Difference between revisions of "Mikrotik: OpenVPN - Server ke PC"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 91: | Line 91: | ||
You don’t have client.ovpn? Well, one is in sample-config directory and we just need to change/add highlighted items: | You don’t have client.ovpn? Well, one is in sample-config directory and we just need to change/add highlighted items: | ||
| − | client | + | client |
| − | dev tun | + | dev tun |
| − | proto tcp | + | proto tcp |
| − | remote example.com 1194 | + | remote example.com 1194 |
| − | resolv-retry infinite | + | resolv-retry infinite |
| − | nobind | + | nobind |
| − | persist-key | + | persist-key |
| − | persist-tun | + | persist-tun |
| − | ca ca.crt | + | ca ca.crt |
| − | cert client.crt | + | cert client.crt |
| − | key client.key | + | key client.key |
| − | remote-cert-tls server | + | remote-cert-tls server |
| − | cipher AES-128-CBC | + | cipher AES-128-CBC |
| − | auth SHA1 | + | auth SHA1 |
| − | auth-user-pass | + | auth-user-pass |
| − | redirect-gateway def1 | + | redirect-gateway def1 |
Revision as of 10:46, 9 January 2021
Sumber: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/
Certificate Generate
/certificate add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client add name=client1-template common-name=client1.example.com days-valid=3650 key-size=2048 key-usage=tls-client
Certificate Sign
Proses signing akan membutuhkan waktu, harap sabar.
/certificate sign ca-template name=ca-certificate sign server-template name=server-certificate ca=ca-certificate sign client-template name=client-certificate ca=ca-certificate sign client1-template name=client1-certificate ca=ca-certificate
Certificate Trust
/certificate set ca-certificate trusted=yes set server-certificate trusted=yes
Certificate Export
/certificate export-certificate ca-certificate export-passphrase="" export-certificate client-certificate export-passphrase=12345678 export-certificate client1-certificate export-passphrase=12345678
Cek bahwa sudah di generate menggunakan
/file print
Di sisi Client
Bisa di download ke PC / client menggunakan ftp, file yang dibutuhkan adalah
cert_export_ca-certificate.crt cert_export_client-certificate.crt cert_export_client-certificate.key
Nantinya bisa di rename menjadi
ca.crt, client.crt, & client.key
dengan ftp
cd /etc/openvpn/client ftp 192.168.88.198 username admin password
mget * quit
cd /etc/openvpn/client mv cert_export_ca-certificate.crt ca.crt mv cert_export_client1-certificate.crt client1.crt mv cert_export_client1-certificate.key client1.key mv cert_export_client-certificate.crt client.crt mv cert_export_client-certificate.key client.key
respectively.
Next we need a separate pool of IP addresses for clients. I will assume you have your clients in some other network (e.g. 192.168.1.x) and this new network is just for VPN:
/ip pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99 Instead of editing the default encrypted profile, we can create a new one. Assumption is your Mikrotik will also be a DNS server. And while at it, you can create a bit more imaginative user/password:
/ppp profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool secret add name=user profile=vpn-profile password=password Finally, we can enable OpenVPN server interface:
/interface ovpn-server server set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes Now finally we can copy both ca.crt and client.crt to C:\Program Files\OpenVPN\config\ directory alongside client.ovpn.
You don’t have client.ovpn? Well, one is in sample-config directory and we just need to change/add highlighted items:
client dev tun proto tcp remote example.com 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert client.crt key client.key remote-cert-tls server cipher AES-128-CBC auth SHA1 auth-user-pass redirect-gateway def1
verb 3 A bit annoying step is being asked for the private key passphrase (in the addition to username/password). Mikrotik doesn’t allow export without it but fortunately we can use OpenSSL to change that:
> openssl.exe rsa -in client.key -out client.key Enter pass phrase for client.key: 12345678 writing RSA key With this, your VPN connection should work like a charm.
PS: Do not forget to adjust firewall if necessary (TCP port 1194).
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN" PPS: Do check SSTP guide too.
[2017-01-26: Adjusted certificate creation to work on RouterOS 6.38 and later] [2017-01-26: Changed key size to 2048 (instead of 4096) so it doesn’t take ages to generate certificates. :)] [2017-02-25: Changed example to use AES-128 for lower CPU usage on router.]