Difference between revisions of "Instalasi OpenVPN"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
(14 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | == | + | ==Install openvpn== |
+ | Install openvpn di Ubuntu | ||
+ | |||
+ | apt-get install openvpn | ||
+ | cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/ | ||
+ | |||
+ | Pada Ubuntu 8.10 akan di terlihat folder | ||
+ | |||
+ | /etc/openvpn/1.0 | ||
+ | /etc/openvpn/2.0 | ||
+ | |||
+ | Mungkin ada baiknya untuk pengguna Ubuntu 8.10, 9.04, 9.10 untuk memilih kita akan menggunakan konfigurasi 1.0 atau 2.0 dengan cara mengcopy | ||
− | + | cp -Rf /etc/openvpn/2.0/* /etc/openvpn | |
− | + | Alternatif lain yang lebih susah, compile openvpn dari [[source code]] | |
− | |||
+ | cp openvpn-2.0.9.tar.gz /usr/local/src | ||
+ | cd /usr/local/src | ||
+ | tar zxvf openvpn-2.0.9.tar.gz | ||
+ | cd openvpn-2.0.9 | ||
+ | ./configure | ||
+ | make | ||
+ | make install | ||
− | + | Anda tidak perlu mengcompile dari [[source code]], jika sudah menginstalasi openvpn menggunakan apt-get install | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
Edit file vars di /etc/openvpn | Edit file vars di /etc/openvpn | ||
Line 33: | Line 43: | ||
export KEY_EMAIL="onno@indo.net.id" | export KEY_EMAIL="onno@indo.net.id" | ||
+ | ==Membuat Certificate Authority (CA)== | ||
− | + | cd /etc/openvpn/ | |
− | |||
− | |||
. ./vars | . ./vars | ||
./clean-all | ./clean-all | ||
Line 51: | Line 60: | ||
Lihat keys apakah sudah di generate | Lihat keys apakah sudah di generate | ||
− | + | ls -l /etc/openvpn/ | |
− | + | ls -l /etc/openvpn/keys | |
− | |||
− | |||
− | |||
− | |||
+ | Akan tampak file berikut | ||
− | + | ca.crt | |
+ | ca.key | ||
+ | index.txt | ||
+ | serial | ||
+ | |||
+ | ==Membuat Server Key== | ||
# ./build-key-server server | # ./build-key-server server | ||
Line 92: | Line 103: | ||
Data Base Updated | Data Base Updated | ||
− | Buat key untuk user admin maupun user lainnya jika di perlukan | + | ==Buat Key User== |
+ | |||
+ | Membuat key untuk user admin maupun user lainnya jika di perlukan | ||
# ./build-key admin | # ./build-key admin | ||
Line 103: | Line 116: | ||
./build-key-pass username | ./build-key-pass username | ||
./build-key username | ./build-key username | ||
+ | |||
+ | |||
+ | Membuat DH Parameter dari key | ||
./build-dh | ./build-dh | ||
+ | |||
+ | |||
# openvpn --genkey --secret keys/ta.key | # openvpn --genkey --secret keys/ta.key | ||
− | |||
# openvpn --genkey --secret keys/ca.key | # openvpn --genkey --secret keys/ca.key | ||
# openvpn --genkey --secret keys/ta.key | # openvpn --genkey --secret keys/ta.key | ||
+ | |||
+ | ==Test key== | ||
Test key | Test key | ||
+ | |||
# openvpn --genkey --secret key | # openvpn --genkey --secret key | ||
# openvpn --test-crypto --secret key | # openvpn --test-crypto --secret key | ||
− | Test sambungan di 2 windows | + | ==Test sambungan di 2 windows== |
− | |||
− | |||
− | |||
− | |||
− | |||
+ | Test yang sangat berguna melihat sambungan OpenVPN dari dua (2) Windows. | ||
+ | cd /etc/openvpn | ||
+ | cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/ | ||
+ | cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/ | ||
+ | openvpn --config sample-config-files/loopback-client | ||
+ | openvpn --config sample-config-files/loopback-server | ||
+ | Jika di perlukan kita dapat menginstalasi OpenVPN Administrator. | ||
Contoh menginstalasi OpenVPN-Admin | Contoh menginstalasi OpenVPN-Admin | ||
+ | |||
# apt-get install mono openvpn-admin | # apt-get install mono openvpn-admin | ||
− | + | ==Edit Server.conf== | |
− | |||
− | |||
− | Edit Server.conf | ||
# vi /etc/openvpn/server.conf | # vi /etc/openvpn/server.conf | ||
Line 138: | Line 158: | ||
isinya kurang lebih | isinya kurang lebih | ||
− | #OpenVPN Server config file | + | # OpenVPN Server config file |
# Which local IP address should OpenVPN listen on? (optional) | # Which local IP address should OpenVPN listen on? (optional) | ||
− | + | local 192.168.0.3 | |
− | local 192.168.0. | + | |
# Which TCP/UDP port should OpenVPN listen on? | # Which TCP/UDP port should OpenVPN listen on? | ||
port 1194 | port 1194 | ||
+ | |||
# TCP or UDP server? | # TCP or UDP server? | ||
− | proto | + | proto udp |
+ | |||
# "dev tun" will create a routed IP tunnel, which is what we want | # "dev tun" will create a routed IP tunnel, which is what we want | ||
dev tun | dev tun | ||
− | + | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
# SSL/TLS root certificate (ca), certificate | # SSL/TLS root certificate (ca), certificate | ||
# (cert), and private key (key). Each client | # (cert), and private key (key). Each client | ||
Line 165: | Line 181: | ||
# Diffie hellman parameters. | # Diffie hellman parameters. | ||
dh keys/dh1024.pem | dh keys/dh1024.pem | ||
+ | |||
# Configure server mode and supply a VPN subnet | # Configure server mode and supply a VPN subnet | ||
− | server 192.168. | + | server 192.168.111.0 255.255.255.0 |
+ | |||
# Maintain a record of client <-> virtual IP address | # Maintain a record of client <-> virtual IP address | ||
# associations in this file. | # associations in this file. | ||
ifconfig-pool-persist ipp.txt | ifconfig-pool-persist ipp.txt | ||
+ | |||
# Push routes to the client to allow it | # Push routes to the client to allow it | ||
# to reach other private subnets behind | # to reach other private subnets behind | ||
Line 177: | Line 196: | ||
# address pool (10.8.0.0/255.255.255.0) | # address pool (10.8.0.0/255.255.255.0) | ||
# back to the OpenVPN server. | # back to the OpenVPN server. | ||
− | # push | + | # push âroute 172.10.1.0 255.255.255.0" |
− | # push | + | # push âroute 192.168.0.0 255.255.255.0" |
# If enabled, this directive will configure | # If enabled, this directive will configure | ||
# all clients to redirect their default | # all clients to redirect their default | ||
Line 184: | Line 203: | ||
# all IP traffic such as web browsing and | # all IP traffic such as web browsing and | ||
# and DNS lookups to go through the VPN | # and DNS lookups to go through the VPN | ||
− | push | + | ; push "redirect-gateway" |
# Certain Windows-specific network settings | # Certain Windows-specific network settings | ||
# can be pushed to clients, such as DNS | # can be pushed to clients, such as DNS | ||
# or WINS server addresses. | # or WINS server addresses. | ||
− | ;push | + | ;push "dhcp-option DNS 172.10.1.2" |
# Uncomment this directive to allow different | # Uncomment this directive to allow different | ||
− | # clients to be able to | + | # clients to be able to âseeâ |
client-to-client | client-to-client | ||
+ | |||
# Ping every 10 seconds, assume that remote | # Ping every 10 seconds, assume that remote | ||
# peer is down if no ping received during | # peer is down if no ping received during | ||
# a 120 second time period. | # a 120 second time period. | ||
keepalive 10 120 | keepalive 10 120 | ||
+ | |||
# For extra security beyond that provided | # For extra security beyond that provided | ||
− | # by SSL/TLS, create an | + | # by SSL/TLS, create an âHMAC firewallâ |
# to help block DoS attacks and UDP port flooding. | # to help block DoS attacks and UDP port flooding. | ||
− | tls-auth keys/ta.key 0 # This file is secret | + | ; tls-auth keys/ta.key 0 # This file is secret |
# Select a cryptographic cipher. | # Select a cryptographic cipher. | ||
# This config item must be copied to | # This config item must be copied to | ||
# the client config file as well. | # the client config file as well. | ||
;cipher BF-CBC # Blowfish (default) | ;cipher BF-CBC # Blowfish (default) | ||
− | cipher AES-128-CBC # AES | + | ;cipher AES-128-CBC # AES |
;cipher DES-EDE3-CBC # Triple-DES | ;cipher DES-EDE3-CBC # Triple-DES | ||
+ | |||
# Enable compression on the VPN link. | # Enable compression on the VPN link. | ||
− | + | ; comp-lzo | |
+ | |||
# The maximum number of concurrently connected | # The maximum number of concurrently connected | ||
# clients we want to allow. | # clients we want to allow. | ||
max-clients 250 | max-clients 250 | ||
− | # | + | |
− | # | + | # It's a good idea to reduce the OpenVPN |
+ | # daemonâs privileges after initialization. | ||
user nobody | user nobody | ||
group nogroup | group nogroup | ||
+ | |||
# The persist options will try to avoid | # The persist options will try to avoid | ||
# accessing certain resources on restart | # accessing certain resources on restart | ||
# that may no longer be accessible because | # that may no longer be accessible because | ||
− | # of the privilege downgrade. | + | # of the privilege downgrade. |
persist-key | persist-key | ||
persist-tun | persist-tun | ||
+ | |||
# Output a short status file showing | # Output a short status file showing | ||
status openvpn-status.log | status openvpn-status.log | ||
log-append openvpn.log | log-append openvpn.log | ||
+ | |||
# Set the appropriate level of log | # Set the appropriate level of log | ||
# file verbosity. | # file verbosity. | ||
Line 232: | Line 259: | ||
# 9 is extremely verbose | # 9 is extremely verbose | ||
verb 4 | verb 4 | ||
+ | |||
# Silence repeating messages. At most 20 | # Silence repeating messages. At most 20 | ||
# sequential messages of the same message | # sequential messages of the same message | ||
# category will be output to the log. | # category will be output to the log. | ||
− | mute 20 | + | mute 20 |
+ | ==Cara menjalankan VPN Server== | ||
+ | Mengaktifkan VPN Server dengan server.conf (from www.openvpn.org) | ||
− | |||
# openvpn --config /etc/openvpn/server.conf | # openvpn --config /etc/openvpn/server.conf | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
==Pranala Menarik== | ==Pranala Menarik== | ||
+ | * http://eshabe.wordpress.com/2008/10/17/hardy-ubuntu-804-speedy-openvpn | ||
+ | * [[Instalasi OpenVPN Client di Linux]] | ||
+ | * [[Instalasi OpenVPN di Windows]] | ||
* [[Linux Howto]] | * [[Linux Howto]] | ||
+ | |||
+ | [[Category: Linux]] |
Latest revision as of 16:03, 7 July 2010
Install openvpn
Install openvpn di Ubuntu
apt-get install openvpn cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
Pada Ubuntu 8.10 akan di terlihat folder
/etc/openvpn/1.0 /etc/openvpn/2.0
Mungkin ada baiknya untuk pengguna Ubuntu 8.10, 9.04, 9.10 untuk memilih kita akan menggunakan konfigurasi 1.0 atau 2.0 dengan cara mengcopy
cp -Rf /etc/openvpn/2.0/* /etc/openvpn
Alternatif lain yang lebih susah, compile openvpn dari source code
cp openvpn-2.0.9.tar.gz /usr/local/src cd /usr/local/src tar zxvf openvpn-2.0.9.tar.gz cd openvpn-2.0.9 ./configure make make install
Anda tidak perlu mengcompile dari source code, jika sudah menginstalasi openvpn menggunakan apt-get install
Edit file vars di /etc/openvpn
# cd /etc/openvpn/ # vi vars #this is to ensure secure data export KEY_SIZE=1024 # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY=ID export KEY_PROVINCE=DKI export KEY_CITY=Jakarta export KEY_ORG="Kerm.IT" export KEY_EMAIL="onno@indo.net.id"
Membuat Certificate Authority (CA)
cd /etc/openvpn/ . ./vars ./clean-all ./build-ca Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]:
Lihat keys apakah sudah di generate
ls -l /etc/openvpn/ ls -l /etc/openvpn/keys
Akan tampak file berikut
ca.crt ca.key index.txt serial
Membuat Server Key
# ./build-key-server server Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:Kerm.IT Using configuration from /etc/openvpn/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'ID' stateOrProvinceName :PRINTABLE:'DKI' localityName :PRINTABLE:'Jakarta' organizationName :PRINTABLE:'Kerm.IT' organizationalUnitName:PRINTABLE:'Kerm.IT' commonName :PRINTABLE:'yc0mlc.ampr.org' emailAddress :IA5STRING:'onno@indo.net.id' Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Buat Key User
Membuat key untuk user admin maupun user lainnya jika di perlukan
# ./build-key admin 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Buat key untuk user lain jika di perlukan
./build-key-pass username ./build-key username
Membuat DH Parameter dari key
./build-dh
# openvpn --genkey --secret keys/ta.key
# openvpn --genkey --secret keys/ca.key # openvpn --genkey --secret keys/ta.key
Test key
Test key
# openvpn --genkey --secret key # openvpn --test-crypto --secret key
Test sambungan di 2 windows
Test yang sangat berguna melihat sambungan OpenVPN dari dua (2) Windows.
cd /etc/openvpn cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/ cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/ openvpn --config sample-config-files/loopback-client openvpn --config sample-config-files/loopback-server
Jika di perlukan kita dapat menginstalasi OpenVPN Administrator. Contoh menginstalasi OpenVPN-Admin
# apt-get install mono openvpn-admin
Edit Server.conf
# vi /etc/openvpn/server.conf
isinya kurang lebih
# OpenVPN Server config file # Which local IP address should OpenVPN listen on? (optional) local 192.168.0.3 # Which TCP/UDP port should OpenVPN listen on? port 1194 # TCP or UDP server? proto udp # "dev tun" will create a routed IP tunnel, which is what we want dev tun # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. ca keys/ca.crt cert keys/server.crt key keys/server.key # This file should be kept secret # Diffie hellman parameters. dh keys/dh1024.pem # Configure server mode and supply a VPN subnet server 192.168.111.0 255.255.255.0 # Maintain a record of client <-> virtual IP address # associations in this file. ifconfig-pool-persist ipp.txt # Push routes to the client to allow it # to reach other private subnets behind # the server. Remember that these # private subnets will also need # to know to route the OpenVPN client # address pool (10.8.0.0/255.255.255.0) # back to the OpenVPN server. # push âroute 172.10.1.0 255.255.255.0" # push âroute 192.168.0.0 255.255.255.0" # If enabled, this directive will configure # all clients to redirect their default # network gateway through the VPN, causing # all IP traffic such as web browsing and # and DNS lookups to go through the VPN ; push "redirect-gateway" # Certain Windows-specific network settings # can be pushed to clients, such as DNS # or WINS server addresses. ;push "dhcp-option DNS 172.10.1.2" # Uncomment this directive to allow different # clients to be able to âseeâ client-to-client # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # For extra security beyond that provided # by SSL/TLS, create an âHMAC firewallâ # to help block DoS attacks and UDP port flooding. ; tls-auth keys/ta.key 0 # This file is secret # Select a cryptographic cipher. # This config item must be copied to # the client config file as well. ;cipher BF-CBC # Blowfish (default) ;cipher AES-128-CBC # AES ;cipher DES-EDE3-CBC # Triple-DES # Enable compression on the VPN link. ; comp-lzo # The maximum number of concurrently connected # clients we want to allow. max-clients 250 # It's a good idea to reduce the OpenVPN # daemonâs privileges after initialization. user nobody group nogroup # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Output a short status file showing status openvpn-status.log log-append openvpn.log # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. mute 20
Cara menjalankan VPN Server
Mengaktifkan VPN Server dengan server.conf (from www.openvpn.org)
# openvpn --config /etc/openvpn/server.conf