====== OpenVPN ======
The following guide shows how to install and configure OpenVPN for use on your VPS.

===== Installation =====
==== Debian ====
As root:
<code>apt-get install openvpn</code>
==== CentOS ====
As root:
<code>
rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
yum update
yum install openvpn
</code>

===== Configuration =====
==== Certificate Configuration ====
To configure OpenVZ, simply run the following commands as root.
<code>
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/ /etc/openvpn/ca
cd /etc/openvpn/ca
nano -w vars
</code>
Note: newer versions of openvpn do not ship easy-rsa in the package anymore. You can download the latest version of easy-rsa from github at the following address: [[https://github.com/OpenVPN/easy-rsa/archive/master.zip]]

It is recommended to change the default RSA key size to 2048 on the line ''export KEY_SIZE=1024''.

For centos, the path would be ''/usr/share/openvpn/easy-rsa/2.0/''. The sample configuration files will also be in the ''/usr/share/openvpn'' path.

With ''vars'' open, edit the values as needed (city, etc), then use ''Ctrl-X'' to save and exit nano.
<code>
source ./vars
./clean-all
./build-ca
./build-key-server server
./build-dh
</code>

Now generate a client certificate. You'll make one of these per client, use a different name for each one.
<code>
./build-key <CLIENTNAME>
</code>

Choose 'Yes' to sign and commit the keys.  If desired, the passwords may be left empty (recommended).

==== Server Configuration ====
Copy the example configuration file to /etc/openvpn
<code>
cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
cd /etc/openvpn
gunzip server.conf.gz
</code>

Change the lines for ca, cert, key, and dh to point to the files created by easy-rsa, which will look like the following:
<code>
ca /etc/openvpn/ca/keys/ca.crt
cert /etc/openvpn/ca/keys/server.crt
key /etc/openvpn/ca/keys/server.key  # This file should be kept secret
dh /etc/openvpn/ca/keys/dh1024.pem
</code>

Uncomment the lines for user, group, and maxclients. Set max-clients to something reasonable.
<code>
user nobody
group nogroup
max-clients 10
</code>

If you want all traffic to be routed over the vpn (true in most cases, including US VPN), uncomment the following line
<code>
push "redirect-gateway def1 bypass-dhcp"
</code>

Under redirect-gateway, add the following two lines, to add DNS to clients on connect.
<code>
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.2.2.2"
</code>

If you plan on using the us vpn, change the server line to use 10.0.0.0
<code>
server 10.0.0.0 255.255.255.0
</code>

Otherwise add the following rule to your firewall.
<code>
iptables -t nat -A POSTROUTING -s <SERVER_NET> -j SNAT --to <EXTERNAL IP>
</code>
You may need this to be more specific if you're routing over more than one interface. In that case, adding -o venet0 (openvz) or -o eth0 (kvm) may be appropriate.

If your iptables policy for the FORWARD chain is not set to ACCEPT, you may need the following rules:
<code>
iptables -A FORWARD -o <venet0 or eth0> -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -i <venet0 or eth0> -m state --state RELATED,ESTABLISHED -j ACCEPT
</code>

Without comments, the final config should look something like this
<code>
$ egrep -v '^(#|;|$)' /etc/openvpn/server.conf
</code>
<code>
port 1194
proto udp
dev tun
ca /etc/openvpn/ca/keys/ca.crt
cert /etc/openvpn/ca/keys/server.crt
key /etc/openvpn/ca/keys/server.key  # This file should be kept secret
dh /etc/openvpn/ca/keys/dh1024.pem
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 4.2.2.2"
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
</code>

Start it as root
<code>
/etc/init.d/openvpn start
</code>

==== Client Configuration ====

For all but the smallest vpn servers, you'll want a different certificate per client. Refer to the Certificate Configuration above for how to generate client keys.

Copy the example configuration file to the working directory. Replace CLIENTNAME with the name you picked for the certificate above.
<code>
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf $HOME/client-<CLIENTNAME>.ovpn
</code>

Put the certificate, ca, and key inline in the client config file. Change the first line of the following script to match CLIENTNAME from above and execute it.
<code>
clientname=<CLIENTNAME>
clientfile=$HOME/client-${clientname}.ovpn
echo "<ca>" >> $clientfile
openssl x509 -in /etc/openvpn/ca/keys/ca.crt >> $clientfile
echo "</ca>" >> $clientfile
echo "<cert>" >> $clientfile
openssl x509 -in /etc/openvpn/ca/keys/${clientname}.crt >> $clientfile
echo "</cert>" >> $clientfile
echo "<key>" >> $clientfile
openssl rsa -in /etc/openvpn/ca/keys/${clientname}.key >> $clientfile
echo "</key>" >> $clientfile
</code>

Remove the following lines for ca, cert, and key
<code>
ca ca.crt
cert client.crt
key client.key
</code>

Change the server address to the address or hostname of your server.
<code>
remote <SERVER NAME> 1194
</code>

Now send the client config to the user/machine where it will be used and test it by starting openvpn.


==== Things to check if it doesn't work ====
===Check that your ip_forwarding is on.===
<code>
cat /proc/sys/net/ipv4/ip_forward
</code>

If not, edit /etc/sysctl.conf and uncomment or add the following line.
<code>
net.ipv4.ip_forward=1
</code>
Then apply the changes
<code>
sysctl -p
</code>

===Check that the tun device is available. It should report the second line.===
<code>
$ cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
</code>

If it isn't available on a KVM, you'll have to modprobe tun. It is available on all of the ovz nodes.