Mikrotik OpenVPN 2: различия между версиями
Sirmax (обсуждение | вклад) |
Sirmax (обсуждение | вклад) |
(не показано 18 промежуточных версий этого же участника) | |||
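--- a/Mikrotik OpenVPN 2
+++ b/Mikrotik OpenVPN 2
@@ -7,3 +7,4 @@
 ==Mikrotik==
+
 <PRE>
 :global COMMONNAME "openVPN"
@@ -17,11 +18,16 @@
 :global USERNAME "openvpn"
 :global PASSWORD "Xu3thoo4"
+:global ORGANIZATION "home.net"
 </PRE>
+===Сертификаты===
-
+====Вариант 1====
 <PRE>
 /certificate
 add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$COMMONNAME"
+</PRE>
+<PRE>
-
+/certificate
 add name=server-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="server@$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
+</PRE>
-
+<PRE>
 sign server-template ca="$COMMONNAME" name="server@$COMMONNAME"
@@ -31,3 +37,36 @@
 </PRE>
+====Вариант 2 (терировал с ROS7)====
+<PRE>
+:global caName "Mikrotik_OpenVPN_Ca"
+:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
+:global openvpnClientName "homeopenvpnclient"
+</PRE>
+
+<PRE>
+/certificate add name="$caName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
+</PRE>
+
+<PRE>
+/certificate sign "$caName" ca-crl-host=127.0.0.1
+</PRE>
+
+<PRE>
+/certificate add name="$openvpnCertName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
+</PRE>
+
+<PRE>
+/certificate sign "$openvpnCertName" ca="$caName"
+</PRE>
+
+<PRE>
+/certificate add name="$openvpnClientName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$openvpnClientName" key-size=$KEYSIZE days-valid=3650 key-usage=tls-client
+</PRE>
+
+<PRE>
+/certificate sign $openvpnClientName ca="$caName"
+</PRE>
+
+===Настройка сервера===
+====Вариант 1 (тестировался с ROS6)====
 <PRE>
 /ip pool
@@ -53,3 +92,4 @@
 /ppp secret add name=$USERNAME password=$PASSWORD profile=OPEN-VPN-PROFILE service=ovpn
 </PRE>
+
 <PRE>
@@ -63,5 +103,5 @@
 export-certificate "$USERNAME@$COMMONNAME" export-passphrase="$PASSWORD"
 </PRE>
-<
+<PRE>
 /file print
 9 cert_export_openVPN.crt .crt file 948 may/08/2019 14:12:51
@@ -71,1 +111,81 @@
 Сертефиуаты забрать по scp
+====Вариант 2 (тестировался с ROS7)====
+<PRE>
+:global caName "Mikrotik_OpenVPN_Ca"
+:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
+:global openvpnClientName "homeopenvpnclient"
+</PRE>
+<PRE>
+/ip pool add name=openvpn_server_pool ranges=192.168.18.2-192.168.18.10
+</PRE>
+
+<PRE>
+/ppp profile add local-address=192.168.18.1 name=openvpn_profile remote-address=openvpn_server_pool
+</PRE>
+<PRE>
+/ppp secret add name=$openvpnClientName password=$PASSWORD profile=openvpn_profile service=ovpn
+</PRE>
+Или
+<PRE>
+/ppp secret add name=$openvpnClientName password=$PASSWORD profile=openvpn_profile service=ovpn remote-address=192.168.18.2 local-address=192.168.18.1
+</PRE>
+
+<PRE>
+/interface ovpn-server server set auth=sha1 certificate=$openvpnCertName cipher=aes256 default-profile=openvpn_profile enabled=yes require-client-certificate=yes
+</PRE>
+
+==OpenVPN Client==
+<PRE>
+client
+dev tun
+proto tcp
+remote 159.224.49.4 1194
+#remote 192.168.1.200 1194
+resolv-retry infinite
+nobind
+auth-user-pass login.txt
+pull
+redirect-gateway
+persist-key
+persist-tun
+ns-cert-type server
+#comp-lzo № не поддерживается
+verb 3
+auth SHA1 # Важно что б совпадало с тем что на стороне микротика
+cipher AES-128-CBC # Важно что б совпадало с тем что на стороне микротика
+<ca>
+-----BEGIN CERTIFICATE-----
+MIICkDCCAfmgAwIBAgIIC2/evsYh1B8wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
+<SKIP>
+ruMGgvJo+v/CM80fSXwu9SVLzdhT2j97VestLovSQ1fkkGvP
+-----END CERTIFICATE-----
+</ca>
+<cert>
+-----BEGIN CERTIFICATE-----
+MIICfjCCAeegAwIBAgIIUNKWrvezxRowDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
+<SKIP>
+9VSL8diJznoIUW8Zy/MEvoSx
+-----END CERTIFICATE-----
+</cert>
+<key>
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDEnsJljdeQN5aSBI2ferSbqod1QEos52ajaW1kyOKhKsslpnKz
+<SKIP>
+IIrKJPxpHIqtTxBxuKAmls5vwvvpZvjgEg+aSZOziqw=
+-----END RSA PRIVATE KEY-----
+</key>
+</PRE>
+Файл с логином-паролем
+<PRE>
+auth-user-pass login.txt
+</PRE>
+<PRE>
+cat login.txt
+openvpn
+Xu3thoo4
+</PRE>
+Пароль тот же самый что и в начале задан со стороны микротика
+
+
+
+* https://interface31.ru/tech_it/2020/01/nastroyka-openvpn-servera-na-routerah-mikrotik.html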
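Review bot: In the hunk starting at "Строка 31 / Строка 37", the new CA line `/certificate add name="$caName" ... organization="ORGANIZATION" ...` is missing the `$`, so the CA subject receives the literal string ORGANIZATION instead of the value of the global; the two other `/certificate add` lines in the same hunk correctly pass `organization="$ORGANIZATION"`. It should read `organization="$ORGANIZATION"`. In the last hunk the ROS7 server line sets `cipher=aes256` while the client config added below it sends `cipher AES-128-CBC`, and the inline comment on that client line says the two must match, so one side needs changing; the ROS6 variant lists `aes128,aes192,aes256`, which is presumably what the client config was written against.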
Текущая версия на 12:49, 23 ноября 2021
Mikrotik Openvpn v2
Mikrotik
# Shared variables read by the /certificate and /ppp commands further down
# (RouterOS script; one :global per line).
:global COMMONNAME "openVPN"
:global COUNTRY "UA"
:global STATE "KH"
:global LOCALITY "KHARKOV"
# NOTE(review): ORG is not referenced by any command on this page; the
# /certificate add lines read ORGANIZATION (set at the end of this block).
:global ORG "sirmax@home"
:global UNIT ""
# NOTE(review): 1024-bit RSA is below current minimum recommendations (2048 or
# more). The size is baked into every CA/server/client key generated from it,
# so it is worth raising before the certificates are created, not after.
:global KEYSIZE "1024"
:global USERNAME "openvpn"
# PASSWORD is reused in three places on this page: the PPP secret, the
# export-passphrase of the client certificate key, and line 2 of login.txt.
:global PASSWORD "Xu3thoo4"
:global ORGANIZATION "home.net"
Сертификаты
Вариант 1
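# Variant 1: CA, server certificate and the per-user client-certificate
# template. COUNTRY, STATE, ... KEYSIZE, USERNAME come from the :global block.
# Fix: in the original the CA 'add' and its 'sign' were fused on one line;
# 'sign' is a separate command, not a parameter of 'add'.
#
# CA: key-usage crl-sign,key-cert-sign marks it as a signing authority.
/certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
# Self-sign the CA (no ca= given); the signed certificate is named $COMMONNAME.
/certificate sign ca-template ca-crl-host=127.0.0.1 name="$COMMONNAME"
# Server certificate: tls-server requests the TLS-server extended key usage,
# which is what a client-side server-identity check (remote-cert-tls server)
# looks for.
/certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="server@$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-template ca="$COMMONNAME" name="server@$COMMONNAME"
# Client-certificate template (tls-client). It is not signed here: the server
# section copies it per user (copy-from="$USERNAME") and signs the copy.
/certificate add name=$USERNAME country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$USERNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client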
Вариант 2 (тестировал с ROS7)
:global caName "Mikrotik_OpenVPN_Ca" :global openvpnCertName "Mikrotik_OpenVPN_Server_Cert" :global openvpnClientName "homeopenvpnclient"
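# Variant 2 (tested on ROS7): same CA / server / client structure, one
# command per line; certificate names come from the caName, openvpnCertName
# and openvpnClientName globals, the subject fields from the :global block.
# Fix: organization was the literal string "ORGANIZATION" (missing '$'), so the
# CA subject did not carry the configured organization. key-size and the
# client name are now quoted like every other variable on these lines.
/certificate add name="$caName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
# Self-sign the CA (no ca= given).
/certificate sign "$caName" ca-crl-host=127.0.0.1
# Server certificate; tls-server requests the TLS-server extended key usage.
/certificate add name="$openvpnCertName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign "$openvpnCertName" ca="$caName"
# Client certificate; its common-name is also the PPP secret name used by the
# server section, so the two stay in step.
/certificate add name="$openvpnClientName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$openvpnClientName" key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client
/certificate sign "$openvpnClientName" ca="$caName"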
Настройка сервера
Вариант 1 (тестировался с ROS6)
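# Variant 1 (ROS6): address pool, PPP profile, OpenVPN server, firewall rule,
# PPP secret, per-user client certificate and export. Keep the order: each
# command references an object created by an earlier one.
/ip pool add name=OPEN-VPN-POOL ranges=10.2.1.2-10.2.1.254
# dns-server is handed to connecting clients; local-address is the server end.
/ppp profile add dns-server=8.8.8.8 local-address=10.2.1.1 name=OPEN-VPN-PROFILE remote-address=OPEN-VPN-POOL use-encryption=yes
# The client must use auth SHA1 and one of the listed ciphers
# (the client config on this page uses AES-128-CBC).
/interface ovpn-server server set auth=sha1 certificate="server@$COMMONNAME" cipher=aes128,aes192,aes256 default-profile=OPEN-VPN-PROFILE enabled=yes require-client-certificate=yes
# action=accept is the RouterOS default; it is written out so the rule's
# intent is explicit. As written 1194/tcp is reachable from any source;
# add in-interface= or src-address= if only a known uplink/peer should reach it.
/ip firewall filter add chain=input dst-port=1194 protocol=tcp action=accept comment="Allow OpenVPN" place-before=0
/ppp secret add name=$USERNAME password=$PASSWORD profile=OPEN-VPN-PROFILE service=ovpn
# Per-user certificate: copy the tls-client template and sign it with the CA.
/certificate add name="$USERNAME-to-issue" copy-from="$USERNAME" common-name="$USERNAME@$COMMONNAME"
/certificate sign "$USERNAME-to-issue" ca="$COMMONNAME" name="$USERNAME@$COMMONNAME"
# Export the CA certificate only. The original passed export-passphrase="12345678";
# export-passphrase asks RouterOS to export the private key as well (encrypted
# with that passphrase), and the client needs nothing but the public CA
# certificate for its <ca> block, so no passphrase is given and no CA key
# leaves the router.
/certificate export-certificate "$COMMONNAME"
# Client certificate plus key. The passphrase protects the exported .key file;
# it is the same value as the user's PPP password, so the key file is only as
# secret as that password.
/certificate export-certificate "$USERNAME@$COMMONNAME" export-passphrase="$PASSWORD"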
# Sample /file print output after the two exports (ROS6, May 2019):
# 9 = CA certificate, 10/11 = client certificate and its passphrase-protected key.
# These are the files fetched over scp and pasted into the <ca>/<cert>/<key>
# blocks of the client config.
/file print
9 cert_export_openVPN.crt .crt file 948 may/08/2019 14:12:51
10 cert_export_openvpn@openVPN.crt .crt file 924 may/08/2019 14:13:00
11 cert_export_openvpn@openVPN.key .key file 1054 may/08/2019 14:13:00
Сертификаты забрать по scp
Вариант 2 (тестировался с ROS7)
# Variant 2 (tested on ROS7). Same certificate names as in the certificate
# section; PASSWORD comes from the first :global block.
:global caName "Mikrotik_OpenVPN_Ca"
:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
:global openvpnClientName "homeopenvpnclient"
# Addresses handed to clients (pool) and the server-side address (profile).
/ip pool add name=openvpn_server_pool ranges=192.168.18.2-192.168.18.10
/ppp profile add local-address=192.168.18.1 name=openvpn_profile remote-address=openvpn_server_pool
# PPP user; the name equals the client certificate's common-name.
/ppp secret add name=$openvpnClientName password=$PASSWORD profile=openvpn_profile service=ovpn
Или
# Alternative to the pool-based secret above: pin a fixed address pair for this user.
/ppp secret add name=$openvpnClientName password=$PASSWORD profile=openvpn_profile service=ovpn remote-address=192.168.18.2 local-address=192.168.18.1
# NOTE(review): cipher=aes256 only, while the client config on this page sends
# 'cipher AES-128-CBC' and says the two must match; with this server variant the
# client is expected to need AES-256-CBC (or the server must also list aes128,
# as the ROS6 variant does). Unlike the ROS6 variant, no input-chain rule for
# 1194/tcp is added here — add one if the firewall's input chain drops by default.
/interface ovpn-server server set auth=sha1 certificate=$openvpnCertName cipher=aes256 default-profile=openvpn_profile enabled=yes require-client-certificate=yes
OpenVPN Client
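# OpenVPN client configuration for the MikroTik ovpn-server set up above.
client
dev tun
# The router-side server on this page is TCP; keep proto tcp.
proto tcp
remote 159.224.49.4 1194
#remote 192.168.1.200 1194
resolv-retry infinite
nobind
# Credentials file: line 1 = PPP secret name, line 2 = its password (see
# login.txt below). Keep it readable only by the user running OpenVPN.
auth-user-pass login.txt
pull
# Sends all traffic through the tunnel.
redirect-gateway
persist-key
persist-tun
# Server-identity check. The original used 'ns-cert-type server', which relies
# on the legacy Netscape cert-type extension and was removed in OpenVPN 2.5;
# remote-cert-tls checks the TLS-server extended key usage that the router's
# certificate requests with key-usage=...,tls-server.
remote-cert-tls server
# comp-lzo is not supported by the router-side server; leave it disabled.
#comp-lzo
verb 3
# Both must match the ovpn-server settings on the router (auth=sha1 and one of
# the ciphers it lists; the ROS7 variant on this page allows aes256 only).
auth SHA1
cipher AES-128-CBC
# <SKIP> marks material omitted from the page; paste the full PEM bodies from
# the exported cert_export_*.crt / .key files.
<ca>
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIIC2/evsYh1B8wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
ruMGgvJo+v/CM80fSXwu9SVLzdhT2j97VestLovSQ1fkkGvP
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICfjCCAeegAwIBAgIIUNKWrvezxRowDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
9VSL8diJznoIUW8Zy/MEvoSx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDEnsJljdeQN5aSBI2ferSbqod1QEos52ajaW1kyOKhKsslpnKz
<SKIP>
IIrKJPxpHIqtTxBxuKAmls5vwvvpZvjgEg+aSZOziqw=
-----END RSA PRIVATE KEY-----
</key>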
Файл с логином-паролем
# Directive in the client config that reads username/password from login.txt
# (same line as in the full client config above).
auth-user-pass login.txt
# Contents of login.txt (shown via cat): line 1 is the PPP secret name,
# line 2 its password — the same PASSWORD set on the router.
# The credentials are in cleartext; keep the file readable only by the user
# that runs OpenVPN.
cat login.txt
openvpn
Xu3thoo4
Пароль тот же самый что и в начале задан со стороны микротика