Difference between revisions of "MikrotTik: OpenVPN"

From Luky-Wiki
Revision as of 16:49, 8 October 2013

Attention: this page is a work in progress.

I am using the OVPN client and server on MikroTik to connect several networks and locations. This document describes my findings and my way of configuring it.

While I was designing my network I found the following limitations (or features?) of the OVPN implementation:

  • It is not possible to create a connection without a CA imported into each MikroTik. If "require-client-certificate" is set, valid certificates chaining to that CA are also required for both client and server.
  • It is not possible to create a "password-less" connection. Each connection is authorized by certificate, username and password.
  • Only TCP is supported by MikroTik as the base channel for OVPN (v 6.4).
  • Prior to version 6.4 it was not possible to specify the server by FQDN; only an IP address was supported in previous firmware versions.
  • The client address must be managed and assigned by the OVPN server (i.e. it is not possible to set the IP on server and client outside of the OVPN configuration).

Steps to successfully create an OVPN connection:

Generate valid certificates

I used "valid" in the name of this section because I got wrongly generated certificates using "pkitool". I am not sure whether this was a failure of the tool or my own mistake, but right now I am using a different way to generate certificates. Maybe in the future I'll debug what was wrong with pkitool.

easy-rsa installation

Gentoo users:

emerge app-crypt/easy-rsa

Ubuntu users:

apt-get install easy-rsa

Other users: please look for easy-rsa in your distribution's package manager or download it from GitHub.

Prepare CA directory

Ubuntu has an additional command to create the CA directory. Select an empty directory and then use (I selected "ovpn"):

make-cadir ovpn

Gentoo users can use the following rsync command:

rsync -av /usr/share/easy-rsa/ ovpn/

On other Linux distributions, find the easy-rsa installation and copy it to the desired working directory.

Variables configuration (e.g. "vars")

Before certificates can be generated it is necessary to customize the "vars" file inside the new CA directory ("ovpn" in this example).

I prefer strict security, so I changed the key size from 1024 to 2048:

export KEY_SIZE=2048

Certificate details are at the end of the "vars" file. You must modify them to reflect your settings, for example like this:

export KEY_COUNTRY="SK"
export KEY_PROVINCE="SK"
export KEY_CITY="Bratislava"
export KEY_ORG="My company name"
export KEY_OU="MikroTik OVPN"
export KEY_CN="changeme"
export KEY_NAME="changeme"
export KEY_EMAIL="myself@mydomain.tld"

CN and NAME will be different for each certificate, so I left them as "changeme". Easy-rsa asks you to confirm each KEY_* variable during certificate generation, so both values can be changed for each certificate.

CA directory cleanup

Even when you are creating certificates for the first time it is good practice to call the cleanup command. Later, if you recreate certificates from scratch, this ensures that you are working in a clean CA directory. Inside the CA directory execute:

$ . ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /.../.../ovpn
$ ./clean-all 

Generate CA certificate

Note: If you set some variables in the "vars" file and later remove them from the file, you must also clear them from the shell environment. Do this by calling unset for each such variable or by opening a clean shell session.

$ ./build-ca 
Generating a 2048 bit RSA private key
...........+++
.............+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SK]:
State or Province Name (full name) [SK]:
Locality Name (eg, city) [Bratislava]:
Organization Name (eg, company) [My company Name]:
Organizational Unit Name (eg, section) [MikroTik OVPN]:
Common Name (eg, your name or your server's hostname) [changeme]:server.domain.tld
Name [changeme]:server.domain.tld
Email Address [myself@mydomain.tld]:
$ 

I changed the server name simply by typing it when the tool asked for it. The other variables are confirmed by hitting return.

Generate Diffie–Hellman

Note: This step is necessary only if you are also running an OpenVPN server on Linux. If you are running only MikroTik OVPN and OpenVPN clients then you can skip this step. Note: Without a proper hardware random number generator this can take a long time. Grab a cup of coffee or try to generate some entropy on your machine while the DH parameters are generated.

$ ./build-dh 
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...............................
$ 

(output reduced)

Generate server certificate

It is important that all certificates under one CA chain have a unique Name/Common Name. I need client and server certificates for one machine, so I will generate certificates using the FQDN for servers and the hostname for clients. This also makes it easy to identify the type of certificate without tools.

$ ./build-key-server server.domain.tld
Generating a 2048 bit RSA private key
..................................................................................................+++
..........+++
writing new private key to 'server.domain.tld.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SK]:
State or Province Name (full name) [SK]:
Locality Name (eg, city) [Bratislava]:
Organization Name (eg, company) [My company Name]:
Organizational Unit Name (eg, section) [MikroTik OVPN]:
Common Name (eg, your name or your server's hostname) [server.domain.tld]:
Name [changeme]:server.domain.tld
Email Address [myself@mydomain.tld]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/lukas/Desktop/a/ovpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SK'
stateOrProvinceName   :PRINTABLE:'SK'
localityName          :PRINTABLE:'Bratislava'
organizationName      :PRINTABLE:'My company Name'
organizationalUnitName:PRINTABLE:'MikroTik OVPN'
commonName            :PRINTABLE:'server.domain.tld'
name                  :PRINTABLE:'server.domain.tld'
emailAddress          :IA5STRING:'myself@mydomain.tld'
Certificate is to be certified until Oct  4 18:10:34 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ 

Again, Name/Common Name should be changed from "changeme" to something useful.

Generate client certificate

The client certificate is generated in the same way as the server one:

$ ./build-key client
Generating a 2048 bit RSA private key
.............................................+++
.+++
writing new private key to 'client.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SK]:
State or Province Name (full name) [SK]:
Locality Name (eg, city) [Bratislava]:
Organization Name (eg, company) [My company Name]:
Organizational Unit Name (eg, section) [MikroTik OVPN]:
Common Name (eg, your name or your server's hostname) [client]:
Name [changeme]:client
Email Address [myself@mydomain.tld]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /home/lukas/Desktop/a/ovpn/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SK'
stateOrProvinceName   :PRINTABLE:'SK'
localityName          :PRINTABLE:'Bratislava'
organizationName      :PRINTABLE:'My company Name'
organizationalUnitName:PRINTABLE:'MikroTik OVPN'
commonName            :PRINTABLE:'client'
name                  :PRINTABLE:'client'
emailAddress          :IA5STRING:'myself@mydomain.tld'
Certificate is to be certified until Oct  4 18:55:35 2023 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
$ 

Note: Check that the database was successfully updated and the certificate signed (last lines of output). This will save you from strange errors later :o)
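The procedure above, from "clean-all" through the server and client certificates, carried out non-interactively with plain openssl, as an added example (this is not code from the original page or from easy-rsa). It reuses the DN values from the "vars" example and the names server.domain.tld and client; the CA Common Name ca.domain.tld, the file name pki.cnf and the function names are assumptions of this example. After generating, it runs the checks that prevent the "strange errors" mentioned above: every certificate verifies against ca.crt, each .key matches its .crt, the server certificate carries the serverAuth and the client the clientAuth extended key usage, and no two certificates share a Common Name.

```shell
#!/bin/sh
# Added example (not from the original page or easy-rsa): build-ca,
# build-key-server and build-key done with plain openssl, then checked.
# DN values are the "vars" example; ca.domain.tld, pki.cnf and the
# function names are assumptions of this example.
set -eu

KEY_SIZE=2048
DN_BASE="/C=SK/ST=SK/L=Bratislava/O=My company name/OU=MikroTik OVPN"
EMAIL="myself@mydomain.tld"

# Minimal openssl config: a DN section (overridden by -subj) plus the
# extension sets that make CA, server and client certificates distinct.
write_config() {
  cat > "$1/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# "clean-all" + "build-ca": remove earlier artifacts, self-signed CA, 3650 days.
build_ca() {
  mkdir -p "$1" && rm -f "$1"/*.crt "$1"/*.key "$1"/*.csr "$1"/*.srl
  write_config "$1"
  openssl req -x509 -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 -days 3650 \
    -config "$1/pki.cnf" -extensions v3_ca \
    -subj "$DN_BASE/CN=ca.domain.tld/name=ca.domain.tld/emailAddress=$EMAIL" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# "build-key-server" / "build-key": CSR, then CA signature with the role's
# extensions. role is "server" or "client" and selects the extendedKeyUsage.
build_key() {
  dir=$1 name=$2 role=$3
  openssl req -new -newkey "rsa:$KEY_SIZE" -nodes -sha256 -config "$dir/pki.cnf" \
    -subj "$DN_BASE/CN=$name/name=$name/emailAddress=$EMAIL" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$dir/pki.cnf" \
    -extensions "v3_$role" -out "$dir/$name.crt" 2>/dev/null
  rm -f "$dir/$name.csr"
}

# Check 1: the leaf certificate must verify against ca.crt alone.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# Check 2: the public key inside the .key must equal the one in the .crt.
key_matches_cert() {
  k=$(openssl pkey -in "$1/$2" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1/$3" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: the role of a certificate, as the extendedKeyUsage text.
cert_eku() {
  openssl x509 -in "$1/$2.crt" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Check 4: number of Common Names shared by more than one .crt in the directory.
duplicate_cn_count() {
  for f in "$1"/*.crt; do
    openssl x509 -in "$f" -noout -subject -nameopt sep_multiline
  done | sed -n 's/^ *CN=//p' | sort | uniq -d | wc -l | tr -d ' '
}

# Full run: returns 0 only when every check passes; each failure is named.
build_all() {
  build_ca "$1"
  build_key "$1" server.domain.tld server
  build_key "$1" client client
  for n in server.domain.tld client; do
    verify_chain "$1" "$n" || { echo "$n.crt does not chain to ca.crt" >&2; return 1; }
    key_matches_cert "$1" "$n.key" "$n.crt" || { echo "$n.key does not match $n.crt" >&2; return 1; }
  done
  [ "$(cert_eku "$1" server.domain.tld)" = "TLS Web Server Authentication" ] || { echo "server EKU wrong" >&2; return 1; }
  [ "$(cert_eku "$1" client)" = "TLS Web Client Authentication" ] || { echo "client EKU wrong" >&2; return 1; }
  [ "$(duplicate_cn_count "$1")" -eq 0 ] || { echo "duplicate Common Names" >&2; return 1; }
}

# Usage: sh make-ovpn-pki.sh ovpn   (without an argument only the functions are defined)
if [ -n "${1-}" ]; then build_all "$1" && echo "PKI in $1 is consistent"; fi
```

The four check functions take a directory and file names only, so they can also be pointed at a directory produced by easy-rsa itself (wherever its ca.crt and the .crt/.key pairs end up) to confirm the chain, the key/certificate match and the role of each certificate before anything is uploaded to a MikroTik.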

Content of CA directory

ca.key - private key of the CA. Keep this file safe.

ca.crt - CA certificate (public part).

server.domain.tld.crt, server.domain.tld.key - public and private key for the OVPN server

client.crt, client.key - public and private key for the OVPN client

dh2048.pem - Diffie–Hellman parameters for an OpenVPN server on Linux

Note: "public" only names the role. All files should be handled with care and kept safe. To keep the overall integrity of the network it is good practice to follow these rules:

  • ca.key is the key used to sign all other certificates. Protect it at the most paranoid level possible. If necessary, store and access it on a separate computer with no network access of any kind.
  • Protect ca.key with a strong password, and the other keys too if necessary.
  • Upload only the required keys to each device (i.e. don't upload all of them to every device).

My VPN network is important to me, so I'll generate all keys in memory (in /dev/shm or another filesystem mounted as tmpfs). During this operation I'll disable swap, and after I have generated all required keys I'll destroy ca.key. There is a very low probability that the kernel will decide to swap the keys out if there is no other memory-consuming activity, but to be sure it is a good option to disable swap for the moment of key generation. Even with swap encryption enabled there is a possibility that the kernel swaps the keys out and traces of them remain accessible for a long time (until the exact address in swap is overwritten).
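A pre-flight check for the in-memory key generation practice described above, added here as an example (it is not code from the original page). It refuses to start unless the working directory is on tmpfs and no swap area is active, and it overwrites ca.key before deleting it once the other keys exist. /proc/swaps, stat -f and shred are Linux/GNU specifics assumed by this example, and the function names are its own; the decision itself is a pure function of the filesystem type and the swap count so it can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to generate keys
# unless the directory is on tmpfs and swap is off, then destroy ca.key.
# /proc/swaps, stat -f and shred are Linux/GNU assumptions of this example.
set -eu

# Filesystem type of the directory holding $1 (e.g. "tmpfs", "ext4").
fs_type_of() { stat -f -c %T "$1"; }

# Number of active swap areas listed in /proc/swaps (header line excluded).
active_swap_count() {
  if [ -r /proc/swaps ]; then
    tail -n +2 /proc/swaps | grep -c . || true
  else
    echo 0
  fi
}

# Decision as a pure function: $1 = filesystem type, $2 = active swap count.
# Returns 0 only when it is safe to generate keys here.
keygen_env_ok() {
  [ "$1" = tmpfs ] || { echo "working directory is on $1, not tmpfs" >&2; return 1; }
  [ "$2" -eq 0 ] || { echo "$2 swap area(s) active; run swapoff -a first" >&2; return 1; }
}

# Live check for a real directory.
check_keygen_dir() { keygen_env_ok "$(fs_type_of "$1")" "$(active_swap_count)"; }

# Overwrite ca.key in place before unlinking it. shred is preferred; the
# fallback overwrites the same number of bytes with /dev/urandom via dd.
destroy_ca_key() {
  key=$1/ca.key
  [ -f "$key" ] || { echo "no $key to destroy" >&2; return 1; }
  if command -v shred >/dev/null 2>&1; then
    shred -u -n 3 "$key"
  else
    size=$(wc -c < "$key" | tr -d ' ')
    dd if=/dev/urandom of="$key" bs=1 count="$size" conv=notrunc 2>/dev/null
    rm -f "$key"
  fi
  [ ! -e "$key" ]
}

# Usage: sh keygen-precheck.sh /dev/shm/ovpn   (no argument: only define the functions)
if [ -n "${1-}" ]; then
  mkdir -p "$1" && check_keygen_dir "$1" && echo "$1 is safe for key generation"
fi
```

Run the check before the easy-rsa steps (sh keygen-precheck.sh /dev/shm/ovpn), generate the certificates inside that directory, copy out the files each device needs, then call destroy_ca_key on the directory. The overwrite is a belt-and-braces step on tmpfs; the part that matters is the tmpfs/swap precondition, which keeps the key material from ever reaching a disk.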

OVPN Common configuration

OVPN Server configuration

OVPN Client configuration