VIRTUAL PRIVATE NETWORK with Open VPN (server)

21 Aug

SERVER GATEWAY & OPENVPN
1. Install the required RPMs
The "V3 DSA signature: NOKEY" warnings in the output below mean rpm could not verify the package signatures, because the repository's signing key (Dag Wieers, key ID 6b8d79e6) was never imported. Import it with rpm --import before installing, so that a modified package fails verification instead of being installed with a warning.
http://dag.wieers.com/rpm/packages/lzo2/
[root@router test]# rpm -Uvh lzo2-2.02-3.el4.rf.i386.rpm lzo2-devel-2.02-3.el4.rf.i386.rpm
warning: lzo2-2.02-3.el4.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing… ########################################### [100%]
1:lzo2 ########################################### [ 50%]
2:lzo2-devel ########################################### [100%]

http://dag.wieers.com/rpm/packages/openvpn/
[root@router test]# rpm -Uvh openvpn-2.0.9-1.el4.rf.i386.rpm
warning: openvpn-2.0.9-1.el4.rf.i386.rpm: V3 DSA signature: NOKEY, key ID 6b8d79e6
Preparing… ########################################### [100%]
1:openvpn ########################################### [100%]

2. CA configuration
[root@router test]# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa /etc/openvpn/
[root@router test]# cd /etc/openvpn/easy-rsa
[root@router easy-rsa]# vim vars
export D=`pwd`
export KEY_CONFIG=$D/openssl.cnf
export KEY=$D/keys
export KEY_SIZE=1024
export KEY_COUNTRY=ID
export KEY_PROVINCE=JAWATIMUR
export KEY_CITY=SURABAYA
export KEY_ORG="ISCUBS"
export KEY_EMAIL="setijo@gmail.com"
export KEY_OU="IT"
export KEY_COMMON="ubslinux.com"

KEY_SIZE=1024 is the easy-rsa default of the time, but 1024-bit RSA is no longer adequate: on a new installation set KEY_SIZE=2048. build-dh then takes considerably longer and writes dh2048.pem, which is the file name server.conf must reference instead of dh1024.pem.

[root@router easy-rsa]# chmod u+x *
[root@router easy-rsa]# source ./vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/keys
[root@router easy-rsa]# ./clean-all

3. Build CA
[root@router easy-rsa]# ./build-ca
Generating a 1024 bit RSA private key
…………++++++
……………………………..++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JAWATIMUR]:
Locality Name (eg, city) [SURABAYA]:
Organization Name (eg, company) [ISCUBS]:
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ubslinux.com
Email Address [setijo@gmail.com]:

4. Build the server key
Use build-key-server rather than build-key for the server certificate: it signs with the "server" extensions section of easy-rsa's openssl.cnf, which sets nsCertType=server, so a client configured with ns-cert-type server refuses to complete the handshake with anything that presents a mere client certificate (a stolen myclient1.crt, for instance). The challenge password asked for below is only a CSR attribute that the easy-rsa CA ignores; it does not encrypt isc.key and can be left blank.
[root@router easy-rsa]# ./build-key-server isc
Generating a 1024 bit RSA private key
…………………………………………..++++++
……++++++
writing new private key to 'isc.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JAWATIMUR]:
Locality Name (eg, city) [SURABAYA]:
Organization Name (eg, company) [xxx]:
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ubslinux.com
Email Address [setijo@gmail.com]:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:'ID'
stateOrProvinceName :PRINTABLE:'JAWATIMUR'
localityName :PRINTABLE:'SURABAYA'
organizationName :PRINTABLE:'xxx'
organizationalUnitName:PRINTABLE:'IT'
commonName :PRINTABLE:'ubslinux.com'
emailAddress :IA5STRING:'setijo@gmail.com'
Certificate is to be certified until Jul 7 08:17:47 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@router easy-rsa]#

5. Generate Diffie Hellman parameter
[root@router easy-rsa]# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...........+...............+..+..........+..................++*++*++*

6. OpenVPN configuration
Two things to check before copying this configuration: isc.key is the server's private key and must stay readable by root only (chmod 600 /etc/openvpn/isc.key after copying it), and proto tcp is only worth choosing when UDP 1194 is blocked somewhere on the path, since tunnelling TCP inside TCP makes both layers retransmit on loss; the sample server.conf ships with proto udp for that reason.
[root@router easy-rsa]# cd /etc/openvpn
[root@router openvpn]# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
[root@router openvpn]# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/
[root@router openvpn]# cp /etc/openvpn/easy-rsa/keys/isc.key /etc/openvpn/
[root@router openvpn]# cp /etc/openvpn/easy-rsa/keys/isc.crt /etc/openvpn/
[root@router openvpn]# cp /etc/openvpn/easy-rsa/keys/dh1024.pem /etc/openvpn/
[root@router openvpn]# vim /etc/openvpn/server.conf
############################################################################
# server openvpn
############################################################################
port 1194
proto tcp
dev tun
ca ca.crt
cert isc.crt
key isc.key
dh dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.20.0.0 255.255.0.0"

client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
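
The shell script below is an added example, not code from the original post: it audits a server.conf for the weak spots in the configuration above (TCP transport, 1024-bit DH parameters, no tls-auth, no explicit cipher so OpenVPN 2.0.x falls back to BF-CBC, a missing privilege drop, a private key readable by others) and writes the corrected settings beside them. It assumes only POSIX sh, grep, sed, find and mktemp. The sample configuration it writes is a copy of the server.conf above, constructed for the demonstration, with an empty isc.key standing in for the real key; tls-auth, cipher and openvpn --genkey --secret are OpenVPN 2.0 options, and dh2048.pem assumes build-dh was run with KEY_SIZE=2048. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: audit an OpenVPN 2.0-era
# server.conf for weak settings and show the hardened counterpart.
# Assumes only POSIX sh, grep, sed, find and mktemp.

# audit_openvpn_conf CONF: print one finding per line; prints nothing
# when the configuration passes every check.
audit_openvpn_conf() {
    conf=$1
    dir=$(dirname "$conf")

    # TCP inside TCP: both layers retransmit on loss. UDP is the sample default.
    if grep -Eq '^proto[[:space:]]+tcp' "$conf"; then
        echo "proto tcp: prefer 'proto udp' unless UDP 1194 is blocked on the path"
    fi
    # 1024-bit DH parameters (dh1024.pem) are too small for a new deployment.
    if grep -Eq '^dh[[:space:]]+.*1024' "$conf"; then
        echo "dh: 1024-bit parameters; rerun build-dh with KEY_SIZE=2048 and use dh2048.pem"
    fi
    # Without tls-auth any host on the Internet can start a TLS handshake.
    if ! grep -Eq '^tls-auth[[:space:]]' "$conf"; then
        echo "tls-auth: missing; 'openvpn --genkey --secret ta.key', then add 'tls-auth ta.key 0'"
    fi
    # With no cipher line OpenVPN 2.0.x silently uses BF-CBC (64-bit blocks).
    if ! grep -Eq '^cipher[[:space:]]' "$conf"; then
        echo "cipher: not set (default BF-CBC); add 'cipher AES-256-CBC'"
    fi
    # The daemon should drop root once the tunnel is up.
    if ! grep -Eq '^user[[:space:]]+nobody' "$conf" \
        || ! grep -Eq '^group[[:space:]]+nobody' "$conf"; then
        echo "user/group: daemon keeps root; add 'user nobody' and 'group nobody'"
    fi
    # The server private key must be readable by root only. A relative path
    # resolves against the directory holding the config, as the init script does.
    key=$(sed -n 's/^key[[:space:]][[:space:]]*//p' "$conf" | head -n 1)
    case $key in /*) ;; *) key="$dir/$key" ;; esac
    if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "key: $key is readable by group or others; chmod 600 it"
    fi
}

# harden_conf IN OUT: rewrite IN with the corrections above into OUT.
# (The key file mode is fixed with chmod, not by editing the config.)
harden_conf() {
    sed -E -e 's/^proto[[:space:]]+.*/proto udp/' \
           -e 's/^dh[[:space:]]+.*/dh dh2048.pem/' "$1" > "$2"
    printf '%s\n' 'tls-auth ta.key 0' 'cipher AES-256-CBC' >> "$2"
}

# write_sample_conf DIR: constructed test input, a copy of the post's
# server.conf plus an empty, world-readable isc.key standing in for the key.
write_sample_conf() {
    cat > "$1/server.conf" <<'EOF'
port 1194
proto tcp
dev tun
ca ca.crt
cert isc.crt
key isc.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.20.0.0 255.255.0.0"
client-to-client
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
    : > "$1/isc.key"
    chmod 644 "$1/isc.key"
}

# Demonstration against a temporary directory.
d=$(mktemp -d)
write_sample_conf "$d"
echo "== findings for the post's server.conf =="
audit_openvpn_conf "$d/server.conf"
harden_conf "$d/server.conf" "$d/server-hardened.conf"
chmod 600 "$d/isc.key"
echo "== findings after hardening (expect none) =="
audit_openvpn_conf "$d/server-hardened.conf"
rm -rf "$d"
```

Run it from any directory; pointing audit_openvpn_conf at /etc/openvpn/server.conf on the router reports the same five findings for the configuration above. client-to-client is deliberately not flagged: it lets VPN clients reach each other directly through the server, which is a policy decision rather than a mistake, but it should be removed when clients only need the 172.20.0.0/16 network.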

7. Starting the VPN server
[root@router openvpn]# service openvpn restart
Shutting down openvpn: [ OK ]
Starting openvpn: [ OK ]

8. Generate keys and certificates for the clients
Run build-key once per client, with a distinct Common Name each time: the CA database rejects a second certificate with an identical subject, and on the server the CN is what identifies the client in the status log and in any per-client configuration. Each client receives only its own .key and .crt plus ca.crt, over a channel other than the VPN it is meant to protect; ca.key never leaves the CA.
[root@router easy-rsa]# ./build-key myclient1
Generating a 1024 bit RSA private key
………………………..++++++
…………………………………++++++
writing new private key to 'myclient1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JAWATIMUR]:
Locality Name (eg, city) [SURABAYA]:
Organization Name (eg, company) [xxx]:
Organizational Unit Name (eg, section) []:myclient1
Common Name (eg, your name or your server's hostname) []:myclient1
Email Address [setijo@gmail.com]:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:'ID'
stateOrProvinceName :PRINTABLE:'JAWATIMUR'
localityName :PRINTABLE:'SURABAYA'
organizationName :PRINTABLE:'xxx'
organizationalUnitName:PRINTABLE:'myclient1'
commonName :PRINTABLE:'myclient1'
emailAddress :IA5STRING:'setijo@gmail.com'
Certificate is to be certified until Jul 7 09:08:21 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@router easy-rsa]# ./build-key myclient2
Generating a 1024 bit RSA private key
………++++++
…………++++++
writing new private key to 'myclient2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [JAWATIMUR]:
Locality Name (eg, city) [SURABAYA]:
Organization Name (eg, company) [xxx]:
Organizational Unit Name (eg, section) []:myclient2
Common Name (eg, your name or your server's hostname) []:myclient2
Email Address [setijo@gmail.com]:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:'ID'
stateOrProvinceName :PRINTABLE:'JAWATIMUR'
localityName :PRINTABLE:'SURABAYA'
organizationName :PRINTABLE:'xxx'
organizationalUnitName:PRINTABLE:'myclient2'
commonName :PRINTABLE:'myclient2'
emailAddress :IA5STRING:'setijo@gmail.com'
Certificate is to be certified until Jul 7 09:09:01 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@router easy-rsa]#

9. Set up iptables
iptables -F -t nat empties the whole nat table before the new rule is added; on a gateway that already NATs its LAN, skip the flush and only append the MASQUERADE rule (the -L line merely lists the table). The rule masquerades VPN clients (10.8.0.0/24) leaving through eth1, and ip_forward is what lets the kernel route between tun0 and eth1 at all.
[root@router easy-rsa]# iptables -F -t nat
[root@router easy-rsa]# iptables -L -t nat
[root@router easy-rsa]# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
[root@router easy-rsa]# echo 1 > /proc/sys/net/ipv4/ip_forward

10. Make it run on every reboot
rc.local works, but on CentOS/RHEL the supported way is net.ipv4.ip_forward = 1 in /etc/sysctl.conf and service iptables save, which writes the rules to /etc/sysconfig/iptables so that service iptables restart reloads them as well.
[root@router easy-rsa]# vim /etc/rc.local
/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
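
An added example, not part of the original post, that persists steps 9 and 10 idempotently: it sets net.ipv4.ip_forward in a sysctl.conf-style file, replacing an existing line rather than appending a duplicate, and appends the gateway rules to an rc.local-style file only when they are not already there. The rules it writes go one step beyond the post: VPN clients are only forwarded to the pushed 172.20.0.0/16 route and everything else from the tunnel is dropped, and the nat table is not flushed. The 10.8.0.0/24 VPN network, eth1 and 172.20.0.0/16 are taken from the post; the function names are this example's own, and the demo runs against temporary files rather than /etc. It assumes POSIX sh, grep, sed and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: make the gateway settings of
# steps 9 and 10 persistent and idempotent. Assumes POSIX sh, grep, sed and
# mktemp; file paths are arguments so the demo can run against temp files.

# set_sysctl FILE KEY VALUE: set "KEY = VALUE" in a sysctl.conf-style file,
# replacing an existing (possibly commented-out) line or appending one.
# 'sysctl -p FILE' applies it now; the file is applied again at boot.
set_sysctl() {
    file=$1 key=$2 value=$3
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')     # dots are literal in KEY
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$esc[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$esc[[:space:]]*=.*|$key = $value|" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# add_line_once FILE LINE: append LINE unless an identical line exists
# (whole-line, fixed-string match), so repeated runs do not stack rules.
add_line_once() {
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# vpn_gateway_rules VPN_NET WAN_IF LAN_NET: the iptables commands for the
# gateway. Unlike the post, the nat table is not flushed first, and VPN
# clients are only forwarded to the LAN the server pushes a route for.
vpn_gateway_rules() {
    vpn=$1 wan=$2 lan=$3
    cat <<EOF
/sbin/iptables -A FORWARD -i tun+ -s $vpn -d $lan -j ACCEPT
/sbin/iptables -A FORWARD -o tun+ -d $vpn -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i tun+ -j DROP
/sbin/iptables -t nat -A POSTROUTING -s $vpn -o $wan -j MASQUERADE
EOF
}

# persist_vpn_gateway SYSCTL_FILE RC_FILE VPN_NET WAN_IF LAN_NET
persist_vpn_gateway() {
    set_sysctl "$1" net.ipv4.ip_forward 1
    vpn_gateway_rules "$3" "$4" "$5" | while IFS= read -r rule; do
        add_line_once "$2" "$rule"
    done
}

# Demonstration on constructed copies of /etc/sysctl.conf and /etc/rc.local.
d=$(mktemp -d)
printf '# constructed sample\nnet.ipv4.ip_forward = 0\n' > "$d/sysctl.conf"
printf '#!/bin/sh\ntouch /var/lock/subsys/local\n' > "$d/rc.local"
persist_vpn_gateway "$d/sysctl.conf" "$d/rc.local" 10.8.0.0/24 eth1 172.20.0.0/16
persist_vpn_gateway "$d/sysctl.conf" "$d/rc.local" 10.8.0.0/24 eth1 172.20.0.0/16
cat "$d/sysctl.conf" "$d/rc.local"     # one ip_forward line, each rule once
rm -rf "$d"
```

On the router itself the call would be persist_vpn_gateway /etc/sysctl.conf /etc/rc.local 10.8.0.0/24 eth1 172.20.0.0/16, after which sysctl -p and running the printed rules once by hand bring the gateway up without a reboot. The FORWARD rules sit in front of whatever the router already does for its LAN, so their order matters: the DROP for tun+ must stay after the two ACCEPTs.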

1. VIRTUAL PRIVATE NETWORK with Open VPN (introduction)

2. VIRTUAL PRIVATE NETWORK with Open VPN (server)

3. VIRTUAL PRIVATE NETWORK with Open VPN (Linux client)

4. VIRTUAL PRIVATE NETWORK with Open VPN (Windows client)

5. VIRTUAL PRIVATE NETWORK with Open VPN (server login with password)
