Instalasi dan Konfigurasi OpenVPN Server di CentOS 7.x

Details: Written by H.A.Mooduto; Category: Blog; Published: 07 January 2019; Hits: 1501

Mengenai VPN silahkan baca di link ini: https://en.wikipedia.org/wiki/Virtual_private_network

INSTALASI OpenVPN:
1. Lakukan instalasi EPEL repo jika belum, perintahnya:
#yum -y install epel-release
#yum -y update

2. Berikutnya instal openvpn dan easy-rsa, perintahnya:
#yum -y install openvpn easy-rsa

KONFIGURASI OpenVPN:
1. Buat konfigurasi openvpn server seperti di bawah ini pada direktori /etc/openvpn dengan nama berkas server.conf: #vi /etc/openvpn/server.conf

    # Secure OpenVPN Server Config
    #
   dev tun
   proto udp
   port 1194
   keepalive 10 120
   max-clients 50

   ca ca.crt
   cert server.crt
   key server.key
   dh dh.pem
   tls-auth ta.key 0

   reneg-sec 0
   remote-cert-tls client
   crl-verify crl.pem
   tls-version-min 1.2
   cipher AES-256-CBC
   auth SHA512
   tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

   user nobody
   group nobody

   server 192.168.212.0 255.255.255.0
   topology subnet
   ifconfig-pool-persist ipp.txt

   duplicate-cn
   persist-key
   persist-tun
   comp-lzo

   push "redirect-gateway def1 bypass-dhcp"
   push "dhcp-option DNS 8.8.8.8"
   push "dhcp-option DNS 8.8.4.4"

   log-append /var/log/openvpn.log
   verb 3

2. Membuat Key dan Certificate, disini menggunakan tool easy-rsa, langkah-langkahnya adalah sebagai berikut:
   #cd ~
   #/usr/share/easy-rsa/3.0.3/easyrsa init-pki
   #/usr/share/easy-rsa/3.0.3/easyrsa build-ca nopass
   #/usr/share/easy-rsa/3.0.3/easyrsa gen-dh
   #/usr/share/easy-rsa/3.0.3/easyrsa build-server-full vpn-server-name nopass
   #/usr/share/easy-rsa/3.0.3/easyrsa build-client-full vpn-client-name nopass
   #/usr/share/easy-rsa/3.0.3/easyrsa gen-crl
   #openvpn --genkey --secret pki/ta.key

3. Copy-kan berkas Key dan Certicate dari proses 2 yang ada dalam direktori ~/pki ke direktori /etc/openvpn:
   #cp pki/ca.crt /etc/openvpn
   #cp pki/dh.pem /etc/openvpn
   #cp pki/issued/vpn-server-name.crt /etc/openvpn/server.crt
   #cp pki/private/vpn-server-name.key /etc/openvpn/server.key
   #cp pki/ta.key /etc/openvpn
   #cp pki/crl.pem /etc/openvpn

4. Aktifkan IPv4 Forwarding dengan membuka berkas: #vi /etc/sysctl.conf dan tambahkan seperti baris di bawah ini:
        net.ipv4.ip_foward = 1

    Selanjutnya restart network: #systemctl restart network

5. Aktifkan service dan firewall untuk openvpn:
   #firewall-cmd --zone=public --add-port=1194/udp --permanent
   #firewall-cmd --zone=public --add-service openvpn
   #firewall-cmd --zone=public --add-service openvpn --permanent
   #firewall-cmd --zone=public --add-masquerade
   #firewall-cmd --zone=public --add-masquerade --permanent
   #
   #para = $(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
   #firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 192.168.212.0/24 -o $para -j MASQUERADE
   #
   #firewwall-cmd --reload
   #
   #systemctl -f enable This email address is being protected from spambots. You need JavaScript enabled to view it.
   #systemctl start This email address is being protected from spambots. You need JavaScript enabled to view it.

   Untuk memastikan openvpn server sudah aktif, gunakan perintah: #systemctl status This email address is being protected from spambots. You need JavaScript enabled to view it.

DATA KONFIGURASI UNTUK CLIENT VPN
1. Buat direktori untuk data client vpn:
#cd ~
#mkdir vpn-client-config

2. Copy-kan data key dan certificate ke direktori vpn-client-config tersebut:
   #cp pki/ca.crt vpn-client-config
   #cp pki/issued/vpn-client-name.crt vpn-client-config/client.crt
   #cp pki/private/vpn-client-name.key vpn-client-config/client.key
   #cp pki/ta.key vpn-client-config

3. Selanjutnya buat berkas profile VPN client dengan nama berkas client.ovpn yang isinya seperti di bawah ini dan di simpan di direktori vpn-client-config:

   # Secure OpenVPN Client Config
   #
   tls-client
   pull
   client
   dev tun
   proto udp
   remote 123.123.123.123  1194
   redirect-gateway def1
   nobind
   persist-key
   persist-tun
   comp-lzo
   verb 3
   ca ca.crt
   cert client.crt
   key client.key
   tls-auth ta.key 1
   remote-cert-tls server
   ns-cert-type server
   key-direction 1
   cipher AES-256-CBC
   tls-version-min 1.2
   auth SHA512
   tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

-------------------------------------------
123.123.123.123 = IP Address VPN Server.

Catatan:
- Data yang dibutuhkan untuk settingan aplikasi client VPN koneksi ke VPN server adalah: client.ovpn, ca.crt, client.crt, client.key, ta.key
- Aplikasi client untuk akses ke VPN server bisa di lihat di link ini https://openvpn.net/community-downloads/
atau untuk yang berbasis android silahkan unduh di google play store.

Referensi:
1. http://www.startupcto.com/server-tech/centos/setting-up-openvpn-server-on-centos
2. https://www.digitalocean.com/community/tutorials/how-to-set-up-and-configure-an-openvpn-server-on-centos-7

Instalasi dan Konfigurasi OpenVPN Server di CentOS 7.x

Main Menu

Links

Tools eLearning