Last updated: 2020-050-07
Contents
- Setup NTP Client (required)
- Create CA & Server Certificate
- OVPN Server Setup
- OVPN Client
- More Secure Client Connection
- Troubleshoot
Setup NTP Client (required)
# Certificates carry validity dates: a router with a wrong clock issues certificates that are
# already expired or not yet valid, and may reject valid ones.
# (RouterOS v6 syntax; v7 uses /system ntp client servers add address=time.google.com)
/system ntp client set enabled=yes server-dns-names=time.google.com
/system clock print
Create CA & Server Certificate
* If the CA certificate is removed, every certificate issued under it is removed as well
* Check the router's current time (/system clock print) before creating the CA and certificates; otherwise the CA/certificate you create may already be expired
Steps
- Make certificate templates
- Sign certificates
- Trust CA (set the "T" flag)
- Export CA cert.
- Checking
- Add client key & cert. (optional)
[1] Make certificate templates
/certificate
add name=ca-template common-name=myCa days-valid=3650 key-size=4096 key-usage=key-cert-sign,crl-sign
add name=server-template common-name=myServer days-valid=3650
key-usage values follow RFC 5280. The CA template is restricted to key-cert-sign,crl-sign; the server template keeps the RouterOS default key-usage, which includes tls-server (needed for the client's remote-cert-tls server check) and tls-client.
- name: name of the certificate (can be edited later)
- subject-alt-name: SAN entry (email:, DNS: or IP:), e.g. the server's DNS name or a contact e-mail address
[2] Sign certificates
sign ca-template name=myCa # key-size=4096, so this takes a long time
sign server-template ca=myCa name=myServer
* Certificate templates are deleted right after the certificate issue or certificate request command is executed
* Templates show no flags in the print output; signed certificates do
/certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #       NAME       COMMON-NAME  SUBJECT-ALT-NAME  FINGERPRINT
 0 K A T myCa       myCa                           4089f912357...
 1 K A   myServer   myServer                       af2303eaa1c...
[3] Trust CA
set myCa trusted=yes # a locally signed CA is trusted by default; this only confirms the "T" flag
[4] Export CA cert.
export-certificate myCa # exported into /file
/file print
... cert_export_myCa.crt
Remark: the full-path form of the same command is /certificate export-certificate myCa
[5] Checking
/certificate print
/certificate print detail # shows the invalid-after (expiry) time
Add Client Key & Cert. (optional)
* Only required when the ROS OVPN server is set with "require-client-certificate=yes"
/certificate add name=client1-template common-name=myClient1 days-valid=3650
/certificate sign client1-template ca=myCa name=myClient1
Export cert. & key
# Adding 'export-passphrase=xxxx' exports both the .crt and the .key
/certificate export-certificate myClient1 export-passphrase=12345678 # the passphrase must be at least 8 characters; 12345678 is only a placeholder
Encrypted key file
-----BEGIN ENCRYPTED PRIVATE KEY----- ... -----END ENCRYPTED PRIVATE KEY-----
OVPN Server Setup
Sub-menu: /interface ovpn-server
Server configuration
/interface ovpn-server server print
Ports
- ether1 - Internet
- ether2 - Local control
- ether3 - VPN bridge
Config 1: Firewall rule
/ip firewall filter
add action=accept chain=input dst-port=1194 protocol=tcp \
    comment="OpenVPN" disabled=no
# This accepts TCP/1194 from anywhere. Tighten it with in-interface=ether1 (the Internet port) or a
# src-address-list, and make sure it sits before any drop rule in the input chain (add appends to
# the end of the chain; use place-before= to position it).
Config 2: Add bridge & configure port
/interface bridge add name=vpn-bridge
/interface bridge port set [find interface=ether3] bridge=vpn-bridge
OR
/interface bridge port add interface=ether3 bridge=vpn-bridge
Checking
/interface print
# Once a client connects, a new interface named ovpn-USRNAME appears
Flags: D - dynamic, X - disabled, R - running, S - slave
 #    NAME              TYPE     ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS
 2 DR <ovpn-USRNAME>    ovpn-in  1500        ...
/interface bridge port print
# Only with OVPN server mode=ethernet does the new interface show up as a bridge port; with mode=ip it does not
Config 3: IP pool
/ip pool add name=ovpn-pool range=10.10.10.10-10.10.10.19
Config 4: Add a VPN user (required)
* The ROS OVPN server (in the RouterOS version this page describes) does not support authentication without a username/password, so a PPP user account is required
  (the client must log in with username/password, even when a client certificate is also required)
# A local-address and remote-address must come from the secret or from its PPP profile, otherwise the session fails with:
<ovpn-client1>: terminating... - could not add address: local address cannot be 0.0.0.0 (6)
/ppp secret add name=client1 password=123 local-address=10.0.0.1 remote-address=10.0.0.2
# Addresses set on the secret override those of the profile. "123" is a placeholder; use a strong password.
# Without "detail" the local-address is not shown
/ppp secret print detail
Config 5: PPP profile
/ppp profile add name=ovpn bridge=vpn-bridge local-address=10.10.10.1 remote-address=ovpn-pool
# Clients whose secret carries no addresses get local-address 10.10.10.1 and a remote-address from ovpn-pool
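The address precedence described in Config 4 and Config 5 (secret overrides profile, profile remote-address may be a pool, nothing anywhere gives the 0.0.0.0 error) is easy to get wrong when secrets and profiles are mixed. The following is an added example, not RouterOS code and not from this page's author: a small Python model of that precedence over data constructed to mirror Config 3 to 5 (the users client2 and client3 are assumed for the demo).

```python
"""Effective PPP addressing for a RouterOS OpenVPN user (added example).

Models the precedence RouterOS applies when a PPP session comes up:
  1. local-address / remote-address set on the /ppp secret win;
  2. otherwise the values from the secret's /ppp profile are used;
  3. a profile remote-address that names an /ip pool hands out the next
     free pool address.
If no local-address is found anywhere the session is torn down with
"could not add address: local address cannot be 0.0.0.0", the error
quoted in Config 4. The data below is constructed, not read from a router.
"""
import ipaddress

POOLS = {"ovpn-pool": "10.10.10.10-10.10.10.19"}
PROFILES = {
    "default": {},
    "ovpn": {"local-address": "10.10.10.1", "remote-address": "ovpn-pool"},
}
SECRETS = {
    # addresses on the secret override the profile (the page's client1)
    "client1": {"profile": "ovpn", "local-address": "10.0.0.1",
                "remote-address": "10.0.0.2"},
    # assumed user with no addresses on the secret: profile + pool apply
    "client2": {"profile": "ovpn"},
    # assumed user on the "default" profile, which has no addresses either
    "client3": {"profile": "default"},
}


def pool_addresses(name):
    """Expand a RouterOS pool range 'a.b.c.d-a.b.c.e' into a list of IPs."""
    lo, hi = POOLS[name].split("-")
    first = int(ipaddress.IPv4Address(lo))
    last = int(ipaddress.IPv4Address(hi))
    return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]


def resolve(user, in_use=()):
    """Return (local, remote) the session would get, or raise ValueError
    with the RouterOS-style reason when the session would be terminated."""
    secret = SECRETS[user]
    profile = PROFILES[secret.get("profile", "default")]
    local = secret.get("local-address") or profile.get("local-address")
    remote = secret.get("remote-address") or profile.get("remote-address")
    if not local:
        raise ValueError(f"<ovpn-{user}>: terminating... - could not add "
                         "address: local address cannot be 0.0.0.0")
    if remote in POOLS:
        free = [ip for ip in pool_addresses(remote) if ip not in in_use]
        if not free:
            raise ValueError(f"<ovpn-{user}>: pool {remote} exhausted")
        remote = free[0]
    if not remote:
        raise ValueError(f"<ovpn-{user}>: no remote-address in secret or profile")
    return local, remote


def static_overlaps_pool(user):
    """True if the secret pins a remote-address that a pool may also hand
    out to another user (a source of duplicate-address conflicts)."""
    remote = SECRETS[user].get("remote-address")
    if not remote:
        return False
    return any(remote in pool_addresses(p) for p in POOLS)


if __name__ == "__main__":
    for user in SECRETS:
        try:
            print(user, resolve(user))
        except ValueError as err:
            print(err)
```

Run it before adding secrets to see which users would come up with which addresses and which would be torn down; `static_overlaps_pool` catches the case where a pinned remote-address sits inside the pool that other users draw from.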
Config 6: Enable the server
/interface ovpn-server server
set default-profile=ovpn \
    auth=sha1 cipher=aes128,aes192,aes256 \
    certificate=myServer require-client-certificate=no \
    mode=ethernet enabled=yes
# The server does not negotiate cipher/auth with the client; the client must be configured to match one of these.
# sha1 and aes128 are the weakest of these choices; prefer aes256 (and a SHA-2 auth if your RouterOS version offers it).
require-client-certificate
The server checks whether the client's certificate belongs to the same certificate chain (was issued by the same CA).
In the client config "<ca>...</ca>" is always required; when "Require Client Certificate" is enabled, "<cert>" and "<key>" are required as well.
mode
There are two modes, ip and ethernet.
When the server is ip the client must use tun; when the server is ethernet the client must use tap.
Checking
/interface ovpn-server server print
                     enabled: yes
                        port: 1194
                        mode: ethernet
                     netmask: 32
                 mac-address: FE:5D:C9:??:??:??
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: default
                 certificate: myServer
  require-client-certificate: no
                        auth: sha1
                      cipher: aes128,aes192,aes256
# default-profile reads "default" in this capture; after Config 6 it should read "ovpn"
Viewing client connections
/interface ovpn-server print
Flags: X - disabled, D - dynamic, R - running
 #    NAME              USER     MTU   CLIENT-ADDRESS  UPTIME  ENCODING
 0 DR <ovpn-USRNAME>    USRNAME  1500  210.0.220.18    7m16s   AES-128-CBC/SHA1
/ppp active print
Flags: R - radius
 #   NAME     SERVICE  CALLER-ID  ADDRESS         UPTIME  ENCODING
 0   USRNAME  ovpn     R.R.R.R    192.168.71.238  8m6s    AES-128-CBC/SHA1
/interface ovpn-server monitor 0
     status: connected
     uptime: 8m6s
       user: USRNAME
  caller-id: R.R.R.R
   encoding: AES-128-CBC/SHA1
        mtu: 1500
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 2 D 192.168.71.254/32  192.168.71.238  <ovpn-USRNAME>
# Disconnect a client
# After being disconnected the client may reconnect on its own
/ppp active remove 0
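The print output above is what an operator has to read to see who is connected and with which cipher. As an added example (not part of this page and not RouterOS code), the following Python parses `/ppp active print` style output, including the optional single-letter flag column RouterOS inserts before NAME, audits each session against a policy, and emits the `/ppp active remove` commands for the offenders. The sample rows, the allowed caller networks and the policy thresholds are constructed for the demo.

```python
"""Audit OpenVPN sessions from RouterOS '/ppp active print' output (added example).

Parses the tabular print output, then flags sessions that use a weak cipher
or auth, come from an unexpected caller-id, or have been up too long, and
builds the matching '/ppp active remove' commands. PPP_ACTIVE below is a
constructed sample, not captured from a router; the policy defaults are
assumptions for the demo.
"""
import ipaddress
import re

PPP_ACTIVE = """\
Flags: R - radius
 #   NAME      SERVICE  CALLER-ID      ADDRESS          UPTIME   ENCODING
 0   client1   ovpn     203.0.113.10   192.168.71.238   8m6s     AES-128-CBC/SHA1
 1   client2   ovpn     198.51.100.7   192.168.71.239   1d2h5s   AES-256-CBC/SHA1
 2 R client3   ovpn     203.0.113.11   192.168.71.240   12s      AES-256-CBC/SHA256
"""

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def uptime_seconds(text):
    """'1d2h5s' -> 93605; RouterOS prints uptime as w/d/h/m/s groups."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", text))


def parse_print(text):
    """Turn RouterOS tabular print output into a list of row dicts."""
    flags, columns, rows = set(), [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "Flags:":
            flags = set(re.findall(r"\b([A-Z]) - ", line))
        elif parts[0] == "#":
            columns = parts[1:]
        elif parts[0].isdigit():
            row = {"id": int(parts[0]), "flags": ""}
            values = parts[1:]
            # one extra token made only of flag letters => flag column present
            if len(values) == len(columns) + 1 and set(values[0]) <= flags:
                row["flags"] = values.pop(0)
            row.update(zip(columns, values))
            rows.append(row)
    return rows


def audit(text, allowed_ciphers=("AES-256-CBC",),
          allowed_auth=("SHA256", "SHA512"), allowed_callers=(),
          max_uptime=None):
    """Return (name, issue) findings for sessions that violate the policy."""
    nets = [ipaddress.ip_network(n) for n in allowed_callers]
    findings = []
    for s in parse_print(text):
        cipher, _, auth = s["ENCODING"].partition("/")
        if cipher not in allowed_ciphers:
            findings.append((s["NAME"], f"cipher {cipher} not allowed"))
        if auth not in allowed_auth:
            findings.append((s["NAME"], f"auth {auth} not allowed"))
        caller = ipaddress.ip_address(s["CALLER-ID"])
        if nets and not any(caller in n for n in nets):
            findings.append((s["NAME"], f"caller-id {caller} outside allowed networks"))
        if max_uptime is not None and uptime_seconds(s["UPTIME"]) > max_uptime:
            findings.append((s["NAME"], f"uptime {s['UPTIME']} exceeds limit"))
    return findings


def disconnect_commands(findings):
    """RouterOS commands that drop every flagged user once, in order of first finding."""
    names = list(dict.fromkeys(name for name, _ in findings))
    return [f'/ppp active remove [find name="{n}"]' for n in names]


if __name__ == "__main__":
    hits = audit(PPP_ACTIVE, allowed_callers=["203.0.113.0/24"])
    for name, issue in hits:
        print(f"{name}: {issue}")
    print("\n".join(disconnect_commands(hits)))
```

Paste the real `/ppp active print` output into `PPP_ACTIVE` (or read it from a file); the same parser handles `/interface ovpn-server print`, whose rows carry combined flags such as `DR`.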
OVPN Client
Sub-menu: /interface ovpn-client
Package: ppp
OpenVPN features not supported by RouterOS (as of the version this page describes; later RouterOS 7 releases added UDP):
- UDP mode
- LZO compression
- TLS authentication (tls-auth / tls-crypt)
- authentication without username/password
==== Scheme 1
Server side DG (LAN 192.168.3.x, public address R.R.R.R) <------- client side HY (LAN 192.168.1.x)
Tunnel IPs: DG 10.3.0.1, HY 10.3.0.X
[1] Create the VPN connection to the server
/interface ovpn-client
add name=ovpn-dg connect-to=R.R.R.R user=client1 password=1234 disabled=no
[2] Add a route to the network behind the server (192.168.3.0/24)
/ip route
add dst-address=192.168.3.0/24 gateway=ovpn-dg
[3] Masquerade behind the tunnel IP, so the server needs no return route to the local 192.168.1.x network
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ovpn-dg
==== Scheme 2
Ports:
- ether1 - Internet
- ether2 - Local control
- ether3 - VPN bridge
Config client
/interface ovpn-client
add name="ovpn-out1" connect-to=192.168.88.228 port=1194 \
    profile=ovpn \
    mode=ethernet \
    user="client1" password="123" \
    cipher=aes256 auth=sha1 \
    add-default-route=no
# ovpn-client takes profile=, not default-profile= (that is the server-side parameter);
# mode=ethernet, cipher and auth must match what the server is set to
Checking
/interface ovpn-client print
Or monitor one client, by number or by name
/interface ovpn-client monitor 0
/interface ovpn-client monitor ovpn-dg
Other settings
certificate (string | none; Default: none)
Name of the client certificate imported into certificate list.
mode (ip | ethernet; Default: ip)
Layer3 or layer2 tunnel mode (alternatively tun, tap)
profile (name; Default: default)
Used PPP profile.
More Secure Client Connection
1. Upload cert_export_myCa.crt to the client router with WinBox
2. Import the CA cert.
/certificate
import file-name=cert_export_myCa.crt
     passphrase:
     certificates-imported: 1
     private-keys-imported: 0
     files-imported: 1
     decryption-failures: 0
     keys-with-no-certificate: 0
/certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #     NAME                  COMMON-NAME  SUBJECT-ALT-NAME  FINGERPRINT
 0 A T cert_export_myCa....  myCa                           c6cca0b76f301055860fc...
3. Configure the client
/interface ovpn-client
add name=ovpn-client1 connect-to=R.R.R.R user=client1 password=123 disabled=no
set ovpn-client1 verify-server-certificate=yes
# verify-server-certificate=yes makes the client check the server's certificate against the imported, trusted CA.
# Without it the client accepts any server certificate, so anyone who can intercept the TCP connection can
# impersonate the server and collect the username/password.
4. Checking
/interface ovpn-client disable ovpn-client1
/interface ovpn-client enable ovpn-client1
/interface ovpn-client monitor ovpn-client1
Client Config Example
client.ovpn
# OVPN client config
tls-client
remote Server.Domain
port 11194
proto tcp-client
# To reach the server's LAN, tun is recommended,
# because the ethernet (tap) mode of the ROS OVPN server has a bug
dev tun
persist-key
persist-tun
#auth-user-pass auth.txt
auth-user-pass
# With 'auth-user-pass' you must also use 'pull', so the tunnel address pushed by the server is applied
pull
# The ROS OVPN server does not negotiate cipher and auth,
# so the client has to set them explicitly to match the server
cipher AES-128-CBC
auth SHA1
# OpenVPN 2.6+ clients no longer add --cipher to the fallback list automatically; they also need:
# data-ciphers-fallback AES-128-CBC
#redirect-gateway def1
remote-cert-tls server
verb 3
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>
remote-cert-tls server | client
To avoid a possible man-in-the-middle attack where an authorized client tries to connect to another client by impersonating the server,
make sure to enforce some kind of server certificate verification by clients.
Server mode: remote-cert-tls server accepts the peer's certificate only if it carries
- Key usage: digitalSignature, keyEncipherment (or digitalSignature, keyAgreement)
- Extended key usage: TLS Server (serverAuth)
This check only helps if client certificates cannot pass it. The RouterOS default key-usage includes tls-server, so a client certificate issued from a plain template would satisfy remote-cert-tls server; issue client templates with an explicit key-usage=digital-signature,key-encipherment,tls-client and leave tls-server to the server certificate only.
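The client config above has to satisfy several constraints at once: the unsupported-features list in the OVPN Client section, the tun/tap and cipher/auth rules from the server setup, the `<ca>`/`<cert>`/`<key>` requirements, and the `remote-cert-tls server` protection just described. As an added example (not part of this page, and not code from OpenVPN or MikroTik), the following Python parses an .ovpn file, including its inline `<ca>` style blocks, and reports every violation of those constraints. SAMPLE_OVPN is constructed for the demo and carries a placeholder CA body.

```python
"""Lint a client .ovpn against what the RouterOS OpenVPN server accepts (added example).

Constraints encoded, all taken from this page: TCP only; no LZO compression;
no tls-auth/tls-crypt; username/password required; pull so pushed addresses
apply; cipher and auth set explicitly (the server does not negotiate them);
dev tun/tap matching the server mode; <ca> always present; <cert>/<key>
present when the server sets require-client-certificate=yes; and
'remote-cert-tls server' so the client refuses an impersonated server.
SAMPLE_OVPN is constructed for the demo (placeholder CA body).
"""
import re

SAMPLE_OVPN = """\
tls-client
remote vpn.example.net
port 1194
proto tcp-client
dev tun
persist-key
persist-tun
auth-user-pass
pull
cipher AES-128-CBC
auth SHA1
remote-cert-tls server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

# directives the RouterOS server cannot serve
UNSUPPORTED = {
    "comp-lzo": "LZO compression",
    "compress": "compression",
    "tls-auth": "TLS authentication (tls-auth)",
    "tls-crypt": "TLS authentication (tls-crypt)",
}


def parse_ovpn(text):
    """Return (options, blocks). options: directive -> list of argument lists
    (a directive may repeat); blocks: inline tag -> body text."""
    options, blocks, current, body = {}, {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:
            if line == f"</{current}>":
                blocks[current], current, body = "\n".join(body), None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            current = tag.group(1)
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    if current is not None:
        raise ValueError(f"unterminated <{current}> block")
    return options, blocks


def lint(text, server_mode="ip", require_client_certificate=False):
    """Return a list of problems; an empty list means the config fits the server."""
    options, blocks = parse_ovpn(text)
    problems = []

    def first_arg(name):
        args = options.get(name)
        return args[0][0] if args and args[0] else None

    if not (first_arg("proto") or "").startswith("tcp"):
        problems.append("proto must be tcp: the RouterOS server is TCP-only")
    for directive, why in UNSUPPORTED.items():
        if directive in options:
            problems.append(f"{directive}: {why} is not supported by the RouterOS server")
    want_dev = {"ip": "tun", "ethernet": "tap"}[server_mode]
    if not (first_arg("dev") or "").startswith(want_dev):
        problems.append(f"dev must be {want_dev} when the server mode is {server_mode}")
    if "auth-user-pass" not in options:
        problems.append("auth-user-pass is required: no authentication without username/password")
    if "pull" not in options and "client" not in options:
        problems.append("pull (or client) is required so the pushed tunnel address is applied")
    for directive in ("cipher", "auth"):
        if directive not in options:
            problems.append(f"{directive} must be set explicitly: the server does not negotiate it")
    if first_arg("remote-cert-tls") != "server":
        problems.append("remote-cert-tls server is missing: the client would accept an impersonated server")
    if "ca" not in blocks and "ca" not in options:
        problems.append("<ca> block (or a ca file directive) is required")
    if require_client_certificate:
        for tag in ("cert", "key"):
            if tag not in blocks and tag not in options:
                problems.append(f"<{tag}> is required when the server sets require-client-certificate=yes")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_OVPN, server_mode="ethernet", require_client_certificate=True):
        print(problem)
```

Run `lint()` with the `server_mode` and `require-client-certificate` values of the server you are connecting to; a config that passes for `server_mode="ip"` fails for `"ethernet"` because the dev type has to change with the server mode.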