tun
(untuk tunnel level IP) dan antarmuka tap
(tunnel level terowongan) yang didukung. Dalam prakteknya, antarmuka tun
akan paling sering digunakan kecuali ketika klien VPN yang dimaksudkan untuk diintegrasikan ke dalam jaringan lokal server melalui bridge Ethernet.
pki/ca.crt
) will be stored on all machines (both server and clients) as /etc/ssl/certs/Falcot_CA.crt
. The server's certificate is installed only on the server (pki/issued/vpn.falcot.com.crt
goes to /etc/ssl/certs/vpn.falcot.com.crt
, and pki/private/vpn.falcot.com.key
goes to /etc/ssl/private/vpn.falcot.com.key
with restricted permissions so that only the administrator can read it), with the corresponding Diffie-Hellman parameters (pki/dh.pem
) installed to /etc/openvpn/dh.pem
. Client certificates are installed on the corresponding VPN client in a similar fashion.
/etc/openvpn/*.conf
. Setting up a VPN server is therefore a matter of storing a corresponding configuration file in this directory. A good starting point is /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
, which leads to a rather standard server. Of course, some parameters need to be adapted: ca
, cert
, key
and dh
need to describe the selected locations (respectively, /etc/ssl/certs/Falcot_CA.crt
, /etc/ssl/vpn.falcot.com.crt
, /etc/ssl/private/vpn.falcot.com.key
and /etc/openvpn/dh.pem
). The server 10.8.0.0 255.255.255.0
directive defines the subnet to be used by the VPN; the server uses the first IP address in that range (10.8.0.1
) and the rest of the addresses are allocated to clients.
tun0
name. However, firewalls are often configured at the same time as the real network interfaces, which happens before OpenVPN starts. Good practice therefore recommends creating a persistent virtual network interface, and configuring OpenVPN to use this pre-existing interface. This further allows choosing the name for this interface. To this end, openvpn --mktun --dev vpn --dev-type tun
creates a virtual network interface named vpn
with type tun
; this command can easily be integrated in the firewall configuration script, or in an up
directive of the /etc/network/interfaces
file, or a udev rule can be added to that end. The OpenVPN configuration file must also be updated accordingly, with the dev vpn
and dev-type tun
directives.
10.8.0.1
. Memberi akses untuk klien ke jaringan lokal (192.168.0.0/24), memerlukan penambahan direktif push route 192.168.0.0 255.255.255.0
ke konfigurasi OpenVPN sehingga klien VPN secara otomatis mendapatkan route yang memberi tahu mereka bahwa jaringan ini dapat dicapai melalui VPN. Lebih jauh, mesin-mesin pada jaringan lokal juga perlu diberitahu bahwa route ke VPN adalah melalui server VPN (ini secara otomatis berjalan ketika server VPN dipasang pada gateway). Alternatifnya, server VPN dapat dikonfigurasi untuk melaksanakan masquerading IP sehingga koneksi yang datang dari klien-klien VPN tampak seperti datang dari server VPN (lihat Bagian 10.1, “Gateway”).
/etc/openvpn/
. Sebuah konfigurasi standar dapat diperoleh dengan memakai /usr/share/doc/openvpn/examples/sample-config-files/client.conf
sebagai titik awal. Direktif remote vpn.falcot.com 1194
menjelaskan alamat dan port server OpenVPN; ca
, cert
, dan key
juga perlu diadaptasi untuk menjelaskan lokasi berkas-berkas kunc.
AUTOSTART
directive to none
in the /etc/default/openvpn
file. Starting or stopping a given VPN connection is always possible with the commands systemctl start openvpn@name
and systemctl stop openvpn@name
(where the connection name matches the one defined in /etc/openvpn/name.conf
).
tun*
) pada kedua sisi dari koneksi SSH, dan antarmuka virtual ini dapat dikonfigurasi secara persis seolah mereka antarmuka fisik. Sistem tunnel pertama mesti difungsikan dengan menata PermitTunnel
ke ”yes” dalam berkas konfigurasi server SSH (/etc/ssh/sshd_config
). Ketika menjalin suatu koneksi SSH, pembuatan tunnel mesti diminta secara eksplisit dengan opsi -w any:any
(any
dapat digantikan dengan nomor peranti tun
yang dikehendaki). Ini memerlukan pengguna memiliki hak administrator pada kedua sisi, sehingga dapat membuat peranti jaringan (dengan kata lain, koneksi mesti dijalin sebagai root).
/etc/ipsec.conf
contains the parameters for IPsec tunnels (or Security Associations, in the IPsec terminology) that the host is concerned with. There are many configuration examples in /usr/share/doc/libreswan/
, but Libreswan's online documentation has more examples with explanations:
systemctl
; for example, systemctl start ipsec
will start the IPsec service.
/etc/ppp/options.pptp
, /etc/ppp/peers/falcot
, /etc/ppp/ip-up.d/falcot
, dan /etc/ppp/ip-down.d/falcot
.
Contoh 10.2. Berkas /etc/ppp/options.pptp
# PPP options used for a PPTP connection lock noauth nobsdcomp nodeflate
Contoh 10.3. Berkas /etc/ppp/peers/falcot
# vpn.falcot.com is the PPTP server pty "pptp vpn.falcot.com --nolaunchpppd" # the connection will identify as the "vpn" user user vpn remotename pptp # encryption is needed require-mppe-128 file /etc/ppp/options.pptp ipparam falcot
pptpd
adalah server PPTP untuk Linux. Berkas konfigurasi utamanya, /etc/pptpd.conf
, memerlukan sangat sedikit perubahan: localip (alamat IP lokal) dan remoteip (alamat IP remote). Dalam contoh di bawah, server PPTP selalu memakai alamat 192.168.0.199
dan klien PPTP menerima alamat IP dari 192.168.0.200
sampai 192.168.0.250
.
Contoh 10.6. Berkas /etc/pptpd.conf
# TAG: speed # # Specifies the speed for the PPP daemon to talk at. # speed 115200 # TAG: option # # Specifies the location of the PPP options file. # By default PPP looks in '/etc/ppp/options' # option /etc/ppp/pptpd-options # TAG: debug # # Turns on (more) debugging to syslog # # debug # TAG: localip # TAG: remoteip # # Specifies the local and remote IP address ranges. # # You can specify single IP addresses separated by commas or you can # specify ranges, or both. For example: # # 192.168.0.234,192.168.0.245-249,192.168.0.254 # # IMPORTANT RESTRICTIONS: # # 1. No spaces are permitted between commas or within addresses. # # 2. If you give more IP addresses than MAX_CONNECTIONS, it will # start at the beginning of the list and go until it gets # MAX_CONNECTIONS IPs. Others will be ignored. # # 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238, # you must type 234-238 if you mean this. # # 4. If you give a single localIP, that's ok - all local IPs will # be set to the given one. You MUST still give at least one remote # IP for each simultaneous client. # #localip 192.168.0.234-238,192.168.0.245 #remoteip 192.168.1.234-238,192.168.1.245 #localip 10.0.1.1 #remoteip 10.0.1.2-100 localip 192.168.0.199 remoteip 192.168.0.200-250
/etc/ppp/pptpd-options
. Parameter penting adalah nama server (pptp
), nama domain (falcot.com
), dan alamat IP untuk server DNS dan WINS.
Contoh 10.7. Berkas /etc/ppp/pptpd-options
## turn pppd syslog debugging on #debug ## change 'servername' to whatever you specify as your server name in chap-secrets name pptp ## change the domainname to your local domain domain falcot.com ## these are reasonable defaults for WinXXXX clients ## for the security related settings # The Debian pppd package now supports both MSCHAP and MPPE, so enable them # here. Please note that the kernel support for MPPE must also be present! auth require-chap require-mschap require-mschap-v2 require-mppe-128 ## Fill in your addresses ms-dns 192.168.0.1 ms-wins 192.168.0.1 ## Fill in your netmask netmask 255.255.255.0 ## some defaults nodefaultroute proxyarp lock
vpn
(dan kata sandi terkait) dalam berkas /etc/ppp/chap-secrets
. Berbeda dengan instansi lain dimana bintang (*
) akan bekerja, nama server harus diisi secara eksplisit di sini. Lebih jauh, klien-klien PPTP Windows mengidentifikasi diri mereka sendiri dalam bentuk DOMAIN\\USER
, bukan sekedar menyediakan nama pengguna. Ini menjelaskan mengapa berkas juga menyinggung pengguna FALCOT\\vpn
. Juga dimungkinkan untuk menyatakan alamat IP individu untuk para pengguna; bintang dalam ruas ini menyatakan bahwa pengalamat dinamis mesti dipakai.