Setting up OpenVPN on MikroTik is not very different from setting up OpenVPN on Ubuntu, which I explained in detail in the previous article.
In this article I give a quick way to set up OpenVPN on MikroTik using a script. With this MikroTik script you can generate the OpenVPN certificates much faster, which makes it a good fit if you want to run a MikroTik OpenVPN server with a large number of clients.
Equipment used:
- Tested on MikroTik RB3011
- MikroTik RouterOS 6
- MikroTik Level 5 License
OpenVPN MikroTik Step by Step Script
Copy and paste the script below into the MikroTik terminal in Winbox. Do not forget to adjust the variables in the script to match your MikroTik network topology.
Configure and Generate the OpenVPN MikroTik Certificates
# Configure the OpenVPN server and generate certificates
#
# Change the variables as needed to match your network,
# then paste the whole script into the MikroTik terminal
#
:global CN [/system identity get name]
:global PORT 1194
## generate a CA certificate
/certificate
add name=ca-template common-name="$CN" days-valid=3650 \
key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay 10
## generate a server certificate
/certificate
add name=server-template common-name="server@$CN" days-valid=3650 \
key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay 10
## create a client template
/certificate
add name=client-template common-name="client" days-valid=3650 \
key-usage=tls-client
## create IP pool
/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224
## add VPN profile
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
remote-address=VPN-POOL use-encryption=yes
## setup OpenVPN server
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
default-profile=VPN-PROFILE mode=ip netmask=24 port="$PORT" \
enabled=yes require-client-certificate=yes
## add a firewall rule
/ip firewall filter
add chain=input action=accept dst-port="$PORT" protocol=tcp \
comment="Allow OpenVPN"
add chain=input action=accept dst-port=53 protocol=udp \
src-address=192.168.252.0/24 \
comment="Accept DNS requests from VPN clients"
move [find comment="Allow OpenVPN"] 0
move [find comment="Accept DNS requests from VPN clients"] 1
## Setup complete. Do not forget to create your OpenVPN users
Firewall and NAT Rules for OpenVPN MikroTik
Do not forget to add the firewall filter and NAT rules on the MikroTik so that your OpenVPN clients can reach the internet. Here is the script:
/ip firewall filter
add chain=forward action=accept src-address=192.168.252.0/24 \
out-interface-list=WAN place-before=0
add chain=forward action=accept in-interface-list=WAN \
dst-address=192.168.252.0/24 place-before=1
/ip firewall nat
add chain=srcnat src-address=192.168.252.0/24 out-interface-list=WAN \
action=masquerade
Add an OpenVPN Server User on MikroTik
Run the script below to create an OpenVPN user on the MikroTik. You can run it repeatedly to create many OpenVPN client users by changing the USERNAME and PASSWORD variables to the client user you want to create.
# Add a new user and generate/export certs
#
# Change variables below if needed then copy the whole script
# and paste into MikroTik terminal window.
#
:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"
## add a user
/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn
## generate a client certificate
/certificate
add name=client-template-to-issue copy-from=client-template \
common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 10
## export the CA, client certificate, and private key
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"
## Done. You will find the created certificates in Files.
The next step is to download the exported certificate files for the user you just generated, install the OpenVPN Windows client and import the .ovpn file.
Set Up the OpenVPN Client
Copy the certificate files generated on the MikroTik with sftp, logging in as your RouterOS user:
sftp <router-user>@MikroTik_IP:cert_export_*
Or you can download the generated certificate files manually from the "Files" menu in Winbox.
Create the Username and Password File
Create a file with the .auth extension, with the username on the first line and the password on the second line:
user
password
Create the OpenVPN Configuration File
client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-128-CBC
auth SHA1
pull
verb 2
mute 3
# Create a file 'user.auth' with a username and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
auth-user-pass user.auth
# Copy the certificates from MikroTik and change
# the filenames below if needed
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key
# Uncomment the following line if Internet access is needed
#redirect-gateway def1
# Add routes to networks behind MikroTik
#route 192.168.88.0 255.255.255.0
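As an added example (not code from the original post), the Python script below assembles the CA, client certificate and key exported in the "Add User" step into a single inline .ovpn using the client options listed above; the file names `cert_export_<CN>.crt` and `cert_export_<user>@<CN>.crt/.key` follow the RouterOS export naming, while the export directory, username, identity name and router address are assumed to come from the command line.

```python
"""Build a single-file OpenVPN client profile from the MikroTik cert_export_* files.

Added example, not from the original post; settings mirror those on this page.
"""
import re
import sys
from pathlib import Path

PORT, CIPHER, AUTH = 1194, "AES-128-CBC", "SHA1"   # must match the ovpn-server settings
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n[A-Za-z0-9+/=\n]+-----END \1-----")


def pem_block(text: str, name: str, want: tuple) -> str:
    """Return the first PEM block in an export file, checking that its type is expected."""
    m = PEM_BLOCK.search(text)
    if not m or m.group(1) not in want:
        found = m.group(1) if m else "no PEM block"
        raise ValueError(f"{name}: expected {' or '.join(want)}, found {found}")
    return m.group(0)


def build_profile(files: dict, username: str, cn: str, host: str, auth_file: str = "") -> str:
    """files maps export file name -> contents, as downloaded from the router's Files menu."""
    ca_name, crt_name, key_name = (f"cert_export_{cn}.crt",
                                   f"cert_export_{username}@{cn}.crt",
                                   f"cert_export_{username}@{cn}.key")
    ca = pem_block(files[ca_name], ca_name, ("CERTIFICATE",))
    cert = pem_block(files[crt_name], crt_name, ("CERTIFICATE",))
    key = pem_block(files[key_name], key_name,
                    ("ENCRYPTED PRIVATE KEY", "PRIVATE KEY", "RSA PRIVATE KEY"))
    lines = ["client", "dev tun", "proto tcp-client", f"remote {host} {PORT}",
             "nobind", "persist-key", "persist-tun", f"cipher {CIPHER}", f"auth {AUTH}",
             "pull", "verb 2", "mute 3"]
    # Without a .auth file OpenVPN prompts for the PPP secret instead of reading it from disk.
    lines.append(f"auth-user-pass {auth_file}".rstrip())
    if key.startswith("-----BEGIN ENCRYPTED"):
        # export-passphrase on the router encrypted the key, so the client will ask for it too.
        lines.append("# private key is protected by the export-passphrase set on the router")
    lines += [f"<ca>\n{ca}\n</ca>", f"<cert>\n{cert}\n</cert>", f"<key>\n{key}\n</key>"]
    return "\n".join(lines) + "\n"


def main(export_dir: str, username: str, cn: str, host: str) -> None:
    """Read cert_export_* from export_dir and write <username>.ovpn in the current directory."""
    files = {p.name: p.read_text() for p in Path(export_dir).glob("cert_export_*")}
    Path(f"{username}.ovpn").write_text(build_profile(files, username, cn, host))


if __name__ == "__main__":   # python build_ovpn.py ./exports user MikroTik MikroTik_IP
    main(*sys.argv[1:5])
```

Because the user script exports the key with export-passphrase="$PASSWORD", the .key file is encrypted and the OpenVPN client asks for that passphrase in addition to the PPP username and password.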
Script to Delete an OpenVPN MikroTik User
# Delete a user and revoke his certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#
:global CN [/system identity get name]
:global USERNAME "user"
## delete a user
/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]
## revoke a client certificate
/certificate
issued-revoke [find name="$USERNAME@$CN"]
## Done.
Revert the OpenVPN MikroTik Configuration
## Revert OpenVPN configuration
/interface ovpn-server server
set enabled=no default-profile=default port=1194
/ip pool
remove [find name=VPN-POOL]
/ppp secret
remove [find profile=VPN-PROFILE]
/ppp profile
remove [find name=VPN-PROFILE]
/ip firewall filter
remove [find comment="Allow OpenVPN"]
remove [find comment="Accept DNS requests from VPN clients"]
/certificate
## delete the certificates manually
That is the OpenVPN MikroTik server script. I hope it helps those of you who need a quick way to create OpenVPN client users on MikroTik. Have fun trying it out.