Difference between revisions of "Mikrotik: Certificate Generate"
Jump to navigation
Jump to search
Print
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| (13 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| + | |||
| + | |||
| + | |||
==Make certificate templates== | ==Make certificate templates== | ||
| Line 16: | Line 19: | ||
/certificate | /certificate | ||
# sign ca-template ca-crl-host=192.168.88.198 name=myCa | # sign ca-template ca-crl-host=192.168.88.198 name=myCa | ||
| − | sign ca-template ca-crl-host=192.168.0. | + | sign ca-template ca-crl-host=192.168.0.219 name=myCa |
sign server-template ca=myCa name=server | sign server-template ca=myCa name=server | ||
sign client1-template ca=myCa name=client1 | sign client1-template ca=myCa name=client1 | ||
| Line 36: | Line 39: | ||
/certificate export-certificate client1 export-passphrase=123456789 | /certificate export-certificate client1 export-passphrase=123456789 | ||
/certificate export-certificate client2 export-passphrase=123456789 | /certificate export-certificate client2 export-passphrase=123456789 | ||
| + | |||
| + | ===Client Linux - Downloat crt & key=== | ||
FTP untuk download file crt & key. Dari Linux Client | FTP untuk download file crt & key. Dari Linux Client | ||
| Line 55: | Line 60: | ||
2 K I client1 client1 26233de30e89b203b946ab... | 2 K I client1 client1 26233de30e89b203b946ab... | ||
3 K I client2 client2 cf172b62201befaf8d8966... | 3 K I client2 client2 cf172b62201befaf8d8966... | ||
| + | |||
| + | |||
| + | ==Client Kali Linux== | ||
| + | |||
| + | cd /etc/openvpn/client/ | ||
| + | |||
| + | ftp (IP Mikrotik OpenVPN - 192.168.0.219) | ||
| + | username admin | ||
| + | password | ||
| + | mget * | ||
| + | quit | ||
| + | |||
| + | Edit auth.conf | ||
| + | |||
| + | vi /etc/openvpn/client/auth.conf | ||
| + | |||
| + | line 1 username | ||
| + | line 2 password | ||
| + | client1 | ||
| + | 123456789 | ||
| + | |||
| + | Edit client1.ovpn | ||
| + | |||
| + | client | ||
| + | ca cert_export_myCa.crt | ||
| + | cert cert_export_client1.crt | ||
| + | key cert_export_client1.key | ||
| + | auth-user-pass auth.conf | ||
| + | dev tun1 | ||
| + | proto tcp-client | ||
| + | tls-client | ||
| + | # remote (IP Public OpenVPN Mikrotik) 1194 | ||
| + | remote 192.168.0.219 1194 | ||
| + | resolv-retry infinite | ||
| + | nobind | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | cipher BF-CBC # Blowfish (default) | ||
| + | auth SHA1 | ||
| + | verb 4 | ||
| + | keepalive 10 15 | ||
| + | |||
| + | ==Client UBUNTU== | ||
| + | |||
| + | Referensi: | ||
| + | * https://labkom.co.id/mikrotik/membuat-openvpn-di-mikrotik-dengan-client-windows | ||
| + | * https://gryzli.info/2014/10/05/mikrotik-configuring-openvpn-server-linux-client/ | ||
| + | |||
| + | vi auth.conf | ||
| + | |||
| + | |||
| + | |||
| + | vi client1.ovpn | ||
| + | |||
| + | dev tun | ||
| + | proto tcp-client | ||
| + | remote (IP Public OpenVPN Mikrotik) 1194 | ||
| + | ca cert_export_myCa.crt | ||
| + | cert cert_export_client1.crt | ||
| + | key cert_export_client1.key | ||
| + | tls-client | ||
| + | port 1194 | ||
| + | persist-tun | ||
| + | persist-key | ||
| + | mute-replay-warnings | ||
| + | verb 3 | ||
| + | cipher AES-256-CBC | ||
| + | auth SHA1 | ||
| + | pull | ||
| + | # auth-user-pass 123456789 | ||
| + | # route 172.17.0.1 255.255.255.0 172.31.31.1 | ||
| + | |||
| + | |||
| + | Contoh lain, | ||
| + | |||
| + | client | ||
| + | ca cert_export_myCa.crt | ||
| + | cert cert_export_client1.crt | ||
| + | key cert_export_client1.key | ||
| + | auth-user-pass 123456789 | ||
| + | dev tun1 | ||
| + | proto tcp-client | ||
| + | tls-client | ||
| + | remote (IP Public OpenVPN Mikrotik) 1194 | ||
| + | resolv-retry infinite | ||
| + | nobind | ||
| + | persist-key | ||
| + | persist-tun | ||
| + | cipher BF-CBC # Blowfish (default) | ||
| + | auth SHA1 | ||
| + | verb 4 | ||
| + | keepalive 10 15 | ||
Latest revision as of 05:17, 5 December 2022
Make certificate templates
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign add name=server-template common-name=server add name=client1-template common-name=client1 add name=client2-template common-name=client2
Sign certificates and add CRL url
Kita menggunakan IP public Mikrotik sebagai CRL URL. Proses ini butuh waktu, harus dilakukan satu per satu; jangan sekaligus.
/certificate # sign ca-template ca-crl-host=192.168.88.198 name=myCa sign ca-template ca-crl-host=192.168.0.219 name=myCa sign server-template ca=myCa name=server sign client1-template ca=myCa name=client1 sign client2-template ca=myCa name=client2
Trust Certificate
/certificate set myCa trusted=yes set server trusted=yes
Export Certificate
Export client certificates with keys and CA certificate:
/certificate export-certificate myCa # /certificate export-certificate client1 export-passphrase=xxxxxxxx # /certificate export-certificate client2 export-passphrase=xxxxxxxx /certificate export-certificate client1 export-passphrase=123456789 /certificate export-certificate client2 export-passphrase=123456789
Client Linux - Downloat crt & key
FTP untuk download file crt & key. Dari Linux Client
ftp ip-mikrotik username admin
mget * quit
[admin@pe0] /certificate> print Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted # NAME COMMON-NAME FINGERPRINT 0 K L A T myCa myCa 7fa636e6576495fe78f1a4... 1 K I T server server cf0650a291bf4685f2fbd3... 2 K I client1 client1 26233de30e89b203b946ab... 3 K I client2 client2 cf172b62201befaf8d8966...
Client Kali Linux
cd /etc/openvpn/client/ ftp (IP Mikrotik OpenVPN - 192.168.0.219) username admin password mget * quit
Edit auth.conf
vi /etc/openvpn/client/auth.conf
line 1 username line 2 password client1 123456789
Edit client1.ovpn
client ca cert_export_myCa.crt cert cert_export_client1.crt key cert_export_client1.key auth-user-pass auth.conf dev tun1 proto tcp-client tls-client # remote (IP Public OpenVPN Mikrotik) 1194 remote 192.168.0.219 1194 resolv-retry infinite nobind persist-key persist-tun cipher BF-CBC # Blowfish (default) auth SHA1 verb 4 keepalive 10 15
Client UBUNTU
Referensi:
- https://labkom.co.id/mikrotik/membuat-openvpn-di-mikrotik-dengan-client-windows
- https://gryzli.info/2014/10/05/mikrotik-configuring-openvpn-server-linux-client/
vi auth.conf
vi client1.ovpn
dev tun proto tcp-client remote (IP Public OpenVPN Mikrotik) 1194 ca cert_export_myCa.crt cert cert_export_client1.crt key cert_export_client1.key tls-client port 1194 persist-tun persist-key mute-replay-warnings verb 3 cipher AES-256-CBC auth SHA1 pull # auth-user-pass 123456789 # route 172.17.0.1 255.255.255.0 172.31.31.1
Contoh lain,
client ca cert_export_myCa.crt cert cert_export_client1.crt key cert_export_client1.key auth-user-pass 123456789 dev tun1 proto tcp-client tls-client remote (IP Public OpenVPN Mikrotik) 1194 resolv-retry infinite nobind persist-key persist-tun cipher BF-CBC # Blowfish (default) auth SHA1 verb 4 keepalive 10 15