setting an openvpn on linux and mikrotik to securely ... · setting an openvpn on linux and...

SettinganOpenVPNonLinuxandMikroTiktosecurelyaccessaweb

server

TeddyYuliswarMikroTikCertifiedTrainer#TR0442

Indonetworkers.comTrainingCenter(ITC)Jl.S.ParmanNo.189BUlakKarangUtara

Padang– WestSumatera-Indonesia

Indonetworkers.com/training

Case

1.  Wewanttohaveaweb-basedapplicationthatisonaserverthatcanonlybeaccessedbyofficeemployees-ourbranchoffices(notallowedtobeaccessedpublicly)or

2.  Wewanttomanageclientroutersthatdonothavepublicipviaasinglewebbasedapp

Problem

AttheHeadOfficeandBranch(both)thereisnodedicatedinternetforexample:

1.  FromISPDynamicInternetIP2.  UndertheNATRouter/DoesnothaveapublicIP

Whatdoweneedtosolvedthisproblem?

Whatarethesteps?

WhatisOpenVPN?

SymmetricEncryption

ExampleSymmetricEncryption

•  Blowfish,AES,RC4,DES,RC5,andRC6•  ThemostwidelyusednowAES-128,AES-192,andAES-256.

AsymmetricEncryption

ExampleAsymmetricEncryption

Mostareusedineverydaycommunicationchannels,especiallythroughtheInternet.Popularasymmetrickeyencryption:EIGamal,RSA,DSA,Ellipticcurvetechniques,PKCS

WhyOpenVPN?

OpenVPN PPTP L2TP/IPsec SSTP IKEv2/IPSec

Encryption 160-bit,256-bit 128-bit 256-bit 256-bit 256-bit

Security VeryhighWeak Highsecurity(might

beweakenedbyNSA) High High

SpeedFast Speedy,duetolow

encryptionMedium,duetodoubleencapsulation Fast Veryfast

Stability Verystable Verystable Stable Verystable Verystable

Compatibility

Strongdesktopsupport,butmobilecouldbeimproved.Requiresthird-partysoftware.

StrongWindowsdesktopsupport.

Multipledeviceandplatformsupport.

Windows-platform,butworksonotherLinuxdistributions.

LimitedplatformsupportbeyondWindowsandBlackberry

FinalWordMostrecommendedchoice.Fastandsecure.

NativeonWindows.Weaksecurity.Usefulforgeo-restrictedcontent.

Versatileandsecure.AdecentalternativetoOpenVPN.

FasterandmoresecurealternativetoPPTPandL2TP.

Secure,stable,andmobile-oriented.

Source:https://thebestvpn.com/pptp-l2tp-openvpn-sstp-ikev2-protocols/

OpenVPNusesSSL/TLS

SSLandTLS

•  SecureSocketsLayer(SSL)andTransportLayerSecurity(TLS)SSLareuniversallyacceptedstandardsforauthenticatedandencryptedcommunicationbetweenclientsandservers.

•  SSL/TLSusesacombinationofpublickeyandsymmetric-keyencryption

•  OpenVPNusesSSL/TLSforPublicKeyInfrastructure,thenSSL/TLSusesAEStoencryptthepublickey,thenthepublickeyissenttotheclient

Sotheprocessis,ServerSide:1.  Createpublicandprivatekeys2.  PublickeyencryptionwithAES3.  Encryptdatawithaprivatekey4.  Makeahashwithshaormd55.  SenddatainencryptedformandalsosendpublicAES

encryptedkeys,aswellasfingerprinthashes

ClientSide:1.  Receivedata,publickey,fingerprinthash2.  Checkdataintegritywithhashes3.  Decryptionofthepublickey4.  Decryptdatawithapublickeythathasbeen

decryptedinpoint35.  Finish

FutureDataCommunicationisalmostcertaintouse:

1.  PublicKeyInfrastructurefordataencryption2.  SymmetricEncryptionTosendapublickey3.  HashingforDataIntegritychecking

OpenVPNonMikroTikRouterOS

Server Client

LAN

NetworkTopology

KantorPusat

OpenVPNClient

OpenVPNClient

Internet

Internet

WebServer

Internet

OpenVPNServer

*OntheOpenVPNMikrotikservertheremustbeaPublicIPStaticorifDynamicIPEnableCloudIP

NetworkTopology

OpenVPNClient

OpenVPNClient

OpenVPNClient

Internet

Internet

WebServer+OpenVPNServer

Internet

VPS

NetworkTopology

OpenVPNClient

InternetLTE/4G

WebServer+OpenVPNServer

VPS

OpenVPNClient

InternetLTE/4G

OpenVPNClient

InternetLTE/4G

VPS

7

configurationyum update -ywget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpmrpm -ivh epel-release-latest-7.noarch.rpm

yum install openvpn openssl

openssl dhparam -out /etc/openvpn/dh.pem 2048

openssl genrsa -out /etc/openvpn/ca.key 2048chmod 600 /etc/openvpn/ca.key

openssl req -new -key /etc/openvpn/ca.key -out /etc/openvpn/ca.csr -subj /CN=OpenVPN-CA/openssl x509 -req -in /etc/openvpn/ca.csr -out /etc/openvpn/ca.crt -signkey /etc/openvpn/ca.key -days 365echo 01 > /etc/openvpn/ca.srl

openssl genrsa -out /etc/openvpn/server.key 2048chmod 600 /etc/openvpn/server.keyopenssl req -new -key /etc/openvpn/server.key -out /etc/openvpn/server.csr -subj /CN=OpenVPN/openssl x509 -req -in /etc/openvpn/server.csr -out /etc/openvpn/server.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 365

openssl genrsa -out /etc/openvpn/client.key 2048chmod 600 /etc/openvpn/client.keyopenssl req -new -key /etc/openvpn/client.key -out /etc/openvpn/client.csr -subj /CN=OpenVPN-Client/openssl x509 -req -in /etc/openvpn/client.csr -out /etc/openvpn/client.crt -CA /etc/openvpn/ca.crt -CAkey /etc/openvpn/ca.key -days 36525

nano /etc/openvpn/server.conf port 1194

proto tcpdev tun1194ca /etc/openvpn/ca.crt

cert /etc/openvpn/server.crtkey /etc/openvpn/server.key # This file should be kept secretdh /etc/openvpn/dh.pem

#client-config-dir /etc/openvpn/ccdserver 10.8.0.0 255.255.255.0ifconfig-pool-persist ipp.txtclient-to-client

push "route 10.8.0.0 255.255.255.0"push "redirect-gateway def bypass-dhcp"push "dhcp-option DNS 8.8.8.8"

push "dhcp-option DNS 8.8.4.4"duplicate-cnkeepalive 10 120cipher AES-256-CBC

;comp-lzouser nobodygroup nobodypersist-tun

status openvpn-status.logverb 3

•  systemctlenableopenvpn@server•  systemctlstartopenvpn@server

**don'tforgetthefirewalldoriptablesset(accordingtoeachtaste)J

tail-f/etc/openvpn/openvpn-status.log

Demo

ThankYouSpecialthankstoShohibulAminandMuhammadRizaNurtam

MoreInfoanddiscussion:teddy@cit.co.id