@cnjax
Created August 19, 2020 02:41
OpenVPN Server and certificate management on MikroTik

Contents

Setup OpenVPN server and generate certificates

# Setup OpenVPN Server and generate certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global COUNTRY "ES"
:global STATE "Asturias"
:global LOC "Gijon"
:global ORG "ACME"
:global OU ""
:global KEYSIZE "2048"

## functions (a RouterOS function only sees a global if it is re-declared inside the body;
## KEYSIZE is a string, so convert it before doing arithmetic)
:global waitSec do={:global KEYSIZE; :return ([:tonum $KEYSIZE] * 10 / 1024)}

## generate a CA certificate
/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

## generate a server certificate
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

## create a client template
/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="client" \
  key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

## create IP pool
/ip pool add name=OVPN-Pool ranges=192.168.68.10-192.168.68.25

## add VPN profile
/ppp profile
add dns-server=192.168.68.1 local-address=192.168.68.1 name=OVPN-Profile \
  remote-address=OVPN-Pool use-encryption=yes

## setup OpenVPN server
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
  default-profile=OVPN-Profile enabled=yes keepalive-timeout=disabled \
  mac-address=00:00:00:00:00:00 max-mtu=1450 port=993 \
  require-client-certificate=yes

## add a firewall rule (it is appended to the end of the input chain,
## so move it above any existing drop rule or it will never match)
/ip firewall filter
add chain=input dst-port=993 protocol=tcp action=accept comment="Allow OpenVPN"

Add a new user

# Add a new user and generate/export certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

## add a user
/ppp secret
add name=$USERNAME password=$PASSWORD profile=OVPN-Profile service=ovpn

## generate a client certificate
/certificate
add name=client-template-to-issue copy-from="client-template" \
  common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

## export the CA, client certificate, and private key
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

Setup OpenVPN client

  1. Copy the exported certificates from the MikroTik

    sftp 'admin@MikroTik_IP:cert_export_*'

    You can also download the certificates from the web interface: go to WebFig, then Files.

  2. Create the user.auth file

    The file user.auth holds your username/password combination: the username on the first line and the password on the second line. It is referenced by the auth-user-pass directive in the next step, so keep it readable only by you (chmod 600).

    user
    password
    
  3. Create an OpenVPN config file named USERNAME.ovpn:

    ##############################################
    #
    client
    dev tun
    proto tcp-client
    remote Mikrotik 993
    nobind
    persist-key
    persist-tun
    verb 2
    mute 3
    pull
    # must match the server settings above (cipher=aes256, auth=sha1)
    cipher AES-256-CBC
    auth SHA1
    # only accept a peer certificate issued with tls-server usage:
    # the server certificate above has it, client certificates do not
    remote-cert-tls server
    
    ##############################################
    #
    # Proxy capabilities
    #
    # http-proxy YYY.YYY.YYY.YYY 8080
    
    ##############################################
    #
    # Create a file 'user.auth' with a user and a password
    #
    # cat << EOF > user.auth
    # user
    # password
    # EOF
    auth-user-pass user.auth
    
    # CA CERT
    ca cert_export_Mikrotik.crt
    
    # USER CERTS
    cert cert_export_user@Mikrotik.crt
    key cert_export_user@Mikrotik.key
    
    # Add routes to networks behind MikroTik, if needed
    # route 192.168.1.0 255.255.255.0
  4. Try to connect

    sudo openvpn USERNAME.ovpn
    

Decrypt the private key to avoid the passphrase prompt

openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key

where pass:password carries the password assigned to that user above (it was used as export-passphrase when the certificate was exported). A passphrase given on the command line is visible in the shell history and process list, and the resulting key file is unencrypted, so restrict its permissions (chmod 600).
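The client-side steps above (fetch the export, write user.auth and USERNAME.ovpn, decrypt the key) as one script. This is an added example, not part of the gist: it assumes openssl is installed on the client, that the fetched files follow the RouterOS export naming (cert_export_<identity>.crt, cert_export_<user>@<identity>.crt and .key), and uses the hypothetical host name vpn.example.net. It reads the passphrase from an environment variable instead of the command line, checks that the certificate chains to the CA and matches the key before anything is written, and builds the demo bundle itself so it can be tried offline.

```shell
#!/usr/bin/env bash
# Client-side helpers for steps 1-4 and the key-decryption step above.
# Added example, not part of the gist. Assumptions: openssl is installed, and
# the files fetched from the router follow RouterOS' export naming
# (cert_export_<identity>.crt, cert_export_<user>@<identity>.crt / .key).
set -eu

# Decrypt the exported private key. The passphrase is read from the
# OVPN_KEY_PASS environment variable instead of the command line, so it does
# not end up in shell history or `ps` output; umask 077 makes the plain key 0600.
decrypt_key() {  # decrypt_key <encrypted.key> <plain.key>
    ( umask 077; openssl rsa -passin env:OVPN_KEY_PASS -in "$1" -out "$2" 2>/dev/null )
}

# Sanity-check the bundle before writing a config around it. Return codes:
#  1 = certificate does not chain to the exported CA
#  2 = private key does not belong to the certificate
#  3 = certificate lacks the client-authentication EKU (the gist's client
#      template is issued with key-usage=tls-client, which maps to it)
verify_bundle() {  # verify_bundle <ca.crt> <client.crt> <client.key>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$2" -pubkey -noout)" = "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ] || return 2
    openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication' || return 3
}

# Write user.auth (mode 0600) and <user>.ovpn next to it, with cipher/auth
# matching the server settings in the gist and remote-cert-tls so the client
# only accepts a peer certificate that was issued with tls-server usage.
write_client_config() {  # write_client_config <user> <password> <host> <ca> <crt> <key> <outdir>
    ( umask 077; printf '%s\n%s\n' "$1" "$2" > "$7/user.auth" )
    cat > "$7/$1.ovpn" <<EOF
client
dev tun
proto tcp-client
remote $3 993
nobind
persist-key
persist-tun
pull
cipher AES-256-CBC
auth SHA1
remote-cert-tls server
auth-user-pass user.auth
ca $4
cert $5
key $6
EOF
}

# Constructed demo data (not a real export): a throwaway CA and an encrypted
# client key/cert pair named like a MikroTik export, for offline testing.
make_demo_export() {  # make_demo_export <dir> <router-identity> <user> <password>
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days 30 \
        -keyout "$1/ca.key" -out "$1/cert_export_$2.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -subj "/CN=$3@$2" -passout "pass:$4" \
        -keyout "$1/cert_export_$3@$2.key" -out "$1/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$1/client.ext"
    openssl x509 -req -in "$1/client.csr" -CA "$1/cert_export_$2.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -days 30 -extfile "$1/client.ext" \
        -out "$1/cert_export_$3@$2.crt" 2>/dev/null
}

# Usage: ./ovpn-client-setup.sh demo   (runs the whole flow on the demo data)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_demo_export "$d" Mikrotik user password
    export OVPN_KEY_PASS=password
    decrypt_key "$d/cert_export_user@Mikrotik.key" "$d/user.key"
    verify_bundle "$d/cert_export_Mikrotik.crt" "$d/cert_export_user@Mikrotik.crt" "$d/user.key"
    write_client_config user password vpn.example.net cert_export_Mikrotik.crt \
        cert_export_user@Mikrotik.crt user.key "$d"
    echo "config written to $d/user.ovpn"
fi
```

With real files, skip make_demo_export, set OVPN_KEY_PASS to the user's password from the "Add a new user" script, and call decrypt_key, verify_bundle and write_client_config on the fetched cert_export_* files; verify_bundle returning 2 means the key and certificate you fetched belong to different users.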

Delete a user and revoke his certificate

# Delete a user and revoke his certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"

## delete a user
/ppp secret
remove [find name=$USERNAME profile=OVPN-Profile]

## revoke a client certificate
/certificate
issued-revoke [find name="$USERNAME@$CN"]

Revert OpenVPN server configuration on MikroTik

# Revert OpenVPN configuration
#

/ip pool
remove [find name=OVPN-Pool]

/ppp profile
remove [find name=OVPN-Profile]

/ip firewall filter
remove [find comment="Allow OpenVPN"]

/ppp secret
remove [find profile=OVPN-Profile]

/certificate
## delete the certificates manually