Instalasi OpenVPN
Install openvpn
Install openvpn di Ubuntu
apt-get install openvpn cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
Pada Ubuntu 8.10 akan di terlihat folder
/etc/openvpn/1.0 /etc/openvpn/2.0
Mungkin ada baiknya untuk pengguna Ubuntu 8.10, 9.04, 9.10 untuk memilih kita akan menggunakan konfigurasi 1.0 atau 2.0 dengan cara mengcopy
cp -Rf /etc/openvpn/2.0/* /etc/openvpn
Alternatif lain yang lebih susah, compile openvpn dari source code
cp openvpn-2.0.9.tar.gz /usr/local/src cd /usr/local/src tar zxvf openvpn-2.0.9.tar.gz cd openvpn-2.0.9 ./configure make make install
Anda tidak perlu mengcompile dari source code, jika sudah menginstalasi openvpn menggunakan apt-get install
Edit file vars di /etc/openvpn
# cd /etc/openvpn/ # vi vars #this is to ensure secure data export KEY_SIZE=1024 # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY=ID export KEY_PROVINCE=DKI export KEY_CITY=Jakarta export KEY_ORG="Kerm.IT" export KEY_EMAIL="onno@indo.net.id"
Membuat Certificate Authority (CA)
cd /etc/openvpn/ . ./vars ./clean-all ./build-ca Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]:
Lihat keys apakah sudah di generate
ls -l /etc/openvpn/ ls -l /etc/openvpn/keys
Akan tampak file berikut
ca.crt ca.key index.txt serial
Membuat Server Key
# ./build-key-server server Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:Kerm.IT Using configuration from /etc/openvpn/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'ID' stateOrProvinceName :PRINTABLE:'DKI' localityName :PRINTABLE:'Jakarta' organizationName :PRINTABLE:'Kerm.IT' organizationalUnitName:PRINTABLE:'Kerm.IT' commonName :PRINTABLE:'yc0mlc.ampr.org' emailAddress :IA5STRING:'onno@indo.net.id' Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Buat Key User
Membuat key untuk user admin maupun user lainnya jika di perlukan
# ./build-key admin 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Buat key untuk user lain jika di perlukan
./build-key-pass username ./build-key username
Membuat DH Parameter dari key
./build-dh
# openvpn --genkey --secret keys/ta.key
# openvpn --genkey --secret keys/ca.key # openvpn --genkey --secret keys/ta.key
Test key
Test key
# openvpn --genkey --secret key # openvpn --test-crypto --secret key
Test sambungan di 2 windows
Test yang sangat berguna melihat sambungan OpenVPN dari dua (2) Windows.
cd /etc/openvpn cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/ cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/ openvpn --config sample-config-files/loopback-client openvpn --config sample-config-files/loopback-server
Jika di perlukan kita dapat menginstalasi OpenVPN Administrator. Contoh menginstalasi OpenVPN-Admin
# apt-get install mono openvpn-admin
Edit Server.conf
# vi /etc/openvpn/server.conf
isinya kurang lebih
# OpenVPN Server config file # Which local IP address should OpenVPN listen on? (optional) local 192.168.0.3 # Which TCP/UDP port should OpenVPN listen on? port 1194 # TCP or UDP server? proto udp # "dev tun" will create a routed IP tunnel, which is what we want dev tun # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. ca keys/ca.crt cert keys/server.crt key keys/server.key # This file should be kept secret # Diffie hellman parameters. dh keys/dh1024.pem # Configure server mode and supply a VPN subnet server 192.168.111.0 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. ifconfig-pool-persist ipp.txt # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. # push âroute 172.10.1.0 255.255.255.0" # push âroute 192.168.0.0 255.255.255.0" # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN ; push "redirect-gateway" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. ;push "dhcp-option DNS 172.10.1.2" # Uncomment this directive to allow different # clients to be able to âseeâ client-to-client # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an âHMAC firewallâ # to help block DoS attacks and UDP port flooding. ; tls-auth keys/ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES # Enable compression on the VPN link. ; comp-lzo # The maximum number of concurrently connected # clients we want to allow. max-clients 250 # It's a good idea to reduce the OpenVPN # daemonâs privileges after initialization. user nobody group nogroup # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Output a short status file showing status openvpn-status.log log-append openvpn.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. mute 20
Cara menjalankan VPN Server
Mengaktifkan VPN Server dengan server.conf (from www.openvpn.org)
# openvpn --config /etc/openvpn/server.conf