OpenVPN: IPv6 routed 2 LAN: Difference between revisions

From OnnoCenterWiki
Revision as of 22:17, 10 March 2019

This page shows an OpenVPN configuration that gives a client LAN access through the tunnel. The network the machines run on is IPv4, while the network carried inside the tunnel is IPv6. The topology built here is roughly as in the diagram below,

LAN 1 ---------- HOST A ---------------- HOST B -------------- LAN 2
                 ovpn server             ovpn client
2002::/64        2345::1/64              2345::2/64            2003::/64

HOST A OpenVPN Server

OS   : Ubuntu 18.04
IP   : 192.168.0.239/24
IP   : 2345::1/64
LAN1 : 2002::/64

HOST B OpenVPN Client

OS   : Ubuntu 18.04
IP   : 2345::2/64
LAN2 : 2003::/64

Additional OpenVPN Server Configuration

Enable IPv4 & IPv6 forwarding,

vi /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

sysctl -p 

Set the server IP addresses

ifconfig enp0s3 192.168.0.105 netmask 255.255.255.0
ifconfig enp0s8 10.10.10.1 netmask 255.255.255.0
ip addr add 2002::1/64 dev enp0s8

Additions to /etc/openvpn/server.conf

ifconfig 10.8.0.1 255.255.255.0
# IPv4 tunnel pool; the server side takes 10.8.0.1
server 10.8.0.0 255.255.255.0
tun-ipv6
# IPv6 tunnel pool; the server side takes 2345::1
server-ipv6 2345::/64
push tun-ipv6
# kernel route for LAN2 into tun0, paired with iroute-ipv6 in the client's ccd file
route-ipv6 2003::/64
# per-client files live in /etc/openvpn/client
client-config-dir client

Add a file named “client” inside the /etc/openvpn/client directory; the file name “client” depends on the name of the client.ovpn file used by the user. Fill that file with:

# force a static IP on the client to simplify routing
ifconfig-push 10.8.0.2 255.255.255.0
# force routing towards the upstream
push "route 10.10.10.0 255.255.255.0"
# internal routing towards the client LAN
iroute 10.10.20.0 255.255.255.0
#
# set the client's IPv6 interface
ifconfig-ipv6-push 2345::2 2345::1
# push the routing table
push "route-ipv6 2000::/3"
# set internal routing to the client LAN; must match server.conf
iroute-ipv6 2003::/64
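The ccd comment says iroute-ipv6 must match server.conf: the route-ipv6 directive in server.conf is the kernel route that sends the subnet into tun0, while iroute-ipv6 tells OpenVPN which client owns it, and the same pairing applies to the IPv4 iroute, which needs a route directive. The POSIX shell check below is added here and is not part of the original page; it compares constructed copies of the two files above and, on the page's values, reports that route 10.10.20.0 255.255.255.0 is absent from server.conf.

```shell
#!/bin/sh
# Constructed copies of the server.conf additions and the ccd file "client" shown above.
SERVER_CONF='server 10.8.0.0 255.255.255.0
tun-ipv6
server-ipv6 2345::/64
route-ipv6 2003::/64
client-config-dir client'

CCD_CLIENT='ifconfig-push 10.8.0.2 255.255.255.0
push "route 10.10.10.0 255.255.255.0"
iroute 10.10.20.0 255.255.255.0
ifconfig-ipv6-push 2345::2 2345::1
push "route-ipv6 2000::/3"
iroute-ipv6 2003::/64'

# missing_routes SERVER_CONF CCD -> prints, one per line, the route/route-ipv6 directives
# that SERVER_CONF lacks for the iroute/iroute-ipv6 entries found in CCD
missing_routes() {
  printf '%s\n' "$2" | awk '$1 ~ /^iroute(-ipv6)?$/ { print $1, $2, $3 }' |
  while read -r kind net mask; do
    case "$kind" in
      iroute)      want="route $net $mask" ;;
      iroute-ipv6) want="route-ipv6 $net" ;;
    esac
    # -x: the whole line must match, so "route 10.10.20.0 ..." is not satisfied by "route-ipv6 ..."
    printf '%s\n' "$1" | grep -qx "$want" || echo "$want"
  done
}

# check_ccd SERVER_CONF CCD -> 0 if every iroute has its kernel route in server.conf, 1 otherwise
check_ccd() {
  missing=$(missing_routes "$1" "$2")
  if [ -z "$missing" ]; then
    echo "ccd file and server.conf are consistent"
    return 0
  fi
  printf '%s\n' "$missing" | sed 's/^/missing in server.conf: /'
  return 1
}

# On the page's values this prints: missing in server.conf: route 10.10.20.0 255.255.255.0
check_ccd "$SERVER_CONF" "$CCD_CLIENT" || :
```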

Client LAN Gateway Configuration

Enable IPv4 & IPv6 forwarding,

vi /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv4.conf.all.forwarding=1
net.ipv6.conf.all.forwarding=1
net.ipv6.conf.default.forwarding=1

sysctl -p 

LAN gateway interface configuration

ifconfig enp0s3 192.168.0.107 netmask 255.255.255.0
ifconfig enp0s8 10.10.20.1 netmask 255.255.255.0
ip addr add 2003::1/64 dev enp0s8

To hand out IPv6 addresses to clients on the LAN, radvd can be used. Edit /etc/radvd.conf:

# file: /etc/radvd.conf
interface enp0s8
{ 
  AdvSendAdvert on; 
  prefix 2003::/64 
  {
    AdvOnLink on;
    AdvAutonomous on;
  }; 
};

Install & restart radvd

apt install radvd
/etc/init.d/radvd restart

Connect OpenVPN

openvpn --config client.ovpn

You will see

Mon Mar 11 04:38:29 2019 ROUTE_GATEWAY 192.168.0.223/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:c5:c4:7a
Mon Mar 11 04:38:29 2019 GDG6: remote_host_ipv6=n/a
Mon Mar 11 04:38:29 2019 ROUTE6_GATEWAY fe80::1 IFACE=enp0s3
Mon Mar 11 04:38:29 2019 TUN/TAP device tun0 opened
Mon Mar 11 04:38:29 2019 TUN/TAP TX queue length set to 100
Mon Mar 11 04:38:29 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Mon Mar 11 04:38:29 2019 /sbin/ip link set dev tun0 up mtu 1500
Mon Mar 11 04:38:29 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Mon Mar 11 04:38:29 2019 /sbin/ip -6 addr add 2345::1000/64 dev tun0
Mon Mar 11 04:38:29 2019 /sbin/ip route add 192.168.0.105/32 dev enp0s3
Mon Mar 11 04:38:29 2019 /sbin/ip route add 0.0.0.0/1 via 10.8.0.1
Mon Mar 11 04:38:29 2019 /sbin/ip route add 128.0.0.0/1 via 10.8.0.1
Mon Mar 11 04:38:29 2019 add_route_ipv6(2000::/3 -> 2345::1 metric -1) dev tun0
Mon Mar 11 04:38:29 2019 /sbin/ip -6 route add 2000::/3 dev tun0
Mon Mar 11 04:38:29 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 11 04:38:29 2019 Initialization Sequence Completed

Note the IPv4 and IPv6 settings that OpenVPN applies here. They are visible in ifconfig, where an additional tun0 interface appears

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.2  netmask 255.255.255.0  destination 10.8.0.2
        inet6 fe80::519f:30a1:8afb:d64b  prefixlen 64  scopeid 0x20<link>
        inet6 2345::1000  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1  bytes 76 (76.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 380 (380.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

There is NO additional configuration in client.ovpn. Make sure the interface setup is CORRECT. Make sure the routing setup is CORRECT.

ip route show
ip -6 route show
route -n
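One way to check that the routing and interface setup is correct is to compare what OpenVPN actually configured, as recorded in the client log above, with what the ccd file "client" pushes. The POSIX shell check below is added here and is not part of the original page; the sample log lines are copied from the output above and embedded as constructed input. In that output tun0 received 2345::1000 rather than the 2345::2 from ifconfig-ipv6-push, which the check flags.

```shell
#!/bin/sh
# Constructed input: the address/route lines from the OpenVPN client log above.
SAMPLE_LOG='Mon Mar 11 04:38:29 2019 /sbin/ip addr add dev tun0 10.8.0.2/24 broadcast 10.8.0.255
Mon Mar 11 04:38:29 2019 /sbin/ip -6 addr add 2345::1000/64 dev tun0
Mon Mar 11 04:38:29 2019 /sbin/ip -6 route add 2000::/3 dev tun0'

# Values the ccd file "client" on the server pushes to this client.
EXPECTED_V4=10.8.0.2
EXPECTED_V6=2345::2

# tun_addr LOG FAMILY(4|6) -> prints the tun0 address OpenVPN configured, without prefix length
tun_addr() {
  case "$2" in
    4) printf '%s\n' "$1" | sed -n 's#.*/sbin/ip addr add dev tun0 \([0-9.]*\)/.*#\1#p' ;;
    6) printf '%s\n' "$1" | sed -n 's#.*/sbin/ip -6 addr add \([0-9a-fA-F:]*\)/.*#\1#p' ;;
  esac
}

# has_route6 LOG PREFIX -> 0 if OpenVPN installed an IPv6 route for PREFIX over tun0
has_route6() {
  printf '%s\n' "$1" | grep -q "/sbin/ip -6 route add $2 dev tun0"
}

# check_push LOG FAMILY EXPECTED -> 0 if tun0 received the pushed address, 1 otherwise
check_push() {
  got=$(tun_addr "$1" "$2")
  if [ "$got" = "$3" ]; then
    echo "IPv$2: tun0 has $got, as pushed by the ccd file"
    return 0
  fi
  echo "IPv$2: tun0 has '${got:-nothing}' but the ccd file pushes $3 (ccd file not applied?)"
  return 1
}

# On the sample: IPv4 matches, IPv6 does not (log shows 2345::1000, ccd pushes 2345::2).
check_push "$SAMPLE_LOG" 4 "$EXPECTED_V4" || :
check_push "$SAMPLE_LOG" 6 "$EXPECTED_V6" || :
has_route6 "$SAMPLE_LOG" 2000::/3 && echo "IPv6: route 2000::/3 over tun0 present"
```

On a live client the same functions can be fed the real log, e.g. from `openvpn --config client.ovpn --log /var/log/openvpn-client.log`.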

Additional notes on firewall or NAT at the LAN gateway

It is better not to install a firewall if we want to open all clients wide to the Internet. But for those who are worried, it is a good idea to use a firewall to be safer. An example configuration is as follows,

ip6tables -P FORWARD DROP
ip6tables -A FORWARD -s 2003::/64 -d ::/0 -m comment --comment "allow outgoing" -j ACCEPT
ip6tables -A FORWARD -m state --state RELATED,ESTABLISHED -m comment --comment "Accept established" -j ACCEPT
ip6tables -A INPUT -i enp0s8 -j ACCEPT
#
# allow specific access to one internal host (a /128, so the rule matches that host only
# and not the whole 2003::/64 LAN prefix)
ip6tables -A FORWARD -d 2003::c01d/128 -m comment --comment "A/C" -j ACCEPT

# Allow traffic initiated from VPN to access LAN
ip6tables -I FORWARD -i tun0 -o enp0s8 -m conntrack --ctstate NEW -j ACCEPT
# Allow traffic initiated from LAN to access "the world"
ip6tables -I FORWARD -i enp0s8 -o tun0 -m conntrack --ctstate NEW -j ACCEPT
# Allow established traffic to pass back and forth
ip6tables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

If the firewall also fails, it seems we will be stuck with NAT

ip6tables -t nat -A POSTROUTING -s 2003::/64 -o tun0 -j MASQUERADE

LAN 1 Client Configuration

The LAN1 client configuration is quite simple,

  • the IPv6 address is adjusted to the allocation in LAN1
  • routing is adjusted to the existing routing; we need to add a route towards LAN2 via the OpenVPN gateway.

Example

# /64 keeps the gateway 2002::1 on-link so the route below can be installed
ip addr add 2002::1000/64 dev enp0s3
ip route add 2003::/64 via 2002::1

LAN 2 Client Configuration

The LAN2 client configuration is quite simple,

  • the IPv6 address is adjusted to the allocation in LAN2
  • the IPv6 address can be assigned automatically, because the client LAN gateway runs a radvd server.
  • routing is adjusted to the existing routing; we need to add a route towards LAN1 via the OpenVPN gateway.

Example

# /64 keeps the gateway 2003::1 on-link; the route goes via the LAN gateway, not directly on the device
ip addr add 2003::1000/64 dev enp0s3
ip route add 2000::/3 via 2003::1










