Difference between revisions of "IPv6: OpenVPN: Ubuntu roadwarrior"

From OnnoWiki
 
(19 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
  
OpenVPN is very popular open-source software application that implements virtual private networks (VPN). It uses a custom security protocol that utilizes SSL/TLS for key exchange. We very often configure only IPv4 for the VPN service. But if you have IPv6, why not enable it for VPN?
+
Aplikasi open source untuk mengimplementasi Virtual Private Network (VPN) yang cukup populer adalah OpenVPN. OpenVPN menggunakan protocol SSL / TLS untuk mempertukarkan kunci. Pada kesempatan ini akan di terangkan cara mengaktifkan OpenVPN untuk IPv6.
  
First, let’s quickly see how can we install OpenVPN in an Ubuntu server; we will then enable IPv6.
+
==Contoh Topology==
  
1. Install OpenVPN
+
Jaringan dibuat di GNS3 menggunakan NAT (192.168.122.1), 2 Server 202.x.x.x satu berfungsi sebagai client, satu lagi berfungsi sebagai server.
  
In this example, I am using an OpenVPN road warrior installer. Download the initial script and run the command:
 
  
$ wget https://git.io/vpn -O openvpn-install.sh
+
2222::/64 -- B Client 10.10.10.2 --  10.10.10.1 A Server  ---- NAT 192.168.122.1
  
$ sudo bash openvpn-install.sh
+
==Konfigurasi Jaringan==
  
You need to define the external IP address on which you will run the service:
+
===Server A===
  
a. External IP address on which you will run the service
+
dhclient enp0s3
b. Port No
+
ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0
c. DNS you want to use
+
ip addr add 2001::1/64 dev enp0s3
  
This will create the necessary certificates and create the first client.
+
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/tun0/forwarding
  
That’s it. Your OpenVPN server has been configured and is ready to use. You can see the added firewall rules /etc/rc.local file:
+
===Client B===
  
$ cat /etc/rc.local
+
ifconfig enp0s3 10.10.10.2 netmask 255.255.255.0
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
ip addr add 2222::1/64 dev enp0s8
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
+
route add default gw 10.10.10.1
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
 
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 203.0.113.10
 
  
Type the following command to start the OpenVPN service:
+
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/tun0/forwarding
  
$ sudo /etc/init.d/openvpn start
+
==Server: Instalasi OpenVPN==
  
The client certificate will be stored in the home directory.
+
Agar mudah kita menggunakan OpenVPN road warrior installer. Download dan jalankan script untuk instalasi menggunakan perintah
  
fakrul-apnic.ovpn
+
sudo su
 +
rm /var/lib/dpkg/lock
 +
apt update
  
To connect from MacOSX, you can use TunnelBlick.
+
cd /usr/local/src
 +
wget https://git.io/vpn -O openvpn-install.sh
 +
sudo bash openvpn-install.sh
  
To add a new client, run the openvpn-install.sh script. Choose option 1 to add a new client and the certificate will be stored in the home folder.
+
Beberapa informasi yang dibutuhkan
  
B. Enable IPv6
+
* IP address OpenVPN:
 +
* Public IP address / hostname:
 +
* Protocol UDP / TCP
 +
* Port: 1194 (UDP)
 +
* DNS: Google
 +
* Client name: coba1
  
Now let’s enable IPv6. For the configuration I am using IP 2001:db8:ee00:ee00::10/64 for the VPN server.
+
Jika OpenVPN serve telah di konfigurasi dan siap pakai. Akan tampak di rules firewall di /etc/rc.local kira-kira
  
2001:db8:ee00:abcd::/64 has been routed to the OpenVPN server host. That mean users connected via OpenVPN will get an address from 2001:db8:ee00:abcd::/64
+
$ cat /etc/rc.local
 +
# iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 +
# iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
 +
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
 +
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24-j SNAT --to 10.10.10.1
  
Step 1: We need to edit the OpenVPN configuration file and enable IPv6 tunnel service
+
Jalankan OpenVPN, ketik
  
vi /etc/openvpn/server.conf
+
sudo /etc/init.d/openvpn start
  
Add the following:
+
Sertifikat client di simpan di home directory supaya mudah di ambil,
  
server-ipv6 2001:0db8:ee00:abcd::/64
+
mv /root/coba1.ovpn /home/onno/coba1.ovpn
tun-ipv6
+
chmod -Rf 777 /home/onno/coba1.ovpn
push tun-ipv6
+
chown -Rf onno: /home/onno/coba1.ovpn
ifconfig-ipv6 2001:0db8:ee00:abcd::1 2001:0db8:ee00:abcd::2
 
push "route-ipv6 2001:0db8:ee00:ee00::2/64"
 
push "route-ipv6 2000::/3"
 
  
Step 2: Enable IPv6 forwarding:
+
==AKtifkan IPv6==
  
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
Interface tun0 di server biasanya
  
Step 3: Reload OpenVPN Service
+
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
 +
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
 +
        inet6 fe80::4d06:4709:ba3f:7120  prefixlen 64  scopeid 0x20<link>
 +
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
 +
        RX packets 0  bytes 0 (0.0 B)
 +
        RX errors 0  dropped 0  overruns 0  frame 0
 +
        TX packets 6  bytes 288 (288.0 B)
 +
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  
sudo /etc/init.d/openvpn restart
+
Langkah selanjutnya adalah mengaktifkan IPv6.
  
Try to connect your OpenVPN client.
+
Misalnya,
  
From the Tunnelblick log you can verify the IP addresses:
+
* IPv6 Server : 2001::1/64
 +
* IPv6 Routed : 2222::/59 (ada 32 network /64)
  
Test the IPv6 reachability by accessing http://test-ipv6.com/
+
Edit server.conf
 +
 
 +
vi /etc/openvpn/server.conf
  
Note:
+
Tambahkan:
1. To make IPv6 forwarding persistent, remember to uncomment in /etc/sysctl.conf:
 
  
net.ipv6.conf.all.forwarding = 1
+
server-ipv6 2001::1/64
 +
tun-ipv6
 +
push tun-ipv6
 +
ifconfig-ipv6 2222::1 2222::2
 +
push "route-ipv6 2222::2/59"
 +
push "route-ipv6 2000::/3"
  
2. Make sure that you route 2001:db8:ee00:abcd::/64 to your OpenVPN Server. I have done this from my Cisco router:
+
Reload OpenVPN Service
  
ipv6 route 2001:db8:ee00:abcd::/64 2001:db8:ee00:ee00::10
+
sudo /etc/init.d/openvpn restart
  
So you now have native IPv6 and can access all IPv6-enabled services. As a roaming user, it will give you better security.
+
==Client==
  
 +
Install openvpn
  
 +
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
 +
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
  
 +
rm /var/lib/dpkg/lock
 +
apt update
 +
apt install openvpn
  
 +
Download file .ovpn client. Coba sambungkan
  
 +
openvpn --config coba1.ovpn
 +
 +
Test the IPv6 reachability by accessing http://test-ipv6.com/
  
 
==Referensi==
 
==Referensi==
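Review bot: The new "chmod -Rf 777 /home/onno/coba1.ovpn" step in the server install section leaves the client certificate file readable and writable by every local user; the following chown already hands it to onno, so "chmod 600" after the chown is enough for that user to fetch it. In the added rc.local listing, "10.8.0.0/24-j SNAT" is missing the space before -j and would not be accepted by iptables as written. The added "server-ipv6 2001::1/64" also reuses the address that the Server A steps put on enp0s3 ("ip addr add 2001::1/64 dev enp0s3"), so the tunnel prefix and the uplink share one /64; a dedicated prefix for the tunnel would keep the two apart.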
Line 97: Line 138:
 
==Pranala Menarik==
 
==Pranala Menarik==
  
* [[OpenVPN]]
+
* [[OpenVPN: IPv4 /32 single client]]
* [[IPv6]]
+
* [[OpenVPN: IPv4 /32 multi-client]]
 +
* [[OpenVPN: IPv4 routed LAN]]
 +
* [[OpenVPN: IPv4 routed 2 LAN]]
 +
* [[OpenVPN: IPv6 /128 single client]]
 +
* [[OpenVPN: IPv6 routed LAN]]
 +
* [[OpenVPN: IPv6 routed 2 LAN]]
 +
 
 +
* [[IPv6: OpenVPN: Ubuntu roadwarrior]]
 +
* [[OpenVPN: Simple Server using Script]]
 +
* [[OpenVPN: Free VPN untuk Ubuntu]]
 +
* [[Instalasi OpenVPN]]
 +
* [[Instalasi OpenVPN Client di Linux]]
 +
* [[Capture Screen Proses Instalasi OpenVPN di Windows]]
 +
* [[Instalasi OpenVPN di Windows]]
 +
* [[WNDW: OpenVPN]]
 +
* [[OpenVPN: Instalasi di Ubuntu 16.04]]
 +
* [[OpenVPN: Instalasi di Ubuntu 18.04]]
 +
* [[OpenVPN: Briding dan Routing]]

Latest revision as of 08:19, 31 March 2020

Source: https://blog.apnic.net/2017/06/09/using-openvpn-ipv6/


OpenVPN is a popular open-source application for implementing a Virtual Private Network (VPN). OpenVPN uses the SSL/TLS protocol for key exchange. This page explains how to enable IPv6 in OpenVPN.

Example Topology

The network is built in GNS3 using NAT (192.168.122.1), with 2 servers 202.x.x.x, one acting as the client and the other as the server.


2222::/64 -- B Client 10.10.10.2 --  10.10.10.1 A Server  ---- NAT 192.168.122.1

Network Configuration

Server A

dhclient enp0s3
ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0
ip addr add 2001::1/64 dev enp0s3
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
echo 1 > /proc/sys/net/ipv6/conf/tun0/forwarding

Client B

ifconfig enp0s3 10.10.10.2 netmask 255.255.255.0
ip addr add 2222::1/64 dev enp0s8
route add default gw 10.10.10.1
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
echo 1 > /proc/sys/net/ipv6/conf/tun0/forwarding

Server: OpenVPN Installation

For convenience we use the OpenVPN road warrior installer. Download and run the installation script with the following commands:

sudo su
# clear a stale dpkg lock; only do this when no other apt/dpkg process is running
rm /var/lib/dpkg/lock
apt update
cd /usr/local/src
wget https://git.io/vpn -O openvpn-install.sh
sudo bash openvpn-install.sh

Information the installer asks for:

  • IP address OpenVPN:
  • Public IP address / hostname:
  • Protocol UDP / TCP
  • Port: 1194 (UDP)
  • DNS: Google
  • Client name: coba1

Once the OpenVPN server has been configured and is ready to use, the firewall rules appear in /etc/rc.local, roughly as follows:

$ cat /etc/rc.local
# iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to 10.10.10.1

Start OpenVPN by typing:

sudo /etc/init.d/openvpn start

The client certificate is stored in the home directory so that it is easy to retrieve:

mv /root/coba1.ovpn /home/onno/coba1.ovpn
# the .ovpn file holds the client's VPN credentials: give it to onno, owner-only access
chown onno: /home/onno/coba1.ovpn
chmod 600 /home/onno/coba1.ovpn

Enable IPv6

The tun0 interface on the server usually looks like this:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::4d06:4709:ba3f:7120  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 288 (288.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The next step is to enable IPv6.

For example,

  • IPv6 Server : 2001::1/64
  • IPv6 Routed : 2222::/59 (32 /64 networks)

Edit server.conf

vi /etc/openvpn/server.conf

Add:

server-ipv6 2001::1/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2222::1 2222::2
push "route-ipv6 2222::2/59"
push "route-ipv6 2000::/3"

Reload OpenVPN Service

sudo /etc/init.d/openvpn restart
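
An added example (not from the original page or from OpenVPN): a Python consistency check over the IPv6 directives added to server.conf above, flagging prefixes written with host bits, tunnel endpoints outside the server-ipv6 prefix, and pushed routes that send all global IPv6 through the server. The function names and finding codes are assumptions of this example; the checks are addressing-plan arithmetic, not OpenVPN's own option parsing.

```python
import ipaddress
import shlex

# Constructed sample: the IPv6 lines this page adds to /etc/openvpn/server.conf.
SERVER_CONF = """\
server-ipv6 2001::1/64
tun-ipv6
push tun-ipv6
ifconfig-ipv6 2222::1 2222::2
push "route-ipv6 2222::2/59"
push "route-ipv6 2000::/3"
"""

def parse_directives(text):
    """Yield (name, args); push "x y" is returned as ("push:x", ["y"])."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        words = shlex.split(line)
        if words[0] == "push" and len(words) == 2:
            inner = words[1].split()
            words = ["push:" + inner[0]] + inner[1:]
        yield words[0], words[1:]

def audit(text):
    """Return (code, directive, detail) findings; the codes are this example's own."""
    directives = list(parse_directives(text))
    pools = [ipaddress.IPv6Interface(a[0]).network
             for n, a in directives if n == "server-ipv6"]
    findings = []
    for name, args in directives:
        if name in ("server-ipv6", "push:route-ipv6"):
            iface = ipaddress.IPv6Interface(args[0])
            net = iface.network
            if iface.ip != net.network_address:  # e.g. 2222::2/59 is really 2222::/59
                findings.append(("host-bits", name, f"{args[0]} -> {net}"))
            if name == "push:route-ipv6" and str(net) == "2000::/3":
                # all global unicast: every client IPv6 flow crosses the server
                findings.append(("full-tunnel", name, str(net)))
            elif name == "push:route-ipv6" and net.prefixlen < 64:
                count = 2 ** (64 - net.prefixlen)
                findings.append(("routed-64s", name, f"{net} = {count} x /64"))
        elif name == "ifconfig-ipv6":
            for addr in args[:2]:  # local and remote tunnel endpoints
                ip = ipaddress.IPv6Interface(addr).ip
                if pools and not any(ip in p for p in pools):
                    findings.append(("outside-pool", name, str(ip)))
    return findings
```

On the page's directives, audit(SERVER_CONF) reports that 2222::1 and 2222::2 lie outside 2001::/64 and that 2222::/59 covers 32 /64 networks, matching the count given above. The full-tunnel finding marks the traffic that any IPv6 forwarding rules on the server have to cover.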

Client

Install openvpn

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s3/forwarding
echo 1 > /proc/sys/net/ipv6/conf/enp0s8/forwarding
# clear a stale dpkg lock; only do this when no other apt/dpkg process is running
rm /var/lib/dpkg/lock
apt update
apt install openvpn

Download the client .ovpn file and try to connect:

openvpn --config coba1.ovpn

Test the IPv6 reachability by accessing http://test-ipv6.com/

References

Related Links