Difference between revisions of "MikrotTik: OpenVPN"
Lukas Dzunko (talk | contribs) (→OVPN Common configuration) |
Lukas Dzunko (talk | contribs) (→Time / Date) |
||
| Line 247: | Line 247: | ||
== OVPN Common configuration == | == OVPN Common configuration == | ||
=== Time / Date === | === Time / Date === | ||
| + | First of all don't try to synchronize time over VPN connection. Most of the MikroTik RouterBoard devices don't have RTC (real time clock) and rely on NTP. If you try to synchronize time over VPN then you end up with chicken / egg problem. | ||
| + | |||
=== Firewall rules === | === Firewall rules === | ||
== OVPN Server configuration == | == OVPN Server configuration == | ||
== OVPN Client configuration == | == OVPN Client configuration == | ||
Revision as of 17:06, 8 October 2013
Attention: this page is work in progress.
I am using OVPN client / server on MikroTik to connect several network/location. This document describe my findings and my way of configuration.
While i was designing my network i found following limitations (features ?) of OVPN implementation:
- It is not possible to create connection without CA imported in each MikroTik. If "require-client-certificate" is set then also valid certificates for chain for both client and server is required.
- It is not possible to create "password less" connection. Each connection is authorized by certificate, username and password
- Only TCP connection as base channel for OVPN is supported by MikroTik (v 6.4)
- Prior to version 6.4 it was not possible to specify server by FQDN. Only IP address was supported in previous versions of firmware
- It is required that client address is managed and assigned by OVPN Server. (e.g. it is not possible to set IP on server and client outside of OVPN configuration)
Steps to successfully create OVPN connection:
Contents
Generate valid certificates
I used "valid" in name of this section because I get wrongly generated certificates using "pkitool". I am not sure if this was fail of this tool or my fail but right now i am using different way to generate certificate. Maybe in future I'll debug what was wrong with pkitool.
easy-rsa installation
Gentoo users:
emerge app-crypt/easy-rsa
Ubuntu users:
apt-get install easy-rsa
Other users: please try to find easy-rsa using your distributions package manager or download it from GitHub
Prepare CA directory
Ubuntu have additional command to create CA directory. Select empty directory and then use (I selected "ovpn"):
make-cadir ovpn
Gentoo users can use following rsync command:
rsync -av /usr/share/easy-rsa/ ovpn/
On other Linux distribution you should find easy-rsa installation and copy it to desired working directory.
Variables configuration (e.g. "vars")
Before certificates can be generated it is necessary to customize "vars" file inside new ca directory ("ovpn" in this example)
I prefer strict security so i changed key size from 1024 to 2048
export KEY_SIZE=2048
There are details about certificates at end of "vars" file. It is required that you modify it to reflect your settings. For example like this:
export KEY_COUNTRY="SK" export KEY_PROVINCE="SK" export KEY_CITY="Bratislava" export KEY_ORG="My company name" export KEY_OU="MikroTik OVPN" export KEY_CN="changeme" export KEY_NAME="changeme" export KEY_EMAIL="myself@mydomain.tld"
CN and NAME will be different for each certificate so i left it as "changeme". Easy-rsa will ask to confirm each KEY_* variable during certificate generation, so it is possible to change both values for each certificate.
CA directory cleanup
Even when you are creating certificates for first time it is good practice to call cleanup command. Later if you recreate certificates from scratch this will ensure that you are working in clean CA directory. Inside CA directory execute:
$ . ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /.../.../ovpn $ ./clean-all $
Generate CA certificate
Note: configuration is loaded as variables in shell environment. If you experiment with configuration then don't forget to overwrite/remove variables from shell. If you are unsure then simply close terminal session and start with clean one. After that start with ". ./vars" command.
$ ./build-ca Generating a 2048 bit RSA private key ...........+++ .............+++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [SK]: State or Province Name (full name) [SK]: Locality Name (eg, city) [Bratislava]: Organization Name (eg, company) [My company Name]: Organizational Unit Name (eg, section) [MikroTik OVPN]: Common Name (eg, your name or your server's hostname) [changeme]:server.domain.tld Name [changeme]:server.domain.tld Email Address [myself@mydomain.tld]: $
I changed server name simply by typing it while tool was asking for it. Other variables are confirmed by hitting return.
Generate Diffie–Hellman
Note 1: This step is necessary only if you are running OpenVPN server also on Linux. If you are running only MikroTik OVPN and OpenVPN clients then you can skip this step.
Note 2: Without proper HW random generator this can take long time. Grab cup of coffee or try to generate some entropy on your machine while DH is genererated.
(output reduced)
$ ./build-dh Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ............................... $
Generate server certificate
It is important that all certificates under one CA chain have unique Name/Common Name. I need client and server certificate for one machine so I will generate certificates using FQDN for servers and using hostname for clients. This will also help to simply identify type of certificate without tools.
$ ./build-key-server server.domain.tld Generating a 2048 bit RSA private key ..................................................................................................+++ ..........+++ writing new private key to 'server.domain.tld.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [SK]: State or Province Name (full name) [SK]: Locality Name (eg, city) [Bratislava]: Organization Name (eg, company) [My company Name]: Organizational Unit Name (eg, section) [MikroTik OVPN]: Common Name (eg, your name or your server's hostname) [server.domain.tld]: Name [changeme]:server.domain.tld Email Address [myself@mydomain.tld]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /home/lukas/Desktop/a/ovpn/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'SK' stateOrProvinceName :PRINTABLE:'SK' localityName :PRINTABLE:'Bratislava' organizationName :PRINTABLE:'My company Name' organizationalUnitName:PRINTABLE:'MikroTik OVPN' commonName :PRINTABLE:'server.domain.tld' name :PRINTABLE:'server.domain.tld' emailAddress :IA5STRING:'myself@mydomain.tld' Certificate is to be certified until Oct 4 18:10:34 2023 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated $
Again Name/Common Name should be changed from "changeme" to something useful.
Note: Watch if database was successfully updated and certificate signed (last lines of output). It will prevent you from receiving strange errors later :o)
Generate client certificate
Client certificate is generated in same way as server:
$ ./build-key client Generating a 2048 bit RSA private key .............................................+++ .+++ writing new private key to 'client.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [SK]: State or Province Name (full name) [SK]: Locality Name (eg, city) [Bratislava]: Organization Name (eg, company) [My company Name]: Organizational Unit Name (eg, section) [MikroTik OVPN]: Common Name (eg, your name or your server's hostname) [client]: Name [changeme]:client Email Address [myself@mydomain.tld]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /home/lukas/Desktop/a/ovpn/openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'SK' stateOrProvinceName :PRINTABLE:'SK' localityName :PRINTABLE:'Bratislava' organizationName :PRINTABLE:'My company Name' organizationalUnitName:PRINTABLE:'MikroTik OVPN' commonName :PRINTABLE:'client' name :PRINTABLE:'client' emailAddress :IA5STRING:'myself@mydomain.tld' Certificate is to be certified until Oct 4 18:55:35 2023 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated $
Note: Watch if database was successfully updated and certificate signed (last lines of output). It will prevent you from receiving strange errors later :o)
Content of CA directory
ca.key - private CA Certificate key. Keep this file in safe ca.crt - CA Certificate key. server.domain.tld.crt server.domain.tld.key - public and private key for OVPN server client.crt client.key - public and private key for OVPN client dh2048.pem - Diffie–Hellman key for OpenVPN server on Linux
Note: "public" is only name of role. All files should be handled with care and keep in safe. To keep overall integrity of network it is good practice to follow these rules:
- ca.key is key used to generate all other keys. Protect it in most possible paranoid level. If necessary then store and access it on separate computer with no access to network of any kind
- protect ca.key with strong password and also all other keys if necessary
- upload only required keys to each device (e.g. don't upload all of them to each device)
For me my VPN network is important so I'll generate all keys in memory (in /dev/shm or other FS mounted as tmpfs). During this operation I'll disable swap and after I generate all required key's I'll destroy ca.key. Keys are small but there is still possibility that they will be swapped out by kernel. Trace of them can remain on system for some time if they was stored in swap even if keys are removed on OS level.
OVPN Common configuration
Time / Date
First of all don't try to synchronize time over VPN connection. Most of the MikroTik RouterBoard devices don't have RTC (real time clock) and rely on NTP. If you try to synchronize time over VPN then you end up with chicken / egg problem.
