Gist `sandikodev/c93489f3ad8f6afa29e097f5fdfc05c1`, created February 4, 2021 17:07. Revision history: Jonathan created this gist on May 2, 2018.
# OpenVPN Server and certificate management on MikroTik

## Contents

- [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates)
- [Add a new user](#add-a-new-user)
- [Setup OpenVPN client](#setup-openvpn-client)
- [Decrypt private key to avoid password asking](#decrypt-private-key-to-avoid-password-asking)
- [Delete a user and revoke his certificate](#delete-a-user-and-revoke-his-certificate)
- [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik)

## Setup OpenVPN server and generate certificates

```ini
# Setup OpenVPN Server and generate certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#
:global CN [/system identity get name]
:global COUNTRY "ES"
:global STATE "Asturias"
:global LOC "Gijon"
:global ORG "ACME"
:global OU ""
:global KEYSIZE "2048"

## functions
# rough number of seconds to wait for key generation before signing
:global waitSec do={:return ($KEYSIZE * 10 / 1024)}

## generate a CA certificate (key usage limited to signing certificates and CRLs)
/certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
    organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
    days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

## generate a server certificate, signed by the CA
/certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
    organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
    days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

## create a client template (copied and signed once per user, see "Add a new user")
/certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
    organization="$ORG" unit="$OU" common-name="client" \
    key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

## create IP pool
/ip pool add name=OVPN-Pool ranges=192.168.68.10-192.168.68.25

## add VPN profile
/ppp profile add dns-server=192.168.68.1 local-address=192.168.68.1 name=OVPN-Profile \
    remote-address=OVPN-Pool use-encryption=yes

## setup OpenVPN server
/interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
    default-profile=OVPN-Profile enabled=yes keepalive-timeout=disabled \
    mac-address=00:00:00:00:00:00 max-mtu=1450 port=993 \
    require-client-certificate=yes

## add a firewall rule
/ip firewall filter add chain=input dst-port=993 protocol=tcp comment="Allow OpenVPN"
```

A few points worth knowing before pasting this:

- The CA is created and signed on the router and its private key never leaves it; only certificates (and per-user client keys) are exported later.
- `require-client-certificate=yes` makes the server check that the client's certificate was issued by the same CA as the server certificate, so a leaked PPP username/password alone is not enough to connect.
- On RouterOS 6 the OpenVPN server speaks TCP only and offers only `md5` or `sha1` for `auth`, so `sha1` is the stronger of the two available; the client config below must use `proto tcp-client` and `auth SHA1` to match.
- Port 993 is not the OpenVPN default (1194); keep the client's `remote` line and the firewall rule consistent with whatever you choose.
- `/ip firewall filter add` appends the rule to the end of the `input` chain. If that chain already ends with a drop rule, move the new rule above it (`place-before=` in the terminal, or drag it in WinBox), otherwise it never matches.

## Add a new user

```ini
# Add a new user and generate/export certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#
:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

## add a user
/ppp secret add name=$USERNAME password=$PASSWORD profile=OVPN-Profile service=ovpn

## generate a client certificate from the template and sign it with the CA
/certificate add name=client-template-to-issue copy-from="client-template" \
    common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

## export the CA certificate, and the client certificate with its private key
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"
```

The exported files appear in the router's file list as `cert_export_<name>.crt` and `cert_export_<name>.key`. With an empty `export-passphrase` only the certificate is written, which is what you want for the CA: its private key stays on the router. For the client, the passphrase encrypts the exported `.key` file; this script reuses the PPP password for that, so change `$PASSWORD` in both places if you want them to differ. With the system identity `Mikrotik` and the username `user`, the files are `cert_export_Mikrotik.crt`, `cert_export_user@Mikrotik.crt` and `cert_export_user@Mikrotik.key`.

## Setup OpenVPN client

1. Copy the exported certificates from the MikroTik:

   ```sh
   sftp admin@MikroTik_IP:cert_export_\*
   ```

   Alternatively, download them from the web interface: go to `WebFig` → `Files`. Once copied, delete the exported files from the router's file list; the encrypted client key has no business staying there.

2. Create the `user.auth` file.

   `user.auth` holds your username/password combination: the username on the first line and the password on the second. Make it readable only by you (`chmod 600 user.auth`).

   ```
   user
   password
   ```

3. Create an OpenVPN config named `USERNAME.ovpn`:

   ```ini
   ##############################################
   #
   client
   dev tun
   proto tcp-client
   remote Mikrotik 993
   nobind
   persist-key
   persist-tun
   verb 2
   mute 3
   pull
   cipher AES-256-CBC
   auth SHA1
   ##############################################
   #
   # Proxy capabilities
   #
   # http-proxy YYY.YYY.YYY.YYY 8080
   ##############################################
   #
   # Create a file 'user.auth' with a user and a password
   #
   # cat << EOF > user.auth
   # user
   # password
   # EOF
   auth-user-pass user.auth

   # CA CERT
   ca cert_export_Mikrotik.crt

   # USER CERTS
   cert cert_export_user@Mikrotik.crt
   key cert_export_user@Mikrotik.key

   # Add routes to networks behind MikroTik, if needed
   # route 192.168.1.0 255.255.255.0
   ```

   `remote` must be the router's public hostname or IP address, and the `ca`, `cert` and `key` paths must match the exported file names (here for identity `Mikrotik` and user `user`). Because the server certificate was issued with `tls-server` key usage, you can also add `remote-cert-tls server` so the client refuses a peer that presents a client certificate issued by the same CA.

4. Try to connect:

   ```
   sudo openvpn USERNAME.ovpn
   ```

## Decrypt private key to avoid password asking

```
openssl rsa -passin pass:password -in cert_export_user@Mikrotik.key -out cert_export_user@Mikrotik.key
```

where `pass:password` carries the passphrase given to that user's key at export time (the `$PASSWORD` from "Add a new user"). If you write the decrypted key to a different file, point the `key` line of the `.ovpn` at it. The result is a plaintext private key: keep it mode 0600, and remember that anyone who copies it together with `user.auth` can connect as that user without being asked for anything.

## Delete a user and revoke his certificate

```ini
# Delete a user and revoke his certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#
:global CN [/system identity get name]
:global USERNAME "user"

## delete a user
/ppp secret remove [find name=$USERNAME profile=OVPN-Profile]

## revoke a client certificate
/certificate issued-revoke [find name="$USERNAME@$CN"]
```

Do both steps: removing the PPP secret stops the password from working, and revoking the certificate stops the exported key pair from being usable at all. Neither command tears down a session that is already established; disconnect it under `/ppp active`.

## Revert OpenVPN server configuration on MikroTik

```ini
# Revert OpenVPN configuration
#
# Objects are removed in dependency order: the server must stop referencing
# the profile, and the profile must have no secrets before it can go.
/interface ovpn-server server set enabled=no certificate=none default-profile=default
/ppp secret remove [find profile=OVPN-Profile]
/ppp profile remove [find name=OVPN-Profile]
/ip pool remove [find name=OVPN-Pool]
/ip firewall filter remove [find comment="Allow OpenVPN"]
/certificate
## delete the certificates manually
```
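The "Setup OpenVPN client" and "Decrypt private key" sections above assume the exported files are what you think they are. The script below is an added example, not part of the gist: it checks that the client certificate chains to the CA and is valid for TLS client authentication, that the encrypted key actually unlocks with the export passphrase and belongs to that certificate, and then performs the same `openssl rsa` decryption with the plaintext key created mode 0600. It needs only the `openssl` CLI. Because there is no router to export from, `make_fixture_pki` builds a constructed stand-in PKI using the same file names the gist's export produces for identity `Mikrotik` and user `user` (passphrase `password`); point `check_client_export` and `decrypt_client_key` at the real exported files to use it for real.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check a RouterOS client export
# before wiring it into the .ovpn, then decrypt the key with safe permissions.
# Needs only the openssl CLI. The PKI built by make_fixture_pki is a CONSTRUCTED
# stand-in for the files a real `export-certificate` would produce.
set -u

# Throwaway CA + client cert with an AES-encrypted key (passphrase "password"),
# named the way RouterOS names exports of "Mikrotik" and "user@Mikrotik".
make_fixture_pki() {
  dir=$1
  cat >"$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Mikrotik" \
    -config "$dir/ext.cnf" -extensions ca_ext \
    -keyout "$dir/ca.key" -out "$dir/cert_export_Mikrotik.crt" 2>/dev/null
  openssl genrsa -aes256 -passout pass:password \
    -out "$dir/cert_export_user@Mikrotik.key" 2048 2>/dev/null
  openssl req -new -key "$dir/cert_export_user@Mikrotik.key" -passin pass:password \
    -config "$dir/ext.cnf" -subj "/CN=user@Mikrotik" -out "$dir/user.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/user.csr" \
    -CA "$dir/cert_export_Mikrotik.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions client_ext \
    -out "$dir/cert_export_user@Mikrotik.crt" 2>/dev/null
}

# Returns 0 only if the client cert chains to the CA and is valid for TLS client
# auth (openssl's "sslclient" purpose), and the encrypted key unlocks with the
# given passphrase and carries the same public key as the cert.
check_client_export() {
  ca=$1; cert=$2; key=$3; pass=$4
  if ! openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1; then
    echo "chain or purpose check failed for $cert" >&2
    return 1
  fi
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key $key does not unlock with that passphrase or does not match $cert" >&2
    return 1
  fi
  return 0
}

# The gist's `openssl rsa -passin ...` step, but the plaintext key is created
# under umask 077 so it is mode 0600 from the first byte written.
decrypt_client_key() {
  key=$1; pass=$2; out=$3
  (umask 077 && openssl rsa -in "$key" -passin "pass:$pass" -out "$out" 2>/dev/null)
}

main() {
  work=$(mktemp -d)
  make_fixture_pki "$work"
  ca="$work/cert_export_Mikrotik.crt"
  crt="$work/cert_export_user@Mikrotik.crt"
  key="$work/cert_export_user@Mikrotik.key"
  check_client_export "$ca" "$crt" "$key" password && echo "export looks good"
  check_client_export "$ca" "$crt" "$key" wrong-passphrase || echo "bad passphrase rejected"
  decrypt_client_key "$key" password "$work/user.key" && ls -l "$work/user.key"
}
main
```

The public-key comparison is what catches the common mix-up of pairing one user's `.crt` with another user's `.key` after several exports; `openssl verify -purpose sslclient` additionally fails if the certificate was issued from a template without `tls-client` key usage, which OpenVPN would otherwise only report at connect time.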