Mikrotik: OpenVPN - Site to Site
Revision as of 11:32, 11 January 2021 by Onnowpurbo
Source: https://www.marthur.com/networking/mikrotik-setup-a-site-to-site-openvpn-connection/314/
Values used in this page:
%MikroTik Identity%: HQ
%Client Name%: Cabang
%MikroTik Local IP%: 192.168.88.198
%Passphrase%: 123456789
MIKROTIK A (SERVER): CERTIFICATE SETUP & EXPORT
CREATE THE CERTIFICATES
/certificate add name=ca-template common-name=CA-HQ key-usage=key-cert-sign,crl-sign
/certificate add name=server-template common-name=SERVER
/certificate add name=client-Cabang-template common-name=client-Cabang
SIGN THE CERTIFICATES
Signing takes time; run the three commands one at a time rather than pasting them all at once.
/certificate sign ca-template ca-crl-host=192.168.88.198 name=CA-HQ
/certificate sign ca=CA-HQ server-template name=SERVER
/certificate sign ca=CA-HQ client-Cabang-template name=client-Cabang
ENABLE “TRUSTED” FOR THE CERTIFICATE AUTHORITY AND SERVER ONLY
/certificate set CA-HQ trusted=yes
/certificate set SERVER trusted=yes
The Certificates window should now look similar to this screenshot.
EXPORT THE CERTIFICATES
/certificate export-certificate CA-HQ
/certificate export-certificate client-Cabang export-passphrase=123456789
Retrieve the exported files from the router using FTP:
cert_export_CA-HQ.crt
cert_export_client-Cabang.key
cert_export_client-Cabang.crt
MIKROTIK B (CLIENT): CERTIFICATE SETUP & IMPORT
Upload the files to the client router using FTP:
cert_export_CA-HQ.crt
cert_export_client-Cabang.key
cert_export_client-Cabang.crt
IMPORT THE CERTIFICATES
/certificate import file-name=cert_export_CA-HQ.crt passphrase=""
/certificate import file-name=cert_export_client-Cabang.crt passphrase=123456789
/certificate import file-name=cert_export_client-Cabang.key passphrase=123456789
MIKROTIK A (SERVER): OPENVPN PPP CONFIGURATION
CREATE A PPP PROFILE (MODIFY COMMAND AS NEEDED)
/ppp profile add name=openvpn local-address=10.10.200.1 remote-address=10.10.200.2 change-tcp-mss=yes use-compression=no use-encryption=required
CREATE A PPP SECRET (MODIFY COMMAND AS NEEDED)
/ppp secret add name=Cabang password=123456789 profile=openvpn service=ovpn
CONFIGURE THE OVPN SERVER (MODIFY COMMAND AS NEEDED)
# cipher= lists every cipher a client may negotiate; blowfish128 is a legacy 64-bit-block cipher,
# so drop it from the list unless an old client still needs it (the client below uses aes256)
/interface ovpn-server server set certificate=SERVER cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn enabled=yes require-client-certificate=yes
CREATE A ROUTE (MODIFY COMMAND AS NEEDED)
/ip route add dst-address=192.168.200.0/24 gateway=10.10.200.2
OR Navigate to IP > Routes and create a new Route (modify settings as needed):
MIKROTIK A (SERVER): OPENVPN FIREWALL/NAT CONFIGURATION
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):
# the input rule must sit above any drop rule in the input chain; place-before=0 puts the NAT
# bypass ahead of the masquerade rule so site-to-site traffic keeps its source addresses
/ip firewall filter add chain=input dst-port=1194 protocol=tcp action=accept
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.200.0/24 action=accept place-before=0
MIKROTIK B (CLIENT): OPENVPN PPP CONFIGURATION
CREATE A OVPN CLIENT (MODIFY COMMAND AS NEEDED)
Example from the source article (different site names and addresses):
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=71.157.75.49 mac-address=02:2F:03:6C:10:59 name=ovpn-Texas password=NyTx325 profile=default-encryption user=NewYork
Command for this setup:
# connect-to must be an address of the HQ router that is reachable before the tunnel exists
# (here its local IP 192.168.88.198); the tunnel address 10.10.200.1 only exists once the tunnel is up
/interface ovpn-client add certificate=cert_export_client-Cabang.crt_0 cipher=aes256 connect-to=192.168.88.198 name=ovpn-ke-HQ password=123456789 profile=default-encryption user=Cabang
OR Navigate to PPP > Interface, create a new OVPN Client:
MIKROTIK B (CLIENT): OPENVPN ROUTES CONFIGURATION
CREATE A ROUTE (MODIFY COMMAND AS NEEDED):
/ip route add dst-address=192.168.100.0/24 gateway=10.10.200.1
MIKROTIK B (CLIENT): OPENVPN FIREWALL/NAT CONFIGURATION
CREATE THE FIREWALL FILTER AND NAT BYPASS RULES (MODIFY COMMAND AS NEEDED):
# as on the server: accept the OpenVPN port above any drop rule, and place the NAT bypass ahead of masquerade
/ip firewall filter add chain=input dst-port=1194 protocol=tcp action=accept
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.100.0/24 action=accept place-before=0
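The route and NAT bypass rules on the two routers have to mirror each other: each router needs a route to the other side's LAN via the other side's tunnel address, and a srcnat accept rule from its own LAN to the peer LAN placed before masquerade. As written above, the server side treats the branch LAN as 192.168.200.0/24 while the client's NAT bypass uses 192.168.88.0/24, so one side will still masquerade or drop branch traffic. The following checker is an added example, not part of the page or of RouterOS; it models the PPP tunnel addresses, /ip route entries and srcnat bypass rules of both routers with the page's values (the branch LAN is assumed to be 192.168.200.0/24, as the server commands imply) and reports every mismatch, then shows the corrected client rule passing.

```python
"""Consistency check for a two-router OpenVPN site-to-site configuration.

Added example, not from the original page or from RouterOS. It checks the
pieces that must agree across both routers (tunnel addresses, /ip route,
srcnat bypass) and reports mismatches that would leave traffic unrouted
or NATed inside the tunnel.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Router:
    name: str
    lan: str            # LAN behind this router, e.g. "192.168.100.0/24"
    tunnel_local: str   # this router's end of the tunnel (PPP local-/remote-address)
    tunnel_peer: str    # the other router's end of the tunnel
    routes: list        # (dst-address, gateway) pairs from /ip route
    nat_bypass: list    # (src-address, dst-address) pairs from the srcnat accept rule


def check_site_to_site(a: Router, b: Router) -> list:
    """Return human-readable problems; an empty list means both sides agree."""
    problems = []
    nets = {}
    for r in (a, b):
        try:
            nets[r.name] = ipaddress.ip_network(r.lan, strict=True)
        except ValueError as exc:
            problems.append(f"{r.name}: bad LAN {r.lan!r} ({exc})")
    if len(nets) < 2:
        return problems
    if nets[a.name].overlaps(nets[b.name]):
        problems.append(f"LANs {a.lan} and {b.lan} overlap; routing between them is ambiguous")
    for me, peer in ((a, b), (b, a)):
        # both routers must agree on who owns which tunnel address
        if me.tunnel_peer != peer.tunnel_local:
            problems.append(f"{me.name}: expects peer {me.tunnel_peer} but {peer.name} uses {peer.tunnel_local}")
        # traffic for the peer LAN must be routed into the tunnel via the peer's tunnel address
        want_route = (peer.lan, peer.tunnel_local)
        if want_route not in me.routes:
            problems.append(f"{me.name}: missing /ip route dst-address={peer.lan} gateway={peer.tunnel_local}")
        # the NAT bypass must be exactly own LAN -> peer LAN, otherwise masquerade still applies
        want_nat = (me.lan, peer.lan)
        if want_nat not in me.nat_bypass:
            problems.append(f"{me.name}: missing srcnat bypass src-address={me.lan} dst-address={peer.lan}")
        for src, dst in me.nat_bypass:
            if (src, dst) != want_nat:
                problems.append(f"{me.name}: srcnat bypass {src} -> {dst} does not match {me.lan} -> {peer.lan}")
    return problems


# Values taken from the commands on this page. The page never states the branch LAN
# explicitly; the server-side route and NAT rule assume 192.168.200.0/24, used here.
HQ = Router("HQ", lan="192.168.100.0/24",
            tunnel_local="10.10.200.1", tunnel_peer="10.10.200.2",
            routes=[("192.168.200.0/24", "10.10.200.2")],
            nat_bypass=[("192.168.100.0/24", "192.168.200.0/24")])

CABANG_AS_WRITTEN = Router("Cabang", lan="192.168.200.0/24",
                           tunnel_local="10.10.200.2", tunnel_peer="10.10.200.1",
                           routes=[("192.168.100.0/24", "10.10.200.1")],
                           nat_bypass=[("192.168.88.0/24", "192.168.100.0/24")])

# Same router with the NAT bypass source corrected to the branch LAN (constructed fix).
CABANG_FIXED = Router("Cabang", lan="192.168.200.0/24",
                      tunnel_local="10.10.200.2", tunnel_peer="10.10.200.1",
                      routes=[("192.168.100.0/24", "10.10.200.1")],
                      nat_bypass=[("192.168.200.0/24", "192.168.100.0/24")])

if __name__ == "__main__":
    for label, branch in (("as written", CABANG_AS_WRITTEN), ("fixed", CABANG_FIXED)):
        found = check_site_to_site(HQ, branch)
        print(f"[{label}] {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

The check is deliberately strict about the NAT bypass: a rule whose source does not cover the real LAN is reported even though it is harmless on its own, because the masquerade rule below it will then rewrite tunnel traffic and the far side sees only the tunnel address.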