Wednesday, 04 June 2014

How to Install OpenVPN server 2.3.2 on CentOS 6.x


hahaha.... finally satisfied, after poking around at openvpn 2.3.2 it works at last....
straight to it then. first step, check whether the server is ready for vpn...
cat /dev/net/tun
make sure the result looks like this
cat: /dev/net/tun: File descriptor in bad state
second, make sure the repository is installed and up to date; if not, read how to add the EPEL Repository on CentOS 5.x and 6.x
yossh! next step, on to the installation
yum install gcc make rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel nano openvpn easy-rsa -y
the easy-rsa scripts are in /usr/share/easy-rsa/. create the folder /easy-rsa/keys inside the /etc/openvpn folder and copy the easy-rsa scripts into it like this:
mkdir -p /etc/openvpn/easy-rsa/keys
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
next, create ca.key and ca.crt. first edit the information that will be needed later, such as server name, server location and email, for example like this
nano /etc/openvpn/easy-rsa/vars
edit only the parts that are needed, like this. once again, edit to suit your needs; filling it in exactly the same is no problem either :D
[...]
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="LA"
export KEY_ORG="tehanget"
export KEY_EMAIL="tehangetvpn@gmail.com"
export KEY_OU="tehanget.info"
[...]
save with ctrl + x, confirm y, enter. then move to the folder /etc/openvpn/easy-rsa/ with
cd /etc/openvpn/easy-rsa/

time to create the server and client certificates...
enter them one at a time, bro....
cp openssl-1.0.0.cnf openssl.cnf
source ./vars
./clean-all
build ca.crt and ca.key first....
./build-ca
Generating a 2048 bit RSA private key ......................................................+++
............................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: ----> Press Enter
State or Province Name (full name) [CA]: ----> Press Enter
Locality Name (eg, city) [LA]: ----> Press Enter
Organization Name (eg, company) [TEHANGET]: ----> Press Enter
Organizational Unit Name (eg, section) [TEHANGET]: ----> Press Enter
Common Name (eg, your name or your server's hostname) [TEHANGET]: ----> Press Enter
Name [EasyRSA]: ----> Press Enter
Email Address [tehangetvpn@gmail.com]: ----> Press Enter  
next, make the server key...
./build-key-server server
more or less like this:

Generating a 2048 bit RSA private key
....................+++
.............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter      
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'LA'
organizationName      :PRINTABLE:'TEHANGET'
organizationalUnitName:PRINTABLE:'TEHANGET'
commonName            :PRINTABLE:'TEHANGET'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'tehanget@gmail.com'
Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter

1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
phew, tiring... onward!!!
build the certificate for the client...
./build-key client

like this...
Generating a 2048 bit RSA private key
.......+++
..................................................................................................+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----> Press Enter      
An optional company name []: ----> Press Enter
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'LA'
organizationName      :PRINTABLE:'TEHANGET'
organizationalUnitName:PRINTABLE:'TEHANGET'
commonName            :PRINTABLE:'TEHANGET'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'tehanget@gmail.com'
Certificate is to be certified until Mar 23 12:21:34 2024 GMT (3650 days)
Sign the certificate? [y/n]:y ----> Type Y and Press Enter

1 out of 1 certificate requests certified, commit? [y/n]y ----> Type Y and Press Enter
Write out database with 1 new entries
Data Base Updated
the next step is to generate the Diffie-Hellman parameters (dh)...
./build-dh
just wait until the build finishes, it only takes a few minutes hahaha.... :p
-------
alhamdulillah, finally done making the server key and client key... now move those keys to /etc/openvpn with
cd /etc/openvpn/easy-rsa/keys/
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn/
the most awaited moment..... create server.conf
cd /etc/openvpn
nano server.conf
paste in the following config
port 444
proto tcp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so  /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.9.8.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 5 30
comp-lzo
persist-key
persist-tun
verb 3
save with ctrl + x, press y, press enter. in the example above I use tcp mode on port 444

last step! forwarding and routing.... for forwarding, do it like this:
nano  /etc/sysctl.conf
change this line, save and exit
net.ipv4.ip_forward = 1
apply it with
sysctl -p

for routing pay close attention, pick only one!
for openvz (IP_ENTE is your server's public IP)
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o venet0 -j SNAT --to IP_ENTE
for dedicated / kvm / cloud
iptables -t nat -A POSTROUTING -s 10.9.8.0/24 -o eth0 -j MASQUERADE
service iptables save 
forwarding and routing done.... restart openvpn

service openvpn restart
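Before that restart, here is an added pre-flight check (my own addition, not part of the original post) for the /etc/openvpn layout built above. It confirms the four files server.conf references via ca/cert/key/dh actually arrived from the easy-rsa copy step, that server.key is not readable by group or others, and reports the two directives in the config above that weaken the TLS side: client-cert-not-required (the PAM password becomes the only client authentication) and reneg-sec 0 (no periodic TLS re-keying). The function names and the constructed sample directory are assumptions; the audit returns the number of findings.

```shell
#!/bin/sh
# Added example, not from the original post. audit_openvpn_dir <dir> reads
# <dir>/server.conf and returns the number of findings (0 = clean).

audit_openvpn_dir() {
    dir=$1; conf="$dir/server.conf"; findings=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }

    # The cp step from easy-rsa/keys must have delivered all four files.
    for directive in ca cert key dh; do
        file=$(awk -v d="$directive" '$1 == d { print $2; exit }' "$conf")
        if [ -z "$file" ]; then
            echo "no '$directive' directive in server.conf"; findings=$((findings + 1))
        elif [ ! -f "$dir/$file" ]; then
            echo "$directive -> $dir/$file does not exist"; findings=$((findings + 1))
        fi
    done

    # server.key is the server's private key: group/world read bits are a finding.
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    if [ -n "$key" ] && [ -f "$dir/$key" ] && \
       [ -n "$(find "$dir/$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "$key is readable by group or others (chmod 600 it)"; findings=$((findings + 1))
    fi

    # client-cert-not-required: clients authenticate with the PAM password only.
    # reneg-sec 0: periodic TLS renegotiation is switched off for the session.
    for weak in 'client-cert-not-required' 'reneg-sec 0'; do
        if grep -q "^$weak" "$conf"; then
            echo "weak directive: $weak"; findings=$((findings + 1))
        fi
    done
    return $findings
}

# Constructed sample (not a real deployment): a cut-down copy of the guide's
# server.conf plus dummy cert files in a temp dir, to show what the audit reports.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'port 444\nproto tcp\nca ca.crt\ncert server.crt\nkey server.key\ndh dh2048.pem\nclient-cert-not-required\nreneg-sec 0\n' > "$d/server.conf"
    for f in ca.crt server.crt server.key dh2048.pem; do echo dummy > "$d/$f"; done
    chmod 644 "$d/server.key"   # what a plain cp typically leaves behind
    echo "$d"
}

sample=$(make_sample_dir)
audit_openvpn_dir "$sample" || echo "findings: $?"
```

Run it against /etc/openvpn on the server; a clean result is 0, and each reported line names the file or directive to look at.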

wahahahaaaa... dizzy yet?!?!?!

for the client configuration on windows, please read openvpn client configuration on windows
the difference is that the ca.crt is located in /etc/openvpn

good luck trying it!!!
