Difference between revisions of "Template:Netoworking rutxxx configuration example mikrotik openvpn"

From Teltonika Networks Wiki
  
 
This guide provides a configuration example with details on how to configure an OpenVPN connection between MikroTik and RUTxxx routers. The server will be the MikroTik device and the client will be the RUTxxx router.
 
==Prerequisites==
 
 
* One RUTxxx router of any type
 
* One Mikrotik router (this configuration example was created using Mikrotik rb750gr3)
 
* The server must have a public static or public dynamic IP address
 
* At least one end device (PC, Laptop) to configure the routers
 
* WinBox application
 
 
==Configuration scheme==
 
 
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_topology_v1.png|border|class=tlt-border|1100x1100px]]
 
 
==Server (Mikrotik) configuration==
 
 
Connect to the MikroTik by using the '''WinBox''' application and press '''New Terminal'''.
 
 
[[File:Networking_rutxxx_configuration_example_l2tp_ipsec_mikrotik_1_v1.jpg|border|class=tlt-border]]
 
 
Now create the certificate templates by using these commands (the certificates will be valid for 10 years):
 
 
/certificate
 
 
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
 
 
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
 
 
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
 
 
The created certificates need to be signed; use these commands:
 
 
sign ca-template name=ca-certificate
 
 
sign server-template name=server-certificate ca=ca-certificate
 
 
sign client-template name=client-certificate ca=ca-certificate
 
 
Now you need to export those certificates:
 
 
/certificate
 
 
export-certificate ca-certificate export-passphrase=""
 
 
export-certificate client-certificate export-passphrase='''12345678'''
 
 
Now go to '''Files''' and copy the exported certificate files to your desktop by dragging them there.
 
 
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_1_v2.jpg|border|class=tlt-border]]
 
 
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_2_v1.jpg|border|class=tlt-border]]
 
 
Now go back to '''Terminal''' and create a separate pool of IP addresses for clients by using this command:
 
 
/ip
 
 
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99
 
 
Instead of editing the default encrypted profile, create a new one. This assumes that your MikroTik will also act as the DNS server. While at it, create a more secure username and password:
 
 
/ppp
 
 
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
 
 
secret add name='''user''' profile=vpn-profile password='''password'''
 
 
Adjust the firewall by using this command:
 
 
/ip firewall filter
 
 
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
 
 
Now enable the OpenVPN server interface:
 
 
/interface ovpn-server server
 
 
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
 
 
==Client (RUTxxx) configuration==
 
 
Access the RUTxxx WebUI and go to '''Service > VPN > OpenVPN'''. There, create a new configuration by selecting the '''Client''' role, entering a '''New configuration name''' and pressing the '''Add New''' button. The new instance should appear after a few seconds. Then press '''Edit'''.
 
 
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_3_v1.jpg|border|class=tlt-border]]
 
 
Then apply the following configuration.
 
 
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_4_v1.jpg|border|class=tlt-border]]
 
 
 
# '''Enable''' Instance.
 
# Select '''Protocol''' (TCP).
 
# Select '''Authentication''' (TLS/Password).
 
# Select '''Encryption''' (AES-128-CBC 128).
 
# Write '''Remote host/IP address''' (MikroTik public IP address).
 
# Write '''Keep alive''' (10 120).
 
# Write '''Remote network IP address''' (192.168.8.0).
 
# Write '''Remote network IP netmask''' (255.255.255.0).
 
# Write the '''User name''' and '''Password''' that you created on the MikroTik (you created them by using this command: secret add name='''user''' profile=vpn-profile password='''password''').
 
# Upload the '''Certificate authority''', '''Client certificate''' and '''Client key''' (use the files exported from the MikroTik).
 
# Write '''Private key decryption password''' (you created it by using this command: export-certificate client-certificate export-passphrase='''12345678''').
 
# Press '''Save'''.
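The client form above has to agree with the server settings from the '''/interface ovpn-server server''' command, and a mismatch in protocol, cipher, digest or certificate requirements is the usual reason a tunnel fails to come up. The following script is an added example, not part of this wiki page or of Teltonika's or MikroTik's own software: it parses the server '''set''' line from this guide and an OpenVPN client configuration that mirrors the WebUI fields, reports mismatches, and adds a few defender-side notes (for instance that the server template's '''tls-server''' key usage lets the client pin the server with '''remote-cert-tls server'''). The RouterOS-to-OpenVPN name mapping, the default port, the public address 203.0.113.10 and the exported file names are assumptions, and the sample client config is constructed.

```python
"""Cross-check the MikroTik OpenVPN server settings from this guide against an
OpenVPN client config equivalent to the RUTxxx WebUI form (added example)."""
import shlex

# Assumed mapping of RouterOS ovpn-server cipher/auth names to OpenVPN option values.
MT_CIPHERS = {
    "aes128": "AES-128-CBC",
    "aes192": "AES-192-CBC",
    "aes256": "AES-256-CBC",
    "blowfish128": "BF-CBC",
    "null": "none",
}
MT_AUTH = {"sha1": "SHA1", "md5": "MD5", "null": "none"}
MT_DEFAULT_PORT = "1194"  # assumed server default; the guide's firewall rule opens it

# Server line taken from the guide; client config constructed to mirror the WebUI fields.
# 203.0.113.10 stands in for the MikroTik public IP; file names are assumed export names.
SAMPLE_SERVER_SET = (
    "set default-profile=vpn-profile certificate=server-certificate "
    "require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes"
)
SAMPLE_CLIENT_OVPN = """\
client
dev tun
proto tcp
remote 203.0.113.10 1194
cipher AES-128-CBC
auth SHA1
keepalive 10 120
route 192.168.8.0 255.255.255.0
auth-user-pass
remote-cert-tls server
ca cert_export_ca-certificate.crt
cert cert_export_client-certificate.crt
key cert_export_client-certificate.key
askpass
"""


def parse_routeros_set(line):
    """Parse a RouterOS 'set key=value ...' line into a dict of strings."""
    tokens = shlex.split(line)
    if tokens and tokens[0] == "set":
        tokens = tokens[1:]
    settings = {}
    for token in tokens:
        key, sep, value = token.partition("=")
        if sep:
            settings[key] = value
    return settings


def parse_ovpn(text):
    """Parse an OpenVPN config into {option: [args, ...]}. Inline <ca>...</ca> style
    blocks are recorded as present (empty argument list) and their body is skipped."""
    options = {}
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if inline is not None:
            if line == "</%s>" % inline:
                inline = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            options[inline] = []
            continue
        parts = shlex.split(line)
        options[parts[0]] = parts[1:]
    return options


def check_consistency(server, client):
    """Return mismatches between server settings and client config; [] means they agree."""
    findings = []
    # Transport: the guide's client selects TCP and connects to the server's port.
    proto = client.get("proto", ["udp"])[0]
    if proto not in ("tcp", "tcp-client"):
        findings.append("proto: client uses %s but the server is reached over tcp" % proto)
    port = server.get("port", MT_DEFAULT_PORT)
    remote = client.get("remote", [])
    if not remote:
        findings.append("remote: client has no server address")
    elif len(remote) > 1 and remote[1] != port:
        findings.append("port: client uses %s but the server listens on %s" % (remote[1], port))
    # Data-channel cipher must be one the server offers (server names mapped to OpenVPN names).
    offered = {MT_CIPHERS.get(n, n) for n in server.get("cipher", "").split(",") if n}
    cipher = client.get("cipher", ["(unset)"])[0]
    if cipher not in offered:
        findings.append("cipher: client %s is not in the server list %s" % (cipher, sorted(offered)))
    # HMAC digest must match exactly.
    server_auth = server.get("auth", "sha1")
    want_auth = MT_AUTH.get(server_auth, server_auth)
    have_auth = client.get("auth", ["(unset)"])[0]
    if have_auth.upper() != want_auth.upper():
        findings.append("auth: client %s but server %s" % (have_auth, want_auth))
    # require-client-certificate=yes means the client needs CA, certificate and key.
    if server.get("require-client-certificate") == "yes":
        for opt in ("ca", "cert", "key"):
            if opt not in client:
                findings.append("%s: required by the server but missing on the client" % opt)
    # The ppp secret is checked as username/password (the guide's TLS/Password mode).
    if "auth-user-pass" not in client:
        findings.append("auth-user-pass: server checks a ppp secret but the client sends none")
    return findings


def hardening_notes(server, client):
    """Defender-side observations that are not mismatches but worth reviewing."""
    notes = []
    if server.get("auth") in ("md5", "null"):
        notes.append("server auth=%s gives no useful integrity protection" % server["auth"])
    elif server.get("auth") == "sha1":
        notes.append("server auth=sha1 is a legacy HMAC digest; prefer sha256 or stronger "
                     "if the RouterOS version offers it")
    if "remote-cert-tls" not in client:
        notes.append("client lacks 'remote-cert-tls server': any certificate issued by the same "
                     "CA, including another client's, would be accepted as the server")
    return notes


if __name__ == "__main__":
    srv, cli = parse_routeros_set(SAMPLE_SERVER_SET), parse_ovpn(SAMPLE_CLIENT_OVPN)
    print("mismatches:", check_consistency(srv, cli) or "none")
    print("notes:", hardening_notes(srv, cli) or "none")
```

Run it as-is to see the guide's settings pass the mismatch check; swap the client's '''cipher''' or '''auth''' line for a value the server does not offer and the script names the offending option before you spend time on the tunnel itself.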
 
 
==Testing configuration==
 
 
Go to '''Status > Routes''' and in the '''Active IP Routes''' table you should see these two new routes.
 
 
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_5_v1.jpg|border|class=tlt-border]]
 
 
Try to ping the remote VPN endpoint via '''CLI''' or '''SSH''' using this command:
 
 
ping 192.168.8.250
 
 
[[File:Networking rutxxx configuration example ovpn mikrotik 6 v1.jpg|border|class=tlt-border]]
 

Revision as of 18:16, 2 March 2020

==Introduction==

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.