MikroTik: OpenVPN

From Luky-Wiki
Revision as of 20:26, 6 October 2013 by Lukas Dzunko (talk | contribs) (Created page with "'''Attention: this page is work in progress.''' I am using OVPN client / server on MikroTik to connect several network/location. This document describe my findings and my way...")


Attention: this page is work in progress.

I am using OVPN client/server on MikroTik to connect several networks/locations. This document describes my findings and my way of configuration.

While I was designing my network I found the following limitations (features?) of the OVPN implementation:

  • It is not possible to create a connection without the CA imported into each MikroTik. If "require-client-certificate" is set, then valid certificates with a chain to that CA are also required for both client and server.
  • It is not possible to create a "password-less" connection. Each connection is authorized by certificate, username and password.
  • Only TCP is supported by MikroTik (v6.4) as the base channel for OVPN.
  • Prior to version 6.4 it was not possible to specify the server by FQDN; only an IP address was supported in previous firmware versions.
  • The client address must be managed and assigned by the OVPN server (i.e. it is not possible to set the IP on server and client outside of the OVPN configuration).

Steps to successfully create OVPN connection:

Generate valid certificates

1.1 Installation

I am using easy-rsa to generate certificates. If you are using Gentoo, install this tool with the following command:

emerge easy-rsa

Ubuntu users can use

apt-get install easy-rsa


1.2 Prepare CA dir

Ubuntu contains an additional command to help with the initial setup.

make-cadir ovpn

On other Linux systems, find the location of the easy-rsa installation and copy it to your working directory.

1.2 "vars" for certificates

Before certificates can be generated it is necessary to customize the "vars" file inside the new CA directory ("ovpn" in this example).

I prefer strict security so I changed the key size from 1024 to 2048:

export KEY_SIZE=2048

There are details about certificates at the end of the "vars" file. You must modify them to reflect your settings, for example like this:

export KEY_COUNTRY="SK"
export KEY_PROVINCE="SK"
export KEY_CITY="Bratislava"
export KEY_ORG="My company name"
export KEY_OU="MikroTik OVPN"
export KEY_CN="changeme"
export KEY_NAME="changeme"
export KEY_EMAIL="myself@mydomain.tld"

CN and NAME will be different for each certificate, so I left them as "changeme". Easy-rsa will ask you to confirm each KEY_* variable during certificate generation, so it is possible to change both values for each key.

1.3 CA dir cleanup

Even when you are creating certificates for the first time it is good practice to call the cleanup command. Later, if you recreate certificates from scratch, this will ensure that you are working in a clean CA directory.

$ cd ovpn
$ . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /.../.../ovpn
$ ./clean-all
$

1.4 Generate CA certificate

Note: if you removed some variables from the "vars" configuration file, the command ". ./vars" will not modify them and the variables will still be present in the shell environment (sourcing the file only sets what the file still contains). TODO: explain this better somehow
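The stale-variable problem described in the note above can be checked mechanically. The script below is an added example, not part of this wiki page and not part of easy-rsa: it lists the KEY_* variables that are exported in the current shell but no longer appear in a given "vars" file. The function names (vars_in_file, stale_key_vars, demo_stale_vars) and the sample vars file it writes are my own constructions; only the "export KEY_...=..." line format comes from easy-rsa's vars file.

```shell
#!/bin/sh
# Added example (not from the wiki page or easy-rsa): find KEY_* variables
# that are still exported in this shell but are no longer defined in a
# "vars" file. ". ./vars" only (re)exports what the file contains, so a
# variable deleted from the file keeps its old value until it is unset.

# Print the KEY_* names exported by a vars file, one per line, sorted.
# Matches lines such as:  export KEY_SIZE=2048
vars_in_file() {
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}\(KEY_[A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# Print KEY_* names present in the environment but absent from the vars file.
stale_key_vars() {
    file_vars=$(vars_in_file "$1")
    env | sed -n 's/^\(KEY_[A-Za-z0-9_]*\)=.*/\1/p' | sort -u | while read -r name; do
        case " $(printf '%s ' $file_vars)" in
            *" $name "*) ;;                 # still defined in the file: fine
            *) printf '%s\n' "$name" ;;     # left over from an earlier ". ./vars"
        esac
    done
}

# Constructed demo: the vars file now defines only KEY_SIZE and KEY_COUNTRY,
# while the shell still carries KEY_CITY from an earlier sourcing.
# Prints: KEY_CITY
demo_stale_vars() {
    f="${TMPDIR:-/tmp}/vars.demo.$$"
    printf 'export KEY_SIZE=2048\nexport KEY_COUNTRY="SK"\n' > "$f"
    ( export KEY_SIZE=2048 KEY_COUNTRY=SK KEY_CITY=Bratislava; stale_key_vars "$f" )
    rm -f "$f"
}
```

Run `stale_key_vars ./vars` after editing the file; anything it prints should be cleared with `unset NAME` (or by starting a fresh shell) before calling build-ca, otherwise the old value still shows up as a default in the certificate request.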

$ ./build-ca
Generating a 2048 bit RSA private key
...........+++
.............+++
writing new private key to 'ca.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [SK]:
State or Province Name (full name) [SK]:
Locality Name (eg, city) [Bratislava]:
Organization Name (eg, company) [My company Name]:
Organizational Unit Name (eg, section) [MikroTik OVPN]:
Common Name (eg, your name or your server's hostname) [changeme]:server.domain.tld
Name [changeme]:server.domain.tld
Email Address [myself@mydomain.tld]:
$

1.5 Generate Diffie-Hellman parameters (only if you are also using OpenVPN on Linux; for the client it is not necessary)

(dots reduced)

$ ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................
$

1.6 Generate server certificate

It is important that all certificates under one CA chain have a unique Name/Common Name. I need client and server certificates for one machine, so I will generate certificates using the FQDN for servers and the hostname for clients. This also helps to identify the type of certificate at a glance, without tools.

$ ./build-key-server server.domain.tld
Generating a 2048 bit RSA private key
..................................................................................................+++
..........+++
writing new private key to 'server.domain.tld.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [SK]:
State or Province Name (full name) [SK]:
Locality Name (eg, city) [Bratislava]:
Organization Name (eg, company) [My company Name]:
Organizational Unit Name (eg, section) [MikroTik OVPN]:
Common Name (eg, your name or your server's hostname) [server.domain.tld]:
Name [changeme]:server.domain.tld
Email Address [myself@mydomain.tld]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/lukas/Desktop/a/ovpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SK'
stateOrProvinceName   :PRINTABLE:'SK'
localityName          :PRINTABLE:'Bratislava'
organizationName      :PRINTABLE:'My company Name'
organizationalUnitName:PRINTABLE:'MikroTik OVPN'
commonName            :PRINTABLE:'server.domain.tld'
name                  :PRINTABLE:'server.domain.tld'
emailAddress          :IA5STRING:'myself@mydomain.tld'
Certificate is to be certified until Oct 4 18:10:34 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$

1.7 Client certificate

1.8 Keys

$ ls -1 keys/
01.pem
02.pem
ca.crt
ca.key
client1.crt
client1.csr
client1.key
dh2048.pem
index.txt
index.txt.attr
index.txt.attr.old
index.txt.old
serial
serial.old
server.domain.tld.crt
server.domain.tld.csr
server.domain.tld.key
$
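Sections 1.6 and 1.8 touch the same point: easy-rsa records every certificate it signs in keys/index.txt (the OpenSSL CA database), and OpenSSL refuses to sign a second request whose subject is already listed there unless unique_subject = no is configured. The script below is an added example, not from this page and not part of easy-rsa; it reads that database, lists the valid certificates, and reports any Common Name used by more than one valid entry, so a clash can be spotted before a build-key run fails. The function names and the sample index.txt lines are my own constructions; the column layout (status, expiry, revocation date, serial, filename, subject) is OpenSSL's.

```shell
#!/bin/sh
# Added example (not from the wiki page or easy-rsa): inspect the OpenSSL CA
# database that easy-rsa keeps in keys/index.txt and report Common Names that
# appear on more than one valid certificate.
# index.txt is tab separated:
#   status  expiry  revocation-date  serial  filename  subject
# status: V = valid, R = revoked, E = expired; subject: /C=../O=../CN=../..

# Print "serial CN expiry" for every valid (status V) entry of an index.txt.
list_valid_certs() {
    awk -F'\t' '$1 == "V" {
        cn = "?"
        n = split($6, part, "/")
        for (i = 1; i <= n; i++) if (part[i] ~ /^CN=/) cn = substr(part[i], 4)
        print $4, cn, $2
    }' "$1"
}

# Print each CN used by more than one valid certificate (prints nothing if all
# valid CNs are unique). Revoked and expired entries are ignored.
duplicate_cns() {
    list_valid_certs "$1" \
        | awk '{ count[$2]++ } END { for (c in count) if (count[c] > 1) print c }' \
        | sort
}

# Constructed sample database: server cert, client1, a revoked client2, and a
# second valid client1 that must be reported.
write_sample_index() {
    printf 'V\t231004181034Z\t\t01\tunknown\t/C=SK/ST=SK/L=Bratislava/O=My company Name/OU=MikroTik OVPN/CN=server.domain.tld/name=server.domain.tld/emailAddress=myself@mydomain.tld\n' > "$1"
    printf 'V\t231004181500Z\t\t02\tunknown\t/C=SK/ST=SK/L=Bratislava/O=My company Name/OU=MikroTik OVPN/CN=client1/name=client1/emailAddress=myself@mydomain.tld\n' >> "$1"
    printf 'R\t231004182000Z\t131006200000Z\t03\tunknown\t/C=SK/ST=SK/L=Bratislava/O=My company Name/OU=MikroTik OVPN/CN=client2/name=client2/emailAddress=myself@mydomain.tld\n' >> "$1"
    printf 'V\t231004182500Z\t\t04\tunknown\t/C=SK/ST=SK/L=Bratislava/O=My company Name/OU=MikroTik OVPN/CN=client1/name=client1/emailAddress=myself@mydomain.tld\n' >> "$1"
}

# Demo on the constructed database. Prints: client1
demo_duplicate_cns() {
    f="${TMPDIR:-/tmp}/index.demo.$$"
    write_sample_index "$f"
    duplicate_cns "$f"
    rm -f "$f"
}
```

Against a real CA directory, `list_valid_certs keys/index.txt` gives a quick inventory of what the CA has issued and when each certificate expires, and `duplicate_cns keys/index.txt` should print nothing if the naming scheme from 1.6 (FQDN for servers, hostname for clients) has been followed.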


1.9 Note on pkitool

This tool should help to run all the commands above, but for an unknown reason it was not working well for me. So I stay with the "old way", at least for now :o)

2. OVPN Server configuration

2.1 Import Certificates