Difference between revisions of "Instalasi OpenVPN"

(New page: cp openvpn-2.0.9.tar.gz /usr/local/src cd /usr/local/src tar zxvf openvpn-2.0.9.tar.gz cd openvpn-2.0.9 ./configure make make install # apt-get install openvpn ---------------------...)
 
 
(19 intermediate revisions by the same user not shown)
cp openvpn-2.0.9.tar.gz /usr/local/src
+
==Install openvpn==
cd /usr/local/src
 
tar zxvf openvpn-2.0.9.tar.gz
 
cd openvpn-2.0.9
 
./configure
 
make
 
make install
 
  
 +
Install openvpn di Ubuntu
  
 +
apt-get install openvpn
 +
cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
  
# apt-get install openvpn
+
Pada Ubuntu 8.10 akan di terlihat folder
  
 +
/etc/openvpn/1.0
 +
/etc/openvpn/2.0
  
 +
Mungkin ada baiknya untuk pengguna Ubuntu 8.10, 9.04, 9.10 untuk memilih kita akan menggunakan konfigurasi 1.0 atau 2.0 dengan cara mengcopy
  
 +
cp -Rf /etc/openvpn/2.0/* /etc/openvpn
  
---------------------------------
+
Alternatif lain yang lebih susah, compile openvpn dari [[source code]]
  
Linux Server Internal IP: 192.168.0.2
+
cp openvpn-2.0.9.tar.gz /usr/local/src
Internet Gateway: 192.168.0.222
+
cd /usr/local/src
Gateway's IP Address: dynamic Speedy
+
tar zxvf openvpn-2.0.9.tar.gz
Network Layout: Internet ----- Router/Firewall ----- OpenVPN Server (eth1)
+
cd openvpn-2.0.9
 +
./configure
 +
make
 +
make install
  
 +
Anda tidak perlu mengcompile dari [[source code]], jika sudah menginstalasi openvpn menggunakan apt-get install
  
  
 +
Edit file vars di /etc/openvpn
  
vi etc/network/interfaces
+
# cd /etc/openvpn/
 +
# vi vars
 +
      #this is to ensure secure data
 +
      export KEY_SIZE=1024
 +
      # These are the default values for fields
 +
      # which will be placed in the certificate.
 +
      # Don't leave any of these fields blank.
 +
      export KEY_COUNTRY=ID
 +
      export KEY_PROVINCE=DKI
 +
      export KEY_CITY=Jakarta
 +
      export KEY_ORG="Kerm.IT"
 +
      export KEY_EMAIL="onno@indo.net.id"
  
auto eth0
+
==Membuat Certificate Authority (CA)==
iface eth0 inet static
 
address 192.168.0.2
 
netmask 255.255.255.0
 
gateway 192.168.0.222
 
  
 +
cd /etc/openvpn/
 +
. ./vars
 +
./clean-all
 +
./build-ca
 +
        Country Name (2 letter code) [ID]:
 +
        State or Province Name (full name) [DKI]:
 +
        Locality Name (eg, city) [Jakarta]:
 +
        Organization Name (eg, company) [Kerm.IT]:
 +
        Organizational Unit Name (eg, section) []:Kerm.IT
 +
        Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
 +
        Email Address [onno@indo.net.id]:
  
# apt-get install openvpn
 
# cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
 
  
# cd /etc/openvpn/
+
Lihat keys apakah sudah di generate
# vi vars
 
#this is to ensure secure data
 
export KEY_SIZE=1024
 
# These are the default values for fields
 
# which will be placed in the certificate.
 
# Don't leave any of these fields blank.
 
export KEY_COUNTRY=ID
 
export KEY_PROVINCE=DKI
 
export KEY_CITY=Jakarta
 
export KEY_ORG="Kerm.IT"
 
export KEY_EMAIL="onno@indo.net.id"
 
  
 +
ls -l /etc/openvpn/
 +
ls -l /etc/openvpn/keys
  
 +
Akan tampak file berikut
  
# cd /etc/openvpn/
+
ca.crt
. ./vars
+
ca.key
./clean-all
+
index.txt
./build-ca
+
serial
Country Name (2 letter code) [ID]:
 
State or Province Name (full name) [DKI]:
 
Locality Name (eg, city) [Jakarta]:
 
Organization Name (eg, company) [Kerm.IT]:
 
Organizational Unit Name (eg, section) []:Kerm.IT
 
Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
 
Email Address [onno@indo.net.id]:
 
  
 +
==Membuat Server Key==
  
# ls -l /etc/openvpn/
+
# ./build-key-server server
# ls -l /etc/openvpn/keys
+
        Country Name (2 letter code) [ID]:
ca.crt
+
        State or Province Name (full name) [DKI]:
ca.key
+
        Locality Name (eg, city) [Jakarta]:
index.txt
+
        Organization Name (eg, company) [Kerm.IT]:
serial
+
        Organizational Unit Name (eg, section) []:Kerm.IT
 +
        Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
 +
        Email Address [onno@indo.net.id]:
  
./build-key-server server
+
        Please enter the following 'extra' attributes
Country Name (2 letter code) [ID]:
+
        to be sent with your certificate request
State or Province Name (full name) [DKI]:
+
        A challenge password []:123456
Locality Name (eg, city) [Jakarta]:
+
        An optional company name []:Kerm.IT
Organization Name (eg, company) [Kerm.IT]:
+
        Using configuration from /etc/openvpn/openssl.cnf
Organizational Unit Name (eg, section) []:Kerm.IT
+
        Check that the request matches the signature
Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
+
        Signature ok
Email Address [onno@indo.net.id]:
+
        The Subject's Distinguished Name is as follows
 +
        countryName          :PRINTABLE:'ID'
 +
        stateOrProvinceName  :PRINTABLE:'DKI'
 +
        localityName          :PRINTABLE:'Jakarta'
 +
        organizationName      :PRINTABLE:'Kerm.IT'
 +
        organizationalUnitName:PRINTABLE:'Kerm.IT'
 +
        commonName            :PRINTABLE:'yc0mlc.ampr.org'
 +
        emailAddress          :IA5STRING:'onno@indo.net.id'
 +
        Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days)
 +
        Sign the certificate? [y/n]:y
  
Please enter the following 'extra' attributes
+
        1 out of 1 certificate requests certified, commit? [y/n]y
to be sent with your certificate request
 
A challenge password []:123456
 
An optional company name []:Kerm.IT
 
Using configuration from /etc/openvpn/openssl.cnf
 
Check that the request matches the signature
 
Signature ok
 
The Subject's Distinguished Name is as follows
 
countryName          :PRINTABLE:'ID'
 
stateOrProvinceName  :PRINTABLE:'DKI'
 
localityName          :PRINTABLE:'Jakarta'
 
organizationName      :PRINTABLE:'Kerm.IT'
 
organizationalUnitName:PRINTABLE:'Kerm.IT'
 
commonName            :PRINTABLE:'yc0mlc.ampr.org'
 
emailAddress          :IA5STRING:'onno@indo.net.id'
 
Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days)
 
Sign the certificate? [y/n]:y
 
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
 
Write out database with 1 new entries
 
Data Base Updated
 
 
 
./build-key admin
 
1 out of 1 certificate requests certified, commit? [y/n]y
 
 
         Write out database with 1 new entries
 
         Write out database with 1 new entries
 
         Data Base Updated
 
         Data Base Updated
  
./build-key-pass username
+
==Buat Key User==
./build-key username
 
 
 
./build-dh
 
openvpn --genkey --secret keys/ta.key
 
 
 
 
 
openvpn --genkey --secret keys/ca.key
 
openvpn --genkey --secret keys/ta.key
 
 
 
 
 
test key
 
# openvpn --genkey --secret key
 
# openvpn --test-crypto --secret key
 
 
 
 
 
test di 2 windows
 
# cd /etc/openvpn
 
# cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
 
# cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/
 
# openvpn --config sample-config-files/loopback-client
 
# openvpn --config sample-config-files/loopback-server
 
 
 
 
 
 
 
Example OpenVPN-Admin
 
# apt-get install mono openvpn-admin
 
 
 
 
 
Operational Server server.conf (from www.openvpn.org)
 
# openvpn --config /etc/openvpn/server.conf
 
 
 
Operational Client client.conf (from www.openvpn.org)
 
# openvpn --config /etc/openvpn/client.conf
 
 
 
 
 
# vi /etc/openvpn/server.conf
 
 
 
#OpenVPN Server config file
 
# Which local IP address should OpenVPN listen on? (optional)
 
# local 10.1.1.2
 
local 192.168.0.2
 
# Which TCP/UDP port should OpenVPN listen on?
 
port 1194
 
# TCP or UDP server?
 
proto tcp
 
# "dev tun" will create a routed IP tunnel, which is what we want
 
dev tun
 
# Windows needs the TAP-Win32 adapter name
 
# from the Network Connections panel if you
 
# have more than one. On XP SP2 or higher,
 
# you may need to selectively disable the
 
# Windows firewall for the TAP adapter.
 
# Non-Windows systems usually don't need this.
 
;dev-node MyTap
 
# SSL/TLS root certificate (ca), certificate
 
# (cert), and private key (key). Each client
 
# and the server must have their own cert and
 
# key file. The server and all clients will
 
# use the same ca file.
 
ca keys/ca.crt
 
cert keys/server.crt
 
key keys/server.key # This file should be kept secret
 
# Diffie hellman parameters.
 
dh keys/dh1024.pem
 
# Configure server mode and supply a VPN subnet
 
server 192.168.1.0 255.255.255.0
 
# Maintain a record of client <-> virtual IP address
 
# associations in this file.
 
ifconfig-pool-persist ipp.txt
 
# Push routes to the client to allow it
 
# to reach other private subnets behind
 
# the server. Remember that these
 
# private subnets will also need
 
# to know to route the OpenVPN client
 
# address pool (10.8.0.0/255.255.255.0)
 
# back to the OpenVPN server.
 
# push “route 172.10.1.0 255.255.255.0"
 
# push “route 192.168.0.0 255.255.255.0"
 
# If enabled, this directive will configure
 
# all clients to redirect their default
 
# network gateway through the VPN, causing
 
# all IP traffic such as web browsing and
 
# and DNS lookups to go through the VPN
 
push “redirect-gateway”
 
# Certain Windows-specific network settings
 
# can be pushed to clients, such as DNS
 
# or WINS server addresses.
 
;push “dhcp-option DNS 172.10.1.2′′
 
# Uncomment this directive to allow different
 
# clients to be able to “see” each other.
 
client-to-client
 
# Ping every 10 seconds, assume that remote
 
# peer is down if no ping received during
 
# a 120 second time period.
 
keepalive 10 120
 
# For extra security beyond that provided
 
# by SSL/TLS, create an “HMAC firewall”
 
# to help block DoS attacks and UDP port flooding.
 
tls-auth keys/ta.key 0 # This file is secret
 
# Select a cryptographic cipher.
 
# This config item must be copied to
 
# the client config file as well.
 
;cipher BF-CBC # Blowfish (default)
 
cipher AES-128-CBC # AES
 
;cipher DES-EDE3-CBC # Triple-DES
 
# Enable compression on the VPN link.
 
# comp-lzo
 
# The maximum number of concurrently connected
 
# clients we want to allow.
 
max-clients 250
 
# It’s a good idea to reduce the OpenVPN
 
# daemon’s privileges after initialization.
 
user nobody
 
group nogroup
 
# The persist options will try to avoid
 
# accessing certain resources on restart
 
# that may no longer be accessible because
 
# of the privilege downgrade.
 
persist-key
 
persist-tun
 
# Output a short status file showing
 
status openvpn-status.log
 
log-append openvpn.log
 
# Set the appropriate level of log
 
# file verbosity.
 
#
 
# 0 is silent, except for fatal errors
 
# 4 is reasonable for general usage
 
# 5 and 6 can help to debug connection problems
 
# 9 is extremely verbose
 
verb 4
 
# Silence repeating messages. At most 20
 
# sequential messages of the same message
 
# category will be output to the log.
 
mute 20
 
  
 +
Membuat key untuk user admin maupun user lainnya jika di perlukan
  
 +
# ./build-key admin
 +
        1 out of 1 certificate requests certified, commit? [y/n]y
 +
        Write out database with 1 new entries
 +
        Data Base Updated
  
--------------- client Linux -----------------
+
Buat key untuk user lain jika di perlukan
  
# apt-get install kvpnc
+
./build-key-pass username
# apt-get install network-manager-openvpn openvpn
+
./build-key username
  
  
# cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
+
Membuat DH Parameter dari key
# cd /etc/openvpn
 
# mkdir /etc/openvpn/keys
 
  
# vi vars
+
./build-dh
# , ./vars
 
# ./clean-all
 
  
# scp -r root@192.168.0.2:/etc/openvpn/keys/ca.crt /etc/openvpn/keys
 
# scp -r root@192.168.0.2:/etc/openvpn/keys/user1.crt /etc/openvpn/keys
 
# scp -r root@192.168.0.2:/etc/openvpn/keys/user1.key /etc/openvpn/keys
 
  
 +
# openvpn --genkey --secret keys/ta.key
  
Operational Client (client.conf from www.openvpn.org)
+
# openvpn --genkey --secret keys/ca.key
# openvpn --config /etc/openvpn/client.conf
+
# openvpn --genkey --secret keys/ta.key
  
  
# vi /etc/openvpn/client.conf
+
==Test key==
# Specify that we are a client and that we
 
# will be pulling certain config file directives
 
# from the server.
 
client
 
  
# Use the same setting as you are using on
+
Test key
# the server.
 
# On most systems, the VPN will not function
 
# unless you partially or fully disable
 
# the firewall for the TUN/TAP interface.
 
;dev tap
 
dev tun
 
  
# Windows needs the TAP-Win32 adapter name
+
# openvpn --genkey --secret key
# from the Network Connections panel
+
  # openvpn --test-crypto --secret key
# if you have more than one. On XP SP2,
 
# you may need to disable the firewall
 
# for the TAP adapter.
 
;dev-node MyTap
 
  
# Are we connecting to a TCP or
 
# UDP server?  Use the same setting as
 
# on the server.
 
;proto tcp
 
proto udp
 
  
# The hostname/IP and port of the server.
+
==Test sambungan di 2 windows==
# You can have multiple remote entries
 
# to load balance between the servers.
 
;remote my-server-1 1194
 
;remote my-server-2 1194
 
remote 192.168.0.2 1194
 
  
# Choose a random host from the remote
+
Test yang sangat berguna melihat sambungan OpenVPN dari dua (2) Windows.
# list for load-balancing. Otherwise
 
# try hosts in the order specified.
 
;remote-random
 
  
# Keep trying indefinitely to resolve the
+
cd /etc/openvpn
# host name of the OpenVPN server. Very useful
+
  cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
# on machines which are not permanently connected
+
cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/
# to the internet such as laptops.
+
openvpn --config sample-config-files/loopback-client
resolv-retry infinite
+
openvpn --config sample-config-files/loopback-server
  
# Most clients don't need to bind to
+
Jika di perlukan kita dapat menginstalasi OpenVPN Administrator.
# a specific local port number.
+
Contoh menginstalasi OpenVPN-Admin
nobind
 
  
# Downgrade privileges after initialization (non-Windows only)
+
# apt-get install mono openvpn-admin
user nobody
 
group nogroup
 
  
# Try to preserve some state across restarts.
+
==Edit Server.conf==
persist-key
 
persist-tun
 
  
# If you are connecting through an
+
# vi /etc/openvpn/server.conf
# HTTP proxy to reach the actual OpenVPN
 
# server, put the proxy server/IP and
 
# port number here.  See the man page
 
# if your proxy server requires
 
# authentication.
 
;http-proxy-retry # retry on connection failures
 
;http-proxy [proxy server] [proxy port #]
 
  
# Wireless networks often produce a lot
+
isinya kurang lebih
# of duplicate packets.  Set this flag
 
# to silence duplicate packet warnings.
 
;mute-replay-warnings
 
  
# SSL/TLS parms.
+
# OpenVPN Server config file
# See the server config file for more
+
# Which local IP address should OpenVPN listen on? (optional)
# descriptionIt's best to use
+
local 192.168.0.3
# a separate .crt/.key file pair
+
# for each client.  A single ca
+
# Which TCP/UDP port should OpenVPN listen on?
# file can be used for all clients.
+
port 1194
ca keys/ca.crt
+
cert keys/client.crt
+
# TCP or UDP server?
key keys/client.key
+
proto udp
 +
 +
# "dev tun" will create a routed IP tunnel, which is what we want
 +
dev tun
 +
 +
# SSL/TLS root certificate (ca), certificate
 +
# (cert), and private key (key). Each client
 +
# and the server must have their own cert and
 +
# key file. The server and all clients will
 +
# use the same ca file.
 +
  ca keys/ca.crt
 +
cert keys/server.crt
 +
key keys/server.key # This file should be kept secret
 +
# Diffie hellman parameters.
 +
dh keys/dh1024.pem
 +
 +
# Configure server mode and supply a VPN subnet
 +
server 192.168.111.0 255.255.255.0
 +
 +
# Maintain a record of client <-> virtual IP address
 +
# associations in this file.
 +
ifconfig-pool-persist ipp.txt
 +
 +
# Push routes to the client to allow it
 +
# to reach other private subnets behind
 +
# the server. Remember that these
 +
# private subnets will also need
 +
# to know to route the OpenVPN client
 +
  # address pool (10.8.0.0/255.255.255.0)
 +
# back to the OpenVPN server.
 +
# push âroute 172.10.1.0 255.255.255.0"
 +
# push âroute 192.168.0.0 255.255.255.0"
 +
# If enabled, this directive will configure
 +
# all clients to redirect their default
 +
# network gateway through the VPN, causing
 +
# all IP traffic such as web browsing and
 +
# and DNS lookups to go through the VPN
 +
; push "redirect-gateway"
 +
# Certain Windows-specific network settings
 +
# can be pushed to clients, such as DNS
 +
# or WINS server addresses.
 +
;push "dhcp-option DNS 172.10.1.2"
 +
# Uncomment this directive to allow different
 +
# clients to be able to âseeâ
 +
client-to-client
 +
 +
# Ping every 10 seconds, assume that remote
 +
# peer is down if no ping received during
 +
# a 120 second time period.
 +
keepalive 10 120
 +
 +
# For extra security beyond that provided
 +
# by SSL/TLS, create an âHMAC firewallâ
 +
# to help block DoS attacks and UDP port flooding.
 +
; tls-auth keys/ta.key 0 # This file is secret
 +
# Select a cryptographic cipher.
 +
# This config item must be copied to
 +
# the client config file as well.
 +
;cipher BF-CBC # Blowfish (default)
 +
;cipher AES-128-CBC # AES
 +
;cipher DES-EDE3-CBC # Triple-DES
 +
 +
# Enable compression on the VPN link.
 +
; comp-lzo
 +
 +
# The maximum number of concurrently connected
 +
# clients we want to allow.
 +
max-clients 250
 +
 +
# It's a good idea to reduce the OpenVPN
 +
# daemonâs privileges after initialization.
 +
user nobody
 +
group nogroup
 +
 +
# The persist options will try to avoid
 +
# accessing certain resources on restart
 +
# that may no longer be accessible because
 +
# of the privilege downgrade.  
 +
persist-key
 +
persist-tun
 +
 +
# Output a short status file showing
 +
status openvpn-status.log
 +
log-append openvpn.log
 +
 +
# Set the appropriate level of log
 +
# file verbosity.
 +
#
 +
# 0 is silent, except for fatal errors
 +
# 4 is reasonable for general usage
 +
# 5 and 6 can help to debug connection problems
 +
# 9 is extremely verbose
 +
verb 4
 +
 +
# Silence repeating messages. At most 20
 +
# sequential messages of the same message
 +
# category will be output to the log.
 +
mute 20
  
# Verify server certificate by checking
+
==Cara menjalankan VPN Server==
# that the certicate has the nsCertType
 
# field set to "server".  This is an
 
# important precaution to protect against
 
# a potential attack discussed here:
 
#  http://openvpn.net/howto.html#mitm
 
#
 
# To use this feature, you will need to generate
 
# your server certificates with the nsCertType
 
# field set to "server".  The build-key-server
 
# script in the easy-rsa folder will do this.
 
;ns-cert-type server
 
  
# If a tls-auth key is used on the server
+
Mengaktifkan VPN Server dengan server.conf (from www.openvpn.org)
# then every client must also have the key.
 
;tls-auth ta.key 1
 
  
# Select a cryptographic cipher.
+
# openvpn --config /etc/openvpn/server.conf
# If the cipher option is used on the server
 
# then you must also specify it here.
 
;cipher x
 
  
# Enable compression on the VPN link.
+
==Pranala Menarik==
# Don't enable this unless it is also
 
# enabled in the server config file.
 
comp-lzo
 
  
# Set log file verbosity.
+
* http://eshabe.wordpress.com/2008/10/17/hardy-ubuntu-804-speedy-openvpn
verb 3
+
* [[Instalasi OpenVPN Client di Linux]]
 +
* [[Instalasi OpenVPN di Windows]]
 +
* [[Linux Howto]]
  
# Silence repeating messages
+
[[Category: Linux]]
;mute 20
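Review bot: The new side runs `# openvpn --genkey --secret keys/ca.key` right after `./build-dh`, which overwrites the CA's RSA private key that `./build-ca` wrote (the `ca.key` listed under "Akan tampak file berikut") with an unrelated static pre-shared key, so `ca.key` no longer matches `ca.crt` and no further client certificate can be signed; only `openvpn --genkey --secret keys/ta.key` belongs in that step, and it is listed twice. In the server.conf that follows, `; tls-auth keys/ta.key 0` is commented out even though ta.key was just generated, and every `cipher` line is commented so the Blowfish default named in the comment is used; the previous revision had `tls-auth keys/ta.key 0` and `cipher AES-128-CBC` active and they should be restored, with `tls-auth ta.key 1` and the same cipher in every client config. The vars file still sets `export KEY_SIZE=1024` (too small for a new CA; build-dh names its output after this value, so raising it also changes the `dh` line), and the build-key-server transcript enters `123456` as the CSR challenge password — that attribute is stored in the request and does not protect the private key, so it is better left blank. The mis-encoded quotes (`â`) in the server.conf comments look like a copy-paste encoding error and should be plain ASCII quotes.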
 

Latest revision as of 16:03, 7 July 2010

Install openvpn

Install openvpn di Ubuntu

# Install the Ubuntu package, then copy the easy-rsa helper scripts that
# ship in its documentation directory into /etc/openvpn, where the rest
# of this guide runs them (build-ca, build-key-server, build-dh, ...).
apt-get install openvpn
cp -rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/

Pada Ubuntu 8.10 akan terlihat dua folder easy-rsa:

/etc/openvpn/1.0
/etc/openvpn/2.0

Pengguna Ubuntu 8.10, 9.04 dan 9.10 sebaiknya memilih satu versi skrip easy-rsa (1.0 atau 2.0) dan meng-copy isinya langsung ke /etc/openvpn, misalnya versi 2.0 yang dipakai di panduan ini:

# Promote the easy-rsa 2.0 scripts to /etc/openvpn itself; -f silently
# overwrites any file of the same name that is already there.
cp -rf /etc/openvpn/2.0/* /etc/openvpn/

Alternatif lain yang lebih susah, compile openvpn dari source code

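# Build OpenVPN from the upstream tarball. Verify the tarball's checksum
# or signature from the download page before unpacking it: "make install"
# runs as root and installs whatever the archive contains.
# The steps are chained with && so that a missing tarball or a failed
# ./configure stops the sequence instead of running "make install" on an
# incomplete tree.
cp openvpn-2.0.9.tar.gz /usr/local/src \
  && cd /usr/local/src \
  && tar zxvf openvpn-2.0.9.tar.gz \
  && cd openvpn-2.0.9 \
  && ./configure \
  && make \
  && make install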

Anda tidak perlu meng-compile dari source code jika openvpn sudah diinstalasi menggunakan apt-get install; paket distribusi juga lebih mudah di-update.


Edit file vars di /etc/openvpn

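# cd /etc/openvpn/
# vi vars
     # easy-rsa variables. This file is sourced with ". ./vars" before
     # build-ca / build-key-server / build-key / build-dh are run, so the
     # KEY_* values below become defaults for every certificate.
     #
     # RSA key size in bits for the CA, server and client keys, and the
     # size of the Diffie-Hellman group that ./build-dh generates.
     # 1024-bit RSA is too weak for a new CA; use at least 2048.
     # NOTE: build-dh names its output after this value, so with 2048
     # the file is keys/dh2048.pem and the "dh" line in server.conf
     # must point at dh2048.pem instead of dh1024.pem.
     export KEY_SIZE=2048
     # These are the default values for fields
     # which will be placed in the certificate.
     # Don't leave any of these fields blank.
     export KEY_COUNTRY=ID
     export KEY_PROVINCE=DKI
     export KEY_CITY=Jakarta
     export KEY_ORG="Kerm.IT"
     export KEY_EMAIL="onno@indo.net.id"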

Membuat Certificate Authority (CA)

# Work from /etc/openvpn so the easy-rsa scripts find ./vars and keys/.
cd /etc/openvpn/
# Source (not execute) vars so the KEY_* exports land in this shell.
. ./vars
# WARNING: clean-all removes and recreates the keys/ directory. Run it
# only when creating a brand-new CA; on an existing CA it destroys
# ca.key, every issued certificate and the index.txt/serial database.
./clean-all
# Create the CA certificate and private key (keys/ca.crt, keys/ca.key).
# Answer the prompts below. ca.key must never leave this machine.
./build-ca
       Country Name (2 letter code) [ID]:
       State or Province Name (full name) [DKI]:
       Locality Name (eg, city) [Jakarta]:
       Organization Name (eg, company) [Kerm.IT]:
       Organizational Unit Name (eg, section) []:Kerm.IT
       Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
       Email Address [onno@indo.net.id]:


Periksa apakah CA sudah di-generate:

# Confirm the CA was written: keys/ should now hold ca.crt, ca.key,
# index.txt and serial. ca.key is the CA private key; it should be
# readable by root only (mode 0600) and is never copied to clients.
ls -l /etc/openvpn/
ls -l /etc/openvpn/keys

Akan tampak file berikut

ca.crt
ca.key
index.txt
serial

Membuat Server Key

# Issue the server certificate and key (keys/server.crt, keys/server.key),
# signed by the CA created above. Leave "A challenge password" EMPTY: it
# is only an attribute stored in the certificate request, it does not
# encrypt or protect server.key, and the 123456 typed in the transcript
# below gives a false sense of protection.
# ./build-key-server server
       Country Name (2 letter code) [ID]:
       State or Province Name (full name) [DKI]:
       Locality Name (eg, city) [Jakarta]:
       Organization Name (eg, company) [Kerm.IT]:
       Organizational Unit Name (eg, section) []:Kerm.IT
       Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org
       Email Address [onno@indo.net.id]:
       Please enter the following 'extra' attributes
       to be sent with your certificate request
       A challenge password []:123456
       An optional company name []:Kerm.IT
       Using configuration from /etc/openvpn/openssl.cnf
       Check that the request matches the signature
       Signature ok
       The Subject's Distinguished Name is as follows
       countryName           :PRINTABLE:'ID'
       stateOrProvinceName   :PRINTABLE:'DKI'
       localityName          :PRINTABLE:'Jakarta'
       organizationName      :PRINTABLE:'Kerm.IT'
       organizationalUnitName:PRINTABLE:'Kerm.IT'
       commonName            :PRINTABLE:'yc0mlc.ampr.org'
       emailAddress          :IA5STRING:'onno@indo.net.id'
       Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days)
       Sign the certificate? [y/n]:y
       1 out of 1 certificate requests certified, commit? [y/n]y
       Write out database with 1 new entries
       Data Base Updated

Buat Key User

Membuat certificate dan key untuk user admin, dan untuk user lainnya jika diperlukan (satu pasang certificate/key per user):

# Issue a client certificate/key pair for the user "admin"; easy-rsa
# writes them as keys/admin.crt and keys/admin.key. Only those two files
# plus ca.crt go to the client -- never ca.key.
# ./build-key admin
       1 out of 1 certificate requests certified, commit? [y/n]y
       Write out database with 1 new entries
       Data Base Updated

Buat key untuk user lain jika di perlukan

# Pick ONE of the two per user (do not run both for the same name).
# build-key-pass protects the client's private key with a passphrase,
# which is preferable on laptops; build-key writes it unencrypted.
./build-key-pass username
./build-key username


Membuat parameter Diffie-Hellman (DH) untuk server:

# Generate the Diffie-Hellman parameters. The output file is named after
# KEY_SIZE in vars (keys/dh1024.pem for KEY_SIZE=1024) and is what the
# "dh" line in server.conf refers to. This can take several minutes.
./build-dh


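# Generate the tls-auth (HMAC) pre-shared key referenced by the tls-auth
# directive in server.conf. Run this ONCE: re-running it replaces the key
# and invalidates the copy handed to every client, which must carry the
# same ta.key and use "tls-auth ta.key 1".
# Do NOT run --genkey --secret against keys/ca.key: that file is the CA's
# RSA private key written by ./build-ca, and --genkey would overwrite it
# with an unrelated static key, leaving ca.crt without a matching key and
# making every later build-key / build-key-server fail.
# openvpn --genkey --secret keys/ta.key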


Test key

Menguji apakah openvpn dapat membuat static key dan memakainya untuk enkripsi/dekripsi (self-test, tidak menyentuh key di keys/):

# Self-test of the static-key crypto path. It writes a throw-away key
# file literally named "key" in the current directory and does not touch
# the PKI in keys/; delete "key" afterwards so it is not mistaken for a
# real secret.
# openvpn --genkey --secret key
# openvpn --test-crypto --secret key


Test sambungan di 2 windows

Test yang sangat berguna untuk melihat sambungan OpenVPN dari dua (2) jendela terminal: jalankan loopback-server di satu jendela dan loopback-client di jendela lainnya.

cd /etc/openvpn
# The sample keys shipped in the package docs are public and identical on
# every install: use them ONLY for this loopback test, never for a real
# tunnel, and delete sample-keys/ from /etc/openvpn afterwards.
cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/
# Run the two halves in two separate terminal windows; both connect over
# the loopback interface.
openvpn --config sample-config-files/loopback-client
openvpn --config sample-config-files/loopback-server

Jika di perlukan kita dapat menginstalasi OpenVPN Administrator. Contoh menginstalasi OpenVPN-Admin

# Optional GUI front-end (needs the Mono runtime); not required for the
# server itself.
# apt-get install mono openvpn-admin

Edit Server.conf

# vi /etc/openvpn/server.conf

isinya kurang lebih sebagai berikut (path seperti keys/ca.crt relatif terhadap /etc/openvpn):

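# OpenVPN Server config file
# Relative paths below (keys/..., ipp.txt, *.log) are resolved from the
# directory openvpn is started in, which in this guide is /etc/openvpn.

# Which local IP address should OpenVPN listen on? (optional)
local 192.168.0.3

# Which TCP/UDP port should OpenVPN listen on?
port 1194

# TCP or UDP server? The client config must use the same proto.
proto udp

# "dev tun" will create a routed IP tunnel, which is what we want
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
ca keys/ca.crt
cert keys/server.crt
key keys/server.key # This file should be kept secret
# Diffie hellman parameters. ./build-dh names the file after KEY_SIZE
# in vars (dh<KEY_SIZE>.pem); check "ls keys/" and adjust this line if
# you generated a larger group.
dh keys/dh1024.pem

# Configure server mode and supply a VPN subnet
server 192.168.111.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (192.168.111.0/255.255.255.0, the "server" line above)
# back to the OpenVPN server.
# push "route 172.10.1.0 255.255.255.0"
# push "route 192.168.0.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
; push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.
;push "dhcp-option DNS 172.10.1.2"
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# Client-to-client traffic is routed inside the OpenVPN process rather
# than through the tun interface, so per-client firewall rules on the
# server do not see it; comment this out if clients must be isolated.
client-to-client

# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
# keys/ta.key is the file written by "openvpn --genkey --secret
# keys/ta.key" earlier in this guide. Every client needs a copy of the
# same file and "tls-auth ta.key 1" in its config, otherwise its
# packets are dropped before the TLS handshake.
tls-auth keys/ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Without an explicit cipher OpenVPN falls back to Blowfish (BF-CBC),
# a 64-bit block cipher; AES is the better choice.
;cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES

# Enable compression on the VPN link.
# If turned on here it must also be enabled in every client config.
; comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
max-clients 250

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
user nobody
group nogroup

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# the currently connected clients.
status openvpn-status.log
log-append openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 4

# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20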

Cara menjalankan VPN Server

Mengaktifkan VPN Server dengan server.conf (from www.openvpn.org)

# Start the server in the foreground to check openvpn.log for errors
# first. Run it from /etc/openvpn ("cd /etc/openvpn" beforehand), because
# server.conf uses relative paths such as keys/ca.crt that are resolved
# from the current directory, not from the config file's location.
# For a permanent service, prefer the package's init script (it starts
# the *.conf files in /etc/openvpn at boot) over a foreground run.
# openvpn --config /etc/openvpn/server.conf

Pranala Menarik