Mikrotik OpenVPN 2: revision differences

From noname.com.ua
Строка 38: Строка 38:
   
 
====Вариант 2 (терировал с ROS7)====
 
====Вариант 2 (терировал с ROS7)====
  +
<PRE>
  +
:global CA_NAME "Mikrotik_OpenVPN_Ca"
  +
:global OPENVPN_CERT_NAME "Mikrotik_OpenVPN_Server_Cert"
  +
</PRE>
 
<PRE>
 
<PRE>
 
/certificate
 
/certificate
add name=ca country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
+
add name="$CA_NAME" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
  +
</PRE>
  +
/certificate
 
sign ca ca-crl-host=127.0.0.1
 
sign ca ca-crl-host=127.0.0.1
 
</PRE>
 
</PRE>
 
<PRE>
 
<PRE>
 
certificate
 
certificate
add name=ovpn-server country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
+
add name=ovpn-server country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign ovpn-server ca="ca"
+
sign ovpn-server ca="$CA_NAME"
  +
</PRE>
  +
  +
<PRE>
  +
/certificate
  +
add name=mikrotik country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="mikrotik" key-size=$KEYSIZE days-valid=3650 key-usage=tls-client
  +
sign mikrotik ca="$CA_NAME"
 
</PRE>
 
</PRE>
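Review bot: the renamed CA breaks the signing step in this hunk. The `add` line now creates the CA as name="$CA_NAME" (Mikrotik_OpenVPN_Ca), but the `sign ca ca-crl-host=127.0.0.1` line that follows still names a certificate called `ca`, which no longer exists, so the CA is never signed and the later `sign ovpn-server ca="$CA_NAME"` runs against an unsigned CA; change it to `sign "$CA_NAME" ca-crl-host=127.0.0.1`. Two smaller points in the same hunk: organization="ORGANIZATION" on the CA `add` line is still missing the `$` (the server and client lines have it), and OPENVPN_CERT_NAME is declared but the server certificate is still added as name=ovpn-server, so either use name="$OPENVPN_CERT_NAME" there or drop the global.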
   

Revision as of 11:54, 23 November 2021


Mikrotik Openvpn v2

Mikrotik

:global COMMONNAME "openVPN"
:global COUNTRY "UA"
:global STATE "KH"
:global LOCALITY "KHARKOV"
# ORG is not referenced by any command below; the certificates use ORGANIZATION
:global ORG "sirmax@home"
:global UNIT ""
# 2048 is the minimum: OpenVPN 2.4+ rejects RSA keys shorter than that by default
# (the original page used 1024)
:global KEYSIZE "2048"
:global USERNAME "openvpn"
# example value; this becomes the PPP secret password the client sends from login.txt
:global PASSWORD "Xu3thoo4"
:global ORGANIZATION "home.net"

Certificates

Variant 1

/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
# self-sign the CA; name= renames it from ca-template to "$COMMONNAME", which the later ca= references use
sign ca-template ca-crl-host=127.0.0.1 name="$COMMONNAME"
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="server@$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$COMMONNAME" name="server@$COMMONNAME"

# client template: deliberately left unsigned; a per-user copy is made and signed in the server section below
add name=$USERNAME country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$USERNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

Variant 2 (tested with ROS7)

:global CA_NAME "Mikrotik_OpenVPN_Ca"
:global OPENVPN_CERT_NAME "Mikrotik_OpenVPN_Server_Cert"
/certificate
add name="$CA_NAME" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign

# self-sign the CA under its own name (the original read "sign ca", which no longer matched name="$CA_NAME")
/certificate sign "$CA_NAME" ca-crl-host=127.0.0.1

/certificate
add name="$OPENVPN_CERT_NAME" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign "$OPENVPN_CERT_NAME" ca="$CA_NAME"
/certificate
add name=mikrotik country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="mikrotik" key-size=$KEYSIZE days-valid=3650 key-usage=tls-client
sign mikrotik ca="$CA_NAME"
# with this variant the server section below must reference certificate="$OPENVPN_CERT_NAME"
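Both variants are pasted into the router by hand, and RouterOS gives little feedback when a `$` is forgotten or a `sign` names a certificate that was never added (the original text of variant 2 had both slips, plus a 1024-bit key size). The linter below is an added example, not part of this page or of RouterOS: it makes the same checks a reviewer would make by eye over either variant, including variant 1's copy-from template and `sign ... name=` rename. `BUGGY` is a constructed copy of variant 2 as it originally read; `lint(BUGGY)` returns six findings and `lint(FIXED)` returns an empty list.

```python
"""Linter for RouterOS /certificate provisioning scripts (added example, not
from the original page).  It catches the slips the variants above invite: a
:global used without '$', a 'sign' naming a certificate that was never added,
a ca= pointing at a certificate without key-cert-sign, and RSA keys shorter
than 2048 bits, which OpenVPN 2.4+ rejects by default."""
import re
import shlex

MIN_KEY_SIZE = 2048
GLOBAL_RE = re.compile(r'^:global\s+(\w+)\s+"([^"]*)"\s*$')
VAR_RE = re.compile(r'\$(\w+)')


def _expand(value, globals_):
    """Substitute $VAR with its :global value; unknown names are left as-is."""
    return VAR_RE.sub(lambda m: globals_.get(m.group(1), m.group(0)), value)


def _params(tokens):
    """'key=value' tokens become dict entries; bare tokens go under '_pos'."""
    params = {'_pos': [tok for tok in tokens if '=' not in tok]}
    params.update(tok.split('=', 1) for tok in tokens if '=' in tok)
    return params


def lint(script):
    """Return a list of findings; an empty list means the script looks sane."""
    globals_, certs, findings = {}, {}, []
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = GLOBAL_RE.match(line)
        if m:
            globals_[m.group(1)] = m.group(2)
            continue
        if line.startswith('/'):            # '/certificate' alone only selects the menu
            parts = line.split(None, 1)
            if len(parts) == 1:
                continue
            line = parts[1]
        for var in VAR_RE.findall(line):
            if var not in globals_:
                findings.append(f'line {lineno}: undefined variable ${var}')
        tokens = shlex.split(line)
        cmd, params = tokens[0], _params(tokens[1:])
        for key, value in params.items():   # organization="ORGANIZATION": forgot the '$'
            if key != '_pos' and value in globals_:
                findings.append(f"line {lineno}: {key}={value!r} looks like a missing '$'")
        if cmd == 'add':
            name = _expand(params.get('name', ''), globals_)
            usage = set(_expand(params.get('key-usage', ''), globals_).split(','))
            src = _expand(params.get('copy-from', ''), globals_)
            if src in certs:                # variant 1 copies a template per client
                usage |= certs[src]['usage']
                certs[src]['template'] = True
            size = _expand(params.get('key-size', ''), globals_)
            if size.isdigit() and int(size) < MIN_KEY_SIZE:
                findings.append(f'line {lineno}: {name}: key-size {size} < {MIN_KEY_SIZE}')
            certs[name] = {'usage': usage, 'signed': False, 'template': False}
        elif cmd == 'sign':
            name = _expand(params['_pos'][0], globals_) if params['_pos'] else ''
            if name not in certs:
                findings.append(f'line {lineno}: sign refers to unknown certificate {name!r}')
                continue
            ca = params.get('ca')           # absent: self-signed, i.e. the CA itself
            if ca is not None:
                ca = _expand(ca, globals_)
                if ca not in certs:
                    findings.append(f'line {lineno}: ca={ca!r} was never added')
                elif 'key-cert-sign' not in certs[ca]['usage']:
                    findings.append(f'line {lineno}: ca={ca!r} lacks key-cert-sign')
                elif not certs[ca]['signed']:
                    findings.append(f'line {lineno}: ca={ca!r} is not signed yet')
            certs[name]['signed'] = True
            if 'name' in params:            # 'sign X name=Y' renames the certificate
                certs[_expand(params['name'], globals_)] = certs.pop(name)
    for name, info in certs.items():
        if not info['signed'] and not info['template']:
            findings.append(f'{name}: added but never signed')
    return findings


# Constructed sample: variant 2 with the slips the page originally contained
BUGGY = '''
:global KEYSIZE "1024"
:global ORGANIZATION "home.net"
:global CA_NAME "Mikrotik_OpenVPN_Ca"
/certificate
add name="$CA_NAME" organization="ORGANIZATION" key-size="$KEYSIZE" key-usage=crl-sign,key-cert-sign
/certificate sign ca ca-crl-host=127.0.0.1
add name=ovpn-server organization="$ORGANIZATION" key-size=$KEYSIZE key-usage=digital-signature,key-encipherment,tls-server
sign ovpn-server ca="$CA_NAME"
'''
# The same script with every finding fixed
FIXED = (BUGGY.replace('"1024"', '"2048"')
              .replace('"ORGANIZATION"', '"$ORGANIZATION"')
              .replace('sign ca ca-crl-host', 'sign "$CA_NAME" ca-crl-host'))
```

The missing-`$` heuristic only fires when a bare value equals the name of a declared global, so ordinary values such as `common-name="openvpn"` are not flagged; run the script through `lint()` before pasting it into the router rather than discovering the broken chain when the first client fails its TLS handshake.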

OpenVPN server

# the certificate names below are those of variant 1; with variant 2 use certificate="$OPENVPN_CERT_NAME"
/ip pool
add name=OPEN-VPN-POOL ranges=10.2.1.2-10.2.1.254
/ppp profile
add dns-server=8.8.8.8 local-address=10.2.1.1 name=OPEN-VPN-PROFILE remote-address=OPEN-VPN-POOL use-encryption=yes
/interface ovpn-server server
# auth= and cipher= must match the client's "auth" and "cipher" lines: RouterOS 6 does not negotiate them
set auth=sha1 certificate="server@$COMMONNAME" cipher=aes128,aes192,aes256 default-profile=OPEN-VPN-PROFILE enabled=yes require-client-certificate=yes
/ip firewall filter add chain=input action=accept dst-port=1194 protocol=tcp comment="Allow OpenVPN" place-before=0
/ppp secret add name=$USERNAME password=$PASSWORD profile=OPEN-VPN-PROFILE service=ovpn
# issue the client certificate from the template: copy it, then sign the copy with the CA
/certificate add name="$USERNAME-to-issue" copy-from="$USERNAME" common-name="$USERNAME@$COMMONNAME"
/certificate sign "$USERNAME-to-issue" ca="$COMMONNAME" name="$USERNAME@$COMMONNAME"
# CA: export the certificate only; without export-passphrase no private key is written, and the client never needs the CA key
export-certificate "$COMMONNAME"
# client: certificate plus private key, the key encrypted with the export passphrase
export-certificate "$USERNAME@$COMMONNAME" export-passphrase="$PASSWORD"
/file print
 9 cert_export_openVPN.crt          .crt file        948 may/08/2019 14:12:51
10 cert_export_openvpn@openVPN.crt  .crt file        924 may/08/2019 14:13:00
11 cert_export_openvpn@openVPN.key  .key file       1054 may/08/2019 14:13:00

Fetch the certificates from the router with scp. The exported client .key is encrypted with the export passphrase: either keep it encrypted and add `askpass` to the client config, or decrypt it once with `openssl rsa -in cert_export_openvpn@openVPN.key -out client.key` before pasting it into the <key> block, and keep the result mode 0600.

OpenVPN Client

client
dev tun
# RouterOS 6 accepts TCP only; ROS 7 can also listen on UDP
proto tcp
remote 159.224.49.4 1194
#remote 192.168.1.200 1194
resolv-retry infinite
nobind
auth-user-pass login.txt
pull
redirect-gateway
persist-key
persist-tun
# verify the server certificate's tls-server (serverAuth) usage;
# "ns-cert-type server", used in the original, was removed in OpenVPN 2.5
remote-cert-tls server
# comp-lzo is not supported by RouterOS, so leave it out
verb 3
# must match auth= on the Mikrotik side
auth SHA1
# must match one of the cipher= values on the Mikrotik side; on OpenVPN 2.5+ add
# "data-ciphers-fallback AES-128-CBC" as well, since RouterOS 6 does not negotiate the cipher
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIIC2/evsYh1B8wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
ruMGgvJo+v/CM80fSXwu9SVLzdhT2j97VestLovSQ1fkkGvP
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICfjCCAeegAwIBAgIIUNKWrvezxRowDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
9VSL8diJznoIUW8Zy/MEvoSx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDEnsJljdeQN5aSBI2ferSbqod1QEos52ajaW1kyOKhKsslpnKz
<SKIP>
IIrKJPxpHIqtTxBxuKAmls5vwvvpZvjgEg+aSZOziqw=
-----END RSA PRIVATE KEY-----
</key>
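The two "must match the Mikrotik side" notes in the profile above are the usual reason a RouterOS OpenVPN client fails to connect, and the errors OpenVPN prints rarely say so. The checker below is an added example, not from this page: it parses the `/interface ovpn-server server set` line from the server section and an .ovpn profile, and reports every mismatch, including the compression and `ns-cert-type` pitfalls noted in the profile. `ROS_SERVER` is copied from this page; `GOOD` and `BAD` are constructed profiles with placeholders where the PEM blocks would go, and 192.0.2.1 is a documentation address, not the page's server.

```python
"""Cross-check an OpenVPN client profile against the RouterOS
'/interface ovpn-server server set ...' line it has to match (added example,
not from the original page).  RouterOS 6 negotiates neither the data cipher
nor the HMAC, so 'cipher' and 'auth' in the profile must literally match the
router, and RouterOS has no compression support at all."""
import re
import shlex

CIPHERS = {'aes128': 'AES-128-CBC', 'aes192': 'AES-192-CBC',   # RouterOS -> OpenVPN names
           'aes256': 'AES-256-CBC', 'blowfish128': 'BF-CBC'}


def parse_ros_server(line):
    """'set auth=sha1 cipher=aes128,aes256 ...' -> {'auth': 'sha1', ...}."""
    return dict(tok.split('=', 1) for tok in shlex.split(line) if '=' in tok)


def parse_ovpn(text):
    """Return (directives, blocks): option -> argument list (first occurrence
    wins, as in OpenVPN) and the set of inline <ca>/<cert>/<key> sections."""
    directives, blocks, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                                  # inside <block> ... </block>
            if line == f'</{current}>':
                current = None
            continue
        m = re.fullmatch(r'<(\w+)>', line)
        if m:
            current = m.group(1)
            blocks.add(current)
            continue
        if not line or line[0] in '#;':              # comment lines
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], parts[1:])
    return directives, blocks


def check(ovpn_text, ros_line):
    """Return a list of mismatches; empty means the profile fits the router."""
    d, blocks = parse_ovpn(ovpn_text)
    ros = parse_ros_server(ros_line)
    problems = []
    want_auth = ros.get('auth', 'sha1').upper()      # RouterOS default: sha1
    got_auth = d.get('auth', ['SHA1'])[0].upper()    # OpenVPN default: SHA1
    if got_auth != want_auth:
        problems.append(f'auth {got_auth} does not match router auth={want_auth.lower()}')
    allowed = {CIPHERS.get(c, c) for c in ros.get('cipher', 'blowfish128').split(',')}
    if 'cipher' not in d:
        problems.append('no cipher directive: OpenVPN 2.5+ would try to negotiate, RouterOS 6 cannot')
    elif d['cipher'][0].upper() not in allowed:
        problems.append(f"cipher {d['cipher'][0]} not offered by router ({','.join(sorted(allowed))})")
    want_proto = ros.get('protocol', 'tcp')          # RouterOS 6 is TCP only
    got_proto = d.get('proto', ['udp'])[0]           # OpenVPN default: udp
    if not got_proto.startswith(want_proto):
        problems.append(f'proto {got_proto} but the router listens on {want_proto}')
    if 'comp-lzo' in d or 'compress' in d:
        problems.append('compression enabled: RouterOS does not support it')
    if ros.get('require-client-certificate') == 'yes' and not (
            {'cert', 'key'} <= blocks or {'cert', 'key'} <= set(d)):
        problems.append('router requires a client certificate but the profile has none')
    if 'auth-user-pass' not in d:
        problems.append('no auth-user-pass: RouterOS always checks a PPP secret')
    if 'ns-cert-type' in d:
        problems.append('ns-cert-type was removed in OpenVPN 2.5; use "remote-cert-tls server"')
    return problems


# The server line from this page; the two profiles are constructed.
ROS_SERVER = ('set auth=sha1 certificate="server@$COMMONNAME" cipher=aes128,aes192,aes256 '
              'default-profile=OPEN-VPN-PROFILE enabled=yes require-client-certificate=yes')
GOOD = '''client
proto tcp
remote 192.0.2.1 1194
auth-user-pass login.txt
remote-cert-tls server
auth SHA1
cipher AES-128-CBC
<ca>
CA-PLACEHOLDER
</ca>
<cert>
CERT-PLACEHOLDER
</cert>
<key>
KEY-PLACEHOLDER
</key>
'''
BAD = '''client
proto udp
remote 192.0.2.1 1194
auth-user-pass login.txt
ns-cert-type server
comp-lzo
auth SHA256
cipher AES-256-GCM
<ca>
CA-PLACEHOLDER
</ca>
'''
```

`check(GOOD, ROS_SERVER)` returns an empty list; `check(BAD, ROS_SERVER)` lists six problems (HMAC, cipher, transport, compression, missing client certificate, and the removed `ns-cert-type` directive). The cipher comparison is deliberately literal: OpenVPN's newer GCM suites are never accepted by a RouterOS 6 server, whatever the client would prefer.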

File with login and password

auth-user-pass login.txt
$ cat login.txt
openvpn
Xu3thoo4
The password is the one set in the PPP secret on the Mikrotik side (the PASSWORD global). Keep the file mode 0600: it holds the credential in clear text.