In this tutorial we install OpenVPN on Debian 7 Wheezy. The steps for installing OpenVPN on an OpenVZ VPS running Debian 7 are given below.
Stage 1: Check whether TUN is enabled

cat /dev/net/tun

If this prints the error

cat: /dev/net/tun: File descriptor in bad state

then TUN is enabled and OpenVPN can be used. If not, contact your VPS provider and ask them to enable TUN/TAP for your container.
Stage 2: Update Debian and upgrade the installed packages

apt-get clean; apt-get update; apt-get upgrade
Stage 3: Install OpenVPN and its dependencies

apt-get install openvpn libssl-dev openssl iptables-persistent curl apache2 -y
Stage 4: Remove any existing keys and generate new ones

The easy-rsa commands below are run from /etc/openvpn/easy-rsa/2.0, the directory that all the key and certificate paths in this tutorial refer to. Load the easy-rsa variables and wipe the keys directory:

. ./vars >/dev/null
./clean-all >/dev/null
Generate the CA

./build-ca

Output of the command above:

Generating a 1024 bit RSA private key
......................++++++
.............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

Just leave the defaults ;) Press Enter for every question.
Generate the server key and certificate

./build-key-server server

Output of the command above:

Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec  8 15:17:49 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the DH parameters

./build-dh

Output of the command above:

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................................+..........+...........+..................................................................................................+............................................+.....................................................+.......+............................................................................++*++*++*
Copy the certificates and keys we just created to /etc/openvpn

cp /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
The OpenVPN configuration file is /etc/openvpn/openvpn.conf. Delete that file and create a new one with the contents below (one directive per line):

dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group daemon
daemon
Enable IP forwarding (immediately, and persistently across reboots)

echo 1 > /proc/sys/net/ipv4/ip_forward; echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
Stage 5: Configure iptables

Run the commands below to configure iptables (venet0 is the OpenVZ container's network interface):

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 192.168.1.1
iptables-save > /etc/iptables.conf

Replace 192.168.1.1 with your server's public IP address; you can find it with

curl cekwhois.com/ip.php
Stage 6: Adding an OpenVPN client

Suppose the client we want to add is named perkis01.

./build-key perkis01

Output of the command above:

Generating a 1024 bit RSA private key
.......++++++
..........++++++
writing new private key to 'perkis01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [perkis01]:
Name [changeme]:
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'perkis01'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec  8 15:26:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Configuration file for the client, saved as perkis01.ovpn in /etc/openvpn/easy-rsa/2.0/keys/ (one directive per line):

client
remote 192.168.1.1 1194
dev tun
comp-lzo
ca ca.crt
cert perkis01.crt
key perkis01.key
route-delay 2
route-method exe
redirect-gateway def1
verb 3
Replace 192.168.1.1 with your server's public IP address; you can find it with

curl cekwhois.com/ip.php
Pack all the client's configuration files into /var/www/perkis01.tar.gz

cd /etc/openvpn/easy-rsa/2.0/keys/; tar zcvf /var/www/perkis01.tar.gz {ca.crt,ca.key,perkis01.crt,perkis01.csr,perkis01.key,perkis01.ovpn}; cd -
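As an added example (not part of the original tutorial), the following script builds the client profile above as a single file with ca.crt, perkis01.crt and perkis01.key embedded inline, so that only this one file has to be handed to the client and ca.key, the CA's private key, which clients never need and which lets its holder issue certificates the server trusts, stays on the server. It assumes the easy-rsa keys directory and client name from the tutorial, drops the Windows-only route-method directive, and adds remote-cert-tls server, which requires the server certificate to have been issued with build-key-server (as done above) and removes the "No server certificate verification method has been enabled" warning visible in the connection output below.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Builds a single-file OpenVPN
# client profile for a client created with ./build-key NAME by embedding
# ca.crt, NAME.crt and NAME.key inline. ca.key is never read or copied.
# Assumed: KEYS_DIR is the easy-rsa keys directory used in the tutorial.

# make_inline_ovpn KEYS_DIR NAME SERVER_IP  -> prints the profile on stdout
make_inline_ovpn() {
    keys_dir=$1 name=$2 server_ip=$3
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -r "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 1; }
    done
    # Same directives as the tutorial's client file (minus the Windows-only
    # route-method) plus remote-cert-tls, which makes the client reject any
    # peer whose certificate was not issued as a server certificate.
    cat <<EOF
client
remote $server_ip 1194
dev tun
comp-lzo
route-delay 2
redirect-gateway def1
remote-cert-tls server
verb 3
<ca>
$(cat "$keys_dir/ca.crt")
</ca>
<cert>
$(cat "$keys_dir/$name.crt")
</cert>
<key>
$(cat "$keys_dir/$name.key")
</key>
EOF
}

# private_keys_in FILE -> number of PEM private keys embedded in FILE.
# A correct client profile holds exactly one: the client's own, never the CA's.
private_keys_in() {
    grep -c 'BEGIN.*PRIVATE KEY' "$1"
}

# Usage on the server, with the tutorial's client name and server IP:
# make_inline_ovpn /etc/openvpn/easy-rsa/2.0/keys perkis01 192.168.1.1 > /root/perkis01.ovpn
# private_keys_in /root/perkis01.ovpn   # expect 1
```

The resulting perkis01.ovpn is used exactly like the tutorial's file: openvpn --config perkis01.ovpn.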
Download your configuration bundle in a browser from IPVPS/perkis01.tar.gz, where IPVPS is your VPS's IP address. As an example, I will connect to the VPN server from Fedora 20.

wget IPVPS/perkis01.tar.gz

Output of the command above:

--2013-12-10 22:54:49--  http://xxx.xxx.xxx.xxx/perkis01.tar.gz
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4523 (4.4K) [application/x-gzip]
Saving to: 'perkis01.tar.gz'

100%[=============================================================================================>] 4,523       --.-K/s   in 0.009s

2013-12-10 22:54:49 (513 KB/s) - 'perkis01.tar.gz' saved [4523/4523]
Extract the perkis01.tar.gz file downloaded above

tar zxvf perkis01.tar.gz

Output of the command above:

ca.crt
ca.key
perkis01.crt
perkis01.csr
perkis01.key
perkis01.ovpn
Now start OpenVPN

su -c "openvpn --config perkis01.ovpn"

If asked for a password, enter your password (su prompts for root's). Output of the command above:

Tue Dec 10 22:56:40 2013 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Tue Dec 10 22:56:40 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 10 22:56:40 2013 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Dec 10 22:56:40 2013 UDPv4 link local (bound): [undef]
Tue Dec 10 22:56:40 2013 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Dec 10 22:56:40 2013 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=964bf497 301c1644
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 10 22:56:46 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 10 22:56:46 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 10 22:56:46 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 10 22:56:46 2013 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Dec 10 22:56:48 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Dec 10 22:56:48 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 4.2.2.1,dhcp-option DNS 4.2.2.2,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5'
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: route options modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec 10 22:56:48 2013 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp3s0 HWADDR=74:2f:68:b5:1b:f8
Tue Dec 10 22:56:48 2013 TUN/TAP device tun0 opened
Tue Dec 10 22:56:48 2013 TUN/TAP TX queue length set to 100
Tue Dec 10 22:56:48 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 10 22:56:48 2013 /usr/sbin/ip link set dev tun0 up mtu 1500
Tue Dec 10 22:56:48 2013 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add xxx.xxx.xxx.xxx/32 via 192.168.1.1
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Tue Dec 10 22:56:51 2013 Initialization Sequence Completed
Done: the OpenVPN installation on Debian 7 works perfectly.