Difference between revisions of "OpenVPN: IPv6 routed 2 LAN"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
(12 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | Pada kesempatan ini akan di perlihatan konfigurasi OpenVPN untuk memberikan akses sebuah LAN client. Jaringan tempat mesin bekerja adalah IPv4, sementara jaringan yang dimasukan ke tunnel adalah IPv6. Topologi jaringan yang di bangun kira-kira seperti gambar terlampir, | |
LAN 1 ---------- HOST A ---------------- HOST B -------------- LAN 2 | LAN 1 ---------- HOST A ---------------- HOST B -------------- LAN 2 | ||
ovpn server ovpn client | ovpn server ovpn client | ||
− | |||
2002::/64 2345::1/64 2345::2/64 2003::/64 | 2002::/64 2345::1/64 2345::2/64 2003::/64 | ||
− | |||
HOST A OpenVPN Server | HOST A OpenVPN Server | ||
Line 20: | Line 18: | ||
LAN2 : 2003::/64 | LAN2 : 2003::/64 | ||
+ | ==Konfigurasi Tambahan OpenVPN Server== | ||
− | + | Enable IPv4 & IPv6 forwarding, | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
vi /etc/sysctl.conf | vi /etc/sysctl.conf | ||
+ | |||
net.ipv4.ip_forward=1 | net.ipv4.ip_forward=1 | ||
net.ipv4.conf.all.forwarding=1 | net.ipv4.conf.all.forwarding=1 | ||
net.ipv6.conf.all.forwarding=1 | net.ipv6.conf.all.forwarding=1 | ||
net.ipv6.conf.default.forwarding=1 | net.ipv6.conf.default.forwarding=1 | ||
+ | |||
+ | sysctl -p | ||
− | + | Set IP address Server | |
− | ifconfig enp0s3 192.168.0. | + | ifconfig enp0s3 192.168.0.105 netmask 255.255.255.0 |
ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0 | ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0 | ||
ip addr add 2002::1/64 dev enp0s8 | ip addr add 2002::1/64 dev enp0s8 | ||
Line 55: | Line 44: | ||
server-ipv6 2345::/64 | server-ipv6 2345::/64 | ||
push tun-ipv6 | push tun-ipv6 | ||
− | |||
route-ipv6 2003::/64 | route-ipv6 2003::/64 | ||
client-config-dir client | client-config-dir client | ||
+ | Tambahan di dalam folder /etc/openvpn/client file: “client” - filename “client” tergantung nama file “client.ovpn” yang digunakan oleh user / pengguna. Isi file tersebut dengan | ||
− | + | # paksa IP static di client untuk memudahkan routing | |
− | + | ifconfig-push 10.8.0.2 255.255.255.0 | |
− | + | # paksa routing ke upstream | |
− | ifconfig-push 10.8.0.2 255.255.255.0 | + | push "route 10.10.10.0 255.255.255.0" |
− | push "route 10.10.10.0 255.255.255.0" | + | # internal routing ke arah LAN |
− | iroute 10.10.20.0 255.255.255.0 | + | iroute 10.10.20.0 255.255.255.0 |
# | # | ||
+ | # set IPv6 interface client | ||
+ | ifconfig-ipv6-push 2345::2 2345::1 | ||
+ | # push tabel routing | ||
+ | push "route-ipv6 2000::/3" | ||
+ | # set internal routing ke client LAN, harus sesuai dg. server.conf | ||
iroute-ipv6 2003::/64 | iroute-ipv6 2003::/64 | ||
− | ==Konfigurasi Client Gateway== | + | ==Konfigurasi Client LAN Gateway== |
− | + | Enable IPv6 Forwarding, | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
vi /etc/sysctl.conf | vi /etc/sysctl.conf | ||
+ | |||
net.ipv4.ip_forward=1 | net.ipv4.ip_forward=1 | ||
net.ipv4.conf.all.forwarding=1 | net.ipv4.conf.all.forwarding=1 | ||
net.ipv6.conf.all.forwarding=1 | net.ipv6.conf.all.forwarding=1 | ||
net.ipv6.conf.default.forwarding=1 | net.ipv6.conf.default.forwarding=1 | ||
+ | |||
+ | sysctl -p | ||
+ | |||
+ | Konfigurasi interface LAN Gateway | ||
+ | |||
+ | ifconfig enp0s3 192.168.0.107 netmask 255.255.255.0 | ||
+ | ifconfig enp0s8 10.10.20.1 netmask 255.255.255.0 | ||
+ | ip addr add 2003::1/64 dev enp0s8 | ||
+ | |||
+ | Untuk memberikan IPv6 address ke client LAN, dapat menggunakan radvd. Edit /etc/radvd.conf: | ||
+ | |||
+ | # file: /etc/radvd.conf | ||
+ | interface enp0s8 | ||
+ | { | ||
+ | AdvSendAdvert on; | ||
+ | prefix 2003::/64 | ||
+ | { | ||
+ | AdvOnLink on; | ||
+ | AdvAutonomous on; | ||
+ | }; | ||
+ | }; | ||
+ | |||
+ | Install & restart radvd | ||
+ | |||
+ | apt install radvd | ||
+ | /etc/init.d/radvd restart | ||
+ | |||
+ | Sambungkan OpenVPN | ||
+ | |||
+ | openvpn --config client.ovpn | ||
+ | |||
+ | Akan tampak | ||
+ | |||
+ | Mon Mar 11 04:38:29 2019 ROUTE_GATEWAY 192.168.0.223/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:c5:c4:7a | ||
+ | Mon Mar 11 04:38:29 2019 GDG6: remote_host_ipv6=n/a | ||
+ | Mon Mar 11 04:38:29 2019 ROUTE6_GATEWAY fe80::1 IFACE=enp0s3 | ||
+ | Mon Mar 11 04:38:29 2019 TUN/TAP device tun0 opened | ||
+ | Mon Mar 11 04:38:29 2019 TUN/TAP TX queue length set to 100 | ||
+ | Mon Mar 11 04:38:29 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=1 | ||
+ | Mon Mar 11 04:38:29 2019 /sbin/ip link set dev tun0 up mtu 1500 | ||
+ | Mon Mar 11 04:38:29 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 | ||
+ | Mon Mar 11 04:38:29 2019 /sbin/ip -6 addr add 2345::1000/64 dev tun0 | ||
+ | Mon Mar 11 04:38:29 2019 /sbin/ip route add 192.168.0.105/32 dev enp0s3 | ||
+ | Mon Mar 11 04:38:29 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 | ||
+ | Mon Mar 11 04:38:29 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 | ||
+ | Mon Mar 11 04:38:29 2019 add_route_ipv6(2000::/3 -> 2345::1 metric -1) dev tun0 | ||
+ | Mon Mar 11 04:38:29 2019 /sbin/ip -6 route add 2000::/3 dev tun0 | ||
+ | Mon Mar 11 04:38:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this | ||
+ | Mon Mar 11 04:38:29 2019 Initialization Sequence Completed | ||
+ | |||
+ | Perhatikan ada beberapa setup IPv4 maupun IPv6 yang di berikan oleh OpenVPN. Hal ini akan tampak pada ifconfig, akan muncul interface tambahan tun0 | ||
+ | |||
+ | tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 | ||
+ | inet 10.8.0.2 netmask 255.255.255.0 destination 10.8.0.2 | ||
+ | inet6 fe80::519f:30a1:8afb:d64b prefixlen 64 scopeid 0x20<link> | ||
+ | inet6 2345::1000 prefixlen 64 scopeid 0x0<global> | ||
+ | unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) | ||
+ | RX packets 1 bytes 76 (76.0 B) | ||
+ | RX errors 0 dropped 0 overruns 0 frame 0 | ||
+ | TX packets 5 bytes 380 (380.0 B) | ||
+ | TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 | ||
+ | |||
+ | TIDAK ADA Tambahan konfigurasi di client.ovpn. Pastikan setup interface BENAR. Pastikan setup routing BENAR. | ||
− | + | ip route show | |
+ | ip -6 route show | ||
+ | route -n | ||
− | agar lebih aman | + | Catatan Tambahan Firewall atau NAT di LAN Gateway |
+ | Sebaiknya firewall jangan di pasang, jika kita ingin membuka semua client ke Internet secara terbuka lebar. Tapi bagi mereka yang takut, ada baiknya menggunakan firewall agar lebih aman. Contoh konfigurasi adalah sebagai berikut, | ||
ipt6tables -P FORWARD DROP | ipt6tables -P FORWARD DROP | ||
− | ip6tables -A FORWARD -s 2003::/64 -d ::/0 -m comment --comment "allow outgoing | + | ip6tables -A FORWARD -s 2003::/64 -d ::/0 -m comment --comment "allow outgoing" -j ACCEPT |
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT | ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT | ||
ip6tables -A INPUT -i enp0s8 -j ACCEPT | ip6tables -A INPUT -i enp0s8 -j ACCEPT | ||
# | # | ||
− | # ijinkan akses tertentu ke internal | + | # ijinkan akses tertentu ke internal |
− | ip6tables -A FORWARD -d 2003::c01d/64 -m comment --comment " | + | ip6tables -A FORWARD -d 2003::c01d/64 -m comment --comment "A/C" -j ACCEPT |
+ | |||
+ | # Allow traffic initiated from VPN to access LAN | ||
+ | ip6tables -I FORWARD -i tun0 -o enp0s8 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | # Allow traffic initiated from LAN to access "the world" | ||
+ | ip6tables -I FORWARD -i enp0s8 -o tun0 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | # Allow established traffic to pass back and forth | ||
+ | ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | ||
+ | |||
+ | Jika firewall juga gagal, tampaknya kita akan stuck dengan NAT | ||
+ | |||
+ | ip6tables -t nat -A POSTROUTING -s 2003::/64 -o tun0 -j MASQUERADE | ||
+ | |||
+ | ==Konfigurasi LAN 1 Client== | ||
+ | |||
+ | Konfigurasi LAN1 Client cukup sederhana, | ||
+ | |||
+ | * IPv6 di sesuaikan dengan alokasi yang ada di LAN1 | ||
+ | * Routing di sesuaikan dengan routing yang ada, kita perlu menambahkan routing ke arah LAN2 melalui OpenVPN gateway. | ||
+ | |||
+ | Contoh | ||
+ | |||
+ | ip addr 2002::1000 dev enp0s3 | ||
+ | ip route add 2003::/64 via 2002::1 | ||
+ | ==Konfigurasi LAN 2 Client== | ||
− | + | Konfigurasi LAN2 Client cukup sederhana, | |
− | + | ||
− | + | * IPv6 di sesuaikan dengan alokasi yang ada di LAN2 | |
+ | * IPv6 dapat di buat automatis karena gateway Client LAN menjalankan radvd Server. | ||
+ | * Routing di sesuaikan dengan routing yang ada, kita perlu menambahkan routing ke arah LAN1 melalui OpenVPN gateway. | ||
− | + | Contoh | |
− | |||
− | |||
− | ip | + | ip addr 2003::1000 dev enp0s3 |
− | ip | + | ip route add 2000::/3 dev enp0s3 |
− | |||
==Referensi== | ==Referensi== | ||
Line 122: | Line 195: | ||
==Pranala Menarik== | ==Pranala Menarik== | ||
− | * [[OpenVPN]] | + | * [[OpenVPN: IPv4 /32 single client]] |
+ | * [[OpenVPN: IPv4 /32 multi-client]] | ||
+ | * [[OpenVPN: IPv4 routed LAN]] | ||
+ | * [[OpenVPN: IPv4 routed 2 LAN]] | ||
+ | * [[OpenVPN: IPv6 /128 single client]] | ||
+ | * [[OpenVPN: IPv6 routed LAN]] | ||
+ | * [[OpenVPN: IPv6 routed 2 LAN]] | ||
+ | |||
+ | * [[IPv6: OpenVPN: Ubuntu roadwarrior]] | ||
+ | * [[OpenVPN: Simple Server using Script]] | ||
+ | * [[OpenVPN: Free VPN untuk Ubuntu]] | ||
+ | * [[Instalasi OpenVPN]] | ||
+ | * [[Instalasi OpenVPN Client di Linux]] | ||
+ | * [[Capture Screen Proses Instalasi OpenVPN di Windows]] | ||
+ | * [[Instalasi OpenVPN di Windows]] | ||
+ | * [[WNDW: OpenVPN]] | ||
+ | * [[OpenVPN: Instalasi di Ubuntu 16.04]] | ||
+ | * [[OpenVPN: Instalasi di Ubuntu 18.04]] | ||
+ | * [[OpenVPN: Briding dan Routing]] |
Latest revision as of 08:18, 31 March 2020
Pada kesempatan ini akan di perlihatan konfigurasi OpenVPN untuk memberikan akses sebuah LAN client. Jaringan tempat mesin bekerja adalah IPv4, sementara jaringan yang dimasukan ke tunnel adalah IPv6. Topologi jaringan yang di bangun kira-kira seperti gambar terlampir,
LAN 1 ---------- HOST A ---------------- HOST B -------------- LAN 2 ovpn server ovpn client 2002::/64 2345::1/64 2345::2/64 2003::/64
HOST A OpenVPN Server
OS : Ubuntu 18.04 IP : 192.168.0.239/24 IP : 2345::1/64 LAN1 : 2002::/64
HOST B OpenVPN Client
OS : Ubuntu 18.04 IP : 2345::2/64 LAN2 : 2003::/64
Konfigurasi Tambahan OpenVPN Server
Enable IPv4 & IPv6 forwarding,
vi /etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1 sysctl -p
Set IP address Server
ifconfig enp0s3 192.168.0.105 netmask 255.255.255.0 ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0 ip addr add 2002::1/64 dev enp0s8
Tambahan di konfigurasi /etc/openvpn/server.conf
ifconfig 10.8.0.1 255.255.255.0 server 10.8.0.0 255.255.255.0 tun-ipv6 server-ipv6 2345::/64 push tun-ipv6 route-ipv6 2003::/64 client-config-dir client
Tambahan di dalam folder /etc/openvpn/client file: “client” - filename “client” tergantung nama file “client.ovpn” yang digunakan oleh user / pengguna. Isi file tersebut dengan
# paksa IP static di client untuk memudahkan routing ifconfig-push 10.8.0.2 255.255.255.0 # paksa routing ke upstream push "route 10.10.10.0 255.255.255.0" # internal routing ke arah LAN iroute 10.10.20.0 255.255.255.0 # # set IPv6 interface client ifconfig-ipv6-push 2345::2 2345::1 # push tabel routing push "route-ipv6 2000::/3" # set internal routing ke client LAN, harus sesuai dg. server.conf iroute-ipv6 2003::/64
Konfigurasi Client LAN Gateway
Enable IPv6 Forwarding,
vi /etc/sysctl.conf net.ipv4.ip_forward=1 net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1 net.ipv6.conf.default.forwarding=1 sysctl -p
Konfigurasi interface LAN Gateway
ifconfig enp0s3 192.168.0.107 netmask 255.255.255.0 ifconfig enp0s8 10.10.20.1 netmask 255.255.255.0 ip addr add 2003::1/64 dev enp0s8
Untuk memberikan IPv6 address ke client LAN, dapat menggunakan radvd. Edit /etc/radvd.conf:
# file: /etc/radvd.conf interface enp0s8 { AdvSendAdvert on; prefix 2003::/64 { AdvOnLink on; AdvAutonomous on; }; };
Install & restart radvd
apt install radvd /etc/init.d/radvd restart
Sambungkan OpenVPN
openvpn --config client.ovpn
Akan tampak
Mon Mar 11 04:38:29 2019 ROUTE_GATEWAY 192.168.0.223/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:c5:c4:7a Mon Mar 11 04:38:29 2019 GDG6: remote_host_ipv6=n/a Mon Mar 11 04:38:29 2019 ROUTE6_GATEWAY fe80::1 IFACE=enp0s3 Mon Mar 11 04:38:29 2019 TUN/TAP device tun0 opened Mon Mar 11 04:38:29 2019 TUN/TAP TX queue length set to 100 Mon Mar 11 04:38:29 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=1 Mon Mar 11 04:38:29 2019 /sbin/ip link set dev tun0 up mtu 1500 Mon Mar 11 04:38:29 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 Mon Mar 11 04:38:29 2019 /sbin/ip -6 addr add 2345::1000/64 dev tun0 Mon Mar 11 04:38:29 2019 /sbin/ip route add 192.168.0.105/32 dev enp0s3 Mon Mar 11 04:38:29 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1 Mon Mar 11 04:38:29 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1 Mon Mar 11 04:38:29 2019 add_route_ipv6(2000::/3 -> 2345::1 metric -1) dev tun0 Mon Mar 11 04:38:29 2019 /sbin/ip -6 route add 2000::/3 dev tun0 Mon Mar 11 04:38:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Mon Mar 11 04:38:29 2019 Initialization Sequence Completed
Perhatikan ada beberapa setup IPv4 maupun IPv6 yang di berikan oleh OpenVPN. Hal ini akan tampak pada ifconfig, akan muncul interface tambahan tun0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500 inet 10.8.0.2 netmask 255.255.255.0 destination 10.8.0.2 inet6 fe80::519f:30a1:8afb:d64b prefixlen 64 scopeid 0x20<link> inet6 2345::1000 prefixlen 64 scopeid 0x0<global> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC) RX packets 1 bytes 76 (76.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 5 bytes 380 (380.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
TIDAK ADA Tambahan konfigurasi di client.ovpn. Pastikan setup interface BENAR. Pastikan setup routing BENAR.
ip route show ip -6 route show route -n
Catatan Tambahan Firewall atau NAT di LAN Gateway Sebaiknya firewall jangan di pasang, jika kita ingin membuka semua client ke Internet secara terbuka lebar. Tapi bagi mereka yang takut, ada baiknya menggunakan firewall agar lebih aman. Contoh konfigurasi adalah sebagai berikut,
ipt6tables -P FORWARD DROP ip6tables -A FORWARD -s 2003::/64 -d ::/0 -m comment --comment "allow outgoing" -j ACCEPT ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT ip6tables -A INPUT -i enp0s8 -j ACCEPT # # ijinkan akses tertentu ke internal ip6tables -A FORWARD -d 2003::c01d/64 -m comment --comment "A/C" -j ACCEPT # Allow traffic initiated from VPN to access LAN ip6tables -I FORWARD -i tun0 -o enp0s8 -m conntrack --ctstate NEW -j ACCEPT # Allow traffic initiated from LAN to access "the world" ip6tables -I FORWARD -i enp0s8 -o tun0 -m conntrack --ctstate NEW -j ACCEPT # Allow established traffic to pass back and forth ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Jika firewall juga gagal, tampaknya kita akan stuck dengan NAT
ip6tables -t nat -A POSTROUTING -s 2003::/64 -o tun0 -j MASQUERADE
Konfigurasi LAN 1 Client
Konfigurasi LAN1 Client cukup sederhana,
- IPv6 di sesuaikan dengan alokasi yang ada di LAN1
- Routing di sesuaikan dengan routing yang ada, kita perlu menambahkan routing ke arah LAN2 melalui OpenVPN gateway.
Contoh
ip addr 2002::1000 dev enp0s3 ip route add 2003::/64 via 2002::1
Konfigurasi LAN 2 Client
Konfigurasi LAN2 Client cukup sederhana,
- IPv6 di sesuaikan dengan alokasi yang ada di LAN2
- IPv6 dapat di buat automatis karena gateway Client LAN menjalankan radvd Server.
- Routing di sesuaikan dengan routing yang ada, kita perlu menambahkan routing ke arah LAN1 melalui OpenVPN gateway.
Contoh
ip addr 2003::1000 dev enp0s3 ip route add 2000::/3 dev enp0s3
Referensi
- https://openoffice.nl/2018/04/05/ipv6-openvpn-part2/
- https://backreference.org/2009/11/15/openvpn-and-iroute/
Pranala Menarik
- OpenVPN: IPv4 /32 single client
- OpenVPN: IPv4 /32 multi-client
- OpenVPN: IPv4 routed LAN
- OpenVPN: IPv4 routed 2 LAN
- OpenVPN: IPv6 /128 single client
- OpenVPN: IPv6 routed LAN
- OpenVPN: IPv6 routed 2 LAN
- IPv6: OpenVPN: Ubuntu roadwarrior
- OpenVPN: Simple Server using Script
- OpenVPN: Free VPN untuk Ubuntu
- Instalasi OpenVPN
- Instalasi OpenVPN Client di Linux
- Capture Screen Proses Instalasi OpenVPN di Windows
- Instalasi OpenVPN di Windows
- WNDW: OpenVPN
- OpenVPN: Instalasi di Ubuntu 16.04
- OpenVPN: Instalasi di Ubuntu 18.04
- OpenVPN: Briding dan Routing