Kurusetra Computer (www.kurusetra.web.id)
Linux VPN MPLS
Budi Santosa, ST
Table of Contents

  OpenVPN
    VPN Server Configuration
    Static IP Client Configuration
    Linux VPN Client Configuration
  OpenVPN GUI for MS Windows XP/Vista
    MS Windows Client Configuration
  BGP Routing
    External BGP
    Internal BGP
  MPLS Virtual WAN
    Virtual Wide Area Networking
    BGP Inside OpenVPN
    Complete Virtual WAN Topology
    Virtual WAN Configuration
    Surabaya Office PC Router
    Madiun Office PC Router
OpenVPN
VPN Server Configuration

Install OpenVPN and an SSH server, then build the PKI with the easy-rsa scripts shipped in the OpenVPN documentation directory:

    apt-get install openvpn openssh-server
    cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
    vim vars
        export KEY_COUNTRY=ID
        export KEY_PROVINCE=JT
        export KEY_CITY=MAGETAN
        export KEY_ORG="Kurusetra Computer"
        export KEY_EMAIL="linux.multimedia@gmail.com"
    source ./vars
    ./clean-all
    ./build-ca
    ./build-key-server server
    ./build-key client1
    ./build-key client2
    ./build-key client3
    ./build-key client4
    ./build-dh

build-dh honours KEY_SIZE from vars; 1024 bits was the sample default when this was written, and 2048 bits is the minimum worth generating today.

Copy only what the server needs into /etc/openvpn/. The CA private key (keys/ca.key) is not one of them: it signs every certificate the server will trust, so keep it off the VPN server, preferably on a machine that is not reachable over the tunnel at all.

    cp keys/ca.crt keys/server.crt keys/server.key keys/dh1024.pem /etc/openvpn/
    cd /usr/share/doc/openvpn/examples/sample-config-files/
    cp server.conf.gz /etc/openvpn/
    cd /etc/openvpn/
    gunzip server.conf.gz
    vim server.conf
        port 1194
        proto udp
        dev tap
        ca ca.crt
        cert server.crt
        key server.key
        dh dh1024.pem
        server 10.8.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        client-to-client
        keepalive 10 120
        comp-lzo
        persist-key
        persist-tun
        status openvpn-status.log
        verb 3

Each client needs its own certificate and key plus the CA certificate. It does not need dh1024.pem (the DH parameters are only used on the server side) and must never receive ca.key, so copy the files by name rather than with wildcards:

    cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
    scp client1.crt client1.key ca.crt root@ipclient1:/etc/openvpn/
Static IP Client Configuration

Add client-config-dir to the server configuration, then create one file per client. The file name must be the common name (CN) of that client's certificate, which is how OpenVPN matches the file to the connecting client:

    vim /etc/openvpn/server.conf
        client-config-dir /etc/openvpn/ccd
    mkdir /etc/openvpn/ccd
    vim /etc/openvpn/ccd/client1        (file name = certificate CN)
        ifconfig-push 10.8.0.21 255.255.255.0
    /etc/init.d/openvpn restart

Linux VPN Client Configuration

    apt-get install openvpn openssh-server
    cd /usr/share/doc/openvpn/examples/sample-config-files/
    cp client.conf /etc/openvpn/
    cd /etc/openvpn
    vim client.conf
        client
        dev tap
        proto udp
        remote IP_VPN_SERVER 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        cert client1.crt
        key client1.key
        comp-lzo
        verb 3

The dev line must be the same on both ends: the server above uses dev tap, and a client configured with dev tun will be rejected during the options check when it connects.
OpenVPN GUI for MS Windows XP/Vista

MS Windows Client Configuration

1. Download OpenVPN GUI from http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
2. Install OpenVPN GUI. When Windows warns about the (unsigned) TAP driver during installation, choose Continue Anyway.
3. Open the OpenVPN "Sample Configuration Files" folder and copy client.ovpn into the OpenVPN configuration file directory, together with the client's certificate and key files.
4. After copying, the configuration directory looks like the screenshot in the original document (not reproduced here).
5. Edit client.ovpn and adjust the parameters and certificate file names:

        client
        dev tap
        proto udp
        remote 148.6.64.1 1194
        ca ca.crt
        cert magetan.crt
        key magetan.key

6. Right-click the OpenVPN icon in the notification area at the bottom right of the Windows taskbar and choose Connect.
BGP Routing

External BGP

Router A (IP: 10.8.1.1)

    hostname router_a
    router bgp 65000
     bgp router-id 10.8.1.1
     network 192.168.1.0/24
     network 10.8.1.0/24
     ! Router D
     neighbor 10.8.1.100 remote-as 65002
     ! Router C
     neighbor 10.8.1.101 remote-as 65001
     ! Router B (iBGP)
     neighbor 192.168.1.2 remote-as 65000

Router C (10.8.1.101)

    hostname router_c
    router bgp 65001
     bgp router-id 10.8.1.101
     network 192.168.6.0/24
     ! Router D
     neighbor 10.8.1.100 remote-as 65002
     ! Router A
     neighbor 10.8.1.1 remote-as 65000

Router D (10.8.1.100)

    hostname router_d
    router bgp 65002
     bgp router-id 10.8.1.100
     network 192.168.10.0/24
     ! Router C
     neighbor 10.8.1.101 remote-as 65001
     ! Router E (iBGP)
     neighbor 192.168.10.2 remote-as 65002
     ! Router A
     neighbor 10.8.1.1 remote-as 65000
Internal BGP

Router B (192.168.1.2)

    hostname router_b
    router bgp 65000
     bgp router-id 192.168.1.2
     network 192.168.1.0/24
     network 192.168.3.0/24
     ! Router A
     neighbor 192.168.1.1 remote-as 65000

Router E (192.168.10.2)

    hostname router_e
    router bgp 65002
     bgp router-id 192.168.10.2
     network 192.168.10.0/24
     network 192.168.9.0/24
     ! Router D
     neighbor 192.168.10.1 remote-as 65002

Router F (192.168.10.3)

    hostname router_f
    router bgp 65002
     bgp router-id 192.168.10.3
     network 192.168.10.0/24
     network 192.168.9.0/24
     ! Router D
     neighbor 192.168.10.1 remote-as 65002

Two things to check before loading these. Router D has no neighbor statement for Router F (192.168.10.3), so F's session towards D never gets past Active. And a BGP speaker does not re-advertise routes learned from one iBGP peer to another iBGP peer, so with D, E and F all in AS 65002 either E and F must also peer with each other (a full mesh) or D must be made a route reflector, with neighbor ... route-reflector-client for E and F.
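Before loading the six configurations above it is worth checking them mechanically rather than by eye. The following is an added example, not code from the original document or from Quagga: it encodes the Router A to F configs as constructed strings (the interface addresses of each router are taken from the neighbour comments, e.g. B reaches A at 192.168.1.1 and E/F reach D at 192.168.10.1), then reports remote-as mismatches, one-sided neighbor statements and missing iBGP sessions. On this topology it flags exactly the missing D-F and E-F sessions discussed above.

```python
"""Check a BGP peering plan for consistency: remote-as must equal the far
side's own AS, every neighbor line needs a reciprocal line on the far side,
and routers sharing an AS must be fully meshed (iBGP does not re-advertise
routes learned from another iBGP peer unless a route reflector is used)."""
import re
from collections import defaultdict

ROUTER_BGP = re.compile(r"^\s*router bgp\s+(\d+)", re.M)
NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+(\d+)")

# Constructed from the Router A-F configs above: (interface addresses, config).
ROUTERS = {
    "router_a": ({"10.8.1.1", "192.168.1.1"}, """
router bgp 65000
 neighbor 10.8.1.100 remote-as 65002
 neighbor 10.8.1.101 remote-as 65001
 neighbor 192.168.1.2 remote-as 65000
"""),
    "router_b": ({"192.168.1.2"}, """
router bgp 65000
 neighbor 192.168.1.1 remote-as 65000
"""),
    "router_c": ({"10.8.1.101"}, """
router bgp 65001
 neighbor 10.8.1.100 remote-as 65002
 neighbor 10.8.1.1 remote-as 65000
"""),
    "router_d": ({"10.8.1.100", "192.168.10.1"}, """
router bgp 65002
 neighbor 10.8.1.101 remote-as 65001
 neighbor 192.168.10.2 remote-as 65002
 neighbor 10.8.1.1 remote-as 65000
"""),
    "router_e": ({"192.168.10.2"}, """
router bgp 65002
 neighbor 192.168.10.1 remote-as 65002
"""),
    "router_f": ({"192.168.10.3"}, """
router bgp 65002
 neighbor 192.168.10.1 remote-as 65002
"""),
}


def parse_bgp(cfg):
    """Return (local AS, {neighbor ip: remote-as}) from a bgpd-style config."""
    asn = int(ROUTER_BGP.search(cfg).group(1))
    peers = {}
    for line in cfg.splitlines():
        m = NEIGHBOR.match(line)
        if m:
            peers[m.group(1)] = int(m.group(2))
    return asn, peers


def check_peering(routers):
    """Return a list of problems; an empty list means the plan is consistent."""
    parsed = {name: parse_bgp(cfg) for name, (_, cfg) in routers.items()}
    owner = {ip: name for name, (addrs, _) in routers.items() for ip in addrs}
    problems = []

    def has_session(a, b):
        # A session exists only if each side names one of the other's addresses.
        return (any(ip in routers[b][0] for ip in parsed[a][1])
                and any(ip in routers[a][0] for ip in parsed[b][1]))

    for name, (_, peers) in parsed.items():
        for ip, remote_as in peers.items():
            far = owner.get(ip)
            if far is None:
                problems.append(f"{name}: neighbor {ip} is not an address of any router")
                continue
            if remote_as != parsed[far][0]:
                problems.append(f"{name}: neighbor {ip} remote-as {remote_as}, "
                                f"but {far} runs AS {parsed[far][0]}")
            if not any(p in routers[name][0] for p in parsed[far][1]):
                problems.append(f"{name} -> {far}: {far} has no reciprocal neighbor statement")

    members = defaultdict(list)
    for name, (asn, _) in parsed.items():
        members[asn].append(name)
    for asn, names in members.items():
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if not has_session(a, b):
                    problems.append(f"AS {asn}: {a} and {b} have no iBGP session "
                                    "(full mesh or route reflector needed)")
    return problems


if __name__ == "__main__":
    for p in check_peering(ROUTERS):
        print(p)
```

Adding neighbor 192.168.10.3 to Router D and a direct E-F session makes check_peering return an empty list; the same check can be rerun against the 1001/1002/1003 configs of the Virtual WAN later in this document.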
MPLS Virtual WAN

Virtual Wide Area Networking

A Wide Area Network joins geographically separate sites (cities or regions) into a single computer network topology. This article covers a Virtual WAN (Virtual Wide Area Networking), whose purpose is to join the subnets of several regions, cities or company offices into one topology. The subnets being joined use private 192.168.0.0/16 (RFC 1918) addresses, which are not routable on the internet, so a Virtual WAN is intended for private (personal or corporate) use. Connectivity between the subnets resembles the internet or a WAN: users can share files between computers on different subnets, share printers and use applications across sites directly. The figure below (not reproduced here) shows the example topology of the Surabaya, Madiun and Ponorogo office subnets, which we will merge into one Virtual WAN topology using a combination of OpenVPN and the BGP routing protocol.
BGP Inside OpenVPN

The diagram below (not reproduced here) shows VPN tunnels (blue lines) carrying the BGP routing protocol that links the subnets. Each AS number (ASN) is connected to the others by a VPN tunnel, so the BGP routing traffic that crosses it is always encapsulated and encrypted; the routing exchange between subnets is protected in the same way as the user data.

    Madiun   = ASN 1003
    Ponorogo = ASN 1002
    Surabaya = ASN 1001

ASNs 1001 to 1003 lie in the publicly assigned range. For a private WAN that never peers with the internet, the private range 64512 to 65534 (as used in the External BGP section above) is the right choice, since it cannot collide with a real network's AS number.
Complete Virtual WAN Topology

The figure below (not reproduced here) shows the subnets joined according to the "BGP routing inside OpenVPN" diagram. Every Linux PC router runs OpenVPN and the Quagga routing daemon; only the Surabaya office router acts as the OpenVPN server, and it must have a static public IP. The Madiun and Ponorogo offices can use connections with dynamic IPs and act as VPN clients. Connection data for each PC router:

Surabaya office
    Internet connection : dedicated leased line, 512 kbps / 1 Mbps
    Public IP           : 122.200.52.41
    LAN subnet          : 192.168.0.0/24
    VPN IP              : 10.8.1.1
    ASN                 : 1001

Madiun office
    Internet connection : Telkom Speedy Unlimited
    Telkom Speedy IP    : 125.22.156.45 (dynamic)
    LAN subnet          : 192.168.10.0/24
    VPN IP              : 10.8.1.3
    ASN                 : 1003

Ponorogo office
    Internet connection : FastNet First Media
    FastNet IP          : 122.34.200.70 (dynamic)
    LAN subnet          : 192.168.1.0/24
    VPN IP              : 10.8.1.4
    ASN                 : 1002
Virtual WAN Configuration

Surabaya Office PC Router

vim /etc/openvpn/server.conf (OpenVPN server)

    dev tap
    ca ca.crt
    cert server.crt
    key server.key      # This file should be kept secret
    dh dh1024.pem
    server 10.8.1.0 255.255.255.0
    ifconfig-pool-persist ipp.txt
    client-to-client
    duplicate-cn
    keepalive 10 120
    persist-key
    persist-tun
    status openvpn-status.log
    verb 3

Two caveats on this server configuration. The bgpd neighbor statements below point at fixed tunnel addresses (10.8.1.3 for Madiun, 10.8.1.4 for Ponorogo), but ifconfig-pool-persist only records the address a client was last given, it does not guarantee it; pin each BGP peer with client-config-dir and ifconfig-push as in the Static IP Client section. And duplicate-cn allows any number of clients to connect with the same certificate; since ccd files are keyed by certificate CN, it also makes per-client addressing ambiguous. Give Madiun and Ponorogo their own certificates and leave duplicate-cn out.

vim /etc/quagga/daemons

    zebra=yes
    bgpd=yes
    ospfd=no
    ospf6d=no
    ripd=no
    ripngd=no
    isisd=no
vim /etc/quagga/debian.conf

    vtysh_enable=yes
    zebra_options=" --daemon -A 127.0.0.1"
    bgpd_options=" --daemon -A 127.0.0.1"
    ospfd_options=" --daemon"
    ospf6d_options=" --daemon -A ::1"
    ripd_options=" --daemon"
    ripngd_options=" --daemon -A ::1"
    isisd_options=" --daemon -A 127.0.0.1"

The -A 127.0.0.1 on zebra and bgpd binds their telnet vty (TCP 2601 and 2605) to localhost. Without it the vty, protected only by the passwords in bgpd.conf, is reachable from the LAN and from every VPN peer.

vim /etc/quagga/bgpd.conf

    hostname bgpd
    password zebra
    enable password ardelindo
    log stdout
    !
    router bgp 1001
     bgp router-id 10.8.1.1
     network 122.200.50.0/24
     network 192.168.0.0/24
     neighbor 10.8.1.3 remote-as 1003
     neighbor 10.8.1.4 remote-as 1002
    !
    line vty

"password zebra" is the well-known default from the Quagga sample configurations and should be changed along with the enable password; the vty binding above is what keeps both off the network.

#############################
## CONFIGURATION TEST
## SURABAYA OFFICE
#############################

    Router> show ip route
    Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
           I - ISIS, B - BGP, > - selected route, * - FIB route

    K>* 0.0.0.0/0 via 122.200.52.1, eth1
    C>* 10.8.1.0/24 is directly connected, tap0
    C>* 122.200.52.0/25 is directly connected, eth1
    C>* 127.0.0.0/8 is directly connected, lo
    C>* 192.168.0.0/24 is directly connected, eth3
    K>* 192.168.0.218/32 via 10.8.1.2, tap0
    B>* 192.168.1.0/24 [20/0] via 10.8.1.4, tap0, 03:29:27
    B>* 192.168.10.0/24 [20/0] via 10.8.1.3, tap0, 15:03:25

    bgpd> show ip bgp neighbors
    BGP neighbor is 10.8.1.3, remote AS 1003, local AS 1001, external link
      BGP version 4, remote router ID 10.8.1.3
      BGP state = Established, up for 15:05:21
      Last read 00:00:21, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                 10          2
        Notifications:          3          5
        Updates:               15          5
        Keepalives:          1521       1512
        Route Refresh:          0          0
        Capability:             0          0
        Total:               1549       1524
      Minimum time between advertisement runs is 30 seconds

     For address family: IPv4 Unicast
      Community attribute sent to this neighbor(both)
      1 accepted prefixes

      Connections established 5; dropped 3
      Last reset 1d00h58m, due to BGP Notification send
    Local host: 10.8.1.1, Local port: 179
    Foreign host: 10.8.1.3, Foreign port: 42912
    Nexthop: 10.8.1.1
    Nexthop global: fe80::2ff:79ff:fe7c:31a8
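The Surabaya server.conf and bgpd.conf above have to agree with each other and with the Static IP Client section: every bgpd neighbor is a fixed tunnel address, so the client that owns it must be pinned by an ifconfig-push in client-config-dir, and duplicate-cn undermines that. The following is an added Python lint, example code rather than anything from the original document, OpenVPN or Quagga. The config texts are constructed from the Surabaya listings; the ccd file names "madiun" and "ponorogo" are assumed certificate CNs, since the page does not name the client certificates for those offices.

```python
"""Lint an OpenVPN server.conf against the bgpd.conf that peers across it.

Each bgpd 'neighbor' is a fixed tunnel address, so the client holding that
address must be pinned by an ifconfig-push in client-config-dir; otherwise
ifconfig-pool-persist only remembers the last address handed out and the
BGP session may never come up. duplicate-cn defeats per-CN pinning and lets
one certificate open any number of sessions.
"""
import ipaddress
import re

SERVER = re.compile(r"^\s*server\s+(\S+)\s+(\S+)", re.M)
PUSH = re.compile(r"^\s*ifconfig-push\s+(\S+)\s+(\S+)", re.M)
NEIGHBOR = re.compile(r"^\s*neighbor\s+(\S+)\s+remote-as\s+\d+", re.M)


def directives(conf):
    """Set of directive names present in an OpenVPN config (comments skipped)."""
    names = set()
    for line in conf.splitlines():
        words = line.split()
        if words and not words[0].startswith(("#", ";")):
            names.add(words[0])
    return names


def lint(server_conf, ccd_files, bgpd_conf):
    """Return a list of findings. ccd_files maps certificate CN -> ccd file text."""
    findings = []
    m = SERVER.search(server_conf)
    if not m:
        return ["server.conf: no 'server' directive, cannot determine the tunnel subnet"]
    tunnel = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    server_ip = tunnel.network_address + 1  # OpenVPN takes the first host address itself
    opts = directives(server_conf)
    if "duplicate-cn" in opts:
        findings.append("server.conf: duplicate-cn lets one client certificate open many "
                        "sessions and makes per-CN ccd pinning ambiguous; remove it")
    if ccd_files and "client-config-dir" not in opts:
        findings.append("server.conf: ccd files exist but client-config-dir is not set, "
                        "so their ifconfig-push lines are never applied")
    pinned = {}
    for cn, text in ccd_files.items():
        for ip, _mask in PUSH.findall(text):
            addr = ipaddress.ip_address(ip)
            if addr not in tunnel:
                findings.append(f"ccd/{cn}: ifconfig-push {ip} is outside the tunnel subnet {tunnel}")
            elif addr == server_ip:
                findings.append(f"ccd/{cn}: ifconfig-push {ip} collides with the server's own address")
            elif addr in pinned:
                findings.append(f"ccd/{cn}: {ip} is already pinned to {pinned[addr]}")
            else:
                pinned[addr] = cn
    for ip in NEIGHBOR.findall(bgpd_conf):
        addr = ipaddress.ip_address(ip)
        if addr in tunnel and addr not in pinned:
            findings.append(f"bgpd.conf: neighbor {ip} is a tunnel address that no ccd file "
                            "pins; the peer may come up on a different pool address")
    return findings


# Constructed inputs: the Surabaya server.conf as listed, and a corrected one.
SERVER_CONF_AS_LISTED = """\
dev tap
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn
keepalive 10 120
"""
SERVER_CONF_FIXED = """\
dev tap
server 10.8.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir /etc/openvpn/ccd
client-to-client
keepalive 10 120
"""
# Assumed certificate CNs for the two client routers.
CCD_FILES = {
    "madiun": "ifconfig-push 10.8.1.3 255.255.255.0\n",
    "ponorogo": "ifconfig-push 10.8.1.4 255.255.255.0\n",
}
BGPD_CONF = """\
router bgp 1001
 bgp router-id 10.8.1.1
 network 192.168.0.0/24
 neighbor 10.8.1.3 remote-as 1003
 neighbor 10.8.1.4 remote-as 1002
"""

if __name__ == "__main__":
    # With only Madiun pinned, the listed config yields three findings;
    # the corrected config with both ccd files yields none.
    for f in lint(SERVER_CONF_AS_LISTED, {"madiun": CCD_FILES["madiun"]}, BGPD_CONF):
        print(f)
    print("fixed:", lint(SERVER_CONF_FIXED, CCD_FILES, BGPD_CONF))
```

Run it from a cron job or a deploy hook on the server with the real /etc/openvpn/server.conf, the contents of /etc/openvpn/ccd and /etc/quagga/bgpd.conf, and treat any finding as a blocker before restarting bgpd.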
Madiun Office PC Router

#############################
## CONFIGURATION TEST
## MADIUN OFFICE
#############################

    Router> show ip route
    Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
           I - ISIS, B - BGP, > - selected route, * - FIB route

    K>* 0.0.0.0/0 via 192.168.1.1, eth1
    O   10.8.1.0/24 [110/10] is directly connected, tap0, 1d00h34m
    C>* 10.8.1.0/24 is directly connected, tap0
    B>* 122.200.50.0/24 [20/0] via 10.8.1.1, tap0, 14:29:07
    C>* 127.0.0.0/8 is directly connected, lo
    B>* 192.168.0.0/24 [20/0] via 10.8.1.1, tap0, 14:29:07
    B   192.168.1.0/24 [20/0] via 10.8.1.4, tap0, 02:54:53
    C>* 192.168.1.0/24 is directly connected, eth1
    O   192.168.10.0/24 [110/10] is directly connected, eth2, 1d00h34m
    C>* 192.168.10.0/24 is directly connected, eth2

Note the BGP entry for 192.168.1.0/24 (Ponorogo's LAN, learned via 10.8.1.4) has no >* marker: Madiun's own eth1, facing the Speedy modem, sits on the same 192.168.1.0/24, and a connected route always beats a BGP route. Madiun therefore cannot reach Ponorogo's LAN until one of the two subnets is renumbered; overlapping private ranges between sites are the most common reason a Virtual WAN like this "comes up" but does not pass traffic.

    bgpd> show ip bgp summary
    BGP router identifier 10.8.1.3, local AS number 1003
    RIB entries 7, using 448 bytes of memory
    Peers 1, using 2512 bytes of memory

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.8.1.1        4  1001    1484    1499        0    0    0 14:32:29        3

    Total number of neighbors 1

    bgpd> show ip bgp neighbors
    BGP neighbor is 10.8.1.1, remote AS 1001, local AS 1003, external link
      BGP version 4, remote router ID 10.8.1.1
      BGP state = Established, up for 14:33:09
      Last read 00:00:56, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                  7          3
        Notifications:          7          0
        Updates:                4         12
        Keepalives:          1482       1469
        Route Refresh:          0          0
        Capability:             0          0
        Total:               1500       1484
      Minimum time between advertisement runs is 30 seconds

     For address family: IPv4 Unicast
      Community attribute sent to this neighbor(both)
      3 accepted prefixes

      Connections established 4; dropped 0
      Last reset never
    Local host: 10.8.1.3, Local port: 42912
    Foreign host: 10.8.1.1, Foreign port: 179
    Nexthop: 10.8.1.3
    Nexthop global: fe80::2ff:9dff:fecd:a17b
    Nexthop local: ::
    BGP connection: non shared network
    Read thread: on  Write thread: off
The same summary taken again about half an hour later, showing the session still up and the counters advancing:

    bgpd> show ip bgp summary
    BGP router identifier 10.8.1.3, local AS number 1003
    RIB entries 7, using 448 bytes of memory
    Peers 1, using 2512 bytes of memory

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.8.1.1        4  1001    1519    1534        0    0    0 15:07:23        3

    Total number of neighbors 1