Konfigurasi openvpn server di Linux Debian
Konfigurasi openvpn server di Linux Debian dapat mengikuti langkah berikut:
# apt update && apt install openvpn
# sed -i 's/#AUTOSTART="all"/AUTOSTART="all"/' /etc/default/openvpn
# cd /etc/openvpn/
Perintah easyrsa di bawah memerlukan paket easy-rsa; pasang juga paket tersebut jika direktori /usr/share/easy-rsa belum ada.
# /usr/share/easy-rsa/easyrsa init-pki
# cp -a /usr/share/easy-rsa/vars.example /etc/openvpn/pki/vars
# vi /etc/openvpn/pki/vars
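# easy-rsa "vars" file (/etc/openvpn/pki/vars): sourced by easyrsa as shell,
# each set_var overrides the corresponding built-in default.
# In how many days should the root CA key expire?
set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
set_var EASYRSA_CERT_EXPIRE 1825
# How many days until the Certificate Revocation List will expire.
#
# IMPORTANT: When the CRL expires, an OpenVPN Server which uses a
# CRL will reject ALL new connections, until the CRL is replaced.
#
set_var EASYRSA_CRL_DAYS 1095
# Choose a size in bits for your keypairs. The recommended value is 2048.
# Using 2048-bit keys is considered more than sufficient for many years into
# the future. Larger keysizes will slow down TLS negotiation and make key/DH
# param generation take much longer. Values up to 4096 should be accepted by
# most software. Only used when the crypto alg is rsa, see below.
# NOTE: the value must be the last word on the line; a trailing "# ..." glued
# to it (as in "4096# ...") is NOT a shell comment and would be passed to set_var.
set_var EASYRSA_KEY_SIZE 4096
# Build the CA. "nopass" leaves the CA private key without a passphrase, so
# /etc/openvpn/pki/private must stay readable by root only.
# /usr/share/easy-rsa/easyrsa build-ca nopass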
# /usr/share/easy-rsa/easyrsa build-server-full server nopass
# /usr/share/easy-rsa/easyrsa gen-dh
# /usr/share/easy-rsa/easyrsa build-client-full client01 nopass
# /usr/share/easy-rsa/easyrsa gen-dh
(langkah gen-dh ini sudah dijalankan di atas dan cukup dijalankan sekali; dh.pem yang dihasilkan dipakai oleh direktif dh pada konfigurasi server)
# for i in $(seq -w 1 10);do /usr/share/easy-rsa/easyrsa build-client-full client"$i" nopass; done
Selanjutnya buat file konfigurasi server, misalnya /etc/openvpn/server.conf (unit openvpn@server.service yang dipakai di bawah membaca /etc/openvpn/server.conf), dengan isi seperti berikut:
# OpenVPN server configuration for this tutorial: UDP/1194 on a tun device,
# clients get addresses from 10.10.25.0/24 and are routed out through enp3s0.
port 1194
proto udp
dev tun
# PKI material produced by easyrsa under /etc/openvpn/pki
# (init-pki, build-ca, build-server-full server, gen-dh).
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/server.crt
key /etc/openvpn/pki/private/server.key # the server.key private key must be kept secret
dh /etc/openvpn/pki/dh.pem
# NOTE(review): no tls-crypt/tls-auth key and no crl-verify directive are set,
# although the easy-rsa vars configure a CRL lifetime; every certificate signed
# by this CA stays accepted until it expires. Confirm this is intended before
# exposing the port to the Internet.
# internal tun0 connection IP
server 10.10.25.0 255.255.255.0
# relative path: presumably /etc/openvpn/ipp.txt given the cd to /etc/openvpn
# earlier — confirm against the working directory of the openvpn process
ifconfig-pool-persist ipp.txt
# keepalive n m: ping the peer every n seconds, consider it down after m seconds
keepalive 10 120
# Compression - must now be turned off for security reasons.
# Use compress stub-v2 if needed in place
#comp-lzo
# keep key material and the tun device across restarts of the tunnel
persist-key
persist-tun
# parameters to be adjusted according to your network configuration
# (the commented DNS line would push this host's own enp3s0 address as resolver)
#push "dhcp-option DNS 172.18.0.250"
push "dhcp-option DOMAIN std.local"
# 172.18.0.0/22 is the LAN behind enp3s0 (172.18.0.250/22 in the ip addr output)
push "route 172.18.0.0 255.255.252.0"
#push "redirect-gateway autolocal"
# public resolvers handed to clients
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
#push "route 10.10.25.0 255.255.255.0"
#push "redirect-gateway def1"
#push "redirect-gateway local def1 bypass-dhcp"
#push "redirect-gateway def1 bypass-dhcp"
# send all client traffic through the VPN (relies on ip_forward and the
# masquerade rule configured below)
# NOTE(review): the "local" flag is meant for clients on the same subnet as the
# server; for clients connecting over the Internet the variant without "local"
# (commented above) is usually the right one — confirm.
push "redirect-gateway local def1 bypass-dhcp"
status /var/log/openvpn-status.log
# Windows-only option: blocks resolvers outside the tunnel to avoid DNS leaks
push "block-outside-dns"
# verbose mode
verb 3
# systemctl edit openvpn@server.service
Tambahkan baris berikut ke file /etc/nftables.conf:
#!/usr/sbin/nft -f
# Loaded by nftables.service from /etc/nftables.conf.
# Clears every existing rule first, so anything not in this file is lost on reload.
flush ruleset
table inet filter {
  # NOTE(review): these chains contain no rules and no explicit policy, so they
  # keep nftables' default policy "accept" — this file does no packet filtering,
  # it only adds NAT. Add rules (or an explicit policy) if filtering is expected.
  chain input {
    type filter hook input priority 0;
  }
  chain forward {
    type filter hook forward priority 0;
  }
  chain output {
    type filter hook output priority 0;
  }
}
table ip NAT {
  chain my_masquerade {
    type nat hook postrouting priority 100; policy accept;
    # VPN pool (server 10.10.25.0 255.255.255.0) leaving through the LAN interface enp3s0
    ip saddr { 10.10.25.0/24 } oifname "enp3s0" masquerade comment "outgoing NAT"
  }
}
Selanjutnya aktifkan nftables.service:
# systemctl enable nftables.service
Tambahkan net.ipv4.ip_forward=1 di file /etc/sysctl.d/99-ipforward.conf:
net.ipv4.ip_forward=1
Selanjutnya aktifkan ip forward di atas dengan perintah di bawah:
# sysctl -p /etc/sysctl.d/99-ipforward.conf
Aktifkan juga openvpn@server.service dan restart:
# systemctl enable --now openvpn@server.service
# systemctl restart openvpn@server.service
Cek apakah tun sudah aktif:
# ip addr sh
Hasilnya seperti di bawah:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 9c:5c:8e:02:51:8c brd ff:ff:ff:ff:ff:ff
    altname enx9c5c8e02518c
    inet 172.18.0.250/22 brd 172.18.3.255 scope global dynamic noprefixroute enp3s0
       valid_lft 565sec preferred_lft 490sec
    inet6 fe80::7dc:1797:b9c7:57dd/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.10.25.1 peer 10.10.25.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4d30:520e:22bb:ff94/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
4: ztppizrecu: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 4a:f2:6e:f3:c5:17 brd ff:ff:ff:ff:ff:ff
    inet 10.10.11.250/24 brd 10.10.11.255 scope global ztppizrecu
       valid_lft forever preferred_lft forever
    inet6 fe80::48f2:6eff:fef3:c517/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
Salin semua file yang diperlukan untuk koneksi dari client ke server OpenVPN:
cp /etc/openvpn/pki/ca.crt /root/
cp /etc/openvpn/pki/issued/client01.crt /root/
cp /etc/openvpn/pki/private/client01.key /root/
Catatan: client01.key dibuat dengan opsi nopass sehingga tidak dilindungi passphrase; kirimkan ke client lewat jalur yang aman dan batasi hak aksesnya di sisi client.
buatkan file koneksi dari client
vi /root/client01.ovpn
Isikan file seperti di bawah, sesuaikan dengan keperluan.
# OpenVPN client profile (client01.ovpn). ca.crt, client01.crt and client01.key
# are referenced by relative name, so they presumably sit next to this file in
# the client's config folder — confirm on the client.
client
dev tun
proto udp
# replace OPENVPN_IP with the address or hostname clients use to reach the server
remote OPENVPN_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
# NOTE(review): generated with "nopass", so this private key is unencrypted on
# disk; restrict who can read it on the client machine.
key client01.key
# NOTE(review): no "remote-cert-tls server" here, so the client does not check
# that the peer certificate was issued as a server certificate — consider adding it.
# disabled for security, use compress stub-v2 if needed in place
#comp-lzo
verb 3
Buka Windows Explorer dan tempatkan file di atas (client01.ovpn beserta ca.crt, client01.crt, dan client01.key) ke folder C:\Users\tampu\OpenVPN\config
Unduh OpenVPN client, kemudian impor file .ovpn di atas dan lakukan koneksi ke server.