OpenVPN Mikrotik
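# set pool address range inside LAN network address space
# (pick a range outside the LAN DHCP server's pool so VPN clients cannot collide with DHCP leases)
/ip pool add name=openvpn-pool ranges=<LAN_START_IP_ADDR_FOR_OVPN>-<LAN_END_IP_ADDR_FOR_OVPN>
# create openvpn profile
# bridge=<LAN_BRIDGE> puts each client's ovpn interface straight into the LAN bridge (layer-2, pairs with mode=ethernet below);
# change-tcp-mss=yes clamps MSS so TCP sessions inside the tunnel are not fragmented
/ppp profile add name=OpenVPN remote-address=openvpn-pool bridge=<LAN_BRIDGE> change-tcp-mss=yes dns-server=<MT_ROUTER_LAN_IP> local-address=<MT_ROUTER_LAN_IP>
# add users with passwords
# service=ovpn limits the secret to the OpenVPN server (it is not valid for the other PPP services);
# the password is the second factor next to the client certificate enforced by require-client-certificate=yes below
/ppp secret
add name=<USER> password="<PASSWORD>" service=ovpn
#create certs: CA , for server and users - "sign" can return "timeout" - wait until cert get signed (background job)
/cert
# CA cert - key-usage limited to cert/CRL signing (plus key-agreement), no tls-server/tls-client, so the CA key is not usable as a TLS identity
add name=mt-ca key-usage=key-cert-sign,crl-sign,key-agreement country=PL state=wojewodztwo locality=miasto organization="SOME NAME" unit=IT common-name=mt-ca key-size=4096 days-valid=1860
# ca-crl-host presumably ends up as the CRL distribution point in the signed certs; use a name/address the clients can reach if revocation is expected to be checked
sign mt-ca ca-crl-host=<DNS-PUBLIC-NAME_OR_PUBLIC-IP_OR_LAN-IP_OR_127.0.0.1> name=mt-ca
# server cert - no key-usage given, so the RouterOS default applies; it has to include tls-server,
# otherwise the client's "remote-cert-tls server" check rejects it (confirm the default on your RouterOS version)
add name=ovpn common-name=mt-ovpn key-size=4096 days-valid=1860
sign ovpn ca=mt-ca name=ovpn
# ####################
# ### client cert ####
# add name=<CERT_NAME> common-name=cli-<CERT_NAME> key-size=4096 days-valid=1860
# or create template (1859 days keeps client certs from outliving the CA, which is valid for 1860)
add name=ovpn-cli-tpl common-name=ovpn-cli-template key-size=4096 days-valid=1859
# add cert from template - one cert per client, so a single client can be revoked without touching the others
add copy-from=ovpn-cli-tpl common-name=cli-<CERT_NAME> name=<CERT_NAME>
# SIGN cert:
sign <CERT_NAME> ca=mt-ca name=<CERT_NAME>
# export CA & client cert , export-passphrase is required and can not be empty to get complete (public & private) cert
# mt-ca is exported without a passphrase on purpose: that yields the public certificate only, which is all the clients need
export-certificate mt-ca
# the passphrase encrypts the exported client private key; the OpenVPN client asks for it on connect (see notes below).
# Use a strong, per-client passphrase instead of a literal copied from a howto, and delete the exported .crt/.key files
# from the router's file list once they have been downloaded over a secure channel.
export-certificate <CERT_NAME> export-passphrase=<EXPORT_PASSPHRASE>
# setup openvpn server
# mode=ethernet pairs with "dev tap" on the client; require-client-certificate=yes enforces mutual TLS,
# so a leaked username/password alone does not grant access
/interface ovpn-server server set certificate=ovpn cipher=aes256 default-profile=OpenVPN enabled=yes mode=ethernet \
require-client-certificate=yes
# add rules to firewall:
# (only the OpenVPN port is opened; when a non-default port is used, set it with port= on the ovpn-server too and keep both in sync)
# add action=accept chain=<services or "input"> comment="allow OpenVPN" dst-port=<OPENVPN_SERVER_PORT_25885> protocol=tcp
# in client *.ovpn file place content of client cert files (ca, cert & priv key) between tags ca, cert & key.
# when vpn connection will be initiated, OpenVPN client ask for client cert export passphrase (use checkbox to save it :) ).
# Should be all....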
#client, protocol TCP, set file name as you like - it'll be displayed in OpenVPN client as connection name.
# TCP matches the MikroTik ovpn-server side (the router firewall rule there is protocol=tcp)
proto tcp-client
remote domain.com 12345 # Remote OpenVPN Server DNS/IP and port (placeholder; the port must match the one opened in the router firewall)
# tap allow to access LAN traffic without additional routing - not supported by ios and Android
# (layer-2 tunnel; required here because the server runs with mode=ethernet)
dev tap
# 'tun' - require additional routing to access LAN resources, but works with android and ios
# (switching to tun also needs the server switched to mode=ip)
# do not bind a fixed local port
nobind
# keep key material and the tap device across restarts instead of re-reading/re-opening them
persist-key
persist-tun
# this side is the TLS client
tls-client
# matches cipher=aes256 on the MikroTik server; on newer OpenVPN releases "cipher" is the legacy directive - check your client version
cipher AES-256-CBC
# accept only a server cert carrying the TLS-server extended key usage - stops another client, holding a valid
# client cert from the same CA, from impersonating the server
remote-cert-tls server
# trust anchor: only certificates signed by the router CA (mt-ca) are accepted
<ca>
-----BEGIN CERTIFICATE-----
*** BASE64 encoded CA.crt (from file ca.crt exported from MT)***
-----END CERTIFICATE-----
</ca>
<cert>
*** like in CA, client .crt file content including "BEGIN" & "END" lines ***
</cert>
# the key is encrypted with the export-passphrase used on the router; the client prompts for it on connect.
# The .ovpn therefore contains a credential - protect it like one.
<key>
*** like previous, client private key .key file content including "BEGIN" & "END" lines ***
</key>
# log verbosity
verb 3
# accept options pushed by the server
pull
# specify file for ppp user & password (1st line: ppp-user, 2nd line: ppp-password)
# the file holds the PPP credentials in plaintext - restrict its read permissions to the OpenVPN user;
# some client builds refuse a credentials file and prompt interactively instead
auth-user-pass userpass.txt
# tell OpenVPN to setup route for accessing LAN. Specify LAN subnet, mask and route priority (the higher number the lower priority)
# 10.0.0.0/8 is an example; narrow it to the actual LAN so only that prefix is sent through the tunnel
route 10.0.0.0 255.0.0.0 vpn_gateway 101
ppp-login
ppp-password