Mikrotik: OpenVPN - Site to Site

From OnnoWiki
Latest revision as of 11:56, 29 December 2022

Source: https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/


MikroTik Identity   HQ
Client Name         Cabang
MikroTik Local IP   192.168.88.198   (value from the source article; the commands below use 192.168.100.1 for the HQ LAN and 192.168.3.73 for the HQ WAN)
Passphrase          123456789        (used as the certificate export passphrase, the PPP secret password and the OVPN client password; it is a shared secret, not a private key, and should be replaced by a long random value in production)


MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT

Basic MikroTik router setup

/ip dhcp-client print
/ip dhcp-client add interface=ether1 disabled=no
# the DHCP client on ether1 (WAN) also installs the default route
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip address add interface=bridge1 address=192.168.100.1/24
# do NOT add "/ip route add gateway=bridge1": with no dst-address that is a default route
# pointing at the LAN bridge, which competes with the DHCP-learned default route on ether1
/ip dns set servers=1.1.1.1
# allow-remote-request=yes makes the router a resolver for LAN hosts; without a drop rule
# at the end of the input chain it also answers DNS from the WAN (open resolver)
/ip dns set allow-remote-request=yes
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat print
/ip dhcp-server setup


CREATE THE CERTIFICATES

/certificate add name=ca-template common-name=CA-HQ key-usage=key-cert-sign,crl-sign
/certificate add name=server-template common-name=SERVER key-usage=digital-signature,key-encipherment,tls-server
/certificate add name=client-Cabang-template common-name=client-Cabang key-usage=tls-client
# templates default to key-size=2048 and days-valid=365; set days-valid=... on each template
# if the tunnel must keep working beyond a year without re-issuing certificates

SIGN THE CERTIFICATES

ONE AT A TIME: signing takes a while on the router, so do not paste all three commands at once.

/certificate sign ca-template ca-crl-host=192.168.3.73 name=CA-HQ     # 192.168.3.73 is the "public" WAN IP address of the HQ MikroTik; it becomes the host in the CRL distribution point URL
/certificate sign ca=CA-HQ server-template name=SERVER
/certificate sign ca=CA-HQ client-Cabang-template name=client-Cabang

ENABLE "TRUSTED" FOR THE CERTIFICATE AUTHORITY AND SERVER ONLY

/certificate set CA-HQ trusted=yes
/certificate set SERVER trusted=yes

EXPORT THE CERTIFICATES

/certificate export-certificate CA-HQ
/certificate export-certificate client-Cabang export-passphrase=123456789
# exporting without a passphrase writes the certificate only; with export-passphrase (at least
# 8 characters) the private key is written as well, encrypted with that passphrase

Fetch the three files from the SERVER MikroTik via FTP (or, better, SFTP or WinBox Files): cert_export_client-Cabang.key is the branch router's private key, protected only by the export passphrase above, and FTP carries the file and the router login in cleartext. Remove the exported files from the router's file list once they have been imported on the branch router.

cert_export_CA-HQ.crt
cert_export_client-Cabang.key
cert_export_client-Cabang.crt


MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION

CREATE A PPP PROFILE

/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required
# fixed tunnel addresses: 10.10.200.1 is the HQ end, 10.10.200.2 the branch end, so the
# static routes in both directions can use them as gateways

CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)

/ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn


CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED)

/interface ovpn-server server set certificate=SERVER cipher=aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
# the source offers cipher=blowfish128,aes128,aes192,aes256; blowfish128 is a 64-bit block
# cipher (SWEET32) and the branch client only uses aes256, so offer aes256 alone.
# require-client-certificate=yes is what makes the client certificate signed above mandatory;
# without it any client that knows the PPP secret is accepted.
# RouterOS v6 OVPN listens on TCP/1194 only (UDP support arrived in v7), which the firewall rule below assumes.

CREATE A ROUTE (MODIFY COMMAND AS NEEDED)

/ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2

MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION

CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):

/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1194 action=accept
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.200.0/24 action=accept place-before=0

The accept rule only matters if the input chain ends with a drop rule; the basic setup above has none, so every router service, DNS included (allow-remote-request=yes), stays reachable from the WAN until one is added. The srcnat rule with action=accept placed first (place-before=0) exempts HQ-to-branch traffic from NAT, so branch hosts see real 192.168.100.x source addresses; because the masquerade rule matches out-interface=ether1 only, traffic entering the tunnel interface would not be masqueraded even without it.


Monitor

 /interface ovpn-server monitor 0

MIKROTIK B (CLIENT): CERTIFICATE SETUP & IMPORT

Basic MikroTik router setup

/ip dhcp-client print
/ip dhcp-client add interface=ether1 disabled=no
# the DHCP client on ether1 (WAN) also installs the default route
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip address add interface=bridge1 address=192.168.200.1/24
# do NOT add "/ip route add gateway=bridge1": with no dst-address that is a default route
# pointing at the LAN bridge, which competes with the DHCP-learned default route on ether1
/ip dns set servers=1.1.1.1
# allow-remote-request=yes makes the router a resolver for LAN hosts; without a drop rule
# at the end of the input chain it also answers DNS from the WAN (open resolver)
/ip dns set allow-remote-request=yes
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat print
/ip dhcp-server setup


Transfer the files to the CLIENT MikroTik via FTP (or SFTP / WinBox Files: FTP carries the private key file and the router login in cleartext)

cert_export_CA-HQ.crt
cert_export_client-Cabang.key
cert_export_client-Cabang.crt


IMPORT THE CERTIFICATES

/certificate import file-name=cert_export_CA-HQ.crt passphrase=""
/certificate import file-name=cert_export_client-Cabang.crt passphrase=123456789
/certificate import file-name=cert_export_client-Cabang.key passphrase=123456789
# imported entries are named after the file: cert_export_CA-HQ.crt_0 and cert_export_client-Cabang.crt_0;
# importing the .key attaches the private key to the latter, which /certificate print shows with flag K
/certificate set cert_export_CA-HQ.crt_0 trusted=yes
# the imported CA must be trusted before the OVPN client can validate the HQ server's certificate


MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION

CREATE A OVPN CLIENT (MODIFY COMMAND AS NEEDED)

# source article's own example (Texas/NewYork), kept for reference only:
# /interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=192.168.3.73 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang verify-server-certificate=yes
# connect-to must be the HQ router's WAN address (192.168.3.73 in this setup), not 10.10.200.1:
# that is the HQ end of the tunnel and only reachable once the tunnel is already up.
# verify-server-certificate=yes (default no) makes the client check the server certificate against
# the imported, trusted CA; without it any host answering on that address with any certificate can
# impersonate HQ and collect the PPP credentials. user/password must match the PPP secret on HQ.

CREATE A ROUTE (MODIFY COMMAND AS NEEDED)

/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1


MIKROTIK B (CLIENT): OPENVPN FIREWALL/NAT CONFIGURATION

CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):

# no input rule for tcp/1194 is needed on the branch router: it initiates the connection.
# exempt branch-to-HQ traffic from masquerade; the branch LAN is 192.168.200.0/24 as configured
# above (the source article used 192.168.88.0/24 here). As on the HQ side this is belt-and-braces,
# since the masquerade rule only matches out-interface=ether1.
/ip firewall nat add chain=srcnat src-address=192.168.200.0/24 dst-address=192.168.100.0/24 action=accept place-before=0
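The following audit script is an added example and is neither RouterOS code nor part of the source article. It parses RouterOS `/export`-style text and flags the weaknesses present in the HQ and branch configurations on this page (default route via the LAN bridge, no input-chain drop rule with `allow-remote-request=yes`, blowfish128 in the OVPN server cipher list, the numeric shared password, an OVPN client without `verify-server-certificate=yes`, and `connect-to` pointing at the tunnel-side address), then shows that hardened variants pass. Assumptions: the parser only needs one command per line or a `/menu path` header followed by `add`/`set` lines; the 12-character password policy is a local choice; the hardened password `Tq7vLpX2nRb9wKe4` is a placeholder; 192.168.3.73 is the HQ WAN address named in this page's CRL comment.

```python
"""Offline audit of RouterOS '/export'-style text for the OpenVPN site-to-site settings
this page configures.  Added example: not RouterOS code and not from the source article.
Assumes one command per line, or a '/menu path' header followed by 'add'/'set' lines."""
import shlex

VERBS = {"add", "set", "print", "setup", "sign", "import", "export-certificate",
         "monitor", "remove", "enable", "disable"}
WEAK_OVPN_CIPHERS = {"null", "blowfish128"}   # no encryption / 64-bit block cipher (SWEET32)
MIN_SECRET_LEN = 12                            # assumed local policy for PPP/OVPN passwords

def parse_routeros(text):
    """Return one {'path', 'verb', 'params'} dict per command; '#' comments are dropped."""
    commands, path = [], ""
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])
        if not tokens: continue
        if tokens[0].startswith("/"):                    # menu path, e.g. '/ip firewall filter'
            i = 1
            while i < len(tokens) and tokens[i] not in VERBS and "=" not in tokens[i]:
                i += 1
            path, tokens = " ".join(tokens[:i]), tokens[i:]
        if not tokens or tokens[0] not in VERBS: continue
        commands.append({"path": path, "verb": tokens[0],
                         "params": dict(t.split("=", 1) for t in tokens[1:] if "=" in t)})
    return commands

def _by(cmds, path, verb):
    return [c for c in cmds if c["path"] == path and c["verb"] == verb]

def audit_ovpn_config(text):
    """Return sorted findings for one router; an empty list means every check passed."""
    cmds, out = parse_routeros(text), []
    # 1. 'gateway=bridge1' with no dst-address is a default route out the LAN bridge.
    for c in _by(cmds, "/ip route", "add"):
        p = c["params"]
        if p.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0" and p.get("gateway", "").startswith("bridge"):
            out.append("route: default route via LAN interface %s; let the WAN DHCP client supply it" % p["gateway"])
    # 2. No final drop in the input chain: accept rules are redundant and DNS is an open resolver.
    inputs = [c for c in _by(cmds, "/ip firewall filter", "add") if c["params"].get("chain") == "input"]
    if not any(c["params"].get("action") == "drop" for c in inputs):
        out.append("firewall: input chain has no drop rule; all router services are reachable from the WAN")
        if any(c["params"].get("allow-remote-request") == "yes" for c in _by(cmds, "/ip dns", "set")):
            out.append("dns: allow-remote-request=yes with an unfiltered input chain makes the router an open resolver")
    # 3. OVPN server: no weak ciphers, and the client certificate must actually be required.
    for c in _by(cmds, "/interface ovpn-server server", "set"):
        weak = sorted(WEAK_OVPN_CIPHERS & set(c["params"].get("cipher", "").split(",")))
        if weak:
            out.append("ovpn-server: weak cipher(s) offered: %s" % ",".join(weak))
        if c["params"].get("require-client-certificate") != "yes":
            out.append("ovpn-server: require-client-certificate is not yes; the client certificate is never checked")
    # 4. PPP profile must mandate encryption; PPP/OVPN passwords must not be trivial.
    for c in _by(cmds, "/ppp profile", "add"):
        if c["params"].get("use-encryption") != "required":
            out.append("ppp: profile %s lacks use-encryption=required" % c["params"].get("name", "?"))
    for c in _by(cmds, "/ppp secret", "add") + _by(cmds, "/interface ovpn-client", "add"):
        pw = c["params"].get("password", "")
        if len(pw) < MIN_SECRET_LEN or pw.isdigit():
            out.append("secret: weak password for %s" % c["params"].get("name", "?"))
    # 5. OVPN client: validate the server cert, connect to the WAN address (not the tunnel gateway).
    gateways = {c["params"].get("gateway") for c in _by(cmds, "/ip route", "add")}
    for c in _by(cmds, "/interface ovpn-client", "add"):
        p = c["params"]
        if p.get("verify-server-certificate") != "yes":
            out.append("ovpn-client: verify-server-certificate is not yes; any host can impersonate the server")
        if p.get("connect-to") in gateways:
            out.append("ovpn-client: connect-to=%s is the tunnel gateway address; use the server's WAN address" % p["connect-to"])
        if p.get("cipher") in WEAK_OVPN_CIPHERS:
            out.append("ovpn-client: weak cipher %s" % p["cipher"])
    return sorted(out)

# Constructed inputs: the lines this page gives (trimmed to what the audit inspects) and hardened variants.
SERVER_AS_ON_PAGE = """
/ip route add gateway=bridge1
/ip dns set allow-remote-request=yes
/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 use-encryption=required
/ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn
/interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
/ip firewall filter add chain=input dst-port=1194 protocol=tcp
"""
CLIENT_AS_ON_PAGE = """
/ip route add gateway=bridge1
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=10.10.200.1 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang
/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1
"""
SERVER_HARDENED = """
/ip firewall filter
add chain=input in-interface=bridge1 action=accept
add chain=input in-interface=ether1 protocol=tcp dst-port=1194 action=accept
add chain=input action=drop
/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 use-encryption=required
/ppp secret add name=Cabang password=Tq7vLpX2nRb9wKe4 profile=openvpn service=ovpn
/interface ovpn-server server set certificate=SERVER cipher=aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
"""
CLIENT_HARDENED = """
/ip firewall filter
add chain=input in-interface=bridge1 action=accept
add chain=input action=drop
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=192.168.3.73 name=ovpn-ke-HQ password=Tq7vLpX2nRb9wKe4 profile=default-encryption user=Cabang verify-server-certificate=yes
/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1
"""
```

Run `audit_ovpn_config` on the output of `/export` from each router (paste it into a string); the HQ configuration as written on this page yields five findings and the branch configuration five, while the hardened variants yield none. The `connect-to` check deliberately uses the static route's own gateway as the tell-tale: a client whose VPN endpoint equals the gateway it expects to reach through the VPN can never come up.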
