Last active: October 23, 2025 06:03
Gist: SmartFinn/8324a55a2020c56b267b
Revisions
SmartFinn revised this gist
Apr 1, 2020: 1 changed file with 8 additions and 12 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -20,29 +20,25 @@ :global CN [/system identity get name] :global PORT 1194 ## generate a CA certificate /certificate add name=ca-template common-name="$CN" days-valid=3650 \ key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay 10 ## generate a server certificate /certificate add name=server-template common-name="server@$CN" days-valid=3650 \ key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay 10 ## create a client template /certificate add name=client-template common-name="client" days-valid=3650 \ key-usage=tls-client ## create IP pool /ip pool @@ -108,7 +104,7 @@ add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn add name=client-template-to-issue copy-from=client-template \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" :delay 10 ## export the CA, client certificate, and private key /certificate -
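Review bot: with KEYSIZE and waitSec gone, the three `/certificate add` lines no longer pass `key-size`, so the CA, server and client-template keys fall back to whatever the RouterOS version in use defaults to; keep the explicit `key-size="$KEYSIZE"` form so the CA key strength is a deliberate choice rather than a firmware default. The fixed `:delay 10` after each `sign` is also a guess at signing time: on a slow board a 10 s sleep can expire before the signature is written, and the next `sign ... ca="$CN"` then references a CA certificate that is not ready, so a loop that checks the certificate before continuing is safer than a fixed sleep.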
SmartFinn revised this gist
Apr 1, 2020: 1 changed file with 8 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -217,20 +217,23 @@ issued-revoke [find name="$USERNAME@$CN"] ## Revert OpenVPN server configuration on MikroTik ```ini ## Revert OpenVPN configuration /interface ovpn-server server set enabled=no default-profile=default port=1194 /ip pool remove [find name=VPN-POOL] /ppp secret remove [find profile=VPN-PROFILE] /ppp profile remove [find name=VPN-PROFILE] /ip firewall filter remove [find comment="Allow OpenVPN"] remove [find comment="Accept DNS requests from VPN clients"] /certificate ## delete the certificates manually -
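Review bot: the revert block resets `enabled=no default-profile=default port=1194` but leaves `certificate=`, `auth`, `cipher` and `require-client-certificate` as configured, and the trailing `## delete the certificates manually` leaves every issued client certificate valid. Because the script neither revokes nor deletes the CA, a previously exported client key remains usable against any server that is later re-enabled with that CA; the manual step should at least revoke outstanding client certificates (the `issued-revoke [find name="$USERNAME@$CN"]` form that opens this same hunk) before the CA itself is removed.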
SmartFinn revised this gist
Apr 1, 2020: 1 changed file with 4 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -62,10 +62,12 @@ set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ ## add a firewall rule /ip firewall filter add chain=input action=accept dst-port="$PORT" protocol=tcp \ comment="Allow OpenVPN" add chain=input action=accept dst-port=53 protocol=udp \ src-address=192.168.252.0/24 \ comment="Accept DNS requests from VPN clients" move [find comment="Allow OpenVPN"] 0 move [find comment="Accept DNS requests from VPN clients"] 1 ## Setup completed. Do not forget to create a user. -
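Review bot: `add` followed by `move [find comment="Allow OpenVPN"] 0` is not idempotent: pasting the script a second time creates a second `Allow OpenVPN` rule and a second DNS rule, and each `move` then acts on whatever `find` returns. Guard each `add` with a check for an existing rule carrying that comment, or remove matching rules first. Moving the two rules to positions 0 and 1 also places them ahead of any drop or rate-limit rules already in `input`, which is intended here but deserves a comment in the script.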
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -14,7 +14,7 @@ ```ini # Setup OpenVPN Server and generate certs # # Change variables below if needed then copy the whole script # and paste into MikroTik terminal window. # @@ -89,7 +89,7 @@ add chain=srcnat src-address=192.168.252.0/24 out-interface-list=WAN \ ```ini # Add a new user and generate/export certs # # Change variables below if needed then copy the whole script # and paste into MikroTik terminal window. # -
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 1 addition and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -64,6 +64,7 @@ set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ add chain=input action=accept dst-port="$PORT" protocol=tcp \ comment="Allow OpenVPN" place-before=0 add chain=input action=accept dst-port=53 protocol=udp \ src-address=192.168.252.0/24 \ comment="Accept DNS requests from VPN clients" place-before=1 ## Setup completed. Do not forget to create a user. -
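Review bot: `src-address=192.168.252.0/24` on the udp/53 accept rule is the right fix, since without it the rule admits DNS queries arriving on every interface; note though that the same subnet is now spelled out in the pool, the profile and this rule, so a `:global` variable for the VPN network would keep the three in step when someone changes the address range.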
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 10 additions and 18 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -19,38 +19,30 @@ # :global CN [/system identity get name] :global PORT 1194 :global KEYSIZE 2048 ## functions :global waitSec do={:return ($KEYSIZE * 10 / 1024 + 3)} ## generate a CA certificate /certificate add name=ca-template common-name="$CN" key-size="$KEYSIZE" days-valid=3650 \ key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay [$waitSec] ## generate a server certificate /certificate add name=server-template common-name="server@$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay [$waitSec] ## create a client template /certificate add name=client-template common-name="client" key-size="$KEYSIZE" \ days-valid=3650 key-usage=tls-client ## create IP pool /ip pool @@ -64,8 +56,8 @@ add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ ## setup OpenVPN server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE mode=ip netmask=24 port="$PORT" \ enabled=yes require-client-certificate=yes ## add a firewall rule /ip firewall filter @@ -110,7 +102,7 @@ add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn ## generate a client certificate /certificate add name=client-template-to-issue copy-from=client-template \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" :delay 20 -
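Review bot: the per-user hunk keeps a fixed `:delay 20` after `sign client-template-to-issue`, while the server hunk sizes its wait from the key via `waitSec` (`$KEYSIZE * 10 / 1024 + 3`). The client template inherits `key-size="$KEYSIZE"`, so by the script's own formula a 4096-bit KEYSIZE implies a 43 s wait, and the 20 s sleep would expire before the client certificate is signed, leaving the following export with nothing to export. Use `[$waitSec]` here too or, better, verify the certificate has been signed before exporting. Separately, `auth=sha1` selects the data-channel HMAC; if the RouterOS build in use offers a SHA-2 option for `/interface ovpn-server server`, prefer it.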
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -138,7 +138,7 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" 2. Create `user.auth` file The file auth.auth holds your username/password combination. On the first line must be the username and on the second line your password. ``` -
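Review bot: the sentence reads `The file auth.auth holds your username/password combination` while the step heading says `user.auth` and the client config's `auth-user-pass user.auth` expects that name; make the sentence say `user.auth` so a reader who follows the prose literally does not create a file OpenVPN never reads.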
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -132,8 +132,8 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" sftp admin@MikroTik_IP:cert_export_\* ``` Also, you can download the certificates from the web interface or Winbox. Open Winbox/WebFig → <kbd>Files</kbd> for this. 2. Create `user.auth` file -
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 2 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,7 +5,7 @@ - [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates) - [Add a new user](#add-a-new-user) - [Setup OpenVPN client](#setup-openvpn-client) - [Decrypt private key to avoid password asking (optional)](#decrypt-private-key-to-avoid-password-asking-optional) - [Delete a user and revoke his certificate](#delete-a-user-and-revoke-his-certificate) - [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik) @@ -189,7 +189,7 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" sudo openvpn USERNAME.ovpn ``` ## Decrypt private key to avoid password asking (optional) ``` openssl rsa -passin pass:password -in [email protected] -out [email protected] -
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -156,7 +156,7 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" nobind persist-key persist-tun cipher AES-128-CBC auth SHA1 pull verb 2 -
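Review bot: the client now pins `cipher AES-128-CBC`; the server side on this page offers `cipher=aes128,aes192,aes256`, so this value negotiates, but the client file is the only place that picks one of the three and a value outside the server's list breaks the data channel. Keep the client value within that list and record in a comment why 128 was chosen over 256 here, so the next person editing the file does not treat it as a typo.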
SmartFinn revised this gist
Mar 31, 2020: 1 changed file with 6 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -74,6 +74,8 @@ add chain=input action=accept dst-port="$PORT" protocol=tcp \ add chain=input action=accept dst-port=53 protocol=udp \ comment="Accept DNS requests from VPN clients" place-before=1 ## Setup completed. Do not forget to create a user. ``` **NOTE:** To allow clients to surf the Internet, make sure that there are permissive rules, such as: @@ -118,6 +120,8 @@ sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" ## Done. You will find the created certificates in Files. ``` ## Setup OpenVPN client @@ -211,6 +215,8 @@ remove [find name=$USERNAME profile=VPN-PROFILE] /certificate issued-revoke [find name="$USERNAME@$CN"] ## Done. ``` ## Revert OpenVPN server configuration on MikroTik -
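Review bot: `export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"` protects the exported private key with the same value that `/ppp secret add ... password=$PASSWORD` uses as the account password, so one secret unlocks both the key file and the login; a separate export passphrase keeps the two independent. The new `## Done. You will find the created certificates in Files.` line should also tell the reader to delete the `cert_export_*` files from the router once downloaded, for example `/file remove [find name~"^cert_export_"]`, because otherwise the passphrase-protected key stays on router storage for anyone with file access.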
SmartFinn revised this gist
Jan 14, 2020: 1 changed file with 4 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -69,8 +69,10 @@ set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ ## add a firewall rule /ip firewall filter add chain=input action=accept dst-port="$PORT" protocol=tcp \ comment="Allow OpenVPN" place-before=0 add chain=input action=accept dst-port=53 protocol=udp \ comment="Accept DNS requests from VPN clients" place-before=1 ``` -
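Review bot: the new `add chain=input action=accept dst-port=53 protocol=udp ... place-before=1` rule carries no `src-address`, so it accepts DNS from every interface the router has, WAN included, and makes the router an open resolver if `/ip dns` is set to answer remote requests. Restrict it to the VPN pool, `src-address=192.168.252.0/24`, which is the subnet the rule's comment says it is for.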
SmartFinn revised this gist
Jan 8, 2020: 1 changed file with 3 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -25,6 +25,7 @@ :global ORG "My organization" :global OU "" :global KEYSIZE "2048" :global PORT "1194" ## functions :global waitSec do={:return ($KEYSIZE * 10 / 1024 + 3)} @@ -63,12 +64,12 @@ add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ ## setup OpenVPN server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes mode=ip netmask=24 port="$PORT" \ require-client-certificate=yes ## add a firewall rule /ip firewall filter add chain=input dst-port="$PORT" protocol=tcp comment="Allow OpenVPN" \ place-before=0 ``` -
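Review bot: `add chain=input dst-port="$PORT" protocol=tcp comment="Allow OpenVPN" place-before=0` relies on the implicit default action of a RouterOS filter rule; write `action=accept` so the intent survives a reader, or a later edit, that does not know the default. `:global PORT "1194"` also makes the port a string; it works inside `port="$PORT"`, but an unquoted number is the cleaner form for an integer setting.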
SmartFinn revised this gist
Jan 7, 2020: 1 changed file with 24 additions and 7 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -14,8 +14,8 @@ ```ini # Setup OpenVPN Server and generate certs # # Change variables below then copy the whole script # and paste into MikroTik terminal window. # :global CN [/system identity get name] @@ -27,7 +27,7 @@ :global KEYSIZE "2048" ## functions :global waitSec do={:return ($KEYSIZE * 10 / 1024 + 3)} ## generate a CA certificate /certificate @@ -68,17 +68,31 @@ set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ ## add a firewall rule /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" \ place-before=0 ``` **NOTE:** To allow clients to surf the Internet, make sure that there are permissive rules, such as: ```ini /ip firewall filter add chain=forward action=accept src-address=192.168.252.0/24 \ out-interface-list=WAN place-before=0 add chain=forward action=accept in-interface-list=WAN \ dst-address=192.168.252.0/24 place-before=1 /ip firewall nat add chain=srcnat src-address=192.168.252.0/24 out-interface-list=WAN \ action=masquerade ``` ## Add a new user ```ini # Add a new user and generate/export certs # # Change variables below then copy the whole script # and paste into MikroTik terminal window. # :global CN [/system identity get name] @@ -155,8 +169,11 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" cert [email protected] key [email protected] # Uncomment the following line if Internet access is needed #redirect-gateway def1 # Add routes to networks behind MikroTik #route 192.168.88.0 255.255.255.0 ``` 4. Try to connect -
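Review bot: in the NOTE block, `add chain=forward action=accept in-interface-list=WAN dst-address=192.168.252.0/24 place-before=1` accepts any WAN-originated packet addressed to the VPN subnet, not only replies to connections the clients opened. With the `srcnat ... action=masquerade` rule directly below it, clients only need return traffic, so add `connection-state=established,related` to that rule; as written it is wider than the use it serves.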
SmartFinn revised this gist
May 6, 2019: 1 changed file with 2 additions and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -63,7 +63,8 @@ add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ ## setup OpenVPN server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes mode=ip netmask=24 port=1194 \ require-client-certificate=yes ## add a firewall rule /ip firewall filter -
SmartFinn revised this gist
Aug 5, 2018: 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -207,7 +207,7 @@ remove [find name=VPN-PROFILE] /ip firewall filter remove [find comment="Allow OpenVPN"] /ppp secret remove [find profile=VPN-PROFILE] /certificate -
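Review bot: in this revert hunk `/ppp profile remove [find name=VPN-PROFILE]` runs before `/ppp secret remove [find profile=VPN-PROFILE]`; if RouterOS refuses to remove a profile that secrets still reference, the profile line fails and VPN-PROFILE is left behind. Removing the secrets first avoids the dependency, and the order costs nothing to swap.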
SmartFinn revised this gist
Feb 9, 2018: 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -53,7 +53,7 @@ add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ ## create IP pool /ip pool add name=VPN-POOL ranges=192.168.252.128-192.168.252.224 ## add VPN profile /ppp profile -
SmartFinn revised this gist
Feb 5, 2018: 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -199,7 +199,7 @@ issued-revoke [find name="$USERNAME@$CN"] # /ip pool remove [find name=VPN-POOL] /ppp profile remove [find name=VPN-PROFILE] -
SmartFinn revised this gist
Jan 25, 2018: 1 changed file with 11 additions and 4 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,10 +3,10 @@ ## Contents - [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates) - [Add a new user](#add-a-new-user) - [Setup OpenVPN client](#setup-openvpn-client) - [Decrypt private key to avoid password asking](#decrypt-private-key-to-avoid-password-asking) - [Delete a user and revoke his certificate](#delete-a-user-and-revoke-his-certificate) - [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik) ## Setup OpenVPN server and generate certificates @@ -71,9 +71,11 @@ add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ``` ## Add a new user ```ini # Add a new user and generate/export certs # # Change variables below and paste the script # into MikroTik terminal window. # @@ -168,9 +170,11 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" openssl rsa -passin pass:password -in [email protected] -out [email protected] ``` ## Delete a user and revoke his certificate ```ini # Delete a user and revoke his certificate # # Change variables below and paste the script # into MikroTik terminal window. # @@ -191,6 +195,9 @@ issued-revoke [find name="$USERNAME@$CN"] ## Revert OpenVPN server configuration on MikroTik ```ini # Revert OpenVPN configuration # /ip pool remove [find naem=VPN-POOL] -
SmartFinn revised this gist
Jan 25, 2018: 1 changed file with 6 additions and 0 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,6 +5,7 @@ - [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates) - [Add a user](#add-a-user) - [Setup OpenVPN client](#setup-openvpn-client) - [Decrypt private key to avoid password asking](#decrypt-private-key-to-avoid-password-asking) - [Delete a user and revoke a certificate](#delete-a-user-and-revoke-a-certificate) - [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik) @@ -161,6 +162,11 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" sudo openvpn USERNAME.ovpn ``` ## Decrypt private key to avoid password asking ``` openssl rsa -passin pass:password -in [email protected] -out [email protected] ``` ## Delete a user and revoke a certificate -
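Review bot: the new `Decrypt private key` section passes the passphrase as `-passin pass:password` on the command line, where it is visible in process listings and shell history; prefer `-passin stdin` or `-passin env:VAR`, which openssl also accepts. The decrypted `-out` file holds the client key in the clear, so the section should say to restrict it to the owner (mode 600) and that this trades the passphrase prompt for an unprotected key on disk.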
SmartFinn revised this gist
Jan 25, 2018: 2 changed files with 0 additions and 104 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,76 +0,0 @@ This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,28 +0,0 @@ -
SmartFinn revised this gist
Jan 25, 2018: 1 changed file with 203 additions and 0 deletions.
@@ -0,0 +1,203 @@ # OpenVPN Server and certificate management on MikroTik ## Contents - [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates) - [Add a user](#add-a-user) - [Setup OpenVPN client](#setup-openvpn-client) - [Delete a user and revoke a certificate](#delete-a-user-and-revoke-a-certificate) - [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik) ## Setup OpenVPN server and generate certificates ```ini # Setup OpenVPN Server and generate certs # # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global COUNTRY "UA" :global STATE "KV" :global LOC "Kyiv" :global ORG "My organization" :global OU "" :global KEYSIZE "2048" ## functions :global waitSec do={:return ($KEYSIZE * 10 / 1024)} ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay [$waitSec] ## generate a server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay [$waitSec] ## create a client template /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client ## create IP pool /ip pool add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 ## add VPN profile /ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ remote-address=VPN-POOL use-encryption=yes ## setup OpenVPN server /interface 
ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes ## add a firewall rule /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ``` ## Add a user ```ini # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global USERNAME "user" :global PASSWORD "password" ## add a user /ppp secret add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn ## generate a client certificate /certificate add name=client-template-to-issue copy-from="client-template" \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" :delay 20 ## export the CA, client certificate, and private key /certificate export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" ``` ## Setup OpenVPN client 1. Copy the exported certificates from the MikroTik ```sh sftp admin@MikroTik_IP:cert_export_\* ``` Also, you can download the certificates from the web interface. Go to `WebFig` → `Files` for this. 2. Create `user.auth` file The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password. ``` user password ``` 3. Create OpenVPN config that named like `USERNAME.ovpn`: ```ini client dev tun proto tcp-client remote MikroTik_IP 1194 nobind persist-key persist-tun cipher AES-256-CBC auth SHA1 pull verb 2 mute 3 # Create a file 'user.auth' with a username and a password # # cat << EOF > user.auth # user # password # EOF auth-user-pass user.auth # Copy the certificates from MikroTik and change # the filenames below if needed ca cert_export_MikroTik.crt cert [email protected] key [email protected] # Add routes to networks behind MikroTik #route 192.168.10.0 255.255.255.0 ``` 4. 
Try to connect ``` sudo openvpn USERNAME.ovpn ``` ## Delete a user and revoke a certificate ```ini # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global USERNAME "user" ## delete a user /ppp secret remove [find name=$USERNAME profile=VPN-PROFILE] ## revoke a client certificate /certificate issued-revoke [find name="$USERNAME@$CN"] ``` ## Revert OpenVPN server configuration on MikroTik ```ini /ip pool remove [find naem=VPN-POOL] /ppp profile remove [find name=VPN-PROFILE] /ip firewall filter remove [find comment="Allow OpenVPN"] /ppp secrets remove [find profile=VPN-PROFILE] /certificate ## delete the certificates manually ``` -
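Review bot: the revert block at the end has two defects: `remove [find naem=VPN-POOL]` misspells the property, so `find` matches nothing and the pool stays; and `/ppp secrets` is not a valid path (`/ppp secret`), so that line errors and the VPN users keep their accounts and passwords. Together they mean a reader who runs the block believing the server is torn down is left with live accounts and an address pool. Separately, the per-user block uses a fixed `:delay 20` after `sign`, whereas the server block derives its wait from `waitSec`; reuse that function so the `export-certificate` step does not run before the client certificate is signed.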
SmartFinn revised this gist
Jan 25, 2018: 1 changed file with 5 additions and 5 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,25 +10,25 @@ :global LOC "Kyiv" :global ORG "My org" :global OU "" :global KEYSIZE "2048" :global USERNAME "user" :global PASSWORD "password" ## functions :global waitSec do={:return ($KEYSIZE * 10 / 1024)} ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay [$waitSec] ## generate a server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay [$waitSec] @@ -37,7 +37,7 @@ sign server-template ca="$CN" name="server@$CN" /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client ## create IP pool /ip pool -
SmartFinn revised this gist
Jan 25, 2018: 2 changed files with 38 additions and 32 deletions.
@@ -1,55 +1,54 @@ # Setup OpenVPN Server and generate certs # # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global COUNTRY "UA" :global STATE "KV" :global LOC "Kyiv" :global ORG "My org" :global OU "" :global KEY_SIZE "2048" :global USERNAME "user" :global PASSWORD "password" ## functions :global waitSec do={:return ($KEY_SIZE * 10 / 1024)} ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEY_SIZE" \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay [$waitSec] ## generate a server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEY_SIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay [$waitSec] ## create a client template /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size="$KEY_SIZE" days-valid=3650 key-usage=tls-client ## create IP pool /ip pool add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 ## add VPN profile /ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ remote-address=VPN-POOL use-encryption=yes ## setup OpenVPN server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes 
@@ -58,19 +57,20 @@ set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ## add a user /ppp secret add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn ## generate a client certificate /certificate add name=client-template-to-issue copy-from="client-template" \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" :delay [$waitSec] ## export the CA, client certificate, and private key /certificate export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" / This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,22 +1,28 @@ client dev tun proto tcp-client remote <MikroTik_IP> 1194 nobind persist-tun cipher AES-256-CBC auth SHA1 pull verb 2 mute 3 # Create a file 'user.auth' with a username and a password # # cat << EOF > user.auth # user # password # EOF auth-user-pass user.auth # Copy the certificates from MikroTik and change # the filenames below if needed ca cert_export_MikroTik.crt cert [email protected] key [email protected] # Add routes to networks behind MikroTik #route 192.168.10.0 255.255.255.0 -
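Review bot: the script ships `:global USERNAME "user"` and `:global PASSWORD "password"` and, if pasted unchanged, creates the `/ppp secret` and exports the client key with exactly those values; a guard before the `add`, such as `:if ($PASSWORD = "password") do={:error "set PASSWORD first"}`, stops the script from issuing an account and certificate with placeholder credentials. In the client file, `remote <MikroTik_IP> 1194` is fine, but since the router is trusted only through a private CA, adding `remote-cert-tls server` makes the client check the `tls-server` key usage that the server certificate is created with and refuse a connection presented with a client certificate issued by the same CA.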
SmartFinn renamed this gist
Mar 22, 2016 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes. -
SmartFinn revised this gist
Mar 22, 2016 . 1 changed file with 1 addition and 1 deletion.
@@ -19,4 +19,4 @@ mute 3 auth-user-pass user.auth ca cert_export_MikroTik.crt cert [email protected] key [email protected]
SmartFinn renamed this gist
Mar 22, 2016 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes. -
SmartFinn revised this gist
Mar 22, 2016 . 1 changed file with 22 additions and 0 deletions.
@@ -0,0 +1,22 @@ # Create a file 'user.auth' with a username and password # and copy the certificates from the MikroTik # # cat << EOF > user.auth # user # password # EOF client dev tun proto tcp-client remote <MikroTik_IP> 1194 nobind persist-tun cipher AES-256-CBC verb 2 mute 3 auth-user-pass user.auth ca cert_export_MikroTik.crt cert [email protected] key [email protected]
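Review bot: `auth-user-pass user.auth` reads the PPP username and password from a cleartext file that the header comment tells the user to create with a heredoc next to the private key; at minimum document `chmod 600 user.auth` (and the same for the `.key` file) so the credential and key are not world-readable. The profile also sets no `auth` directive, which works only because OpenVPN's default HMAC is SHA1 and the server side is configured with `auth=sha1`; make that explicit so a later change on either side fails loudly at the handshake instead of being an unstated dependency.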
SmartFinn created this gist
Mar 22, 2016 .
@@ -0,0 +1,76 @@ # Setup OpenVPN Server # # Edit variables below and copy paste the script # in a MikroTik terminal window. # :global CN [/system identity get name] :global COUNTRY "UA" :global STATE "KV" :global LOC "Kyiv" :global ORG "" :global OU "" :global USERNAME "user" :global PASSWORD "password" ## generate CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size=4096 \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ else={:delay 10} ## generate server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size=4096 \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ else={:delay 10} ## create client template /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size=4096 days-valid=3650 key-usage=tls-client :if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ else={:delay 10} ## create pool /ip pool add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 ## add profile /ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ remote-address=VPN-POOL use-encryption=yes ## setup server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes ## add a firewall rule /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ## add user /ppp secret add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn ## 
generate client certificate /certificate add name=client-template-to-issue copy-from="client-template" \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" ## export the CA, client certificate and private key /certificate export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" /
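Review bot: `sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"` is followed immediately by `export-certificate "$USERNAME@$CN" ...` with no wait, while every other `sign` in this script is followed by a delay; with a 4096-bit key the export can run before signing has finished, and the exported bundle is then unsigned or missing its key. Wait for the signed certificate here too, preferably by polling `/certificate` in a bounded `:while` loop rather than the `cpu-frequency <= 600` heuristic, which guesses at keygen time (4096-bit RSA on a low-end board can take much longer than 30 s). The `:if ... :delay` after `client-template` is unnecessary, since that template is only copied and never signed. Two more points: an empty `export-passphrase=""` on the CA export writes the certificate without its private key, which is the desired behaviour and worth a comment so nobody "fixes" it by adding a passphrase and dropping the CA private key into the file store; and `days-valid=3650` on the client template gives every issued client certificate a ten-year lifetime, so client retirement has to rely on revocation rather than expiry.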