Mikrotik: OpenVPN - Server ke PC

From OnnoWiki
Revision as of 10:49, 9 January 2021 by Onnowpurbo (talk | contribs)
Jump to navigation Jump to search

Sumber: https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/


Certificate Generate

/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
add name=client1-template common-name=client1.example.com days-valid=3650 key-size=2048 key-usage=tls-client


Certificate Sign

Proses signing akan membutuhkan waktu, harap sabar.

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
sign client1-template name=client1-certificate ca=ca-certificate

Certificate Trust

/certificate
set ca-certificate trusted=yes
set server-certificate trusted=yes

Certificate Export

/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=12345678
export-certificate client1-certificate export-passphrase=12345678

Cek bahwa sudah di generate menggunakan

/file print


Siapkan OpenVPN di Mikrotik

OpenVPN Pool Address

/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

OpenVPN user

/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
secret add name=user profile=vpn-profile password=password

OpenVPN Enable

/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes



Di sisi Client

Bisa di download ke PC / client menggunakan ftp, file yang dibutuhkan adalah

cert_export_ca-certificate.crt
cert_export_client-certificate.crt
cert_export_client-certificate.key

Nantinya bisa di rename menjadi

ca.crt, client.crt, & client.key


dengan ftp

cd /etc/openvpn/client
ftp 192.168.88.198
username admin
password 
mget *
quit


cd /etc/openvpn/client
mv cert_export_ca-certificate.crt ca.crt
mv cert_export_client1-certificate.crt client1.crt
mv cert_export_client1-certificate.key client1.key
mv cert_export_client-certificate.crt client.crt
mv cert_export_client-certificate.key client.key



Now finally we can copy both ca.crt and client.crt to C:\Program Files\OpenVPN\config\ directory alongside client.ovpn.

You don’t have client.ovpn? Well, one is in sample-config directory and we just need to change/add highlighted items:

client
dev tun
proto tcp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1 


verb 3 A bit annoying step is being asked for the private key passphrase (in the addition to username/password). Mikrotik doesn’t allow export without it but fortunately we can use OpenSSL to change that:

> openssl.exe rsa -in client.key -out client.key Enter pass phrase for client.key: 12345678 writing RSA key With this, your VPN connection should work like a charm.

PS: Do not forget to adjust firewall if necessary (TCP port 1194).

/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN" PPS: Do check SSTP guide too.

[2017-01-26: Adjusted certificate creation to work on RouterOS 6.38 and later] [2017-01-26: Changed key size to 2048 (instead of 4096) so it doesn’t take ages to generate certificates. :)] [2017-02-25: Changed example to use AES-128 for lower CPU usage on router.]

Referensi