What is a VPN:
According to the IETF (Internet Engineering Task Force), a VPN "is an emulation of [a] private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones". A VPN is a form of private network carried over a public network (the Internet), with emphasis on data security and global access over the Internet. The connection is built through a virtual tunnel between two nodes.
An Access VPN lets users reach a network's resources whenever and wherever they are. Access VPNs cover analog lines, ISDN, digital subscriber line (DSL), mobile IP and various cable technologies, and can be divided into three types:
1. Client-Initiated,
2. Remote Router-Initiated,
3. Network Access Server (NAS)-Initiated.
That's enough theory; let's implement our VPN server.
This howto is a quick and dirty guide to building OpenVPN on a FreeBSD box (running pf as the firewall), and then connecting a Windows XP client to it.
1. #cd /usr/ports/security/openvpn
2. #make config
3. #make build
4. #make install clean
Then add the following line to /etc/rc.conf:
openvpn_enable="YES"
Now we are going to create the config files, which we will place in /usr/local/etc/openvpn:
#mkdir /usr/local/etc/openvpn
#cd /usr/local/etc/openvpn
#vi openvpn.conf
Add this config to your openvpn.conf:
***************** – – – – – – – *********************
# Specify device
dev tun
# Server and client IP pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Certificates for VPN authentication
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
# Routes for clients
push "route 192.168.0.0 255.255.255.0"
# compress the VPN link
comp-lzo
#keepalive 10 60
ping-timer-rem
persist-tun
persist-key
# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
***************** – – – – – – – *********************
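A pre-flight check for a server config like the one above, added here as an example and not part of the original post: it reads the config with awk, confirms that every ca/cert/key/dh file it references exists, that the private key is unreadable by group and others, that user/group are set so the daemon drops root, and that keepalive is present (OpenVPN warns at startup when it is missing, and the config above has it commented out). The path in the usage comment is the post's; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an OpenVPN server
# config before starting the daemon.
# Usage: check_openvpn_conf /usr/local/etc/openvpn/openvpn.conf

# Print the first argument of directive $2 in config $1.
# Commented-out lines never match because their first field starts with '#'.
directive_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

check_openvpn_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 1; }

    # 1. every referenced PKI file must exist
    for d in ca cert key dh; do
        f=$(directive_arg "$conf" "$d")
        if [ -z "$f" ]; then
            echo "FAIL: '$d' directive missing"; rc=1
        elif [ ! -f "$f" ]; then
            echo "FAIL: $d file $f does not exist"; rc=1
        fi
    done

    # 2. the private key must not be readable by group or others
    k=$(directive_arg "$conf" key)
    if [ -n "$k" ] && [ -f "$k" ]; then
        perms=$(ls -ld "$k" | cut -c5-10)   # group + other permission bits of 'ls -l'
        case $perms in
            ------) ;;
            *) echo "FAIL: $k is readable by group/others ($perms)"; rc=1 ;;
        esac
    fi

    # 3. privilege drop after startup
    for d in user group; do
        if [ -z "$(directive_arg "$conf" "$d")" ]; then
            echo "WARN: no '$d' directive, daemon keeps root privileges"; rc=1
        fi
    done

    # 4. keepalive (OpenVPN logs a warning at startup if it is missing)
    if [ -z "$(directive_arg "$conf" keepalive)" ]; then
        echo "WARN: keepalive missing (a commented-out line does not count)"; rc=1
    fi

    if [ $rc -eq 0 ]; then echo "OK: $conf"; fi
    return $rc
}
```

Run it as root before `/usr/local/etc/rc.d/openvpn start`; a non-zero exit means at least one finding was printed.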
OK, done.
Now we just need to create the certificates:
#cp -r /usr/local/share/doc/openvpn/easy-rsa ~gigih/
#cd ~gigih/easy-rsa
Edit the vars file a little:
#vi vars
export KEY_COUNTRY=ID
export KEY_PROVINCE="LAMPUNG"
export KEY_CITY=LAMPUNG
export KEY_ORG="VPN-SERV"
export KEY_EMAIL="admin_katro@unila.ac.id"
Creating certificates with easy-rsa requires a Bourne shell, so just type
# sh
Then we generate the certificate and key for the server:
# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/home/gigih/easy-rsa/keys
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
...................................++++++
...............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [LAMPUNG]:
Locality Name (eg, city) [LAMPUNG]:
Organization Name (eg, company) [VPN-SERV]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:
Email Address [admin_katro@unila.ac.id]:
Once that is done, generate the server key with the following steps:
# ./build-key-server server
Generating a 1024 bit RSA private key
..........++++++
..............................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [LAMPUNG]:
Locality Name (eg, city) [LAMPUNG]:
Organization Name (eg, company) [VPN-SERV]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:SERVER   <--- this is the important part
Email Address [admin_katro@unila.ac.id]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:LAMPUNG
Using configuration from /usr/home/gigih/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’ID’
stateOrProvinceName :PRINTABLE:’LAMPUNG’
localityName :PRINTABLE:’LAMPUNG’
organizationName :PRINTABLE:’VPN-SERVER’
commonName :PRINTABLE:’SERVER’
emailAddress :IA5STRING:'admin_katro@unila.ac.id'
Certificate is to be certified until Jun 26 10:04:29 2011 GMT (3650 days)
Sign the certificate? [y/n]:y
.
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Done, the server key is generated.
Now we create a key for the client:
# ./build-key client1
Generating a 1024 bit RSA private key
.........++++++
...................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [LAMPUNG]:
Locality Name (eg, city) [LAMPUNG]:
Organization Name (eg, company) [VPN-SERV]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server’s hostname) []:CLIENT1
Email Address [admin_katro@unila.ac.id]:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:LAMPUNG
Using configuration from /usr/home/gigih/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = “yes”
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :PRINTABLE:’ID’
stateOrProvinceName :PRINTABLE:LAMPUNG
localityName :PRINTABLE:’LAMPUNG’
organizationName :PRINTABLE:’VPN-SERV’
commonName :PRINTABLE:’CLIENT1′
emailAddress :IA5STRING:'admin_katro@unila.ac.id'
Certificate is to be certified until Jun 26 10:10:43 2017 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
To create keys for client 2, 3 and so on, follow the same steps as for client1;
the only thing to remember is to change the Common Name from
Common Name (eg, your name or your server's hostname) []:CLIENT1
to
Common Name (eg, your name or your server's hostname) []:CLIENT2
Now generate the DH parameters, 1024 bit:
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
. …………………………………………………………………………..+……………..+……………..+……
……………………………………………………………………………………………………………………+..+……….
…………………………………………………………………+…………………………………………………..+……..
………………….+………………………………………..+……………………………………+………..+…..
………+…………………………………….++*++*++*
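The easy-rsa dialogue above can be scripted. The following is an added example, not the post's own commands and not the easy-rsa scripts: it calls openssl directly with -subj so no prompts appear, builds the same CA / server / client1 set using the DN values from the post's vars file, and adds a verify_pair check that a certificate chains to the CA and matches its private key (the RSA moduli of certificate and key must be identical). It departs from the post in using 2048-bit keys, marking the server certificate with extendedKeyUsage=serverAuth, and setting no challenge password; the function names, the VPN-CA common name and the dh2048.pem file name are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive equivalent of
# ./build-ca, ./build-key-server server, ./build-key client1 and ./build-dh
# using plain openssl commands.
# Usage: mk_vpn_pki /usr/local/etc/openvpn/keys && mk_dh /usr/local/etc/openvpn/keys

SUBJ_BASE="/C=ID/ST=LAMPUNG/L=LAMPUNG/O=VPN-SERV"   # values from the post's vars file

# Create CA, server and client1 certificates in directory $1.
# The body runs in a subshell so umask and 'exit' stay local to the function.
mk_vpn_pki() (
    dir=$1
    mkdir -p "$dir" || exit 1
    umask 077   # every file created below, private keys included, is owner-only

    # self-signed CA (equivalent of ./build-ca)
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 \
        -subj "$SUBJ_BASE/CN=VPN-CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || exit 1

    # server key + CSR, signed by the CA with a serverAuth EKU
    # (equivalent of ./build-key-server server; the EKU lets clients insist on a real server cert)
    printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/server.ext"
    openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJ_BASE/CN=SERVER" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 3650 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null || exit 1

    # client key + CSR (equivalent of ./build-key client1); the CN must be unique per client
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJ_BASE/CN=CLIENT1" \
        -keyout "$dir/client1.key" -out "$dir/client1.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$dir/client1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 3650 -extfile "$dir/client.ext" -out "$dir/client1.crt" 2>/dev/null || exit 1

    rm -f "$dir/server.csr" "$dir/client1.csr" "$dir/server.ext" "$dir/client.ext"
)

# Generate DH parameters (equivalent of ./build-dh). Slow, so kept as a separate step.
mk_dh() { openssl dhparam -out "$1/dh2048.pem" 2048 2>/dev/null; }

# Return 0 if certificate $1 chains to CA $2 and its public key matches private key $3.
verify_pair() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$3" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the CN a certificate was issued to (what OpenVPN logs as the peer's common name).
cert_cn() { openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'; }
```

After running it, `verify_pair keys/client1.crt keys/ca.crt keys/client1.key` is a cheap way to confirm that the three files you are about to ftp to a Windows client actually belong together.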
Done with the keys and certificates; now copy the generated keys into the openvpn directory:
#cp -R keys /usr/local/etc/openvpn/
But first you need to edit /etc/syslog.conf a little:
#vi /etc/syslog.conf
—————**********———-
!openvpn
*.*	/var/log/openvpn.log
—————**********———-
#touch /var/log/openvpn.log
#killall -HUP syslogd
Don't forget to load the tun interface so the openvpn daemon can use it; just type
#kldload if_tun
#kldload if_tap
NOTE: if kldload reports "can't load if_tun", just ignore it; it usually means the tun driver is already compiled into the kernel :)
To have the modules loaded at boot, add these lines to /boot/loader.conf:
if_tap_load="YES" # Ethernet tunnel software network interface
if_tun_load="YES" # Tunnel driver (user process ppp)
Finally, start the openVPN daemon:
#/usr/local/etc/rc.d/openvpn start
Check /var/log/messages to make sure the openvpn daemon is running:
Aug 9 17:57:32 gateway openvpn[38670]: OpenVPN 2.0.5 i386-portbld-freebsd6.1 [SSL] [LZO] built on Aug 9 2007
Aug 9 17:57:32 gateway openvpn[38670]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Aug 9 17:57:32 gateway openvpn[38670]: WARNING: --keepalive option is missing from server config
Aug 9 17:57:32 gateway openvpn[38670]: gw 222.124.196.100
Aug 9 17:57:32 gateway openvpn[38670]: TUN/TAP device /dev/tun0 opened
Aug 9 17:57:32 gateway openvpn[38670]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Aug 9 17:57:32 gateway openvpn[38675]: GID set to nobody
Aug 9 17:57:32 gateway openvpn[38675]: UDPv4 link local (bound): [undef]:1194
Aug 9 17:57:32 gateway openvpn[38675]: UDPv4 link remote: [undef]
Aug 9 17:57:32 gateway openvpn[38675]: Initialization Sequence Completed
# ifconfig
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
pfsync0: flags=0<> mtu 2020
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet6 fe80::20e:cff:fe3e:2ccd%tun0 prefixlen 64 scopeid 0x7
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Opened by PID 38670
#
That means openvpn is running.
Since I use PF (Packet Filter) as the firewall, a small change to /etc/pf.conf is needed:
# /etc/pf.conf
# Maintained by Gigih.
#
# Rev 1.0 Feb 04 2006
# Please, please, please confirm any changes
# on this file to me.
#
eIF = "xl0"
iIF = "em0"
dIF = "rl0"
vpn_if="tun0"
# VPN Network (use whatever network you like; it must match the 'server' line in openvpn.conf)
vpn_network="10.8.0.0/24"
# NAT VPN connections: packets from the VPN interface are NATed directly to the external IP
nat on $eIF from $vpn_network to any -> ($eIF)
# VPN connections inbound (the external interface macro is $eIF, as defined above)
pass in on $eIF proto udp from any to port 1194 keep state
pass quick on $vpn_if
Don't get these mixed up...
Done, your VPN server is up.
How to try it? Easy.
For Windows 2000 and XP there is free VPN client software; download it here:
http://www.openvpn.se
Just install it on the client PC.
By default it installs to
C:\Program Files\OpenVPN
Now copy the key files we generated on the server earlier,
namely ca.crt, client1.crt and client1.key; I usually move them via ftp.
Copy them to C:\Program Files\OpenVPN\config
Then go to C:\Program Files\OpenVPN\config and create the openvpn config;
name the file myopenvpn.ovpn
with roughly this content:
———-snip———–
client
remote my.openvpn.server 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
# Set log file verbosity.
verb 3
———-snip———–
Once that is done the OpenVPN icon will appear in the bottom-right corner of Windows;
just right-click it and connect.
If the icon turns green you are connected to the server.
Congratulations!
You can test it by typing
ipconfig /all
at the command prompt:
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : gigih-banget
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : unila.ac.id
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : unila.ac.id
Description . . . . . . . . . . . : Realtek RTL8169/8110 Family Gigabit
Ethernet NIC
Physical Address. . . . . . . . . : 00-18-F3-7E-BF-65
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.204
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.245
DNS Servers . . . . . . . . . . . : 192.168.1.3
Ethernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Win32 Adapter V8
Physical Address. . . . . . . . . : 00-FF-49-04-3A-D7
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.8.0.6
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 10.8.0.5
Lease Obtained. . . . . . . . . . : Thursday, August 09, 2007 5:52:32 PM
Lease Expires . . . . . . . . . . : Friday, August 08, 2008 5:52:32 PM
C:\Documents and Settings\Administrator>