We may want to hide our home or office network IP so that our identity is also hidden.
You can rent a low-cost cloud server (VPS) from 1&1-IONOS for as little as $4 to build this setup.
I installed the MikroTik CHR (Cloud Hosted Router) image on my IONOS USA Cloud VPS as the server-side MikroTik router. You can download the MikroTik CHR image from https://ftp.eubilal.com/mikrotikchr.vmdk or directly from mikrotik.com. So both sides (server side and client side) run MikroTik RouterOS.
Tested with RouterOS version 6.47.6
Server/Cloud Side MikroTik/CHR Configuration:
If the VPS provider offers an external firewall configuration panel, open the ports needed for this setup there.
Alternatively, keep all ports open in the external firewall and manage access with the CHR's internal firewall.
1) Log in with Winbox to your VPS's real (public) IP with username "admin" and a blank password.
After the first login, change the admin password. Then start the setup by following the instructions below:
2) Create SSL Certificates
You are now logged in to the server-side MikroTik; submit the commands below in its terminal:
/certificate
add name=vpn-ca common-name=vpn.local days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
sign vpn-ca
set vpn-ca trusted=yes
add name=vpnserver common-name=vpnserver.local days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign vpnserver ca=vpn-ca
set vpnserver trusted=yes
add name=vpnclient common-name=vpnclient.local days-valid=3650 key-size=2048 key-usage=tls-client
sign vpnclient ca=vpn-ca
set vpnclient trusted=yes
Export the certificates for use on the client-side MikroTik router.
Still on the server-side MikroTik, submit the commands below in its terminal:
/certificate
export-certificate vpn-ca export-passphrase=""
export-certificate vpnclient export-passphrase=12345678
(use your own passphrase)
After the export, you will find the certificate files (CA certificate, client certificate, and private key) in the MikroTik file list (Winbox > Files).
Download the certificate files from the file list and save them on your local computer (use drag and drop to download).
3) Create VPN Network
Choose a range of IP addresses for the server-side VPN network; client routers will receive their addresses from it.
(Example: 172.16.22.0/24)
Still on the server-side MikroTik, submit the commands below in its terminal:
Add the VPN IP address pool:
/ip
pool add name="vpn-pool" ranges=172.16.22.2-172.16.22.254
Create a VPN authentication (PPP) profile:
/ppp
profile add name="vpn-profile" local-address=172.16.22.1 remote-address=vpn-pool dns-server=8.8.8.8,1.1.1.1 use-encryption=yes
Attention! Here 172.16.22.1 is the VPN network's main and default gateway IP.
Keep this CHR IP, 172.16.22.1, in mind: it is the cloud MikroTik's private IP inside the VPN.
4) Create VPN Users/Client
Your VPN host is the server-side MikroTik's real (public) IP.
Create a VPN user (still on the server-side MikroTik, submit the command below in its terminal):
/ppp
secret add name=homerouter password=dSw3eVcRt profile=vpn-profile remote-address=172.16.22.2
If you have more home/office routers, create more users as needed. Just remember that the remote IP address (remote-address=) increments by 1 for each user.
Example (in terminal, /ppp):
secret add name=headofficerouter password=dRk8vHa5j profile=vpn-profile remote-address=172.16.22.3
secret add name=branchrouter password=gWk2vLa4c profile=vpn-profile remote-address=172.16.22.4
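To automate steps 4 and 5 for several routers, here is an added Python example (not part of the original tutorial) that allocates one fixed remote-address per router from the pool, generates a random password for each instead of a hand-typed one, renders the "/ppp secret add" lines for pasting into the server-side terminal, and produces the credential block the client side needs. The router names, the pool bounds, the gateway and the VPN host placeholder are assumptions mirroring the tutorial's values; the script runs offline and does not talk to the router.

```python
import ipaddress
import secrets

# Constructed values mirroring the tutorial's pool and profile (assumptions, not read from a router).
POOL_START = ipaddress.IPv4Address("172.16.22.2")
POOL_END = ipaddress.IPv4Address("172.16.22.254")
GATEWAY = ipaddress.IPv4Address("172.16.22.1")   # local-address of vpn-profile
PROFILE = "vpn-profile"


def allocate_secrets(router_names, pool_start=POOL_START, pool_end=POOL_END,
                     gateway=GATEWAY, profile=PROFILE, password_bytes=12):
    """Assign one fixed remote-address per router, walking the pool upwards, and generate
    a random URL-safe password for each. Raises if the pool is exhausted, if names repeat,
    or if the gateway address sits inside the client pool."""
    if pool_start <= gateway <= pool_end:
        raise ValueError("gateway address must not be inside the client pool")
    if len(set(router_names)) != len(router_names):
        raise ValueError("duplicate router names")
    entries = []
    addr = pool_start
    for name in router_names:
        if addr > pool_end:
            raise ValueError(f"pool exhausted before assigning {name}")
        entries.append({
            "name": name,
            # 12 random bytes -> 16 URL-safe characters; no shared or guessable passwords.
            "password": secrets.token_urlsafe(password_bytes),
            "remote_address": str(addr),
            "profile": profile,
        })
        addr += 1
    return entries


def render_commands(entries):
    """Render the '/ppp secret add' lines in the same form the tutorial uses."""
    lines = ["/ppp"]
    for e in entries:
        lines.append(
            f'secret add name={e["name"]} password="{e["password"]}" '
            f'profile={e["profile"]} remote-address={e["remote_address"]}'
        )
    return lines


def client_summary(entry, vpn_host, gateway=GATEWAY, prefix=24):
    """The credential block the client-side router needs (step 5 of the tutorial)."""
    return {
        "VPN Host": vpn_host,
        "User": entry["name"],
        "Password": entry["password"],
        "Network": str(ipaddress.ip_network(f"{gateway}/{prefix}", strict=False)),
        "Gateway": str(gateway),
    }


if __name__ == "__main__":
    entries = allocate_secrets(["homerouter", "headofficerouter", "branchrouter"])
    print("\n".join(render_commands(entries)))
    print(client_summary(entries[0], "xx.xx.xx.xx"))   # placeholder host, as in the tutorial
```

The password is quoted in the rendered line because token_urlsafe output may contain "-" and "_"; keep the printed summary out of chat logs and tickets, since it is the only copy of the generated secret.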
5) Keep Note of VPN User Credentials
So, from the above configuration, you have the VPN username and password.
When configuring the VPN on your home or site-office router (the client-side MikroTik), use the values below, as configured above:
VPN Host: xx.xx.xx.xx (VPN-Server side MikroTik's Real IP)
User: homerouter
Password: dSw3eVcRt
VPN-Server Network (Private):
IP-Range: 172.16.22.0/24
Subnet Mask: 255.255.255.0
Gateway: 172.16.22.1
6) Run/Enable OpenVPN Server
* Still on the server-side MikroTik, do the job below there.
Important! Create/enable the "OVPN Server" from the Winbox GUI, not from the command line. Keep the information below handy.
Port = 1194 (or custom port 51194)
Mode = ip
Netmask = 24
Max MTU = 1500
Keepalive Timeout = 86400
Default Profile = default-encryption
Certificate = vpnserver
Require Client Certificate = yes
Auth = sha1
Cipher = aes 128, aes 256
Enable the server, configure the settings, then apply.
Our VPN server is now running.
7) Configure Firewall to Accept VPN Connections
* Still on the server-side MikroTik, submit the commands below in its terminal:
/ip firewall filter
add chain=input protocol=tcp dst-port=1194,51194 action=accept comment="Allow VPN Connect"
(place above the "established, related" input rule)
add chain=input in-interface=all-ppp action=accept comment="Allow remote vpn users to reach to this router"
(place above the "established, related" input rule)
add chain=input protocol=tcp dst-port=8291,58291 action=accept comment="Allow MikroTik Access"
add chain=forward in-interface=all-ppp action=accept comment="Allow remote vpn users to reach to this router/services"
(place above the "established, related" forward rule)
add chain=forward dst-address=172.16.22.0/24 out-interface=all-ppp action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"
(place above the "established, related" forward rule)
Remember! Drag and drop the allow rules above the drop rules.
/ip firewall nat
add chain=srcnat src-address=172.16.22.0/24 out-interface=ether1 action=masquerade comment="Allow OVPN Clients to Browse the Internet via Cloud/Server Network"
add chain=srcnat dst-address=172.16.22.0/24 out-interface=all-ppp action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"
Done! The server-side configuration is complete.
Client Side (Home/Office Router) MikroTik Configuration:
8) Upload and import the SSL certificate files first
* You are now logged in to the client-side MikroTik; do the job below there.
To upload: Winbox > Files > drag and drop the certificate files you downloaded from the server-side MikroTik.
To import: Winbox > System > Certificates > Import (GUI button).
When importing the private key file, enter 12345678 as the passphrase, or the passphrase you set earlier.
9) Create an OpenVPN Client Connection Interface
* Still on the client-side MikroTik, do the job below there.
Keep the information below handy; these are the credentials you obtained from the server-side MikroTik (step 5).
Connect to = xx.xx.xx.xx (VPN-Server side MikroTik's Real IP)
Port = 1194 (or custom port 51194)
Mode = ip
User: homerouter
Password: dSw3eVcRt
Profile = default-encryption
Certificate = vpnclient.crt
Verify Server Certificate = no
Auth = sha1
Cipher = aes128
Use Peer DNS = yes
Add Default Route = no
Apply the settings.
Because Add Default Route = no, we have to add the route manually (Winbox > IP > Routes) using gateway = ovpn-out1.
10) Add Route (Winbox > IP > Routes)
* Still on the client-side MikroTik, submit the commands below in its terminal:
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.22.1%ovpn-out1 check-gateway=ping distance=12 comment="VPN Route"
add dst-address=0.0.0.0/0 gateway=172.16.22.1%ovpn-out1 distance=22 routing-mark=Browsing_via_CHR
11) Add Masquerade in Firewall
If your firewall NAT masquerade rule already uses Out Interface List = WAN (Winbox > IP > Firewall > NAT), just add the ovpn-out1 interface to your WAN interface list (Winbox > Interfaces > Interface List). Otherwise add a new masquerade rule with the command below.
* Still on the client-side MikroTik, submit the commands below in its terminal:
/ip firewall nat
add chain=srcnat out-interface=ovpn-out1 action=masquerade comment="Allow Internet Browsing via CHR Network"
12) Add More Firewall Rules
* Still on the client-side MikroTik, submit the commands below in its terminal:
/ip firewall filter
add chain=input in-interface=ovpn-out1 action=accept comment="Allow remote vpn users to reach to this router"
(place above the "established, related" input rule)
add chain=input protocol=tcp dst-port=8291,58291 action=accept comment="Allow MikroTik Access"
add chain=forward in-interface=ovpn-out1 action=accept comment="Allow remote vpn users to reach to local services"
(place above the "established, related" forward rule)
add chain=forward dst-address=172.16.22.0/24 out-interface=ovpn-out1 action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"
(place above the "established, related" forward rule)
Remember! Drag and drop the allow rules above the drop rules.
/ip firewall nat
add chain=srcnat dst-address=172.16.22.0/24 out-interface=ovpn-out1 action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"
Configuration is almost done!
13) Finally, Set Rules for Local/Lan User(s) to Browse Internet via Remote VPN/CHR Network
* Still on the client-side MikroTik, do the job below there.
Winbox > IP > Routes > Rules
Add a routing rule
Src. Address = 192.168.88.156 (A local LAN user, who will browse internet via remote vpn/chr server network)
Action = lookup (if you want to force the LAN user to browse the internet only via the remote VPN/CHR network, choose "lookup only in table" here)
Table = Browsing_via_CHR
Apply the rule, then test the browsing status of the LAN user 192.168.88.156; the user should now appear to be browsing the internet from the USA.
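The choice in step 13 between "lookup" and "lookup only in table" decides what happens when the tunnel is down, and that is the security-relevant part of the rule. As an added example that is not part of the original tutorial, the Python model below reproduces the client router's route selection for a LAN source: the two ovpn-out1 routes from step 10, the routing rule from step 13, and a constructed ISP default route at distance 1 in the main table (an assumption, as is the "isp-wan" gateway name). It shows that with action=lookup the user falls back to the ISP route as soon as check-gateway=ping marks the VPN route inactive, while lookup-only-in-table drops the traffic instead, which is the behaviour you want if the point of the setup is to hide the home IP.

```python
import ipaddress

# Constructed model of the client router's routing tables. The two ovpn-out1 routes are the ones
# added in step 10; the ISP default route at distance 1 in 'main' is an assumption.
ROUTES = [
    {"table": "main", "dst": "0.0.0.0/0", "gateway": "isp-wan", "distance": 1},
    {"table": "main", "dst": "0.0.0.0/0", "gateway": "172.16.22.1%ovpn-out1",
     "distance": 12, "check_gateway": "ping"},
    {"table": "Browsing_via_CHR", "dst": "0.0.0.0/0", "gateway": "172.16.22.1%ovpn-out1",
     "distance": 22, "check_gateway": "ping"},
]

# Routing rule from step 13: one LAN user is sent to the VPN table, with no fallback.
RULES = [
    {"src": "192.168.88.156/32", "action": "lookup-only-in-table", "table": "Browsing_via_CHR"},
]


def active_routes(routes, vpn_up):
    """check-gateway=ping marks a route inactive when its gateway stops answering."""
    return [r for r in routes if vpn_up or not r.get("check_gateway")]


def best_route(routes, table, dst):
    """Longest-prefix match within one table, lowest distance as tie-breaker; None if no route."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes
                  if r["table"] == table and dst in ipaddress.ip_network(r["dst"])]
    if not candidates:
        return None
    best = max(candidates,
               key=lambda r: (ipaddress.ip_network(r["dst"]).prefixlen, -r["distance"]))
    return best["gateway"]


def egress(src, dst, vpn_up, rules=RULES, routes=ROUTES):
    """Gateway a packet from src to dst leaves through, or None when it is dropped.
    Rules are evaluated in order. 'lookup' falls through to the next rule and finally to
    the main table when its table has no usable route; 'lookup-only-in-table' does not."""
    src = ipaddress.ip_address(src)
    active = active_routes(routes, vpn_up)
    for rule in rules:
        if src not in ipaddress.ip_network(rule["src"]):
            continue
        gateway = best_route(active, rule["table"], dst)
        if gateway is not None:
            return gateway
        if rule["action"] == "lookup-only-in-table":
            return None          # kill switch: no route in the table means no traffic
    return best_route(active, "main", dst)


def via_vpn(gateway):
    """True when the chosen gateway is reached through the OpenVPN interface."""
    return gateway is not None and gateway.endswith("%ovpn-out1")


if __name__ == "__main__":
    for up in (True, False):
        for src in ("192.168.88.156", "192.168.88.10"):
            gw = egress(src, "198.51.100.7", vpn_up=up)    # constructed destination address
            print(f"vpn_up={up} src={src}: gateway={gw} via_vpn={via_vpn(gw)}")
    leaky = [dict(RULES[0], action="lookup")]
    print("action=lookup with VPN down:", egress("192.168.88.156", "198.51.100.7", False, rules=leaky))
```

The model ignores connection tracking and mangle marks, so it answers only the routing question; on the real router, confirm the same behaviour by disabling ovpn-out1 and checking that the 192.168.88.156 host loses connectivity rather than reappearing at the ISP address.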
Test IP: http://whatismyipaddress.com
Enjoy foreign internet from your home/office!
Note: Your CHR bandwidth will be throttled to 1 Mbps until you upgrade the MikroTik license.
Speed test: http://fast.com