-
Star
(168)
You must be signed in to star a gist -
Fork
(87)
You must be signed in to fork a gist
-
-
Save SmartFinn/8324a55a2020c56b267b to your computer and use it in GitHub Desktop.
| # Setup OpenVPN Server and generate certs | |
| # | |
| # Change variables below and paste the script | |
| # into MikroTik terminal window. | |
| # | |
| :global CN [/system identity get name] | |
| :global COUNTRY "UA" | |
| :global STATE "KV" | |
| :global LOC "Kyiv" | |
| :global ORG "My org" | |
| :global OU "" | |
| :global KEYSIZE "2048" | |
| :global USERNAME "user" | |
| :global PASSWORD "password" | |
| ## functions | |
| :global waitSec do={:return ($KEYSIZE * 10 / 1024)} | |
| ## generate a CA certificate | |
| /certificate | |
| add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ | |
| organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \ | |
| days-valid=3650 key-usage=crl-sign,key-cert-sign | |
| sign ca-template ca-crl-host=127.0.0.1 name="$CN" | |
| :delay [$waitSec] | |
| ## generate a server certificate | |
| /certificate | |
| add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ | |
| organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \ | |
| days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server | |
| sign server-template ca="$CN" name="server@$CN" | |
| :delay [$waitSec] | |
| ## create a client template | |
| /certificate | |
| add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ | |
| organization="$ORG" unit="$OU" common-name="client" \ | |
| key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client | |
| ## create IP pool | |
| /ip pool | |
| add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 | |
| ## add VPN profile | |
| /ppp profile | |
| add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ | |
| remote-address=VPN-POOL use-encryption=yes | |
| ## setup OpenVPN server | |
| /interface ovpn-server server | |
| set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ | |
| default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes | |
| ## add a firewall rule | |
| /ip firewall filter | |
| add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" | |
| ## add a user | |
| /ppp secret | |
| add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn | |
| ## generate a client certificate | |
| /certificate | |
| add name=client-template-to-issue copy-from="client-template" \ | |
| common-name="$USERNAME@$CN" | |
| sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" | |
| :delay [$waitSec] | |
| ## export the CA, client certificate, and private key | |
| /certificate | |
| export-certificate "$CN" export-passphrase="" | |
| export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" | |
| / |
| client | |
| dev tun | |
| proto tcp-client | |
| remote <MikroTik_IP> 1194 | |
| nobind | |
| persist-tun | |
| cipher AES-256-CBC | |
| auth SHA1 | |
| pull | |
| verb 2 | |
| mute 3 | |
| # Create a file 'user.auth' with a username and a password | |
| # | |
| # cat << EOF > user.auth | |
| # user | |
| # password | |
| # EOF | |
| auth-user-pass user.auth | |
| # Copy the certificates from MikroTik and change | |
| # the filenames below if needed | |
| ca cert_export_MikroTik.crt | |
| cert [email protected] | |
| key [email protected] | |
| # Add routes to networks behind MikroTik | |
| #route 192.168.10.0 255.255.255.0 |
Hi,
Mikrotik has changed the structure of /ipsec and some new tabs are added in its new firmware (6.43.14) , do you have a compatible code with this new firmware ?
Thanks...
Great job with the script, only problem I have is that I can't connect to the devices in my local lan. I managed to make internet work by allowing remote requests in IP -> DNS but I can't go to my samba shares, etc. Can You help?
Great job with the script, only problem I have is that I can't connect to the devices in my local lan. I managed to make internet work by allowing remote requests in IP -> DNS but I can't go to my samba shares, etc. Can You help?
/ip firewall nat
add action=accept chain=srcnat dst-address=network-vpn/xx src-address=
network-lan/xx
add action=accept chain=srcnat dst-address=network-lan/xx src-address=
network-vpn/xx
Hey guys, I'm using this website to generate my .ovpn files with a mikrotik server: https://ovpnconfig.com.br
Hey guys, I'm using this website to generate my .ovpn files with a mikrotik server: https://ovpnconfig.com.br
Is trustworthy?
Hey guys, I'm using this website to generate my .ovpn files with a mikrotik server: https://ovpnconfig.com.br
Is trustworthy?
Yes, I developed it. The website doesn't require that you send your credentials, just generate the .ovpn file. You need do create the auth-user-pass manually and edit the line "auth-user-pass" with your credentials file name.
ex: auth-user-pass credentials.txt.
The real motivation to develop this site was the time that I lost editing the .ovpn files, decrypting the key..
Any doubts or suggestions you can contact me: [email protected]
Hey guys, I'm using this website to generate my .ovpn files with a mikrotik server: https://ovpnconfig.com.br
Is trustworthy?
Yes, I developed it. The website doesn't require that you send your credentials, just generate the .ovpn file. You need do create the auth-user-pass manually and edit the line "auth-user-pass" with your credentials file name.
ex: auth-user-pass credentials.txt.The real motivation to develop this site was the time that I lost editing the .ovpn files, decrypting the key..
Any doubts or suggestions you can contact me: [email protected]
Excellent thanks.
Hey, guys, the next thing is pretty ugly but it works. Maybe some of you can use it.
{
# Variables.
:local CN [/system identity get name]
:local USERNAME "USER"
:local PASSWORD "PASS"
:local PORT "1194"
:local IPMIKROTIK "1.2.3.4"
:local Contenido ("client" . "\n" . "dev tun" . "\n" . "proto tcp-client" . "\n" . "remote " . "$IPMIKROTIK" . " $PORT" . "\n" . "nobind" . "\n" . "persist-key" . "\n" . "persist-tun" . "\n" . "cipher AES-256-CBC" . "\n" . "auth SHA1" . "\n" . "pull" . "\n" . "verb 2" . "\n" . "mute 3" . "\n" . "\n" . "auth-user-pass user.txt" . "\n" . "\n" . "ca cert_export_" . "$CN" . ".crt" . "\n" . "cert " . "cert_export_" . "$USERNAME@" . "$CN" . ".crt" . "\n" . "key " . "cert_export_" . "$USERNAME@" . "$CN" . ".key" . "\n" . "\n" . "# Uncomment the following line if Internet #access is needed" . "\n" . "#redirect-gateway def1" . "\n" . "\n" . "# Add routes to #networks behind MikroTik" . "\n" . "#route 192.168.88.0 255.255.255.0" . "\n")
:delay 2
# Create file.
/file print file=("user" . ".txt") where name=""
# Wait for the file to be created.
:delay 2
# Set file's content.
/file set ("user" . ".txt") contents=("$USERNAME" . "\n" . "$PASSWORD")
# Create file.
/file print file=("$USERNAME" . "@$CN" . ".txt") where name=""
# Wait for the file to be created.
:delay 2
# Set file's content.
/file set ("$USERNAME" . "@$CN" . ".txt") contents=($Contenido)
# It is necessary to delete the extension ".txt" to "ovpn" after downloading
:delay 2
}
Hi, folks,
I was able to setup VPN and able to connect and access all machines in my local network, however how hard didn't I try (adding, modifying, removing, disabling/enabling various firewall rules) I still wasn't able to get internet working inside the network.
When I do ping it timeouts:
ping: google.com: Temporary failure in name resolution
Any suggestions?
Appreciate any help.
Here's my dns config
Here's my firewall config
Ok, problem solved. I didn't need to add any additional rules such as op mentioned in "NOTE: To allow clients to surf the Internet..." section. All I did is configured my "OpenVPN" network in "IP -> DHCP Server -> Networks" section (Adding gateway solved the problem).
Everything seems to be working fine except I can't get the key-file to export. I'm running 6.46.1. Anyone got an idea on how to fix that?
@joacimmelin you have to set a non-empty passphrase to export-passphrase=PASSWORD option to export the key-file.
@SmartFinn ok, the script says:
export the CA, client certificate, and private key
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"
I then assume it's the last row in the above example that exports the key?
Thanks for any help.
@joacimmelin yes, by default the script exports the key with passphrase "password", but if you set (or didn't set at all) :global PASSWORD "" variable to empty then key-file isn't exported. I didn't face another case of that issue.
This works great, thanks a lot.
Here is a bash script that downloads the certificates, and generate the ovpn config files that you descire at https://gist.github.com/SmartFinn/8324a55a2020c56b267b#setup-openvpn-client , section 2 and 3
export OVPN_USERNAME=$1
export OVPN_PASSWORD=$2
export CN=$3
sftp -P 22 <Mikrokit_admin>@<your_Mikrokit_IP>:cert_export_$CN.crt
sftp -P 22 <Mikrokit_admin>@<your_Mikrokit_IP>:cert_export_$OVPN_USERNAME\*
cat >> $OVPN_USERNAME.auth << EOF
$OVPN_USERNAME
$OVPN_PASSWORD
EOF
cat >> $OVPN_USERNAME.ovpn << EOF
client
dev tun
proto tcp-client
remote <VPN IP>1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3
auth-user-pass $OVPN_USERNAME.auth
ca cert_export_$CN.crt
cert cert_export_$OVPN_USERNAME@$CN.crt
key cert_export_$OVPN_USERNAME@$CN.key
redirect-gateway def1
EOF
Use by doing :
sh <the_script_name> <username> <password> <CN>
Hope that helps anybody that wants to crete many users configuration.
So I am trying this Between Mikrotik and ASUS Router RT-ACRH17. It has a built in OVPN client capability. I imported the Certificate but I keep getting a "Could not read Auth username from stdin" . I notice you create a user.auth file and then a username.ovpn file. Can these all be in one file?
I notice you create a user.auth file and then a username.ovpn file. Can these all be in one file?
No, it cannot be. You do not need this file because fields Username/Password do the same. But, that weird to see the error when Username/Password filled. I can not help you because I never faced with ASUS routers.
For me Work!
After export certificates in OpenVPN folder, need remove passphrase with this command:
*Need install OpenSSL Utilities and use openssl.exe for remove passphrase
Command for Windows:
- Navigate to folder certificates
- Paste location to openssl.exe and run this command
C:\Users\Username\Desktop\crt>"C:\Program Files (x86)\OpenVPN\bin\openssl.exe" rsa -in cert_export_MikroTik.crt -out [email protected]
Enter global PASSWOR: password
Now work for me.
i dont kow why but i am able to connect to the vpn but when i go to any explorer i am not able to access the websites, but i am able to ping their corespoding ip adresses and i am also able to connect to the local network of the router. basically i am not able to resolve dns names but iam able to ping their respective ip adrresses , i am able to reach the local network of the router.
if anyone is able to help i´d appreciate it.
@davidromba make sure that Allow Remote Requests option in IP → DNS is enabled (/ip dns set allow-remote-requests=yes) and the servers list is not empty, or just change DNS servers for VPN clients with /ppp profile set VPN-PROFILE dns-server=8.8.8.8,8.8.4.4
Thanks your advice almost worked i also needed to uncomment the "redirect-gateway def1" on the ovpn file.
any way to pass ipv6 address to the clients?
Hey guys, I'm using this website to generate my .ovpn files with a mikrotik server: https://ovpnconfig.com.br
Is trustworthy?
Source code of https://ovpnconfig.com.br is available now: https://github.com/deyvissonbrenoveras/ovpnconfig.com.br.
Works, I can connect, can access internet, but can not access my server with mstsc, and the shared folders.
I tried everything above. Could someone please help?
Thanks!
Hello
Can you do this on my own device?
I followed the steps carefully, but it didn't work for me
Hello, after a router restore openvpn stopped working. What can be the issue?
I have found the issue.... after updating from routers 6 to 7 the vpn stops working.
Downgrading again to 6 will make things again working.
Hi, this script doesn't work on the latest version 7.8v
I've also found that there is an error raised by the script on routeros version 7.8. At least one of the issues is that Mikrotik has change the names of the aes ciphers. When running the script you will receive an error on this section:
setup OpenVPN server
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256
default-profile=VPN-PROFILE mode=ip netmask=24 port="$PORT"
enabled=yes require-client-certificate=yes
To fix the error you need to change the names used in the "cipher=" portion. If you use "aes128-cbc,aes192-cbc,aes256-cbc" then that portion of the script will not throw an error.
Thanks a lot for the script. I got VPN connection between Android 13 and Mikrotik working, but there was no access to LAN and no firewall filter rules helped.
I have 192.168.200.0 addresses assigned to VPN clients and 192.168.100.0 LAN (so route 192.168.100.0 255.255.255.0 was added to client open vpn profile just like in the script above).
However adding firewal nat masquerade helped.
/ip firewall nat add action=masquerade
chain=srcnat
src-address=192.168.200.0/24
comment="Allow OpenVPN clients to access LAN"
@lfdmn that is not an error, I even didn't try to fix it. Try to add
tun-mtu 1400to client's ovpn file.