
  • Apr 04 / 2012
  • Tutorial Linux

Tutorial: setting up OpenVPN

Install the required packages:

[root@demo ~]# yum install wget

[root@demo ~]# yum install openssl openssl-devel lzo lzo-devel pam pam-devel -y

OpenVPN connects two tun devices on different machines over UDP or TCP, so first make sure the driver for the virtual tun device is available in your Linux kernel (Fedora Core Linux 12 certainly supports TUN/TAP devices):

[harry@demo ~]$ cat /proc/net/dev | grep tun
tun0:59493117 403025 0 0 0 0 0 0 232675158 374324 0 0 0 0 0 0

If nothing is printed, that alone does not prove the kernel lacks TUN/TAP support: a tun interface only appears in /proc/net/dev once OpenVPN (or another program) has created one. The reliable check is the kernel configuration, which must contain one of:

CONFIG_TUN=m or CONFIG_TUN=y

On a stock Fedora kernel the configuration lives in /boot/config-$(uname -r); /usr/src/linux/.config only exists for a kernel you built yourself:

[root@demo ~]# grep CONFIG_TUN= /boot/config-$(uname -r)
CONFIG_TUN=m (or CONFIG_TUN=y)

With =m the driver is a module that is loaded on demand (modprobe tun). Only if CONFIG_TUN is missing altogether do you have to rebuild the kernel with TUN/TAP enabled.

Installation:

There are two ways to install OpenVPN on a Fedora machine:

Install through yum:

[root@demo ~]# yum install openvpn

Install from an RPM package:

Download the RPM package:

[root@demo ~]# wget http://kambing.ui.ac.id/fedora/releases/14/Fedora/x86_64/os/Packages/openvpn-2.1.1-2.fc13.x86_64.rpm

[root@demo ~]# rpm -ivh openvpn-2.1.1-2.fc13.x86_64.rpm

Prefer the yum route: it resolves dependencies and checks the package's GPG signature against the Fedora keys. If you install a downloaded RPM by hand, verify its signature first (rpm --checksig), and note that the package above is an fc13 build taken from a Fedora 14 mirror, so make sure it matches the release you are actually running.

Create the master CA key:

[root@demo ~]# cp -ai /usr/share/openvpn/easy-rsa/2.0 ~/easy-rsa

[root@demo ~]# cd ~/easy-rsa

[root@demo easy-rsa]# pwd
/root/easy-rsa

[root@demo easy-rsa]# mkdir keys

[root@demo easy-rsa]# mkdir /etc/openvpn/keys

[root@demo easy-rsa]# cp -ai ~/easy-rsa/keys/* /etc/openvpn/keys

At this point ~/easy-rsa/keys is still empty, so this last copy has nothing to move; the keys are copied again once they have been generated (at the end of this tutorial). Make /etc/openvpn/keys readable by root only (chmod 700), because the server's private key will live there.

Create the server.conf file:

[root@demo easy-rsa]# cp -ai /usr/share/doc/openvpn-*/sample-config-files/roadwarrior-server.conf /etc/openvpn/server.conf

[root@demo easy-rsa]# . ./vars
Note: there is a space between the two dots (this sources the file into the current shell).

[root@demo easy-rsa]# ./clean-all
Careful: clean-all does rm -rf on KEY_DIR, so run it only once, on a fresh PKI.

Create a shell script that sets the user-defined environment variables used when generating keys. Let's call the file genvars_ca, with the following content:

export KEY_CONFIG=/root/easy-rsa/openssl.cnf
export KEY_DIR=/etc/openvpn/keys
export KEY_SIZE=1024
export KEY_COUNTRY=ID
export KEY_PROVINCE=DKI
export KEY_CITY=JAKARTA
export KEY_ORG="terradata"
export KEY_EMAIL="info@terra-data.biz"
exec $SHELL -i

The last line replaces the script's shell with an interactive one that inherits the exported variables, which is why the script is executed rather than sourced; everything that follows is typed into that new shell. KEY_SIZE=1024 is what the transcripts below show, but 1024-bit RSA is too weak for a new deployment: use 2048 or larger for the CA, server and client keys. Note also that KEY_DIR now points at /etc/openvpn/keys instead of the easy-rsa default ~/easy-rsa/keys, so that is where the generated files will land.

Make sure to change the mode of the script with chmod so that it is executable:

[root@demo easy-rsa]# chmod +x genvars_ca

Run the script:

[root@demo easy-rsa]# ./genvars_ca

Use the following command to verify that the variables are now set in the shell:

[root@demo easy-rsa]# env|grep KEY

Next, initialize the PKI:

[root@demo easy-rsa]# ./build-ca

Output:

Generating a 1024 bit RSA private key
..........++++++
..............................................................++++++
writing new private key to ca.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [ID]:

State or Province Name (full name) [DKI]:

Locality Name (eg, city) [JAKARTA]:

Organization Name (eg, company) [terradata]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server hostname) [terradata CA]:

Name []:

Email Address [info@terra-data.biz]:

Create the key for the server. Note: just press Enter for most questions; the Common Name already defaults to server because that is the argument passed to the script, and the challenge password and optional company name asked at the end are not used by OpenVPN and can be left blank.

[root@demo easy-rsa]# ./build-key-server server

Output:

Generating a 1024 bit RSA private key
........++++++
.++++++
writing new private key to server.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [ID]:

State or Province Name (full name) [DKI]:

Locality Name (eg, city) [JAKARTA]:

Organization Name (eg, company) [terradata]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server hostname) [server]:

Name []:

Email Address [info@terra-data.biz]:

Please enter the following extra attributes to be sent with your certificate request

A challenge password []:zhaoke.com

An optional company name []:zhaoke.com

Using configuration from /root/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows

countryName : PRINTABLE:[ID]

stateOrProvinceName : PRINTABLE:[DKI]

localityName : PRINTABLE:[JAKARTA]

organizationName : PRINTABLE:[terradata]

commonName : PRINTABLE:[server]

emailAddress : info@terra-data.biz

Certificate is to be certified until Nov 27 13:49:01 2009 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Notes:

You are asked for the information that goes into the certificate request. What you enter is called a Distinguished Name, or DN. There are several fields and some can be left blank; some have a default value, and if you enter '.' the field is left blank.

Create the client keys: same as above, but the Common Name must be unique. If you have several clients, run the command once per client, for example:

./build-key client1

./build-key client2

Let's create the key for one client:

[root@demo easy-rsa]# ./build-key client

Output:

Generating a 1024 bit RSA private key
......++++++
....................++++++
writing new private key to client.key
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [ID]:

State or Province Name (full name) [DKI]:

Locality Name (eg, city) [JAKARTA]:

Organization Name (eg, company) [terradata]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server hostname) [client]:

Name []:
Email Address [dns-manager@terra-data.biz]:
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:zhaoke.com
An optional company name []:zhaoke.com
Using configuration from /root/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject Distinguished Name is as follows
countryName : PRINTABLE:[ID]
stateOrProvinceName : PRINTABLE:[DKI]
localityName : PRINTABLE:[JAKARTA]
organizationName : PRINTABLE:[terradata]
commonName : PRINTABLE:[client]
emailAddress : [info@terra-data.biz]
Certificate is to be certified until Nov 27 13:57:06 2009 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Create the Diffie-Hellman (DH) parameters:

[root@DB-utama easy-rsa]# source ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/easy-rsa/keys

Sourcing ./vars again resets KEY_DIR to the easy-rsa default (/root/easy-rsa/keys, as the NOTE shows), so build-dh writes its output there even though genvars_ca sent the certificates to /etc/openvpn/keys. Do not run ./clean-all at this point: it would wipe that directory. The default KEY_SIZE from vars gives 1024-bit DH parameters, which are as weak as 1024-bit RSA; for a new server set KEY_SIZE=2048 before build-dh (the file is then named dh2048.pem and server.conf must point at it).

[root@demo easy-rsa]# ./build-dh
Output:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
……+….+…………………..++*++*++*
Copy the generated files to the server's OpenVPN directory:

[root@demo easy-rsa]# cd keys
[root@demo keys]# cp ca.crt server.key server.crt dh1024.pem /etc/openvpn/keys

The server needs exactly these four files. If your shell still has KEY_DIR=/etc/openvpn/keys from genvars_ca, ca.crt, server.crt and server.key are already there and only dh1024.pem has to be moved from /root/easy-rsa/keys. Do not copy ca.key onto a VPN server: it signs every certificate the server will trust and belongs on the machine acting as the CA, with restrictive permissions (here that happens to be the same host, so leave it where easy-rsa wrote it). Each client receives ca.crt plus its own client.crt and client.key, delivered over a trusted channel, never by e-mail in the clear.
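The whole key-generation procedure above, condensed into one non-interactive script as an added example. This is not the tutorial's code nor easy-rsa's: it calls openssl directly so that what build-ca, build-key-server, build-key and build-dh do is visible. Assumptions not taken from the page: 2048-bit keys instead of 1024, the target directory passed as the first argument, and the extension sections that distinguish a server certificate from a client one. The is_server_cert check shows why build-key-server exists as a separate step: a client's certificate signed by the same CA verifies fine but lacks the server marking, so a client configured with remote-cert-tls server will refuse to treat its holder as the VPN server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the PKI that
# build-ca / build-key-server / build-key / build-dh produce, built
# non-interactively with plain openssl.  Assumptions (not from the page):
# 2048-bit keys, output directory given as $1, the terradata DN reused
# from genvars_ca.
set -eu

KEY_SIZE=2048
KEY_DAYS=3650
SUBJ_BASE="/C=ID/ST=DKI/L=JAKARTA/O=terradata"

# Build ca.crt/ca.key, server.crt/server.key, client.crt/client.key in $1.
build_pki() {
    dir=$1
    mkdir -p "$dir"

    # The difference between build-key-server and build-key: only the
    # server certificate carries the server EKU / nsCertType, which is
    # what "remote-cert-tls server" on the client checks, so a stolen
    # client certificate cannot be used to impersonate the VPN server.
    cat >"$dir/ext.cnf" <<'EOF'
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF

    # ./build-ca: self-signed root certificate and its private key.
    openssl req -x509 -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 \
        -days "$KEY_DAYS" -subj "$SUBJ_BASE/CN=terradata CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # ./build-key-server server and ./build-key client: key + CSR, then
    # the CA signs the CSR with the matching extension section.
    for name in server client; do
        openssl req -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 \
            -subj "$SUBJ_BASE/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -sha256 -days "$KEY_DAYS" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/ext.cnf" -extensions "$name" \
            -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
    done
    chmod 600 "$dir"/*.key
}

# ./build-dh: DH parameters of $2 bits into $1/dh$2.pem (slow, so separate).
build_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# Returns 0 only if $2 chains to the CA in $1 AND is marked as a server
# certificate; a client certificate signed by the same CA returns 1.
is_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text |
        grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Usage: sh build-pki.sh /etc/openvpn/keys   (run on the CA host)
if [ $# -gt 0 ]; then
    build_pki "$1"
    build_dh "$1" 2048
    is_server_cert "$1/ca.crt" "$1/server.crt" && echo "server.crt is a server certificate"
fi
```

Generating 2048-bit DH parameters can take several minutes. Check client certificates the same way: they should pass openssl verify against ca.crt but fail is_server_cert, and afterwards ca.key stays on the CA host while only ca.crt, server.crt, server.key and the dh file go to the VPN server.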

Take the server.conf file shown
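As an added example of where the generated files are used (this is not the tutorial's own server.conf, which is copied from roadwarrior-server.conf): a minimal server configuration for OpenVPN 2.1 that references the four files placed in /etc/openvpn/keys. The VPN subnet 10.8.0.0/24, port 1194, the log path and the ta.key file are assumptions; ta.key is an extra step not in the tutorial, created with openvpn --genkey --secret /etc/openvpn/keys/ta.key and handed to every client along with ca.crt.

```conf
# Added example /etc/openvpn/server.conf, not the tutorial's file.
# Subnet, port, log path and ta.key are assumptions.
port 1194
proto udp
dev tun

# The four files copied into /etc/openvpn/keys; ca.key is NOT needed here.
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key  /etc/openvpn/keys/server.key
dh   /etc/openvpn/keys/dh1024.pem

# Assumed extra step: shared HMAC key so the control channel drops
# packets from anyone without ta.key before any TLS work is done.
tls-auth /etc/openvpn/keys/ta.key 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
comp-lzo

# Drop root after start-up; persist-key/persist-tun let the process
# survive restarts without the privileges it gave away.
user nobody
group nobody
persist-key
persist-tun

status /var/log/openvpn-status.log
verb 3
```

On the client side the matching directives are tls-auth ta.key 1 and remote-cert-tls server (available from OpenVPN 2.1; ns-cert-type server on 2.0). The second one is what makes the build-key-server step matter: without it any certificate signed by the CA, including another client's, would be accepted as the server.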