OpenVPN Server on Ubuntu Using TAP

In my previous post I described how to build an OpenVPN server using TUN. What if you want to build an OpenVPN server using TAP instead?
TUN is a point-to-point IP link device; an OpenVPN setup on TUN works by routing.
TAP is a virtual Ethernet device; an OpenVPN setup on TAP works by bridging.
With bridging, your VPN clients get IP addresses in the same subnet as the VPN server, and Ethernet broadcasts (and non-IP protocols) cross the tunnel as well.
That way you can remote into your clients and they can remote into you. Keep in mind that a bridged client is a full layer-2 member of your LAN, exactly as if it were plugged into the office switch, so every client certificate you hand out grants that level of access.

Suppose the network topology is as follows (202.123.456.789 stands in for the gateway's public IP; it is a placeholder, not a valid address):
vpn client===internet===gateway (202.123.456.789, 192.168.0.2)===pc router(192.168.0.11)===vpn server (192.168.0.250)

Here are the steps to install the OpenVPN server on Ubuntu:
1. Install the OpenVPN package from the repository
$ sudo apt-get install openvpn bridge-utils

2. Create a keys directory inside /etc/openvpn
$ sudo mkdir /etc/openvpn/keys

3. Change into OpenVPN's sample config files directory
$ cd /usr/share/doc/openvpn/examples/sample-config-files

4. Decompress server.conf.gz
$ sudo gzip -d server.conf.gz

5. Copy server.conf to /etc/openvpn
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn

6. Edit the server.conf configuration file
$ sudo vim /etc/openvpn/server.conf

Here is my configuration file as an example:

port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.250 255.255.255.0 192.168.0.200 192.168.0.249
client-to-client
keepalive 10 3600
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 10

Notes:
192.168.0.250 : the local IP of your VPN server (it becomes the address of the bridge interface br0, see the bridge script below)
192.168.0.200-192.168.0.249 : the IPs handed to your VPN clients (make sure nothing else uses them, and exclude the range from your LAN's DHCP server!)
A few other things to check in this file:
- ipp.txt is a relative path, resolved from the directory OpenVPN is started in (the Ubuntu init script starts it in /etc/openvpn).
- dh1024.pem matches easy-rsa's default KEY_SIZE=1024. 1024-bit RSA and DH are considered weak today; if you set KEY_SIZE=2048 in vars before building, build-dh writes dh2048.pem and this line must be changed to match.
- client-to-client lets connected clients talk to each other through the server; leave it out if clients should only reach the LAN.
- user nobody / group nogroup drop privileges after startup; persist-key and persist-tun are what allow a restart (SIGUSR1 or ping-restart) to succeed afterwards, since the unprivileged daemon can neither re-read the key files nor re-open the tap device.

7. Make a backup copy of the easy-rsa directory
$ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa /usr/share/doc/openvpn/examples/easy-rsa-ori

8. Edit the vars file. The remaining steps are run as root from inside the easy-rsa 2.0 directory, because its scripts locate each other and the keys directory relative to the current directory.
# cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
# vim vars

9. Edit the lines containing the following and adjust them to your own details
export KEY_COUNTRY="IN"
export KEY_PROVINCE="JT"
export KEY_CITY="Canada"
export KEY_ORG="CORP"
export KEY_EMAIL="me@myhost.mydomain"

10. Source the vars file. It only exports environment variables, so it has to be sourced into the current shell rather than executed as a program:
# source ./vars
You will get the following output:
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys

11. Run clean-all (this wipes the keys directory, so do it only once, at the start)
# ./clean-all
If you get an error like this:
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration

then vars was executed instead of sourced; run
source ./vars
and after that run again
./clean-all

12. Run build-ca
# ./build-ca
You will get output like this:
Generating a 1024 bit RSA private key
........++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [JT]:
Locality Name (eg, city) [Canada]:
Organization Name (eg, company) [CORP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [CORPCA]:
Email Address [me@myhost.mydomain]:

13. Run build-key-server to create the server certificate. It is signed by the CA just built and carries the nsCertType=server extension, which is what a client checks when it has ns-cert-type server in its config.
# ./build-key-server server
You will get output like this:
Generating a 1024 bit RSA private key
.++++++
.......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [JT]:
Locality Name (eg, city) [Canada]:
Organization Name (eg, company) [CORP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [me@myhost.mydomain]:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'JT'
localityName :PRINTABLE:'Canada'
organizationName :PRINTABLE:'CORP'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Nov 16 16:39:20 2018 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

14. Run build-key for your VPN client. Use a different name for each client and give every client its own certificate: a client key copied to several machines cannot be revoked for one of them without cutting off all of them.
# ./build-key client1
You will get output like this:
Generating a 1024 bit RSA private key
.++++++
.++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [JT]:
Locality Name (eg, city) [Canada]:
Organization Name (eg, company) [CORP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [me@myhost.mydomain]:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'JT'
localityName :PRINTABLE:'Canada'
organizationName :PRINTABLE:'CORP'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Nov 16 16:43:15 2018 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

15. Run build-dh (this takes a while)
# ./build-dh
You will get output like this:
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................................++*++*++*

16. Copy ca.crt, dh1024.pem, server.crt and server.key to /etc/openvpn/keys. Do not copy ca.key: server.conf does not reference it, and the CA private key is only needed to sign new client certificates, so keep it out of /etc/openvpn/keys (ideally off the server entirely). Restrict the permissions on the server key while you are at it.
# cp keys/ca.crt keys/dh1024.pem keys/server.crt keys/server.key /etc/openvpn/keys/
# chmod 600 /etc/openvpn/keys/server.key
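Once the CA exists, the easy-rsa keys directory also holds index.txt, OpenSSL's CA database; the "Write out database with 1 new entries" lines above are it being updated. The following Python script is an added example (not part of the original post or of easy-rsa) that inventories that database: which certificates are valid, close to expiry, expired or revoked. The index.txt content is constructed to match the two certificates signed above, plus an assumed client2 that was revoked and reissued; the column layout is the real easy-rsa 2.0 / openssl ca format. It also makes one gap explicit: revoking a certificate only changes this file, and the server.conf above has no crl-verify line, so a revoked client is still accepted until you generate a CRL (./revoke-full <name> writes keys/crl.pem) and add crl-verify /etc/openvpn/keys/crl.pem to the server.

```python
# Added example: inventory of the easy-rsa CA database (keys/index.txt).
# Not part of the original post. SAMPLE_INDEX is constructed.
from datetime import datetime, timedelta, timezone

# Constructed to mirror the CA built above: server and client1 as signed on the
# page (expiry Nov 16 2018), plus an assumed client2 that was revoked and reissued.
# Columns: status  expiry  revocation-date  serial  filename  subject-DN
SAMPLE_INDEX = (
    "V\t181116163920Z\t\t01\tunknown\t/C=IN/ST=JT/L=Canada/O=CORP/CN=server/emailAddress=me@myhost.mydomain\n"
    "V\t181116164315Z\t\t02\tunknown\t/C=IN/ST=JT/L=Canada/O=CORP/CN=client1/emailAddress=me@myhost.mydomain\n"
    "R\t181201120000Z\t101005083000Z\t03\tunknown\t/C=IN/ST=JT/L=Canada/O=CORP/CN=client2/emailAddress=me@myhost.mydomain\n"
    "V\t181201120000Z\t\t04\tunknown\t/C=IN/ST=JT/L=Canada/O=CORP/CN=client2/emailAddress=me@myhost.mydomain\n"
)


def _utctime(value):
    """OpenSSL UTCTime 'YYMMDDHHMMSSZ' -> aware datetime; empty field -> None."""
    if not value:
        return None
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_dn(dn):
    """'/C=IN/ST=JT/CN=server' -> {'C': 'IN', 'ST': 'JT', 'CN': 'server'}."""
    return dict(part.split("=", 1) for part in dn.split("/") if part)


def parse_index(text):
    """Parse index.txt into dicts; reject a line that is not six tab-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        status, expires, revoked, serial, _filename, dn = fields
        entries.append({
            "status": status,            # V = valid, R = revoked, E = expired
            "expires": _utctime(expires),
            "revoked": _utctime(revoked),
            "serial": serial,
            "cn": parse_dn(dn).get("CN", ""),
        })
    return entries


def classify(entries, now_iso, warn_days=30):
    """Group common names by state as of now_iso ('YYYY-MM-DD').

    The status column only flips from V to E when `openssl ca -updatedb` is run,
    so expiry is recomputed here instead of trusting that column.
    """
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    groups = {"valid": [], "expiring": [], "expired": [], "revoked": []}
    for e in entries:
        if e["status"] == "R":
            groups["revoked"].append(e["cn"])
        elif e["expires"] <= now:
            groups["expired"].append(e["cn"])
        elif e["expires"] - now <= timedelta(days=warn_days):
            groups["expiring"].append(e["cn"])
        else:
            groups["valid"].append(e["cn"])
    return groups


def revoked_without_crl(entries, server_conf):
    """Names revoked in the CA database that the server would still accept,
    because server_conf (the text of server.conf) has no crl-verify line."""
    has_crl = any(line.split()[:1] == ["crl-verify"] for line in server_conf.splitlines())
    return [] if has_crl else [e["cn"] for e in entries if e["status"] == "R"]


if __name__ == "__main__":
    certs = parse_index(SAMPLE_INDEX)
    print(classify(certs, "2010-01-01"))
    print("accepted despite revocation:", revoked_without_crl(certs, "dev tap0\n"))
```

Run it against the real file with `parse_index(open("keys/index.txt").read())`; the "expiring" group is the one to watch, since a client whose certificate lapses simply stops connecting with a TLS error in the server log.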

17. Change into the sample config files directory
# cd /usr/share/doc/openvpn/examples/sample-config-files

18. Edit client.conf; here a Windows machine is used as the OpenVPN client
# vim client.conf
Here is my client.conf as an example; remote holds your public IP (the placeholder from the topology above). One line worth adding below the ca/cert/key lines is ns-cert-type server: it makes the client insist on a certificate built with build-key-server. Without it the client accepts any certificate signed by your CA, including another client's, as the server.

client
dev tap
proto udp
remote 202.123.456.789 1194
resolv-retry infinite
nobind


# --------- For non-Windows VPN clients, enable the entries below --------
;user nobody
;group nobody


persist-key
persist-tun
ca "c:\\program files\\openvpn\\config\\ca.crt"
cert "c:\\program files\\openvpn\\config\\client1.crt"
key "c:\\program files\\openvpn\\config\\client1.key"
comp-lzo
verb 3
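The server.conf and client.conf above are easy to get subtly wrong, and the mistakes show up only as a client that connects but gets no address, or worse, as a client that will happily talk to an impostor. The following Python script is an added example (not from the original post or from OpenVPN) that lints both files: it checks that a tap device is paired with server-bridge rather than server, that the server-bridge pool sits inside the bridge subnet and excludes the server's own address, and it flags the two security gaps in the samples, the 1024-bit DH parameters on the server and the missing ns-cert-type server on the client. SERVER_CONF and CLIENT_CONF are abridged copies of the two files as shown above; the check functions and their messages are this example's own.

```python
# Added example: a small linter for the TAP/bridge server.conf and client.conf above.
# Not part of the original post. The two config strings are abridged copies of the page's files.
import ipaddress
import shlex

SERVER_CONF = r"""
port 1194
proto udp
dev tap0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.0.250 255.255.255.0 192.168.0.200 192.168.0.249
client-to-client
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
"""

CLIENT_CONF = r"""
client
dev tap
proto udp
remote 202.123.456.789 1194
;user nobody
;group nobody
persist-key
persist-tun
ca "c:\\program files\\openvpn\\config\\ca.crt"
cert "c:\\program files\\openvpn\\config\\client1.crt"
key "c:\\program files\\openvpn\\config\\client1.key"
comp-lzo
"""


def parse_config(text):
    """Return [(directive, [args])], dropping blank lines and # / ; comments."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line, posix=False)   # posix=False keeps the Windows backslashes intact
        result.append((tokens[0], [t.strip('"') for t in tokens[1:]]))
    return result


def _args(directives, name):
    return [args for directive, args in directives if directive == name]


def check_pool(gateway, netmask, first, last):
    """Validate the four server-bridge arguments against each other."""
    findings = []
    net = ipaddress.IPv4Network("%s/%s" % (gateway, netmask), strict=False)
    gw, lo, hi = (ipaddress.IPv4Address(a) for a in (gateway, first, last))
    if lo > hi:
        findings.append("pool start %s is after pool end %s" % (lo, hi))
    for addr in (lo, hi):
        if addr not in net:
            findings.append("pool address %s is outside %s" % (addr, net))
    if lo <= gw <= hi:
        findings.append("server address %s lies inside the client pool" % gw)
    if lo == net.network_address or hi == net.broadcast_address:
        findings.append("pool includes the network or broadcast address of %s" % net)
    return findings


def lint_server(text):
    d = parse_config(text)
    findings = []
    dev = (_args(d, "dev") or [[""]])[0][0]
    bridge = _args(d, "server-bridge")
    if dev.startswith("tap") and not bridge:
        findings.append("dev tap without server-bridge: bridged clients get no address")
    if dev.startswith("tun") and bridge:
        findings.append("server-bridge needs a tap device, not tun")
    if _args(d, "server") and bridge:
        findings.append("both 'server' (routed pool) and 'server-bridge' present; keep one")
    for args in bridge:
        if len(args) == 4:
            findings.extend(check_pool(*args))
    for args in _args(d, "dh"):
        if args and args[0].endswith("1024.pem"):
            findings.append("1024-bit DH parameters (%s) are weak; set KEY_SIZE=2048 in vars and rebuild" % args[0])
    if not (_args(d, "user") and _args(d, "group")):
        findings.append("no user/group directives: the daemon keeps running as root")
    return findings


def lint_client(text):
    d = parse_config(text)
    findings = []
    dev = (_args(d, "dev") or [[""]])[0][0]
    if not dev.startswith("tap"):
        findings.append("client dev must be tap to match a server-bridge server")
    if not (_args(d, "ns-cert-type") or _args(d, "remote-cert-tls")):
        findings.append("no 'ns-cert-type server': any certificate signed by the CA, "
                        "including another client's, would be accepted as the server")
    if not _args(d, "remote"):
        findings.append("no remote directive")
    return findings


if __name__ == "__main__":
    for name, lint, conf in (("server.conf", lint_server, SERVER_CONF), ("client.conf", lint_client, CLIENT_CONF)):
        for finding in lint(conf):
            print("%s: %s" % (name, finding))
```

Feed it your own files with `lint_server(open("/etc/openvpn/server.conf").read())`; the pool check is the one that catches the "make sure nothing else uses these IPs" mistake before a client ends up with the server's own address.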

19. If you use Windows as the client, install OpenVPN for Windows, which can be downloaded here: http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

20. Copy client1.crt, client1.key, ca.crt and client.conf into the directory C:/Program Files/OpenVPN/config (client1.key is the client's private key; move it over a trusted channel rather than by e-mail)

21. Rename client.conf to client.ovpn on your Windows machine

22. Stop your openvpn service first
# /etc/init.d/openvpn stop

23. Create the bridging script, name it bridge-start and put it in /root on 192.168.0.250 (the VPN server). It is the Linux bridge script from the OpenVPN ethernet-bridging page (see the references): it creates tap0, puts eth0 and tap0 into bridge br0, and moves the server's IP from eth0 to br0. Because eth0 loses its address, run it from the console, or make sure a default route is restored afterwards (see the rc.local snippet at the end of this post), and make it executable with chmod +x /root/bridge-start. The same reference page has a matching bridge-stop script for tearing the bridge down.
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################
# Define Bridge Interface
br="br0"
# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"
# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.0.250"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.0.255"
for t in $tap; do
openvpn --mktun --dev $t
done
brctl addbr $br
brctl addif $br $eth
for t in $tap; do
brctl addif $br $t
done
for t in $tap; do
ifconfig $t 0.0.0.0 promisc up
done
ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

24. Run the bridge-start script above
# /root/bridge-start

25. Start your openvpn server service
# /etc/init.d/openvpn start

26. Enable IP forwarding on your VPN server
# vim /etc/sysctl.conf
Look for the entry below and make sure its value is 1
net.ipv4.ip_forward = 1
Run the following command to apply the changes in sysctl.conf
# sysctl -p /etc/sysctl.conf
(For the bridge itself this is not required, since bridged clients and the LAN exchange frames at layer 2; it matters once the server also routes between networks, as in the firewall section below.)

27. Start the openvpn config file on Windows by right-clicking client.ovpn -> Start OpenVPN on this config file.
If you get as far as the message "Initialization Sequence Completed", you have succeeded.
You can also start OpenVPN on Windows by right-clicking the openvpn icon in the system tray and choosing Connect.
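Once a client reports "Initialization Sequence Completed", the server-side view of it is the file named by the status line in server.conf (/var/log/openvpn-status.log), which OpenVPN rewrites once a minute by default. The following Python script is an added example, not from the original post, that reads that file. STATUS_SAMPLE is constructed in the default version-1 layout; on a TAP server the routing table's Virtual Address column holds the MAC addresses OpenVPN has learned behind each client rather than IP addresses, which gives one check a bridged setup specifically needs: a client behind which several MACs appear is forwarding other machines onto your LAN.

```python
# Added example: read OpenVPN's status file for a TAP server. Not part of the
# original post; STATUS_SAMPLE is constructed in the default (version 1) layout.
STATUS_SAMPLE = """\
OpenVPN CLIENT LIST
Updated,Wed Nov 19 10:15:02 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:54321,184320,2211840,Wed Nov 19 09:50:11 2008
client2,198.51.100.7:1194,5120,4096,Wed Nov 19 10:14:58 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
00:ff:12:34:56:78,client1,203.0.113.10:54321,Wed Nov 19 10:15:00 2008
00:ff:ab:cd:ef:01,client2,198.51.100.7:1194,Wed Nov 19 10:14:59 2008
00:ff:ab:cd:ef:02,client2,198.51.100.7:1194,Wed Nov 19 10:14:59 2008
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_status(text):
    """Split the version-1 status file into its client list and routing table."""
    clients, routes, section = [], [], None
    for line in text.splitlines():
        if line == "OpenVPN CLIENT LIST":
            section = "clients"
            continue
        if line == "ROUTING TABLE":
            section = "routes"
            continue
        if line in ("GLOBAL STATS", "END"):
            section = None
            continue
        fields = line.split(",")
        if section == "clients" and len(fields) == 5 and fields[0] != "Common Name":
            clients.append({"cn": fields[0], "real": fields[1],
                            "rx": int(fields[2]), "tx": int(fields[3]), "since": fields[4]})
        elif section == "routes" and len(fields) == 4 and fields[0] != "Virtual Address":
            routes.append({"addr": fields[0], "cn": fields[1], "real": fields[2], "last": fields[3]})
    return {"clients": clients, "routes": routes}


def addresses_by_client(status):
    """Common name -> set of addresses (MACs on a TAP server) learned behind it."""
    seen = {}
    for r in status["routes"]:
        seen.setdefault(r["cn"], set()).add(r["addr"])
    return seen


def bridging_clients(status):
    """Clients with more than one learned MAC: they are bridging other hosts into the LAN."""
    return sorted(cn for cn, addrs in addresses_by_client(status).items() if len(addrs) > 1)


def bytes_by_client(status):
    """[(common name, received + sent bytes)], largest first."""
    totals = [(c["cn"], c["rx"] + c["tx"]) for c in status["clients"]]
    return sorted(totals, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    s = parse_status(STATUS_SAMPLE)
    print("connected:", [c["cn"] for c in s["clients"]])
    print("bridging other hosts:", bridging_clients(s))
    print("traffic:", bytes_by_client(s))
```

Point it at the live file with `parse_status(open("/var/log/openvpn-status.log").read())` from a cron job; a non-empty result from bridging_clients is worth a conversation with the certificate's owner, because on a bridge every machine they forward is on your subnet.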

Now, what if your OpenVPN server sits behind a firewall / PC router?
Suppose the network topology is as follows:

vpn client===internet===gateway (202.123.456.789, 192.168.0.2)===pc router(192.168.0.11)===vpn server (192.168.0.250)

Here is the iptables configuration. The rule fragments below are in iptables-save syntax, grouped by table (mangle, filter, nat); load them with iptables-restore, or type the equivalent iptables -t <table> ... commands in a terminal. A custom chain such as MPRE-70-OPENVPN has to exist (declared in the restore file, or created with iptables -t mangle -N MPRE-70-OPENVPN) before rules can be appended to it; MPRE-10-MYISP is referenced below but its definition is not shown here. Note also that nothing in the bridged setup above uses 10.10.0.0/24: server-bridge hands clients addresses from 192.168.0.200-249 on the LAN subnet, so the rules mentioning 10.10.0.0/24 only apply if the VPN server also runs a routed (TUN) instance on that network. For the bridge alone, what you need is the UDP/1194 forward and DNAT on the gateway.
1. Add the following configuration on your PC router
mangle
-A PREROUTING -s 192.168.0.0/255.255.255.0 -d 10.10.0.0/255.255.255.0 -j MPRE-70-OPENVPN

-A PREROUTING -s 192.168.0.250 -j MPRE-10-MYISP
-A PREROUTING -p udp -m udp --dport 1194 -j MPRE-10-MYISP
-A MPRE-70-OPENVPN -j MARK --set-mark 0x7
-A MPRE-70-OPENVPN -j ACCEPT

Run the following commands, and add them to /etc/rc.local so they are applied at every boot
/sbin/ip route add 10.10.0.0/24 via 192.168.0.250 dev eth0
/sbin/ip route add table 70 default via 192.168.0.250
/sbin/ip rule add fwmark 0x07 table 70

2. Add these rules on your gateway:
filter :
-A FORWARD -s 192.168.0.0/255.255.255.0 -d 10.10.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 10.10.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -p udp -i eth1 -d 192.168.0.250 --dport 1194 -j ACCEPT
-A FORWARD -p udp -m udp --dport 1194 -j ACCEPT
(The fourth rule already accepts forwarded UDP/1194 traffic from anywhere to anywhere, so the third is redundant; the tighter choice is to keep only the third, which is bound to the outside interface and the VPN server's address.)

nat :
-A PREROUTING -p udp -i eth1 -d 202.123.456.789 --dport 1194 -j DNAT --to 192.168.0.250:1194

3. Add these rules on the VPN server:
filter :
-A FORWARD -s 192.168.0.0/255.255.0.0 -j ACCEPT
nat :
-A POSTROUTING -o 192.168.0.0/16 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 10.10.0.0/255.255.0.0 -j SNAT --to-source 10.10.0.1
-A POSTROUTING -s 10.10.0.0/255.255.0.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.0.250
Two things to watch here: -o takes an interface name, so iptables will reject -o 192.168.0.0/16 as written (which interface was meant is not clear from the page); and the masks are inconsistent, /16 (255.255.0.0) in some rules and /24 in others, while the LAN used throughout is 192.168.0.0/24. Match the masks to your real networks before loading the rules.

Run the following commands, and add them to /etc/rc.local so they are applied at every boot (/etc/sysconfig/iptables is the Red Hat location; on Ubuntu point iptables-restore at whatever file you saved with iptables-save):
iptables-restore < /etc/sysconfig/iptables
/etc/init.d/openvpn stop
/root/bridge-start
/etc/init.d/openvpn start
route add default gw 192.168.0.2
The last line is needed because bridge-start moves the server's address from eth0 to br0, which drops the default route that was attached to eth0.

Congratulations, you have built an OpenVPN server on Ubuntu with a Windows client :)

References:
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html#linuxscript
http://openvpn.net/index.php/documentation/faq.html#bridge1
http://www.thebakershome.net/openvpn_tutorial
http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/

a question

Excuse me, I have a question.
I am doing my final project on building a VPN.
I have followed the steps in your tutorial up to step 26.
What I want to ask:
1) When I start openvpn, why does it say FAIL at autostarting vpn server?
2) When I right-click client.ovpn -> Start OpenVPN on this config file on Windows, there is no "Initialization Sequence Completed" message?
3) The extra config with -A PREROUTING ... where is that typed? In the terminal or where?
Please help, thank you.

1. Check your OpenVPN log, because the cause of the FAIL can be found there.

2. You have to get the server side right first, then move on to the client; if the server side is still wrong, the client will not be able to connect to the server either.

3. In the console / terminal :)

Hope this helps
