Setting OpenVPN Site to Site OPNsense and MikroTik – GNS3 LAB57

  • OPNsense: OpenVPN Server
  • OPNsense WAN: 220.10.10.10/24
  • OPNsense LAN: 192.168.1.1/24
  • OPNsense OPT1: 192.168.2.1/24
  • OPNsense Gateway: 220.10.10.1
  • OPNsense OpenVPN: 10.10.10.0/24
  • MikroTik: OpenVPN Client
  • MikroTik WAN interface: 220.20.20.20/24
  • MikroTik LAN interface: 192.168.88.1/24
  • MikroTik Gateway: 220.20.20.1
  • Web server: 192.168.1.100/24
  • User-Y: 192.168.2.11/24
  • User-X: 192.168.88.20

Configuring OPNsense

  • Set the OPNsense interface addresses
  • Log in to the OPNsense dashboard > Interfaces > LAN / WAN
  • LAN > uncheck Block private networks and Block bogon networks > IPv4 Configuration Type: Static IPv4 > IPv4 address: 192.168.1.1 /24 > IPv4 Upstream Gateway: Auto-detect > Save
  • WAN > check Block private networks and Block bogon networks > IPv4 Configuration Type: Static IPv4 > IPv4 address: 220.10.10.10 /24 > IPv4 Upstream Gateway: 220.10.10.1 > Save (the lab WAN addresses are not RFC 1918 space, so the block rules do not get in the way; if you rebuild the lab with private WAN addresses, leave Block private networks unchecked on WAN or the MikroTik's connection attempts will be dropped)
  • Add a Certificate Authority
  • System > Trust > Authorities > Add (+)
  • Descriptive name: OPNsense-CA > Method: Create an internal Certificate Authority
  • Key type: RSA > Key length: 2048 > Digest algorithm: SHA1 > Lifetime (days): 1000
  • Country code: ID (Indonesia) > State: DKI Jakarta > City: Jakarta Pusat > Organization: SYS-OPS.ID > Email: [email protected] > Common Name: opnsense-ca > Save
  • SHA1 is what this lab used. Pick SHA256 for the CA and for both certificates below: OpenSSL 3, which current OPNsense releases ship, rejects SHA1-signed certificates in the TLS handshake at its default security level, so the MikroTik would be refused at connect time. The key length and lifetime are fine for a lab.
  • Add the certificates
  • System > Trust > Certificates > Add (+)
  • Server certificate
  • Method: Create an internal Certificate > Descriptive name: OPNsense-cert
  • Certificate authority: OPNsense-CA > Type: Server Certificate > Key type: RSA > Key length: 2048 > Digest algorithm: SHA1 > Lifetime (days): 1000 > Private key location: Save on this firewall
  • Common Name: opnsense > Save
  • – – –
  • Client certificate
  • Method: Create an internal Certificate > Descriptive name: MikroTik-cert
  • Certificate authority: OPNsense-CA > Type: Client Certificate > Key type: RSA > Key length: 2048 > Digest algorithm: SHA1 > Lifetime (days): 1000 > Private key location: Save on this firewall (the client key is generated and kept on OPNsense so that it can be exported in the .p12 below; the firewall therefore holds a copy of the MikroTik's private key)
  • Common Name: mikrotik > Save
  • Add a WAN firewall rule that allows the OpenVPN port, 1194
  • Firewall > Rules > WAN > Add (+)
  • Action: Pass > Interface: WAN > Direction: in > TCP/IP Version: IPv4 > Protocol: TCP/UDP > Source: any > Destination: any > Destination port range: from: OpenVPN to: OpenVPN > Save (the server below listens on TCP only, so Protocol: TCP and Destination: WAN address are enough and expose less; if only the MikroTik should be able to connect, set Source to 220.20.20.20)

  • Add the OpenVPN server
  • VPN > OpenVPN > Servers > Add (+)
  • Description: OpenVPN-OPNsense > Server mode: Peer to Peer (SSL/TLS) > Protocol: TCP > Device mode: tun > Interface: WAN > Local port: 1194
  • TLS Authentication: Disabled > Peer Certificate Authority: OPNsense-CA > Peer Certificate Revocation: None > Server Certificate: OPNsense-cert (OPNsense-CA)
  • Encryption algorithm: AES-256-CBC (256 bit key, 128 bit block) > Auth Digest Algorithm: SHA1 (160 bit) > Certificate Depth: One (Client+Server)
  • IPv4 Tunnel Network: 10.10.10.0/24 (OpenVPN addresses) > IPv4 Local Network: 192.168.1.0/24 (OPNsense LAN) > IPv4 Remote Network: 192.168.88.0/24 (MikroTik LAN) > Compression: No Preference > Address Pool: checked > Save
  • TCP, no TLS authentication and no compression are dictated by the client side: the RouterOS 6 OVPN client supports neither UDP, tls-auth nor LZO compression (RouterOS 7 adds UDP). Without tls-auth the listener completes a TLS handshake with anyone who reaches port 1194, so the client certificate check against OPNsense-CA is the only gate; that is the reason to keep the WAN rule as narrow as possible.
  • Add the OpenVPN routing so that the OPNsense LAN and the MikroTik LAN can reach each other
  • VPN > OpenVPN > Client Specific Overrides > Add (+)
  • Servers: OpenVPN-OPNsense (1194/TCP) > Common Name: mikrotik > Advanced: iroute 0.0.0.0 0.0.0.0 > Save
  • The iroute tells the OpenVPN process which connected client owns a network behind the tunnel; the IPv4 Remote Network on the server only adds the kernel route towards the tun interface, and without a matching iroute packets from 192.168.88.x are dropped as coming from a bad source address. The catch-all iroute above works because this lab has a single client, but it claims every non-tunnel destination for that client. The exact form is iroute 192.168.88.0 255.255.255.0, which is also what the override's IPv4 Remote Network field (192.168.88.0/24) generates, and it is what you need as soon as a second site connects.
  • Export the client certificate as .p12 (MikroTik-cert)
  • System > Trust > Certificates > MikroTik-cert > Export CA+user cert+user key in .p12 (set an export password if your OPNsense version asks for one; the file carries the client's private key, so remove it from the workstation once it has been imported into the MikroTik)

Configuring MikroTik

  • Log in to the MikroTik with Winbox
  • Import the client certificate
  • Files > copy/paste (or drag and drop) the MikroTik-cert.p12 file into the MikroTik file list
  • System > Certificates > Import > Name: mikrotik > File name: MikroTik-cert.p12 > Import (the bundle also contains the OPNsense-CA certificate, which is imported as a separate entry; the entry carrying the K flag is the client certificate with its private key)
  • IP > Addresses > Add (+)
  • 220.20.20.20/24 on interface ether2 (WAN) > 192.168.88.1/24 on interface ether3 (LAN), plus a default route to 220.20.20.1 under IP > Routes
  • Add the OpenVPN client
  • PPP > Add (+) > OVPN Client
  • Name: OpenVPN > Connect To: 220.10.10.10 (OPNsense WAN IP) > Port: 1194 > Mode: ip > User: sys-ops.id (any value; the field must not be empty, and the server ignores it in Peer to Peer (SSL/TLS) mode) > Profile: default-encryption > Certificate: mikrotik > Auth: sha1 > Cipher: aes 256 > Use Peer DNS: yes > OK
  • Verify Server Certificate is off by default in the OVPN Client dialog, which means the MikroTik accepts whatever certificate the far end presents. Tick it and mark the imported opnsense-ca entry as Trusted (System > Certificates) so the client only connects to a server whose certificate chains to OPNsense-CA.
  • Add a static route to reach the OPT1 LAN (192.168.2.0/24)
  • IP > Routes > Add (+) > Dst. Address: 192.168.2.0/24 > Gateway: OpenVPN > OK (192.168.1.0/24 is pushed by the server because it is listed as IPv4 Local Network; listing 192.168.2.0/24 there as well would push it too, the static route just keeps the routing visible on the client)
  • Make sure the OpenVPN client status shows Connected (R flag) and that it receives an address from the server's 10.10.10.0/24 tunnel network
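
As an added example, not part of the original post: the same MikroTik steps as RouterOS terminal commands (RouterOS 6 syntax, also accepted by RouterOS 7), followed by a status check. The interface names ether2/ether3, the addresses and the certificate names come from the lab above; the passphrase prompt on import is an assumption about how the .p12 was exported, and the two verify-server-certificate lines are a hardening step that the Winbox walkthrough leaves at its defaults.

```routeros
# Added example, not taken from the original page: RouterOS 6 CLI equivalent of the
# Winbox steps (RouterOS 7 accepts the same commands and additionally offers
# protocol=udp on the ovpn-client).

# 1. Import the bundle exported from OPNsense (upload MikroTik-cert.p12 to Files first).
#    The .p12 holds CA + client cert + key, so the import creates one entry per object;
#    the client certificate is the entry carrying the K (private key) flag.
#    Assumption: the terminal prompts for the passphrase; press Enter if none was set
#    at export, or add passphrase=... to the command.
/certificate import file-name=MikroTik-cert.p12 name=mikrotik
/certificate print

# Hardening beyond the page: trust the imported OPNsense CA so the client can verify
# the server certificate (CN opnsense-ca is the CA created in the OPNsense steps).
/certificate set [find common-name="opnsense-ca"] trusted=yes

# 2. Addressing as in the topology: WAN on ether2, LAN on ether3, default route to the
#    upstream gateway.
/ip address add address=220.20.20.20/24 interface=ether2 comment="WAN"
/ip address add address=192.168.88.1/24 interface=ether3 comment="LAN"
/ip route add dst-address=0.0.0.0/0 gateway=220.20.20.1 comment="default via upstream"

# 3. OVPN client. user= must be non-empty but is ignored by a Peer to Peer (SSL/TLS)
#    server; the certificate does the authentication. verify-server-certificate
#    defaults to no, which lets any host answering on 220.10.10.10:1194 with some
#    certificate terminate the tunnel; yes is the hardening beyond the page.
/interface ovpn-client add name=OpenVPN connect-to=220.10.10.10 port=1194 mode=ip \
    user=sys-ops.id profile=default-encryption certificate=mikrotik \
    auth=sha1 cipher=aes256 use-peer-dns=yes add-default-route=no \
    verify-server-certificate=yes

# 4. Route to the OPT1 network through the tunnel. 192.168.1.0/24 is pushed by the
#    server (IPv4 Local Network); if /ip route print shows no D (dynamic) route for it
#    after connecting, add it the same way.
/ip route add dst-address=192.168.2.0/24 gateway=OpenVPN comment="OPNsense OPT1 via VPN"

# 5. Check the tunnel: running state, tunnel address from the 10.10.10.0/24 pool,
#    negotiated cipher/auth, and reachability of the web server. Connection failures
#    land in the ovpn log topic.
:delay 5s
:if ([/interface ovpn-client get [find name=OpenVPN] running]) do={
    :put ("OpenVPN up, tunnel address " . [/ip address get [find interface=OpenVPN] address])
    /interface ovpn-client monitor OpenVPN once
    /ping 192.168.1.100 count=3
} else={
    :put "OpenVPN not connected"
    /log print where topics~"ovpn"
}
```

If `verify-server-certificate=yes` makes the connection fail, the usual cause is that the CA entry from the import is not marked trusted, or that the server certificate's digest is one the client refuses; `/log print where topics~"ovpn"` names the reason.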

Testing

  • Access the web server and ping the OPNsense LANs from User-X
  • ping 192.168.1.100 (web server IP) > reachable
  • ping 192.168.2.11 (User-Y IP) > reachable
  • Ping 192.168.88.20 from the web server > reachable
  • Ping 192.168.88.20 from User-Y > reachable
  • If the tunnel is up but these pings fail, look at Firewall > Rules > OpenVPN on OPNsense first: traffic arriving from the tunnel is filtered on that interface group and OPNsense does not add a pass rule there automatically; a rule passing 192.168.88.0/24 to 192.168.1.0/24 and 192.168.2.0/24 is all this lab needs.
  • Check the connection status on the OpenVPN server
  • VPN > OpenVPN > Connection Status (the mikrotik common name should be listed with its virtual address from 10.10.10.0/24 and its real address 220.20.20.20)

herdiana3389

A system administrator with skills in system administration, virtualization, linux, windows, networking, cloud computing, container, etc.