Difference between revisions of "Mikrotik: OpenVPN - Server ke PC"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "Sumber: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/ Having OpenVPN server on your router is a nifty feature. However, as often with Mirotik, not all is...")
 
 
(52 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
Sumber: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/
 
Sumber: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/
  
 +
Asumsi kita membuat sambungan OpenVPN dengan Server di balik Mikrotik sebagai berikut,
  
Having OpenVPN server on your router is a nifty feature. However, as often with Mirotik, not all is straight forward.
+
[[File:Openvpn-mikrotik.png|center|600px|thumb]]
  
This guide is going to assume you are to enter commands into the New Terminal window from WinBox. That way I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.
 
  
Prerequisite for any VPN server is to get certificates sorted. For OpenVPN we need main Certificate Authority, server, and client certificate. Yes, strictly speaking, client certificate is optional but let’s not skimp on security.
+
==Setup Router Mikrotik Biasa==
  
First we create all the certificate templates (10 years validity) we’ll need:
+
/ip dhcp-client print
 +
/ip dhcp-client add interface=ether1 disable=no
 +
/interface bridge
 +
add name=bridge1
 +
/interface bridge port
 +
add bridge=bridge1 interface=ether2
 +
add bridge=bridge1 interface=ether3
 +
add bridge=bridge1 interface=ether4
 +
add bridge=bridge1 interface=ether5
 +
add bridge=bridge1 interface=ether6
 +
add bridge=bridge1 interface=ether7
 +
add bridge=bridge1 interface=ether8
 +
/ip address add interface=bridge1 address=192.168.100.1/24
 +
/ip route add gateway=bridge1
 +
/ip dns set servers=1.1.1.1
 +
/ip dns set allow-remote-request=yes
 +
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
 +
/ip firewall nat print
  
/certificate
+
/ip dhcp-server setup
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
 
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
 
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
 
For the purpose of OpenVPN server common name can be really anything. However, some other VPNs are not as forgiving (yes SSTP, I am looking at you) so it might be best to have either your external IP or host name as the common-name text. Any yes, if you have dynamic IP and you are not using your own domain, you can put *.dyndns.org there – no worries.
 
  
Created certificates will need signing:
+
==Certificate==
  
/certificate
+
===Certificate Generate===
sign ca-template name=ca-certificate
 
sign server-template name=server-certificate ca=ca-certificate
 
sign client-template name=client-certificate ca=ca-certificate
 
Depending on your router’s speed, that sign command might time-out – nothing to worry about – just wait for CPU to drop below 100%. Or alternatively check name of certificate – template part will disappear once signing is completed.
 
  
With this we need to export a few files:
+
/certificate
 +
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
 +
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
 +
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
 +
add name=client1-template common-name=client1.example.com days-valid=3650 key-size=2048 key-usage=tls-client
  
/certificate
 
export-certificate ca-certificate export-passphrase=""
 
export-certificate client-certificate export-passphrase=12345678
 
This should give you three files: cert_export_ca-certificate.crt, cert_export_client-certificate.crt, and cert_export_client-certificate.key. After copying this on computer for later I like to rename them to ca.crt, client.crt, and client.key respectively.
 
  
Next we need a separate pool of IP addresses for clients. I will assume you have your clients in some other network (e.g. 192.168.1.x) and this new network is just for VPN:
+
===Certificate Sign===
  
/ip
+
'''SATU PER SATU''', jangan COPAS Sekaligus. Proses signing akan membutuhkan waktu, harap sabar.
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99
 
Instead of editing the default encrypted profile, we can create a new one. Assumption is your Mikrotik will also be a DNS server. And while at it, you can create a bit more imaginative user/password:
 
  
/ppp
+
/certificate
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
+
sign ca-template name=ca-certificate
secret add name=user profile=vpn-profile password=password
+
sign server-template name=server-certificate ca=ca-certificate
Finally, we can enable OpenVPN server interface:
+
sign client-template name=client-certificate ca=ca-certificate
 +
sign client1-template name=client1-certificate ca=ca-certificate
  
/interface ovpn-server server
+
===Certificate Trust===
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
 
Now finally we can copy both ca.crt and client.crt to C:\Program Files\OpenVPN\config\ directory alongside client.ovpn.
 
  
You don’t have client.ovpn? Well, one is in sample-config directory and we just need to change/add highlighted items:
+
/certificate
 +
set ca-certificate trusted=yes
 +
set server-certificate trusted=yes
  
client
+
===Certificate Export===
dev tun
 
proto tcp
 
remote example.com 1194
 
resolv-retry infinite
 
nobind
 
persist-key
 
persist-tun
 
ca ca.crt
 
cert client.crt
 
key client.key
 
remote-cert-tls server
 
cipher AES-128-CBC
 
auth SHA1
 
auth-user-pass
 
redirect-gateway def1
 
verb 3
 
A bit annoying step is being asked for the private key passphrase (in the addition to username/password). Mikrotik doesn’t allow export without it but fortunately we can use OpenSSL to change that:
 
  
> openssl.exe rsa -in client.key -out client.key
+
/certificate
Enter pass phrase for client.key: 12345678
+
export-certificate ca-certificate export-passphrase=""
writing RSA key
+
export-certificate client-certificate export-passphrase=123456789
With this, your VPN connection should work like a charm.
+
export-certificate client1-certificate export-passphrase=123456789
  
PS: Do not forget to adjust firewall if necessary (TCP port 1194).
+
Cek bahwa sudah di generate menggunakan
  
/ip firewall filter
+
/file print
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
 
PPS: Do check SSTP guide too.
 
  
[2017-01-26: Adjusted certificate creation to work on RouterOS 6.38 and later]
+
==OpenVPN Server di Mikrotik==
[2017-01-26: Changed key size to 2048 (instead of 4096) so it doesn’t take ages to generate certificates. :)]
 
[2017-02-25: Changed example to use AES-128 for lower CPU usage on router.]
 
  
  
 +
===OpenVPN Pool Address===
 +
 +
/ip
 +
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99
 +
 +
===OpenVPN user===
 +
 +
/ppp
 +
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
 +
secret add name=user profile=vpn-profile password=123456
 +
secret add name=user1 profile=vpn-profile password=123456
 +
secret add name=user2 profile=vpn-profile password=123456
 +
secret add name=onno profile=vpn-profile password=123456
 +
 +
===OpenVPN Enable===
 +
 +
/interface ovpn-server server
 +
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
 +
 +
 +
==Set Firewall Mikrotik==
 +
 +
Jika dibutuhkan kita bisa buka access port 1194
 +
 +
/ip firewall filter
 +
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
 +
 +
atau
 +
 +
/ip firewall filter
 +
add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN"
 +
 +
==PC Kali Linux==
 +
 +
===Download crt & key===
 +
 +
cd /etc/openvpn/client
 +
 +
ftp 192.168.0.219    # IP OpenVPN Mikrotik
 +
username admin
 +
password
 +
mget *
 +
quit
 +
 +
===Edit client.ovpn===
 +
 +
cd /etc/openvpn/client
 +
vi client.ovpn
 +
 +
client
 +
dev tun
 +
proto tcp
 +
# remote (IP Mikrotik OpenVPN) 1194
 +
remote 192.168.0.219 1194
 +
resolv-retry infinite
 +
nobind
 +
persist-key
 +
persist-tun
 +
ca /etc/openvpn/client/cert_export_ca-certificate.crt
 +
cert /etc/openvpn/client/cert_export_client-certificate.crt
 +
key /etc/openvpn/client/cert_export_client-certificate.key
 +
remote-cert-tls server
 +
cipher AES-256-CBC
 +
auth SHA1
 +
auth-user-pass
 +
route 192.168.100.0 255.255.255.0    # Paksakan routing di belakang Mikrotik
 +
 +
===PC Run OpenVPN===
 +
 +
cd /etc/openvpn/client
 +
sudo openvpn --config client.ovpn
 +
 +
Enter Auth Username: user
 +
Enter Auth Password: 123456
 +
Enter Private Key Password: 123456789
 +
 +
===Interface tun tambahan===
 +
 +
Di CLI Kali Linux, ketik
 +
 +
ifconfig
 +
 +
Jika OpenVPN Berhasil di aktifkan, akan muncul
 +
 +
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
 +
        inet 192.168.8.99  netmask 255.255.255.0  destination 192.168.8.99
 +
        inet6 fe80::959a:7bd0:a3f3:3cc6  prefixlen 64  scopeid 0x20<link>
 +
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
 +
        RX packets 0  bytes 0 (0.0 B)
 +
        RX errors 0  dropped 0  overruns 0  frame 0
 +
        TX packets 22  bytes 2384 (2.3 KiB)
 +
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 +
 +
 +
===Tambahkan Routing ke LAN di Belakang Mikrotik===
 +
 +
route add -net 192.168.100.0/24 gw 192.168.8.250 dev tun0
 +
 +
==PC Client==
 +
 +
===PC Download File===
 +
 +
Bisa di download ke PC / client menggunakan ftp, file yang dibutuhkan adalah
 +
 +
cert_export_ca-certificate.crt
 +
cert_export_client-certificate.crt
 +
cert_export_client-certificate.key
 +
 +
Nantinya bisa di rename menjadi
 +
 +
ca.crt, client.crt, & client.key
 +
 +
 +
dengan ftp
 +
 +
cd /etc/openvpn/client
 +
ftp 192.168.88.198
 +
username admin
 +
password
 +
 +
mget *
 +
quit
 +
 +
 +
cd /etc/openvpn/client
 +
mv cert_export_ca-certificate.crt ca.crt
 +
mv cert_export_client1-certificate.crt client1.crt
 +
mv cert_export_client1-certificate.key client1.key
 +
mv cert_export_client-certificate.crt client.crt
 +
mv cert_export_client-certificate.key client.key
 +
 +
 +
===PC Buat Konfigurasi ovpn===
 +
 +
Buat client.ovpn
 +
 +
cd /etc/openvpn/client/
 +
sudo vi client.ovpn
 +
 +
client
 +
dev tun
 +
proto tcp
 +
# remote (IP OpenVPN Mikrotik) 1194
 +
remote 192.168.0.219 1194
 +
resolv-retry infinite
 +
nobind
 +
persist-key
 +
persist-tun
 +
ca ca.crt
 +
cert client.crt
 +
key client.key
 +
remote-cert-tls server
 +
cipher AES-128-CBC
 +
auth SHA1
 +
auth-user-pass
 +
# redirect-gateway def1
 +
 +
===PC Run OpenVPN===
 +
 +
cd /etc/openvpn/client
 +
sudo openvpn --config client.ovpn
 +
 +
Enter Auth Username: user
 +
Enter Auth Password: password
 +
Enter Private Key Password: 12345678
 +
 +
 +
===PC Cek===
 +
 +
Pastikan ada interface tun
 +
 +
ifconfig
 +
 +
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
 +
        inet 192.168.8.99  netmask 255.255.255.0  destination 192.168.8.99
 +
        inet6 fe80::76b3:bffd:1b3a:b9ea  prefixlen 64  scopeid 0x20<link>
 +
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
 +
        RX packets 1275  bytes 1208481 (1.2 MB)
 +
        RX errors 0  dropped 0  overruns 0  frame 0
 +
        TX packets 1328  bytes 148649 (148.6 KB)
 +
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 +
 +
Pastikan ada routing
 +
 +
netstat -nr
 +
 +
192.168.8.0    0.0.0.0        255.255.255.0  U        0 0          0 tun0
 +
 +
 +
 +
 +
 +
==Ubah client.key==
 +
 +
Langkah yang sedikit mengganggu adalah meminta kata private key password (selain username/password). Mikrotik tidak mengizinkan export key tanpa itu tapi untungnya kita bisa menggunakan OpenSSL untuk mengubahnya:
 +
 +
openssl rsa -in client.key -out client.key
 +
 +
Enter pass phrase for cert_export_client1.key:
 +
writing RSA key
 +
 +
 +
Teknik ini bisa di coba2, tampaknya kita tetap harus memasukan username/password/private key password.
  
 
==Referensi==
 
==Referensi==
  
 
* https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/
 
* https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/

Latest revision as of 18:47, 5 December 2022

Sumber: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/

Asumsi kita membuat sambungan OpenVPN dengan Server di balik Mikrotik sebagai berikut,

Openvpn-mikrotik.png


Setup Router Mikrotik Biasa

/ip dhcp-client print
/ip dhcp-client add interface=ether1 disable=no
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip address add interface=bridge1 address=192.168.100.1/24
/ip route add gateway=bridge1
/ip dns set servers=1.1.1.1
/ip dns set allow-remote-request=yes
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat print
/ip dhcp-server setup

Certificate

Certificate Generate

/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
add name=client1-template common-name=client1.example.com days-valid=3650 key-size=2048 key-usage=tls-client


Certificate Sign

SATU PER SATU, jangan COPAS Sekaligus. Proses signing akan membutuhkan waktu, harap sabar.

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
sign client1-template name=client1-certificate ca=ca-certificate

Certificate Trust

/certificate
set ca-certificate trusted=yes
set server-certificate trusted=yes

Certificate Export

/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=123456789
export-certificate client1-certificate export-passphrase=123456789

Cek bahwa sudah di generate menggunakan

/file print

OpenVPN Server di Mikrotik

OpenVPN Pool Address

/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

OpenVPN user

/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
secret add name=user profile=vpn-profile password=123456
secret add name=user1 profile=vpn-profile password=123456
secret add name=user2 profile=vpn-profile password=123456
secret add name=onno profile=vpn-profile password=123456

OpenVPN Enable

/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes


Set Firewall Mikrotik

Jika dibutuhkan kita bisa buka access port 1194

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

atau

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN"

PC Kali Linux

Download crt & key

cd /etc/openvpn/client
ftp 192.168.0.219     # IP OpenVPN Mikrotik
username admin
password
mget *
quit

Edit client.ovpn

cd /etc/openvpn/client
vi client.ovpn
client
dev tun
proto tcp
# remote (IP Mikrotik OpenVPN) 1194
remote 192.168.0.219 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/client/cert_export_ca-certificate.crt
cert /etc/openvpn/client/cert_export_client-certificate.crt
key /etc/openvpn/client/cert_export_client-certificate.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
auth-user-pass
route 192.168.100.0 255.255.255.0    # Paksakan routing di belakang Mikrotik

PC Run OpenVPN

cd /etc/openvpn/client
sudo openvpn --config client.ovpn
Enter Auth Username: user
Enter Auth Password: 123456
Enter Private Key Password: 123456789

Interface tun tambahan

Di CLI Kali Linux, ketik

ifconfig

Jika OpenVPN Berhasil di aktifkan, akan muncul

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.8.99  netmask 255.255.255.0  destination 192.168.8.99
        inet6 fe80::959a:7bd0:a3f3:3cc6  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 22  bytes 2384 (2.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Tambahkan Routing ke LAN di Belakang Mikrotik

route add -net 192.168.100.0/24 gw 192.168.8.250 dev tun0

PC Client

PC Download File

Bisa di download ke PC / client menggunakan ftp, file yang dibutuhkan adalah

cert_export_ca-certificate.crt
cert_export_client-certificate.crt
cert_export_client-certificate.key

Nantinya bisa di rename menjadi

ca.crt, client.crt, & client.key


dengan ftp

cd /etc/openvpn/client
ftp 192.168.88.198
username admin
password 
mget *
quit


cd /etc/openvpn/client
mv cert_export_ca-certificate.crt ca.crt
mv cert_export_client1-certificate.crt client1.crt
mv cert_export_client1-certificate.key client1.key
mv cert_export_client-certificate.crt client.crt
mv cert_export_client-certificate.key client.key


PC Buat Konfigurasi ovpn

Buat client.ovpn

cd /etc/openvpn/client/
sudo vi client.ovpn
client
dev tun
proto tcp
# remote (IP OpenVPN Mikrotik) 1194
remote 192.168.0.219 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
# redirect-gateway def1

PC Run OpenVPN

cd /etc/openvpn/client
sudo openvpn --config client.ovpn
Enter Auth Username: user
Enter Auth Password: password
Enter Private Key Password: 12345678


PC Cek

Pastikan ada interface tun

ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 192.168.8.99  netmask 255.255.255.0  destination 192.168.8.99
        inet6 fe80::76b3:bffd:1b3a:b9ea  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 1275  bytes 1208481 (1.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1328  bytes 148649 (148.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Pastikan ada routing

netstat -nr
192.168.8.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0



Ubah client.key

Langkah yang sedikit mengganggu adalah meminta kata private key password (selain username/password). Mikrotik tidak mengizinkan export key tanpa itu tapi untungnya kita bisa menggunakan OpenSSL untuk mengubahnya:

openssl rsa -in client.key -out client.key
Enter pass phrase for cert_export_client1.key:
writing RSA key


Teknik ini bisa di coba2, tampaknya kita tetap harus memasukan username/password/private key password.

Referensi