Difference between revisions of "Mikrotik: OpenVPN - Site to Site"

From OnnoWiki
Latest revision as of 11:56, 29 December 2022

Source: https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/


MikroTik Identity  HQ
Client Name        Cabang
MikroTik Local IP  192.168.88.198
Private Key        123456789   (used below as the certificate export passphrase and as the PPP secret password)


MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT

Basic MikroTik Router Setup

/ip dhcp-client print
/ip dhcp-client add interface=ether1 disabled=no        # WAN address and default route come from DHCP on ether1 (full parameter name is "disabled")
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip address add interface=bridge1 address=192.168.100.1/24
# /ip route add gateway=bridge1      # not needed: the DHCP client on ether1 already installs the default route, and a second default route via the LAN bridge breaks WAN reachability
/ip dns set servers=1.1.1.1
/ip dns set allow-remote-requests=yes     # full parameter name is "allow-remote-requests"; with no input filter on ether1 the router also answers DNS queries arriving on the WAN, so drop udp/53 from ether1 if that interface is public
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat print
/ip dhcp-server setup                     # interactive wizard: choose bridge1 as the DHCP server interface


CREATE THE CERTIFICATES

/certificate add name=ca-template common-name=CA-HQ key-usage=key-cert-sign,crl-sign
/certificate add name=server-template common-name=SERVER
/certificate add name=client-Cabang-template common-name=client-Cabang

SIGN THE CERTIFICATES

ONE AT A TIME: signing takes a while, so do not copy-paste all the commands at once.

/certificate sign ca-template ca-crl-host=192.168.3.73 name=CA-HQ     # 192.168.3.73 is the MikroTik's "public" WAN IP address
/certificate sign ca=CA-HQ server-template name=SERVER
/certificate sign ca=CA-HQ client-Cabang-template name=client-Cabang

ENABLE “TRUSTED” FOR THE CERTIFICATE AUTHORITY AND SERVER ONLY

/certificate set CA-HQ trusted=yes
/certificate set SERVER trusted=yes

EXPORT THE CERTIFICATES

/certificate export-certificate CA-HQ                                        # no export-passphrase, so only the CA certificate is written; the CA private key never leaves the server
/certificate export-certificate client-Cabang export-passphrase=123456789    # with a passphrase the client private key is exported too, encrypted under that passphrase

Fetch the files via FTP from the MikroTik SERVER

cert_export_CA-HQ.crt
cert_export_client-Cabang.key
cert_export_client-Cabang.crt


MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION

CREATE A PPP PROFILE (MODIFY COMMAND AS NEEDED)

/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required

CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)

/ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn


CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED)

/interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes

CREATE A ROUTE (MODIFY COMMAND AS NEEDED)

/ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2

MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION

CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):

/ip firewall filter add chain=input dst-port=1194 protocol=tcp      # no action given, so the default action=accept applies; keep this rule above any drop rule in the input chain
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.200.0/24 place-before=0      # default action=accept in srcnat means "do not NAT"; place-before=0 puts it ahead of the masquerade rule so site-to-site traffic keeps its real source address


Monitor

 /interface ovpn-server monitor 0

MIKROTIK B (CLIENT): CERTIFICATE SETUP & IMPORT

Basic MikroTik Router Setup

/ip dhcp-client print
/ip dhcp-client add interface=ether1 disabled=no        # WAN address and default route come from DHCP on ether1 (full parameter name is "disabled")
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip address add interface=bridge1 address=192.168.200.1/24
# /ip route add gateway=bridge1      # not needed: the DHCP client on ether1 already installs the default route, and a second default route via the LAN bridge breaks WAN reachability
/ip dns set servers=1.1.1.1
/ip dns set allow-remote-requests=yes     # full parameter name is "allow-remote-requests"; with no input filter on ether1 the router also answers DNS queries arriving on the WAN, so drop udp/53 from ether1 if that interface is public
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat print
/ip dhcp-server setup                     # interactive wizard: choose bridge1 as the DHCP server interface


Download the files using FTP

cert_export_CA-HQ.crt
cert_export_client-Cabang.key
cert_export_client-Cabang.crt


IMPORT THE CERTIFICATES

/certificate import file-name=cert_export_CA-HQ.crt passphrase=""
/certificate import file-name=cert_export_client-Cabang.crt passphrase=123456789
/certificate import file-name=cert_export_client-Cabang.key passphrase=123456789


MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION

CREATE A OVPN CLIENT (MODIFY COMMAND AS NEEDED)

# /interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork      # example from the referenced source, kept commented out
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=192.168.3.73 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang
# connect-to must be the server's reachable WAN address (192.168.3.73, as noted in the sign step), not the tunnel address 10.10.200.1: that address only exists once the tunnel is already up, so a client dialing it could never connect

CREATE A ROUTE (MODIFY COMMAND AS NEEDED)

/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1
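As an added check (not from the wiki page or RouterOS), the following Python script parses the addressing commands this page issues on both routers and verifies the invariants the tunnel depends on: the two site LANs must not overlap, the tunnel endpoints must sit outside both LANs, the client's connect-to must be the server's WAN address rather than a tunnel endpoint, and each static route must reach the peer LAN via the peer's end of the tunnel. The command strings are constructed from this page, and the server WAN address is the 192.168.3.73 named in the sign step.

```python
import ipaddress
import shlex

# Constructed input: this page's addressing-related commands, one block per router.
# 192.168.3.73 is the server WAN address named in the certificate sign step; the
# client line keeps connect-to=10.10.200.1 (a tunnel address) for the checker to catch.
SERVER_WAN = "192.168.3.73"
SERVER_CMDS = """
/ip address add interface=bridge1 address=192.168.100.1/24
/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required
/ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2
"""
CLIENT_CMDS = """
/ip address add interface=bridge1 address=192.168.200.1/24
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=10.10.200.1 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang
/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1
"""

def parse(commands):
    """Map each RouterOS command path (e.g. '/ip route add') to its key=value args."""
    out = {}
    for line in commands.strip().splitlines():
        tokens = shlex.split(line)
        path = " ".join(t for t in tokens if "=" not in t)
        out[path] = dict(t.split("=", 1) for t in tokens if "=" in t)
    return out

def check_plan(server_cmds, client_cmds, server_wan):
    """Return a list of problems; an empty list means the plan is consistent."""
    s, c = parse(server_cmds), parse(client_cmds)
    lan_s = ipaddress.ip_interface(s["/ip address add"]["address"]).network
    lan_c = ipaddress.ip_interface(c["/ip address add"]["address"]).network
    prof = s["/ppp profile add"]
    tun_s = ipaddress.ip_address(prof["local-address"])   # server end of the tunnel
    tun_c = ipaddress.ip_address(prof["remote-address"])  # client end of the tunnel
    connect_to = ipaddress.ip_address(c["/interface ovpn-client add"]["connect-to"])
    problems = []
    if lan_s.overlaps(lan_c):
        problems.append(f"site LANs overlap: {lan_s} and {lan_c}")
    problems += [f"tunnel endpoint {t} lies inside a site LAN" for t in (tun_s, tun_c) if t in lan_s or t in lan_c]
    # The client must dial the server's WAN address: a tunnel address only exists once the tunnel is up.
    if connect_to in (tun_s, tun_c):
        problems.append(f"connect-to={connect_to} is a tunnel endpoint; use the server WAN address {server_wan}")
    elif connect_to != ipaddress.ip_address(server_wan):
        problems.append(f"connect-to={connect_to} is not the server WAN address {server_wan}")
    # Each site reaches the other LAN through the peer's end of the tunnel.
    for who, r, want in (("server", s["/ip route add"], (lan_c, tun_c)), ("client", c["/ip route add"], (lan_s, tun_s))):
        if (ipaddress.ip_network(r["dst-address"]), ipaddress.ip_address(r["gateway"])) != want:
            problems.append(f"{who} route must reach the peer LAN via the peer's tunnel address")
    return problems
```

Run against the page's commands it reports the connect-to mistake; replacing that value with 192.168.3.73 yields an empty list.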


MIKROTIK B (CLIENT): OPENVPN FIREWALL/NAT CONFIGURATION

CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):

# /ip firewall filter add chain=input dst-port=1194 protocol=tcp
# /ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0
# Both rules stay commented out on the client: it initiates the connection, so no inbound rule for TCP/1194 is needed, and the masquerade rule matches out-interface=ether1 only, so traffic entering the tunnel is not NATed. The src-address above (192.168.88.0/24) is also stale; this site's LAN is 192.168.200.0/24.

References

* https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/