@Rockheung
Last active July 21, 2018 09:11
Simple openvpn script with Mikrotik CHR

First, create a raw disk for the CHR that is at least 128MB. Exactly 128MB works, too.

Second, boot the Linode in rescue mode with the disk you just created.

After it boots, download the latest CHR image and write it to the disk.

The download link below points to the stable CHR raw image as of this writing (6.41.3). Note that --no-check-certificate disables TLS certificate verification for the download; only keep it if the rescue system's CA bundle cannot validate download.mikrotik.com.

wget --no-check-certificate https://download.mikrotik.com/routeros/6.41.3/chr-6.41.3.img.zip

If you have multiple disks, check which one you are about to overwrite with fdisk -l; dd writes to whatever you name in of= without asking.

sudo gunzip -c chr-6.41.3.img.zip | sudo dd of=/dev/sda bs=1M

Shut it down and create a boot (configuration) profile for the CHR with these settings:

  • VM mode: full virtualisation
  • kernel: direct disk
  • Block device assignment: /dev/sda

I recommend using Lish (Linode's console access tool) because of the delay.

Reaching the CHR through the Linode's public IP address takes minutes after boot, which is a frustrating wait.

Connect to Lish via SSH; it asks for a password.

ssh -t rockheung@lish-tokyo2.linode.com MikroTik-CHR

The default account is admin with an empty password.

YOU MUST DISABLE THIS ACCOUNT AND ADD YOUR OWN ADMIN ACCOUNT.

Expect a constant stream of login attempts from bots; remember that this Linode has a public IP.

/ user
add copy-from=admin name="passenger" group=full password=1q2w3e
disable admin

/ip service
# entries are numbered as shown by /ip service print; check the numbering first. www and ssh stay enabled for the steps below
set 0,1,4,5,6,7 disabled=yes
set ssh port=2299

Create three certificate templates: CA, server, and client.

/ certificate
add name=ca-template common-name=example.com days-valid=3652 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3652 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=365 key-size=2048 key-usage=tls-client

Sign the templates (still within /certificate):

sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Export the CA and client certificates; giving an export-passphrase also exports the client's private key, encrypted with that passphrase.

/ certificate
export-certificate ca-certificate
export-certificate client-certificate export-passphrase=1q2w3e4r

Add an IP pool for VPN clients and accept the OpenVPN port in the input chain.

/ ip
pool add name="ovpn" ranges=192.168.90.10-192.168.90.254
/ ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN"

Add a masquerade rule for ether1; without it, VPN clients cannot reach the internet through the CHR.

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

Add a PPP profile and a user secret for OpenVPN.

/ ppp
profile add name="ovpn-profile" use-encryption=yes local-address=192.168.90.255 remote-address=ovpn
secret add name=rockheung profile=ovpn-profile password=q1w2e3r4

Enable the OpenVPN server.

/ interface ovpn-server server
set default-profile=ovpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes

Done! Download the ca.crt, client.crt, and client.key files from /file via the MikroTik web console.

Save the OpenVPN config below as a text file named *.ovpn (or *.conf).

Of course, the certificate file paths must match where you put the files.

client
dev tun
proto tcp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
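As an added example (not part of the original gist), a small Python check that the client .ovpn agrees with the /interface ovpn-server settings above, using constructed copies of both as input; a cipher, auth or proto mismatch is the usual reason the tunnel never comes up.

```python
"""Consistency check between the RouterOS ovpn-server line and the client .ovpn
from this gist (added example; sample inputs are constructed from the page)."""
import re

# Constructed from the '/interface ovpn-server server set ...' line above.
SERVER_CMD = ("set default-profile=ovpn-profile certificate=server-certificate "
              "require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes")
# Constructed from the client .ovpn above, trimmed to the directives that matter here.
CLIENT_CONF = """client
proto tcp
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
"""
# RouterOS 6.x ovpn-server names -> the names an OpenVPN client must use.
CIPHERS = {"null": "none", "blowfish128": "BF-CBC", "aes128": "AES-128-CBC",
           "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
AUTHS = {"null": "none", "md5": "MD5", "sha1": "SHA1"}

def parse_routeros(cmd):
    """key=value pairs of a RouterOS 'set' line (unquoted values, as above)."""
    return dict(re.findall(r"(\S+?)=(\S+)", cmd))

def parse_ovpn(text):
    """OpenVPN directive -> argument string; flag directives map to ''."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            conf[key] = val.strip()
    return conf

def check(server_cmd, client_conf):
    """List mismatches that would make the TLS handshake or the PPP login fail."""
    srv, cli = parse_routeros(server_cmd), parse_ovpn(client_conf)
    problems = []
    if cli.get("proto", "udp") != "tcp":  # OpenVPN defaults to UDP; CHR 6.x is TCP-only
        problems.append("RouterOS 6.x OpenVPN only accepts TCP: use 'proto tcp'")
    allowed = {CIPHERS[c] for c in srv.get("cipher", "").split(",") if c}
    if cli.get("cipher", "BF-CBC") not in allowed:  # BF-CBC is the OpenVPN 2.x default
        problems.append(f"client cipher not offered by server; server allows {sorted(allowed)}")
    if cli.get("auth", "SHA1") != AUTHS.get(srv.get("auth", "sha1")):
        problems.append("client 'auth' digest differs from the server's auth= setting")
    if srv.get("require-client-certificate") == "yes" and not {"cert", "key"} <= set(cli):
        problems.append("server requires a client certificate: add 'cert' and 'key'")
    if "auth-user-pass" not in cli:
        problems.append("the PPP secret login needs 'auth-user-pass'")
    return problems
```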

If you want the full performance of this MikroTik CHR, create an account on the MikroTik website and activate the CHR you just built.

The free license limits throughput. More info: https://wiki.mikrotik.com/wiki/Manual:CHR#CHR_Licensing

/ system
license renew