Difference between revisions of "Mikrotik: OpenVPN - Server to PC from the MikroTik wiki"
Onnowpurbo (talk | contribs)
(13 intermediate revisions by the same user not shown)
Line 1: | Line 1: | ||
Sumber: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN | Sumber: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN | ||
+ | [[File:Ipsec-road-warrior (1).png]] | ||
+ | |||
+ | |||
+ | ==Kondisi Jaringan== | ||
+ | |||
+ | Office 192.168.3.73/24 | ||
+ | Office LAN 192.168.100.0/24 | ||
+ | VPN Pool 192.168.77.0/24 gw 192.168.77.1 | ||
+ | |||
+ | Client 192.168.3.77/24 | ||
==Certificate== | ==Certificate== | ||
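Review bot: the address recorded for the office in the new "Kondisi Jaringan" block (192.168.3.73/24) is not the address the client sections of this same revision connect to (connect-to=2.2.2.2 and remote 2.2.2.2 1194), so a reader cannot tell which one the OVPN server listens on; either state that 2.2.2.2 stands for the office's public IP or use one value throughout. The diagram added at the top, [[File:Ipsec-road-warrior (1).png]], is an IPsec road-warrior figure on a page that documents an OVPN server; a figure matching the OpenVPN topology (office LAN 192.168.100.0/24, VPN pool 192.168.77.0/24, remote client) would avoid confusing the two.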
Line 7: | Line 17: | ||
/certificate | /certificate | ||
− | add name=ca-template common-name= | + | add name=ca-template common-name=itts.ac.id days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign |
− | add name=server-template common-name=*. | + | add name=server-template common-name=*.itts.ac.id days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server |
− | add name=client-template common-name=client. | + | add name=client-template common-name=client.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client |
− | add name=client1-template common-name=client1. | + | add name=client1-template common-name=client1.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client |
− | |||
===Certificate Sign=== | ===Certificate Sign=== | ||
− | Proses signing akan membutuhkan waktu, harap sabar. | + | '''SATU PER SATU''', jangan COPAS Sekaligus. Proses signing akan membutuhkan waktu, harap sabar. |
/certificate | /certificate | ||
− | sign ca-template name=ca | + | sign ca-template name=ca |
− | sign server-template name=server | + | sign server-template name=server ca=ca |
− | sign client-template name=client | + | sign client-template name=client ca=ca |
− | sign client1-template name=client1 | + | sign client1-template name=client1 ca=ca |
===Certificate Trust=== | ===Certificate Trust=== | ||
/certificate | /certificate | ||
− | set ca | + | set ca trusted=yes |
− | set server | + | set server trusted=yes |
===Certificate Export=== | ===Certificate Export=== | ||
+ | |||
+ | |||
+ | /file print | ||
+ | /file remove numbers=0 | ||
+ | /file remove numbers=1 | ||
+ | .... dst.... | ||
+ | |||
/certificate | /certificate | ||
− | export-certificate ca | + | export-certificate ca export-passphrase="" |
− | export-certificate client | + | export-certificate client export-passphrase=123456789 |
− | export-certificate client1 | + | export-certificate client1 export-passphrase=123456789 |
Cek bahwa sudah di generate menggunakan | Cek bahwa sudah di generate menggunakan | ||
/file print | /file print | ||
− | |||
− | |||
− | |||
==Server== | ==Server== | ||
− | /interface | + | /ip dhcp-client print |
− | /interface | + | /ip dhcp-client add interface=ether1 disable=no |
− | /interface | + | /interface bridge |
− | + | add name=bridge1 | |
+ | /interface bridge port | ||
+ | add bridge=bridge1 interface=ether2 | ||
+ | add bridge=bridge1 interface=ether3 | ||
+ | add bridge=bridge1 interface=ether4 | ||
+ | add bridge=bridge1 interface=ether5 | ||
+ | add bridge=bridge1 interface=ether6 | ||
+ | add bridge=bridge1 interface=ether7 | ||
+ | add bridge=bridge1 interface=ether8 | ||
+ | /ip address add interface=bridge1 address=192.168.100.1/24 | ||
+ | /ip route add gateway=bridge1 | ||
+ | /ip dns set servers=1.1.1.1 | ||
+ | /ip dns set allow-remote-request=yes | ||
+ | /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade | ||
+ | /ip firewall nat print | ||
+ | /ip dhcp-server setup | ||
/ip pool add name=ovpn-pool range=192.168.77.2-192.168.77.254 | /ip pool add name=ovpn-pool range=192.168.77.2-192.168.77.254 | ||
/ppp profile add name=ovpn local-address=192.168.77.1 remote-address=ovpn-pool | /ppp profile add name=ovpn local-address=192.168.77.1 remote-address=ovpn-pool | ||
/ppp secret | /ppp secret | ||
+ | add name=client password=123456 profile=ovpn | ||
add name=client1 password=123456 profile=ovpn | add name=client1 password=123456 profile=ovpn | ||
− | add name= | + | /interface ovpn-server server set enabled=yes certificate=server |
− | + | ||
+ | ==Client Mikrotik== | ||
+ | |||
+ | /interface ovpn-client | ||
+ | add name=ovpn-client1 connect-to=2.2.2.2 user=client password=123456 disabled=no | ||
+ | /ip route | ||
+ | add dst-address=192.168.100.0/24 gateway=ovpn-client1 | ||
+ | /ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1 | ||
+ | |||
+ | ==Client Linux== | ||
+ | |||
+ | dev tun | ||
+ | proto tcp-client | ||
+ | remote 2.2.2.2 1194 | ||
+ | tls-client | ||
+ | ca cert_export_ca.crt | ||
+ | key cert_export_client1.key cert_export_client.key | ||
+ | cert cert_export_client1.crt cert_export_client.crt client.ovpn | ||
+ | |||
+ | user nobody | ||
+ | group nogroup | ||
+ | #comp-lzo # Do not use compression. | ||
+ | # More reliable detection when a system loses its connection. | ||
+ | ping 15 | ||
+ | ping-restart 45 | ||
+ | ping-timer-rem | ||
+ | persist-tun | ||
+ | persist-key | ||
+ | mute-replay-warnings | ||
+ | verb 3 | ||
+ | cipher BF-CBC | ||
+ | auth SHA1 | ||
+ | pull | ||
+ | auth-user-pass auth.cfg | ||
+ | |||
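Review bot: `/ip route add gateway=bridge1` in the Server block adds a default route through the LAN bridge, which competes with the default route the new `/ip dhcp-client` on ether1 installs and can send Internet-bound traffic into bridge1; drop that line, the DHCP client already supplies the default route. Two parameter names in the same block will be rejected by the console: `disable=no` should be `disabled=no`, and `allow-remote-request=yes` should be `allow-remote-requests=yes` (and since that setting answers DNS on every interface, and this revision adds no firewall filter rule, the resolver is reachable from ether1 as well). In the Linux profile, `key` and `cert` each take a single file but are given two (`key cert_export_client1.key cert_export_client.key`), with a stray `client.ovpn` on the `cert` line; use one key/cert pair per profile, and note that these keys were exported with export-passphrase=123456789, so OpenVPN will prompt for the key password at start. `cipher BF-CBC` is a legacy cipher that OpenVPN 2.5 and later no longer enable by default, so an AES cipher the server also offers is the safer default, and `remote-cert-tls server` is missing, so the client never checks that the peer certificate carries the tls-server usage the server-template was created with. Finally, `/interface ovpn-server server set enabled=yes certificate=server` does not set require-client-certificate=yes, so the client certificates generated above are never verified by the server; if it is turned on, the MikroTik client block, which authenticates with user/password only, needs a certificate too. The secrets 123456 and 123456789 should be marked as placeholders rather than values to copy.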
Latest revision as of 10:04, 12 January 2023
Source: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN
Network Conditions
Office 192.168.3.73/24
Office LAN 192.168.100.0/24
VPN Pool 192.168.77.0/24 gw 192.168.77.1
Client 192.168.3.77/24
Certificate
Certificate Generate
/certificate
add name=ca-template common-name=itts.ac.id days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.itts.ac.id days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client
add name=client1-template common-name=client1.itts.ac.id days-valid=3650 key-size=2048 key-usage=tls-client
Certificate Sign
ONE AT A TIME, do not copy-paste them all at once. The signing process takes a while, please be patient.
/certificate
sign ca-template name=ca
sign server-template name=server ca=ca
sign client-template name=client ca=ca
sign client1-template name=client1 ca=ca
Certificate Trust
/certificate
set ca trusted=yes
set server trusted=yes
Certificate Export
# clear old files first so the new exports are easy to find
/file print
/file remove numbers=0
/file remove numbers=1
... etc. ...
/certificate
# without an export-passphrase only the certificate is exported; the CA private key stays on the router
export-certificate ca export-passphrase=""
# the passphrase encrypts the exported client private key; 123456789 is the page's example value
export-certificate client export-passphrase=123456789
export-certificate client1 export-passphrase=123456789
Check that they have been generated using
/file print
Server
/ip dhcp-client print
/ip dhcp-client add interface=ether1 disabled=no
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip address add interface=bridge1 address=192.168.100.1/24
# the default route is installed by the DHCP client on ether1; a default route via the LAN bridge sends Internet traffic the wrong way, so this line is kept only for reference
# /ip route add gateway=bridge1
/ip dns set servers=1.1.1.1
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat print
/ip dhcp-server setup
/ip pool add name=ovpn-pool range=192.168.77.2-192.168.77.254
/ppp profile add name=ovpn local-address=192.168.77.1 remote-address=ovpn-pool
/ppp secret
# 123456 is the page's example password for both users
add name=client password=123456 profile=ovpn
add name=client1 password=123456 profile=ovpn
/interface ovpn-server server set enabled=yes certificate=server
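Before applying the pool and profile above, it is worth checking that the three subnets listed under Network Conditions do not overlap and that the pool handed to clients excludes the profile's local-address. The script below is an added example, not code from the wiki page or from MikroTik; the subnet, pool and gateway values are the ones stated on this page, and the checks themselves are the assumption being demonstrated.

```python
"""Sanity-check the addressing plan behind the OVPN server configuration.

Added example (not from the wiki page or MikroTik). It verifies that the
subnets in "Network Conditions" do not overlap, that the ovpn-pool range
lies inside the VPN subnet, and that the ppp profile's local-address (the
VPN gateway) is outside the range handed out to clients.
"""
import ipaddress

# Values taken from the page's "Network Conditions" and /ip pool line.
PLAN = {
    "office": "192.168.3.73/24",    # office uplink, host address as written on the page
    "lan": "192.168.100.0/24",      # bridge1 LAN behind the router
    "vpn": "192.168.77.0/24",       # network the VPN pool is carved from
}
POOL_RANGE = "192.168.77.2-192.168.77.254"   # /ip pool range
VPN_GATEWAY = "192.168.77.1"                 # /ppp profile local-address


def parse_pool(range_str):
    """Parse a RouterOS 'first-last' pool range into two ip_address objects."""
    first, last = (ipaddress.ip_address(p.strip()) for p in range_str.split("-", 1))
    if first > last:
        raise ValueError(f"pool range is reversed: {range_str}")
    return first, last


def check_plan(networks, pool_range, gateway):
    """Return a list of readable findings; an empty list means the plan is consistent."""
    findings = []
    # strict=False lets a host address such as 192.168.3.73/24 stand for its subnet.
    nets = {name: ipaddress.ip_network(cidr, strict=False) for name, cidr in networks.items()}
    names = list(nets)

    # 1. No two subnets may overlap, or routing between them becomes ambiguous.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    # 2. The pool must sit inside the VPN subnet and must not contain the gateway,
    #    the network address or the broadcast address.
    first, last = parse_pool(pool_range)
    vpn = nets["vpn"]
    gw = ipaddress.ip_address(gateway)
    if first not in vpn or last not in vpn:
        findings.append(f"pool {pool_range} is not inside vpn subnet {vpn}")
    if gw not in vpn:
        findings.append(f"gateway {gw} is not inside vpn subnet {vpn}")
    if first <= gw <= last:
        findings.append(f"gateway {gw} lies inside the client pool {pool_range}")
    if first == vpn.network_address or last == vpn.broadcast_address:
        findings.append("pool includes the network or broadcast address")
    return findings


if __name__ == "__main__":
    problems = check_plan(PLAN, POOL_RANGE, VPN_GATEWAY)
    print("plan OK" if not problems else "\n".join(problems))
```

Run it once with the page's values (it reports "plan OK") and again after editing PLAN to the subnets of your own site; a pool that overlaps the office LAN, or a gateway that was accidentally left inside the pool range, is reported before any client connects.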
MikroTik Client
/interface ovpn-client
add name=ovpn-client1 connect-to=2.2.2.2 user=client password=123456 disabled=no
/ip route
add dst-address=192.168.100.0/24 gateway=ovpn-client1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1
Linux Client
# client.ovpn
dev tun
proto tcp-client
remote 2.2.2.2 1194
tls-client
ca cert_export_ca.crt
# one key/cert pair per profile: cert_export_client1.* for user client1, or cert_export_client.* for user client
# the exported key is encrypted with the export-passphrase, so OpenVPN prompts for it at start
key cert_export_client1.key
cert cert_export_client1.crt

user nobody
group nogroup
#comp-lzo # Do not use compression.
# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
# BF-CBC is a legacy cipher that OpenVPN 2.5 and later no longer enable by default; prefer an AES cipher the server also offers
cipher BF-CBC
auth SHA1
pull
# auth.cfg holds two lines: the ppp secret name and its password
auth-user-pass auth.cfg
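The client profile as it was first written has a few lines a reviewer would stop at, so here is an added Python linter (not from the wiki page, OpenVPN or MikroTik) that parses a constructed copy of that original profile, flags the `key` and `cert` lines carrying more than one file, the legacy BF-CBC cipher and the absent `remote-cert-tls server` check, and then shows the same profile with those points addressed passing cleanly. The directive names are real OpenVPN directives; the fixed profile's choice of AES-256-CBC assumes the RouterOS server offers that cipher.

```python
"""Lint an OpenVPN client profile before handing it to users.

Added example, not from the wiki page or from the OpenVPN or MikroTik projects.
It parses a profile line by line, checks single-file directives for extra
arguments, flags legacy ciphers, and requires a server-certificate check.
"""

# Directives that take exactly one file path.
ONE_FILE = {"ca", "cert", "key", "dh", "tls-crypt"}
# Ciphers OpenVPN 2.5+ no longer enables by default.
LEGACY_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}

# Constructed copy of the Linux client profile as it was first written on the page.
PAGE_PROFILE = """\
dev tun
proto tcp-client
remote 2.2.2.2 1194
tls-client
ca cert_export_ca.crt
key cert_export_client1.key cert_export_client.key
cert cert_export_client1.crt cert_export_client.crt client.ovpn
user nobody
group nogroup
#comp-lzo # Do not use compression.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher BF-CBC
auth SHA1
pull
auth-user-pass auth.cfg
"""

# The same profile with one key/cert pair, an AES cipher (assumed to be offered by the
# server) and a check that the peer presents a certificate with the tls-server usage.
FIXED_PROFILE = PAGE_PROFILE.replace(
    "key cert_export_client1.key cert_export_client.key", "key cert_export_client1.key"
).replace(
    "cert cert_export_client1.crt cert_export_client.crt client.ovpn", "cert cert_export_client1.crt"
).replace("cipher BF-CBC", "cipher AES-256-CBC") + "remote-cert-tls server\n"


def parse_profile(text):
    """Yield (directive, [args]) per non-comment line; anything after '#' is dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def lint_profile(text):
    """Return a list of (directive, problem) tuples; an empty list means no findings."""
    findings = []
    seen = set()
    for directive, args in parse_profile(text):
        seen.add(directive)
        if directive in ONE_FILE and len(args) != 1:
            findings.append((directive, f"expects exactly one file, got {len(args)}: {' '.join(args)}"))
        if directive == "cipher" and args and args[0].upper() in LEGACY_CIPHERS:
            findings.append((directive, f"{args[0]} is a legacy cipher; use an AES cipher the server also offers"))
    # Without one of these the client accepts any certificate signed by the CA as the server.
    if "remote-cert-tls" not in seen and "verify-x509-name" not in seen:
        findings.append(("remote-cert-tls", "missing: add 'remote-cert-tls server' so only a tls-server certificate is accepted as the peer"))
    return findings


if __name__ == "__main__":
    for directive, problem in lint_profile(PAGE_PROFILE):
        print(f"{directive}: {problem}")
    print("fixed profile findings:", lint_profile(FIXED_PROFILE))
```

Running the script prints four findings for the original profile (key, cert, cipher, remote-cert-tls) and an empty list for the fixed one; pointing `PAGE_PROFILE` at any other .ovpn handed out to users gives the same quick review.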