Difference between revisions of "Mikrotik: OpenVPN - Site to Site"
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
(16 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
− | + | MikroTik Identity HQ | |
− | + | Client Name Cabang | |
− | + | MikroTik Local IP 192.168.88.198 | |
− | + | Private Key 123456789 | |
==MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT== | ==MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT== | ||
+ | |||
+ | |||
+ | ===Setup Router Mikrotik Biasa=== | ||
+ | |||
+ | /ip dhcp-client print | ||
+ | /ip dhcp-client add interface=ether1 disable=no | ||
+ | /interface bridge | ||
+ | add name=bridge1 | ||
+ | /interface bridge port | ||
+ | add bridge=bridge1 interface=ether2 | ||
+ | add bridge=bridge1 interface=ether3 | ||
+ | add bridge=bridge1 interface=ether4 | ||
+ | add bridge=bridge1 interface=ether5 | ||
+ | add bridge=bridge1 interface=ether6 | ||
+ | add bridge=bridge1 interface=ether7 | ||
+ | add bridge=bridge1 interface=ether8 | ||
+ | /ip address add interface=bridge1 address=192.168.100.1/24 | ||
+ | /ip route add gateway=bridge1 | ||
+ | /ip dns set servers=1.1.1.1 | ||
+ | /ip dns set allow-remote-request=yes | ||
+ | /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade | ||
+ | /ip firewall nat print | ||
+ | |||
+ | /ip dhcp-server setup | ||
+ | |||
===CREATE THE CERTIFICATES=== | ===CREATE THE CERTIFICATES=== | ||
Line 18: | Line 43: | ||
===SIGN THE CERTIFICATES=== | ===SIGN THE CERTIFICATES=== | ||
− | Butuh waktu, jangan copy paste sekaligus. | + | '''SATU PER SATU''' Butuh waktu, jangan copy paste sekaligus. |
− | /certificate sign ca-template ca-crl-host=192.168. | + | /certificate sign ca-template ca-crl-host=192.168.3.73 name=CA-HQ # 192.168.3.73 IP address "public" WAN Mikrotik |
/certificate sign ca=CA-HQ server-template name=SERVER | /certificate sign ca=CA-HQ server-template name=SERVER | ||
/certificate sign ca=CA-HQ client-Cabang-template name=client-Cabang | /certificate sign ca=CA-HQ client-Cabang-template name=client-Cabang | ||
Line 28: | Line 53: | ||
/certificate set CA-HQ trusted=yes | /certificate set CA-HQ trusted=yes | ||
/certificate set SERVER trusted=yes | /certificate set SERVER trusted=yes | ||
− | |||
− | |||
===EXPORT THE CERTIFICATES=== | ===EXPORT THE CERTIFICATES=== | ||
Line 36: | Line 59: | ||
/certificate export-certificate client-Cabang export-passphrase=123456789 | /certificate export-certificate client-Cabang export-passphrase=123456789 | ||
+ | Ambil file menggunakan FTP ke Mikrotik SERVER | ||
+ | cert_export_CA-HQ.crt | ||
+ | cert_export_client-Cabang.key | ||
+ | cert_export_client-Cabang.crt | ||
− | MIKROTIK | + | ==MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION== |
− | |||
− | + | ===IMPORT THE CERTIFICATES=== | |
− | |||
− | |||
− | + | /ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required | |
− | + | ==CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)== | |
− | |||
− | |||
− | + | /ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn | |
− | + | ===CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED)=== | |
− | + | /interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes | |
− | + | ===CREATE A ROUTE (MODIFY COMMAND AS NEEDED)=== | |
− | + | /ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2 | |
+ | ==MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION== | ||
− | + | CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED): | |
− | /interface ovpn-server | + | /ip firewall filter add chain=input dst-port=1194 protocol=tcp |
+ | /ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.200.0/24 place-before=0 | ||
+ | |||
+ | |||
+ | ==Monitor== | ||
+ | |||
+ | /interface ovpn-server monitor 0 | ||
+ | |||
+ | ==MIKROTIK B (CLIENT): CERTIFICATE SETUP & IMPORT== | ||
+ | |||
+ | ===Setup Router Mikrotik Biasa=== | ||
+ | |||
+ | /ip dhcp-client print | ||
+ | /ip dhcp-client add interface=ether1 disable=no | ||
+ | /interface bridge | ||
+ | add name=bridge1 | ||
+ | /interface bridge port | ||
+ | add bridge=bridge1 interface=ether2 | ||
+ | add bridge=bridge1 interface=ether3 | ||
+ | add bridge=bridge1 interface=ether4 | ||
+ | add bridge=bridge1 interface=ether5 | ||
+ | add bridge=bridge1 interface=ether6 | ||
+ | add bridge=bridge1 interface=ether7 | ||
+ | add bridge=bridge1 interface=ether8 | ||
+ | /ip address add interface=bridge1 address=192.168.200.1/24 | ||
+ | /ip route add gateway=bridge1 | ||
+ | /ip dns set servers=1.1.1.1 | ||
+ | /ip dns set allow-remote-request=yes | ||
+ | /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade | ||
+ | /ip firewall nat print | ||
− | + | /ip dhcp-server setup | |
− | + | ===Download file menggunakan FTP=== | |
− | + | cert_export_CA-HQ.crt | |
+ | cert_export_client-Cabang.key | ||
+ | cert_export_client-Cabang.crt | ||
− | |||
+ | ===IMPORT THE CERTIFICATES=== | ||
− | + | /certificate import file-name=cert_export_CA-HQ.crt passphrase="" | |
− | + | /certificate import file-name=cert_export_client-Cabang.crt passphrase=123456789 | |
+ | /certificate import file-name=cert_export_client-Cabang.key passphrase=123456789 | ||
− | |||
− | |||
− | |||
− | |||
− | + | ==MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION== | |
− | + | ===CREATE A OVPN CLIENT (MODIFY COMMAND AS NEEDED)=== | |
+ | # /interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork | ||
− | + | /interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=10.10.200.1 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang | |
− | |||
− | + | ===CREATE A ROUTE (MODIFY COMMAND AS NEEDED)=== | |
− | + | /ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1 | |
Line 103: | Line 154: | ||
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED): | CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED): | ||
− | /ip firewall filter add chain=input dst-port=1194 protocol=tcp | + | # /ip firewall filter add chain=input dst-port=1194 protocol=tcp |
− | /ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0 | + | # /ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0 |
==Referensi== | ==Referensi== | ||
* https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/ | * https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/ |
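Review bot: In the client part of the Line 36 hunk, `connect-to=10.10.200.1` dials the server's PPP tunnel address taken from `/ppp profile add ... local-address=10.10.200.1`, an address that only exists once the tunnel is already up; the client has to connect to the server's reachable WAN address instead, e.g. `connect-to=<SERVER_WAN_IP>` (the CA signing line names 192.168.3.73 as the "public" WAN IP of that router). On the server, `cipher=blowfish128,aes128,aes192,aes256` leaves a legacy 64-bit-block cipher negotiable although the client only offers aes256; `cipher=aes256` matches the client and removes the downgrade option. Both "Setup Router Mikrotik Biasa" blocks set `/ip dns set allow-remote-request=yes` with no `/ip firewall filter` input rule shown for ether1, so unless the factory firewall is still in place the router will resolve DNS for anyone on the WAN side; an input rule dropping TCP/UDP 53 arriving on ether1 (or limiting it to the bridge) belongs next to the existing `dst-port=1194` rule. The exported client key is fetched over plain FTP with export passphrase `123456789`, which is also the PPP secret and the value listed as "Private Key" at the top of the page; use a strong passphrase distinct from the PPP password, prefer SFTP, and remove the exported files from the server's file store once they are imported. `/ip route add gateway=bridge1` in the same setup blocks appears to add a second default route via the LAN bridge alongside the one the ether1 DHCP client installs, which would likely break WAN reachability — confirm this line is intended.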
Latest revision as of 11:56, 29 December 2022
Sumber: https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/
MikroTik Identity HQ Client Name Cabang MikroTik Local IP 192.168.88.198 Private Key 123456789
MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT
Setup Router Mikrotik Biasa
/ip dhcp-client print /ip dhcp-client add interface=ether1 disable=no /interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether2 add bridge=bridge1 interface=ether3 add bridge=bridge1 interface=ether4 add bridge=bridge1 interface=ether5 add bridge=bridge1 interface=ether6 add bridge=bridge1 interface=ether7 add bridge=bridge1 interface=ether8 /ip address add interface=bridge1 address=192.168.100.1/24 /ip route add gateway=bridge1 /ip dns set servers=1.1.1.1 /ip dns set allow-remote-request=yes /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade /ip firewall nat print
/ip dhcp-server setup
CREATE THE CERTIFICATES
/certificate add name=ca-template common-name=CA-HQ key-usage=key-cert-sign,crl-sign /certificate add name=server-template common-name=SERVER /certificate add name=client-Cabang-template common-name=client-Cabang
SIGN THE CERTIFICATES
SATU PER SATU Butuh waktu, jangan copy paste sekaligus.
/certificate sign ca-template ca-crl-host=192.168.3.73 name=CA-HQ # 192.168.3.73 IP address "public" WAN Mikrotik /certificate sign ca=CA-HQ server-template name=SERVER /certificate sign ca=CA-HQ client-Cabang-template name=client-Cabang
ENABLE “TRUSTED” FOR THE CERTIFICATE AUTHORITY AND SERVER ONLY
/certificate set CA-HQ trusted=yes /certificate set SERVER trusted=yes
EXPORT THE CERTIFICATES
/certificate export-certificate CA-HQ /certificate export-certificate client-Cabang export-passphrase=123456789
Ambil file menggunakan FTP ke Mikrotik SERVER
cert_export_CA-HQ.crt cert_export_client-Cabang.key cert_export_client-Cabang.crt
MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION
IMPORT THE CERTIFICATES
/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required
CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)
/ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn
CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED)
/interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
CREATE A ROUTE (MODIFY COMMAND AS NEEDED)
/ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2
MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):
/ip firewall filter add chain=input dst-port=1194 protocol=tcp /ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.200.0/24 place-before=0
Monitor
/interface ovpn-server monitor 0
MIKROTIK B (CLIENT): CERTIFICATE SETUP & IMPORT
Setup Router Mikrotik Biasa
/ip dhcp-client print /ip dhcp-client add interface=ether1 disable=no /interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether2 add bridge=bridge1 interface=ether3 add bridge=bridge1 interface=ether4 add bridge=bridge1 interface=ether5 add bridge=bridge1 interface=ether6 add bridge=bridge1 interface=ether7 add bridge=bridge1 interface=ether8 /ip address add interface=bridge1 address=192.168.200.1/24 /ip route add gateway=bridge1 /ip dns set servers=1.1.1.1 /ip dns set allow-remote-request=yes /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade /ip firewall nat print
/ip dhcp-server setup
Download file menggunakan FTP
cert_export_CA-HQ.crt cert_export_client-Cabang.key cert_export_client-Cabang.crt
IMPORT THE CERTIFICATES
/certificate import file-name=cert_export_CA-HQ.crt passphrase="" /certificate import file-name=cert_export_client-Cabang.crt passphrase=123456789 /certificate import file-name=cert_export_client-Cabang.key passphrase=123456789
MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION
CREATE A OVPN CLIENT (MODIFY COMMAND AS NEEDED)
# /interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=10.10.200.1 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang
CREATE A ROUTE (MODIFY COMMAND AS NEEDED)
/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1
MIKROTIK B (CLIENT): OPENVPN FIREWALL/NAT CONFIGURATION
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):
# /ip firewall filter add chain=input dst-port=1194 protocol=tcp # /ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0