Created
July 9, 2021 04:01
bondarenkod revised this gist
Mar 31, 2018 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -167,6 +167,8 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" pull verb 2 mute 3 # defaul gateway, don't use next line if you need access to the vpn'ated network only redirect-gateway autolocal # Create a file 'user.auth' with a username and a password # -
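Review bot: The added comment `# defaul gateway, don't use next line if you need access to the vpn'ated network only` is hard to parse and misspelled; `# Route all traffic through the VPN; remove the next line if you only need the network behind MikroTik` says the same thing plainly. Once `redirect-gateway autolocal` sends every flow through the tunnel, verifying who the server is matters more, and the client config this line sits in (see the 203-addition Jan 25, 2018 revision below) has no `remote-cert-tls server`, so the server is only checked for a chain to the CA that also signs every client certificate. Whether name resolution follows the tunnel depends on the server pushing a resolver, which this hunk does not show. The surrounding ```ini block begins and ends outside the hunk.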
bondarenkod revised this gist
Mar 31, 2018 . 1 changed file with 65 additions and 37 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -11,6 +11,10 @@ ## Setup OpenVPN server and generate certificates ```ini # Setup OpenVPN Server and generate certs # 
@@ -26,48 +30,66 @@ :global OU "" :global KEYSIZE "2048" :global USEDPOOLNAME "VPN-POOL" :global NEWPOOLNAME "VPN-POOL" :log info ("creating ovpn: start"); ## functions #:global waitSec do={:return ($KEYSIZE * 10 / 1024)} :global delayex do={ \ :local delaysec ($KEYSIZE * 10 / 1024); \ :if ($delaysec <= 1) do={ :set $delaysec 1 } :log info ("delay $delaysec: start"); \ :delay $delaysec; \ :log info ("delay $delaysec: end"); } #$delayex; ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :log info ("delay:" . [$waitSec]); $delayex; ## generate a server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" $delayex; ## create a client template /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client ## create IP pool /ip pool add name=VPN-POOL ranges=192.168.232.128-192.168.252.224 ## add VPN profile /ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ remote-address=default-dhcp use-encryption=yes ## setup OpenVPN server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes ## add a firewall rule /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" :log info ("creating ovpn: done"); ``` 
@@ -80,9 +102,14 @@ add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" # into MikroTik terminal window. # :global CN [/system identity get name] :global USERNAME "testuser" :global PASSWORD "testpassword" :log info ("Granting accsess for user [" . $USERNAME . "]"); ## add a user /ppp secret @@ -99,6 +126,7 @@ sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" /certificate export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" :log info ("Accsess granted for user [" . $USERNAME . "], certs were generated"); ``` -
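Review bot: `:log info ("delay:" . [$waitSec]);` still calls `$waitSec`, but the same hunk comments that definition out (`#:global waitSec do={...}`), so the line now references an unset global; either delete it or log the value the new helper computes, e.g. `:log info ("delay: " . ($KEYSIZE * 10 / 1024));`. `USEDPOOLNAME` and `NEWPOOLNAME` are declared and never used (the pool is still created as the literal `name=VPN-POOL`), and the range `192.168.232.128-192.168.252.224` spans twenty /24s and no longer sits inside the `192.168.252.1` local-address network — the Feb 9, 2018 revision below set it to `192.168.252.128-192.168.252.224`, so `232` looks like a typo introduced here. The defaults `testuser`/`testpassword` are the kind of placeholder that gets pasted unchanged, and "accsess" in both new log strings is misspelled.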
SmartFinn revised this gist
Feb 9, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -53,7 +53,7 @@ add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ ## create IP pool /ip pool add name=VPN-POOL ranges=192.168.252.128-192.168.252.224 ## add VPN profile /ppp profile -
SmartFinn revised this gist
Feb 5, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -199,7 +199,7 @@ issued-revoke [find name="$USERNAME@$CN"] # /ip pool remove [find name=VPN-POOL] /ppp profile remove [find name=VPN-PROFILE] -
SmartFinn revised this gist
Jan 25, 2018 . 1 changed file with 11 additions and 4 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,10 +3,10 @@ ## Contents - [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates) - [Add a new user](#add-a-new-user) - [Setup OpenVPN client](#setup-openvpn-client) - [Decrypt private key to avoid password asking](#decrypt-private-key-to-avoid-password-asking) - [Delete a user and revoke his certificate](#delete-a-user-and-revoke-his-certificate) - [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik) ## Setup OpenVPN server and generate certificates @@ -71,9 +71,11 @@ add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ``` ## Add a new user ```ini # Add a new user and generate/export certs # # Change variables below and paste the script # into MikroTik terminal window. # @@ -168,9 +170,11 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" openssl rsa -passin pass:password -in [email protected] -out [email protected] ``` ## Delete a user and revoke his certificate ```ini # Delete a user and revoke his certificate # # Change variables below and paste the script # into MikroTik terminal window. # @@ -191,6 +195,9 @@ issued-revoke [find name="$USERNAME@$CN"] ## Revert OpenVPN server configuration on MikroTik ```ini # Revert OpenVPN configuration # /ip pool remove [find naem=VPN-POOL] -
SmartFinn revised this gist
Jan 25, 2018 . 1 changed file with 6 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -5,6 +5,7 @@ - [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates) - [Add a user](#add-a-user) - [Setup OpenVPN client](#setup-openvpn-client) - [Decrypt private key to avoid password asking](#decrypt-private-key-to-avoid-password-asking) - [Delete a user and revoke a certificate](#delete-a-user-and-revoke-a-certificate) - [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik) @@ -161,6 +162,11 @@ export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" sudo openvpn USERNAME.ovpn ``` ## Decrypt private key to avoid password asking ``` openssl rsa -passin pass:password -in [email protected] -out [email protected] ``` ## Delete a user and revoke a certificate -
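Review bot: The new `openssl rsa -passin pass:password -in … -out …` step leaves the private key on disk unencrypted and the passphrase in shell history, and the section says nothing about either trade-off. A sentence under the heading such as `The decrypted key is stored in the clear — keep it readable only by you (chmod 600) and prefer OpenVPN's askpass option if you would rather keep the key encrypted` would let readers choose, and `-passin stdin` (or a file) keeps the passphrase out of history. The key filenames in this rendering look mangled by an e-mail obfuscation filter (`[email protected]`), so the exact names should be checked against the original gist. The same command reappears as context in the 11-addition Jan 25, 2018 revision above.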
SmartFinn revised this gist
Jan 25, 2018 . 2 changed files with 0 additions and 104 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,76 +0,0 @@ This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,28 +0,0 @@ -
SmartFinn revised this gist
Jan 25, 2018 . 1 changed file with 203 additions and 0 deletions.There are no files selected for viewing
@@ -0,0 +1,203 @@ # OpenVPN Server and certificate management on MikroTik ## Contents - [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates) - [Add a user](#add-a-user) - [Setup OpenVPN client](#setup-openvpn-client) - [Delete a user and revoke a certificate](#delete-a-user-and-revoke-a-certificate) - [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik) ## Setup OpenVPN server and generate certificates ```ini # Setup OpenVPN Server and generate certs # # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global COUNTRY "UA" :global STATE "KV" :global LOC "Kyiv" :global ORG "My organization" :global OU "" :global KEYSIZE "2048" ## functions :global waitSec do={:return ($KEYSIZE * 10 / 1024)} ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay [$waitSec] ## generate a server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay [$waitSec] ## create a client template /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client ## create IP pool /ip pool add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 ## add VPN profile /ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ remote-address=VPN-POOL use-encryption=yes ## setup OpenVPN server /interface 
ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes ## add a firewall rule /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ``` ## Add a user ```ini # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global USERNAME "user" :global PASSWORD "password" ## add a user /ppp secret add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn ## generate a client certificate /certificate add name=client-template-to-issue copy-from="client-template" \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" :delay 20 ## export the CA, client certificate, and private key /certificate export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" ``` ## Setup OpenVPN client 1. Copy the exported certificates from the MikroTik ```sh sftp admin@MikroTik_IP:cert_export_\* ``` Also, you can download the certificates from the web interface. Go to `WebFig` → `Files` for this. 2. Create `user.auth` file The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password. ``` user password ``` 3. Create OpenVPN config that named like `USERNAME.ovpn`: ```ini client dev tun proto tcp-client remote MikroTik_IP 1194 nobind persist-key persist-tun cipher AES-256-CBC auth SHA1 pull verb 2 mute 3 # Create a file 'user.auth' with a username and a password # # cat << EOF > user.auth # user # password # EOF auth-user-pass user.auth # Copy the certificates from MikroTik and change # the filenames below if needed ca cert_export_MikroTik.crt cert [email protected] key [email protected] # Add routes to networks behind MikroTik #route 192.168.10.0 255.255.255.0 ``` 4. 
Try to connect ``` sudo openvpn USERNAME.ovpn ``` ## Delete a user and revoke a certificate ```ini # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global USERNAME "user" ## delete a user /ppp secret remove [find name=$USERNAME profile=VPN-PROFILE] ## revoke a client certificate /certificate issued-revoke [find name="$USERNAME@$CN"] ``` ## Revert OpenVPN server configuration on MikroTik ```ini /ip pool remove [find naem=VPN-POOL] /ppp profile remove [find name=VPN-PROFILE] /ip firewall filter remove [find comment="Allow OpenVPN"] /ppp secrets remove [find profile=VPN-PROFILE] /certificate ## delete the certificates manually ``` -
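Review bot: The revert section runs `/ppp secrets remove [find profile=VPN-PROFILE]`, but everywhere else in this file the menu is the singular `/ppp secret` (`/ppp secret add`, `/ppp secret remove`), so the line should read `/ppp secret remove [find profile=VPN-PROFILE]`. In the client config there is no `remote-cert-tls server`, so a client only checks that the server certificate chains to the CA — the same CA that signs every client certificate — even though the server script deliberately issues the server certificate with `tls-server` key usage; adding `remote-cert-tls server` under `auth SHA1` makes the client enforce that, and the two-file Jan 25, 2018 revision and the Mar 22, 2016 .ovpn file below have the same gap. Step 2 of the client setup says `The file auth.cfg holds your username/password combination` while the file it creates is `user.auth`.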
SmartFinn revised this gist
Jan 25, 2018 . 1 changed file with 5 additions and 5 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,25 +10,25 @@ :global LOC "Kyiv" :global ORG "My org" :global OU "" :global KEYSIZE "2048" :global USERNAME "user" :global PASSWORD "password" ## functions :global waitSec do={:return ($KEYSIZE * 10 / 1024)} ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay [$waitSec] ## generate a server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay [$waitSec] @@ -37,7 +37,7 @@ sign server-template ca="$CN" name="server@$CN" /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client ## create IP pool /ip pool -
SmartFinn revised this gist
Jan 25, 2018 . 2 changed files with 38 additions and 32 deletions.There are no files selected for viewing
@@ -1,55 +1,54 @@ # Setup OpenVPN Server and generate certs # # Change variables below and paste the script # into MikroTik terminal window. # :global CN [/system identity get name] :global COUNTRY "UA" :global STATE "KV" :global LOC "Kyiv" :global ORG "My org" :global OU "" :global KEY_SIZE "2048" :global USERNAME "user" :global PASSWORD "password" ## functions :global waitSec do={:return ($KEY_SIZE * 10 / 1024)} ## generate a CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEY_SIZE" \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :delay [$waitSec] ## generate a server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEY_SIZE" \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :delay [$waitSec] ## create a client template /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size="$KEY_SIZE" days-valid=3650 key-usage=tls-client ## create IP pool /ip pool add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 ## add VPN profile /ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ remote-address=VPN-POOL use-encryption=yes ## setup OpenVPN server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes 
@@ -58,19 +57,20 @@ set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ## add a user /ppp secret add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn ## generate a client certificate /certificate add name=client-template-to-issue copy-from="client-template" \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" :delay [$waitSec] ## export the CA, client certificate, and private key /certificate export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" / This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,22 +1,28 @@ client dev tun proto tcp-client remote <MikroTik_IP> 1194 nobind persist-tun cipher AES-256-CBC auth SHA1 pull verb 2 mute 3 # Create a file 'user.auth' with a username and a password # # cat << EOF > user.auth # user # password # EOF auth-user-pass user.auth # Copy the certificates from MikroTik and change # the filenames below if needed ca cert_export_MikroTik.crt cert [email protected] key [email protected] # Add routes to networks behind MikroTik #route 192.168.10.0 255.255.255.0 -
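Review bot: `:global USERNAME "user"` and `:global PASSWORD "password"` are never cleared, and on RouterOS a global remains in `/system script environment` after the pasted script finishes, so the VPN password stays readable there until it is removed or the router reboots; ending the script with `/system script environment remove [find name=PASSWORD]` (or using `:local` for the credential variables) avoids that, and the same applies to the Mar 31, 2018 and 203-addition Jan 25, 2018 README scripts above and the Mar 22, 2016 script below. The export line `export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"` reuses the PPP login password as the private-key passphrase, so one secret protects both the login and the key; a separate passphrase keeps a leak of `user.auth` from also unlocking the key. The second file in this revision, the .ovpn config, sets `cipher AES-256-CBC` and `auth SHA1` but still no `remote-cert-tls server`.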
SmartFinn renamed this gist
Mar 22, 2016 . 1 changed file with 0 additions and 0 deletions.There are no files selected for viewing
File renamed without changes. -
SmartFinn revised this gist
Mar 22, 2016 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -19,4 +19,4 @@ mute 3 auth-user-pass user.auth ca cert_export_MikroTik.crt cert [email protected] key [email protected] -
SmartFinn renamed this gist
Mar 22, 2016 . 1 changed file with 0 additions and 0 deletions.There are no files selected for viewing
File renamed without changes. -
SmartFinn revised this gist
Mar 22, 2016 . 1 changed file with 22 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,22 @@ # Create a file 'user.auth' with a username and password # and copy the certificates from the MikroTik # # cat << EOF > user.auth # user # password # EOF client dev tun proto tcp-client remote <MikroTik_IP> 1194 nobind persist-tun cipher AES-256-CBC verb 2 mute 3 auth-user-pass user.auth ca cert_export_MikroTik.crt cert [email protected] key [email protected] -
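Review bot: The header comment shows `cat << EOF > user.auth` writing the plaintext password but says nothing about the file's permissions; the redirect creates it with whatever the shell's umask allows, so a following `# chmod 600 user.auth` in the same comment would keep the credential readable only by its owner. The placeholder `remote <MikroTik_IP> 1194` is fine as written, but the comment could also point out that `user.auth` must live next to the .ovpn file since the path is relative.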
SmartFinn created this gist
Mar 22, 2016 .There are no files selected for viewing
@@ -0,0 +1,76 @@ # Setup OpenVPN Server # # Edit variables below and copy paste the script # in a MikroTik terminal window. # :global CN [/system identity get name] :global COUNTRY "UA" :global STATE "KV" :global LOC "Kyiv" :global ORG "" :global OU "" :global USERNAME "user" :global PASSWORD "password" ## generate CA certificate /certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="$CN" key-size=4096 \ days-valid=3650 key-usage=crl-sign,key-cert-sign sign ca-template ca-crl-host=127.0.0.1 name="$CN" :if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ else={:delay 10} ## generate server certificate /certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="server@$CN" key-size=4096 \ days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server sign server-template ca="$CN" name="server@$CN" :if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ else={:delay 10} ## create client template /certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \ organization="$ORG" unit="$OU" common-name="client" \ key-size=4096 days-valid=3650 key-usage=tls-client :if ( [/system resource get cpu-frequency] <= 600 ) do={:delay 30} \ else={:delay 10} ## create pool /ip pool add name=VPN-POOL ranges=192.168.252.2-192.168.252.254 ## add profile /ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \ remote-address=VPN-POOL use-encryption=yes ## setup server /interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \ default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes ## add a firewall rule /ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN" ## add user /ppp secret add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn ## 
generate client certificate /certificate add name=client-template-to-issue copy-from="client-template" \ common-name="$USERNAME@$CN" sign client-template-to-issue ca="$CN" name="$USERNAME@$CN" ## export the CA, client certificate and private key /certificate export-certificate "$CN" export-passphrase="" export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD" /
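Review bot: `/ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN"` relies on the implicit default action and is appended to the end of the input chain; on a router whose input chain already ends in a drop rule (the stock RouterOS default configuration does), the appended rule is never reached and the listener stays unreachable from outside. `add chain=input action=accept protocol=tcp dst-port=1194 place-before=0 comment="Allow OpenVPN"` makes the action explicit and puts the rule where it is evaluated; `place-before` takes the index or id of an existing rule, so the target may need adjusting to the ruleset in place. The fixed `:delay 30`/`:delay 10` after each `sign` is a guess at how long 4096-bit signing takes, and if it is too short the next `sign ... ca="$CN"` runs before the CA is ready; the later revisions' key-size-derived delay is the better shape, and a loop that polls the certificate until it is signed would be better still.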