According to the IETF (Internet Engineering Task Force), a "VPN is an emulation of [a] private Wide Area Network (WAN) using shared or public IP facilities, such as the Internet or private IP backbones." A VPN is a form of private network that runs over a public network (the Internet), with the emphasis on data security and global reachability via the Internet. The connection is built through a virtual tunnel between two nodes.
An Access VPN lets users reach a network's resources whenever and wherever they are. Access VPNs cover analog lines, ISDN, digital subscriber line (DSL), mobile IP and various cable technologies, and can be divided into three types: 1. Client-Initiated, 2. Remote Router-Initiated, 3. Network Access Server (NAS)-Initiated.
Just that,..... let's implement our VPN server
This howto is a quick and dirty guide to building OpenVPN on a FreeBSD box (running pf as the firewall), and then connecting a Windows XP client to it.
Add this config to your openvpn.conf
***************** - - - - - - - *********************
# Specify device
dev tun

# Server and client IP pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# Certificates for VPN authentication
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem

# Routes pushed to clients
push "route 192.168.0.0 255.255.255.0"

# Run OpenVPN as a daemon and drop privileges to user/group nobody
user nobody
group nobody
daemon
***************** - - - - - - - *********************
OK, done. Now we just need to create the certificates; here's how
# cp -r /usr/local/share/doc/openvpn/easy-rsa ~gigih/
# cd ~gigih/easy-rsa
To create certificates via easy-rsa you have to be in Bourne shell mode; just type
# sh
Then we'll generate the certificate and key for the server
# . vars
NOTE: when you run ./clean-all, I will be doing a rm -rf on /usr/home/gigih/easy-rsa/keys
# ./clean-all
# ./build-ca
Generating a 1024 bit RSA private key
....................................++++++
..............++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [LAMPUNG]:
Locality Name (eg, city) [LAMPUNG]:
Organization Name (eg, company) [VPN-SERV]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address [
]:
Once that's done, generate the server key by following these steps
# ./build-key-server server
Generating a 1024 bit RSA private key
..........++++++
..................................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [LAMPUNG]:
Locality Name (eg, city) [LAMPUNG]:
Organization Name (eg, company) [VPN-SERV]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:SERVER   -->>>> the important part
Email Address [
]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234567
An optional company name []:LAMPUNG
Using configuration from /usr/home/gigih/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:'LAMPUNG'
localityName          :PRINTABLE:'LAMPUNG'
organizationName      :PRINTABLE:'VPN-SERVER'
commonName            :PRINTABLE:'SERVER'
emailAddress          :IA5STRING:'
@unila.ac.id'
Certificate is to be certified until Jun 26 10:04:29 2011 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Yup, done generating the server key
Now we'll make a key for the client
# ./build-key client1
Generating a 1024 bit RSA private key
.........++++++
....................................++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ID]:
State or Province Name (full name) [LAMPUNG]:
Locality Name (eg, city) [LAMPUNG]:
Organization Name (eg, company) [VPN-SERV]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:CLIENT1
Email Address [
]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:LAMPUNG
Using configuration from /usr/home/gigih/easy-rsa/openssl.cnf
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'ID'
stateOrProvinceName   :PRINTABLE:LAMPUNG
localityName          :PRINTABLE:'LAMPUNG'
organizationName      :PRINTABLE:'VPN-SERV'
commonName            :PRINTABLE:'CLIENT1'
emailAddress          :IA5STRING:'
'
Certificate is to be certified until Jun 26 10:10:43 2017 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
To create keys for client 2, 3 and so on, the steps are the same as for client1; the thing to remember is to change the Common Name (the CA runs with unique_subject = "yes", as the DEBUG line above shows, so a second certificate with the same Distinguished Name as an existing one will be refused)
Common Name (eg, your name or your server's hostname) []:CLIENT1 becomes Common Name (eg, your name or your server's hostname) []:CLIENT2
Now generate the DH parameters, 1024 bit
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
......................................................................................+.................+.................+......
Check /var/log/messages to make sure the openvpn daemon is running
Aug 9 17:57:32 gateway openvpn[38670]: OpenVPN 2.0.5 i386-portbld-freebsd6.1 [SSL] [LZO] built on Aug 9 2007
Aug 9 17:57:32 gateway openvpn[38670]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Aug 9 17:57:32 gateway openvpn[38670]: WARNING: --keepalive option is missing from server config
Aug 9 17:57:32 gateway openvpn[38670]: gw 222.124.196.100
Aug 9 17:57:32 gateway openvpn[38670]: TUN/TAP device /dev/tun0 opened
Aug 9 17:57:32 gateway openvpn[38670]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Aug 9 17:57:32 gateway openvpn[38675]: GID set to nobody
Aug 9 17:57:32 gateway openvpn[38675]: UDPv4 link local (bound): [undef]:1194
Aug 9 17:57:32 gateway openvpn[38675]: UDPv4 link remote: [undef]
Aug 9 17:57:32 gateway openvpn[38675]: Initialization Sequence Completed
# ifconfig
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
pfsync0: flags=0<> mtu 2020
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        inet6 fe80::20e:cff:fe3e:2ccd%tun0 prefixlen 64 scopeid 0x7
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        Opened by PID 38670
#
Yup, that means openvpn is running. Since I use PF (Packet Filter) as the firewall, there's a small change to make to the pf.conf file
# /etc/pf.conf
# Maintained by Gigih.
#
# Rev 1.0 Feb 04 2006
# Please, please, please confirm any changes
# on this file to me.
#

eIF = "xl0"
iIF = "em0"
dIF = "rl0"
vpn_if="tun0"

# VPN Network
vpn_network="10.8.0.0/24"
# --->> use whatever network you like

# NAT VPN connections
nat on $eIF from $vpn_network to any -> ($eIF)
# -> meaning packets from the VPN interface are NATed straight out as the external IP

# VPN connections inbound
pass in on $eIF proto udp from any to port 1194 keep state
pass quick on $vpn_if
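A quick check for the mistake that is easy to make in a rule set like this (a macro referenced under one name and defined under another), as an added example that is not part of the original post: the Bourne-shell script below embeds a constructed rule set in the same shape as the one above, but with the inbound rule written as pass in on $ext_if, a name that no macro line defines, and reports every $name that has no name=... definition. On the FreeBSD box itself, pfctl -nf /etc/pf.conf does this parse check before the rules are loaded; this version runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: find pf.conf macros that are used as
# $name but never defined as name="...". The sample below is constructed to mirror
# the post's rule set, with the inbound rule deliberately saying $ext_if while the
# external interface macro is declared as eIF.

sample_pf_conf() {
cat <<'EOF'
# constructed sample, mirroring the post's pf.conf
eIF = "xl0"
iIF = "em0"
dIF = "rl0"
vpn_if="tun0"
vpn_network="10.8.0.0/24"
nat on $eIF from $vpn_network to any -> ($eIF)
pass in on $ext_if proto udp from any to port 1194 keep state
pass quick on $vpn_if
EOF
}

# defined_macros FILE: names introduced by  name = "value"  (spaces optional).
defined_macros() {
  sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1"
}

# referenced_macros FILE: every $name used outside comments, each listed once.
referenced_macros() {
  awk '{
    sub(/#.*/, "")
    while (match($0, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
      print substr($0, RSTART + 1, RLENGTH - 1)
      $0 = substr($0, RSTART + RLENGTH)
    }
  }' "$1" | sort -u
}

# undefined_macros FILE: referenced names with no definition; prints nothing when clean.
undefined_macros() {
  referenced_macros "$1" | while read -r m; do
    defined_macros "$1" | grep -qx "$m" || echo "$m"
  done
}

# check_pf_conf FILE: exit 0 if clean, otherwise one message per bad macro and exit 1.
check_pf_conf() {
  bad=$(undefined_macros "$1")
  [ -z "$bad" ] && return 0
  echo "$bad" | sed 's/^/undefined macro: $/'
  return 1
}

# Stand-alone run against the constructed sample.
f=$(mktemp); sample_pf_conf >"$f"
check_pf_conf "$f" || echo "fix the macro name, then re-check with pfctl -nf"
rm -f "$f"
```

Against the sample it prints "undefined macro: $ext_if"; once that rule reads $eIF it prints nothing and exits 0. Point it at a real file with check_pf_conf /etc/pf.conf after sourcing the script.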
Don't get these mixed up....................... Done, your VPN server is UP
How do you try it out? Easy............... For Windows 2000 and XP there's already free VPN client software; just download it here
http://www.openvpn.se
Just install it on the client PC. By default it installs into the directory
C:\Program Files\Openvpn\
Now just copy the key files we generated on the server earlier; the files are ca.crt, client1.crt and client1.key. I usually move them via ftp; copy them into the directory C:\Program Files\Openvpn\config
Next go into C:\Program Files\Openvpn\config and create the openvpn config; name the file myopenvpn.ovpn, with contents roughly like this
----------snip-----------
client
remote my.openvpn.server 1194
dev tun
comp-lzo

ca ca.crt
cert client1.crt
key client1.key

# Set log file verbosity.
verb 3
----------snip-----------
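The server openvpn.conf, the daemon's log lines and the client .ovpn above each have something worth checking mechanically, so here is an added example that does so; it is not code from the original post. It is a Bourne-shell script with constructed copies of the three files embedded in heredocs (my.openvpn.server and the key paths are just the post's placeholders). It flags directives a config cannot work without, flags hardening directives that are absent (keepalive, which the daemon's own WARNING line asks for; tls-auth; persist-key and persist-tun; and on the client ns-cert-type server, without which the client accepts any certificate signed by ca.crt, another client's included, as the server's), and confirms that the log reached Initialization Sequence Completed.

```shell
#!/bin/sh
# Added example (not code from the original post): lint the server openvpn.conf,
# the client .ovpn and the daemon's syslog lines. All inputs are constructed
# copies of the post's files, embedded below; paths and host name are placeholders.

# Constructed copy of the post's server config (no keepalive, no tls-auth).
sample_server_conf() {
cat <<'EOF'
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
push "route 192.168.0.0 255.255.255.0"
user nobody
group nobody
daemon
EOF
}

# Constructed copy of the post's client config.
sample_client_conf() {
cat <<'EOF'
client
remote my.openvpn.server 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
verb 3
EOF
}

# Constructed syslog lines, same shape as the post's /var/log/messages excerpt.
sample_log() {
cat <<'EOF'
Aug 9 17:57:32 gateway openvpn[38670]: WARNING: --keepalive option is missing from server config
Aug 9 17:57:32 gateway openvpn[38670]: TUN/TAP device /dev/tun0 opened
Aug 9 17:57:32 gateway openvpn[38675]: GID set to nobody
Aug 9 17:57:32 gateway openvpn[38675]: Initialization Sequence Completed
EOF
}

# has_directive FILE NAME: true when NAME is the first word of an uncommented line.
has_directive() {
  awk -v d="$2" '$1 == d { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# lint_server_conf FILE: one finding per line; prints nothing for a clean config.
# MISSING = cannot work as intended; RECOMMENDED = runs, but a hardening directive
# (one of them the subject of the daemon's own startup WARNING) is absent.
lint_server_conf() {
  for d in ca cert key dh user group; do
    has_directive "$1" "$d" || echo "MISSING required: $d"
  done
  for d in keepalive tls-auth persist-key persist-tun; do
    has_directive "$1" "$d" || echo "RECOMMENDED absent: $d"
  done
}

# lint_client_conf FILE: same for the .ovpn. Without ns-cert-type server (OpenVPN 2.0)
# or remote-cert-tls server (2.1+) the client takes any certificate signed by ca.crt,
# another client's included, as the server's.
lint_client_conf() {
  for d in client remote ca cert key; do
    has_directive "$1" "$d" || echo "MISSING required: $d"
  done
  has_directive "$1" ns-cert-type || has_directive "$1" remote-cert-tls ||
    echo "RECOMMENDED absent: ns-cert-type server (or remote-cert-tls server)"
}

# daemon_ready LOG: true once the daemon logged the end of its init sequence.
daemon_ready() {
  grep -q 'openvpn\[[0-9]*\]: Initialization Sequence Completed' "$1"
}

# log_warnings LOG: each WARNING the daemon logged, without the syslog prefix.
log_warnings() {
  sed -n 's/.*openvpn\[[0-9]*\]: WARNING: //p' "$1"
}

# Stand-alone run: write the samples to temp files and report on them.
demo() {
  s=$(mktemp); c=$(mktemp); l=$(mktemp)
  sample_server_conf >"$s"; sample_client_conf >"$c"; sample_log >"$l"
  echo "== server config =="; lint_server_conf "$s"
  echo "== client config =="; lint_client_conf "$c"
  echo "== daemon log =="
  daemon_ready "$l" && echo "init completed" || echo "init NOT completed"
  log_warnings "$l" | sed 's/^/warning: /'
  rm -f "$s" "$c" "$l"
}
demo
```

On the samples the server config gets four RECOMMENDED findings and no MISSING ones, the client config gets one (ns-cert-type server), and the log shows init completed plus the keepalive warning. To use it on real files, source the script and call lint_server_conf /usr/local/etc/openvpn/openvpn.conf or lint_client_conf myopenvpn.ovpn; a clean config prints nothing.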
Once that's done the openvpn icon will appear in the bottom-right corner of Windows; just right-click it and connect......
If the icon turns green, you're connected to the server. Congratulationssss.....
You can test it by typing ipconfig /all at the command prompt
C:\Documents and Settings\Administrator>ipconfig /all