Mikrotik OpenVPN 2



Mikrotik Openvpn v2

Mikrotik

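# Globals shared by every certificate and server snippet on this page.
# Subject fields used for the CA, server and client certificates.
:global COMMONNAME "openVPN"
:global COUNTRY "UA"
:global STATE "KH"
:global LOCALITY "KHARKOV"
# ORG is kept for compatibility; the snippets below read ORGANIZATION, not ORG.
:global ORG "sirmax@home"
:global UNIT ""
# RSA key size for every generated certificate. The page originally used 1024;
# many current OpenSSL builds (security level 2 and above) refuse RSA keys
# shorter than 2048 bits, so the client would fail the handshake with 1024.
:global KEYSIZE "2048"
# PPP secret for the OpenVPN client (service=ovpn). The same username/password
# pair is what the client writes into login.txt; treat both files as secrets.
:global USERNAME "openvpn"
:global PASSWORD "Xu3thoo4"
:global ORGANIZATION "home.net"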

Сертификаты

Вариант 1

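# Variant 1: CA, server and client certificates.
# Reads the globals defined at the top (COUNTRY, STATE, LOCALITY,
# ORGANIZATION, UNIT, COMMONNAME, KEYSIZE).
/certificate
# CA template: key usage limited to signing certificates and CRLs.
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
# Self-sign the CA; the signed certificate is stored as name=$COMMONNAME.
# On the page this 'sign' was glued onto the end of the 'add' line above,
# where it would be parsed as a bad parameter - it has to be its own command.
sign ca-template ca-crl-host=127.0.0.1 name="$COMMONNAME"
/certificate
# Server certificate signed by the CA. key-usage=tls-server is what the
# client's server-certificate check (remote-cert-tls / ns-cert-type) looks at.
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="server@$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$COMMONNAME" name="server@$COMMONNAME"

# Client certificate (tls-client). It is not signed here: the server section
# copies it to "$USERNAME-to-issue", signs and exports it.
add name=$USERNAME country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$USERNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client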

Вариант 2 (тестировался с ROS7)

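# Variant 2 (tested with ROS7): CA, server and client certificates.
# Still reads COUNTRY/STATE/LOCALITY/ORGANIZATION/UNIT/COMMONNAME/KEYSIZE
# from the globals at the top.
:global caName "Mikrotik_OpenVPN_Ca"
:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
:global openvpnClientName "homeopenvpnclient"
# CA. The page had organization="ORGANIZATION" (the literal word, missing the
# '$'), which put the string ORGANIZATION into the CA subject; fixed to the
# variable like every other line.
/certificate add name="$caName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign "$caName" ca-crl-host=127.0.0.1
# Server certificate (tls-server), signed by the CA.
# NOTE(review): it reuses the CA's common-name ($COMMONNAME); variant 1 gives
# the server its own CN ("server@$COMMONNAME"), which is easier to tell apart
# in client logs. Optional - left as the author tested it.
/certificate add name="$openvpnCertName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign "$openvpnCertName" ca="$caName"
# Client certificate (tls-client); its name/CN is also the PPP username used
# by the /ppp secret in the server section.
/certificate add name="$openvpnClientName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$openvpnClientName" key-size=$KEYSIZE days-valid=3650 key-usage=tls-client
/certificate sign $openvpnClientName ca="$caName"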

Настройка сервера

Вариант 1 (тестировался с ROS6)

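# Server, variant 1 (tested with ROS6).
/ip pool
add name=OPEN-VPN-POOL ranges=10.2.1.2-10.2.1.254
/ppp profile
add dns-server=8.8.8.8 local-address=10.2.1.1 name=OPEN-VPN-PROFILE remote-address=OPEN-VPN-POOL use-encryption=yes
/interface ovpn-server server
# auth/cipher must match the client's 'auth' and 'cipher' lines; the client
# profile on this page uses SHA1 + AES-128-CBC, which this list allows.
# require-client-certificate=yes: a username/password alone is not enough.
set auth=sha1 certificate="server@$COMMONNAME" cipher=aes128,aes192,aes256 default-profile=OPEN-VPN-PROFILE enabled=yes require-client-certificate=yes
# Input rule for the OpenVPN port, placed in front of all other input rules.
# action=accept is the RouterOS default for filter rules; it is written out so
# the rule reads as what it does. The rule has no in-interface restriction,
# so TCP/1194 is reachable from every interface of the router.
/ip firewall filter add chain=input dst-port=1194 protocol=tcp action=accept comment="Allow OpenVPN" place-before=0
# PPP secret the client sends via auth-user-pass (login.txt).
/ppp secret add name=$USERNAME password=$PASSWORD profile=OPEN-VPN-PROFILE service=ovpn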


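# Issue the client certificate: copy the unsigned request created in the
# certificate section, give it the final CN and sign it with the CA.
/certificate add name="$USERNAME-to-issue" copy-from="$USERNAME" common-name="$USERNAME@$COMMONNAME"
/certificate sign "$USERNAME-to-issue" ca="$COMMONNAME" name="$USERNAME@$COMMONNAME"
# Exports for the client. The page called export-certificate without the
# /certificate prefix, which only works while already inside that menu;
# the full path works from anywhere.
# CA: the client only needs the CA *certificate*. NOTE(review): an
# export-passphrase is what asks RouterOS to export the private key as well
# when one is present - confirm the CA key really should leave the router
# (the /file print output on the page shows only a .crt for the CA).
/certificate export-certificate "$COMMONNAME" export-passphrase="12345678"
# Client certificate plus key; the passphrase protecting the exported key is
# the same value as the PPP password.
/certificate export-certificate "$USERNAME@$COMMONNAME" export-passphrase="$PASSWORD"
/file print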
9 cert_export_openVPN.crt          .crt file       948 may/08/2019 14:12:51
10 cert_export_openvpn@openVPN.crt .crt file       924 may/08/2019 14:13:00
11 cert_export_openvpn@openVPN.key .key file       1054 may/08/2019 14:13:00

Сертификаты забрать по scp

Вариант 2 (тестировался с ROS7)

# Server, variant 2 (tested with ROS7). Certificate names are the ones from
# the variant 2 certificate section; PASSWORD comes from the globals at the top.
:global caName "Mikrotik_OpenVPN_Ca"
:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
:global openvpnClientName "homeopenvpnclient"
# Address pool handed to connecting clients.
/ip pool
add ranges=192.168.18.2-192.168.18.10 name=openvpn_server_pool
# Profile: router side of the tunnel is .1, clients draw from the pool.
/ppp profile
add name=openvpn_profile remote-address=openvpn_server_pool local-address=192.168.18.1
# PPP secret; the username is the client certificate name/CN.
/ppp secret
add service=ovpn profile=openvpn_profile name=$openvpnClientName password=$PASSWORD

Или

# Alternative secret: pin a fixed local/remote address pair for this client
# instead of drawing from the pool.
/ppp secret
add service=ovpn profile=openvpn_profile name=$openvpnClientName password=$PASSWORD local-address=192.168.18.1 remote-address=192.168.18.2
# Enable the server with the variant 2 server certificate.
# NOTE(review): cipher=aes256 only, while the client profile on this page sets
# 'cipher AES-128-CBC'; with this server the client needs 'cipher AES-256-CBC',
# or list aes128 here as variant 1 does.
/interface ovpn-server server
set enabled=yes certificate=$openvpnCertName auth=sha1 cipher=aes256 require-client-certificate=yes default-profile=openvpn_profile

OpenVPN Client

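# OpenVPN client profile for the MikroTik ovpn-server configured above.
client
dev tun
proto tcp
# Public address of the router; the commented line is its LAN-side address.
remote 159.224.49.4 1194
#remote 192.168.1.200 1194
resolv-retry infinite
nobind
# PPP username and password (the /ppp secret on the router), one per line.
# login.txt holds the password in clear text - keep it readable only by the
# user that runs OpenVPN.
auth-user-pass login.txt
pull
redirect-gateway
persist-key
persist-tun
# Require the server certificate to carry the TLS server key usage.
# Replaces 'ns-cert-type server' from the page: that option was deprecated in
# OpenVPN 2.4 and removed in 2.5, so current clients reject the profile. The
# router's server certificate is issued with key-usage=tls-server, which is
# exactly what this check verifies.
remote-cert-tls server
# comp-lzo: not supported, left disabled.
#comp-lzo
verb 3
# Must match 'auth=' on the MikroTik ovpn-server (auth=sha1).
auth SHA1
# Must match 'cipher=' on the MikroTik ovpn-server (aes128 there is AES-128-CBC).
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIIC2/evsYh1B8wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
ruMGgvJo+v/CM80fSXwu9SVLzdhT2j97VestLovSQ1fkkGvP
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICfjCCAeegAwIBAgIIUNKWrvezxRowDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
9VSL8diJznoIUW8Zy/MEvoSx
-----END CERTIFICATE-----
</cert>
# The client private key is embedded unencrypted; protect this file like
# login.txt.
<key>
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDEnsJljdeQN5aSBI2ferSbqod1QEos52ajaW1kyOKhKsslpnKz
<SKIP>
IIrKJPxpHIqtTxBxuKAmls5vwvvpZvjgEg+aSZOziqw=
-----END RSA PRIVATE KEY-----
</key>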

Файл с логином-паролем

auth-user-pass login.txt
cat login.txt
openvpn
Xu3thoo4
Пароль тот же самый, что и заданный в начале со стороны Микротика.