MikroTik Tutorial - PureVPN


Post by Admin »

An example of configuring a MikroTik router to work with the PureVPN service.

The basic prerequisite is that the MikroTik router is already configured, i.e. it has internet access, and NAT, IP addresses and DNS are set up.

1. Disable fasttrack in the firewall and add the ports for PureVPN (the remaining filter rules are the default MikroTik rules).

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
The firewall filter now looks like this in Winbox:
[Image: Clipboard01.png]
2. Add the local IP addresses in our network that will use the PureVPN service.

/ip firewall address-list
add address=10.0.0.11 list=local
add address=10.0.0.0/24 disabled=yes list=local
add address=192.168.11.0/24 list=local
In Winbox this looks like:
[Image: Clipboard02.png]

3. Adding the certificate to the MikroTik.
According to the official PureVPN guide https://support.purevpn.com/en_US/route ... tik-router
we see that the link to the official certificate is here: https://jmp.sh/4OzUZvIY
Download that certificate and upload it to the MikroTik router.
Import it from Winbox via System - Certificates - Import, as shown in the picture:
[Image: Clipboard03.png]
4. IP > IPsec settings

Shortened version from the terminal:

/ip ipsec mode-config
add name=PureVPN responder=no src-address-list=local use-responder-dns=no
/ip ipsec policy group
add name=PureVPN
/ip ipsec profile
add enc-algorithm=aes-256,aes-128,3des hash-algorithm=sha256 name=PureVPN
/ip ipsec peer
add address=nl-ddux-1.pointtoserver.com comment=Netherland disabled=yes name=\
    PureVPN2 profile=PureVPN
add address=sx0407117-ikev.ptoserver.com comment=Germany name=PureVPN3 \
    profile=PureVPN
add address=sx0510157-ikev.ptoserver.com comment=Netherland disabled=yes \
    name=PureVPN profile=PureVPN
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-256-gcm,aes-128-cbc \
    name=PureVPN
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    PureVPN peer=PureVPN policy-template-group=PureVPN username=\
    purevpnusername
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    PureVPN peer=PureVPN2 policy-template-group=PureVPN username=\
    purevpnusername
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=\
    PureVPN peer=PureVPN3 policy-template-group=PureVPN username=\
    purevpnusername
/ip ipsec policy
add comment=PureVPN dst-address=0.0.0.0/0 group=PureVPN src-address=0.0.0.0/0 \
    template=yes
In this version of mine, 3 peers are set up with 3 separate identities for faster switching to the 2nd or 3rd server if needed: just disable the active peer in Winbox and enable another peer.
Of course, set the real username and password in Winbox; it is visible in your PureVPN account at https://my.purevpn.com/
as shown in this picture, Settings - Subscriptions:
[Image: Screenshot Member Area Subscriptions.png]
Finally, all the settings look as shown in the pictures:
[Image: Pics01.png]
Unlike the official tutorial, I set the Use responder DNS option to no, because following the official tutorial I was not getting DNS responses and pages would not open, so I use my own DNS, i.e. the MikroTik.
[Images: Pics02.png, Pics03.png, Pics04.png, Pics05.png, Pics06.png, Pics07.png, Pics08.png, Pics09.png, Pics10.png]
Finally, checking that it works on the MikroTik:
[Image: Clipboard11.png]
We see the local addresses, the remote addresses, the dynamically assigned address and, of course, the byte counters growing the more we browse, i.e. whenever there is some internet activity.

We also check that the MikroTik has correctly been assigned the new IP address:
[Image: Clipboard12.png]
In the firewall we also check that the dynamic src-nat has been generated:
[Image: Clipboard13.png]
We can also check this in the terminal:

/ip firewall nat print
Response:

Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; ipsec mode-config
      chain=srcnat action=src-nat to-addresses=172.94.9.13 src-address-list=local 
      dst-address-list=!local 
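One caveat worth adding here: the dynamic src-nat rule shown above exists only while mode-config is active. If the peer drops, it is removed and hosts in the "local" address list fall back to the router's ordinary masquerade, i.e. they leave the WAN in plaintext until the tunnel comes back. The following kill-switch rule is an added example, not part of the original post or of PureVPN's guide; it assumes the rule names from this post (address list "local", interface list "WAN", the defconf forward rule whose comment contains "accept established") and a comment and log prefix chosen here.

```routeros
# Added example (not from the original post): drop forward traffic from the
# "local" list that would leave the WAN interface without an IPsec policy,
# which is exactly the situation when the PureVPN peer is down.
# ipsec-policy=out,none matches packets that have no matching outbound policy.
/ip firewall filter
add chain=forward action=drop src-address-list=local out-interface-list=WAN \
    ipsec-policy=out,none log=yes log-prefix="purevpn-leak" \
    comment="PureVPN kill switch: no plaintext egress for list local" \
    place-before=[find chain=forward comment~"accept established"]

# Check: while the tunnel is up the counters of this rule stay at zero;
# when the peer drops, hits appear here and in /log with the prefix above.
/ip firewall filter print stats where comment~"PureVPN kill switch"
```

The rule is placed before the defconf "accept established,related" forward rule on purpose: connections that were open when the tunnel dropped would otherwise keep matching that accept rule and continue over the plain masquerade. Remember to disable the rule if you want the hosts in "local" to use the internet without the VPN.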

In IP > Routes, check that a route with a default gateway has been created:
[Image: route.png]
In case of problems, enable logging:

/system logging add action=memory topics=ipsec,!debug
This is what the log looks like:
[Image: Clipboard14.png]
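The ipsec log topic above is useful when debugging a negotiation, but it does not tell you later that the tunnel silently went down. The script below is an added example, not from the original post: a scheduler runs it every few minutes, it looks for an established peer in /ip ipsec active-peers and writes a warning to the log when there is none. It assumes the RouterOS 7 property names of /ip ipsec active-peers used here (state, remote-address, dynamic-address; the same columns the Winbox screenshot above shows) and the script and scheduler name "purevpn-check", which are my choice.

```routeros
# Added example (not from the original post): periodic check that an IPsec
# peer is established, logged so the outage is visible in /log.
# Assumptions: property names state, remote-address and dynamic-address
# of /ip ipsec active-peers (RouterOS 7); names "purevpn-check" chosen here.
/system script
add name=purevpn-check policy=read,test source={
    :local up [/ip ipsec active-peers find where state="established"]
    :if ([:len $up] = 0) do={
        :log warning "purevpn-check: no established IPsec peer, tunnel is down"
    } else={
        :foreach p in=$up do={
            :local ra [/ip ipsec active-peers get $p remote-address]
            :local da [/ip ipsec active-peers get $p dynamic-address]
            :log info ("purevpn-check: established with " . $ra . ", assigned " . $da)
        }
    }
}

# Run the check every 5 minutes
/system scheduler
add name=purevpn-check interval=5m on-event=purevpn-check policy=read,test

# Run it once by hand and look at the result
/system script run purevpn-check
/log print where message~"purevpn-check"
```

Since the profile in step 4 offers aes-256, aes-128 and 3des, it is also worth running /ip ipsec installed-sa print once after the tunnel comes up to see which algorithms were actually negotiated with the server.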
I do the final check online at https://www.ipaddress.com/
The result looks like this:
[Image: Screenshot What Is My IP Address Free IP Lookup.png]
That's it, the MikroTik works fine with PureVPN.
