Difference between revisions of "Mikrotik: OpenVPN - Site to Site"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) |
Onnowpurbo (talk | contribs) |
||
| Line 57: | Line 57: | ||
/certificate import file-name=cert_export_client-Cabang.key passphrase=123456789 | /certificate import file-name=cert_export_client-Cabang.key passphrase=123456789 | ||
| − | |||
| − | MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION | + | ==MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION== |
| − | |||
| − | |||
| − | + | ===IMPORT THE CERTIFICATES=== | |
| + | /ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required | ||
| − | + | ==CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)== | |
| − | + | /ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn | |
| − | |||
| − | + | ===CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED)=== | |
| + | /interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes | ||
| − | + | ===CREATE A ROUTE (MODIFY COMMAND AS NEEDED)== | |
| − | / | + | /ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2 |
| + | |||
| + | OR Navigate to IP > Routes and create a new Route (modify settings as needed): | ||
| − | |||
| + | ==MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION== | ||
| − | CREATE | + | CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED): |
| − | /ip | + | # /ip firewall filter add chain=input dst-port=1194 protocol=tcp |
| + | # /ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.200.0/24 place-before=0 | ||
| − | + | ==MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION== | |
| + | ===CREATE A OVPN CLIENT (MODIFY COMMAND AS NEEDED)=== | ||
| − | + | /interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork | |
| − | |||
| − | / | + | /interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=10.10.200.1 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang |
| − | |||
| − | |||
| − | |||
| − | |||
OR Navigate to PPP > Interface, create a new OVPN Client: | OR Navigate to PPP > Interface, create a new OVPN Client: | ||
| Line 106: | Line 103: | ||
CREATE A ROUTE (MODIFY COMMAND AS NEEDED): | CREATE A ROUTE (MODIFY COMMAND AS NEEDED): | ||
| − | /ip route add dst-address=192.168.100.0/24 gateway= | + | /ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1 |
| − | |||
| − | |||
| Line 114: | Line 109: | ||
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED): | CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED): | ||
| − | /ip firewall filter add chain=input dst-port=1194 protocol=tcp | + | # /ip firewall filter add chain=input dst-port=1194 protocol=tcp |
| − | /ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0 | + | # /ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0 |
==Referensi== | ==Referensi== | ||
* https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/ | * https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/ | ||
Revision as of 11:30, 11 January 2021
Sumber: https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/
%MikroTik Identity% HQ %Client Name% Cabang %MikroTik Local IP% 192.168.88.198 %Passphrase% 123456789
MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT
CREATE THE CERTIFICATES
/certificate add name=ca-template common-name=CA-HQ key-usage=key-cert-sign,crl-sign /certificate add name=server-template common-name=SERVER /certificate add name=client-Cabang-template common-name=client-Cabang
SIGN THE CERTIFICATES
Butuh waktu, jangan copy paste sekaligus.
/certificate sign ca-template ca-crl-host=192.168.88.198 name=CA-HQ /certificate sign ca=CA-HQ server-template name=SERVER /certificate sign ca=CA-HQ client-Cabang-template name=client-Cabang
ENABLE “TRUSTED” FOR THE CERTIFICATE AUTHORITY AND SERVER ONLY
/certificate set CA-HQ trusted=yes /certificate set SERVER trusted=yes
The Certificates window should now look similar to this screenshot.
EXPORT THE CERTIFICATES
/certificate export-certificate CA-HQ /certificate export-certificate client-Cabang export-passphrase=123456789
Ambil file menggunakan FTP
cert_export_CA-HQ.crt cert_export_client-Cabang.key cert_export_client-Cabang.crt
MIKROTIK B (CLIENT): CERTIFICATE SETUP & IMPORT
Upload file menggunakan FTP
cert_export_CA-HQ.crt cert_export_client-Cabang.key cert_export_client-Cabang.crt
IMPORT THE CERTIFICATES
/certificate import file-name=cert_export_CA-HQ.crt passphrase="" /certificate import file-name=cert_export_client-Cabang.crt passphrase=123456789 /certificate import file-name=cert_export_client-Cabang.key passphrase=123456789
MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION
IMPORT THE CERTIFICATES
/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required
CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)
/ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn
CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED)
/interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
=CREATE A ROUTE (MODIFY COMMAND AS NEEDED)
/ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2
OR Navigate to IP > Routes and create a new Route (modify settings as needed):
MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):
# /ip firewall filter add chain=input dst-port=1194 protocol=tcp # /ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.200.0/24 place-before=0
MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION
CREATE A OVPN CLIENT (MODIFY COMMAND AS NEEDED)
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=10.10.200.1 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang
OR Navigate to PPP > Interface, create a new OVPN Client:
MIKROTIK B (CLIENT): OPENVPN ROUTES CONFIGURATION
CREATE A ROUTE (MODIFY COMMAND AS NEEDED):
/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1
MIKROTIK B (CLIENT): OPENVPN FIREWALL/NAT CONFIGURATION
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):
# /ip firewall filter add chain=input dst-port=1194 protocol=tcp # /ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 place-before=0