Mikrotik as OpenVPN server in 3 steps

Автор | 02.11.2019

Connect to Mikrotik via SSH and start writing text below

Set global VARs

:global COMMONNAME "openVPN"
:global COUNTRY "UA"
:global STATE "KV"
:global LOCALITY "Kyiv"
:global ORG "My org"
:global UNIT ""
:global KEYSIZE "1024"
:global USERNAME "admins"
:global PASSWORD "8charsPassword"
:global NET "77"
:global PORT "7777"

Make server and client CRT

/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$COMMONNAME"
:delay [6]
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="server@$COMMONNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$COMMONNAME" name="server@$COMMONNAME"
:delay [6]
add name=$USERNAME country="$COUNTRY" state="$STATE" locality="$LOCALITY" organization="$ORGANIZATION" unit="$UNIT" common-name="$USERNAME" key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client
sign $USERNAME  ca="$COMMONNAME" name="$USERNAME"

Create pool, profile, interface, firewall

/ip pool
add name=VPN-POOL-devops ranges="10.$NET.1.2-10.$NET.1.254"

/ppp profile
add dns-server="10.$NET.1.1" local-address="10.$NET.1.1" name=VPN-PROFILE remote-address=VPN-POOL use-encryption=yes

/interface ovpn-server server
set auth=sha1 certificate="server@$COMMONNAME" cipher=aes128,aes192,aes256 default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes port="$PORT" max-mtu=1460


/ip firewall filter
add chain=input dst-port=$PORT protocol=tcp comment="Allow OpenVPN" action=accept place-before=0

add chain=input action=accept protocol=tcp src-address=10.$NET.1.0/24 in-interface-list=dynamic log=no log-prefix="" place-before=2

/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn


/certificate
add name="$USERNAME-to-issue" copy-from="$USERNAME" common-name="$USERNAME@$COMMONNAME"
sign "$USERNAME-to-issue" ca="$COMMONNAME" name="$USERNAME@$COMMONNAME"


/certificate
export-certificate "$COMMONNAME" export-passphrase=""
export-certificate "$USERNAME@$COMMONNAME" export-passphrase="$PASSWORD"

Goto menu Files in Mikrotik admin panel and download ca.crt + client.crt + client.key

Then make file SomeName.ovpn with content:

client
# в этой строчке мы указываем адрес в интернете нашего микротика
remote <your.server.IP> <Port>
dev tun
proto tcp
tun-mtu 1460


nobind
persist-key
persist-tun

keepalive 10 120
verb 3
cipher AES-256-CBC
auth SHA1

remote-cert-tls server
# эта строка задаёт файл с логином-паролем которые мы прописывали в PPP-Secrets на микротике
auth-user-pass auth.cfg

# в этой части мы задаём настройки сетей которые находятся за микротиком,
# а 172.21.108.1 это адрес микротика который мы указывали в PPP профиле

#route-method exe
#route-delay 2
#route 192.168.1.0 255.255.255.0 172.21.108.1

#for internet access
redirect-gateway autolocal

<ca>
-----BEGIN CERTIFICATE-----

.....Put your ca crt from downloaded files.....

-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----

.....Put your client crt from downloaded files.....

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----

.....Put your client key from downloaded files.....

-----END RSA PRIVATE KEY-----

</key>

Put your key and crt and change host:port vars

and file auth.cfg

user
pasword

with this two files you can start client

Залишити відповідь