Difference between revisions of "OpenVPN: IPv6 routed 2 LAN"

From OnnoWiki
Latest revision as of 08:18, 31 March 2020

This page shows an OpenVPN configuration that gives access to a client LAN. The network the machines run on is IPv4, while the network carried inside the tunnel is IPv6. The topology being built is roughly as in the attached diagram:

LAN 1 ---------- HOST A ---------------- HOST B -------------- LAN 2
                 ovpn server             ovpn client
2002::/64        2345::1/64              2345::2/64            2003::/64

HOST A OpenVPN Server

OS   : Ubuntu 18.04
IP   : 192.168.0.239/24
IP   : 2345::1/64
LAN1 : 2002::/64

HOST B OpenVPN Client

OS   : Ubuntu 18.04
IP   : 2345::2/64
LAN2 : 2003::/64

Additional OpenVPN Server Configuration

Enable IPv4 & IPv6 forwarding:

vi /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

sysctl -p

Set the server IP addresses:

ifconfig enp0s3 192.168.0.105 netmask 255.255.255.0
ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0
ip addr add 2002::1/64 dev enp0s8

Additions to /etc/openvpn/server.conf:

ifconfig 10.8.0.1 255.255.255.0
server 10.8.0.0 255.255.255.0
tun-ipv6
server-ipv6 2345::/64
push tun-ipv6
route-ipv6 2003::/64
client-config-dir client

In the folder /etc/openvpn/client, add a file named "client" (the filename "client" depends on the name of the "client.ovpn" file used by the user). Fill that file with:

# force a static IP on the client to simplify routing
ifconfig-push 10.8.0.2 255.255.255.0
# force routing towards upstream
push "route 10.10.10.0 255.255.255.0"
# internal routing towards the LAN
iroute 10.10.20.0 255.255.255.0
#
# set the client's IPv6 interface
ifconfig-ipv6-push 2345::2 2345::1
# push the routing table
push "route-ipv6 2000::/3"
# set internal routing to the client LAN; must match server.conf
iroute-ipv6 2003::/64
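The comment above says the iroute-ipv6 must match server.conf, and a mismatch fails silently. As an added example (not from the original page), this checker parses both files and reports prefixes present on only one side; the config text is a constructed sample copied from this page's topology.

```python
"""Cross-check the IPv6 route directives OpenVPN needs on both sides.

'route-ipv6 PREFIX' in server.conf puts a kernel route into the tunnel;
'iroute-ipv6 PREFIX' in the client's CCD file tells OpenVPN which client
owns the prefix. A prefix on only one side means that LAN is unreachable.
"""
import ipaddress
import re

# Constructed sample of /etc/openvpn/server.conf, taken from this page
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
tun-ipv6
server-ipv6 2345::/64
push tun-ipv6
route-ipv6 2003::/64
client-config-dir client
"""

# Constructed sample of the CCD file /etc/openvpn/client/client
CCD_FILES = {
    "client": """\
ifconfig-push 10.8.0.2 255.255.255.0
iroute 10.10.20.0 255.255.255.0
ifconfig-ipv6-push 2345::2 2345::1
push "route-ipv6 2000::/3"
iroute-ipv6 2003::/64   # must match server.conf
""",
}


def directive_prefixes(text, directive):
    """Return the IPv6 networks named as first argument of `directive`."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        match = re.match(rf"^{directive}\s+(\S+)", line)
        if match:
            found.add(ipaddress.IPv6Network(match.group(1), strict=False))
    return found


def check_routes(server_conf, ccd_files):
    """Return (needs_iroute, needs_route): prefixes present on one side only."""
    server_routes = directive_prefixes(server_conf, "route-ipv6")
    iroutes = set()
    for body in ccd_files.values():
        iroutes |= directive_prefixes(body, "iroute-ipv6")
    needs_iroute = sorted(str(p) for p in server_routes - iroutes)
    needs_route = sorted(str(p) for p in iroutes - server_routes)
    return needs_iroute, needs_route


if __name__ == "__main__":
    print(check_routes(SERVER_CONF, CCD_FILES))  # ([], []) for this page's config
```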

Client LAN Gateway Configuration

Enable IPv6 forwarding:

vi /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

sysctl -p

Configure the LAN gateway interfaces:

ifconfig enp0s3 192.168.0.107 netmask 255.255.255.0
ifconfig enp0s8 10.10.20.1 netmask 255.255.255.0
ip addr add 2003::1/64 dev enp0s8

To hand out IPv6 addresses to clients on the LAN, radvd can be used. Edit /etc/radvd.conf:

# file: /etc/radvd.conf
interface enp0s8
{
  AdvSendAdvert on;
  prefix 2003::/64
  {
    AdvOnLink on;
    AdvAutonomous on;
  };
};

Install & restart radvd

apt install radvd
/etc/init.d/radvd restart

Connect OpenVPN:

openvpn --config client.ovpn

You will see:

Mon Mar 11 04:38:29 2019 ROUTE_GATEWAY 192.168.0.223/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:c5:c4:7a
Mon Mar 11 04:38:29 2019 GDG6: remote_host_ipv6=n/a
Mon Mar 11 04:38:29 2019 ROUTE6_GATEWAY fe80::1 IFACE=enp0s3
Mon Mar 11 04:38:29 2019 TUN/TAP device tun0 opened
Mon Mar 11 04:38:29 2019 TUN/TAP TX queue length set to 100
Mon Mar 11 04:38:29 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Mon Mar 11 04:38:29 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Mar 11 04:38:29 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Mon Mar 11 04:38:29 2019 /sbin/ip -6 addr add 2345::1000/64 dev tun0
Mon Mar 11 04:38:29 2019 /sbin/ip route add 192.168.0.105/32 dev enp0s3
Mon Mar 11 04:38:29 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Mon Mar 11 04:38:29 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Mon Mar 11 04:38:29 2019 add_route_ipv6(2000::/3 -> 2345::1 metric -1) dev tun0
Mon Mar 11 04:38:29 2019 /sbin/ip -6 route add 2000::/3 dev tun0
Mon Mar 11 04:38:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 11 04:38:29 2019 Initialization Sequence Completed

Note that OpenVPN applies several IPv4 and IPv6 settings. These show up in ifconfig as an additional interface, tun0:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.2  netmask 255.255.255.0  destination 10.8.0.2
        inet6 fe80::519f:30a1:8afb:d64b  prefixlen 64  scopeid 0x20<link>
        inet6 2345::1000  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1  bytes 76 (76.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 380 (380.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

NO additional configuration is needed in client.ovpn. Make sure the interface setup is CORRECT. Make sure the routing setup is CORRECT:

ip route show
ip -6 route show
route -n
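The commands above print the routing table but not what a correct table looks like for this topology. As an added example (not from the original page), this longest-prefix-match lookup over a constructed `ip -6 route show` sample for HOST B shows which interface each destination leaves through: LAN 1 and the rest of 2000::/3 into tun0, LAN 2 on enp0s8.

```python
"""Longest-prefix match over the LAN 2 gateway's IPv6 routes.

Tells, for a destination, which interface HOST B sends the packet out of,
so `ip -6 route show` can be checked against what the topology needs.
"""
import ipaddress

# Constructed sample of `ip -6 route show` on HOST B, assembled from the
# addresses on this page and the routes OpenVPN's log shows it adding
ROUTE_TABLE = """\
2003::/64 dev enp0s8 proto kernel metric 256
2345::/64 dev tun0 proto kernel metric 256
2000::/3 dev tun0 metric 1024
fe80::/64 dev enp0s8 proto kernel metric 256
fe80::/64 dev tun0 proto kernel metric 256
"""


def parse_routes(text):
    """Parse `ip -6 route show` lines into (network, device, via) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "default":  # iproute2 prints ::/0 as 'default'
            fields[0] = "::/0"
        net = ipaddress.IPv6Network(fields[0], strict=False)
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((net, dev, via))
    return routes


def lookup(routes, destination):
    """Return (device, via) of the most specific route covering destination."""
    addr = ipaddress.IPv6Address(destination)
    best = None
    for net, dev, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return (best[1], best[2]) if best else (None, None)


def egress_device(text, destination):
    """Which interface does HOST B use for this destination? None = no route."""
    return lookup(parse_routes(text), destination)[0]


if __name__ == "__main__":
    for dst in ("2002::1000", "2003::1000", "2345::1", "2001:db8::1"):
        print(dst, "->", egress_device(ROUTE_TABLE, dst))
```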

Additional Notes: Firewall or NAT on the LAN Gateway

It is best not to install a firewall if we want to open all clients wide to the Internet. But for those who are worried, it is better to use a firewall for more security. An example configuration is as follows:

ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s 2003::/64 -d ::/0 -m comment --comment "allow outgoing" -j ACCEPT
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT
ip6tables -A INPUT -i enp0s8 -j ACCEPT
#
# allow access to specific internal hosts only (/128 = this one host; a /64 here would open the whole LAN)
ip6tables -A FORWARD -d 2003::c01d/128 -m comment --comment "A/C" -j ACCEPT

# Allow traffic initiated from VPN to access LAN
ip6tables -I FORWARD -i tun0 -o enp0s8 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
ip6tables -I FORWARD -i enp0s8 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

If the firewall approach also fails, it seems we are stuck with NAT:

ip6tables -t nat -A POSTROUTING -s 2003::/64 -o tun0 -j MASQUERADE

LAN 1 Client Configuration

Configuring a LAN1 client is quite simple:

  • The IPv6 address is adjusted to the allocation in LAN1
  • Routing is adjusted to the existing routing; we need to add a route towards LAN2 via the OpenVPN gateway.

Example (the /64 prefix length is needed so that the gateway 2002::1 is on-link):

ip addr add 2002::1000/64 dev enp0s3
ip route add 2003::/64 via 2002::1

LAN 2 Client Configuration

Configuring a LAN2 client is quite simple:

  • The IPv6 address is adjusted to the allocation in LAN2
  • The IPv6 address can be assigned automatically, because the client LAN gateway runs a radvd server.
  • Routing is adjusted to the existing routing; we need to add a route towards LAN1 via the OpenVPN gateway.

Example (the route points at the gateway 2003::1; a device-only route would make the client try to resolve every destination on the local link):

ip addr add 2003::1000/64 dev enp0s3
ip route add 2000::/3 via 2003::1 dev enp0s3
