Difference between revisions of "Mikrotik: OpenVPN - Site to Site"

From OnnoWiki
Revision as of 05:19, 11 January 2021

Source: https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/


MIKROTIK: SETUP A SITE-TO-SITE OPENVPN CONNECTION

Networking, Security / June 15, 2017 / By Marthur

In this example, we will be using two MikroTik RB951G-2HnD routers running RouterOS v6.34.3 on firmware v3.24, each using a different subnet. In addition, the OpenVPN tunnel uses a different subnet as well, which means that between the two MikroTik routers and the OpenVPN tunnel we have three different subnets. The OpenVPN local and remote IP addresses represent the respective gateway address for each end of the tunnel between MikroTik A (Server) and MikroTik B (Client). These are static IP addresses. For example, MikroTik A's OpenVPN gateway IP address is 192.168.200.254 and MikroTik B's OpenVPN gateway IP address is 192.168.200.10. The OpenVPN local and remote IP addresses are configured in the PPP profile, which we will get to later.

We will need to create the certificates on MikroTik A (Server). For simplicity (I hope), I've added the MikroTik terminal commands needed to create the certificates. Note that these commands include placeholders that will need to be changed to suit your network environment. The variables/placeholders are enclosed in percent (%) symbols. The following placeholders will need to be changed:

%MikroTik Identity%
%Client Name%
%MikroTik Local IP%
%Passphrase%

MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT

CREATE THE CERTIFICATES

/certificate add name=ca-template common-name=CA-%MikroTik Identity% key-usage=key-cert-sign,crl-sign
/certificate add name=server-template common-name=SERVER
/certificate add name=client-%Client Name%-template common-name=client-%Client Name%

SIGN THE CERTIFICATES

/certificate sign ca-template ca-crl-host=%MikroTik Local IP% name=CA-%MikroTik Identity%
/certificate sign ca=CA-%MikroTik Identity% server-template name=SERVER
/certificate sign ca=CA-%MikroTik Identity% client-%Client Name%-template name=client-%Client Name%

ENABLE “TRUSTED” FOR THE CERTIFICATE AUTHORITY AND SERVER ONLY

/certificate set CA-%MikroTik Identity% trusted=yes
/certificate set SERVER trusted=yes

The Certificates window should now look similar to this screenshot.

EXPORT THE CERTIFICATES

/certificate export-certificate CA-%MikroTik Identity%
/certificate export-certificate client-%Client Name% export-passphrase=%Passphrase%

The File List window should now contain the exported certificates. Copy/move the exported certificates from MikroTik A (Server) to MikroTik B (Client).

MIKROTIK B (CLIENT): CERTIFICATE SETUP & IMPORT

IMPORT THE CERTIFICATES

/certificate import file-name=cert_export_CA-%MikroTik Identity%.crt passphrase=""
/certificate import file-name=cert_export_client-%Client Name%.crt passphrase=%Passphrase%
/certificate import file-name=cert_export_client-%Client Name%.key passphrase=%Passphrase%

The Certificates window should now look similar to this screenshot.

MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION

CREATE A PPP PROFILE (MODIFY COMMAND AS NEEDED)

/ppp profile add name=openvpn local-address=192.168.200.254 remote-address=192.168.200.10 change-tcp-mss=yes use-compression=no use-encryption=required

OR Navigate to PPP > Profiles and create a new PPP Profile (modify settings as needed):


In the screenshot above, don't forget to check the Protocols tab. Under the Protocols tab, the options "Use Compression" and "Use Encryption" can be set. These two options are already set in the command, but cannot be seen in the screenshot. In addition, take note of the Local and Remote IP addresses (192.168.200.254 and 192.168.200.10): these two addresses define the static IP assigned to each end of the VPN tunnel. These IP addresses can be set to anything you want as long as they don't fall within any of the existing subnets currently in use at either site.

CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)

/ppp secret add name=NewYork password=NyTx325 profile=openvpn service=ovpn

OR Navigate to PPP > Secrets and create a new PPP Secret (modify settings as needed):


CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED):

/interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes

OR Navigate to PPP > Interface, click on the OVPN Server button and configure the OVPN Server (modify settings as needed):


CREATE A ROUTE (MODIFY COMMAND AS NEEDED):

/ip route add dst-address=192.168.88.0/24 gateway=192.168.200.10

OR Navigate to IP > Routes and create a new Route (modify settings as needed):


MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION

CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):

/ip firewall filter add chain=input dst-port=1194 protocol=tcp
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.88.0/24 place-before=0

MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION

CREATE AN OVPN CLIENT (MODIFY COMMAND AS NEEDED)

/interface ovpn-client add certificate=cert_export_client-NewYork.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork

OR Navigate to PPP > Interface, create a new OVPN Client:


MIKROTIK B (CLIENT): OPENVPN ROUTES CONFIGURATION

CREATE A ROUTE (MODIFY COMMAND AS NEEDED):

/ip route add dst-address=192.168.100.0/24 gateway=192.168.200.254

OR Navigate to IP > Routes and create a new Route (modify settings as needed):


MIKROTIK B (CLIENT): OPENVPN FIREWALL/NAT CONFIGURATION

CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):

/ip firewall filter add chain=input dst-port=1194 protocol=tcp
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0
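The PPP profile section above requires that the tunnel addresses not fall inside either site's LAN, and the route and NAT-bypass commands on both routers are derived from the same three subnets. The following Python script is an added example (not part of the original article or of RouterOS) that checks an addressing plan for that overlap and then derives the per-router route and NAT-bypass commands from it; the plan dictionary and its key names are assumptions, filled with the article's own addresses.

```python
import ipaddress

# Constructed addressing plan using the article's addresses (key names are assumed).
PLAN = {
    "site_a_lan": "192.168.100.0/24",   # LAN behind MikroTik A (Server)
    "site_b_lan": "192.168.88.0/24",    # LAN behind MikroTik B (Client)
    "tunnel_local": "192.168.200.254",  # PPP profile local-address (A's tunnel end)
    "tunnel_remote": "192.168.200.10",  # PPP profile remote-address (B's tunnel end)
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lan_a = ipaddress.ip_network(plan["site_a_lan"])
    lan_b = ipaddress.ip_network(plan["site_b_lan"])
    local = ipaddress.ip_address(plan["tunnel_local"])
    remote = ipaddress.ip_address(plan["tunnel_remote"])
    if lan_a.overlaps(lan_b):
        problems.append(f"site LANs overlap: {lan_a} and {lan_b}")
    # A tunnel endpoint inside a site LAN would shadow that LAN's routing.
    for name, addr in (("tunnel_local", local), ("tunnel_remote", remote)):
        for lan in (lan_a, lan_b):
            if addr in lan:
                problems.append(f"{name} {addr} falls inside site LAN {lan}")
    if local == remote:
        problems.append("tunnel endpoints must be different addresses")
    return problems


def routeros_commands(plan):
    """Derive each router's route and NAT-bypass lines from the plan.

    The NAT rule carries no explicit action; RouterOS defaults it to accept,
    which is what lets site-to-site traffic skip the masquerade rule below it.
    """
    lan_a, lan_b = plan["site_a_lan"], plan["site_b_lan"]
    local, remote = plan["tunnel_local"], plan["tunnel_remote"]
    return {
        "A": [  # MikroTik A reaches B's LAN via B's tunnel address
            f"/ip route add dst-address={lan_b} gateway={remote}",
            f"/ip firewall nat add chain=srcnat src-address={lan_a} dst-address={lan_b} place-before=0",
        ],
        "B": [  # MikroTik B reaches A's LAN via A's tunnel address
            f"/ip route add dst-address={lan_a} gateway={local}",
            f"/ip firewall nat add chain=srcnat src-address={lan_b} dst-address={lan_a} place-before=0",
        ],
    }
```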



References