Tuesday, 2 June 2015

How to Install OpenVPN on Debian 7 (Wheezy)

In this tutorial we install OpenVPN on Debian 7 (Wheezy). The steps for installing OpenVPN on an OpenVZ VPS running Debian 7 are given below.

Step 1:

Check whether TUN is enabled

cat /dev/net/tun

If you get the error

cat: /dev/net/tun: File descriptor in bad state

then TUN is enabled and OpenVPN can use it. If not, contact your VPS provider and ask them to enable TUN/TAP.

Step 2:

Update Debian and upgrade the installed packages

apt-get clean all; apt-get update; apt-get upgrade

Step 3:

Install OpenVPN and its dependencies (apache2 is used later to serve the client bundle)

apt-get install openvpn libssl-dev openssl iptables-persistent curl apache2 -y

Step 4:

Remove any existing keys and generate new ones. Debian 7 ships the easy-rsa 2.0 scripts with the openvpn package under /usr/share/doc/openvpn/examples/easy-rsa/2.0; copy them to /etc/openvpn/easy-rsa/2.0, the directory used in the rest of this tutorial, and run every easy-rsa command from there with vars sourced.

mkdir -p /etc/openvpn/easy-rsa
cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa/2.0
cd /etc/openvpn/easy-rsa/2.0
. ./vars >/dev/null
./clean-all >/dev/null

Generate the CA

./build-ca

Output of the command above:
Generating a 1024 bit RSA private key
......................++++++
.............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:

Just leave the defaults ;) Press Enter for every question.

Generate the server key and certificate

./build-key-server server

Output of the command above:
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec  8 15:17:49 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
 
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the DH parameters

./build-dh

Output of the command above:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................................+..........+...........+..................................................................................................+............................................+.....................................................+.......+............................................................................++*++*++*

Copy the certificates and keys we just created to /etc/openvpn

cp /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

The OpenVPN configuration file is /etc/openvpn/openvpn.conf; delete it and create a new one with the contents below

dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group daemon
daemon

Enable IP forwarding (the first line applies it now, the second makes it persistent)

echo 1 > /proc/sys/net/ipv4/ip_forward;
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

Step 5: Configuring iptables

Run the commands below to configure iptables. iptables-persistent, installed in step 3, reloads /etc/iptables/rules.v4 at boot, so save the rules there.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 192.168.1.1
iptables-save > /etc/iptables/rules.v4

Replace 192.168.1.1 with your server's public IP address; you can find it with the command

curl cekwhois.com/ip.php

Step 6: Adding an OpenVPN client

Suppose the client we are adding is named perkis01 (run this from /etc/openvpn/easy-rsa/2.0 with vars sourced, as in step 4)

./build-key perkis01

Output of the command above:
Generating a 1024 bit RSA private key
.......++++++
..........++++++
writing new private key to 'perkis01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [perkis01]:
Name [changeme]:
Email Address [mail@host.domain]:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'perkis01'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec  8 15:26:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Client configuration file (save it as perkis01.ovpn in /etc/openvpn/easy-rsa/2.0/keys so that the archive command further down picks it up)

client
remote 192.168.1.1 1194
dev tun
comp-lzo
ca ca.crt
cert perkis01.crt
key perkis01.key
route-delay 2
route-method exe
redirect-gateway def1
verb 3
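Both configuration files above can be checked mechanically for the settings a defender would revisit. The linter below is an added example and not part of this tutorial: it uses only the Python standard library, embeds the two configs above as constructed sample input, and the directives it looks for that the tutorial does not use (`remote-cert-tls`, `tls-auth`, `user`) are real OpenVPN 2.x directives.

```python
"""Lint OpenVPN server and client configs for settings worth revisiting.
Added example: standard library only, configs embedded as sample input."""

import re

# Constructed copies of the two configuration files from the tutorial.
SERVER_CONF = """\
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group daemon
daemon
"""

CLIENT_CONF = """\
client
remote 192.168.1.1 1194
dev tun
comp-lzo
ca ca.crt
cert perkis01.crt
key perkis01.key
route-delay 2
route-method exe
redirect-gateway def1
verb 3
"""


def parse_openvpn_conf(text):
    """Return [(directive, [args])], skipping blank lines and '#'/';' comments.
    A quoted argument such as push "route ..." is kept as a single argument."""
    options = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        options.append((parts[0], [p.strip('"') for p in parts[1:]]))
    return options


def lint_server_conf(text):
    """Findings for a server config: weak DH size, root after init,
    compression, and no tls-auth HMAC key on the control channel."""
    opts = parse_openvpn_conf(text)
    names = {d for d, _ in opts}
    findings = []
    for directive, args in opts:
        m = re.fullmatch(r"dh(\d+)\.pem", args[0]) if directive == "dh" and args else None
        if m and int(m.group(1)) < 2048:
            findings.append(f"dh: {m.group(1)}-bit parameters are below the 2048-bit floor")
    if "group" in names and "user" not in names:
        findings.append("group without user: daemon keeps running as root; add 'user nobody'")
    if "comp-lzo" in names:
        findings.append("comp-lzo: compressing encrypted traffic is discouraged")
    if "tls-auth" not in names:
        findings.append("no tls-auth: TLS handshake is reachable without a pre-shared HMAC key")
    return findings


def lint_client_conf(text):
    """Findings for a client config: the missing server-certificate check that
    OpenVPN itself warns about at connect time, plus compression."""
    names = {d for d, _ in parse_openvpn_conf(text)}
    findings = []
    if not names & {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}:
        findings.append("no remote-cert-tls server: any certificate signed by the CA, "
                        "including another client's, is accepted as the server")
    if "comp-lzo" in names:
        findings.append("comp-lzo: compressing encrypted traffic is discouraged")
    return findings


if __name__ == "__main__":
    for label, fn, conf in (("server", lint_server_conf, SERVER_CONF),
                            ("client", lint_client_conf, CLIENT_CONF)):
        print(f"[{label}]")
        for finding in fn(conf):
            print("  -", finding)
```

Run as a script it prints the findings for both files; the client finding about `remote-cert-tls` is the same condition that produces the "No server certificate verification method has been enabled" warning in the connection log further down.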

Replace 192.168.1.1 with your server's public IP address; you can find it with the command

curl cekwhois.com/ip.php

Pack all the client configuration files into /var/www/perkis01.tar.gz

cd /etc/openvpn/easy-rsa/2.0/keys/; tar zcvf /var/www/perkis01.tar.gz {ca.crt,ca.key,perkis01.crt,perkis01.csr,perkis01.key,perkis01.ovpn} ; cd -
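The archive command above packs everything in the keys directory, including ca.key and the CSR, and publishes it in the Apache document root, from where it is fetched over plain HTTP (the wget output further down shows port 80). The CA private key should never leave the server: whoever holds it can sign certificates this server will trust. The check below is an added example, not part of the tutorial; it builds a stand-in tar.gz in memory with placeholder contents so it runs offline, and audits it the way you would audit the real bundle.

```python
"""Audit a client bundle like perkis01.tar.gz for files that should not be
handed to a client.  Added example; the archive is constructed in memory
with placeholder bodies so the check runs offline."""

import io
import tarfile

# Member names produced by the tutorial's tar command (constructed list).
TUTORIAL_BUNDLE = ["ca.crt", "ca.key", "perkis01.crt", "perkis01.csr",
                   "perkis01.key", "perkis01.ovpn"]


def build_sample_bundle(names):
    """Return tar.gz bytes holding the given names with placeholder contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            body = f"placeholder contents of {name}\n".encode()
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def required_client_files(client_name):
    """The four files a client actually needs: CA cert, its own cert and key,
    and the .ovpn profile."""
    return {"ca.crt", f"{client_name}.crt", f"{client_name}.key",
            f"{client_name}.ovpn"}


def audit_bundle(blob, client_name):
    """Return which members are dangerous, unnecessary, or missing."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        members = {m.name for m in tar.getmembers() if m.isfile()}
    needed = required_client_files(client_name)
    # Private keys other than the client's own must stay on the server;
    # ca.key in particular lets the holder issue certificates the server trusts.
    leaked_keys = sorted(n for n in members
                         if n.endswith(".key") and n != f"{client_name}.key")
    return {
        "leaked_keys": leaked_keys,
        "unneeded": sorted(members - needed),
        "missing": sorted(needed - members),
    }


if __name__ == "__main__":
    report = audit_bundle(build_sample_bundle(TUTORIAL_BUNDLE), "perkis01")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A bundle that passes the check contains only ca.crt, perkis01.crt, perkis01.key and perkis01.ovpn; the CSR is not needed by the client and ca.key must stay on the server.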

Download the configuration archive in a browser from IPVPS/perkis01.tar.gz (replace IPVPS with your server's IP address). As an example, I will connect to the VPN server from Fedora 20.

wget IPVPS/perkis01.tar.gz

Output of the command above:
--2013-12-10 22:54:49--  http://xxx.xxx.xxx.xxx/perkis01.tar.gz
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4523 (4.4K) [application/x-gzip]
Saving to: ‘perkis01.tar.gz’
 
100%[=============================================================================================>] 4,523       --.-K/s   in 0.009s  
2013-12-10 22:54:49 (513 KB/s) - ‘perkis01.tar.gz’ saved [4523/4523]

Extract perkis01.tar.gz

tar zxvf perkis01.tar.gz

Output of the command above:
ca.crt
ca.key
perkis01.crt
perkis01.csr
perkis01.key
perkis01.ovpn

Now start OpenVPN

su -c "openvpn --config perkis01.ovpn"

When su prompts for a password, enter it. Output of the command above:

Tue Dec 10 22:56:40 2013 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Tue Dec 10 22:56:40 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 10 22:56:40 2013 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Dec 10 22:56:40 2013 UDPv4 link local (bound): [undef]
Tue Dec 10 22:56:40 2013 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Dec 10 22:56:40 2013 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=964bf497 301c1644
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 10 22:56:46 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 10 22:56:46 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 10 22:56:46 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 10 22:56:46 2013 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Dec 10 22:56:48 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Dec 10 22:56:48 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 4.2.2.1,dhcp-option DNS 4.2.2.2,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5'
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: route options modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec 10 22:56:48 2013 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp3s0 HWADDR=74:2f:68:b5:1b:f8
Tue Dec 10 22:56:48 2013 TUN/TAP device tun0 opened
Tue Dec 10 22:56:48 2013 TUN/TAP TX queue length set to 100
Tue Dec 10 22:56:48 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 10 22:56:48 2013 /usr/sbin/ip link set dev tun0 up mtu 1500
Tue Dec 10 22:56:48 2013 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add xxx.xxx.xxx.xxx/32 via 192.168.1.1
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Tue Dec 10 22:56:51 2013 Initialization Sequence Completed
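The client log above contains everything needed to judge what the tunnel actually negotiated: the warning that no server-certificate verification is configured, the data-channel cipher and HMAC, the TLS version and RSA key size, the server CN that was verified, and the options the server pushed. The parser below is an added example and not part of the tutorial; its sample input is a subset of the log lines shown above, and the thresholds it applies when assessing them are my own.

```python
"""Summarize the security-relevant lines of an OpenVPN 2.x client log.
Added example; SAMPLE_LOG reproduces lines from the tutorial's output."""

import re

SAMPLE_LOG = """\
Tue Dec 10 22:56:40 2013 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 10 22:56:46 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 10 22:56:48 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 4.2.2.1,dhcp-option DNS 4.2.2.2,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5'
Tue Dec 10 22:56:51 2013 Initialization Sequence Completed
"""

# The "Tue Dec 10 22:56:40 2013 " prefix OpenVPN puts on every line.
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")

DATA_CIPHER = re.compile(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key")
DATA_HMAC = re.compile(r"Data Channel Encrypt: Using (\d+) bit message hash '([^']+)'")
CONTROL = re.compile(r"Control Channel: (\S+), cipher \S+ (\S+), (\d+) bit RSA")
SERVER_CERT = re.compile(r"VERIFY OK: depth=0, (.*)")
PUSH_REPLY = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,(.*)'")


def summarize_client_log(text):
    """Extract warnings, negotiated crypto, verified server CN and pushed options."""
    s = {"warnings": [], "data_cipher": None, "data_key_bits": None,
         "hmac": None, "tls_version": None, "tls_cipher": None,
         "rsa_bits": None, "server_cn": None, "pushed": [], "completed": False}
    for raw in text.splitlines():
        msg = TIMESTAMP.sub("", raw)
        if msg.startswith("WARNING: "):
            s["warnings"].append(msg[len("WARNING: "):])
        elif msg == "Initialization Sequence Completed":
            s["completed"] = True
        elif m := DATA_CIPHER.match(msg):
            s["data_cipher"], s["data_key_bits"] = m.group(1), int(m.group(2))
        elif m := DATA_HMAC.match(msg):
            s["hmac"] = m.group(2)
        elif m := CONTROL.match(msg):
            s["tls_version"], s["tls_cipher"] = m.group(1), m.group(2)
            s["rsa_bits"] = int(m.group(3))
        elif m := SERVER_CERT.match(msg):
            cn = re.search(r"CN=([^,]+)", m.group(1))
            s["server_cn"] = cn.group(1) if cn else None
        elif m := PUSH_REPLY.match(msg):
            s["pushed"] = m.group(1).split(",")
    return s


def assess(summary):
    """Turn the summary into the findings a reviewer would raise."""
    # Keep OpenVPN's own warnings, minus the trailing documentation pointer.
    findings = [w.split("  See ")[0] for w in summary["warnings"]]
    if summary["data_cipher"] == "BF-CBC":
        findings.append("data channel: BF-CBC is a 64-bit block cipher; prefer AES-GCM")
    if summary["hmac"] == "SHA1":
        findings.append("data channel: SHA1 HMAC; prefer SHA256 or an AEAD cipher")
    if summary["rsa_bits"] is not None and summary["rsa_bits"] < 2048:
        findings.append(f"control channel: {summary['rsa_bits']}-bit RSA certificates")
    if summary["tls_version"] == "TLSv1":
        findings.append("control channel: TLS 1.0; require TLS 1.2 with tls-version-min")
    return findings


if __name__ == "__main__":
    summary = summarize_client_log(SAMPLE_LOG)
    print("server CN:", summary["server_cn"], "| pushed:", summary["pushed"])
    for finding in assess(summary):
        print("-", finding)
```

The same two functions work on a live log (`openvpn --config ... --log file` or the daemon's syslog lines) once the timestamp prefix is stripped, which is why the prefix is handled separately from the message patterns.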

Done. The OpenVPN installation on Debian 7 completed successfully.
