OpenVPN: IPv4 /32 single client

From OnnoWiki
Jump to navigation Jump to search

sumber: https://www.ostechnix.com/easiest-way-install-configure-openvpn-server-linux/


Topology

CLIENT 1 ------- HOST A ---------------- HOST B --------- CLIENT 2
                 ovpn server             ovpn client



Host A akan berfungsi sebagai OpenVPN Server.

OS : Ubuntu 18.04
IP : 192.168.0.239/24
hostname : vpnserver


Host B akan berfungsi sebagai OpenVPN client

OS : Ubuntu 18.04
IP : 192.168.0.237/24

Instal & Konfigurasi OpenVPN Server

Download script openvpn-install dari github

cd /usr/local/src
wget https://git.io/vpn -O openvpn-install.sh
bash openvpn-install.sh

Jawab pertanyaan:

IP address: 192.168.0.239
Public IP address / hostname: vpnserver
Protocol [1-2]: 1 -- UDP
Port: 1194
DNS [1-5]: 1
Client name: client
Press any key to continue...  <ENTER>

Maka akan tampak file client.ovpn, di

/root/client.ovpn

Copykan ke client

scp client.ovpn root@192.168.0.237:/etc/openvpn/


Konfigurasi OpenVPN Client

OpenVPN client Configuration

Make sure you have copied the client.ovpn file from your VPN server system. I already have copied this file to /etc/openvpn/ directory of my VPN client system.

Install OpenVPN package using the distribution package manager.

yum install openvpn

Next, run the following command to establish secure connection with VPN server.

openvpn --config /etc/openvpn/client.ovpn

Sample output:

Wed Apr 5 18:50:44 2017 Unrecognized option or missing parameter(s) in /etc/openvpn/client.ovpn:14: block-outside-dns (2.3.14) Wed Apr 5 18:50:44 2017 OpenVPN 2.3.14 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec 7 2016 Wed Apr 5 18:50:44 2017 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06 Wed Apr 5 18:50:44 2017 Control Channel Authentication: tls-auth using INLINE static key file Wed Apr 5 18:50:44 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Apr 5 18:50:44 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Apr 5 18:50:44 2017 Socket Buffers: R=[87380->87380] S=[16384->16384] Wed Apr 5 18:50:44 2017 Attempting to establish TCP connection with [AF_INET]192.168.43.150:1194 [nonblock] Wed Apr 5 18:50:45 2017 TCP connection established with [AF_INET]192.168.43.150:1194 Wed Apr 5 18:50:45 2017 TCPv4_CLIENT link local: [undef] Wed Apr 5 18:50:45 2017 TCPv4_CLIENT link remote: [AF_INET]192.168.43.150:1194 Wed Apr 5 18:50:45 2017 TLS: Initial packet from [AF_INET]192.168.43.150:1194, sid=c6fb554e 362eb192 Wed Apr 5 18:50:45 2017 VERIFY OK: depth=1, CN=ChangeMe Wed Apr 5 18:50:45 2017 Validating certificate key usage Wed Apr 5 18:50:45 2017 ++ Certificate has key usage 00a0, expects 00a0 Wed Apr 5 18:50:45 2017 VERIFY KU OK Wed Apr 5 18:50:45 2017 Validating certificate extended key usage Wed Apr 5 18:50:45 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication Wed Apr 5 18:50:45 2017 VERIFY EKU OK Wed Apr 5 18:50:45 2017 VERIFY OK: depth=0, CN=server Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Wed Apr 5 18:50:45 2017 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Apr 5 18:50:45 2017 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key Wed Apr 5 18:50:45 2017 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication Wed Apr 5 18:50:45 2017 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA Wed Apr 5 18:50:45 2017 [server] Peer Connection Initiated with [AF_INET]192.168.43.150:1194 Wed Apr 5 18:50:48 2017 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1) Wed Apr 5 18:50:48 2017 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 8.8.8.8,dhcp-option DNS 8.8.4.4,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: timers and/or timeouts modified Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: --ifconfig/up options modified Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: route options modified Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: route-related options modified Wed Apr 5 18:50:48 2017 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified Wed Apr 5 18:50:48 2017 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:28:98:6b Wed Apr 5 18:50:48 2017 TUN/TAP device tun0 opened Wed Apr 5 18:50:48 2017 TUN/TAP TX queue length set to 100 Wed Apr 5 18:50:48 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Wed Apr 5 18:50:48 2017 /usr/sbin/ip link set dev tun0 up mtu 1500 Wed Apr 5 18:50:48 2017 /usr/sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255 Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 192.168.43.150/32 dev enp0s3 Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.1 Wed Apr 5 18:50:48 2017 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.1 Wed Apr 5 18:50:48 2017 Initialization Sequence Completed

Now, check if tun0(VPN interface) is created, and check the VPN interface IP address using ‘ip addr’ command:

ip addr

Sample output:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet 127.0.0.1/8 scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host 
 valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP  qlen 1000
 link/ether 08:00:27:28:98:6b brd ff:ff:ff:ff:ff:ff
 inet 192.168.43.199/24 brd 192.168.43.255 scope global dynamic enp0s3
 valid_lft 42359sec preferred_lft 42359sec
 inet6 fe80::a00:27ff:fe28:986b/64 scope link 
 valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100
 link/none 
 inet 10.8.0.2/24 brd 10.8.0.255 scope global tun0
 valid_lft forever preferred_lft forever

As you can see in the above output, Our VPN server automatically assigned an IP address 10.8.0.2 to the VPN client.

Now, try to ping the VPN server from your VPN client system:

ping -c3 10.8.0.1

Sample output:

PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.05 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=1.94 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=2.49 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 1.057/1.832/2.495/0.594 ms

Congratulations! We have now successfully installed and configured OpenVPN server and client in CentOS. This method is same for DEB based systems such as Ubuntu and Linux Mint. Unlike the manual installation, this script makes the the openvpn installation and configuration much easier.

Cheers!



Referensi

Pranala Menarik