Difference between revisions of "MikrotTik: OpenVPN"

Revision as of 20:48, 6 October 2013

Attention: this page is work in progress.

I am using the OVPN client/server on MikroTik to connect several networks/locations. This document describes my findings and my way of configuring it.

While designing my network I found the following limitations (features?) of the OVPN implementation:

  • It is not possible to create a connection without the CA imported into each MikroTik. If "require-client-certificate" is set, a valid certificate chain for both client and server is required as well.
  • It is not possible to create a "password-less" connection. Each connection is authorized by certificate, username and password.
  • Only TCP is supported by MikroTik as the transport for OVPN (v6.4).
  • Prior to version 6.4 it was not possible to specify the server by FQDN; only an IP address was supported in earlier firmware versions.
  • The client address must be managed and assigned by the OVPN server (i.e. it is not possible to set the IP addresses on server and client outside of the OVPN configuration).

Steps to successfully create an OVPN connection:

Generate valid certificates

I used "valid" in the name of this section because I got wrongly generated certificates using "pkitool". I am not sure whether this was a fault of the tool or my own, but right now I am using a different way to generate certificates. Maybe in the future I'll debug what was wrong with pkitool.

easy-rsa installation

Gentoo users:

emerge easy-rsa

Ubuntu users:

apt-get install easy-rsa

Other users: please try to find easy-rsa in your distribution's package manager or download it from the project site [1]

Prepare CA directory

Ubuntu has an additional command to create the CA directory. Choose a name for a new, empty directory and then run (I chose "ovpn"):

make-cadir ovpn

Gentoo users can use following rsync command:

rsync -av /usr/share/easy-rsa/ ovpn/

On other Linux distributions, locate the easy-rsa installation and copy it to the desired working directory.

Variables configuration (the "vars" file)

Before certificates can be generated it is necessary to customize the "vars" file inside the new CA directory ("ovpn" in this example).

I prefer strict security, so I changed the key size from 1024 to 2048 (1024-bit RSA is no longer considered adequate; the same value also determines the size of the Diffie-Hellman parameters generated later):

export KEY_SIZE=2048

There are details about certificates at the end of the "vars" file. You must modify them to reflect your settings, for example:

export KEY_COUNTRY="SK"
export KEY_PROVINCE="SK"
export KEY_CITY="Bratislava"
export KEY_ORG="My company name"
export KEY_OU="MikroTik OVPN"
export KEY_CN="changeme"
export KEY_NAME="changeme"
export KEY_EMAIL="myself@mydomain.tld"

CN and NAME will differ for each certificate, so I left them as "changeme". Easy-rsa asks you to confirm each KEY_* variable during certificate generation, so both values can be changed for each certificate.

CA directory cleanup

Even when you are creating certificates for the first time it is good practice to run the cleanup command; later, if you recreate the certificates from scratch, it ensures you are working in a clean CA directory. Be aware that clean-all removes the whole keys directory including ca.key: running it in a CA directory whose CA is already imported into the routers means every certificate issued from it must be regenerated and re-imported. Inside the CA directory execute:

$ . ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /.../.../ovpn
$ ./clean-all 
$ 

Generate CA certificate

Note: If you set some variables in the "vars" file and later remove them from the file, they must also be removed from the shell environment, because sourcing vars again does not unset them. Clean the environment by calling unset for the particular variable or open a new shell session.

$ ./build-ca 
Generating a 2048 bit RSA private key
...........+++
.............+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SK]:
State or Province Name (full name) [SK]:
Locality Name (eg, city) [Bratislava]:
Organization Name (eg, company) [My company Name]:
Organizational Unit Name (eg, section) [MikroTik OVPN]:
Common Name (eg, your name or your server's hostname) [changeme]:server.domain.tld
Name [changeme]:server.domain.tld
Email Address [myself@mydomain.tld]:
$ 

I changed the server name simply by typing it when the tool asked for it. The other variables are confirmed by hitting return.

Note: Pick a Common Name for the CA that no server or client certificate will reuse. The transcript above gives the CA the same name as the server certificate generated later (server.domain.tld), which makes the two hard to tell apart by subject; a distinct value such as "ovpn-ca" is the safer choice.

Generate Diffie–Hellman

Note: This step is necessary only if you are also running an OpenVPN server on Linux. If you are running only the MikroTik OVPN server and OpenVPN clients, you can skip this step.

Note: Without a proper hardware random number generator this can take a long time. Grab a cup of coffee or try to generate some entropy on your machine while the DH parameters are generated. Their size follows KEY_SIZE from "vars", so with the setting above the result is keys/dh2048.pem.

$ ./build-dh 
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................
$ 

(output reduced)

Generate server certificate

It is important that all certificates under one CA chain have a unique Name/Common Name. I need a client and a server certificate for one machine, so I generate server certificates using the FQDN and client certificates using the hostname. This also makes it easy to identify the type of certificate without tools. build-key-server (unlike build-key) signs with the [server] section of openssl-1.0.0.cnf, which adds nsCertType=server and extendedKeyUsage=serverAuth; that is what lets a client configured with remote-cert-tls server (or ns-cert-type server) refuse a client certificate that is presented as the server.

$ ./build-key-server server.domain.tld
Generating a 2048 bit RSA private key
..................................................................................................+++
..........+++
writing new private key to 'server.domain.tld.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SK]:
State or Province Name (full name) [SK]:
Locality Name (eg, city) [Bratislava]:
Organization Name (eg, company) [My company Name]:
Organizational Unit Name (eg, section) [MikroTik OVPN]:
Common Name (eg, your name or your server's hostname) [server.domain.tld]:
Name [changeme]:server.domain.tld
Email Address [myself@mydomain.tld]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/lukas/Desktop/a/ovpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SK'
stateOrProvinceName   :PRINTABLE:'SK'
localityName          :PRINTABLE:'Bratislava'
organizationName      :PRINTABLE:'My company Name'
organizationalUnitName:PRINTABLE:'MikroTik OVPN'
commonName            :PRINTABLE:'server.domain.tld'
name                  :PRINTABLE:'server.domain.tld'
emailAddress          :IA5STRING:'myself@mydomain.tld'
Certificate is to be certified until Oct  4 18:10:34 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ 

Client certificate

The client certificate is created with ./build-key (without the -server suffix), using the hostname as Common Name and Name:

$ ./build-key client1

The prompts are the same as for the server certificate above; answer client1 for Common Name and Name and confirm the rest with return.

Keys

$ ls -1 keys/
01.pem
02.pem
ca.crt
ca.key
client1.crt
client1.csr
client1.key
dh2048.pem
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
serial
serial.old
server.domain.tld.crt
server.domain.tld.csr
server.domain.tld.key
$ 

Only ca.crt plus each router's own .crt/.key pair need to leave this directory. ca.key signs every future certificate and should stay in the CA directory (or offline), and the .csr files are no longer needed once signed.


Note to pkitool

This tool should make it possible to run all the commands above in one go, but for an unknown reason it was not working well for me. So I stay with the "old way", at least for now :o)
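The whole procedure of this section in one non-interactive script, as an added example that is not the wiki author's code: it produces the same files as build-ca, build-key-server and build-key using plain openssl (a "different way" that does not involve pkitool), and then runs the checks worth doing before the files are imported into RouterOS: every certificate verifies against ca.crt, keys are the configured size, server and client certificates carry the right extended key usage, and no two certificates share a subject. The directory under /tmp, the CA name "ovpn-ca", the DN values copied from the "vars" example and the certificate names server.domain.tld and client1 are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki author's script: the easy-rsa steps above done
# with plain openssl, plus the checks worth running before importing anything
# into RouterOS. CA_DIR, the DN values and the certificate names are assumptions.
set -eu

KEY_SIZE=2048                                   # same as "export KEY_SIZE=2048" in vars
DAYS=3650                                       # easy-rsa's default lifetime
CA_DIR="${CA_DIR:-${TMPDIR:-/tmp}/ovpn-keys}"   # assumed working directory
DN_BASE="/C=SK/ST=SK/L=Bratislava/O=My company name/OU=MikroTik OVPN"

# Stand-in for easy-rsa's openssl-1.0.0.cnf, reduced to the extension sections.
# serverAuth vs clientAuth is what lets a peer reject a client certificate that
# is presented as the server, and vice versa.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# build-ca equivalent. -nodes keeps the example non-interactive; a real CA key
# signs everything the routers trust, so passphrase-protect it or keep it offline.
build_ca() {
    openssl req -x509 -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 -days "$DAYS" \
        -config "$CA_DIR/openssl.cnf" -extensions v3_ca -subj "$DN_BASE/CN=$1" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# build-key-server / build-key equivalent.
#   $1 file name, $2 v3_server or v3_client, $3 Common Name (defaults to $1)
issue_cert() {
    name=$1; ext=$2; cn=${3:-$1}
    openssl req -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 \
        -config "$CA_DIR/openssl.cnf" -subj "$DN_BASE/CN=$cn" \
        -keyout "$CA_DIR/$name.key" -out "$CA_DIR/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$DAYS" -in "$CA_DIR/$name.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/openssl.cnf" -extensions "$ext" \
        -out "$CA_DIR/$name.crt" 2>/dev/null
}

# Prints the Extended Key Usage of <name>.crt, e.g. "TLS Web Server Authentication".
cert_eku() {
    openssl x509 -in "$CA_DIR/$1.crt" -noout -text \
        | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# Pre-import checks: each issued certificate chains to ca.crt, its key has at
# least KEY_SIZE bits, and no two certificates share a subject (easy-rsa's
# index.txt enforces that; plain "openssl x509 -req" does not). Returns 1 on
# the first problem found.
verify_pki() {
    for f in "$CA_DIR"/*.crt; do
        [ "$f" = "$CA_DIR/ca.crt" ] && continue
        openssl verify -CAfile "$CA_DIR/ca.crt" "$f" >/dev/null 2>&1 || return 1
        bits=$(openssl x509 -in "$f" -noout -text \
               | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        [ "${bits:-0}" -ge "$KEY_SIZE" ] || return 1
    done
    dups=$(for f in "$CA_DIR"/*.crt; do openssl x509 -in "$f" -noout -subject; done \
           | sort | uniq -d)
    [ -z "$dups" ] || return 1
}

# clean-all, build-ca, build-key-server and build-key in one go: FQDN for the
# server, plain hostname for the client, a distinct name for the CA itself.
build_pki() {
    rm -rf "$CA_DIR" && mkdir -p "$CA_DIR"
    write_config
    build_ca ovpn-ca
    issue_cert server.domain.tld v3_server
    issue_cert client1 v3_client
    # Only a Linux OpenVPN server also needs DH parameters (slow without a
    # hardware RNG):  openssl dhparam -out "$CA_DIR/dh$KEY_SIZE.pem" "$KEY_SIZE"
}

if command -v openssl >/dev/null 2>&1; then
    build_pki
    if verify_pki; then
        echo "PKI verified, files in $CA_DIR:"; ls -1 "$CA_DIR"
    else
        echo "PKI check failed" >&2; exit 1
    fi
fi
```

Run it with sh and set CA_DIR to choose where the files go. Because plain openssl x509 -req keeps no index.txt, the duplicate-subject check in verify_pki is what stands in for easy-rsa's unique_subject policy: issuing a second certificate whose Common Name is already in use makes verify_pki return 1, which is the situation the wiki warns about when it asks for unique names under one CA.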

OVPN Server configuration

Import Certificates