@saper-2
Created May 26, 2020 15:49
OpenVPN Mikrotik
# set pool address range inside the LAN network address space
/ip pool add name=openvpn-pool ranges=<LAN_START_IP_ADDR_FOR_OVPN>-<LAN_END_IP_ADDR_FOR_OVPN>
# create OpenVPN profile
/ppp profile add name=OpenVPN remote-address=openvpn-pool bridge=<LAN_BRIDGE> change-tcp-mss=yes dns-server=<MT_ROUTER_LAN_IP> local-address=<MT_ROUTER_LAN_IP>
# add users with passwords
/ppp secret
add name=<USER> password="<PASSWORD>" service=ovpn
# create certs: CA, server and users. "sign" can return "timeout" - wait until the cert gets signed (it is a background job)
/certificate
# CA cert
add name=mt-ca key-usage=key-cert-sign,crl-sign,key-agreement country=PL state=wojewodztwo locality=miasto organization="SOME NAME" unit=IT common-name=mt-ca key-size=4096 days-valid=1860
sign mt-ca ca-crl-host=<DNS-PUBLIC-NAME_OR_PUBLIC-IP_OR_LAN-IP_OR_127.0.0.1> name=mt-ca
# server cert
add name=ovpn common-name=mt-ovpn key-size=4096 days-valid=1860
sign ovpn ca=mt-ca name=ovpn
# ####################
# ### client cert ####
# either create it directly:
# add name=<CERT_NAME> common-name=cli-<CERT_NAME> key-size=4096 days-valid=1860
# or create a template
add name=ovpn-cli-tpl common-name=ovpn-cli-template key-size=4096 days-valid=1859
# and add the cert from the template
add copy-from=ovpn-cli-tpl common-name=cli-<CERT_NAME> name=<CERT_NAME>
# sign the cert:
sign <CERT_NAME> ca=mt-ca name=<CERT_NAME>
# export CA & client cert. export-passphrase is required and cannot be empty to get the complete (public & private) cert
export-certificate mt-ca
export-certificate <CERT_NAME> export-passphrase=xxxx1234
# set up the OpenVPN server
/interface ovpn-server server set certificate=ovpn cipher=aes256 default-profile=OpenVPN enabled=yes mode=ethernet \
require-client-certificate=yes
# add a rule to the firewall (dst-port must match the port the ovpn-server listens on):
# /ip firewall filter add action=accept chain=<services or "input"> comment="allow OpenVPN" dst-port=<OPENVPN_SERVER_PORT_25885> protocol=tcp
# in the client *.ovpn file place the content of the client cert files (ca, cert & private key) between the ca, cert & key tags.
# when the VPN connection is initiated, the OpenVPN client asks for the client cert export passphrase (use the checkbox to save it :) ).
# Should be all....

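An added example, not part of the gist: a small Python helper that fills the placeholders of the RouterOS commands above, checks with the ipaddress module that the pool range really lies inside the LAN subnet (and does not swallow the router's own address or the network/broadcast address), and generates a random PPP password that needs no RouterOS quoting. The sample subnet, router address, bridge name and user name are constructed.

```python
"""Fill in the placeholders of the RouterOS commands above with concrete values,
after checking that the OpenVPN pool fits inside the LAN subnet and does not
contain the router's own address, and generate a PPP password that needs no
RouterOS quoting. Added example, not part of the gist; every sample value
below is constructed."""
import ipaddress
import re
import secrets

# Constructed sample values standing in for the gist's <PLACEHOLDERS>.
SAMPLE = {
    "lan_cidr": "192.168.88.0/24",   # subnet carried by <LAN_BRIDGE>
    "router_ip": "192.168.88.1",     # <MT_ROUTER_LAN_IP>
    "pool_start": "192.168.88.200",  # <LAN_START_IP_ADDR_FOR_OVPN>
    "pool_end": "192.168.88.220",    # <LAN_END_IP_ADDR_FOR_OVPN>
    "bridge": "bridge-lan",          # <LAN_BRIDGE>
    "user": "alice",                 # <USER>
}


def check_pool(lan_cidr, router_ip, pool_start, pool_end):
    """Return a list of problems with the pool; an empty list means it is usable."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    rtr = ipaddress.ip_address(router_ip)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []
    if rtr not in lan:
        problems.append("router IP is not inside the LAN subnet")
    if start > end:
        problems.append("pool start is after pool end")
    if start not in lan or end not in lan:
        problems.append("pool range is not inside the LAN subnet")
        return problems
    if start == lan.network_address or end == lan.broadcast_address:
        problems.append("pool range includes the network or broadcast address")
    if start <= rtr <= end:
        problems.append("pool range contains the router's own address")
    return problems


def ppp_secret_command(user, password=None):
    """Build the `/ppp secret add` line. token_urlsafe only yields [A-Za-z0-9_-],
    so the generated password never needs RouterOS escaping inside the quotes."""
    if password is None:
        password = secrets.token_urlsafe(24)   # 32 characters
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", user):
        raise ValueError("user name contains characters that would need RouterOS quoting")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", password):
        raise ValueError("password contains characters that would need RouterOS quoting")
    return f'/ppp secret add name={user} password="{password}" service=ovpn'


def render_script(cfg, password=None):
    """Return the pool, profile and secret commands with the placeholders filled in."""
    problems = check_pool(cfg["lan_cidr"], cfg["router_ip"], cfg["pool_start"], cfg["pool_end"])
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f'/ip pool add name=openvpn-pool ranges={cfg["pool_start"]}-{cfg["pool_end"]}',
        f'/ppp profile add name=OpenVPN remote-address=openvpn-pool bridge={cfg["bridge"]} '
        f'change-tcp-mss=yes dns-server={cfg["router_ip"]} local-address={cfg["router_ip"]}',
        ppp_secret_command(cfg["user"], password),
    ])


if __name__ == "__main__":
    print(render_script(SAMPLE))
```

Run it and paste the printed lines into the RouterOS terminal; the certificate and ovpn-server commands from the gist follow unchanged. The generated password is printed only once, so store it where the client's userpass.txt is produced.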
# client profile, protocol TCP. Name the file as you like - the OpenVPN client displays the file name as the connection name.
proto tcp-client
# remote OpenVPN server DNS name or IP, and port
remote domain.com 12345
# 'tap' gives access to LAN traffic without additional routing - not supported by iOS and Android
dev tap
# 'tun' requires additional routing to reach LAN resources, but works with Android and iOS
nobind
persist-key
persist-tun
tls-client
cipher AES-256-CBC
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
*** BASE64 encoded CA.crt (from file ca.crt exported from MT) ***
-----END CERTIFICATE-----
</ca>
<cert>
*** like in CA, client .crt file content including "BEGIN" & "END" lines ***
</cert>
<key>
*** like previous, client private key .key file content including "BEGIN" & "END" lines ***
</key>
verb 3
pull
# specify the file holding the PPP user & password (1st line: ppp-user, 2nd line: ppp-password)
auth-user-pass userpass.txt
# tell OpenVPN to set up a route for reaching the LAN. Specify the LAN subnet, mask and route metric (the higher the number, the lower the priority)
route 10.0.0.0 255.0.0.0 vpn_gateway 101

ppp-login
ppp-password
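An added example, not from the gist: the assembly step for the client profile and the two-line userpass.txt above, done in Python. It pulls the PEM blocks out of the ca.crt, client .crt and .key files written by export-certificate, refuses a key that was exported without a passphrase (the flow above expects the OpenVPN client to prompt for it), inlines the blocks between the <ca>, <cert> and <key> tags, and writes both output files owner-readable only. The file names, the sample certificate bodies and the PPP credentials are constructed; domain.com and 12345 are the placeholders from the client file.

```python
"""Assemble an inline client .ovpn from the ca.crt / client .crt / .key files
that `/certificate export-certificate` writes, and create the userpass.txt
that `auth-user-pass` reads. Added example, not from the gist; the file
names, sample values and PEM bodies below are constructed."""
import os
import re
import stat
import tempfile
from pathlib import Path

# One PEM block; the BEGIN and END labels must match (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n.+?\r?\n-----END (?P=label)-----", re.S)

# Directives from the gist's client file; host, port and route are filled in later.
BASE_OPTIONS = """proto tcp-client
remote {host} {port}
dev tap
nobind
persist-key
persist-tun
tls-client
cipher AES-256-CBC
remote-cert-tls server
verb 3
pull
auth-user-pass userpass.txt
route {lan_net} {lan_mask} vpn_gateway 101
"""


def read_pem(path, expect):
    """Return the first PEM block in `path` whose label ends with `expect`."""
    for m in PEM_BLOCK.finditer(Path(path).read_text()):
        if m.group("label").endswith(expect):
            return m.group(0)
    raise ValueError(f"{path}: no PEM block ending in {expect!r}")


def key_is_encrypted(pem):
    """True for a PKCS#8 'ENCRYPTED PRIVATE KEY' block or a legacy Proc-Type
    header, i.e. a key that was exported with export-passphrase set."""
    return "ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem


def build_profile(host, port, ca_path, cert_path, key_path, lan_net, lan_mask):
    """Return the complete .ovpn text with the three PEM blocks inlined."""
    ca = read_pem(ca_path, "CERTIFICATE")
    cert = read_pem(cert_path, "CERTIFICATE")
    key = read_pem(key_path, "PRIVATE KEY")
    if not key_is_encrypted(key):
        raise ValueError("client key is not passphrase-protected; re-export with export-passphrase")
    body = BASE_OPTIONS.format(host=host, port=port, lan_net=lan_net, lan_mask=lan_mask)
    return body + f"<ca>\n{ca}\n</ca>\n<cert>\n{cert}\n</cert>\n<key>\n{key}\n</key>\n"


def write_private(path, text):
    """Create the file with mode 0600 so the key and PPP password stay owner-only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(encrypted=True):
    """Build a profile from constructed sample files and return the outputs."""
    ca = "-----BEGIN CERTIFICATE-----\nMIIBconstructedCAnotARealCert\n-----END CERTIFICATE-----"
    cert = "-----BEGIN CERTIFICATE-----\nMIIBconstructedClientNotARealCert\n-----END CERTIFICATE-----"
    if encrypted:
        key = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIconstructedEncryptedKey\n-----END ENCRYPTED PRIVATE KEY-----"
    else:
        key = "-----BEGIN RSA PRIVATE KEY-----\nMIIconstructedPlainKey\n-----END RSA PRIVATE KEY-----"
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, text in (("ca.crt", ca), ("alice.crt", cert), ("alice.key", key)):
            paths[name] = os.path.join(d, name)
            Path(paths[name]).write_text(text + "\n")
        profile = build_profile("domain.com", 12345, paths["ca.crt"],
                                paths["alice.crt"], paths["alice.key"],
                                "10.0.0.0", "255.0.0.0")
        mode = write_private(os.path.join(d, "alice.ovpn"), profile)
        write_private(os.path.join(d, "userpass.txt"), "alice\nppp-password-here\n")
        userpass = Path(os.path.join(d, "userpass.txt")).read_text()
    return {"profile": profile, "userpass": userpass, "mode": mode}


if __name__ == "__main__":
    print(demo()["profile"])
```

The regex insists that the BEGIN and END labels agree, so a file that was truncated or had two exports concatenated by mistake is rejected instead of producing a profile the client fails on later. Keep userpass.txt next to the .ovpn, since `auth-user-pass userpass.txt` is resolved relative to the profile's directory on most clients.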