In this tutorial we will install OpenVPN on Debian 7 Wheezy. The steps for installing OpenVPN on an OpenVZ VPS running Debian 7 are given below.
Step 1:
Check whether TUN is already enabled
cat /dev/net/tun
If the error
cat: /dev/net/tun: File descriptor in bad state
appears, TUN is already enabled and OpenVPN can be used; if not, contact your VPS provider to enable TUN/TAP.
Step 2:
Update Debian and upgrade the installed packages
apt-get clean all; apt-get update; apt-get upgrade
Step 3:
Install the OpenVPN package and its dependencies
apt-get install openvpn libssl-dev openssl iptables-persistent curl apache2 -y
Step 4:
Delete any existing keys and generate new ones. The easy-rsa commands below are run from /etc/openvpn/easy-rsa/2.0 (the path that appears in the command output further down; if that directory does not exist yet, copy it from /usr/share/doc/openvpn/examples/easy-rsa/2.0, where Debian's openvpn package ships easy-rsa):
cd /etc/openvpn/easy-rsa/2.0
. ./vars >/dev/null
./clean-all >/dev/null
source ./vars >/dev/null
Generate the CA
./build-ca
## output of the command above
Generating a 1024 bit RSA private key
......................++++++
.............................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [mail@host.domain]:
Just leave the defaults ;) Press Enter for every question.
Generate the server key and certificate
./build-key-server server
## output of the command above
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'server'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec 8 15:17:49 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generate the DH parameters
./build-dh
## output of the command above
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
............................................+..........+...........+..................................................................................................+............................................+.....................................................+.......+............................................................................++*++*++*
Copy the certificates we just created to /etc/openvpn
cp /etc/openvpn/easy-rsa/2.0/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
The OpenVPN configuration file is /etc/openvpn/openvpn.conf; delete the existing file and create a new one with the contents below
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 4.2.2.1"
push "dhcp-option DNS 4.2.2.2"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group daemon
daemon
Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
Step 5: Configure iptables
Run the commands below to configure iptables
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 192.168.1.1
iptables-save > /etc/iptables.conf
Replace 192.168.1.1 with your server's IP address; you can find it with the command
curl cekwhois.com/ip.php
Step 6: Adding an OpenVPN client
Suppose the client we are adding is named perkis01
./build-key perkis01
## output of the command above
Generating a 1024 bit RSA private key
.......++++++
..........++++++
writing new private key to 'perkis01.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [perkis01]:
Name [changeme]:
Email Address [mail@host.domain]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'CA'
localityName :PRINTABLE:'SanFrancisco'
organizationName :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'changeme'
commonName :PRINTABLE:'perkis01'
name :PRINTABLE:'changeme'
emailAddress :IA5STRING:'mail@host.domain'
Certificate is to be certified until Dec 8 15:26:05 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Client configuration file; save it as perkis01.ovpn in /etc/openvpn/easy-rsa/2.0/keys/, where the archive command further down expects it
client
remote 192.168.1.1 1194
dev tun
comp-lzo
ca ca.crt
cert perkis01.crt
key perkis01.key
route-delay 2
route-method exe
redirect-gateway def1
verb 3
Replace 192.168.1.1 with your server's IP address; you can find it with the command
curl cekwhois.com/ip.php
Save all the client's configuration files in /var/www/perkis01.tar.gz
cd /etc/openvpn/easy-rsa/2.0/keys/
tar zcvf /var/www/perkis01.tar.gz {ca.crt,ca.key,perkis01.crt,perkis01.csr,perkis01.key,perkis01.ovpn}
cd -
Download your configuration file in a browser from IPVPS/perkis01.tar.gz (IPVPS is your VPS's IP address). As an example, I will connect to the VPN server from Fedora 20
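The archive above also ships ca.key, the CA's private key, which no client needs and which must stay on the server. The helper below, added here and not part of the original tutorial, writes the client's .ovpn and packs only ca.crt, the client's certificate and key, and the .ovpn. It assumes the tutorial's directory layout, takes the client name, server IP, key directory and output directory as hypothetical parameters, adds remote-cert-tls server (the fix for the "No server certificate verification method" warning in the client log further down), and drops route-method exe, which the OpenVPN manual documents as Windows-only.

```shell
# Added helper (not from the original tutorial): build a client bundle that
# excludes the CA private key.
# usage: make_client_bundle NAME SERVER_IP KEYDIR OUTDIR
make_client_bundle() {
    name="$1"; server_ip="$2"; keydir="$3"; outdir="$4"
    # A client needs the CA *certificate* plus its own cert and key only;
    # ca.key and the .csr are deliberately not packed.
    for f in ca.crt "$name.crt" "$name.key"; do
        [ -f "$keydir/$f" ] || { echo "missing $keydir/$f" >&2; return 1; }
    done
    # Client config from the tutorial with the remote filled in per client.
    # remote-cert-tls server is an addition: it makes the client check the
    # server certificate's extended key usage (easy-rsa's build-key-server
    # sets it), closing the MITM warning seen in the client log.
    # route-method exe is omitted: it is a Windows-only directive.
    cat > "$keydir/$name.ovpn" <<EOF
client
remote $server_ip 1194
dev tun
comp-lzo
ca ca.crt
cert $name.crt
key $name.key
remote-cert-tls server
route-delay 2
redirect-gateway def1
verb 3
EOF
    # pack exactly the four files the client needs
    tar -C "$keydir" -czf "$outdir/$name.tar.gz" \
        ca.crt "$name.crt" "$name.key" "$name.ovpn"
}

# Returns 0 when the archive does not contain ca.key; use it before
# publishing an archive under /var/www.
bundle_is_clean() {
    ! tar -tzf "$1" | grep -qx 'ca.key'
}
```

Delete the archive from /var/www once the client has fetched it, since Apache serves it to anyone who guesses the name.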
wget IPVPS/perkis01.tar.gz
## output of the command above
--2013-12-10 22:54:49-- http://xxx.xxx.xxx.xxx/perkis01.tar.gz
Connecting to xxx.xxx.xxx.xxx:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4523 (4.4K) [application/x-gzip]
Saving to: ‘perkis01.tar.gz’
100%[=============================================================================================>] 4,523 --.-K/s in 0.009s
2013-12-10 22:54:49 (513 KB/s) - ‘perkis01.tar.gz’ saved [4523/4523]
Extract the perkis01.tar.gz file downloaded above
tar zxvf perkis01.tar.gz
## output of the command above
ca.crt
ca.key
perkis01.crt
perkis01.csr
perkis01.key
perkis01.ovpn
Now start OpenVPN
su -c "openvpn --config perkis01.ovpn "
If prompted for a password, enter your password. Output of the command above:
Tue Dec 10 22:56:40 2013 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Sep 12 2013
Tue Dec 10 22:56:40 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 10 22:56:40 2013 Socket Buffers: R=[212992->131072] S=[212992->131072]
Tue Dec 10 22:56:40 2013 UDPv4 link local (bound): [undef]
Tue Dec 10 22:56:40 2013 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Dec 10 22:56:40 2013 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=964bf497 301c1644
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:42 2013 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=server, name=changeme, emailAddress=mail@host.domain
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 10 22:56:46 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 10 22:56:46 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Dec 10 22:56:46 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 10 22:56:46 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue Dec 10 22:56:46 2013 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Dec 10 22:56:48 2013 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Tue Dec 10 22:56:48 2013 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,redirect-gateway,dhcp-option DNS 4.2.2.1,dhcp-option DNS 4.2.2.2,route 10.8.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5'
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: route options modified
Tue Dec 10 22:56:48 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Dec 10 22:56:48 2013 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlp3s0 HWADDR=74:2f:68:b5:1b:f8
Tue Dec 10 22:56:48 2013 TUN/TAP device tun0 opened
Tue Dec 10 22:56:48 2013 TUN/TAP TX queue length set to 100
Tue Dec 10 22:56:48 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Dec 10 22:56:48 2013 /usr/sbin/ip link set dev tun0 up mtu 1500
Tue Dec 10 22:56:48 2013 /usr/sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add xxx.xxx.xxx.xxx/32 via 192.168.1.1
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 10.8.0.0/24 via 10.8.0.5
Tue Dec 10 22:56:51 2013 /usr/sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Tue Dec 10 22:56:51 2013 Initialization Sequence Completed
Done: the OpenVPN installation on Debian 7 worked perfectly.