OpenVPN belum terdapat di repository bawaan CentOS, jadi untuk menginstallnya harus ditambah repo EPEL
wget http://fedora.dionipe.web.id/epel/6/i386/epel-release-6-8.noarch.rpm yum localinstall epel-release-6-8.noarch.rpm
Install OpenVPN
Install OpenVPN dengan cara
yum install openvpn easy-rsa bridge-utils
Generate Certificate
Agar client dan server OpenVPN bisa berkomunikasi, dibutuhkan sertifikat di kedua pihak, maka kita akan menggenerate sertifikat untuk client dan server.
Buat folder tempat menyimpan keys
mkdir -p /etc/openvpn/easy-rsa/keys cp -r /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Untuk mempersingkat waktu tanpa perlu menginput Negara, Email, dll edit file vars (/etc/openvpn/easy-rsa/vars) sesuaikan bagian dibawah ini sesuai dengan keinginan anda
export KEY_COUNTRY="ID" export KEY_PROVINCE="Jakarta" export KEY_CITY="Jakarta" export KEY_ORG="Jaranguda Simalem" export KEY_EMAIL="[email protected]" export KEY_OU="DevSSL"
file diatas sebenarnya tidak terlalu berpengaruh, jadi bisa saja dibiarkan default.
inisialisasi awal
cd /etc/openvpn/easy-rsa/ source ./vars ./clean-all
build ca dan key
./build-ca
output perintah diatas
Generating a 2048 bit RSA private key ...................................+++ ....+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [ID]: State or Province Name (full name) [Jakarta]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Jaranguda Simalem]: Organizational Unit Name (eg, section) [DevSSL]: Common Name (eg, your name or your server's hostname) [Jaranguda Simalem CA]: Name [EasyRSA]: Email Address [[email protected]]:
Country Name, State, Locality semua pertanyaan diatas cukup di tekan tombol Enter di keyboard, karena sudah kita setting sebelumnya.
build certificate server
./build-key-server server
output perintah diatas
Generating a 2048 bit RSA private key .......+++ .....................+++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [ID]: State or Province Name (full name) [Jakarta]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Jaranguda Simalem]: Organizational Unit Name (eg, section) [DevSSL]: Common Name (eg, your name or your server's hostname) [server]: Name [EasyRSA]: Email Address [[email protected]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'ID' stateOrProvinceName :PRINTABLE:'Jakarta' localityName :PRINTABLE:'Jakarta' organizationName :PRINTABLE:'Jaranguda Simalem' organizationalUnitName:PRINTABLE:'DevSSL' commonName :PRINTABLE:'server' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'[email protected]' Certificate is to be certified until Apr 18 07:07:36 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Generate certificate untuk Client
Contoh kita akan membuat user OpenVPN dengan nama jaranguda01
./build-key jaranguda01
output perintah diatas
Generating a 2048 bit RSA private key ..................................+++ .....................................................................................................+++ writing new private key to 'jaranguda01.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [ID]: State or Province Name (full name) [Jakarta]: Locality Name (eg, city) [Jakarta]: Organization Name (eg, company) [Jaranguda Simalem]: Organizational Unit Name (eg, section) [DevSSL]: Common Name (eg, your name or your server's hostname) [jaranguda01]: Name [EasyRSA]: Email Address [[email protected]]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'ID' stateOrProvinceName :PRINTABLE:'Jakarta' localityName :PRINTABLE:'Jakarta' organizationName :PRINTABLE:'Jaranguda Simalem' organizationalUnitName:PRINTABLE:'DevSSL' commonName :PRINTABLE:'jaranguda01' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'[email protected]' Certificate is to be certified until Apr 18 07:11:45 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
Generate DH
./build-dh
Semua file untuk client dan server sudah di-generate, sekarang bagian konfigurasi.
Copy semua file dari folder keys ke openvpn
cd /etc/openvpn/easy-rsa/keys/ cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
File konfigurasi Server OpenVPN
Copy file server.conf dari file doc bawaan OpenVPN
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn/
buka file server.conf, edit bagian
;proto tcp proto udp ;push "redirect-gateway def1 bypass-dhcp" ;push "dhcp-option DNS 208.67.222.222" ;push "dhcp-option DNS 208.67.220.220"
menjadi
proto tcp ;proto udp push "redirect-gateway def1 bypass-dhcp" push "dhcp-option DNS 208.67.222.222" push "dhcp-option DNS 208.67.220.220"
Aktifkan Port Forwarding
buka file /etc/sysctl.conf
edit
net.ipv4.ip_forward = 0
menjadi
net.ipv4.ip_forward = 1
aktifkan perubahan diatas dengan
sysctl -paktifkan fitur routing trafic di iptables
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 107.xx.xx.xxx
ganti 107.xx.xx.xxx dengan IP server anda.
jalankan OpenVPN
service openvpn start
Client OpenVPN
Tahap instalasi OpenVPN di server sudah selesai, sekarang masuk bagian client. Disini file yang harus diambil dari server adalah ca.crt, client.crt dan client.key. Bisa di copy lewat FTP, SSH atau lainnya. Kalo mau gampangnya install apache
login ke server OpenVPN
yum install httpd -y service httpd start
kompress file server.crt jaranguda01.crt jaranguda01.key ke jaranguda.tar.gz
cd /etc/openvpn/easy-rsa/keys tar zcvf jaranguda.tar.gz jaranguda01.crt jaranguda01.key server.crt
pidahkan file jaranguda.tar.gz ke folder /var/www/html
cp jaranguda.tar.gz /var/www/html/
sekarang kembali ke client, disini kita akan menggunakan Linux juga :D download file jaranguda.tar.gz yang ada di IP.Server/jaranguda.tar.gz
wget 107.xxx.xxx.xxx/jaranguda.tar.gz
ekstrak file tersebut
tar zxvf jaranguda.tar.gz
Client Config
jaranguda.ovpn
client remote IP.Server 1194 dev tun proto tcp comp-lzo ca ca.crt cert perkis01.crt key perkis01.key route-delay 2 route-method exe redirect-gateway def1 verb 3 cert jaranguda01.crt key jaranguda01.key
jalankan openvpn dengan root
openvpn --config jaranguda.ovpn
pakai ubuntu,,
semua step sudah ok.
sampai dapat crt.
tetapi ketika Download file client OpenVPN..
gi mana tuh ?