OpenVPN: IPv6 /128 single client
Source: https://www.ostechnix.com/easiest-way-install-configure-openvpn-server-linux/
Topology
CLIENT 1 ------- HOST A ---------------- HOST B --------- CLIENT 2
                 ovpn server             ovpn client
Host A acts as the OpenVPN server.
OS       : Ubuntu 18.04
IP       : 192.168.0.239/24
hostname : vpnserver
Host B acts as the OpenVPN client.
OS : Ubuntu 18.04
IP : 192.168.0.237/24
Install & Configure the OpenVPN Server
Download the openvpn-install script from GitHub. It is fetched through a URL shortener and executed as root, so read the downloaded file before running it.
sudo su
apt install openssh-server openvpn
cd /usr/local/src
wget https://git.io/vpn -O openvpn-install.sh
bash openvpn-install.sh
Answer the prompts (the hostname given for "Public IP address / hostname" becomes the remote name the client profile connects to):
IP address: 192.168.0.239
Public IP address / hostname: vpnserver
Protocol [1-2]: 1 -- UDP
Port: 1194
DNS [1-5]: 1
Client name: client
Press any key to continue... <ENTER>
The client profile client.ovpn is then written to
/root/client.ovpn
This single file carries the client's private key and the control-channel key material, so handle it as a secret.
Install openssh-server on the client, then copy client.ovpn to it (into root's home directory; keep it readable by root only):
scp client.ovpn root@192.168.0.237:
Reboot
shutdown -r now
Check the network state
ifconfig
The tun0 interface should appear:
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        inet6 fe80::eaaa:77ed:ba02:748  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6  bytes 288 (288.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
IPv6 Server Configuration
Enable IPv6 forwarding. Writing to /proc takes effect immediately but does not survive a reboot; for a persistent setting put the equivalent net.ipv6.conf.all.forwarding and net.ipv6.conf.default.forwarding keys in /etc/sysctl.conf or a file under /etc/sysctl.d.
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 1 > /proc/sys/net/ipv6/conf/tun0/forwarding
Edit
vi /etc/openvpn/server.conf
Add
server-ipv6 2001:db8:0:123::/64
push tun-ipv6
ifconfig-ipv6 2001:db8:0:123::1 2001:db8:0:123::2
push "route-ipv6 2001:db8:0:abc::/64"
push "route-ipv6 2000::/3"
Notes on these lines:
- 2001:db8::/32 is the RFC 3849 documentation prefix and is not routed anywhere. It works for a lab between Host A and Host B, but for real IPv6 reachability replace it with a prefix that is actually routed to the server.
- server-ipv6 already assigns the server's own tunnel address and the client address pool, so the explicit ifconfig-ipv6 line is redundant; server-ipv6 takes precedence.
- push tun-ipv6 is a no-op on OpenVPN 2.4, where IPv6 on tun is always enabled; it only matters for older clients.
- push "route-ipv6 2000::/3" sends all global-unicast IPv6 traffic from the client through the tunnel. Unless the server itself has IPv6 upstream connectivity and either a routed prefix or IPv6 NAT for the tunnel range, that traffic is blackholed on the server.
Restart
/etc/init.d/openvpn restart
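The server-side IPv6 steps above, collected into one idempotent script. This is an added example, not code from the page or from the openvpn-install project. The config path, the sysctl.d file name and the prefixes are parameters or assumptions, so the functions can be exercised on a scratch copy before anything under /etc is touched.

```shell
#!/bin/sh
# Added example: apply this page's IPv6 server-side steps in one checkable
# pass. Not part of the original page or of the openvpn-install script.
set -eu

# Print the prefix length of an IPv6 CIDR such as 2001:db8:0:123::/64
# (empty output if there is no "/length" part).
prefix_len() {
    case "$1" in
        */*) echo "${1##*/}" ;;
        *)   echo "" ;;
    esac
}

# OpenVPN's --server-ipv6 accepts a prefix between /64 and /124 and refuses
# to start otherwise, so reject bad input before it lands in server.conf.
# Also warn on 2001:db8::/32 (RFC 3849 documentation space, as used on this
# page): it is never routed, so pushed route-ipv6 entries would blackhole.
check_prefix() {
    len=$(prefix_len "$1")
    case "$len" in
        ''|*[!0-9]*) echo "prefix $1 has no numeric length" >&2; return 1 ;;
    esac
    if [ "$len" -lt 64 ] || [ "$len" -gt 124 ]; then
        echo "prefix length /$len is outside OpenVPN's /64../124 range" >&2
        return 1
    fi
    case "$1" in
        2001:db8:*|2001:DB8:*) echo "warning: $1 is documentation space" >&2 ;;
    esac
    return 0
}

# Append server-ipv6 and the pushed IPv6 routes to an OpenVPN server config
# unless they are already there. server-ipv6 already implies the server's
# ifconfig-ipv6, and IPv6 is always on in OpenVPN 2.4, so neither
# ifconfig-ipv6 nor 'push tun-ipv6' is added.
add_server_ipv6() {
    conf=$1; prefix=$2; shift 2
    check_prefix "$prefix"
    if ! grep -q '^server-ipv6 ' "$conf"; then
        printf 'server-ipv6 %s\n' "$prefix" >>"$conf"
    fi
    for route in "$@"; do
        if ! grep -qF "push \"route-ipv6 $route\"" "$conf"; then
            printf 'push "route-ipv6 %s"\n' "$route" >>"$conf"
        fi
    done
}

# Persist IPv6 forwarding: the echo-into-/proc commands are lost at reboot,
# a sysctl.d drop-in is not. 'all' and 'default' cover tun0 as well.
# The destination path is a parameter so this can be tested without root.
write_forwarding_sysctl() {
    cat >"$1" <<'EOF'
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1
EOF
}

# Usage on the server (paths assumed to match this page):
#   sh ipv6-server.sh /etc/openvpn/server.conf 2001:db8:0:123::/64 \
#       2001:db8:0:abc::/64 2000::/3
#   write_forwarding_sysctl /etc/sysctl.d/99-openvpn-ipv6.conf && sysctl --system
#   /etc/init.d/openvpn restart
if [ "$#" -ge 2 ]; then
    add_server_ipv6 "$@"
fi
```

Run it twice against the same file and the second run adds nothing, which is what makes it safe to re-run from a provisioning tool.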
OpenVPN Client Configuration
Make sure openvpn is installed
sudo su
apt install openssh-server openvpn
Edit /etc/hosts and add the OpenVPN server's name. client.ovpn refers to the server as vpnserver (the hostname entered at the prompt), so that name must resolve on the client:
192.168.0.239 vpnserver
Run the OpenVPN client. The profile was copied into /root, so become root first and then change to the home directory:
sudo su
cd ~
openvpn --config client.ovpn
The output will look roughly like this. The first line is only a warning: block-outside-dns is a Windows-only option and is ignored on Linux. Note also that the PUSH_REPLY contains no ifconfig-ipv6 or route-ipv6 entry and the client logs did_ifconfig_ipv6_setup=0, so the server that produced this log was not yet pushing the IPv6 configuration; once the server has been restarted with the IPv6 options, expect both entries in PUSH_REPLY and a global IPv6 address on the client's tun0.
Sat Feb 16 08:24:44 2019 Unrecognized option or missing or extra parameter(s) in client.ovpn:14: block-outside-dns (2.4.4)
Sat Feb 16 08:24:44 2019 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Sat Feb 16 08:24:44 2019 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Sat Feb 16 08:24:44 2019 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Feb 16 08:24:44 2019 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Sat Feb 16 08:24:44 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.239:1194
Sat Feb 16 08:24:44 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sat Feb 16 08:24:44 2019 UDP link local: (not bound)
Sat Feb 16 08:24:44 2019 UDP link remote: [AF_INET]192.168.0.239:1194
Sat Feb 16 08:24:44 2019 TLS: Initial packet from [AF_INET]192.168.0.239:1194, sid=5ece0ce6 888b9e5b
Sat Feb 16 08:24:44 2019 VERIFY OK: depth=1, CN=ChangeMe
Sat Feb 16 08:24:44 2019 VERIFY KU OK
Sat Feb 16 08:24:44 2019 Validating certificate extended key usage
Sat Feb 16 08:24:44 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Feb 16 08:24:44 2019 VERIFY EKU OK
Sat Feb 16 08:24:44 2019 VERIFY OK: depth=0, CN=server
Sat Feb 16 08:24:44 2019 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sat Feb 16 08:24:44 2019 [server] Peer Connection Initiated with [AF_INET]192.168.0.239:1194
Sat Feb 16 08:24:45 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Feb 16 08:24:45 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.0.222,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: --ifconfig/up options modified
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: route options modified
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: route-related options modified
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: peer-id set
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: adjusting link_mtu to 1624
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: data channel crypto options modified
Sat Feb 16 08:24:45 2019 Data Channel: using negotiated cipher 'AES-256-GCM'
Sat Feb 16 08:24:45 2019 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Feb 16 08:24:45 2019 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Feb 16 08:24:45 2019 ROUTE_GATEWAY 192.168.0.222/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:16:69:ed
Sat Feb 16 08:24:45 2019 TUN/TAP device tun0 opened
Sat Feb 16 08:24:45 2019 TUN/TAP TX queue length set to 100
Sat Feb 16 08:24:45 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Feb 16 08:24:45 2019 /sbin/ip link set dev tun0 up mtu 1500
Sat Feb 16 08:24:45 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Sat Feb 16 08:24:45 2019 /sbin/ip route add 192.168.0.239/32 dev enp0s3
Sat Feb 16 08:24:45 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Sat Feb 16 08:24:45 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Sat Feb 16 08:24:45 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Feb 16 08:24:45 2019 Initialization Sequence Completed
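The PUSH_REPLY line is the quickest way to confirm what the server actually handed out, and in the log above it shows no IPv6 at all. The following added script (not from the page) pulls the pushed options out of an OpenVPN client log and reports whether an IPv6 tunnel address and IPv6 routes were among them. The embedded sample is constructed from the PUSH_REPLY shown on this page; the log path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the page: extract the PUSH_REPLY from an
# OpenVPN client log and report whether the server pushed IPv6 settings.
set -eu

# Constructed sample: the PUSH_REPLY lines from the client log on this page,
# which carry no ifconfig-ipv6 or route-ipv6 entry.
sample_log() {
    cat <<'EOF'
Sat Feb 16 08:24:45 2019 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sat Feb 16 08:24:45 2019 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 192.168.0.222,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Sat Feb 16 08:24:45 2019 OPTIONS IMPORT: timers and/or timeouts modified
Sat Feb 16 08:24:45 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
EOF
}

# Print the options of the last PUSH_REPLY in a log, one per line.
# OpenVPN logs the reply as one quoted, comma-separated string; the last
# one wins because a reconnect produces a fresh PUSH_REPLY.
pushed_options() {
    sed -n "s/.*PUSH_REPLY,\(.*\)'.*/\1/p" "$1" | tail -n 1 |
        tr ',' '\n' | sed 's/[[:space:]]*$//'
}

# Print the arguments of one pushed option (e.g. ifconfig, route-ipv6).
# An option pushed more than once yields one line per occurrence.
pushed_value() {
    pushed_options "$1" | awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^ /, ""); print }'
}

# Succeed only if the server pushed both an IPv6 tunnel address and at
# least one IPv6 route, i.e. server-ipv6 and push "route-ipv6 ..." were
# active on the server when this client connected.
ipv6_pushed() {
    opts=$(pushed_options "$1")
    printf '%s\n' "$opts" | grep -q '^ifconfig-ipv6 ' &&
        printf '%s\n' "$opts" | grep -q '^route-ipv6 '
}

# List which of the two IPv6 directives are absent from the PUSH_REPLY.
missing_ipv6_options() {
    opts=$(pushed_options "$1")
    for o in ifconfig-ipv6 route-ipv6; do
        printf '%s\n' "$opts" | grep -q "^$o " || echo "$o"
    done
}

# Usage: sh check-push.sh /var/log/openvpn-client.log   (path is an
# assumption). With no argument the constructed sample above is examined.
if [ "$#" -ge 1 ]; then
    log=$1
else
    log=$(mktemp); sample_log >"$log"
fi
echo "pushed options:"; pushed_options "$log" | sed 's/^/  /'
if ipv6_pushed "$log"; then
    echo "IPv6 pushed: address $(pushed_value "$log" ifconfig-ipv6)"
else
    echo "IPv6 NOT pushed; missing: $(missing_ipv6_options "$log" | tr '\n' ' ')"
fi
[ "$#" -ge 1 ] || rm -f "$log"
```

Run against the page's log it reports both ifconfig-ipv6 and route-ipv6 as missing; after the server has been restarted with the IPv6 directives, the same check should print the client's address from 2001:db8:0:123::/64.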
Check the interfaces; tun0 appears:
ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.2  netmask 255.255.255.0  destination 10.8.0.2
        inet6 fe80::28c4:3e38:2497:e12a  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 51  bytes 11522 (11.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 134  bytes 43524 (43.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Check connectivity
ping -c3 10.8.0.1
Sample output:
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=0.539 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=1.17 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=0.921 ms

--- 10.8.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms
rtt min/avg/max/mdev = 0.539/0.878/1.176/0.264 ms
Check routing
route -n
Sample output (the 0.0.0.0/1 and 128.0.0.0/1 entries together replace the default route, which is what redirect-gateway def1 does):
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.8.0.1        128.0.0.0       UG    0      0        0 tun0
You are now connected to the VPN on the 10.8.0.0/24 network. These checks only cover IPv4; verify the IPv6 side the same way, by confirming a global address from 2001:db8:0:123::/64 on tun0, the pushed route-ipv6 entries in the IPv6 routing table, and a ping to the server's tunnel address 2001:db8:0:123::1.