0
edits
Changes
Template:Netoworking rutxxx configuration example mikrotik openvpn (view source)
Revision as of 18:36, 2 March 2020
, 18:36, 2 March 2020no edit summary
* At least one end device (PC, Laptop) to configure the routers
* At least one end device (PC, Laptop) to configure the routers
* WinBox application
* WinBox application
==Configuration scheme==
[[File:|border|class=tlt-border]]
==Server (Mikrotik) configuration==
Connect to MikroTik by using '''WinBox''' application and press '''New Terminal'''.
[[File:|border|class=tlt-border]]
Now create certificates by using these commands (these will be valid for 10 years):
/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
Created certificates will need signing, use these commands:
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
Now you need to export those certificates:
/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase='''12345678'''
Now go to '''Files''' and export those certificates by simply dragging them to your desktop.
[[File:|border|class=tlt-border]]
[[File:|border|class=tlt-border]]
Now go back to '''Terminal''' and create a separate pool of IP addresses for clients by using this command:
/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99
Instead of editing the default encrypted profile, we need to create a new one. Assumption is your MikroTik will also be a DNS server. And while at it, you can create a bit more imaginative user/password:
/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
secret add name='''user''' profile=vpn-profile password='''password'''
Adjust firewall by using this command:
/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
Now enable OpenVPN server interface:
/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
==Client (RUTxxx) configuration==
Access RUTxxx WebUI and go to '''Service > VPN > OpenVPN'''. There create a new configuration by selecting role '''Client''', writing '''New configuration name''' (anything you want) and pressing '''Add New''' button. It should appear after a few seconds. Then press '''Edit'''.
[[File:|border|class=tlt-border]]
Then apply the following configuration.
[[File:|border|class=tlt-border]]
# '''Enable''' Instance.
# Select '''Protocol''' (TCP).
# Select '''Authentication''' (TLS/Password).
# Select '''Encryption''' (AES-128-CBC 128).
# Write '''Remote host/IP address''' (MikroTik public IP address).
# Write '''Keep alive''' (10 120).
# Write '''Remote network IP address''' (192.168.8.0).
# Write '''Remote network IP netmask''' (255.255.255.0).
# Write '''User name''' and '''Password''' which you created on Mikrotik (you created it by using this command: secret add name='''user''' profile=vpn-profile password='''password''').
# Upload '''Certificate authority''', '''Client certificate''', '''Client key''' (use those exported files).
# Write '''Private key decryption password''' (you created it by using this command: export-certificate client-certificate export-passphrase='''12345678''').
# Press '''Save'''.
