476
edits
Changes
Template:Netoworking rutxxx configuration example mikrotik openvpn (view source)
Revision as of 09:44, 1 April 2020
, 09:44, 1 April 2020no edit summary
This guide provides a configuration example with details on how to configure OpenVPN connection between MikroTik and RUTxxx routers. The server will be MikroTik device and the client will be our RUTxxx router.
This guide provides a configuration example with details on how to configure OpenVPN connection between MikroTik and RUTxxx routers. The server will be MikroTik device and the client will be our RUTxxx router.
==Prerequisites==
* One RUTxxx router of any type
* One Mikrotik router (this configuration example was created using Mikrotik rb750gr3)
* Server must have a Public Static or Public Dynamic IP address
* At least one end device (PC, Laptop) to configure the routers
* WinBox application
==Configuration scheme==
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_topology_v1.png|border|class=tlt-border|1100x1100px]]
==Server (Mikrotik) configuration==
Connect to MikroTik by using '''WinBox''' application and press '''New Terminal'''.
[[File:Networking_rutxxx_configuration_example_l2tp_ipsec_mikrotik_1_v1.jpg|border|class=tlt-border]]
Now create certificates by using these commands (these will be valid for 10 years):
/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
Created certificates will need signing, use these commands:
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
Now you need to export those certificates:
/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase='''12345678'''
Now go to '''Files''' and export those certificates by simply dragging them to your desktop.
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_1_v2.jpg|border|class=tlt-border]]
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_2_v1.jpg|border|class=tlt-border]]
Now go back to '''Terminal''' and create a separate pool of IP addresses for clients by using this command:
/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99
Instead of editing the default encrypted profile, we need to create a new one. Assumption is your MikroTik will also be a DNS server. And while at it, create a bit more secure user/password:
/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
secret add name='''user''' profile=vpn-profile password='''password'''
Adjust firewall by using this command:
/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
Now enable OpenVPN server interface:
/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
==Client (RUTxxx) configuration==
Access RUTxxx WebUI and go to '''Service > VPN > OpenVPN'''. There create a new configuration by selecting role '''Client''', writing '''New configuration name''' and pressing '''Add New''' button. It should appear after a few seconds. Then press '''Edit'''.
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_3_v1.jpg|border|class=tlt-border]]
Then apply the following configuration.
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_4_v1.jpg|border|class=tlt-border]]
# '''Enable''' Instance.
# Select '''Protocol''' (TCP).
# Select '''Authentication''' (TLS/Password).
# Select '''Encryption''' (AES-128-CBC 128).
# Write '''Remote host/IP address''' (MikroTik public IP address).
# Write '''Keep alive''' (10 120).
# Write '''Remote network IP address''' (192.168.8.0).
# Write '''Remote network IP netmask''' (255.255.255.0).
# Write '''User name''' and '''Password''' which you created on Mikrotik (you created it by using this command: secret add name='''user''' profile=vpn-profile password='''password''').
# Upload '''Certificate authority''', '''Client certificate''', '''Client key''' (use those exported files).
# Write '''Private key decryption password''' (you created it by using this command: export-certificate client-certificate export-passphrase='''12345678''').
# Press '''Save'''.
==Testing configuration==
Go to '''Status > Routes''' and in the '''Active IP Routes''' table you should see these two new routes.
[[File:Networking_rutxxx_configuration_example_ovpn_mikrotik_5_v1.jpg|border|class=tlt-border]]
Try to ping the remote VPN endpoint via '''CLI''' or '''SSH''' using this command:
ping 192.168.8.250
[[File:Networking rutxxx configuration example ovpn mikrotik 6 v1.jpg|border|class=tlt-border]]
