openvpn debian
This OpenVPN installation was done on a Debian machine. It should also work on other Debian derivatives such as Ubuntu, Mint, etc. My purpose in using OpenVPN is usually just tunneling: using an external IP address, bypassing restrictions imposed by the ISP, and so on. I will disable the encryption feature and certificate-based login so the connection is lighter and more stable; instead, the login process will use a username and password. Encryption would only add overhead to the traffic.
First check whether TUN/TAP is already enabled:

```
root@starscream:~# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
```

If the output looks like the above, TUN/TAP is enabled, so we can proceed with the installation.
```
apt-get install openvpn pam-devel
```

On some newer Debian installations, an error like this may appear:

```
E: Unable to locate package pam-devel
```

If that is the case, the pam-devel package does not need to be installed.
Copy the existing example configuration files to /etc/openvpn so we can edit them next:

```
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
chmod -R 755 /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
```
Then edit the vars file (optional). I usually edit it to look like this:

```
vi vars
```

```
# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=384

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="ID"
export KEY_PROVINCE="JKT"
export KEY_CITY="Jakarta"
export KEY_ORG="lifebit.me"
export KEY_EMAIL="scylla@lifebit.me"
export KEY_CN=vpn.lifebit.me
export KEY_NAME=lifebit.me
export KEY_OU=lifebit.me
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=666666
```
After editing and saving:

```
source ./vars
./vars
./clean-all
./build-ca
```
```
Generating a 384 bit RSA private key
.++++++++++++++++++
................++++++++++++++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JKT]:
Locality Name (eg, city) [Jakarta]:
Organization Name (eg, company) [lifebit.me]:
Organizational Unit Name (eg, section) [lifebit.me]:
Common Name (eg, your name or your server's hostname) [vpn.lifebit.me]:
Name [lifebit.me]:
Email Address [scylla@lifebit.me]:
```
```
./build-key-server vpn.lifebit.me
```

Note that when executing the build-key-server command above, the value must be the same as the Common Name, i.e. KEY_CN, which here is vpn.lifebit.me.
```
Generating a 384 bit RSA private key
............++++++++++++++++++
..++++++++++++++++++
writing new private key to 'vpn.lifebit.me.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JKT]:
Locality Name (eg, city) [Jakarta]:
Organization Name (eg, company) [lifebit.me]:
Organizational Unit Name (eg, section) [lifebit.me]:
Common Name (eg, your name or your server's hostname) [vpn.lifebit.me]:
Name [lifebit.me]:
Email Address [scylla@lifebit.me]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:'JKT'
localityName          :PRINTABLE:'Jakarta'
organizationName      :PRINTABLE:'lifebit.me'
organizationalUnitName:PRINTABLE:'lifebit.me'
commonName            :PRINTABLE:'vpn.lifebit.me'
name                  :PRINTABLE:'lifebit.me'
emailAddress          :IA5STRING:'scylla@lifebit.me'
Certificate is to be certified until Jan  4 06:27:10 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

```
./build-dh
```
Next we create the server configuration file:

```
cd /etc/openvpn
vi udp53.conf
```

My server configuration looks roughly like this:

```
port 53
proto udp
dev tun
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/vpn.lifebit.me.crt
key easy-rsa/2.0/keys/vpn.lifebit.me.key
dh easy-rsa/2.0/keys/dh384.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.53.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 208.67.220.220"
keepalive 2 30
comp-lzo
cipher none
persist-key
persist-tun
status udp53.log
verb 3
```
After editing and saving, restart the openvpn service:

```
/etc/init.d/openvpn restart
```
At this point the OpenVPN service is running and clients can log in, but they cannot reach the internet yet because their traffic is not being forwarded. To fix that, edit /etc/rc.local:

```
vi /etc/rc.local
```

and add this script:

```
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 10.53.0.0/24 -j SNAT --to 209.141.55.165
```

10.53.0.0/24 is the VPN's local network address that I entered in the udp53.conf configuration earlier, while 209.141.55.165 is my server's public IP. After editing and saving:

```
sh /etc/rc.local
```
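As an added check (not part of the original post), the script below cross-checks the udp53.conf and rc.local pair described above: the subnet the SNAT rule masquerades must be the one the `server` line hands out, ip_forward must be switched on, and `cipher none` is flagged because with it the PAM username/password and all tunnelled traffic cross the network in the clear. The file paths and file contents are constructed samples mirroring the post's values, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check udp53.conf against
# rc.local. Paths and file contents are constructed samples mirroring the post.
CONF="${TMPDIR:-/tmp}/udp53.conf.sample"
RCLOCAL="${TMPDIR:-/tmp}/rc.local.sample"
cat > "$CONF" <<'EOF'
port 53
proto udp
server 10.53.0.0 255.255.255.0
cipher none
client-cert-not-required
EOF
cat > "$RCLOCAL" <<'EOF'
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.53.0.0/24 -j SNAT --to 209.141.55.165
EOF

# Dotted netmask -> prefix length, by counting the set bits of each octet.
mask_to_prefix() {
  echo "$1" | awk -F. '{ n = 0
    for (i = 1; i <= 4; i++) { o = $i; while (o > 0) { n += o % 2; o = int(o / 2) } }
    print n }'
}

# Subnet OpenVPN assigns to clients, as CIDR, from the "server <net> <mask>" line.
server_cidr() {
  f=$1; set -- $(awk '$1 == "server" { print $2, $3 }' "$f")
  echo "$1/$(mask_to_prefix "$2")"
}

# Source subnet the SNAT rule masquerades (its -s argument).
snat_source() {
  awk '/POSTROUTING/ { for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }' "$1"
}

# True when SNAT covers the VPN subnet; otherwise clients log in but their
# traffic never leaves the server (the symptom the rc.local step fixes).
nat_matches() { [ "$(server_cidr "$1")" = "$(snat_source "$2")" ]; }

# True when the server runs "cipher none": the PAM username/password and all
# tunnelled traffic then cross the network in the clear.
cipher_is_none() { awk '$1 == "cipher" && $2 == "none" { f = 1 } END { exit f ? 0 : 1 }' "$1"; }

# True when rc.local turns on IPv4 forwarding, without which nothing is routed.
forwarding_enabled() { grep -q '^echo 1 > /proc/sys/net/ipv4/ip_forward' "$1"; }

nat_matches "$CONF" "$RCLOCAL" && echo "OK: SNAT covers $(server_cidr "$CONF")"
cipher_is_none "$CONF" && echo "WARNING: cipher none, the tunnel is unencrypted"
forwarding_enabled "$RCLOCAL" && echo "OK: ip_forward is enabled in rc.local"
```

Point CONF and RCLOCAL at the real /etc/openvpn/udp53.conf and /etc/rc.local to run the same checks on a live server.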
The next step is to create a user for logging in to the VPN:

```
useradd -m -s /bin/false scylla
```
The server-side configuration is done; now configure the client. Because there are several client applications for connecting to an OpenVPN server (OpenVPN, Viscosity, etc.) on different platforms (Linux, Windows, Mac OS X), I will only show the configuration in general terms. How to install it, where the configuration goes, and so on: search for it and try it yourself, or ask in the comments section below.

## Example OpenVPN client configuration (*.ovpn) ##
```
client
dev tun
proto udp #protocol
remote 209.141.55.165 53 #server IP address and port
resolv-retry infinite
route-method exe
nobind
persist-key
persist-tun
ca ca.crt #this is the file we download from the server, placed in the same folder
auth-user-pass
comp-lzo
cipher none #disable encryption
verb 3
```
On the client side, all we need is the ca.crt file from the server, so don't forget to copy / download it to the client first.

Source: