At the bottom of the files change the values to match the site.)


(This builds the CA certificate.)

source ./vars 
./build-key-server server 

(This builds the server.key file.)

vi /etc/openvpn/openvpn.conf 

(For slow lines UDP is faster. Use the below as a starting point:)

port 1723 # (1194 is the default but on some APN networks this is blocked)
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "dhcp-option DNS"
push "dhcp-option DNS"
#push "dhcp-option WINS"
push "route"
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group users
status openvpn-status.log
verb 3
duplicate-cn # (this means several users can use the same key)  

cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
./build-dh (builds the dh1024)
cp keys/dh1024.pem /etc/openvpn/
/etc/init.d/openvpn start
chkconfig --list | grep vpn

(Make sure it is set to start at boot.)

./build-key <name>

(Repeat and rinse if you want several individual client keys.)

cd keys/
zip ca.crt ca.key <name>.crt <name>.csr <name>.key
yum install -y nail
nail -s “Keys" -a [email protected]

netstat -ntpl | grep 1723

Set the iptables firewall rules to allow with these rules:

        # External Interface for VPN
        # VPN Interface
        ### OpenVPN
       $IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
        $IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
        # Allow TUN interface connections to OpenVPN server
        # OpenVPN
        $IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j

Follow the client side instructions from here...


Installing OpenVPN GUI On Windows XP / Vista

Once the OpenVPN server has been setup and the client key(s) made available to you for installation, follow these steps to roll the VPN out to the clients:

-Download the client software here: The tested version is 1.0.3. Version 2.0.9 works on Vista with the following in the client.ovpn file:

route-method exe
route-delay 2

-Install the program.

-Under C:\Program Files\OpenVPN\config place the following:

(you might need to edit this file later)
<name>.crt (eg. johnl.crt)

-Edit the client.ovpn file and ensure that the following fields match up for the site / user:

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote <myserver> 1723
;remote my-server-2 1194
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert <name>.crt
key <name>.key

-Start OpenVPN and the client machine should connect. This is done by right clicking the OpenVPN in the task tray and clicking 'connect' or after starting the program via the start menu.

Share this page:

Suggested articles

34 Comment(s)

Add comment


By: Anonymous

Hi, nice post!

Just wanted to let you know that your first iptables-rule repeats itself:

$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j
        $IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j

Is it just a double pasting error or was the second line supposed to do something else?


By: Anonymous

what's up with all the iptables definitions extif extip universe and all that?

By: barik

Thank you very much.

I made it working.

Openvpn is the best ;-)=)


Hi Guys,

Thanks for your input. I have updated the intro accordingly. Mirostz - I have never used that command to check my server so not sure why you are getting this error.

Perhaps check a few basics like does the service start successfully?

Check that the service is running on the correct port - in your case a 'netstat -ntlp | grep 1194'. On one of my setups (using port 1723) it looks like so:

[[email protected] ~]# netstat -ntlp | grep 1723
tcp        0      0      *                   LISTEN      2310/openvpn        
[[email protected] ~]#

Check for any messages in messages like 'grep vpn /var/log/messages'

Let us know if you get any further:)



Hi Barik,

I have seen this before and frankly I just followed the hints the message gave me. Unfortunately I can't give you a concrete answer as firstly I don't have a test box to replicate your situation and secondly most of my setups are one key/multi user. I know thats not ideal but it works.

Try follow the hints they give you and I will gladly update the howto if you come right.



Thanks, I have added this to the howto...

By: dzikus

And You do it incorrectly, this should be: . ../vars not: ../vars


Yes I realised that last night but was rushing:)

Thanks again, I have changed it.



By: Anonymous

thanks so much for this how to, i now have my centos 5.3 running openvpn. but i am having problem connecting to it using my window client. pls can you me out.

By: Anonymous

There is a typo in your how-to. You probably mean mail and not nail

 yum install -y nail
nail -s “Keys" -a [email protected]



No, I meant nail:) I normally find it handy for sending attachments quickly and I guess it's just a habit...



The ./build-key newuser should work on it's own.

Are their any messages in the logs?

Also you may have to hash out "duplicate-cn"?


By: barik

Hi ,

Thank you for your quick response.

here is what happens when I do ./buil-key newuser

cd /etc/openvpn/easy-rsa/2.0/
[[email protected] 2.0]# ./build-key newuser1
  Please edit the vars script to reflect your configuration,
  then source it with "source ./vars".
  Next, to start with a fresh PKI configuration and to delete any
  previous certificates and keys, run "./clean-all".
  Finally, you can run this tool (pkitool) to build certificates/keys.
[[email protected] 2.0]# 

By: barik

Hi ,

 I would like to ask here , if it possible. How to add additional keys for new users to the operation system

Currently I have openvpn 2.0.9 on Centos 5.2 and all seems to be working fine , yes including iptables. The problem I currently have is how to add additional users to the system.

This is what I do

1. cd /etc/openvpn/easy-rsa/2.0

2 ./clean-all

3. source./vars

4. ./build-ca

5.  ./build-key newuser

6. ./build-dh

7.  cp keys/dh1024.pem  /etc/openvpn


Am I missing something ?


Thank you guys





By: selinux

Why you disable SELINUX? CentOS 5.2 include selinux policy also for OpenVPN. Selinux works great with OpenVPN with default install. If you change port, you need only add this port to selinux context:

#semanage port -a -t openvpn_port_t -p tcp 1723

PS: SELINUX is great security enhancement for linux and I dont know why most people turn it off after install.

By: Anonymous

I have problems with aplying firewall rules, could you describe it better please?



Essentially you just need to allow in, out and forwarding of all traffic on port 1723, and possibly your tun0 interface (if you use multiple interfaces).

Otherwise try turning off the firewall temporarily to test the VPN is actually working. In this howto I described using a script for your firewall although the default centos setup will use /etc/sysconfig/iptables.


By: babyadministrator

You could just use  smoothwall express

By: doman

what has smoothwall firewall to do with VPN server system? If your post was about VPN - I don't understand it. If it was about SELinux - I still don't understand it.

By: dzikus

You don't need to chmod +x ./vars, you should only do:

 $ . ./vars

This is include to vars included in file "vars" :)


 Thanks dzikus, I have changed the howto accordingly:)

By: mirostz

Hello guys I have a very strange problem i can not find anything about it in google. So i want to ask here can someone help me. I have installed and configured everything as i should lzo and openvpn are installed. I have generated all the keys for the server and i have done the server.conf file like this:
dev tun
proto tcp
port 1194

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

user nobody
group nogroup


#status openvpn-status.log
#verb 3

push “redirect-gateway def1?

#log-append /var/log/openvpn

my crt and key files are in the same directory as my config file. but when i do
]# openvpn –config server.conf
Options error: Unrecognized option or missing parameter(s) in server.conf:5: ca (2.0.9)
Use –help for more information.

I get this unusual error and i can not find out why it this happening whats wrong with ca ca.crt line
Please help me.

By: Johann

The author may wish to edit the HOWTO to point out that in the first steps, the user must at least "sudo" if not su - .



Instead of using the clients of 3 separate files (ca, cert, key) you can use a common file format PKCS12. To do this, generate a key client comand: 
build-key-pkcs12 client1 
This will create a normal set of files, and a new file .p12 - it is this combined file.It can be used in the client configuration file as a single comand: pkcs12 client1

Warning: don't set a password when generate key.


?????? ????????????? ?? ???????? 3-?? ?????????? ?????? (ca, cert, key) ????? ???????????? ?????? ???? ??????? PKCS12. ??? ????? ???? ???????????? ???? ??????? ????????:
build-key-pkcs12 client1
????? ?????? ? ??????? ???????? ??????, ? ????? ???? .p12 - ??? ? ???? ???? ??????????????? ????. ??? ????? ???????????? ? ??????? ??????? ????? ???????? pkcs12 ?????? ???? ?????? ca, cert, key.
????? ??? ????????? ????? ????? ????? ?????? ?????? ??? ?????? ?????????? ?????, ? ????? ?????? ?????? ??? ??? ????????? ?????????? ????? ????????????? ?????? ??? ??????? ? ?????????? ????? (????????! ??? ?????? ?????? ??? ??????? ???????, ?.?. ?? ?? ?????? ????????? ?????? ? ?? ?????? ?????????? ??????????.). ??????? ????? ????? ?????, ??? ???????????? ????? ????? ?????????????? ????????/???????/?????????? ?????? ?????? ?????????? ?????.



I am aware of the EPEL repos but did not need them for this setup.

Best Regards



Hello m8, nice tutorial ... you are missing rpm -ihv before yum install openvpn

By: debian38

Nice tutorial???

 It should be forbidden to allow this kind of tutorial... 

1) we build two times the ca keys... Why??

 2) "UDP is faster on slow lines...". Lol, you did not understand the transport layer. UDP is *always* faster, because it works with datagrams (like IP). REMEMBER WORKING WITH TCP over TCP is an HERESY. And this tutorial use TCP!! Imagine an error of transmission in your TCP tunnel, it is restransmitted inside the tunnel of course, but the TCP packets encapsulating your tunnel are re-transmitted too.....

 3) The better for the end. When you archive your keys for your clients, I recommend you to NOT provide the root ca.key (key signing machine only!!!)

 If you did not understand these comments, don't install a VPN...

By: Anonymous

wow. what a douche reply. Work on your engrish before insulting people.

By: Daniel

 I've installed openvpn on my server everything is setup correctly and i've also created client key on server.


But the problem is when I setup openvpn client on windows  it's gives following error. I've copied all key,crt,csr  files to openvpn config folder on windows machine


here is error

OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct  1 2006
 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
 WARNING: No server certificate verification method has been enabled.  See for more info.
Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Local Options hash (VER=V4): '3514370b'
 Expected Remote Options hash (VER=V4): '239669a8'
UDPv4 link local: [undef]
 UDPv4 link remote:



so is there any configuration remain on server side

 which ip address i should use in openvpn.conf file and which ip i should use in windows machine for client.ovpn file

 suppose my server ip is, so tell me should i use this ip for openvpn.conf  server parameter as well as for remote parameter for windows machine in client.ovpn file in config folder.


Please help !!

By: Anonymous VPN

I want to know if I want to user logon with username & password, how should I do ??? 


And I found the Anonymous VPN service provider for commercial.


By: Mochammad RIvai

now i use openvpn from 13 site '

 and this good new . there are stabil ...

thank you

By: pavels

Thanks. However client configuration is way incomplete


Revoking a certificate means to invalidate a previously signed certificate so that it can no longer be used for authentication purposes.

Typical reasons for wanting to revoke a certificate include:

    * The private key associated with the certificate is compromised or stolen.
    * The user of an encrypted private key forgets the password on the key.
    * You want to terminate a VPN user's access.

As an example, we will revoke the client2 certificate, which we generated above in the "key generation".
First open up a shell or command prompt window and cd to the easy-rsa directory as you did in the "key generation". On Linux/BSD/Unix:

. ./vars
./revoke-full client2

The revoke-full script will generate a CRL (certificate revocation list) file called crl.pem in the keys subdirectory. The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:

crl-verify /etc/openvpn/crl/crl.pem

Now all connecting clients will have their client certificates verified against the CRL, and any positive match will result in the connection being dropped.
 get info from


Pls let me know OpenVPN support dynamic ip address or not .