Setting an OpenVPN on Linux and MikroTik to securely access a web server
![Page 1: Setting an OpenVPN on Linux and MikroTik to securely ... · Setting an OpenVPN on Linux and MikroTik to securely access a web server Teddy Yuliswar MikroTik Certified Trainer #TR0442](https://reader030.fdocuments.in/reader030/viewer/2022040103/5d58080188c993f35b8b5620/html5/thumbnails/1.jpg)
Teddy Yuliswar, MikroTik Certified Trainer #TR0442
Indonetworkers.com Training Center (ITC)
Jl. S. Parman No. 189 B, Ulak Karang Utara, Padang, West Sumatera, Indonesia
Indonetworkers.com/training
Case
1. We want a web-based application on a server that can only be reached by office employees and our branch offices (it must not be reachable from the public Internet), or
2. We want to manage client routers that have no public IP through a single web-based application.
Problem
Neither the Head Office nor the Branch has a dedicated Internet connection, for example:
1. The ISP hands out a dynamic Internet IP
2. The site sits behind a NAT router and has no public IP
What do we need to solve this problem?
What are the steps?
What is OpenVPN?
Symmetric Encryption
Example Symmetric Encryption
• Blowfish, AES, RC4, DES, RC5, and RC6 (RC4 and DES are broken and should no longer be used)
• The most widely used today: AES-128, AES-192, and AES-256.
Asymmetric Encryption
Example Asymmetric Encryption
Mostly used in everyday communication channels, especially over the Internet. Popular asymmetric-key schemes: ElGamal, RSA, DSA, elliptic-curve techniques, PKCS (a family of public-key standards rather than a single algorithm)
Why OpenVPN?
| | OpenVPN | PPTP | L2TP/IPsec | SSTP | IKEv2/IPsec |
|---|---|---|---|---|---|
| Encryption | 160-bit, 256-bit | 128-bit | 256-bit | 256-bit | 256-bit |
| Security | Very high | Weak | High security (might be weakened by NSA) | High | High |
| Speed | Fast | Speedy, due to low encryption | Medium, due to double encapsulation | Fast | Very fast |
| Stability | Very stable | Very stable | Stable | Very stable | Very stable |
| Compatibility | Strong desktop support, but mobile could be improved. Requires third-party software. | Strong Windows desktop support. | Multiple device and platform support. | Windows platform, but works on other Linux distributions. | Limited platform support beyond Windows and Blackberry |
| Final Word | Most recommended choice. Fast and secure. | Native on Windows. Weak security. Useful for geo-restricted content. | Versatile and secure. A decent alternative to OpenVPN. | Faster and more secure alternative to PPTP and L2TP. | Secure, stable, and mobile-oriented. |

Source: https://thebestvpn.com/pptp-l2tp-openvpn-sstp-ikev2-protocols/
OpenVPN uses SSL/TLS
SSL and TLS
• Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are universally accepted standards for authenticated and encrypted communication between clients and servers.
• SSL/TLS uses a combination of public-key and symmetric-key encryption
• OpenVPN uses SSL/TLS with a Public Key Infrastructure: certificates and public-key cryptography authenticate the server (and the client) and agree a session key, and that symmetric session key (AES) is what encrypts the tunnel data. The public key itself travels in the clear inside the certificate; AES protects the data, not the public key.
So the process is, Server side:
1. Hold a public/private key pair, with the public key in a certificate signed by the CA
2. Send the certificate (public key) to the client during the TLS handshake
3. Agree a symmetric session key with the client through the public-key exchange
4. Encrypt the data with the symmetric session key (AES)
5. Attach a hash-based MAC (SHA; MD5 should no longer be used) to each record and send the encrypted data together with its MAC

Client side:
1. Receive the certificate, the key-exchange messages and the encrypted data with their MACs
2. Verify the certificate against the CA, then derive the same session key
3. Check data integrity with the MAC
4. Decrypt the data with the session key derived in point 2
5. Finish
Data communication, now and in the future, almost certainly uses:
1. Public Key Infrastructure for authentication and for agreeing the session key
2. Symmetric encryption (AES) for the data itself
3. Hashing (HMAC) for data integrity checking
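The three-step exchange described above, carried out by hand with the openssl command-line tool. This is an added example, not code from the original slides: ephemeral ECDH key agreement stands in for the public-key step, AES-256-CBC for the symmetric step and HMAC-SHA256 for the integrity hash. The key derivation (hashing the shared secret) is a toy stand-in for the TLS PRF/HKDF, the message text is constructed, and the working-directory argument is this script's own convention.

```sh
#!/bin/sh
# Added example (not from the slides): the three steps of the TLS-style exchange
# done by hand with openssl. Public-key agreement -> shared secret, symmetric AES
# for the data, HMAC-SHA256 for integrity. Toy KDF; this is not a real TLS handshake.
set -eu

# Last whitespace-separated field of "openssl dgst" output, i.e. the hex digest.
hexdigest() { awk '{print $NF}'; }

# ECDH: own private key + peer public key -> 256-bit shared key (hex).
ecdh_key() {
  openssl pkeyutl -derive -inkey "$1" -peerkey "$2" | openssl dgst -sha256 | hexdigest
}

# Toy KDF: a separate MAC key derived from the shared key (TLS uses a PRF/HKDF).
mac_key_from() { printf '%s:mac' "$1" | openssl dgst -sha256 | hexdigest; }

# HMAC-SHA256 over file $2 with hex key $1.
hmac_file() { openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" "$2" | hexdigest; }

# Client: agreed key, iv, ciphertext file, received MAC -> prints plaintext, or fails.
client_receive() {
  expected=$(hmac_file "$(mac_key_from "$1")" "$3")
  # (plain string compare is fine for a demo; real code compares in constant time)
  [ "$expected" = "$4" ] || { echo "MAC mismatch: data rejected" >&2; return 2; }
  openssl enc -d -aes-256-cbc -K "$1" -iv "$2" -in "$3"
}

# Run the whole exchange under directory $1 and print what the client decrypted.
# Non-zero exit if key agreement or MAC verification fails.
hybrid_exchange() {
  dir="$1"; mkdir -p "$dir"

  # 1. Public-key step: each side makes an ephemeral P-256 key pair and sends only
  #    the public half (in TLS the server's half is authenticated by its certificate).
  for side in server client; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$dir/$side.key"
    openssl pkey -in "$dir/$side.key" -pubout -out "$dir/$side.pub"
  done
  k_server=$(ecdh_key "$dir/server.key" "$dir/client.pub")
  k_client=$(ecdh_key "$dir/client.key" "$dir/server.pub")
  [ "$k_server" = "$k_client" ] || { echo "key agreement failed" >&2; return 1; }

  # 2. Symmetric step (server side): AES-256-CBC with the agreed key and a fresh IV.
  #    Constructed sample payload.
  printf 'GET /intranet/ from head office' > "$dir/plain.txt"
  iv=$(openssl rand -hex 16)
  openssl enc -aes-256-cbc -K "$k_server" -iv "$iv" -in "$dir/plain.txt" -out "$dir/ct.bin"

  # 3. Integrity (server side): HMAC over the ciphertext, sent alongside it.
  mac=$(hmac_file "$(mac_key_from "$k_server")" "$dir/ct.bin")

  # Client side: verify the MAC first, then decrypt with the same agreed key.
  client_receive "$k_client" "$iv" "$dir/ct.bin" "$mac"
}

# Tamper test: truncate the ciphertext; the client must refuse it (returns 0 if refused).
tamper_test() {
  dir="$1"
  k=$(ecdh_key "$dir/client.key" "$dir/server.pub")
  mac=$(hmac_file "$(mac_key_from "$k")" "$dir/ct.bin")
  head -c 16 "$dir/ct.bin" > "$dir/ct_tampered.bin"
  if client_receive "$k" 00000000000000000000000000000000 "$dir/ct_tampered.bin" "$mac" >/dev/null 2>&1; then
    return 1   # tampered data was accepted: bad
  fi
  return 0
}

if [ $# -gt 0 ]; then
  hybrid_exchange "$1" && echo && tamper_test "$1" && echo "tampered ciphertext rejected"
fi
```

Run it as `sh hybrid.sh /tmp/demo`: the client prints the decrypted request, and the tamper test shows why the integrity check comes before decryption.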
OpenVPN on MikroTik RouterOS (screenshots): Server | Client
Network Topology (diagram): the Head Office (Kantor Pusat) LAN hosts the Web Server behind the OpenVPN Server; two branch OpenVPN Clients reach it over the Internet.
* On the MikroTik OpenVPN server there must be a static public IP, or, if the IP is dynamic, enable IP Cloud (MikroTik's DDNS) so the clients can reach it by name.
Network Topology (diagram): three OpenVPN Clients connect over the Internet to a VPS that runs the Web Server + OpenVPN Server.
Network Topology (diagram): three OpenVPN Clients on LTE/4G Internet connections (no public IP) connect to a VPS running the Web Server + OpenVPN Server.
VPS (screenshot of the server: a version 7 system, matching the EPEL 7 packages below)
Configuration

```sh
yum update -y
# EPEL supplies the openvpn package. The slide fetched the release RPM over plain
# http; use https (or simply "yum install epel-release") and let rpm/yum verify the signature.
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -ivh epel-release-latest-7.noarch.rpm
yum install openvpn openssl

openssl dhparam -out /etc/openvpn/dh.pem 2048

# CA key and self-signed CA certificate (365 days: every certificate it signs dies with it)
openssl genrsa -out /etc/openvpn/ca.key 2048
chmod 600 /etc/openvpn/ca.key
openssl req -new -key /etc/openvpn/ca.key -out /etc/openvpn/ca.csr -subj /CN=OpenVPN-CA/
openssl x509 -req -in /etc/openvpn/ca.csr -out /etc/openvpn/ca.crt -signkey /etc/openvpn/ca.key -days 365
echo 01 > /etc/openvpn/ca.srl
```
```sh
# Server certificate, signed by the CA
openssl genrsa -out /etc/openvpn/server.key 2048
chmod 600 /etc/openvpn/server.key
openssl req -new -key /etc/openvpn/server.key -out /etc/openvpn/server.csr -subj /CN=OpenVPN/
openssl x509 -req -in /etc/openvpn/server.csr -out /etc/openvpn/server.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 365

# Client certificate, signed by the CA. The slide used -days 36525 (100 years), but the CA
# certificate above expires after 365 days and the chain fails with it, so keep leaf lifetimes
# within the CA's. Issue one certificate per router rather than one shared "client" certificate.
openssl genrsa -out /etc/openvpn/client.key 2048
chmod 600 /etc/openvpn/client.key
openssl req -new -key /etc/openvpn/client.key -out /etc/openvpn/client.csr -subj /CN=OpenVPN-Client/
openssl x509 -req -in /etc/openvpn/client.csr -out /etc/openvpn/client.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 365
```
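The same CA/server/client steps with the X.509 v3 extensions OpenVPN expects (CA:TRUE on the CA, serverAuth and clientAuth on the leaves), followed by the chain check a practitioner runs before copying anything to a router. This is an added example, not the slides' own commands: it builds into whatever directory it is given instead of /etc/openvpn so it can be tried without root, the lifetimes and the per-branch common name are this script's choices, and the extension profiles are written inline.

```sh
#!/bin/sh
# Added example (not from the slides): the slide's CA/server/client steps with
# the X.509 v3 extensions OpenVPN expects, then a chain check. Works in any
# directory, so it can be tried without root; copy the results to /etc/openvpn.
set -eu

# Write the three extension profiles (openssl x509 -extfile format) into $1.
write_ext_profiles() {
  cat > "$1/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$1/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  cat > "$1/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Issue a CA-signed certificate: dir, file stem, CN, extension profile, days.
issue_cert() {
  dir="$1"; stem="$2"; cn="$3"; ext="$4"; days="$5"
  openssl genrsa -out "$dir/$stem.key" 2048 2>/dev/null
  chmod 600 "$dir/$stem.key"
  openssl req -new -key "$dir/$stem.key" -out "$dir/$stem.csr" -subj "/CN=$cn/"
  openssl x509 -req -in "$dir/$stem.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAserial "$dir/ca.srl" -days "$days" -extfile "$dir/$ext" \
    -out "$dir/$stem.crt" 2>/dev/null
}

# Build the whole PKI under $1; returns 0 only if the chain verifies.
build_pki() {
  dir="$1"
  mkdir -p "$dir"; chmod 700 "$dir"
  write_ext_profiles "$dir"

  # CA key and self-signed v3 CA certificate. The slides give the CA 365 days and
  # the client 36525: the client cert is useless once the CA expires, so give the
  # CA the longest lifetime and keep leaf lifetimes inside it.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  chmod 600 "$dir/ca.key"
  openssl req -new -key "$dir/ca.key" -out "$dir/ca.csr" -subj /CN=OpenVPN-CA/
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  echo 01 > "$dir/ca.srl"

  issue_cert "$dir" server OpenVPN server.ext 365
  # One certificate per branch router, not one shared "client" cert: the CN is
  # what the server logs and what you revoke when a router is lost.
  issue_cert "$dir" client-branch1 OpenVPN-Client-Branch1 client.ext 365

  # Checks: the chain verifies, and the server cert carries serverAuth so clients
  # can use 'remote-cert-tls server' to refuse a stolen client cert posing as the server.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client-branch1.crt" >/dev/null
  openssl x509 -in "$dir/server.crt" -noout -purpose | grep -q '^SSL server : Yes'
}

if [ $# -gt 0 ]; then
  build_pki "$1" && echo "PKI built and verified in $1"
fi
```

Run as `sh build-pki.sh ./pki`; the ca.crt, client-branch1.crt and client-branch1.key files are what get imported on the MikroTik client, and the same `openssl verify` line is the first thing to re-run when a router suddenly refuses to connect.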
nano /etc/openvpn/server.conf

```
port 1194
proto tcp                   # RouterOS 6 OVPN clients speak TCP only (UDP arrived in RouterOS 7)
dev tun1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret
dh /etc/openvpn/dh.pem
#client-config-dir /etc/openvpn/ccd
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client            # branches can reach each other's tunnel addresses, not only the server
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"   # slide reads "def"; the real flag is def1. Sends ALL client traffic through the VPN
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn                # lets many routers share one client certificate; one certificate per router is safer
keepalive 10 120
cipher AES-256-CBC
;comp-lzo                   # compression stays disabled
user nobody
group nobody
persist-tun
status openvpn-status.log
verb 3
```
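A small audit of a server.conf for the directives that matter in this branch-router scenario, run here against a copy of the slide's configuration and against a tightened variant. This is an added example, not part of the slides: both sample configurations are constructed inline (the 192.168.10.0/24 route and the crl.pem path in the tightened one are assumed values), and the checks encode this editor's judgement of what to flag, not an OpenVPN feature.

```sh
#!/bin/sh
# Added example (not from the slides): audit an OpenVPN server.conf for the
# directives that matter when branch routers are the clients. Findings go to
# stdout; the return value is the number of findings. Sample configs are constructed.
set -eu

# True if an active (uncommented) line in file $2 starts with directive $1.
conf_has() { grep -Eq "^[[:space:]]*$1([[:space:]]|$)" "$2"; }

audit_openvpn_conf() {
  conf="$1"; n=0
  if conf_has 'duplicate-cn' "$conf"; then
    echo "duplicate-cn: routers may share one certificate, so a lost router cannot be locked out without re-keying every branch"
    n=$((n+1))
  fi
  if ! conf_has 'crl-verify' "$conf"; then
    echo "no crl-verify: a revoked client certificate is still accepted"
    n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*push[[:space:]]+"redirect-gateway' "$conf"; then
    echo "redirect-gateway pushed: all branch traffic is hauled through the VPS, not just web-server traffic"
    n=$((n+1))
  fi
  if grep -Eq '^[[:space:]]*(comp-lzo([[:space:]]+(yes|adaptive))?|compress[[:space:]]+(lzo|lz4|lz4-v2))[[:space:]]*$' "$conf"; then
    echo "compression enabled: leaks plaintext through sizes (VORACLE); keep it off"
    n=$((n+1))
  fi
  if conf_has 'user' "$conf" && ! conf_has 'persist-key' "$conf"; then
    echo "user/group drop without persist-key: key files cannot be re-read after a SIGUSR1 restart"
    n=$((n+1))
  fi
  if ! conf_has 'cipher' "$conf" || conf_has 'cipher[[:space:]]+BF-CBC' "$conf"; then
    echo "weak or default cipher (BF-CBC): set an AES cipher"
    n=$((n+1))
  fi
  return "$n"
}

# Constructed copy of the slide's server.conf.
sample_slide_conf() {
  cat > "$1" <<'EOF'
port 1194
proto tcp
dev tun1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
dh /etc/openvpn/dh.pem
#client-config-dir /etc/openvpn/ccd
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn
keepalive 10 120
cipher AES-256-CBC
;comp-lzo
user nobody
group nobody
persist-tun
status openvpn-status.log
verb 3
EOF
}

# Constructed tightened variant: one cert per router (no duplicate-cn), CRL checking,
# only the web server's LAN routed (assumed 192.168.10.0/24), persist-key added.
# AES-256-CBC is kept because RouterOS 6 OVPN clients only offer CBC ciphers.
sample_hardened_conf() {
  cat > "$1" <<'EOF'
port 1194
proto tcp
dev tun1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
crl-verify /etc/openvpn/crl.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

if [ $# -gt 0 ]; then
  audit_openvpn_conf "$1" && echo "no findings" || echo "$? finding(s)"
fi
```

Run as `sh audit.sh /etc/openvpn/server.conf`. Against the slide's configuration it reports four findings (duplicate-cn, no crl-verify, redirect-gateway, no persist-key); against the tightened variant it reports none.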
• systemctl enable openvpn@server
• systemctl start openvpn@server

** Don't forget to set up firewalld or iptables (to taste): allow TCP/1194 in, and permit forwarding between tun1194 and the web server's network.
```sh
tail -f /etc/openvpn/openvpn-status.log
```
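Reading that status file rather than just tailing it: the functions below parse the version-1 status format the server.conf above writes, list each connected client with its tunnel address, and flag common names in use by more than one connection at once, which is exactly what duplicate-cn permits and why it hides which branch is which. This is an added example, not from the slides; the status file is constructed (addresses are RFC 5737 documentation ranges, the CN "Branch3" is invented).

```sh
#!/bin/sh
# Added example (not from the slides): parse the version-1 status file written by
# "status openvpn-status.log", list connected clients, and flag common names shared
# by several simultaneous connections (what duplicate-cn allows). Sample is constructed.
set -eu

# Constructed sample: two branch routers sharing the CN "OpenVPN-Client".
sample_status_log() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Sat Jun  1 10:00:00 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
OpenVPN-Client,203.0.113.10:51234,12345,67890,Sat Jun  1 09:50:00 2019
OpenVPN-Client,198.51.100.7:40001,2345,6789,Sat Jun  1 09:55:00 2019
Branch3,192.0.2.44:1194,100,200,Sat Jun  1 09:58:00 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,OpenVPN-Client,203.0.113.10:51234,Sat Jun  1 10:00:00 2019
10.8.0.10,OpenVPN-Client,198.51.100.7:40001,Sat Jun  1 10:00:00 2019
10.8.0.14,Branch3,192.0.2.44:1194,Sat Jun  1 10:00:00 2019
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

# Print "CN real_address virtual_address" per connected client, joining the
# CLIENT LIST and ROUTING TABLE sections on (CN, real address).
status_clients() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { sect = "clients"; next }
    /^ROUTING TABLE/       { sect = "routes";  next }
    /^GLOBAL STATS/        { sect = "";        next }
    /^(Updated|Common Name|Virtual Address),/ { next }
    sect == "clients" { order[++n] = $1 "," $2 }
    sect == "routes"  { vip[$2 "," $3] = $1 }
    END {
      for (i = 1; i <= n; i++) {
        split(order[i], f, ",")
        print f[1], f[2], ((order[i] in vip) ? vip[order[i]] : "-")
      }
    }' "$1"
}

# Print common names with more than one simultaneous connection.
status_duplicate_cns() {
  status_clients "$1" | awk '{ c[$1]++ } END { for (k in c) if (c[k] > 1) print k }'
}

if [ $# -gt 0 ]; then
  echo "Connected clients:"; status_clients "$1"
  dups=$(status_duplicate_cns "$1")
  [ -z "$dups" ] || echo "Shared common names: $dups"
fi
```

Run as `sh status.sh /etc/openvpn/openvpn-status.log`. With one certificate per router the duplicate list stays empty and each line names the branch; with the slide's shared certificate only the real address tells the branches apart.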
Demo