Instalasi OpenVPN
cp openvpn-2.0.9.tar.gz /usr/local/src cd /usr/local/src tar zxvf openvpn-2.0.9.tar.gz cd openvpn-2.0.9 ./configure make make install
- apt-get install openvpn
Linux Server Internal IP: 192.168.0.2 Internet Gateway: 192.168.0.222 Gateway's IP Address: dynamic Speedy Network Layout: Internet ----- Router/Firewall ----- OpenVPN Server (eth1)
vi etc/network/interfaces
auto eth0 iface eth0 inet static address 192.168.0.2 netmask 255.255.255.0 gateway 192.168.0.222
- apt-get install openvpn
- cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
- cd /etc/openvpn/
- vi vars
#this is to ensure secure data export KEY_SIZE=1024 # These are the default values for fields # which will be placed in the certificate. # Don't leave any of these fields blank. export KEY_COUNTRY=ID export KEY_PROVINCE=DKI export KEY_CITY=Jakarta export KEY_ORG="Kerm.IT" export KEY_EMAIL="onno@indo.net.id"
- cd /etc/openvpn/
. ./vars ./clean-all ./build-ca Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]:
- ls -l /etc/openvpn/
- ls -l /etc/openvpn/keys
ca.crt ca.key index.txt serial
./build-key-server server Country Name (2 letter code) [ID]: State or Province Name (full name) [DKI]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Kerm.IT]: Organizational Unit Name (eg, section) []:Kerm.IT Common Name (eg, your name or your server's hostname) []:yc0mlc.ampr.org Email Address [onno@indo.net.id]:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:123456 An optional company name []:Kerm.IT Using configuration from /etc/openvpn/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'ID' stateOrProvinceName :PRINTABLE:'DKI' localityName :PRINTABLE:'Jakarta' organizationName :PRINTABLE:'Kerm.IT' organizationalUnitName:PRINTABLE:'Kerm.IT' commonName :PRINTABLE:'yc0mlc.ampr.org' emailAddress :IA5STRING:'onno@indo.net.id' Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days) Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
./build-key admin 1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries Data Base Updated
./build-key-pass username ./build-key username
./build-dh openvpn --genkey --secret keys/ta.key
openvpn --genkey --secret keys/ca.key
openvpn --genkey --secret keys/ta.key
test key
- openvpn --genkey --secret key
- openvpn --test-crypto --secret key
test di 2 windows
- cd /etc/openvpn
- cp -Rf /usr/share/doc/openvpn/examples/sample-config-files/ /etc/openvpn/
- cp -Rf /usr/share/doc/openvpn/examples/sample-keys/ /etc/openvpn/
- openvpn --config sample-config-files/loopback-client
- openvpn --config sample-config-files/loopback-server
Example OpenVPN-Admin
- apt-get install mono openvpn-admin
Operational Server server.conf (from www.openvpn.org)
- openvpn --config /etc/openvpn/server.conf
Operational Client client.conf (from www.openvpn.org)
- openvpn --config /etc/openvpn/client.conf
- vi /etc/openvpn/server.conf
- OpenVPN Server config file
- Which local IP address should OpenVPN listen on? (optional)
- local 10.1.1.2
local 192.168.0.2
- Which TCP/UDP port should OpenVPN listen on?
port 1194
- TCP or UDP server?
proto tcp
- "dev tun" will create a routed IP tunnel, which is what we want
dev tun
- Windows needs the TAP-Win32 adapter name
- from the Network Connections panel if you
- have more than one. On XP SP2 or higher,
- you may need to selectively disable the
- Windows firewall for the TAP adapter.
- Non-Windows systems usually don't need this.
- dev-node MyTap
- SSL/TLS root certificate (ca), certificate
- (cert), and private key (key). Each client
- and the server must have their own cert and
- key file. The server and all clients will
- use the same ca file.
ca keys/ca.crt cert keys/server.crt key keys/server.key # This file should be kept secret
- Diffie hellman parameters.
dh keys/dh1024.pem
- Configure server mode and supply a VPN subnet
server 192.168.1.0 255.255.255.0
- Maintain a record of client <-> virtual IP address
- associations in this file.
ifconfig-pool-persist ipp.txt
- Push routes to the client to allow it
- to reach other private subnets behind
- the server. Remember that these
- private subnets will also need
- to know to route the OpenVPN client
- address pool (10.8.0.0/255.255.255.0)
- back to the OpenVPN server.
- push “route 172.10.1.0 255.255.255.0"
- push “route 192.168.0.0 255.255.255.0"
- If enabled, this directive will configure
- all clients to redirect their default
- network gateway through the VPN, causing
- all IP traffic such as web browsing and
- and DNS lookups to go through the VPN
push “redirect-gateway”
- Certain Windows-specific network settings
- can be pushed to clients, such as DNS
- or WINS server addresses.
- push “dhcp-option DNS 172.10.1.2′′
- Uncomment this directive to allow different
- clients to be able to “see” each other.
client-to-client
- Ping every 10 seconds, assume that remote
- peer is down if no ping received during
- a 120 second time period.
keepalive 10 120
- For extra security beyond that provided
- by SSL/TLS, create an “HMAC firewall”
- to help block DoS attacks and UDP port flooding.
tls-auth keys/ta.key 0 # This file is secret
- Select a cryptographic cipher.
- This config item must be copied to
- the client config file as well.
- cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
- cipher DES-EDE3-CBC # Triple-DES
- Enable compression on the VPN link.
- comp-lzo
- The maximum number of concurrently connected
- clients we want to allow.
max-clients 250
- It’s a good idea to reduce the OpenVPN
- daemon’s privileges after initialization.
user nobody group nogroup
- The persist options will try to avoid
- accessing certain resources on restart
- that may no longer be accessible because
- of the privilege downgrade.
persist-key persist-tun
- Output a short status file showing
status openvpn-status.log log-append openvpn.log
- Set the appropriate level of log
- file verbosity.
- 0 is silent, except for fatal errors
- 4 is reasonable for general usage
- 5 and 6 can help to debug connection problems
- 9 is extremely verbose
verb 4
- Silence repeating messages. At most 20
- sequential messages of the same message
- category will be output to the log.
mute 20
client Linux -----------------
- apt-get install kvpnc
- apt-get install network-manager-openvpn openvpn
- cp -Rf /usr/share/doc/openvpn/examples/easy-rsa/* /etc/openvpn/
- cd /etc/openvpn
- mkdir /etc/openvpn/keys
- vi vars
- , ./vars
- ./clean-all
- scp -r root@192.168.0.2:/etc/openvpn/keys/ca.crt /etc/openvpn/keys
- scp -r root@192.168.0.2:/etc/openvpn/keys/user1.crt /etc/openvpn/keys
- scp -r root@192.168.0.2:/etc/openvpn/keys/user1.key /etc/openvpn/keys
Operational Client (client.conf from www.openvpn.org)
- openvpn --config /etc/openvpn/client.conf
- vi /etc/openvpn/client.conf
# Specify that we are a client and that we # will be pulling certain config file directives # from the server. client
# Use the same setting as you are using on # the server. # On most systems, the VPN will not function # unless you partially or fully disable # the firewall for the TUN/TAP interface. ;dev tap dev tun
# Windows needs the TAP-Win32 adapter name # from the Network Connections panel # if you have more than one. On XP SP2, # you may need to disable the firewall # for the TAP adapter. ;dev-node MyTap
# Are we connecting to a TCP or # UDP server? Use the same setting as # on the server. ;proto tcp proto udp
# The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. ;remote my-server-1 1194 ;remote my-server-2 1194 remote 192.168.0.2 1194
# Choose a random host from the remote # list for load-balancing. Otherwise # try hosts in the order specified. ;remote-random
# Keep trying indefinitely to resolve the # host name of the OpenVPN server. Very useful # on machines which are not permanently connected # to the internet such as laptops. resolv-retry infinite
# Most clients don't need to bind to # a specific local port number. nobind
# Downgrade privileges after initialization (non-Windows only) user nobody group nogroup
# Try to preserve some state across restarts. persist-key persist-tun
# If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot # of duplicate packets. Set this flag # to silence duplicate packet warnings. ;mute-replay-warnings
# SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca keys/ca.crt cert keys/client.crt key keys/client.key
# Verify server certificate by checking # that the certicate has the nsCertType # field set to "server". This is an # important precaution to protect against # a potential attack discussed here: # http://openvpn.net/howto.html#mitm # # To use this feature, you will need to generate # your server certificates with the nsCertType # field set to "server". The build-key-server # script in the easy-rsa folder will do this. ;ns-cert-type server
# If a tls-auth key is used on the server # then every client must also have the key. ;tls-auth ta.key 1
# Select a cryptographic cipher. # If the cipher option is used on the server # then you must also specify it here. ;cipher x
# Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo
# Set log file verbosity. verb 3
# Silence repeating messages ;mute 20