posted by | Posted in Education Networking | Posted on Kamis, 28 Mei 2009
From site tetangga http://devi.ft-untirta.ac.id/ (buat catatan jk d perlukan nantinya)
Hal yang perlu diperhatikan adalah :
1. Jika server VPN dapat diakses dari jaringan PUBLIC/Internet, maka vpn server harus menggunakan IP Public.
2. Pada PC Server VPN diincludkan Firewall dengan dua Interface jaringan, yang satu menggunakan IP Public dan yang satunya untuk akses server-server dibawahnya, contohnya : webserver, voip server, email server dan sebagainy.
3. Untuk keamanan jaringan voip sebaiknya Server Asterisk IP PBX tidak menyatu dalam 1 PC Server VPN karena hal ini akan mempengaruhi kualitas suara yang dihasilkan dari Sistem VoIP tersebut
Konfigurasi Server VPN
#apt-get install openvpn
//masuk ke folder 2.0
#cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
#nano vars
//tambahkan dipaling bawah seperti ini!
export KEY_COUNTRY="ID"
export KEY_PROVINCE="BANTEN"
export KEY_CITY="Cilegon"
export KEY_ORG="ICT"
export KEY_EMAIL="aples@localhost"
//edit file excited, waktu berakhir sertifikat dalam hari
# In how many days should the root CA key expire?
export CA_EXPIRE=288
# In how many days should certificates expire?
export KEY_EXPIRE=288
//Buat Certificate Authority (CA)
#source ./vars
#./clean-all
#build-ca //Anda bisa mengetikan 'yes' untuk konfirmasi, jika ditanyakan password isi sesuai dengan keinginan atau bisa juga tidak.
//Lihat keys apakah sudah di generate
# ls -l /etc/openvpn/keys
//Jika berhasil maka Akan terlihat file berikut
ca.crt
ca.key
index.txt
serial
//Buat Server Key //Anda bisa mengetikan 'yes' untuk konfirmasi, jika ditanyakan password isi sesuai dengan keinginan atau bisa juga tidak.
#./build-key-server server
//Certificate is to be certified until Jan 13 03:34:36 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
//Buat Key client-client yang akan mengakses VPN server, contoh kampus cilegon, kampus serang, kampus pandeglang. Yang harus dilakukan sama dengan membuat key server.
#./build-dh //Ini akan membutuhkan waktu sedikit lama, jadi sabar saja untuk menunggu hingga selesai.
//Seluruh key dibuat masih pada folder server vpn di /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/*, untuk itu kita perlu mengcopy seluruhnya ke /etc/openvpn/
#cp keys/* /etc/openvpn/
//kita memerlukan server.conf di /etc/openvpn/ namun belum tersedia, oleh karenanya kita dapat mengambil dari contoh yang sudah ada untuk kemudian di copykan ke /etc/openvpn/
#cd /usr/share/doc/openvpn/examples/sample-config-files/
#cp server.conf.gz /etc/openvpn
#cd /etc/openvpn/
#gunzip server.conf.gz
#nano server.conf //yang perlu diconfigurasi adalah :
# Which local IP address should OpenVPN listen on? (optional)
local 192.168.2.60 //IP Server VPN
# Which TCP/UDP port should OpenVPN listen on?
port 1194# TCP or UDP server?
proto udp# "dev tun" will create a routed IP tunnel, which is what we want
dev tun# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
ca ca.crt //dengan asumsi file ca.crt satu folder dengan server.conf ini yaitu di /etc/openvpn/
cert server.crt //dengan asumsi file server.crt satu folder dengan server.conf ini yaitu di /etc/openvpn/
key server.key //dengan asumsi file server.key satu folder dengan server.conf ini yaitu di /etc/openvpn/
# This file should be kept secret
# Diffie hellman parameters.
dh dh1024.pem //dengan asumsi file dh dh1024.pem satu folder dengan server.conf ini yaitu di /etc/openvpn/# Configure server mode and supply a VPN subnet
server 10.8.0.0 255.255.255.0# Maintain a record of client <-> virtual IP address
# associations in this file.
ifconfig-pool-persist ipp.txt# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
# push âroute 172.10.1.0 255.255.255.0"
# push âroute 192.168.0.0 255.255.255.0"
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
; push "redirect-gateway"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.
;push "dhcp-option DNS 172.10.1.2"
# Uncomment this directive to allow different
# clients to be able to âseeâ
client-to-client# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120# For extra security beyond that provided
# by SSL/TLS, create an âHMAC firewallâ
# to help block DoS attacks and UDP port flooding.
; tls-auth keys/ta.key 0 # This file is secret
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES# Enable compression on the VPN link.
comp-lzo //Jika tidak diaktifkan ping tidak akan jalan namun terlihat connected# The maximum number of concurrently connected
# clients we want to allow.
max-clients 250 //Jumlah maksimal client yang dapat ditangani oleh vpn server# It's a good idea to reduce the OpenVPN
# daemonâs privileges after initialization.
user nobody
group nogroup# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun# Output a short status file showing
status openvpn-status.log
log-append openvpn.log# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb3# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
# mute 20
//Copy klient yang dimaksud (client1,*, dh1024.pem, ca.*) yang telah dibuat di /usr/share/doc/openvpn/examples/easy-rsa/2.0/ keys/ ke masing-masing PC VPN Client /etc/openvpn, sesuaikan dengan nama clientnya, misalnya jakarta.*
#cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/ keys/
//Kita copykan dari server vpn ke client vpn secara remote dengan perintah :
#scp -r client1,*, dh1024.pem, ca.* root@ipclient1:/etc/openvpn/
//Cara menjalankan VPN server dengan server.conf
#openvpn --config /etc/openvpn/server.conf
//atau
#/etc/init.d/openvpn start
//Konfigurasi disisi PC klien VPN
#apt-get install openvpn
//kita memerlukan client.conf di /etc/openvpn/ namun belum tersedia, oleh karenanya kita dapat mengambil dari contoh yang sudah ada untuk kemudian di copykan ke /etc/openvpn/
#cd /usr/share/doc/openvpn/examples/sample-config-files/
#cp client.conf /etc/openvpn/
#nano client.conf //yang perlu diconfigurasi adalah
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
; dev tap
dev tun# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
; dev-node MyTap# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
proto udp# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
;remote my-server-2 1194
remote 192.168.2.60 1194 //Merupakan IP VPN server, jika IP Public maka isikan dengan IP Public VPN Server# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite# Most clients don't need to bind to
# a specific local port number.
nobind# Try to preserve some state across restarts.
persist-key
persist-tun# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt //dengan asumsi file ca.crt satu folder dengan client.conf ini yaitu di /etc/openvpn/
cert client.crt //dengan asumsi file client.crt satu folder dengan client.conf ini yaitu di /etc/openvpn/
key client.key //dengan asumsi file client.key satu folder dengan client.conf ini yaitu di /etc/openvpn/# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
;cipher AES-128-CBC# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo# Set log file verbosity.
verb 3# Silence repeating messages
;mute 20
//Cara menjalankan VPN client dengan client.conf
#openvpn --config /etc/openvpn/client.conf
//atau
#/etc/init.d/openvpn start
//untuk testing silahkan ping ke masing-masing IP VPN (10.8.0.x)
Artikel lainnya yg sejenis VPN dengan OpenSwan
Comments (0)
Posting Komentar