-
-
Save wantongtang/629ff5dbbcbe9782727143c07f0df7ab to your computer and use it in GitHub Desktop.
MikroTik (RouterOS) script for setup OpenVPN server and generate certificates
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Setup OpenVPN Server | |
# | |
# Edit variables below and copy paste the script | |
# in a MikroTik terminal window. | |
# | |
:global CN [/system identity get name] | |
:global COUNTRY "UA" | |
:global STATE "KV" | |
:global LOC "Kyiv" | |
:global ORG "" | |
:global OU "" | |
:global USERNAME "user" | |
:global PASSWORD "password" | |
## generate CA certificate | |
/certificate | |
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ | |
organization="$ORG" unit="$OU" common-name="$CN" key-size=4096 \ | |
days-valid=3650 key-usage=crl-sign,key-cert-sign | |
sign ca-template ca-crl-host=127.0.0.1 name="$CN" | |
:if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ | |
else={:delay 10} | |
## generate server certificate | |
/certificate | |
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ | |
organization="$ORG" unit="$OU" common-name="server@$CN" key-size=4096 \ | |
days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server | |
sign server-template ca="$CN" name="server@$CN" | |
:if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ | |
else={:delay 10} | |
## create client template | |
/certificate | |
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ | |
organization="$ORG" unit="$OU" common-name="client" \ | |
key-size=4096 days-valid=3650 key-usage=tls-client | |
:if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ | |
else={:delay 10} | |
## create pool | |
/ip pool | |
add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 | |
## add profile | |
/ppp profile | |
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ | |
remote-address=VPN-POOL use-encryption=yes | |
## setup server | |
/interface ovpn-server server | |
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ | |
default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes | |
## add a firewall rule | |
/ip firewall filter | |
add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" | |
## add user | |
/ppp secret | |
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn | |
## generate client certificate | |
/certificate | |
add name=client-template-to-issue copy-from="client-template" \ | |
common-name="$USERNAME@$CN" | |
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" | |
## export the CA, client certificate and private key | |
/certificate | |
export-certificate "$CN" export-passphrase="" | |
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" | |
/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Create a file 'user.auth' with a username and password | |
# and copy the certificates from the MikroTik | |
# | |
# cat << EOF > user.auth | |
# user | |
# password | |
# EOF | |
client | |
dev tun | |
proto tcp-client | |
remote <MikroTik_IP> 1194 | |
nobind | |
persist-tun | |
cipher AES-256-CBC | |
verb 2 | |
mute 3 | |
auth-user-pass user.auth | |
ca cert_export_MikroTik.crt | |
cert cert_export_user@MikroTik.crt | |
key cert_export_user@MikroTik.key |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment