OpenVPN Server on Ubuntu Using TUN

VPN atau biasa disebut juga dengan Virtual Private Network adalah sebuah jaringan komputer yang menghubungkan antara komputer anda dengan komputer remote di suatu tempat misalnya di kantor anda.
Koneksi VPN memungkinkan anda untuk me-remote komputer anda yang berada di suatu tempat (remote site) dari rumah anda atau dari tempat lain, asalkan anda mempunyai akses internet.

Berikut adalah langkah instalasi OpenVPN Server di Ubuntu :
1. Install paket OpenVPN dari repo
$ sudo apt-get install openvpn

2. Buat direktori keys yang berada di dalam direktori /etc/openvpn
$ sudo mkdir /etc/openvpn/keys

3. Masuk ke direktori sample config files dari openvpn
$ cd /usr/share/doc/openvpn/examples/sample-config-files

4. Decompress file server.conf.gz
$ sudo gzip -d server.conf.gz

5. Copy-kan server.conf ke /etc/openvpn
$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn

6. Edit file konfigurasi dari server.conf
$ sudo vim /etc/openvpn/server.conf

Berikut ini adalah contoh file dari konfigurasi saya


port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key # This file should be kept secret
dh /etc/openvpn/keys/dh1024.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 3600
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mute 10

7. Buat backup direktori dari easy-rsa
$ sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa /usr/share/doc/openvpn/examples/easy-rsa-ori

8. Edit file vars
# vim /usr/share/doc/openvpn/examples/easy-rsa/2.0/vars

9. Edit di baris yang mendangung kata berikut dan sesuaikan dengan anda
export KEY_COUNTRY="IN"
export KEY_PROVINCE="JT"
export KEY_CITY="Canada"
export KEY_ORG="CORP"
export KEY_EMAIL="me@myhost.mydomain"

10. Eksekusi file vars
# ./usr/share/doc/openvpn/examples/easy-rsa/2.0/vars
Anda akan mendapatkan berikut sebagai output :
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys

11. Eksekusi file clean-all
# ./usr/share/doc/openvpn/examples/easy-rsa/2.0/clean-all
Jika anda mendapat error seperti ini :
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration

Jalankan perintah berikut
source ./usr/share/doc/openvpn/examples/easy-rsa/2.0/vars
setelah itu jalankan lagi
./usr/share/doc/openvpn/examples/easy-rsa/2.0/clean-all

12. Eksekusi build-ca
./usr/share/doc/openvpn/examples/easy-rsa/2.0/build-ca
Anda akan mendapatkan output seperti ini :
Generating a 1024 bit RSA private key
........++++++
.................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [JT]:
Locality Name (eg, city) [Canada]:
Organization Name (eg, company) [CORP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [CORPCA]:
Email Address [me@myhost.mydomain]:


13. Eksekusi build-key-server
# ./usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key-server server
Anda akan mendapatkan output seperti ini :
Generating a 1024 bit RSA private key
.++++++
.......................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [JT]:
Locality Name (eg, city) [Canada]:
Organization Name (eg, company) [CORP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [server]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'JT'
localityName :PRINTABLE:'Canada'
organizationName :PRINTABLE:'CORP'
commonName :PRINTABLE:'server'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Nov 16 16:39:20 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

14. Eksekusi file build-key untuk vpn client anda
# ./usr/share/doc/openvpn/examples/easy-rsa/2.0/build-key client1
Anda akan mendapatkan output seperti ini :
Generating a 1024 bit RSA private key
.++++++
.++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [IN]:
State or Province Name (full name) [JT]:
Locality Name (eg, city) [Canada]:
Organization Name (eg, company) [CORP]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [client1]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IN'
stateOrProvinceName :PRINTABLE:'JT'
localityName :PRINTABLE:'Canada'
organizationName :PRINTABLE:'CORP'
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Nov 16 16:43:15 2018 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

15. Eksekusi file build-dh
# ./usr/share/doc/openvpn/examples/easy-rsa/2.0/build-dh
Anda akan mendapatkan output seperti ini :
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................................++*++*++*


16. Copy file ca.crt, ca.key, dh1024.pem, server.crt, server.key ke /etc/openvpn/keys
# cp /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/keys/

17. Masuk ke direktori sample config files
# cd /usr/share/doc/openvpn/examples/sample-config-files

18. Edit file client.conf, disini digunakan mesin Windows sebagai openvpn client
# vim client.conf
Berikut adalah contoh config file dari client.conf saya, remote berisi informasi mengenai IP publik anda :

client
dev tun
proto udp
remote 202.123.456.789 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca "c:\\program files\\openvpn\\config\\ca.crt"
cert "c:\\program files\\openvpn\\config\\client1.crt"
key "c:\\program files\\openvpn\\config\\client1.key"
comp-lzo
verb 3


19. Jika anda menggunakan Windows sebagai client, maka install openvpn untuk windows yang dapat didownload disini : http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe

20. Copy file client1.crt, client1.key, ca.crt, client.conf ke dalam direktori C:/Program Files/OpenVPN/config

21. Rename client.conf menjadi client.ovpn di mesin windows anda

22. Jalankan service openvpn server anda
# /etc/init.d/openvpn start

23. Jalankan config file openvpn yang ada di windows dengan cara klik kanan pada file client.ovpn -> start openvpn on this config file.
Jika anda mendapatkan sampai pesan "Initialization Sequence Completed", maka anda telah berhasil.
Anda bisa juga menjalankan OpenVPN di windows dengan cara klik kanan pada icon openvpn di system tray, lalu pilih connect.

Sekarang bagaimana jika OpenVPN Server anda berada di belakang firewall / PC Router ?
Misal topologi jaringan seperti berikut ini :

vpn client===internet===gateway (202.123.456.789, 192.168.0.2)===pc router(192.168.0.11)===vpn server (192.168.0.250)

Berikut adalah konfigurasi iptables :
1. Tambahkan konfigurasi berikut di pc router anda
mangle
-A PREROUTING -s 192.168.0.0/255.255.255.0 -d 10.10.0.0/255.255.255.0 -j MPRE-70-OPENVPN

-A PREROUTING -s 192.168.0.250 -j MPRE-10-MYISP
-A PREROUTING -p udp -m udp --dport 1194 -j MPRE-10-MYISP
-A MPRE-70-OPENVPN -j MARK --set-mark 0x7
-A MPRE-70-OPENVPN -j ACCEPT


Eksekusi command berikut, dan tambahkan di /etc/rc.local supaya dapat di boot tiap kali booting
/sbin/ip route add 10.10.0.0/24 via 192.168.0.250 dev eth0
/sbin/ip route add table 70 default via 192.168.0.250
/sbin/ip rule add fwmark 0x07 table 70


2. Tambahkan rule ini di gateway anda :
filter :
-A FORWARD -s 192.168.0.0/255.255.255.0 -d 10.10.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 10.10.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -p udp -i eth1 -d 192.168.0.250 --dport 1194 -j ACCEPT
-A FORWARD -p udp -m udp --dport 1194 -j ACCEPT

nat :
-A PREROUTING -p udp -i eth1 -d 202.123.456.789 --dport 1194 -j DNAT --to 192.168.0.250:1194

3. Tambahkan rule ini di VPN Server :
filter :
-A FORWARD -s 192.168.0.0/255.255.0.0 -j ACCEPT
nat :
-A POSTROUTING -o 192.168.0.0/16 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 10.10.0.0/255.255.0.0 -j SNAT --to-source 10.10.0.1
-A POSTROUTING -s 10.10.0.0/255.255.0.0 -d 192.168.0.0/255.255.255.0 -j SNAT --to-source 192.168.0.250


Eksekusi command berikut, dan tambahkan di /etc/rc.local supaya dapat di boot tiap kali booting
iptables-restore < /etc/sysconfig/iptables
route add default gw 192.168.0.1


Selamat anda telah berhasil membangun OpenVPN Server di Ubuntu dengan Windows Client :)

Referensi :
http://id.wikipedia.org/wiki/VPN
http://en.wikipedia.org/wiki/Vpn
http://openvpn.net/index.php/documentation/howto.html
http://www.techimo.com/forum/linux-unix/176687-howto-openvpn-ubuntu-dapper.html
http://eshabe.wordpress.com/2008/10/17/hardy-ubuntu-804-speedy-openvpn/
http://www.ventanazul.com/webzine/articles/openvpn-ubuntu-and-hulu
http://mashaki.wordpress.com/2007/07/17/pengantar-openvpn/
http://forum.linux.or.id/viewtopic.php?f=16&t=6975
http://www.terminal23.net/2007/08/openvpn_20_on_ubuntu_704.html