OpenVPN: IPv6 routed 2 LAN

From OnnoWiki
Revision as of 08:18, 31 March 2020 by Onnowpurbo (talk | contribs)

This page shows an OpenVPN configuration that gives a client LAN access to a LAN on the server side. The network the machines themselves run on is IPv4, while the network carried inside the tunnel is IPv6. The topology being built is roughly as in the diagram below,

LAN 1 ---------- HOST A ---------------- HOST B -------------- LAN 2
                 ovpn server             ovpn client
2002::/64        2345::1/64              2345::2/64            2003::/64

HOST A OpenVPN Server

OS   : Ubuntu 18.04
IP   : 192.168.0.239/24
IP   : 2345::1/64
LAN1 : 2002::/64

HOST B OpenVPN Client

OS   : Ubuntu 18.04
IP   : 2345::2/64
LAN2 : 2003::/64

Additional OpenVPN Server Configuration

Enable IPv4 & IPv6 forwarding,

vi /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

sysctl -p 

Set the server's IP addresses

ifconfig enp0s3 192.168.0.105 netmask 255.255.255.0
ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0
ip addr add 2002::1/64 dev enp0s8

Additions to the configuration in /etc/openvpn/server.conf

# IPv4 tunnel side: the server takes 10.8.0.1, clients are allocated from 10.8.0.0/24
ifconfig 10.8.0.1 255.255.255.0
server 10.8.0.0 255.255.255.0
# tun-ipv6 is kept for older clients; OpenVPN 2.4 (Ubuntu 18.04) enables IPv6 on tun by itself
tun-ipv6
# IPv6 tunnel prefix: the server takes 2345::1, clients are allocated from 2345::/64
server-ipv6 2345::/64
push tun-ipv6
# kernel route on the server for the client LAN (LAN2) toward the tun device;
# the per-client file below must carry the matching iroute-ipv6
route-ipv6 2003::/64
# per-client settings live in /etc/openvpn/client/<name>
client-config-dir client

Additionally, in the folder /etc/openvpn/client, create the file "client" (the filename "client" depends on the name of the "client.ovpn" file used by the user). Fill that file with

# force a static IP on the client to make routing easier
ifconfig-push 10.8.0.2 255.255.255.0
# force routing toward upstream
push "route 10.10.10.0 255.255.255.0"
# internal routing toward the client LAN
iroute 10.10.20.0 255.255.255.0
#
# set the client's IPv6 interface (client address, server address)
ifconfig-ipv6-push 2345::2 2345::1
# push the routing table: send all global unicast (2000::/3) through the tunnel
push "route-ipv6 2000::/3"
# set internal routing to the client LAN; must match route-ipv6 in server.conf
iroute-ipv6 2003::/64
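
The comment above says the iroute-ipv6 line must match server.conf, and that is the part most often missed when a second client LAN is added. The following script is an added example (not from this page or from the OpenVPN project) that cross-checks every iroute-ipv6 in a client-config-dir file against the route-ipv6 lines in server.conf. OpenVPN needs both: route-ipv6 puts the prefix into the kernel routing table toward the tun device, iroute-ipv6 tells the server which client owns it. The function names are this example's own, and the server.conf and ccd files it creates under a temporary directory are constructed for the demo; one caveat worth knowing is that OpenVPN looks up the ccd file by the client certificate's common name, so name the file accordingly.

```sh
#!/bin/sh
# Added example: verify iroute-ipv6 (ccd) against route-ipv6 (server.conf).
# Not part of the OnnoWiki page; sample files below are constructed.

# Print every prefix given to "route-ipv6" in the server.conf passed as $1.
server_ipv6_routes() {
    awk '$1 == "route-ipv6" { print $2 }' "$1"
}

# Print every prefix given to "iroute-ipv6" in the ccd file passed as $1.
ccd_ipv6_iroutes() {
    awk '$1 == "iroute-ipv6" { print $2 }' "$1"
}

# Return 0 when every iroute-ipv6 prefix in ccd file $2 has an identical
# route-ipv6 line in server.conf $1; otherwise list the orphans and return 1.
# (A covering supernet in server.conf would also satisfy OpenVPN, but this
# exact-match check does not recognise it.)
check_ccd_against_server() {
    missing=0
    for prefix in $(ccd_ipv6_iroutes "$2"); do
        if server_ipv6_routes "$1" | grep -qxF "$prefix"; then
            echo "ok      $2: iroute-ipv6 $prefix matches route-ipv6"
        else
            echo "MISSING $2: iroute-ipv6 $prefix has no route-ipv6 in $1"
            missing=1
        fi
    done
    return $missing
}

# --- constructed demo tree mirroring the layout used on this page ---
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/server.conf" <<'EOF'
server 10.8.0.0 255.255.255.0
server-ipv6 2345::/64
route-ipv6 2003::/64
client-config-dir client
EOF
mkdir -p "$DEMO_DIR/client"
# the page's client: prefix is routed in server.conf, so this one is fine
cat > "$DEMO_DIR/client/client" <<'EOF'
ifconfig-ipv6-push 2345::2 2345::1
push "route-ipv6 2000::/3"
iroute-ipv6 2003::/64
EOF
# a second client whose prefix nobody added to server.conf (deliberately broken)
cat > "$DEMO_DIR/client/other" <<'EOF'
iroute-ipv6 2004::/64
EOF

check_ccd_against_server "$DEMO_DIR/server.conf" "$DEMO_DIR/client/client"
check_ccd_against_server "$DEMO_DIR/server.conf" "$DEMO_DIR/client/other" \
    || echo "(expected: 'other' is misconfigured)"
```

On a real server, run the check over every file in the client-config-dir before restarting OpenVPN; a prefix that only appears in a ccd file is silently unreachable from the server side, because the kernel never learns that it lives behind tun0.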

Client LAN Gateway Configuration

Enable IPv4 & IPv6 forwarding,

vi /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

sysctl -p 

LAN gateway interface configuration

ifconfig enp0s3 192.168.0.107 netmask 255.255.255.0
ifconfig enp0s8 10.10.20.1 netmask 255.255.255.0
ip addr add 2003::1/64 dev enp0s8

To hand out IPv6 addresses to the LAN clients, radvd can be used. Edit /etc/radvd.conf:

# file: /etc/radvd.conf
interface enp0s8
{ 
  AdvSendAdvert on; 
  prefix 2003::/64 
  {
    AdvOnLink on;
    AdvAutonomous on;
  }; 
};

Install & restart radvd

apt install radvd
/etc/init.d/radvd restart

Connect OpenVPN

openvpn --config client.ovpn

You will see

Mon Mar 11 04:38:29 2019 ROUTE_GATEWAY 192.168.0.223/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:c5:c4:7a
Mon Mar 11 04:38:29 2019 GDG6: remote_host_ipv6=n/a
Mon Mar 11 04:38:29 2019 ROUTE6_GATEWAY fe80::1 IFACE=enp0s3
Mon Mar 11 04:38:29 2019 TUN/TAP device tun0 opened
Mon Mar 11 04:38:29 2019 TUN/TAP TX queue length set to 100
Mon Mar 11 04:38:29 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Mon Mar 11 04:38:29 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Mar 11 04:38:29 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Mon Mar 11 04:38:29 2019 /sbin/ip -6 addr add 2345::1000/64 dev tun0
Mon Mar 11 04:38:29 2019 /sbin/ip route add 192.168.0.105/32 dev enp0s3
Mon Mar 11 04:38:29 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Mon Mar 11 04:38:29 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Mon Mar 11 04:38:29 2019 add_route_ipv6(2000::/3 -> 2345::1 metric -1) dev tun0
Mon Mar 11 04:38:29 2019 /sbin/ip -6 route add 2000::/3 dev tun0
Mon Mar 11 04:38:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 11 04:38:29 2019 Initialization Sequence Completed

Note that OpenVPN performs several IPv4 as well as IPv6 setup steps. This shows up in ifconfig as the additional interface tun0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.2  netmask 255.255.255.0  destination 10.8.0.2
        inet6 fe80::519f:30a1:8afb:d64b  prefixlen 64  scopeid 0x20<link>
        inet6 2345::1000  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1  bytes 76 (76.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 380 (380.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

There are NO additions to client.ovpn. Make sure the interface setup is CORRECT. Make sure the routing setup is CORRECT.

ip route show
ip -6 route show
route -n
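
The three commands above print the tables, but it is easy to overlook a missing entry. The following is an added example (not from this page or from OpenVPN) that turns the check into functions: one tests whether a given prefix is in the route table and leaves via the expected device, one tests the forwarding sysctl, and one runs the set of routes the LAN2 gateway on this page must have once the tunnel is up (2003::/64 on enp0s8, 2345::/64 and the pushed 2000::/3 on tun0). The functions read command output from files so they can be exercised on the constructed sample below; on the real gateway feed them "ip -6 route show" output and the /proc/sys forwarding files. Function and variable names are this example's own.

```sh
#!/bin/sh
# Added example: post-connect route and forwarding checks for the LAN2 gateway.
# Not part of the OnnoWiki page; the sample route table below is constructed.

# Return 0 if the route table text in file $1 has an entry whose prefix is $2
# and (when $3 is given) whose outgoing device is $3.
route_present() {
    awk -v want="$2" -v dev="$3" '
        $1 == want {
            if (dev == "") { found = 1; next }
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        END { exit !found }' "$1"
}

# Return 0 if the sysctl file $1 (e.g. /proc/sys/net/ipv6/conf/all/forwarding)
# contains exactly 1.
forwarding_enabled() {
    [ "$(cat "$1")" = "1" ]
}

# Check the routes the LAN2 gateway needs: its own LAN on enp0s8, the tunnel
# prefix on tun0, and the pushed 2000::/3 toward tun0.
# $1 = file with "ip -6 route show" output. Returns 1 if anything is missing.
check_lan2_gateway_routes() {
    routes=$1
    rc=0
    for spec in "2003::/64 enp0s8" "2345::/64 tun0" "2000::/3 tun0"; do
        set -- $spec   # split "prefix device" into $1 and $2
        if route_present "$routes" "$1" "$2"; then
            echo "ok      $1 dev $2"
        else
            echo "MISSING $1 dev $2"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample: what "ip -6 route show" looks like on the gateway
#     after the connection log shown on this page ---
SAMPLE_ROUTES=$(mktemp)
cat > "$SAMPLE_ROUTES" <<'EOF'
2003::/64 dev enp0s8 proto kernel metric 256 pref medium
2345::/64 dev tun0 proto kernel metric 256 pref medium
fe80::/64 dev enp0s3 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
2000::/3 dev tun0 metric 1024 pref medium
EOF
# constructed stand-in for /proc/sys/net/ipv6/conf/all/forwarding
SAMPLE_FWD=$(mktemp)
echo 1 > "$SAMPLE_FWD"

check_lan2_gateway_routes "$SAMPLE_ROUTES"
forwarding_enabled "$SAMPLE_FWD" && echo "ok      IPv6 forwarding is on"
```

On the live gateway the calls become check_lan2_gateway_routes with a file produced by "ip -6 route show > /tmp/r6" and forwarding_enabled /proc/sys/net/ipv6/conf/all/forwarding; a MISSING line for 2000::/3 means the push "route-ipv6" from the ccd file did not arrive, and a missing 2003::/64 means enp0s8 was never given its address.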

Additional Notes: Firewall or NAT on the LAN Gateway

Preferably no firewall is installed if we want to open all clients to the Internet wide open. But for those who are worried, it is better to use a firewall to be safer. An example configuration is as follows,

ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s 2003::/64 -d ::/0 -m comment --comment "allow outgoing" -j ACCEPT
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT
ip6tables -A INPUT -i enp0s8 -j ACCEPT
#
# allow specific access to one internal host (/128 matches only that host;
# /64 would have matched the whole LAN)
ip6tables -A FORWARD -d 2003::c01d/128 -m comment --comment "A/C" -j ACCEPT

# Allow traffic initiated from VPN to access LAN
ip6tables -I FORWARD -i tun0 -o enp0s8 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
ip6tables -I FORWARD -i enp0s8 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

If the firewall also fails, it seems we will be stuck with NAT

ip6tables -t nat -A POSTROUTING -s 2003::/64 -o tun0 -j MASQUERADE
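
The rule set above mixes two styles (the address-based "allow outgoing" rule and the interface-bound conntrack rules), and once rules are inserted with -I the effective order is no longer what the listing suggests. The following is an added example (not from this page, ip6tables or OpenVPN) that audits the FORWARD chain from "ip6tables-save" output against two properties a default-deny gateway should have: the FORWARD policy is DROP, and every rule that can ACCEPT a new connection is bound to both an input and an output interface, so a rule keyed only on addresses cannot be satisfied by traffic that arrives on the wrong side of the gateway with a LAN source address. The two saved rule sets it checks are constructed: the first approximates how ip6tables-save would print the rules on this page, the second is a tightened version. The function name is this example's own.

```sh
#!/bin/sh
# Added example: audit the FORWARD chain of an ip6tables-save dump.
# Not part of the OnnoWiki page; both rule sets below are constructed.

# $1 = file with ip6tables-save output. Prints one line per finding and
# returns 1 if there was any finding, 0 if the chain is clean.
audit_forward_chain() {
    awk '
        BEGIN { bad = 0 }
        /^:FORWARD / { policy = $2 }
        /^-A FORWARD / && /-j ACCEPT/ {
            # rules that only admit return traffic are fine without -i/-o
            stateful = ($0 ~ /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/) ||
                       ($0 ~ /--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/)
            if (!stateful && !($0 ~ / -i / && $0 ~ / -o /)) {
                print "unbounded ACCEPT (no -i/-o): " $0
                bad = 1
            }
        }
        END {
            if (policy != "DROP") {
                print "FORWARD policy is \"" policy "\", expected DROP"
                bad = 1
            }
            exit bad
        }' "$1"
}

# --- constructed: the page's rules, roughly as ip6tables-save prints them
#     (the -I rules land first; ip6tables-save omits "-d ::/0") ---
PAGE_RULES=$(mktemp)
cat > "$PAGE_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i enp0s8 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s8 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun0 -o enp0s8 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s 2003::/64 -m comment --comment "allow outgoing" -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT
-A FORWARD -d 2003::c01d/128 -m comment --comment "A/C" -j ACCEPT
COMMIT
EOF

# --- constructed: tightened version, every NEW-accepting rule names -i and -o ---
TIGHT_RULES=$(mktemp)
cat > "$TIGHT_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s8 -o tun0 -s 2003::/64 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun0 -o enp0s8 -d 2003::c01d/128 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF

echo "== rule set from the page =="
audit_forward_chain "$PAGE_RULES" || echo "(findings above)"
echo "== tightened rule set =="
audit_forward_chain "$TIGHT_RULES" && echo "clean"
```

On the gateway itself, run "ip6tables-save > /tmp/fw6" and pass that file in. The page's set produces two findings (the "allow outgoing" and "A/C" rules, neither bound to an interface pair); the tightened set produces none and still passes the same traffic as the interface-bound rules on the page.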

LAN 1 Client Configuration

The LAN1 client configuration is fairly simple,

  • The IPv6 address is adjusted to the allocation used in LAN1
  • Routing is adjusted to the existing routing; we need to add a route toward LAN2 via the OpenVPN gateway.

Example

# address in LAN1 (with prefix length), then LAN2 via the OpenVPN server's LAN1 address
ip addr add 2002::1000/64 dev enp0s3
ip route add 2003::/64 via 2002::1

LAN 2 Client Configuration

The LAN2 client configuration is fairly simple,

  • The IPv6 address is adjusted to the allocation used in LAN2
  • The IPv6 address can be obtained automatically, since the client LAN gateway runs a radvd server.
  • Routing is adjusted to the existing routing; we need to add a route toward LAN1 via the OpenVPN gateway.

Example

# address in LAN2 (with prefix length), then all global unicast via the LAN2 gateway
# (a plain "dev enp0s3" route would treat every destination as on-link and fail)
ip addr add 2003::1000/64 dev enp0s3
ip route add 2000::/3 via 2003::1
