This OpenVPN installation was done on a Debian machine. It should also work on other Debian derivatives such as Ubuntu, Mint, etc.
I usually use OpenVPN just for tunneling: using an outside IP address, bypassing ISP restrictions, etc. I will disable the encryption and certificate-based login features so the connection is lighter and more stable; in their place, login will use a username & password. Encryption would only add overhead to the traffic.
First check whether TUN / TAP is already enabled:
```
root@starscream:~# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
```
If the output looks like the above, TUN / TAP is already enabled, so we can continue with the installation.
apt-get install openvpn pam-devel
Copy the existing sample configuration files to /etc/openvpn so we can edit them next:
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
chmod -R 755 /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
Then edit the vars file (optional). I usually edit it to look like this:
vi vars
```
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=384

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="ID"
export KEY_PROVINCE="JKT"
export KEY_CITY="Jakarta"
export KEY_ORG="lifebit.me"
export KEY_EMAIL="scylla@lifebit.me"
export KEY_CN=vpn.lifebit.me
export KEY_NAME=lifebit.me
export KEY_OU=lifebit.me
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=666666
```
After editing and saving:
source ./vars
./vars
./clean-all
./build-ca
```
Generating a 384 bit RSA private key
.++++++++++++++++++
................++++++++++++++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JKT]:
Locality Name (eg, city) [Jakarta]:
Organization Name (eg, company) [lifebit.me]:
Organizational Unit Name (eg, section) [lifebit.me]:
Common Name (eg, your name or your server's hostname) [vpn.lifebit.me]:
Name [lifebit.me]:
Email Address [scylla@lifebit.me]:
```
./build-key-server vpn.lifebit.me
Note that when you run the build-key-server command above, its argument must match the Common Name, i.e. KEY_CN, which is vpn.lifebit.me
```
Generating a 384 bit RSA private key
............++++++++++++++++++
..++++++++++++++++++
writing new private key to 'vpn.lifebit.me.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JKT]:
Locality Name (eg, city) [Jakarta]:
Organization Name (eg, company) [lifebit.me]:
Organizational Unit Name (eg, section) [lifebit.me]:
Common Name (eg, your name or your server's hostname) [vpn.lifebit.me]:
Name [lifebit.me]:
Email Address [scylla@lifebit.me]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:'JKT'
localityName          :PRINTABLE:'Jakarta'
organizationName      :PRINTABLE:'lifebit.me'
organizationalUnitName:PRINTABLE:'lifebit.me'
commonName            :PRINTABLE:'vpn.lifebit.me'
name                  :PRINTABLE:'lifebit.me'
emailAddress          :IA5STRING:'scylla@lifebit.me'
Certificate is to be certified until Jan 4 06:27:10 2022 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
./build-dh
Next, create the server configuration file:
cd /etc/openvpn
vi udp53.conf
My server configuration looks roughly like this:
```
port 53
proto udp
dev tun
ca easy-rsa/2.0/keys/ca.crt
cert easy-rsa/2.0/keys/vpn.lifebit.me.crt
key easy-rsa/2.0/keys/vpn.lifebit.me.key
dh easy-rsa/2.0/keys/dh384.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.53.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 208.67.220.220"
keepalive 2 30
comp-lzo
cipher none
persist-key
persist-tun
status udp53.log
verb 3
```
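An added example (not from the original post): a small shell audit that flags the weakened settings in the vars file and the server configuration above, namely the 384-bit key and DH sizes, `cipher none`, password-only client authentication and the reuse of the system `login` PAM service. The finding labels and the 2048-bit threshold are assumptions of this example, and the sample input is constructed from the lines shown on this page.

```shell
#!/bin/sh
# Added example, not from the original post. The finding labels (WEAKKEY,
# WEAKDH, NOENC, NOCERT, PAMLOGIN) and the 2048-bit floor are choices made here.

# audit_openvpn FILE... : print one finding per weakened setting found in
# easy-rsa "vars" files and OpenVPN server/client configuration files.
audit_openvpn() {
  awk -v min=2048 '
    { sub(/[;#].*/, "") }                      # drop comments before matching
    $1 == "export" && $2 ~ /^KEY_SIZE=/ {
      split($2, kv, "="); bits = kv[2] + 0
      if (bits < min) print "WEAKKEY: " bits "-bit RSA keys (KEY_SIZE)"
    }
    $1 == "dh" && match($2, /dh[0-9]+\.pem$/) {
      bits = substr($2, RSTART + 2, RLENGTH - 6) + 0   # digits in dhNNN.pem
      if (bits < min) print "WEAKDH: " bits "-bit DH parameters"
    }
    $1 == "cipher" && tolower($2) == "none" {
      print "NOENC: data channel is sent unencrypted (cipher none)"
    }
    $1 == "client-cert-not-required" {
      print "NOCERT: clients are authenticated by password only"
    }
    $1 == "plugin" && $2 ~ /auth-pam/ && $3 ~ /(^|\/)login$/ {
      print "PAMLOGIN: VPN logins use the system login PAM service"
    }
  ' "$@"
}

# Constructed sample input: the settings shown in this post, reduced to the
# lines the audit looks at.
demo() {
  d=$(mktemp -d) || return 1
  printf 'export KEY_SIZE=384\nexport CA_EXPIRE=3650\n' > "$d/vars"
  cat > "$d/udp53.conf" <<'EOF'
port 53
proto udp
dh easy-rsa/2.0/keys/dh384.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
cipher none
EOF
  audit_openvpn "$d/vars" "$d/udp53.conf"
  rm -rf "$d"
}
demo
```

Run it against the real files with `audit_openvpn /etc/openvpn/easy-rsa/2.0/vars /etc/openvpn/udp53.conf`; a configuration that produces no output has none of these five settings.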
After editing and saving, restart the openvpn service:
/etc/init.d/openvpn restart
At this point the OpenVPN service is running and clients can log in, but they cannot reach the internet yet because their traffic is not being forwarded. To fix that, edit /etc/rc.local:
vi /etc/rc.local
and add this script:
```
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 10.53.0.0/24 -j SNAT --to 209.141.55.165
```
10.53.0.0/24 is the VPN's local network address that I entered in udp53.conf earlier, while 209.141.55.165 is my server's public IP. After editing and saving:
sh /etc/rc.local
Next, create a user for logging in to the VPN:
useradd -m -s /bin/false scylla
The server-side configuration is done; now configure the client. Because there are several client applications for connecting to an OpenVPN server (OpenVPN, Viscosity, etc.) on different platforms (Linux, Windows, Mac OSX), I will only show the configuration in general terms. How to install it, where its configuration lives, etc., you can look up and try out yourself. Or you can ask in the comment section below.
```
## Sample OpenVPN client configuration (*.ovpn) ##
client
dev tun
proto udp #protocol
remote 209.141.55.165 53 #server IP address and port
resolv-retry infinite
route-method exe
nobind
persist-key
persist-tun
ca ca.crt #this is the file we download from the server; it goes in the same folder.
auth-user-pass
comp-lzo
cipher none #disable encryption
verb 3
```
On the client side, the only thing we need is the ca.crt file from the server, so don't forget to copy / download it to the client first.
Whoa.. wow.. compare that with my post that never got finished.. it only got as far as the install :lol:
Come on, even then the solution was only because you switched computers.. try it on the same computer, I'm sure it would never have been posted :P