How to install and configure OpenVPN on OpenVZ

This howto will show you how to install OpenVPN inside an OpenVZ VPS on Ubuntu.

OpenVZ supports a VPN inside a container via the kernel TUN/TAP module and the /dev/net/tun device, but the host has to grant the device to the container. First enable TUN/TAP if you didn't already:

Go to Hypanel -> Machine Settings -> Enable TUN/TAP

To check from inside the container, run "cat /dev/net/tun": the answer "File descriptor in bad state" means the device is present and usable by OpenVPN, while any other error (for example "No such file or directory" or "Permission denied") means it still has to be enabled on the host.

Ubuntu 10.04

First, install the openvpn package and unpack the example server config:

sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn/
sudo gunzip server.conf.gz

The sample config uses the range 10.8.0.0/24 (the line "server 10.8.0.0 255.255.255.0"), so the server itself is reachable as 10.8.0.1 once a tunnel is up. Edit server.conf with your favorite editor:

sudo nano /etc/openvpn/server.conf

Now uncomment the following (remove the ";" in front of the line) so that clients send all of their traffic through the VPN and use the pushed DNS servers (these two are OpenDNS resolvers; substitute your own if you prefer):

push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

Two more commented lines in the same file are worth enabling while you are there. "user nobody" together with the "group" line below it (use "group nogroup" on Ubuntu, which has no group called nobody) makes the daemon drop root once the tunnel is open. "tls-auth ta.key 0" adds an HMAC signature to the TLS handshake, so hosts that do not hold the key cannot even start a handshake with your server; generate the key with "sudo openvpn --genkey --secret /etc/openvpn/ta.key" and give each client a copy, with "tls-auth ta.key 1" on their side.

Copy the easy-rsa scripts that we will use to create our certificates:

sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
cd /etc/openvpn/easy-rsa

We need to adjust the vars file, which contains the settings for the certificates.
Please keep in mind that the ‘country’ field may only contain 2 letters.

Open the vars file and go to the end.
The default file contains:

# These are the default values for fields
# which will be placed in the certificate.
# Don’t leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"

You can modify these values if you like. The same file also contains "export KEY_SIZE=1024"; raise it to 2048 before building anything, since 1024-bit RSA keys are too weak by today's standards (the Diffie-Hellman file built below is then named dh2048.pem, and the "dh dh1024.pem" line in server.conf has to be changed to match).
After that create the necessary keys and CA:

Creating server certificates

cd /etc/openvpn/easy-rsa/
source vars
./clean-all
./pkitool --initca
./pkitool --server server
./build-dh

Run these in a root shell (sudo -i), because the scripts write into /etc/openvpn/easy-rsa/keys. "./clean-all" wipes that directory, so run it only once when you set the PKI up, never later when you just want to add a client. "./pkitool --initca" creates the CA (ca.crt and ca.key), "./pkitool --server server" the server certificate and key, and "./build-dh" the Diffie-Hellman parameters, which take a while. The sample server.conf expects these files in /etc/openvpn under the names ca.crt, server.crt, server.key and dh1024.pem (dh2048.pem if you raised KEY_SIZE), so copy them there:

sudo cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/

Leave ca.key where it is: it signs every certificate the server trusts and is not needed by OpenVPN at run time. This builds proper certificates based on the slightly edited example files; I recommend this for non-advanced users and first-timers.

Creating client certificates

cd /etc/openvpn/easy-rsa/
source vars
./pkitool hostname

Remember to replace hostname with a name that identifies the client you want to connect, for example "client1"; it becomes the certificate's Common Name and the base name of the .crt/.key pair written to keys/. Build a separate certificate for every client, so that a lost laptop can be revoked with ./revoke-full without affecting the others (the resulting keys/crl.pem is enforced by adding "crl-verify" to server.conf).

You'll need to do one thing more to fix the routing: enable IP forwarding and translate the traffic from tun0 to the address of the interface that provides internet (venet0:0 by default).

sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source your_vps_ip
sudo iptables-save

Without the sysctl line, packets arriving on tun0 are never routed out, whatever the NAT table says; add "net.ipv4.ip_forward=1" to /etc/sysctl.conf so it survives a reboot (in some OpenVZ containers this sysctl is read-only and the host administrator has to enable it for you). MASQUERADE is normally not available inside an OpenVZ container, which is why we use SNAT with the container's static IP, and venet0:0 is an IP alias rather than a real interface, so it cannot be given to the "-o" option. That's why I cover this on a static IP based configuration: the rule rewrites the source of everything coming from 10.8.0.0/24 to your_vps_ip as it leaves for the internet. Note that iptables-save only prints the current rules; they are gone after a reboot unless you redirect the output to a file (for example /etc/iptables.rules) and load it at boot with "iptables-restore < /etc/iptables.rules", e.g. from /etc/rc.local.
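The routing step above is easy to get half-done (forwarding off, or the same SNAT rule appended twice after a second run). The following script is an added example, not part of the original howto, that performs the step idempotently: it validates the public address, adds the SNAT rule only if it is not already in the nat table, checks the forwarding sysctl, and saves the rules to a file for iptables-restore. The subnet default, the variable names and the address 203.0.113.5 in the usage comment are assumptions; run it as root, or with DRY_RUN=1 to see what it would execute.

```shell
#!/bin/sh
# Added example, not from the original howto: install the SNAT rule for the
# VPN subnet idempotently and make sure IPv4 forwarding is on, so the step
# can be re-run safely. VPN_NET, DRY_RUN and 203.0.113.5 are assumptions.

VPN_NET="${VPN_NET:-10.8.0.0/24}"   # matches "server 10.8.0.0 255.255.255.0"

# run CMD...: execute CMD, or just print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_ipv4 ADDR: four dotted decimal octets, each 0-255
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# snat_rule_present RULES SUBNET IP: RULES is the text of `iptables-save -t nat`;
# true if the exact POSTROUTING rule for SUBNET -> IP is already listed
snat_rule_present() {
    printf '%s\n' "$1" | grep -qF -- "-A POSTROUTING -s $2 -j SNAT --to-source $3"
}

# ensure_snat SUBNET IP: add the SNAT rule only if it is not there yet
ensure_snat() {
    subnet=$1
    vps_ip=$2
    is_ipv4 "$vps_ip" || { echo "not an IPv4 address: $vps_ip" >&2; return 1; }
    current=$(iptables-save -t nat 2>/dev/null || true)
    if snat_rule_present "$current" "$subnet" "$vps_ip"; then
        echo "SNAT rule for $subnet via $vps_ip already present" >&2
        return 0
    fi
    run iptables -t nat -A POSTROUTING -s "$subnet" -j SNAT --to-source "$vps_ip"
}

# ensure_forwarding: without ip_forward=1 nothing from tun0 is routed out.
# Inside an OpenVZ container the sysctl may be read-only; then the host
# administrator has to enable it for the container.
ensure_forwarding() {
    if [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]; then
        return 0
    fi
    run sysctl -w net.ipv4.ip_forward=1
}

# save_rules FILE: iptables-save only prints; persist the rules by writing
# them to FILE and loading FILE at boot with `iptables-restore < FILE`
save_rules() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables-save > %s\n' "$1"
    else
        iptables-save > "$1"
    fi
}

# Usage (as root):
#   ensure_forwarding && ensure_snat "$VPN_NET" 203.0.113.5 && save_rules /etc/iptables.rules
```

Because the rule is looked up in the iptables-save output before it is appended, running the script again after a reboot or a config change never produces duplicate POSTROUTING entries, and a mistyped address is rejected before it reaches iptables.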

sudo /etc/init.d/openvpn restart

Configure your VPN client on your computer:

The client will need the following files (for a client certificate built with the name "lvpsbl"):
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/lvpsbl.crt
/etc/openvpn/easy-rsa/keys/lvpsbl.key

Copy them to the client over a secure channel such as scp; the .key file is the client's private key and should not travel by e-mail or through a shared folder. Create a config file, for example lvpsbl.ovpn, and change the certificate settings to point at the files above:

In the line "remote hostname 1194" change "hostname" to the public hostname or IP of your VPS. It does not need to match the name in the server certificate: the client accepts the server because its certificate is signed by our CA and carries the server flag checked by "ns-cert-type server", not because of its name.
Also change the ssl settings in case you used a different name than lvpsbl for the client certificate:

#Sample config file

client
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote hostname 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert lvpsbl.crt
key lvpsbl.key

# Verify server certificate by checking
# that its nsCertType field is set to
# "server" (pkitool --server sets it).
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don’t enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20

When this is done, import the client files into your favorite OpenVPN client and you should be ready to go.
To confirm the connection, ping the server's tunnel address (10.8.0.1) or browse the web and check that sites now see your VPS's address instead of your own.
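Handing a client three separate files (plus ta.key if you enabled tls-auth) and a config that references them by path is error-prone; OpenVPN 2.1, the version Ubuntu 10.04 ships, also accepts the certificates inline in the .ovpn. The script below is an added example, not part of the original howto: it checks that the files built by "./pkitool hostname" exist and that the private key is not readable by other users, then prints a single self-contained .ovpn equivalent to the sample config above. The function names, the keys directory argument and the placeholder server vpn.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto: check a client's easy-rsa
# output and bundle it into one .ovpn with inline <ca>/<cert>/<key> blocks
# (accepted since OpenVPN 2.1). KEYS_DIR is easy-rsa's keys/ directory, NAME
# the client name given to ./pkitool, SERVER the VPS hostname or IP.

# key_is_private FILE: true if group and others have no permission bits at all
key_is_private() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_client_files KEYS_DIR NAME: the three files the client needs must
# exist, and the private key must not be readable by other users
check_client_files() {
    keys_dir=$1
    name=$2
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
    done
    key_is_private "$keys_dir/$name.key" || {
        echo "$keys_dir/$name.key is readable by others; run: chmod 600 $keys_dir/$name.key" >&2
        return 1
    }
}

# make_ovpn KEYS_DIR NAME SERVER [PORT]: print a complete client config
make_ovpn() {
    keys_dir=$1
    name=$2
    server=$3
    port=${4:-1194}
    check_client_files "$keys_dir" "$name" || return 1
    cat <<EOF
client
dev tun
proto udp
remote $server $port
resolv-retry infinite
nobind
persist-key
persist-tun
# accept only a certificate our CA issued with nsCertType=server,
# which is what ./pkitool --server produces
ns-cert-type server
comp-lzo
verb 3
<ca>
$(cat "$keys_dir/ca.crt")
</ca>
<cert>
$(cat "$keys_dir/$name.crt")
</cert>
<key>
$(cat "$keys_dir/$name.key")
</key>
EOF
}

# Usage (as root on the VPS):
#   make_ovpn /etc/openvpn/easy-rsa/keys lvpsbl vpn.example.com > lvpsbl.ovpn
#   chmod 600 lvpsbl.ovpn   # the bundle contains the client's private key
```

The resulting file is the only thing the client needs, which makes it easier to move over scp and to delete afterwards; treat it with the same care as the bare .key, since it contains it. If you enabled tls-auth on the server, add a "key-direction 1" line and a "<tls-auth>" block with the contents of ta.key in the same way.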
