For background on VPNs, see https://en.wikipedia.org/wiki/Virtual_private_network
INSTALLING OpenVPN:
1. Install the EPEL repository if it is not present yet, with:
#yum -y install epel-release
#yum -y update
2. Next, install openvpn and easy-rsa:
#yum -y install openvpn easy-rsa
CONFIGURING OpenVPN:
1. Create the OpenVPN server configuration shown below in the /etc/openvpn directory as a file named server.conf: #vi /etc/openvpn/server.conf
# Secure OpenVPN Server Config
#
dev tun
proto udp
port 1194
keepalive 10 120
max-clients 50
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
reneg-sec 0
remote-cert-tls client
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
user nobody
group nobody
server 192.168.212.0 255.255.255.0
topology subnet
ifconfig-pool-persist ipp.txt
duplicate-cn
persist-key
persist-tun
comp-lzo
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
log-append /var/log/openvpn.log
verb 3
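As an added example (not part of the original tutorial), the POSIX shell script below audits a server.conf for the hardening directives the configuration above depends on (control-channel HMAC, TLS floor, peer role check, CRL, privilege drop) and prints a note for the options that widen the impact of a compromised client certificate. The write_sample_conf function writes a constructed copy of the config above so the script runs offline; all directive names are standard OpenVPN options.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server.conf for the directives the
# tutorial's config uses for hardening. Not part of the original page.

# Print the value of the first active (non-comment) occurrence of a directive.
conf_get() {                       # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 !~ /^[#;]/ && $1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# True when the directive appears as a whole word at the start of a line.
conf_has() {                       # $1 = config file, $2 = directive name
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# Returns 0 when every required directive is present with a sane value,
# 1 otherwise; prints one line per finding.
audit_openvpn_conf() {
    f="$1"; rc=0
    for d in tls-auth tls-version-min remote-cert-tls crl-verify user group cipher auth; do
        conf_has "$f" "$d" || { echo "MISSING: $d"; rc=1; }
    done
    case "$(conf_get "$f" tls-version-min)" in
        1.2|1.3) ;;
        *) echo "WEAK: tls-version-min must be 1.2 or higher"; rc=1 ;;
    esac
    [ "$(conf_get "$f" remote-cert-tls)" = client ] || { echo "WRONG: the server side needs 'remote-cert-tls client'"; rc=1; }
    [ "$(conf_get "$f" user)" = nobody ] || { echo "RISKY: daemon does not drop to an unprivileged user"; rc=1; }
    # Informational: options the tutorial enables that deserve a conscious decision.
    conf_has "$f" duplicate-cn && echo "NOTE: duplicate-cn lets one client certificate be shared; revoking it cuts off everyone using it"
    conf_has "$f" comp-lzo && echo "NOTE: comp-lzo compresses tunnel traffic; compression on encrypted links is generally discouraged"
    return $rc
}

# Constructed sample that mirrors the tutorial's server.conf (for offline runs).
write_sample_conf() {              # $1 = destination path
    cat > "$1" <<'EOF'
dev tun
proto udp
port 1194
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
remote-cert-tls client
crl-verify crl.pem
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
user nobody
group nobody
server 192.168.212.0 255.255.255.0
duplicate-cn
comp-lzo
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_openvpn_conf "$sample" || echo "audit reported problems"
rm -f "$sample"
```

Run it against the real file with `audit_openvpn_conf /etc/openvpn/server.conf` after sourcing the script; a non-zero exit status means a required directive is missing or weak, while the NOTE lines only report choices already made in the config above.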
2. Create the keys and certificates; here the easy-rsa tool is used, with the following steps:
#cd ~
#/usr/share/easy-rsa/3.0.3/easyrsa init-pki
#/usr/share/easy-rsa/3.0.3/easyrsa build-ca nopass
#/usr/share/easy-rsa/3.0.3/easyrsa gen-dh
#/usr/share/easy-rsa/3.0.3/easyrsa build-server-full vpn-server-name nopass
#/usr/share/easy-rsa/3.0.3/easyrsa build-client-full vpn-client-name nopass
#/usr/share/easy-rsa/3.0.3/easyrsa gen-crl
#openvpn --genkey --secret pki/ta.key
3. Copy the key and certificate files produced in step 2, which are in the ~/pki directory, to /etc/openvpn:
#cp pki/ca.crt /etc/openvpn
#cp pki/dh.pem /etc/openvpn
#cp pki/issued/vpn-server-name.crt /etc/openvpn/server.crt
#cp pki/private/vpn-server-name.key /etc/openvpn/server.key
#cp pki/ta.key /etc/openvpn
#cp pki/crl.pem /etc/openvpn
4. Enable IPv4 forwarding by opening the file /etc/sysctl.conf (#vi /etc/sysctl.conf) and adding the line below:
net.ipv4.ip_forward = 1
Then restart the network: #systemctl restart network
5. Enable the firewall rules and the service for openvpn:
#firewall-cmd --zone=public --add-port=1194/udp --permanent
#firewall-cmd --zone=public --add-service openvpn
#firewall-cmd --zone=public --add-service openvpn --permanent
#firewall-cmd --zone=public --add-masquerade
#firewall-cmd --zone=public --add-masquerade --permanent
#
#para=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
#firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 192.168.212.0/24 -o $para -j MASQUERADE
#
#firewall-cmd --reload
#
#systemctl -f enable openvpn@server.service
#systemctl start openvpn@server.service
To confirm that the openvpn server is running, use: #systemctl status openvpn@server.service
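The NAT step above derives the outbound interface by field position in the `ip route get` output. As an added example (not from the original tutorial), the script below shows why that is fragile and how to pick the token after "dev" instead, then assembles the same firewalld rule as a string that can be reviewed before it is applied. The two route lines are constructed samples, not captured from a real host; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): derive the outbound
# interface for the MASQUERADE rule robustly and assemble the firewalld
# rule as a reviewable string.

# Fixed-position parse as used in the tutorial: the interface is assumed
# to be the third field from the end of the `ip route get` line.
fragile_field() {                 # $1 = one line of `ip route get` output
    printf '%s\n' "$1" | awk 'NR == 1 { print $(NF-2) }'
}

# Keyword parse: take the token that follows "dev", wherever it sits.
iface_from_route() {              # $1 = one line of `ip route get` output
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# The tutorial's NAT rule for the VPN subnet, parameterised; printed rather
# than executed so it can be inspected first.
nat_rule_cmd() {                  # $1 = VPN subnet (CIDR), $2 = outbound interface
    printf 'firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$2"
}

# Constructed sample lines. Older iproute2 prints the first form; newer
# releases append further fields such as "uid 0", which shifts the fixed
# field position onto the source address instead of the interface.
OLD_STYLE='8.8.8.8 via 10.0.2.2 dev eth0 src 10.0.2.15'
NEW_STYLE='8.8.8.8 via 10.0.2.2 dev ens192 src 10.0.2.15 uid 0'

echo "fixed-field parse, old output : $(fragile_field "$OLD_STYLE")"
echo "fixed-field parse, new output : $(fragile_field "$NEW_STYLE")"   # wrong: the src address
echo "keyword parse, old output     : $(iface_from_route "$OLD_STYLE")"
echo "keyword parse, new output     : $(iface_from_route "$NEW_STYLE")"
nat_rule_cmd 192.168.212.0/24 "$(iface_from_route "$NEW_STYLE")"

# On the VPN server itself (as root), the live equivalent of the tutorial's step is:
#   para=$(iface_from_route "$(ip route get 8.8.8.8 | head -n 1)")
#   nat_rule_cmd 192.168.212.0/24 "$para" | sh && firewall-cmd --reload
```

A wrong value in `$para` silently produces a rule with `-o 10.0.2.15`, which never matches, so clients get a tunnel but no internet; checking the printed rule before piping it to `sh` catches that.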
CONFIGURATION DATA FOR THE VPN CLIENT
1. Create a directory for the VPN client data:
#cd ~
#mkdir vpn-client-config
2. Copy the key and certificate data into that vpn-client-config directory:
#cp pki/ca.crt vpn-client-config
#cp pki/issued/vpn-client-name.crt vpn-client-config/client.crt
#cp pki/private/vpn-client-name.key vpn-client-config/client.key
#cp pki/ta.key vpn-client-config
3. Next, create the VPN client profile, a file named client.ovpn with the contents below, and save it in the vpn-client-config directory:
# Secure OpenVPN Client Config
#
tls-client
pull
client
dev tun
proto udp
remote 123.123.123.123 1194
redirect-gateway def1
nobind
persist-key
persist-tun
comp-lzo
verb 3
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
ns-cert-type server
key-direction 1
cipher AES-256-CBC
tls-version-min 1.2
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
-------------------------------------------
123.123.123.123 = the IP address of the VPN server.
Notes:
- The files the VPN client application needs to connect to the VPN server are: client.ovpn, ca.crt, client.crt, client.key, ta.key
- Client applications for connecting to the VPN server are available at https://openvpn.net/community-downloads/
or, for Android, download from the Google Play Store.
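The client needs five files. As an added example (not from the original tutorial), the script below merges client.ovpn with the four PEM files it references into a single self-contained profile, replacing the `ca`, `cert`, `key` and `tls-auth` file directives with inline blocks; the `key-direction 1` line already in the profile above carries the direction that `tls-auth ta.key 1` used to give. The sample directory it builds contains placeholder PEM text, not real keys, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original tutorial): merge client.ovpn and the
# four files it references into one self-contained profile.

# $1 = directory with client.ovpn, ca.crt, client.crt, client.key, ta.key
# Prints the merged profile on stdout.
build_inline_profile() {
    dir="$1"
    # Copy every line except the four file-referencing directives
    # ("key-direction" is kept: its name is followed by "-", not a space).
    grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$dir/client.ovpn"
    for pair in ca:ca.crt cert:client.crt key:client.key tls-auth:ta.key; do
        tag=${pair%%:*}; file=${pair#*:}
        printf '<%s>\n' "$tag"
        cat "$dir/$file"
        printf '</%s>\n' "$tag"
    done
}

# Number of inline blocks in a profile (expect 4 after merging).
count_inline_blocks() {           # $1 = profile file
    grep -c '^<[a-z-]*>$' "$1"
}

# Constructed sample directory with placeholder PEM files (no real keys).
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 123.123.123.123 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA512
EOF
    for f in ca.crt client.crt client.key ta.key; do
        printf '%s\n' '-----BEGIN PLACEHOLDER-----' "constructed content of $f" '-----END PLACEHOLDER-----' > "$d/$f"
    done
    printf '%s\n' "$d"
}

umask 077                          # the merged profile embeds a private key
sample=$(make_sample_dir)
build_inline_profile "$sample" > "$sample/client-inline.ovpn"
echo "inline blocks: $(count_inline_blocks "$sample/client-inline.ovpn")"
rm -rf "$sample"
```

For the real files run `build_inline_profile ~/vpn-client-config > client-inline.ovpn`; because the output contains client.key, keep the `umask 077` (or `chmod 600` the result) and hand the file over through a channel you would trust with a private key.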