Difference between revisions of "OpenVPN: Simple Server using Script"

From OnnoWiki
Jump to navigation Jump to search
Line 28: Line 28:
 
==Setup Firewall==
 
==Setup Firewall==
  
That is all. Your OpenVPN server has been configured and ready to use. You can see added firewall rules /etc/rc.local file:
+
Kadang konfigurasi Firewall bisa di lihat di /etc/rc.local file:
  
  $ cat /etc/rc.local
+
  cat /etc/rc.local
  
Sample outputs:
+
Contoh Firewall:
  
 
  iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
  iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Line 39: Line 39:
 
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 139.59.1.155
 
  iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 139.59.1.155
  
You can view your openvpn server config file generated by the script as follows (do not edit this file by hand):
+
Contoh konfigurasi Server openvpn,
  
  $ sudo more /etc/openvpn/server.conf
+
  sudo more /etc/openvpn/server.conf
  $ sudo vi /etc/openvpn/server.conf
+
  sudo vi /etc/openvpn/server.conf
  
Sample outputs:
+
Run / Control OpenVPN Server,
  
  port 1194
+
  sudo systemctl stop openvpn@server
proto udp
+
  sudo systemctl start openvpn@server
dev tun
+
  sudo systemctl restart openvpn@server
sndbuf 0
 
rcvbuf 0
 
ca ca.crt
 
cert server.crt
 
  key server.key
 
dh dh.pem
 
tls-auth ta.key 0
 
topology subnet
 
  server 10.8.0.0 255.255.255.0
 
ifconfig-pool-persist ipp.txt
 
push "redirect-gateway def1 bypass-dhcp"
 
push "dhcp-option DNS 8.8.8.8"
 
push "dhcp-option DNS 8.8.4.4"
 
keepalive 10 120
 
cipher AES-128-CBC
 
comp-lzo
 
user nobody
 
group nogroup
 
persist-key
 
persist-tun
 
status openvpn-status.log
 
verb 3
 
crl-verify crl.pem
 
  
How do I start/stop/restart OpenVPN server on Ubuntu Linux 16.04/18.04 LTS?
+
sudo /etc/init.d/openvpn stop
 +
sudo /etc/init.d/openvpn start
 +
sudo /etc/init.d/openvpn restart
  
Type the following command stop the OpenVPN service:
+
==ufw firewall rules (optional)==
$ sudo systemctl stop openvpn@server
 
  
Type the following command start the OpenVPN service:
+
Edit /etc/ufw/before.rules,
$ sudo systemctl start openvpn@server
 
  
Type the following command restart the OpenVPN service:
+
  sudo vi /etc/ufw/before.rules
  $ sudo systemctl restart openvpn@server
 
How do I start/stop/restart OpenVPN server on Ubuntu Linux 14.04 LTS?
 
  
Type the following command stop the OpenVPN service:
+
sudo ufw allow 1194/udp
  $ sudo /etc/init.d/openvpn stop
+
  sudo ufw allow 22/tcp
  
Type the following command start the OpenVPN service:
+
Edit /etc/ufw/sysctl.conf file,
$ sudo /etc/init.d/openvpn start
 
  
Type the following command restart the OpenVPN service:
+
  sudo vi /etc/ufw/sysctl.conf
  $ sudo /etc/init.d/openvpn restart
 
{Optional} How to configure and use the ufw firewall rules for the OpenVPN server
 
  
The default rules added to the /etc/rc.local file should work out of the box. However, if you have complicated firewall settings or prefer ufw to control all firewall settings on Ubuntu Linux server, try the following. First, edit the /etc/rc.local file using a text editor and comment out all firewall rules added by the script. Type the following ufw command to open port 1194 and 22 (ssh):
 
$ sudo ufw allow 1194/udp
 
$ sudo ufw allow 22/tcp
 
 
Edit the file /etc/ufw/before.rules, enter:
 
$ sudo vi /etc/ufw/before.rules
 
 
Save and close the file. Next edit the /etc/ufw/sysctl.conf file, enter:
 
$ sudo vi /etc/ufw/sysctl.conf
 
 
Find and uncomment the following line to allow this host to route packets between interfaces
 
 
  net/ipv4/ip_forward=1
 
  net/ipv4/ip_forward=1
  
Save and close the file. Enable ufw or reload if already running:
+
Enable / Reload ufw,
$ sudo ufw enable
 
  
 +
sudo ufw enable
 
OR
 
OR
  $ sudo ufw reload
+
  sudo ufw reload
 +
 
 +
Verify,
  
Verify new firewall rules:
+
  sudo ufw status
  $ sudo ufw status
+
  sudo iptables -t nat -L -n -v
  $ sudo iptables -t nat -L -n -v
+
  sudo iptables -L FORWARD -n -v
  $ sudo iptables -L FORWARD -n -v
+
  sudo iptables -L ufw-before-forward -n -v
  $ sudo iptables -L ufw-before-forward -n -v
 
  
 
==Client configuration==
 
==Client configuration==

Revision as of 08:47, 31 March 2020

sumber: https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/


Cek IP Publik Kita

Jika Server tersambung langsung ke Internet, dapat menggunakan

ip addr show eth0
ip addr show enp0s3
ip a

atau menggunakan

dig TXT +short o-o.myaddr.l.google.com @ns1.google.com
host myip.opendns.com resolver1.opendns.com

Download openvpn-install.sh script

Download

wget https://git.io/vpn -O openvpn-install.sh
openvpn-install.sh

Install OpenVPN, run,

sudo bash openvpn-install.sh

Setup Firewall

Kadang konfigurasi Firewall bisa di lihat di /etc/rc.local file:

cat /etc/rc.local

Contoh Firewall:

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 139.59.1.155

Contoh konfigurasi Server openvpn,

sudo more /etc/openvpn/server.conf
sudo vi /etc/openvpn/server.conf

Run / Control OpenVPN Server,

sudo systemctl stop openvpn@server
sudo systemctl start openvpn@server
sudo systemctl restart openvpn@server
sudo /etc/init.d/openvpn stop
sudo /etc/init.d/openvpn start
sudo /etc/init.d/openvpn restart

ufw firewall rules (optional)

Edit /etc/ufw/before.rules,

sudo vi /etc/ufw/before.rules
sudo ufw allow 1194/udp
sudo ufw allow 22/tcp

Edit /etc/ufw/sysctl.conf file,

sudo vi /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1

Enable / Reload ufw,

sudo ufw enable

OR

sudo ufw reload

Verify,

sudo ufw status
sudo iptables -t nat -L -n -v
sudo iptables -L FORWARD -n -v
sudo iptables -L ufw-before-forward -n -v

Client configuration

On server your will find a client configuration file called ~/iphone.ovpn. All you have to do is copy this file to your local desktop using the scp and provide this file to your OpenVPN client to connect:

$ scp vivek@139.59.1.155:~/iphone.ovpn .

Next, you need to download OpenVPN client as per your operating system:

   Download OpenVPN client for Apple IOS version 6.x or above and install it.
   Download OpenVPN client for Android and install it.
   Download OpenVPN client for Apple MacOS (OS X) and install it.
   Download OpenVPN client for Windows 8/10 and install it.

MacOS/OS X OpenVPN client configuration

Just double click on iphone.ovpn file and it will open in your tunnelblick client > Click on the “Only me” to install it. Fig.03: MacOS / OS X openvpn client configuration Fig.03: MacOS / OS X openvpn client configuration

Once installed click on Connect button and you will be online. Use the following command on MacOS client to verify that your public IP changed to the VPN server IP: $ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

You can ping to OpenVPN server private IP:

$ ping 10.8.0.1

Linux OpenVPN client configuration

First, install the openvpn client, enter:

$ sudo yum install openvpn

OR

$ sudo apt install openvpn

Next, copy iphone.ovpn as follows:

$ sudo cp iphone.ovpn /etc/openvpn/client.conf

Test connectivity from the CLI:

$ sudo openvpn --client --config /etc/openvpn/client.conf

Your Linux system will automatically connect when computer restart using /etc/init.d/openvpn script:

$ sudo /etc/init.d/openvpn start

For systemd based system, use the following command:

$ sudo systemctl start openvpn@client

Test the connectivity:

$ ping 10.8.0.1 #Ping to OpenVPN server gateway
$ ip route #Make sure routing setup
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com #Make sure your public IP set to OpenVPN server

FreeBSD OpenVPN client configuration

First, install the openvpn client, enter:

$ sudo pkg install openvpn

Next, copy iphone.ovpn as follows:

$ mkdir -p /usr/local/etc/openvpn/
$ sudo cp iphone.ovpn /usr/local/etc/openvpn/client.conf

Edit /etc/rc.conf and add the following:

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"

Start the OpenVPN service:

$ sudo /usr/local/etc/rc.d/openvpn start

Verify it:

$ ping 10.8.0.1 #Ping to OpenVPN server gateway
$
$ netstat -nr #Make sure routing setup
$
$ drill myip.opendns.com @resolver1.opendns.com #Make sure your public IP set to OpenVPN server

How do I add a new client?

For demo purpose I added a new device called iphone. Let us add one more device called googlephone by running the script again:

$ sudo bash openvpn-install.sh

Sample outputs:

Looks like OpenVPN is already installed

What do you want to do?

  1) Add a cert for a new user
  2) Revoke existing user cert
  3) Remove OpenVPN
  4) Exit

Select an option [1-4]:


Referensi

Pranala Menarik