ROS OVPN: revision of Thu, 07/05/2020 - 17:45


Last updated: 2020-05-07

Steps

1. Make certificate templates
2. Sign certificates
3. Trust CA & Cert (set the "T" flag)
4. Export client certificates
5. Check

Software & Hardware

/system resource print

                   uptime: 1w1d21h7m13s
                  version: 6.44.4 (stable)
               build-time: May/09/2019 12:14:50
         factory-software: 6.43.2
              free-memory: 38.7MiB
             total-memory: 64.0MiB
                      cpu: MIPS 74Kc V4.12
                cpu-count: 1
            cpu-frequency: 600MHz
                 cpu-load: 0%
           free-hdd-space: 110.1MiB
          total-hdd-space: 128.0MiB
  write-sect-since-reboot: 9559
         write-sect-total: 9559
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: RB2011iL
                 platform: MikroTik

 


Set NTP

 

/system ntp client set enabled=yes server-dns-names=time.google.com

/system clock print

 


Make certificate templates

 

 * If the CA certificate is removed, all certificates issued in its chain are removed too

 * Check the router's current time before creating the CA and certificates, otherwise you will create a CA/certificate that is already expired

[0]

/certificate

[1]

add name=ca-template common-name=myCa days-valid=3650 key-size=4096 key-usage=key-cert-sign,crl-sign

add name=server-template common-name=myServer

key-usage: as defined in RFC 5280

Other template parameters:

  1. name: Name of the certificate. The name can be edited later.
  2. subject-alt-name: contact email address

[2]

sign ca-template name=myCa

sign server-template ca=myCa name=myServer

* Certificate templates are deleted right after the certificate issue or certificate request command is executed

* Templates carry no flags

ca-crl-host - CRL host, used when issuing a CA certificate

ca - which CA to use when signing issued certificates

Flags

  • T - trusted
  • A - authority

[3]

set myServer trusted=yes

[4]

export-certificate myCa

export-certificate myCa export-passphrase=xxxx

/file print

cert_export_myCa.crt

cert_export_myServer.crt

* Adding 'export-passphrase=xxxx' exports both the crt & the key

Remark

/certificate import file-name=xxxx passphrase=xxxx

[5]

print

print detail

Remark: Client Cert.

add name=client1-template common-name=myClient1


OVPN Server

 

Sub-menu: /interface ovpn-server

Server configuration

/interface ovpn-server server print

Ports

  • ether1 - Internet
  • ether2 - Local control
  • ether3 - Vpn bridge

Config 1: Firewall rule

/ip firewall filter
add action=accept chain=input dst-port=1194 protocol=tcp \
comment="OpenVPN" disabled=no

Config 2: Add bridge & configure port

/interface bridge add name=vpn-bridge

/interface bridge port set [find interface=ether3] bridge=vpn-bridge

OR

/interface bridge port add interface=ether3 bridge=vpn-bridge

Remark

Interface name: the server creates a dynamic interface named <ovpn-USERNAME> for each connected user

Checking

  • /interface bridge print
  • /interface bridge port print

Config 3: Add a vpn user

# local-address and remote-address must both be set, otherwise the following error appears

<ovpn-client1>: terminating... - could not add address: local address cannot be 0.0.0.0 (6)
could not add address: local address cannot be 0.0.0.0 (6)

/ppp secret add name=client1 password=123 local-address=10.0.0.1 remote-address=10.0.0.2

# local-address is not shown unless 'detail' is added

/ppp secret print detail

Config 4: Add a PPP profile bound to the bridge

/ppp profile add name=ovpn bridge=vpn-bridge

Config 5: Configure the OVPN server

/interface ovpn-server server

set auth=sha1,md5 \
cipher=blowfish128,aes128,aes192,aes256 \
default-profile=ovpn \
certificate=myServer require-client-certificate=no \
mode=ethernet enabled=yes

Checking

/interface ovpn-server server print

                     enabled: yes
                        port: 1194
                        mode: ethernet
                     netmask: 32
                 mac-address: FE:5D:C9:??:??:??
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: default
                 certificate: myServer
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128,aes192,aes256

/interface ovpn-server monitor 0

no such item

/interface ovpn-server monitor <ovpn-client1>

     status: connected
     uptime: 1w19h8m5s
       user: client1
  caller-id: 192.168.88.229
   encoding: AES-256-CBC/SHA1
        mtu: 1500

/ip address print

...
 2 D 10.0.0.1/32        10.0.0.3        <ovpn-client1>

/ppp active print

Flags: R - radius
 #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING
 0   client1      ovpn    192.168.88.229    10.0.0.2        2m7s     AES-256-CBC/SHA1

/ppp active remove 0

 


OVPN Client

 

Sub-menu: /interface ovpn-client

Ports:

  • ether1 - Internet
  • ether2 - Local control
  • ether3 - Vpn bridge

Config Client

/interface ovpn-client

add name="ovpn-out1" connect-to=192.168.88.228 port=1194 \
default-profile=ovpn \
mode=ethernet \
user="client1" password="123" \
cipher=aes256 auth=sha1 \
add-default-route=no

Checking

/interface ovpn-client print

/interface ovpn-client monitor 0

 

 


More Security

 

1. Upload cert_export_myCa.crt to the client router with Winbox

2. Import CA Cert.

/certificate

import file-name=cert_export_myCa.crt

passphrase:
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

/certificate print

Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #         NAME                 COMMON-NAME    SUBJECT-ALT-NAME      FINGERPRINT
 0    A  T cert_export_myCa.... myCa                                 c6cca0b76f301055860fc...

3. Configure client

/interface ovpn-client

set 0 verify-server-certificate=yes

/interface ovpn-client disable ovpn-out1

/interface ovpn-client enable ovpn-out1

/interface ovpn-client monitor ovpn-out1
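The certificate, "Config 5" and "More Security" pieces above put together as one added example; this is not from the original page. The page's server accepts md5 HMAC and Blowfish and needs no client certificate; this version keeps the page's names (myCa, myServer, myClient1, client1, ovpn-out1, ether1) and RouterOS 6.44 syntax, restricts the server to sha1/aes256, requires a client certificate issued by myCa, and assumes change-me-client1 as a placeholder export passphrase.

```routeros
# ---- on the OVPN server router ----
# 1. Issue the client certificate (the page only creates the template)
/certificate
add name=client1-template common-name=myClient1 key-usage=tls-client
sign client1-template ca=myCa name=myClient1
# export-passphrase makes RouterOS write the .key file as well as the .crt
export-certificate myClient1 export-passphrase=change-me-client1
/file print where name~"myClient1"
# expected: cert_export_myClient1.crt and cert_export_myClient1.key

# 2. Limit the page's input rule to the Internet port (ether1 on this page)
/ip firewall filter
set [find comment="OpenVPN"] in-interface=ether1

# 3. Page's settings were:
#    auth=sha1,md5 cipher=blowfish128,aes128,aes192,aes256 require-client-certificate=no
#    hardened: sha1 HMAC only, AES-256 only, client certificate mandatory
/interface ovpn-server server
set auth=sha1 cipher=aes256 \
    certificate=myServer require-client-certificate=yes \
    default-profile=ovpn mode=ethernet enabled=yes

# ---- on the OVPN client router ----
# cert_export_myCa.crt, cert_export_myClient1.crt and cert_export_myClient1.key
# were uploaded with Winbox first
/certificate
import file-name=cert_export_myCa.crt
import file-name=cert_export_myClient1.crt passphrase=change-me-client1
import file-name=cert_export_myClient1.key passphrase=change-me-client1
# give the imported client certificate a stable name; it must now show the K flag
set [find common-name=myClient1] name=myClient1
print

# client presents myClient1 and checks the server certificate against myCa
/interface ovpn-client
set ovpn-out1 cipher=aes256 auth=sha1 \
    certificate=myClient1 verify-server-certificate=yes
disable ovpn-out1
enable ovpn-out1
monitor ovpn-out1 once
```

If the client certificate is missing the K flag after import, the .key file was not decrypted; re-import it with the same passphrase used at export time.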


Troubleshoot