Mikrotik OpenVPN 2: различия между версиями

Материал из noname.com.ua
Перейти к навигацииПерейти к поиску
Строка 42: Строка 42:
 
:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
 
:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
 
:global openvpnClientName "homeopenvpnclient"
 
:global openvpnClientName "homeopenvpnclient"
 
 
</PRE>
 
</PRE>
  +
 
<PRE>
 
<PRE>
 
/certificate add name="$caName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
 
/certificate add name="$caName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
 
</PRE>
 
</PRE>
  +
  +
<PRE>
 
/certificate sign "$caName" ca-crl-host=127.0.0.1
 
/certificate sign "$caName" ca-crl-host=127.0.0.1
 
</PRE>
 
</PRE>
  +
 
<PRE>
 
<PRE>
 
/certificate add name="$openvpnCertName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
 
/certificate add name="$openvpnCertName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
  +
</PRE>
  +
  +
<PRE>
 
/certificate sign "$openvpnCertName" ca="$caName"
 
/certificate sign "$openvpnCertName" ca="$caName"
 
</PRE>
 
</PRE>
Строка 56: Строка 62:
 
<PRE>
 
<PRE>
 
/certificate add name="$openvpnClientName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$openvpnClientName" key-size=$KEYSIZE days-valid=3650 key-usage=tls-client
 
/certificate add name="$openvpnClientName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$openvpnClientName" key-size=$KEYSIZE days-valid=3650 key-usage=tls-client
  +
</PRE>
  +
  +
<PRE>
 
/certificate sign $openvpnClientName ca="$caName"
 
/certificate sign $openvpnClientName ca="$caName"
 
</PRE>
 
</PRE>

Версия 12:07, 23 ноября 2021


Mikrotik Openvpn v2

Mikrotik

:global COMMONNAME "openVPN"
:global COUNTRY "UA"
:global STATE "KH"
:global LOCALITY "KHARKOV"
:global ORG "sirmax@home"
:global UNIT ""
:global KEYSIZE "1024"
:global USERNAME "openvpn"
:global PASSWORD "Xu3thoo4"
:global ORGANIZATION "home.net"

Сертификаты

Вариант 1

/certificate 
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign  sign ca-template ca-crl-host=127.0.0.1 name="$COMMONNAME"
/certificate 
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="server@$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$COMMONNAME" name="server@$COMMONNAME"

add name=$USERNAME country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$USERNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

Вариант 2 (терировал с ROS7)

:global caName "Mikrotik_OpenVPN_Ca"
:global openvpnCertName "Mikrotik_OpenVPN_Server_Cert"
:global openvpnClientName "homeopenvpnclient"
/certificate add name="$caName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign 
/certificate sign "$caName" ca-crl-host=127.0.0.1
/certificate add name="$openvpnCertName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size=$KEYSIZE days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server 
/certificate sign "$openvpnCertName" ca="$caName"
/certificate add name="$openvpnClientName" country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$openvpnClientName" key-size=$KEYSIZE days-valid=3650 key-usage=tls-client 
/certificate sign $openvpnClientName ca="$caName"

1

/ip pool
add name=OPEN-VPN-POOL ranges=10.2.1.2-10.2.1.254
/ppp profile
add dns-server=8.8.8.8 local-address=10.2.1.1 name=OPEN-VPN-PROFILE remote-address=OPEN-VPN-POOL use-encryption=yes
/interface ovpn-server server
set auth=sha1 certificate="server@$COMMONNAME" cipher=aes128,aes192,aes256 default-profile=OPEN-VPN-PROFILE enabled=yes require-client-certificate=yes
/ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" place-before=0
/ppp secret add name=$USERNAME password=$PASSWORD profile=OPEN-VPN-PROFILE service=ovpn
/certificate add name="$USERNAME-to-issue" copy-from="$USERNAME" common-name="$USERNAME@$COMMONNAME"
/certificate sign "$USERNAME-to-issue" ca="$COMMONNAME" name="$USERNAME@$COMMONNAME"
export-certificate "$COMMONNAME" export-passphrase="12345678"
export-certificate "$USERNAME@$COMMONNAME" export-passphrase="$PASSWORD"
/file print
9 cert_export_openVPN.crt          .crt file       948 may/08/2019 14:12:51
10 cert_export_openvpn@openVPN.crt .crt file       924 may/08/2019 14:13:00
11 cert_export_openvpn@openVPN.key .key file       1054 may/08/2019 14:13:00

Сертефиуаты забрать по scp

OpenVPN Client

client
dev tun
proto tcp
remote 159.224.49.4 1194
#remote 192.168.1.200 1194
resolv-retry infinite
nobind
auth-user-pass login.txt
pull
redirect-gateway
persist-key
persist-tun
ns-cert-type server
#comp-lzo № не поддерживается 
verb 3
auth SHA1 # Важно что б совпадало с тем что на стороне микротика
cipher AES-128-CBC # Важно что б совпадало с тем что на стороне микротика
<ca>
-----BEGIN CERTIFICATE-----
MIICkDCCAfmgAwIBAgIIC2/evsYh1B8wDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
ruMGgvJo+v/CM80fSXwu9SVLzdhT2j97VestLovSQ1fkkGvP
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIICfjCCAeegAwIBAgIIUNKWrvezxRowDQYJKoZIhvcNAQELBQAwPjELMAkGA1UE
<SKIP>
9VSL8diJznoIUW8Zy/MEvoSx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDEnsJljdeQN5aSBI2ferSbqod1QEos52ajaW1kyOKhKsslpnKz
<SKIP>
IIrKJPxpHIqtTxBxuKAmls5vwvvpZvjgEg+aSZOziqw=
-----END RSA PRIVATE KEY-----
</key>

Файл с логином-паролем

auth-user-pass login.txt
cat login.txt
openvpn
Xu3thoo4
Пароль тот же самый что и в начале задан со стороны микротика