Difference between revisions of "Mikrotik: OpenVPN - Server ke PC dari wiki mikrotik"

From OnnoWiki
Jump to navigation Jump to search
(Created page with "Sumber: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN ==Referensi== * https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN")
 
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
Sumber: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN
 
Sumber: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN
  
 +
[[File:Ipsec-road-warrior (1).png]]
 +
 +
 +
==Kondisi Jaringan==
 +
 +
Office    192.168.3.73/24
 +
Office LAN 192.168.100.0/24
 +
VPN Pool  192.168.77.0/24 gw 192.168.77.1
 +
 +
Client    192.168.3.77/24
 +
 +
==Certificate==
 +
 +
===Certificate Generate===
 +
 +
/certificate
 +
add name=ca-template common-name=itts.ac.id days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
 +
add name=server-template common-name=*.itts.ac.id days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
 +
add name=client-template common-name=client.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client
 +
add name=client1-template common-name=client1.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client
 +
 +
===Certificate Sign===
 +
 +
'''SATU PER SATU''', jangan COPAS Sekaligus. Proses signing akan membutuhkan waktu, harap sabar.
 +
 +
/certificate
 +
sign ca-template name=ca
 +
sign server-template name=server ca=ca
 +
sign client-template name=client ca=ca
 +
sign client1-template name=client1 ca=ca
 +
 +
===Certificate Trust===
 +
 +
/certificate
 +
set ca trusted=yes
 +
set server trusted=yes
 +
 +
===Certificate Export===
 +
 +
 +
/file print
 +
/file remove numbers=0
 +
/file remove numbers=1
 +
.... dst....
 +
 +
 +
/certificate
 +
export-certificate ca export-passphrase=""
 +
export-certificate client export-passphrase=123456789
 +
export-certificate client1 export-passphrase=123456789
 +
 +
Cek bahwa sudah di generate menggunakan
 +
 +
/file print
 +
 +
==Server==
 +
 +
/ip dhcp-client print
 +
/ip dhcp-client add interface=ether1 disable=no
 +
/interface bridge
 +
add name=bridge1
 +
/interface bridge port
 +
add bridge=bridge1 interface=ether2
 +
add bridge=bridge1 interface=ether3
 +
add bridge=bridge1 interface=ether4
 +
add bridge=bridge1 interface=ether5
 +
add bridge=bridge1 interface=ether6
 +
add bridge=bridge1 interface=ether7
 +
add bridge=bridge1 interface=ether8
 +
/ip address add interface=bridge1 address=192.168.100.1/24
 +
/ip route add gateway=bridge1
 +
/ip dns set servers=1.1.1.1
 +
/ip dns set allow-remote-request=yes
 +
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
 +
/ip firewall nat print
 +
/ip dhcp-server setup
 +
 +
/ip pool add name=ovpn-pool range=192.168.77.2-192.168.77.254
 +
/ppp profile add name=ovpn local-address=192.168.77.1 remote-address=ovpn-pool
 +
/ppp secret
 +
  add name=client password=123456 profile=ovpn
 +
  add name=client1 password=123456 profile=ovpn
 +
/interface ovpn-server server set enabled=yes certificate=server
 +
 +
==Client Mikrotik==
 +
 +
/interface ovpn-client
 +
  add name=ovpn-client1 connect-to=2.2.2.2 user=client password=123456 disabled=no
 +
/ip route
 +
  add dst-address=192.168.100.0/24 gateway=ovpn-client1
 +
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1
 +
 +
==Client Linux==
 +
 +
dev tun
 +
proto tcp-client
 +
remote 2.2.2.2 1194
 +
tls-client
 +
ca cert_export_ca.crt
 +
key cert_export_client1.key  cert_export_client.key
 +
cert cert_export_client1.crt  cert_export_client.crt  client.ovpn
 +
 +
user nobody
 +
group nogroup
 +
#comp-lzo # Do not use compression.
 +
# More reliable detection when a system loses its connection.
 +
ping 15
 +
ping-restart 45
 +
ping-timer-rem
 +
persist-tun
 +
persist-key
 +
mute-replay-warnings
 +
verb 3
 +
cipher BF-CBC
 +
auth SHA1
 +
pull
 +
auth-user-pass auth.cfg
  
  

Latest revision as of 10:04, 12 January 2023

Sumber: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

Ipsec-road-warrior (1).png


Kondisi Jaringan

Office     192.168.3.73/24
Office LAN 192.168.100.0/24
VPN Pool   192.168.77.0/24 gw 192.168.77.1

Client     192.168.3.77/24

Certificate

Certificate Generate

/certificate
add name=ca-template common-name=itts.ac.id days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.itts.ac.id days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client
add name=client1-template common-name=client1.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client

Certificate Sign

SATU PER SATU, jangan COPAS Sekaligus. Proses signing akan membutuhkan waktu, harap sabar. 

/certificate
sign ca-template name=ca
sign server-template name=server ca=ca
sign client-template name=client ca=ca
sign client1-template name=client1 ca=ca

Certificate Trust

/certificate
set ca trusted=yes
set server trusted=yes

Certificate Export

/file print 
/file remove numbers=0
/file remove numbers=1
.... dst....



/certificate
export-certificate ca export-passphrase=""
export-certificate client export-passphrase=123456789
export-certificate client1 export-passphrase=123456789

Cek bahwa sudah di generate menggunakan 

/file print

Server

/ip dhcp-client print
/ip dhcp-client add interface=ether1 disable=no
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip address add interface=bridge1 address=192.168.100.1/24
/ip route add gateway=bridge1
/ip dns set servers=1.1.1.1
/ip dns set allow-remote-request=yes
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat print
/ip dhcp-server setup

/ip pool add name=ovpn-pool range=192.168.77.2-192.168.77.254
/ppp profile add name=ovpn local-address=192.168.77.1 remote-address=ovpn-pool
/ppp secret
  add name=client password=123456 profile=ovpn
  add name=client1 password=123456 profile=ovpn
/interface ovpn-server server set enabled=yes certificate=server

Client Mikrotik

/interface ovpn-client
  add name=ovpn-client1 connect-to=2.2.2.2 user=client password=123456 disabled=no
/ip route 
  add dst-address=192.168.100.0/24 gateway=ovpn-client1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1

Client Linux

dev tun
proto tcp-client
remote 2.2.2.2 1194
tls-client
ca cert_export_ca.crt
key cert_export_client1.key  cert_export_client.key
cert cert_export_client1.crt  cert_export_client.crt   client.ovpn

user nobody
group nogroup
#comp-lzo # Do not use compression.
# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher BF-CBC
auth SHA1
pull
auth-user-pass auth.cfg


Referensi

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=Mikrotik:_OpenVPN_-_Server_ke_PC_dari_wiki_mikrotik&oldid=67610"