Difference between revisions of "Instalasi OpenVPN"

From OnnoWiki
Line 1: Line 1:
 
 
== Membuat Server OpenVPN ==
 
== Membuat Server OpenVPN ==
  
Line 100: Line 99:
 
         Data Base Updated
 
         Data Base Updated
  
./build-key-pass username  
+
Buat key untuk user lain jika di perlukan
./build-key username  
+
 
 +
./build-key-pass username  
 +
./build-key username  
 +
 
 +
./build-dh
 +
# openvpn --genkey --secret keys/ta.key
  
./build-dh
 
openvpn --genkey --secret keys/ta.key
 
  
 +
# openvpn --genkey --secret keys/ca.key
 +
# openvpn --genkey --secret keys/ta.key
  
openvpn --genkey --secret keys/ca.key
 
openvpn --genkey --secret keys/ta.key
 
  
 +
Test key
 +
# openvpn --genkey --secret key
 +
# openvpn --test-crypto --secret key
  
test key
 
# openvpn --genkey --secret key
 
# openvpn --test-crypto --secret key
 
  
 +
Test sambungan di 2 windows
 +
# cd /etc/openvpn
 +
# cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
 +
# cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/
 +
# openvpn --config sample-config-files/loopback-client
 +
# openvpn --config sample-config-files/loopback-server
  
test di 2 windows
 
# cd /etc/openvpn
 
# cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
 
# cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/
 
# openvpn --config sample-config-files/loopback-client
 
# openvpn --config sample-config-files/loopback-server
 
  
  
 +
Contoh menginstalasi OpenVPN-Admin
 +
# apt-get install mono openvpn-admin
  
Example OpenVPN-Admin
 
# apt-get install mono openvpn-admin
 
  
 +
Cara menjalankan VPN Server dengan server.conf (from www.openvpn.org)
 +
# openvpn --config /etc/openvpn/server.conf
  
Operational Server server.conf (from www.openvpn.org)
+
Cara menjalankan VPN client dengan client.conf (from www.openvpn.org)
# openvpn --config /etc/openvpn/server.conf
+
# openvpn --config /etc/openvpn/client.conf
  
Operational Client client.conf (from www.openvpn.org)
 
# openvpn --config /etc/openvpn/client.conf
 
  
 +
Edit Server.conf
  
# vi /etc/openvpn/server.conf
+
# vi /etc/openvpn/server.conf
  
#OpenVPN Server config file
+
isinya kurang lebih
# Which local IP address should OpenVPN listen on? (optional)
+
 
# local 10.1.1.2
+
#OpenVPN Server config file
local 192.168.0.2
+
# Which local IP address should OpenVPN listen on? (optional)
# Which TCP/UDP port should OpenVPN listen on?
+
# local 10.1.1.2
port 1194
+
local 192.168.0.2
# TCP or UDP server?
+
# Which TCP/UDP port should OpenVPN listen on?
proto tcp
+
port 1194
# "dev tun" will create a routed IP tunnel, which is what we want
+
# TCP or UDP server?
dev tun
+
proto tcp
# Windows needs the TAP-Win32 adapter name
+
# "dev tun" will create a routed IP tunnel, which is what we want
# from the Network Connections panel if you
+
dev tun
# have more than one. On XP SP2 or higher,
+
# Windows needs the TAP-Win32 adapter name
# you may need to selectively disable the
+
# from the Network Connections panel if you
# Windows firewall for the TAP adapter.
+
# have more than one. On XP SP2 or higher,
# Non-Windows systems usually don't need this.
+
# you may need to selectively disable the
;dev-node MyTap
+
# Windows firewall for the TAP adapter.
# SSL/TLS root certificate (ca), certificate
+
# Non-Windows systems usually don't need this.
# (cert), and private key (key). Each client
+
;dev-node MyTap
# and the server must have their own cert and
+
# SSL/TLS root certificate (ca), certificate
# key file. The server and all clients will
+
# (cert), and private key (key). Each client
# use the same ca file.
+
# and the server must have their own cert and
ca keys/ca.crt
+
# key file. The server and all clients will
cert keys/server.crt
+
# use the same ca file.
key keys/server.key # This file should be kept secret
+
ca keys/ca.crt
# Diffie hellman parameters.
+
cert keys/server.crt
dh keys/dh1024.pem
+
key keys/server.key # This file should be kept secret
# Configure server mode and supply a VPN subnet
+
# Diffie hellman parameters.
server 192.168.1.0 255.255.255.0
+
dh keys/dh1024.pem
# Maintain a record of client <-> virtual IP address
+
# Configure server mode and supply a VPN subnet
# associations in this file.
+
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
+
# Maintain a record of client <-> virtual IP address
# Push routes to the client to allow it
+
# associations in this file.
# to reach other private subnets behind
+
ifconfig-pool-persist ipp.txt
# the server. Remember that these
+
# Push routes to the client to allow it
# private subnets will also need
+
# to reach other private subnets behind
# to know to route the OpenVPN client
+
# the server. Remember that these
# address pool (10.8.0.0/255.255.255.0)
+
# private subnets will also need
# back to the OpenVPN server.
+
# to know to route the OpenVPN client
# push “route 172.10.1.0 255.255.255.0"
+
# address pool (10.8.0.0/255.255.255.0)
# push “route 192.168.0.0 255.255.255.0"
+
# back to the OpenVPN server.
# If enabled, this directive will configure
+
# push “route 172.10.1.0 255.255.255.0"
# all clients to redirect their default
+
# push “route 192.168.0.0 255.255.255.0"
# network gateway through the VPN, causing
+
# If enabled, this directive will configure
# all IP traffic such as web browsing and
+
# all clients to redirect their default
# and DNS lookups to go through the VPN
+
# network gateway through the VPN, causing
push “redirect-gateway”
+
# all IP traffic such as web browsing and
# Certain Windows-specific network settings
+
# and DNS lookups to go through the VPN
# can be pushed to clients, such as DNS
+
push “redirect-gateway”
# or WINS server addresses.
+
# Certain Windows-specific network settings
;push “dhcp-option DNS 172.10.1.2′′
+
# can be pushed to clients, such as DNS
# Uncomment this directive to allow different
+
# or WINS server addresses.
# clients to be able to “see” each other.
+
;push “dhcp-option DNS 172.10.1.2′′
client-to-client
+
# Uncomment this directive to allow different
# Ping every 10 seconds, assume that remote
+
# clients to be able to “see” each other.
# peer is down if no ping received during
+
client-to-client
# a 120 second time period.
+
# Ping every 10 seconds, assume that remote
keepalive 10 120
+
# peer is down if no ping received during
# For extra security beyond that provided
+
# a 120 second time period.
# by SSL/TLS, create an “HMAC firewall”
+
keepalive 10 120
# to help block DoS attacks and UDP port flooding.
+
# For extra security beyond that provided
tls-auth keys/ta.key 0 # This file is secret
+
# by SSL/TLS, create an “HMAC firewall”
# Select a cryptographic cipher.
+
# to help block DoS attacks and UDP port flooding.
# This config item must be copied to
+
tls-auth keys/ta.key 0 # This file is secret
# the client config file as well.
+
# Select a cryptographic cipher.
;cipher BF-CBC # Blowfish (default)
+
# This config item must be copied to
cipher AES-128-CBC # AES
+
# the client config file as well.
;cipher DES-EDE3-CBC # Triple-DES
+
;cipher BF-CBC # Blowfish (default)
# Enable compression on the VPN link.
+
cipher AES-128-CBC # AES
# comp-lzo
+
;cipher DES-EDE3-CBC # Triple-DES
# The maximum number of concurrently connected
+
# Enable compression on the VPN link.
# clients we want to allow.
+
# comp-lzo
max-clients 250
+
# The maximum number of concurrently connected
# It’s a good idea to reduce the OpenVPN
+
# clients we want to allow.
# daemon’s privileges after initialization.
+
max-clients 250
user nobody
+
# It’s a good idea to reduce the OpenVPN
group nogroup
+
# daemon’s privileges after initialization.
# The persist options will try to avoid
+
user nobody
# accessing certain resources on restart
+
group nogroup
# that may no longer be accessible because
+
# The persist options will try to avoid
# of the privilege downgrade.
+
# accessing certain resources on restart
persist-key
+
# that may no longer be accessible because
persist-tun
+
# of the privilege downgrade.
# Output a short status file showing
+
persist-key
status openvpn-status.log
+
persist-tun
log-append openvpn.log
+
# Output a short status file showing
# Set the appropriate level of log
+
status openvpn-status.log
# file verbosity.
+
log-append openvpn.log
#
+
# Set the appropriate level of log
# 0 is silent, except for fatal errors
+
# file verbosity.
# 4 is reasonable for general usage
+
#
# 5 and 6 can help to debug connection problems
+
# 0 is silent, except for fatal errors
# 9 is extremely verbose
+
# 4 is reasonable for general usage
verb 4
+
# 5 and 6 can help to debug connection problems
# Silence repeating messages. At most 20
+
# 9 is extremely verbose
# sequential messages of the same message
+
verb 4
# category will be output to the log.
+
# Silence repeating messages. At most 20
mute 20
+
# sequential messages of the same message
 +
# category will be output to the log.
 +
mute 20  
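Review bot: the added `# openvpn --genkey --secret keys/ca.key` line overwrites the CA private key that build-ca produced a few steps earlier (--genkey writes a fresh static key to whatever path it is given), which invalidates every certificate the CA has signed; drop it, since the only static key the configuration needs is `keys/ta.key`, and that line already appears twice in this hunk. The added server.conf also uses typographic quotes in `push “redirect-gateway”` and `;push “dhcp-option DNS 172.10.1.2′′`, which OpenVPN's config parser does not recognise as quotes; these should be plain double quotes.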
  
  
Line 241: Line 246:
 
== Setup Client OpenVPN di Linux ==
 
== Setup Client OpenVPN di Linux ==
  
 +
 +
Install aplikasi GUI utuk client
  
 
  # apt-get install kvpnc
 
  # apt-get install kvpnc
 
  # apt-get install network-manager-openvpn openvpn
 
  # apt-get install network-manager-openvpn openvpn
  
 +
Copy setting OpenVPN
  
 
  # cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
 
  # cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
Line 253: Line 261:
 
  # , ./vars
 
  # , ./vars
 
  # ./clean-all
 
  # ./clean-all
 +
 +
Copy key client dari Server
  
 
  # scp -r root@192.168.0.2:/etc/openvpn/keys/ca.crt /etc/openvpn/keys
 
  # scp -r root@192.168.0.2:/etc/openvpn/keys/ca.crt /etc/openvpn/keys
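Review bot: the context line `# , ./vars` above the new "Copy key client dari Server" heading is a typo that fails as written (`,` is not a command); it should read `. ./vars` as in the server section. The new copy step also needs to fetch `ta.key` alongside `ca.crt` and the user certificate and key, because the server.conf added earlier in this patch enables `tls-auth keys/ta.key 0`.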
Line 259: Line 269:
  
  
Operational Client (client.conf from www.openvpn.org)
+
Menjalankan VPN Client (client.conf from www.openvpn.org)
 
  # openvpn --config /etc/openvpn/client.conf
 
  # openvpn --config /etc/openvpn/client.conf
  
 +
 +
Edit Client.conf
  
 
  # vi /etc/openvpn/client.conf
 
  # vi /etc/openvpn/client.conf
# Specify that we are a client and that we
 
# will be pulling certain config file directives
 
# from the server.
 
client
 
  
# Use the same setting as you are using on
+
isinya kurang lebih
# the server.
+
 
# On most systems, the VPN will not function
+
# Specify that we are a client and that we
# unless you partially or fully disable
+
# will be pulling certain config file directives
# the firewall for the TUN/TAP interface.
+
# from the server.
;dev tap
+
client
dev tun
+
 
 +
# Use the same setting as you are using on
 +
# the server.
 +
# On most systems, the VPN will not function
 +
# unless you partially or fully disable
 +
# the firewall for the TUN/TAP interface.
 +
;dev tap
 +
dev tun
  
# Windows needs the TAP-Win32 adapter name
+
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
+
# from the Network Connections panel
# if you have more than one.  On XP SP2,
+
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
+
# you may need to disable the firewall
# for the TAP adapter.
+
# for the TAP adapter.
;dev-node MyTap
+
;dev-node MyTap  
  
# Are we connecting to a TCP or
+
# Are we connecting to a TCP or
# UDP server?  Use the same setting as
+
# UDP server?  Use the same setting as
# on the server.
+
# on the server.
;proto tcp
+
;proto tcp
proto udp
+
proto udp  
  
# The hostname/IP and port of the server.
+
# The hostname/IP and port of the server.
# You can have multiple remote entries
+
# You can have multiple remote entries
# to load balance between the servers.
+
# to load balance between the servers.
;remote my-server-1 1194
+
;remote my-server-1 1194
;remote my-server-2 1194
+
;remote my-server-2 1194
remote 192.168.0.2 1194
+
remote 192.168.0.2 1194
  
# Choose a random host from the remote
+
# Choose a random host from the remote
# list for load-balancing.  Otherwise
+
# list for load-balancing.  Otherwise
# try hosts in the order specified.
+
# try hosts in the order specified.
;remote-random
+
;remote-random
  
# Keep trying indefinitely to resolve the
+
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
+
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
+
# on machines which are not permanently connected
# to the internet such as laptops.
+
# to the internet such as laptops.
resolv-retry infinite
+
resolv-retry infinite
  
# Most clients don't need to bind to
+
# Most clients don't need to bind to
# a specific local port number.
+
# a specific local port number.
nobind
+
nobind
  
# Downgrade privileges after initialization (non-Windows only)
+
# Downgrade privileges after initialization (non-Windows only)
user nobody
+
user nobody
group nogroup
+
group nogroup
  
# Try to preserve some state across restarts.
+
# Try to preserve some state across restarts.
persist-key
+
persist-key
persist-tun
+
persist-tun
  
# If you are connecting through an
+
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
+
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
+
# server, put the proxy server/IP and
# port number here.  See the man page
+
# port number here.  See the man page
# if your proxy server requires
+
# if your proxy server requires
# authentication.
+
# authentication.
;http-proxy-retry # retry on connection failures
+
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
+
;http-proxy [proxy server] [proxy port #]
  
# Wireless networks often produce a lot
+
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
+
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
+
# to silence duplicate packet warnings.
;mute-replay-warnings
+
;mute-replay-warnings
  
# SSL/TLS parms.
+
# SSL/TLS parms.
# See the server config file for more
+
# See the server config file for more
# description.  It's best to use
+
# description.  It's best to use
# a separate .crt/.key file pair
+
# a separate .crt/.key file pair
# for each client.  A single ca
+
# for each client.  A single ca
# file can be used for all clients.
+
# file can be used for all clients.
ca keys/ca.crt
+
ca keys/ca.crt
cert keys/client.crt
+
cert keys/client.crt
key keys/client.key
+
key keys/client.key
  
# Verify server certificate by checking
+
# Verify server certificate by checking
# that the certicate has the nsCertType
+
# that the certicate has the nsCertType
# field set to "server".  This is an
+
# field set to "server".  This is an
# important precaution to protect against
+
# important precaution to protect against
# a potential attack discussed here:
+
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
+
#  http://openvpn.net/howto.html#mitm
#
+
#
# To use this feature, you will need to generate
+
# To use this feature, you will need to generate
# your server certificates with the nsCertType
+
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
+
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
+
# script in the easy-rsa folder will do this.
;ns-cert-type server
+
;ns-cert-type server
  
# If a tls-auth key is used on the server
+
# If a tls-auth key is used on the server
# then every client must also have the key.
+
# then every client must also have the key.
;tls-auth ta.key 1
+
;tls-auth ta.key 1
  
# Select a cryptographic cipher.
+
# Select a cryptographic cipher.
# If the cipher option is used on the server
+
# If the cipher option is used on the server
# then you must also specify it here.
+
# then you must also specify it here.
;cipher x
+
;cipher x
  
# Enable compression on the VPN link.
+
# Enable compression on the VPN link.
# Don't enable this unless it is also
+
# Don't enable this unless it is also
# enabled in the server config file.
+
# enabled in the server config file.
comp-lzo
+
comp-lzo
  
# Set log file verbosity.
+
# Set log file verbosity.
verb 3
+
verb 3
  
# Silence repeating messages
+
# Silence repeating messages
;mute 20
+
;mute 20
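Review bot: the added client.conf does not match the server.conf added earlier in this patch: it keeps `proto udp` while the server sets `proto tcp`; `;tls-auth ta.key 1` is commented out although the server enables `tls-auth keys/ta.key 0`; `;cipher x` is commented out although the server sets `cipher AES-128-CBC`; and `comp-lzo` is enabled although the server has `# comp-lzo`. Any one of these stops the tunnel from coming up. The file also references `keys/client.crt` and `keys/client.key` while the copy step fetches `user1.crt` and `user1.key`, and it leaves `;ns-cert-type server` disabled even though the server certificate was built with build-key-server, so any client certificate from the same CA could pose as the server.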

Revision as of 10:28, 13 February 2008

Creating the OpenVPN Server

Install openvpn on Ubuntu

# apt-get install openvpn
# cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/


A harder alternative is to compile openvpn from source code

# cp openvpn-2.0.9.tar.gz /usr/local/src
# cd /usr/local/src
# tar zxvf openvpn-2.0.9.tar.gz
# cd openvpn-2.0.9
# ./configure
# make
# make install

Edit the vars file in /etc/openvpn. Note that KEY_SIZE=1024 below is what this page used in 2008; 1024-bit RSA is no longer considered adequate, so use 2048 or larger. build-dh names its output after this value (dh2048.pem for 2048), so the dh line in server.conf must be changed to match.

# cd /etc/openvpn/
# vi vars
     #this is to ensure secure data
     export KEY_SIZE=1024
     # These are the default values for fields
     # which will be placed in the certificate.
     # Don't leave any of these fields blank.
     export KEY_COUNTRY=ID
     export KEY_PROVINCE=DKI
     export KEY_CITY=Jakarta
     export KEY_ORG="Kerm.IT"
     export KEY_EMAIL="onno@indo.net.id"


Create the Certificate Authority (CA)

# cd /etc/openvpn/
. ./vars
./clean-all
./build-ca
       Country Name (2 letter code) [ID]:
       State or Province Name (full name) [DKI]:
       Locality Name (eg, city) [Jakarta]:
       Organization Name (eg, company) [Kerm.IT]:
       Organizational Unit Name (eg, section) []:Kerm.IT
       Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
       Email Address [onno@indo.net.id]:


Check that the keys have been generated

# ls -l /etc/openvpn/
# ls -l /etc/openvpn/keys
       ca.crt
       ca.key
       index.txt
       serial


Create the Server Key

# ./build-key-server server
       Country Name (2 letter code) [ID]:
       State or Province Name (full name) [DKI]:
       Locality Name (eg, city) [Jakarta]:
       Organization Name (eg, company) [Kerm.IT]:
       Organizational Unit Name (eg, section) []:Kerm.IT
       Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
       Email Address [onno@indo.net.id]:
       Please enter the following 'extra' attributes
       to be sent with your certificate request
       A challenge password []:123456
       An optional company name []:Kerm.IT
       Using configuration from /etc/openvpn/openssl.cnf
       Check that the request matches the signature
       Signature ok
       The Subject's Distinguished Name is as follows
       countryName           :PRINTABLE:'ID'
       stateOrProvinceName   :PRINTABLE:'DKI'
       localityName          :PRINTABLE:'Jakarta'
       organizationName      :PRINTABLE:'Kerm.IT'
       organizationalUnitName:PRINTABLE:'Kerm.IT'
       commonName            :PRINTABLE:'yc0mlc.ampr.org'
       emailAddress          :IA5STRING:'onno@indo.net.id'
       Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days)
       Sign the certificate? [y/n]:y
       1 out of 1 certificate requests certified, commit? [y/n]y
       Write out database with 1 new entries
       Data Base Updated

Create a key for the admin user, and for other users as needed

# ./build-key admin
       1 out of 1 certificate requests certified, commit? [y/n]y
       Write out database with 1 new entries
       Data Base Updated

Create keys for other users as needed (build-key-pass protects the client's private key with a passphrase, build-key does not). Then generate the Diffie-Hellman parameters (build-dh writes keys/dh<KEY_SIZE>.pem, the file referenced by the dh line in server.conf) and the tls-auth HMAC key:

./build-key-pass username 
./build-key username 
./build-dh
# openvpn --genkey --secret keys/ta.key


Do not run "openvpn --genkey --secret keys/ca.key": --genkey writes a new OpenVPN static key to the given path, so pointing it at keys/ca.key overwrites the CA private key that build-ca created and invalidates every certificate the CA has signed. The only static key needed is keys/ta.key, generated above.


Test a static key (this only exercises the symmetric crypto path, it does not test the PKI)

# openvpn --genkey --secret key
# openvpn --test-crypto --secret key
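The key material produced by the steps above deserves more than "ls -l keys" before the tunnel goes live. The script below is an added example, not part of the original page nor of the OpenVPN or easy-rsa tooling: it checks that the server and client certificates chain to ca.crt, that the server certificate carries the nsCertType=server extension which build-key-server sets (and the client certificate does not), that key sizes meet a minimum, and that private keys and ta.key are not readable by group or other. The throwaway PKI it builds with plain openssl commands, the names "server" and "user1", and the stand-in ta.key are assumptions made for the example; on a real server point check_keys at /etc/openvpn/keys instead.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the key
# directory that build-ca, build-key-server, build-key, build-dh and
# "openvpn --genkey" leave behind. The demo PKI is built with plain openssl
# commands so the block runs on its own; point check_keys at
# /etc/openvpn/keys to check real easy-rsa output the same way.

# cert_bits CERT: size in bits of the certificate's RSA public key
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_verifies CA CERT: succeed if CERT chains to CA (the output is checked
# because old openssl versions exit 0 even when verification fails)
cert_verifies() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# cert_is_server CERT: succeed if nsCertType contains "SSL Server", the
# extension build-key-server sets and "ns-cert-type server" checks
cert_is_server() {
    openssl x509 -in "$1" -noout -text |
        awk '/Netscape Cert Type/ { getline; if ($0 ~ /SSL Server/) f = 1 } END { exit !f }'
}

# key_is_private FILE: succeed if group and other have no permission bits
# (characters 5-10 of "ls -l" output are the group/other mode characters)
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_keys DIR CLIENT MIN_BITS: one FAIL line per finding; exit 1 on any
check_keys() {
    d=$1; client=$2; min=$3; rc=0
    for f in "$d"/*.key; do
        key_is_private "$f" || { echo "FAIL $f is readable by group/other"; rc=1; }
    done
    [ -f "$d/ta.key" ] || { echo "FAIL ta.key missing (server.conf uses tls-auth)"; rc=1; }
    for n in server "$client"; do
        cert_verifies "$d/ca.crt" "$d/$n.crt" || { echo "FAIL $n.crt does not chain to ca.crt"; rc=1; }
        b=$(cert_bits "$d/$n.crt")
        [ "${b:-0}" -ge "$min" ] || { echo "FAIL $n.crt key is ${b:-?} bits, below $min"; rc=1; }
    done
    # role extension: the server cert needs it for the client-side check, and a
    # client cert carrying it could pose as the server to other clients
    cert_is_server "$d/server.crt" || { echo "FAIL server.crt lacks nsCertType=server"; rc=1; }
    ! cert_is_server "$d/$client.crt" || { echo "FAIL $client.crt is marked as a server cert"; rc=1; }
    return $rc
}

# make_demo_pki DIR BITS: throwaway CA, server cert (nsCertType=server) and
# client cert "user1", standing in for easy-rsa output (constructed demo data)
make_demo_pki() {
    d=$1; bits=$2; mkdir -p "$d"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 30 -subj '/CN=demo-ca' \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    printf 'nsCertType=server\n' > "$d/server.ext"
    for n in server user1; do
        openssl req -newkey "rsa:$bits" -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1
        if [ "$n" = server ]; then
            openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
                -CAcreateserial -days 30 -extfile "$d/server.ext" -out "$d/$n.crt" >/dev/null 2>&1
        else
            openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
                -CAcreateserial -days 30 -out "$d/$n.crt" >/dev/null 2>&1
        fi
    done
    # stand-in: the real file comes from "openvpn --genkey --secret keys/ta.key"
    printf 'stand-in for: openvpn --genkey --secret keys/ta.key\n' > "$d/ta.key"
    chmod 600 "$d"/*.key
}

if command -v openssl >/dev/null 2>&1; then
    GOOD=$(mktemp -d); WEAK=$(mktemp -d)
    make_demo_pki "$GOOD" 2048
    make_demo_pki "$WEAK" 1024   # what KEY_SIZE=1024 in vars produces
    echo "== 2048-bit PKI, minimum 2048 =="; check_keys "$GOOD" user1 2048 && echo "-> ok"
    echo "== 1024-bit PKI, minimum 2048 =="; check_keys "$WEAK" user1 2048 || echo "-> rejected"
fi
```

The 1024-bit run is rejected only because of the key-size check; it still chains and carries the right extension, which is exactly why a size floor belongs in the check rather than relying on "openssl verify" alone.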


Test the connection in two terminal windows (loopback client and server). The sample-keys shipped with the package are public test keys: use them only for this loopback test, never in a real configuration.

# cd /etc/openvpn
# cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
# cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/
# openvpn --config sample-config-files/loopback-client
# openvpn --config sample-config-files/loopback-server


Example: installing OpenVPN-Admin

# apt-get install mono openvpn-admin


Running the VPN server with server.conf (from www.openvpn.org)

# openvpn --config /etc/openvpn/server.conf

Running the VPN client with client.conf (from www.openvpn.org)

# openvpn --config /etc/openvpn/client.conf


Edit Server.conf

# vi /etc/openvpn/server.conf

Its contents are roughly as follows:

#OpenVPN Server config file
# Which local IP address should OpenVPN listen on? (optional)
# local 10.1.1.2
local 192.168.0.2
# Which TCP/UDP port should OpenVPN listen on?
port 1194
# TCP or UDP server? (the client.conf must use the same value)
proto tcp
# "dev tun" will create a routed IP tunnel, which is what we want
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
# Diffie hellman parameters (build-dh names the file after KEY_SIZE in vars).
dh keys/dh1024.pem
# Configure server mode and supply a VPN subnet
server 192.168.1.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (192.168.1.0/255.255.255.0, from
# the server directive above)
# back to the OpenVPN server.
# push "route 172.10.1.0 255.255.255.0"
# push "route 192.168.0.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (push "redirect-gateway def1" keeps the client's
# existing default route in place and is the usual choice)
push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.
;push "dhcp-option DNS 172.10.1.2"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# Every client can then reach every other client;
# leave it commented out unless that is wanted.
client-to-client
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# Clients must use the same key with direction 1.
tls-auth keys/ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# (commented out here, so it must stay off in client.conf too)
# comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
max-clients 250
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nogroup
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated and rewritten every minute.
status openvpn-status.log
log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20


Setting up the OpenVPN Client on Linux

Install the GUI applications for the client

# apt-get install kvpnc
# apt-get install network-manager-openvpn openvpn

Copy the OpenVPN settings. The easy-rsa scripts are only needed on the client if it will build its own keys; clean-all merely creates an empty keys directory, so run it before copying the keys from the server, never after.

# cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
# cd /etc/openvpn
# mkdir /etc/openvpn/keys
# vi vars
# . ./vars
# ./clean-all

Copy the client's keys from the server. scp encrypts and authenticates the transfer; ta.key must be copied as well because server.conf enables tls-auth, and the private key and ta.key should not be readable by other users on the client.

# scp root@192.168.0.2:/etc/openvpn/keys/ca.crt /etc/openvpn/keys
# scp root@192.168.0.2:/etc/openvpn/keys/user1.crt /etc/openvpn/keys
# scp root@192.168.0.2:/etc/openvpn/keys/user1.key /etc/openvpn/keys
# scp root@192.168.0.2:/etc/openvpn/keys/ta.key /etc/openvpn/keys
# chmod 600 /etc/openvpn/keys/user1.key /etc/openvpn/keys/ta.key


Running the VPN Client (client.conf from www.openvpn.org)

# openvpn --config /etc/openvpn/client.conf


Edit Client.conf

# vi /etc/openvpn/client.conf

Its contents are roughly as follows (the proto, tls-auth, cipher and comp-lzo settings must match the server.conf above):

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server (server.conf above uses proto tcp).
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
remote 192.168.0.2 1194
# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
# These are the files copied from the server with scp above.
ca keys/ca.crt
cert keys/user1.crt
key keys/user1.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
# The server certificate above was built with
# build-key-server, so the check is enabled here.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
# server.conf uses direction 0, so the client uses 1.
tls-auth keys/ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here
# (server.conf above sets AES-128-CBC).
cipher AES-128-CBC
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file
# (it is commented out in server.conf above).
;comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
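Several directives have to agree between server.conf and client.conf: proto, cipher, tls-auth (same key, opposite directions) and comp-lzo, and the client should insist that the peer presents a certificate issued as a server. The lint below is an added example, not part of the original page nor of OpenVPN itself. The two sample configs it embeds are constructed for the example: the active lines of the page's server.conf, and a client configuration that leaves the stock client sample's defaults in place (proto udp, no tls-auth, default cipher, comp-lzo on, ns-cert-type commented out), which is what happens when the sample is copied unchanged. The default values it assumes when a directive is absent (proto udp, cipher BF-CBC) are those of OpenVPN 2.0.

```shell
#!/bin/sh
# Added example (not from the original page): a lint that compares an OpenVPN
# server.conf with a client.conf for the settings that must agree on both
# ends (proto, cipher, tls-auth, comp-lzo) and checks that the client verifies
# the server certificate's role. The sample configs are constructed here.

# conf_get FILE DIRECTIVE: print the argument(s) of the first active DIRECTIVE.
# OpenVPN treats lines starting with '#' or ';' as comments and allows
# trailing comments, so comments are stripped before matching.
conf_get() {
    sed -e 's/[#;].*$//' "$1" |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# conf_has FILE DIRECTIVE: succeed if DIRECTIVE is active, even without argument
conf_has() {
    sed -e 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit !f }'
}

# tls_dir VALUE: key direction of a "tls-auth FILE [DIR]" value, "bidir" if omitted
tls_dir() {
    case "$1" in *" "*) echo "${1##* }" ;; *) echo bidir ;; esac
}

# lint_pair SERVER CLIENT: one MISMATCH line per problem; exit 1 if any
lint_pair() {
    s=$1; c=$2; rc=0
    # proto: OpenVPN defaults to udp when the directive is absent
    s_proto=$(conf_get "$s" proto); c_proto=$(conf_get "$c" proto)
    [ "${s_proto:-udp}" = "${c_proto:-udp}" ] ||
        { echo "MISMATCH proto: server=${s_proto:-udp} client=${c_proto:-udp}"; rc=1; }
    # cipher: identical on both ends (OpenVPN 2.0's default is BF-CBC)
    s_ciph=$(conf_get "$s" cipher); c_ciph=$(conf_get "$c" cipher)
    [ "${s_ciph:-BF-CBC}" = "${c_ciph:-BF-CBC}" ] ||
        { echo "MISMATCH cipher: server=${s_ciph:-BF-CBC} client=${c_ciph:-BF-CBC}"; rc=1; }
    # tls-auth: both ends need the key, with opposite directions (0/1) or none
    s_ta=$(conf_get "$s" tls-auth); c_ta=$(conf_get "$c" tls-auth)
    if [ -z "$s_ta" ] && [ -z "$c_ta" ]; then
        :
    elif [ -z "$s_ta" ] || [ -z "$c_ta" ]; then
        echo "MISMATCH tls-auth: only one side configures ta.key"; rc=1
    else
        case "$(tls_dir "$s_ta")/$(tls_dir "$c_ta")" in
            bidir/bidir|0/1|1/0) ;;
            *) echo "MISMATCH tls-auth key direction: server='$s_ta' client='$c_ta'"; rc=1 ;;
        esac
    fi
    # comp-lzo: enabled on one side only breaks the data channel
    if conf_has "$s" comp-lzo; then s_lzo=yes; else s_lzo=no; fi
    if conf_has "$c" comp-lzo; then c_lzo=yes; else c_lzo=no; fi
    [ "$s_lzo" = "$c_lzo" ] || { echo "MISMATCH comp-lzo: server=$s_lzo client=$c_lzo"; rc=1; }
    # server-role check: without it any valid client cert can pose as the server
    if ! conf_has "$c" ns-cert-type && ! conf_has "$c" remote-cert-tls; then
        echo "MISMATCH client does not verify the server role (ns-cert-type server)"; rc=1
    fi
    return $rc
}

# write_demo_configs DIR: constructed samples (active lines of the page's
# server.conf, a client left at the stock defaults, and a corrected client)
write_demo_configs() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
dh keys/dh1024.pem
server 192.168.1.0 255.255.255.0
push "redirect-gateway"
keepalive 10 120
tls-auth keys/ta.key 0 # This file is secret
cipher AES-128-CBC # AES
# comp-lzo
EOF
    cat > "$1/client-stock.conf" <<'EOF'
client
dev tun
;proto tcp
proto udp
remote 192.168.0.2 1194
nobind
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
;ns-cert-type server
;tls-auth ta.key 1
;cipher x
comp-lzo
verb 3
EOF
    # corrected client: same proto, cipher and tls-auth as the server, no
    # compression, and the server-role check enabled
    sed -e 's/^proto udp$/;proto udp/' -e 's/^;proto tcp$/proto tcp/' \
        -e 's/^;ns-cert-type server$/ns-cert-type server/' \
        -e 's#^;tls-auth ta.key 1$#tls-auth keys/ta.key 1#' \
        -e 's/^;cipher x$/cipher AES-128-CBC/' -e 's/^comp-lzo$/;comp-lzo/' \
        "$1/client-stock.conf" > "$1/client-fixed.conf"
}

DEMO=$(mktemp -d)
write_demo_configs "$DEMO"
echo "== server.conf vs stock client.conf =="
lint_pair "$DEMO/server.conf" "$DEMO/client-stock.conf" || echo "-> inconsistent"
echo "== server.conf vs corrected client.conf =="
lint_pair "$DEMO/server.conf" "$DEMO/client-fixed.conf" && echo "-> consistent"
```

The stock client fails all five checks; after the sed fixes it passes. The comparison is deliberately on active lines only, which is why commented-out directives such as ";tls-auth ta.key 1" count as absent.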