Sunday, 20 May 2012

Install OpenVPN on FreeBSD

Server Setup
=================
1. install
# cd /usr/ports/security/openvpn
# make install clean

2. edit rc.conf

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_if="tun"

3. create the config file

# cd /usr/local/etc
# mkdir openvpn
# cd openvpn
# ee openvpn.conf

# Specify device
dev tun

# Server and client IP and Pool
server 10.254.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN Authentication
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem

# Routes to push to the client
push "route 192.168.2.0 255.255.255.0"

# Use compression on the VPN link
comp-lzo

# Make the link more resistant to connection failures

keepalive 10 60
ping-timer-rem
persist-tun
persist-key

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
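As an added check that is not part of the original post, the following Python script parses the openvpn.conf above and flags the settings a reviewer would question: the 1024-bit DH parameters, link compression (comp-lzo), and the absence of a control-channel HMAC key (tls-auth/tls-crypt). It assumes the DH size can be read from the file name the post uses and that the option names are standard OpenVPN directives.

```python
import re

# The server configuration from the post, embedded here as constructed test input.
PAGE_CONF = """\
dev tun
server 10.254.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
push "route 192.168.2.0 255.255.255.0"
comp-lzo
keepalive 10 60
persist-tun
persist-key
user nobody
group nobody
daemon
"""

def parse_conf(text):
    """Map each directive to the list of argument strings it was given (comments skipped)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in OpenVPN configs
        if not line:
            continue
        name, *rest = line.split(None, 1)
        opts.setdefault(name, []).append(rest[0] if rest else "")
    return opts

def audit_conf(text):
    """Return a list of findings describing weak or missing hardening directives."""
    opts = parse_conf(text)
    findings = []
    for arg in opts.get("dh", []):
        m = re.search(r"dh(\d+)", arg)  # assumption: key size is encoded in the file name
        if m and int(m.group(1)) < 2048:
            findings.append(f"dh: {m.group(1)}-bit DH parameters; regenerate with at least 2048 bits")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("comp-lzo/compress: compression enabled on the tunnel; disable it (VORACLE)")
    if "tls-auth" not in opts and "tls-crypt" not in opts:
        findings.append("tls-auth/tls-crypt: no control-channel HMAC key; unauthenticated packets reach the TLS stack")
    if "user" not in opts or "group" not in opts:
        findings.append("user/group: daemon does not drop root privileges")
    if "persist-key" not in opts:
        findings.append("persist-key: key files must be re-read on restart, which fails after dropping to nobody")
    return findings
```

Running `audit_conf(PAGE_CONF)` on the post's configuration yields three findings (DH size, compression, missing tls-auth); the user/group and persist-key directives already pass.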

4. copy all the files in easy-rsa

# cp -r /usr/local/share/doc/openvpn/easy-rsa /usr/local/etc/openvpn/

5. build the CA certificate
# cd /usr/local/etc/openvpn/easy-rsa
# sh
# . vars
# ./clean-all
# ./build-ca

6. create the server certificate
# cd /usr/local/etc/openvpn/easy-rsa
# sh
# ./build-key-server server
Generating a 1024 bit RSA private key
............++++++
.........................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:id
State or Province Name (full name) [NA]:bangkabelitung
Locality Name (eg, city) [BISHKEK]:pangkalpinang
Organization Name (eg, company) [OpenVPN-TEST]:PaninBankKCUPangkalpinang
Organizational Unit Name (eg, section) []:edp
Common Name (eg, your name or your server's hostname) []:panin
Email Address [me@myhost.mydomain]:andri.yanto@panin.co.id

A challenge password []:sinchan
An optional company name []:Panin
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'id'
stateOrProvinceName :PRINTABLE:'bangkabelitung'
localityName :PRINTABLE:'pangkalpinang'
organizationName :PRINTABLE:'PaninBankKCUPangkalpinang'
organizationalUnitName:PRINTABLE:'edp'
commonName :PRINTABLE:'panin'
emailAddress :IA5STRING:'andri.yanto@panin.co.id'
Certificate is to be certified until Oct 26 12:17:06 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


note: the server certificate is created the same way as the client certificates

7. create the VPN client certificates
# cd /usr/local/etc/openvpn/easy-rsa
# sh
# ./build-key client1
# ./build-key client2
# ./build-key client3
etc.

8. generate the server Diffie-Hellman parameters
# cd /usr/local/etc/openvpn/easy-rsa
# sh
# ./build-dh


9. copy all the server and client certificates
# cd /usr/local/etc/openvpn/easy-rsa
# cp -r keys /usr/local/etc/openvpn/

10. set up logging
# ee /etc/syslog.conf

!openvpn
*.* /var/log/openvpn.log

11. create the log file
# touch /var/log/openvpn.log

12. restart syslogd
# killall -HUP syslogd

13. start openvpn
# /usr/local/etc/rc.d/openvpn start


14. check the resulting configuration on the interface
# ifconfig
tun1: flags=8051 metric 0 mtu 1500
inet 10.254.0.1 --> 10.254.0.2 netmask 0xffffffff
Opened by PID 1100


15. firewall configuration

# ee /etc/pf.conf

vpn_if="tun1"
ext_if="tun0"
vpn_network="10.254.0.0/24"

nat on $ext_if from $vpn_network to any -> ($ext_if)
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if

Windows client setup
=====================

1. download the OpenVPN GUI for Windows from http://www.openvpn.se
2. copy the client certificate files from the /usr/local/etc/openvpn/keys directory on the server to C:\Program Files\Openvpn\config on the Windows PC
ca.crt
client1.crt
client1.key

3. create the config file myvpn.ovpn in C:\Program Files\Openvpn\config

client
remote 1194
dev tun
comp-lzo

ca ca.crt
cert client1.crt
key client1.key

# Set log file verbosity.
verb 3

4. turn off the firewall on that Windows computer
5. uncheck the TAP-Win32 adapter under Control Panel -> Security Center -> Windows Firewall -> Advanced
6. right-click the OpenVPN icon, then click Connect


check on the server with the command

# tcpdump -n -e -ttt -i tun1

good luck............

1 comment:

Where are the comments?
