Build Your Own VPN with OpenVPN

By | August 2, 2024

Build Your Own VPN with OpenVPN – if you have a VPS, you can of course use it as a VPN server, and it is easy to do. VPN stands for "Virtual Private Network". A VPN is a service that lets users access the internet through a secure, encrypted connection, as if they were connected to a private network. With a VPN, the user's real IP address is hidden and replaced with the IP address of the VPN server, so online activity is harder to trace.

We will use OpenVPN running on a VPS (you buy the VPS yourself); it is cheap, billed monthly, with the price depending on the specification. OpenVPN is open-source software that implements Virtual Private Network (VPN) techniques to create a secure, encrypted connection between two points. OpenVPN is widely used because of its flexibility, its security, and its ability to run on many platforms.

Follow the steps below. After logging in via SSH, open a terminal and run:

sudo su
apt-get update
curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
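
The commands above fetch the installer from the master branch and it is then run as root, so whatever is on that branch at download time is what executes. The sketch below is an added example, not part of the original post or of the openvpn-install project: it pins the download to a commit you have reviewed and checks the SHA-256 before installing the script. The function names and the placeholder values are assumptions.

```shell
#!/bin/sh
# Added example: fetch the installer from a reviewed commit, not a moving branch,
# and refuse to install it unless its SHA-256 matches the value you recorded.

# Print the raw URL for a full 40-hex commit id; reject branch names such as "master".
pinned_url() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$' || return 1
    printf 'https://raw.githubusercontent.com/angristan/openvpn-install/%s/openvpn-install.sh\n' "$1"
}

# install_if_verified SRC EXPECTED_SHA256 DEST
# Exit status: 0 installed, 1 digest mismatch, 2 bad arguments.
install_if_verified() (
    src=$1 dest=$3
    # Accept upper- or lower-case hex for the expected digest.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$src" ] || { echo "no such file: $src" >&2; exit 2; }
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "expected digest must be 64 hex characters" >&2; exit 2; }
    actual=$(sha256sum "$src" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: got $actual" >&2
        exit 1
    fi
    install -m 0700 "$src" "$dest"   # owner-only, executable
)

# fetch_pinned_installer COMMIT EXPECTED_SHA256 DEST  (needs network access)
fetch_pinned_installer() (
    url=$(pinned_url "$1") || { echo "pin a full commit id, not a branch" >&2; exit 2; }
    tmp=$(mktemp) || exit 2
    trap 'rm -f "$tmp"' EXIT
    curl -fsSLo "$tmp" "$url" || exit 2
    install_if_verified "$tmp" "$2" "$3"
)

# Usage with placeholders (record both values when you review the script):
#   fetch_pinned_installer <REVIEWED_COMMIT_SHA> <SHA256_OF_REVIEWED_SCRIPT> /root/openvpn-install.sh
```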

Here is what the installation looks like:

(base) root@upbeat-turing:/home/bejo# curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 40923  100 40923    0     0  77248      0 --:--:-- --:--:-- --:--:-- 77359
(base) root@upbeat-turing:/home/bejo# ls
openvpn-install.sh 
(base) root@upbeat-turing:/home/bejo# bash openvpn-install.sh 
Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install

I need to ask you a few questions before starting the setup.
You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.
IP address: xxx.xx.xx.225

Checking for IPv6 connectivity...

Your host appears to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: y

What port do you want OpenVPN to listen to?
   1) Default: 1194
   2) Custom
   3) Random [49152-65535]
Port choice [1-3]: 1

What protocol do you want OpenVPN to use?
UDP is faster. Unless it is not available, you shouldn't use TCP.
   1) UDP
   2) TCP
Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?
   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Anycast: worldwide)
   12) NextDNS (Anycast: worldwide)
   13) Custom
DNS [1-12]: 11

Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
Enable compression? [y/n]: n

Do you want to customize encryption settings?
Unless you know what you're doing, you should stick with the default parameters provided by the script.
Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.
Press any key to continue...
Hit:1 http://autoinstall.plesk.com/pool/WPB_18.0.55_74 all InRelease
Err:1 http://autoinstall.plesk.com/pool/WPB_18.0.55_74 all InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BD11A6AA914BDF7E
Hit:2 http://de.archive.ubuntu.com/ubuntu jammy InRelease
Get:3 http://de.archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Hit:4 http://de.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:5 http://de.archive.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Fetched 257 kB in 3s (85.2 kB/s)   
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://autoinstall.plesk.com/pool/WPB_18.0.55_74 all InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BD11A6AA914BDF7E
W: Failed to fetch http://autoinstall.plesk.com/pool/WPB_18.0.55_74/dists/all/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY BD11A6AA914BDF7E
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
gnupg is already the newest version (2.2.27-3ubuntu2.1).
gnupg set to manually installed.
The following packages were automatically installed and are no longer required:
  libruby3.0 rake ruby ruby-net-telnet ruby-rubygems ruby-webrick ruby-xmlrpc ruby3.0 rubygems-integration
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  ca-certificates
1 upgraded, 0 newly installed, 0 to remove and 246 not upgraded.
Need to get 155 kB of archives.
After this operation, 15.4 kB of additional disk space will be used.
Get:1 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 ca-certificates all 20230311ubuntu0.22.04.1 [155 kB]
Fetched 155 kB in 1s (105 kB/s)           
Preconfiguring packages ...
(Reading database ... 166337 files and directories currently installed.)
Preparing to unpack .../ca-certificates_20230311ubuntu0.22.04.1_all.deb ...
Unpacking ca-certificates (20230311ubuntu0.22.04.1) over (20211016) ...
Setting up ca-certificates (20230311ubuntu0.22.04.1) ...
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
19 added, 9 removed; done.
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for ca-certificates (20230311ubuntu0.22.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.
Scanning processes...                                                                                                                                                             
Scanning candidates...                                                                                                                                                            
Scanning linux images...                                                                                                                                                          

Running kernel seems to be up-to-date.

Restarting services...
 systemctl restart test3.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
ca-certificates is already the newest version (20230311ubuntu0.22.04.1).
curl is already the newest version (7.81.0-1ubuntu1.16).
The following packages were automatically installed and are no longer required:
  libruby3.0 rake ruby ruby-net-telnet ruby-rubygems ruby-webrick ruby-xmlrpc ruby3.0 rubygems-integration
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  libip4tc2 libip6tc2 libpkcs11-helper1 libxtables12
Suggested packages:
  firewalld resolvconf openvpn-systemd-resolved easy-rsa
The following NEW packages will be installed:
  libpkcs11-helper1 openvpn
The following packages will be upgraded:
  iptables libip4tc2 libip6tc2 libxtables12 openssl wget
6 upgraded, 2 newly installed, 0 to remove and 240 not upgraded.
Need to get 2720 kB of archives.
After this operation, 1774 kB of additional disk space will be used.
Get:1 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 iptables amd64 1.8.7-1ubuntu5.2 [455 kB]
Get:2 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libxtables12 amd64 1.8.7-1ubuntu5.2 [31.3 kB]
Get:3 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libip6tc2 amd64 1.8.7-1ubuntu5.2 [20.3 kB]
Get:4 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libip4tc2 amd64 1.8.7-1ubuntu5.2 [19.9 kB]
Get:5 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 openssl amd64 3.0.2-0ubuntu1.17 [1186 kB]
Get:6 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 wget amd64 1.21.2-2ubuntu1.1 [339 kB]
Get:7 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpkcs11-helper1 amd64 1.28-1ubuntu0.22.04.1 [50.3 kB]
Get:8 http://de.archive.ubuntu.com/ubuntu jammy-updates/main amd64 openvpn amd64 2.5.9-0ubuntu0.22.04.3 [618 kB]
Fetched 2720 kB in 7s (394 kB/s)                                                                                                                                                 
Preconfiguring packages ...
(Reading database ... 166347 files and directories currently installed.)
Preparing to unpack .../0-iptables_1.8.7-1ubuntu5.2_amd64.deb ...
Unpacking iptables (1.8.7-1ubuntu5.2) over (1.8.7-1ubuntu5) ...
Preparing to unpack .../1-libxtables12_1.8.7-1ubuntu5.2_amd64.deb ...
Unpacking libxtables12:amd64 (1.8.7-1ubuntu5.2) over (1.8.7-1ubuntu5) ...
Preparing to unpack .../2-libip6tc2_1.8.7-1ubuntu5.2_amd64.deb ...
Unpacking libip6tc2:amd64 (1.8.7-1ubuntu5.2) over (1.8.7-1ubuntu5) ...
Preparing to unpack .../3-libip4tc2_1.8.7-1ubuntu5.2_amd64.deb ...
Unpacking libip4tc2:amd64 (1.8.7-1ubuntu5.2) over (1.8.7-1ubuntu5) ...
Preparing to unpack .../4-openssl_3.0.2-0ubuntu1.17_amd64.deb ...
Unpacking openssl (3.0.2-0ubuntu1.17) over (3.0.2-0ubuntu1.6) ...
Preparing to unpack .../5-wget_1.21.2-2ubuntu1.1_amd64.deb ...
Unpacking wget (1.21.2-2ubuntu1.1) over (1.21.2-2ubuntu1) ...
Selecting previously unselected package libpkcs11-helper1:amd64.
Preparing to unpack .../6-libpkcs11-helper1_1.28-1ubuntu0.22.04.1_amd64.deb ...
Unpacking libpkcs11-helper1:amd64 (1.28-1ubuntu0.22.04.1) ...
Selecting previously unselected package openvpn.
Preparing to unpack .../7-openvpn_2.5.9-0ubuntu0.22.04.3_amd64.deb ...
Unpacking openvpn (2.5.9-0ubuntu0.22.04.3) ...
Setting up libip4tc2:amd64 (1.8.7-1ubuntu5.2) ...
Setting up wget (1.21.2-2ubuntu1.1) ...
Setting up libip6tc2:amd64 (1.8.7-1ubuntu5.2) ...
Setting up libpkcs11-helper1:amd64 (1.28-1ubuntu0.22.04.1) ...
Setting up libxtables12:amd64 (1.8.7-1ubuntu5.2) ...
Setting up openssl (3.0.2-0ubuntu1.17) ...
Setting up openvpn (2.5.9-0ubuntu0.22.04.3) ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn.service → /lib/systemd/system/openvpn.service.
Setting up iptables (1.8.7-1ubuntu5.2) ...
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for install-info (6.8-4build1) ...
Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
Scanning processes...                                                                                                                                                             
Scanning candidates...                                                                                                                                                            
Scanning linux images...                                                                                                                                                          

Running kernel seems to be up-to-date.

Restarting services...
 /etc/needrestart/restart.d/systemd-manager
 systemctl restart systemd-journald.service systemd-networkd.service systemd-timesyncd.service
Service restarts being deferred:
 systemctl restart systemd-logind.service
 systemctl restart user@0.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
--2024-08-02 11:01:04--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
Resolving github.com (github.com)... 20.205.243.166
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240802%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240802T040104Z&X-Amz-Expires=300&X-Amz-Signature=eed6333c5baeed7ae4f0911c7fde2c317165cf6f383fbb4086cc078f58d90fb0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [following]
--2024-08-02 11:01:04--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240802%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240802T040104Z&X-Amz-Expires=300&X-Amz-Signature=eed6333c5baeed7ae4f0911c7fde2c317165cf6f383fbb4086cc078f58d90fb0&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=4519663&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68984 (67K) [application/octet-stream]
Saving to: ‘/root/easy-rsa.tgz’

/root/easy-rsa.tgz                           100%[============================================================================================>]  67.37K  --.-KB/s    in 0.03s   

2024-08-02 11:01:06 (2.44 MB/s) - ‘/root/easy-rsa.tgz’ saved [68984/68984]


Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /etc/openvpn/easy-rsa/pki

* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>

* Using x509-types directory: /etc/openvpn/easy-rsa/x509-types


* Using SSL: openssl OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
Using configuration from /etc/openvpn/easy-rsa/pki/891aa396/temp.27c723aa
-----

Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/etc/openvpn/easy-rsa/pki/ca.crt

* Using SSL: openssl OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/server_2c6S9bzHQ4u9V91P.req
key: /etc/openvpn/easy-rsa/pki/private/server_2c6S9bzHQ4u9V91P.key
Using configuration from /etc/openvpn/easy-rsa/pki/91c2cb6b/temp.912edec5
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'server_xxxxxxxxxx'
Certificate is to be certified until Jul 31 04:01:07 2034 GMT (3650 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/server_2c6S9bzHQ4u9V91P.crt

Notice
------
Inline file created:
* /etc/openvpn/easy-rsa/pki/inline/server_2c6S9bzHQ4u9V91P.inline

* Using SSL: openssl OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
Using configuration from /etc/openvpn/easy-rsa/pki/b6c6343a/temp.3dc4673a

Notice
------
An updated CRL has been created.
CRL file: /etc/openvpn/easy-rsa/pki/crl.pem

2024-08-02 11:01:07 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
* Applying /etc/sysctl.d/10-console-messages.conf ...
kernel.printk = 4 4 1 7
* Applying /etc/sysctl.d/10-ipv6-privacy.conf ...
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
* Applying /etc/sysctl.d/10-kernel-hardening.conf ...
kernel.kptr_restrict = 1
* Applying /etc/sysctl.d/10-magic-sysrq.conf ...
kernel.sysrq = 176
* Applying /etc/sysctl.d/10-network-security.conf ...
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2
* Applying /etc/sysctl.d/10-ptrace.conf ...
kernel.yama.ptrace_scope = 1
* Applying /etc/sysctl.d/10-zeropage.conf ...
vm.mmap_min_addr = 65536
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.default.accept_source_route = 0
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Invalid argument
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
kernel.pid_max = 4194304
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
fs.protected_fifos = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_symlinks = 1
* Applying /etc/sysctl.d/99-sysctl.conf ...
* Applying /etc/sysctl.conf ...
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn@server.service → /etc/systemd/system/openvpn@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service → /etc/systemd/system/iptables-openvpn.service.

Tell me a name for the client.
The name must consist of alphanumeric character. It may also include an underscore or a dash.
Client name: pamungkas

Do you want to protect the configuration file with a password?
(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client
Select an option [1-2]: 1

* Using SSL: openssl OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)

* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
-----

Notice
------
Keypair and certificate request completed. Your files are:
req: /etc/openvpn/easy-rsa/pki/reqs/pamungkas.req
key: /etc/openvpn/easy-rsa/pki/private/pamungkas.key
Using configuration from /etc/openvpn/easy-rsa/pki/8422412a/temp.15f24829
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'pamungkas'
Certificate is to be certified until Jul 31 04:01:57 2034 GMT (3650 days)

Write out database with 1 new entries
Database updated

Notice
------
Certificate created at:
* /etc/openvpn/easy-rsa/pki/issued/pamungkas.crt

Notice
------
Inline file created:
* /etc/openvpn/easy-rsa/pki/inline/pamungkas.inline
Client pamungkas added.

The configuration file has been written to /root/pamungkas.ovpn.
Download the .ovpn file and import it in your OpenVPN client.

Next, we download the file /root/pamungkas.ovpn.


Download the OpenVPN application at https://openvpn.net/client-connect-vpn-for-mac-os/, then import the file into OpenVPN.
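
The installer answers shown earlier chose no compression and a passwordless client, so /root/pamungkas.ovpn carries a private key with no passphrase. As an added example (not part of the original post or of the installer), the script below checks a profile for those points, for server-certificate checking and for loose file permissions before you import it. The function names, finding labels and sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client profile before importing it.
# Prints one line per finding; exit status 0 = clean, 1 = findings, 2 = unreadable.
# Usage: audit_ovpn /root/pamungkas.ovpn
audit_ovpn() (
    f=$1
    findings=0
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; exit 2; }
    flag() { echo "$1"; findings=$((findings + 1)); }

    # Drop comment lines (# or ;) so commented-out directives are ignored.
    body=$(sed -e '/^[[:space:]]*[#;]/d' "$f")

    # 1. Compression enabled (the installer prompt warns about VORACLE).
    if printf '%s\n' "$body" | grep -Eq \
        -e '^[[:space:]]*comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*$' \
        -e '^[[:space:]]*compress[[:space:]]+(lzo|lz4|lz4-v2)[[:space:]]*$'; then
        flag "COMPRESSION: profile enables compression"
    fi

    # 2. The client must check that the peer presents a server certificate.
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' ||
        flag "NO_SERVER_CERT_CHECK: 'remote-cert-tls server' is missing"

    # 3. Inline private key stored without a passphrase (installer option 1).
    if printf '%s\n' "$body" | grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' &&
       ! printf '%s\n' "$body" | grep -q 'Proc-Type: 4,ENCRYPTED'; then
        flag "PLAINTEXT_KEY: private key is not passphrase-protected"
    fi

    # 4. File readable or writable by group or others.
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \
                                 -o -perm -020 -o -perm -002 \) -print)" ]; then
        flag "LOOSE_PERMS: run chmod 600 on the profile"
    fi

    [ "$findings" -eq 0 ]
)

# Constructed sample profile (no real key material, not the installer's output).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
proto udp
remote 203.0.113.10 1194
dev tun
remote-cert-tls server
;comp-lzo
<key>
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY
-----END PRIVATE KEY-----
</key>
EOF
}
```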

Here is the IP address before using the VPN

and after the VPN

At the very least, running your own VPN is better in that your information will not be stored by a free VPN provider.

ref: https://www.latcoding.com/2023/08/12/membuat-vpn-sendiri-di-vps/