OpenVPN Configuration Step by Step

OpenVPN Configuration Step by Step - MikroTik Wiki
1/6/15, 4:47 PM
OpenVPN Configuration Step by Step

From MikroTik Wiki
In this article i will talk about Open VPN , And How to Setup that as completly , such Basic Configuration , Certificate , OpenVPN
Configurations .
in many topics and Forums Users talk about OpenVPN and proximate 90% of their have problem to run and correct installations of
OpenVPN .
so , i decide to show you how you can do it correctly , Let's go !
What is OpenVPN ?
OpenVPN has been ported to various platforms, including Linux and Windows, and it's configuration is throughout likewise on each of these
systems, so it makes it easier to support and maintain.
Also, OpenVPN is one of the few VPN protocols that can make use of a proxy, which might be handy sometimes.
and You are able to use Various Port ( TCP Port ) for Your VPN Connections .
For More Information Click Here (http://wiki.mikrotik.com/wiki/OpenVPN)
Requirements :
RouterOS or Routerboard ( In This Article I have RB493AH , Version 6 RC 13 )
Public or Private IP Address or Valid Domain Name ( My Router 91.108.151.193 , Domain Name : Reza.IPExperts.Ir )
If you have a Domain Name same as this Article , you can Point all request for Certificate to your Domain , Unless you should use
your IP Address !
Public or Private Certificate for OpenVPN ( i will use CaCert (http://Cacerts.Org) Free Certificate )
PPP Package ( To Install Openvpn Service )
OpenVPN GUI for Windows ( if you OpenVPN Client is Windows User OpenVPN GUI (http://openvpn.se/) , in this Article Client is another
Routerboard )
Linux Operation System with Openssl Service
Basic Configuration :
Please Set IP Address and Default Route and other Basic Configurations in Your MikroTik ( DNS , NTP , etc. )
http://wiki.mikrotik.com/index.php?title=OpenVPN_Configuration_Step_by_Step&printable=yes
Page 1 of 35
1/6/15, 4:47 PM
ip address
add address=91.108.151.193/28 comment="Public IP" interface="WLAN 1 - Home" \
network=91.108.151.192
Add a Default Route
Page 2 of 35
1/6/15, 4:47 PM
ip route
add distance=1 gateway=91.108.151.194
Certificate :
OpenVPN use Certificate to setup Connections , So Open a New Terminal window and create a certificate request with your Information :
Page 3 of 35
1/6/15, 4:47 PM
certificate create-certificate-request
You will be asked a number of questions , Some of them are important , some of them is not .
select name for certificate request file.
it will be created after you finish entering all required information.
certificate request file name: certificate-request.pem
select name of private key file.
if such file does not exist, it will be created later.
Page 4 of 35
1/6/15, 4:47 PM
file name: private-key.pem

private key file already exists and will be overwritten if you continue.
please enter passphrase that will be used to encrypt generated private key file.
you must enter it twice to be sure you have not made any typing errors.
Page 5 of 35
1/6/15, 4:47 PM
passphrase: 123456 [IMPORTANT]

verify passphrase: 123456 [IMPORTANT]
enter number of bits for RSA key.
longer keys take more time to generate.
Page 6 of 35
1/6/15, 4:47 PM
rsa key bits: 2048 [Default]

now you will be asked to enter values that make up distinguished name of your certificate.
you can leave some of them empty.
CA may reject your certificate request if some of these values are incorrect or missing, so please check what are the requirements of your CA.
Page 7 of 35
1/6/15, 4:47 PM
enter two character country code.

country name: IR [NOT IMPORTANT]
Page 8 of 35
1/6/15, 4:47 PM
enter full name of state or province.

state or province name: Khuzestan [NOT IMPORTANT]
Page 9 of 35
1/6/15, 4:47 PM
enter locality (e.g. city) name

locality name: Ahvaz [NOT IMPORTANT]
Page 10 of 35
1/6/15, 4:47 PM
enter name of the organization

organization name: IPExperts [NOT IMPORTANT]
Page 11 of 35
1/6/15, 4:47 PM
enter organizational unit name

organization unit name: IT Department [NOT IMPORTANT]
Page 12 of 35
1/6/15, 4:47 PM
enter common name.

for ssl web servers this must be the fully qualified domain name (FQDN) of the server that will use this certificate (like
www.someverysecuresitename.com) .
this is checked by browsers.
common name: reza.ipexperts.ir [IMPORTANT] or common name : 91.108.151.193 [IMPORTANT]
Page 13 of 35
1/6/15, 4:47 PM
enter email address

email address: R.Moghadam@Hotmail.Com [NOT IMPORTANT]
Page 14 of 35
1/6/15, 4:47 PM
now you can enter challenge password.

it's use depends on your CA.
it may be used to revoke this certificate.
challenge password: 123456 [NOT IMPORTANT]
Page 15 of 35
1/6/15, 4:47 PM
you can enter unstructured address, if your CA accepts or requires it.

unstructured address: Reza Moghadam [NOT IMPORTANT]
Page 16 of 35
1/6/15, 4:47 PM
After a few seconds you will receive notification that the Certificate Request file was created:
Page 17 of 35
1/6/15, 4:47 PM
You can see Certificate-Request.pem and Private-key.pem is added in Files Menu
Page 18 of 35
1/6/15, 4:47 PM
CaCerts :
Please Drag and Drop Request Files Include ( Certificate-Request.pem and Private-Key.pem ) to your Desktop .
first open Certificate-Request.pem file with Wordpad , Copy All String Include Begin and Ends of Certificate Request , Then Login to your
Account in Cacert and Make a New Server Certificate .
Page 19 of 35
1/6/15, 4:47 PM
Paste your Certificate-Request.pem Strings to CSR Fields in Your Account ( New Server Certificate ) and Submit That .
Page 20 of 35
1/6/15, 4:47 PM
Domain is Accepted .
Page 21 of 35
1/6/15, 4:47 PM
Copy and Paste your Certificate Response from Cacert in a Wordpad and save that with .pem file ( In Here : certificate-response.pem )
Private Key :
We need a Private-Key as Key file , But Generated private keys will be in pkcs8 format, which is not supported in RouterOS.
To import such keys we should use Openssl Tool in Linux Distributes and make a Privat-Key File .
We can setup Openssl via these command :
apt-get install openssl
or
yum install openssl
Upload or Move Private-Key.pem file to That Linux OS with Openssl Service ( Bitvise SSH Client )
Page 22 of 35
1/6/15, 4:47 PM
make your Private-Key.key file via these command :
openssl rsa -in private-key.pem -text
copy and paste export String ( Include Begin and End ) to a New File ( Ex. Private-Key.Key )
Page 23 of 35
1/6/15, 4:47 PM
Import Certificate
Import Files ( Certificate-Response.pem , Private-Key.Key ) to Your MikroTik Files Menu .
First Import Certificate-Response.pem file with that Paraphrase
Page 24 of 35
1/6/15, 4:47 PM
Second Import Private-Key.Key file with that Paraphrase
Page 25 of 35
1/6/15, 4:47 PM
Once you have imported the private key, your certificate should get a "KR" written next to it K: Decrypted-Private-Key R: RSA
Now you will be able to use this key for OVPN.
Page 26 of 35
1/6/15, 4:47 PM
OpenVPN Server Configuration :

we should make a IP Pool for Openvpn clients .
Page 27 of 35
1/6/15, 4:47 PM
ip pool
add name=PPP ranges=1.1.1.1-1.1.1.100,1.1.1.150-1.1.1.200
Make a Profile for OpenVPN Service .
Page 28 of 35
1/6/15, 4:47 PM
Warning: screenshot shows incorrect local address, it should be 1.1.1.254 as per command below
ppp profile
set 0 dns-server=4.2.2.4,8.8.8.8
add dns-server=4.2.2.4,8.8.8.8 local-address=1.1.1.254 name=\
"OpenVPN Profile" remote-address=PPP
Make a Username & Passowrd for OpenVPN Client
Page 29 of 35
1/6/15, 4:47 PM
ppp secret
add name=1 password=1 profile="OpenVPN Profile"
Enable OpenVPN Service and Select Valid Certificate .
Page 30 of 35
1/6/15, 4:47 PM
interface ovpn-server server

set certificate=cert1 enabled=yes
NAT :
add a masquared firewall nat rule to share internet with OpenVPN Client .
Page 31 of 35
1/6/15, 4:47 PM
Page 32 of 35
1/6/15, 4:47 PM
ip firewall nat
add action=masquerade chain=srcnat src-address=1.1.1.0/24
OpenVPN Client :
Make a OpenVPN Client and Set Address of OpenVPN Server and Username & Password .
Page 33 of 35
1/6/15, 4:47 PM
interface ovpn-client
add auth=none cipher=none connect-to=reza.ipexperts.ir mac-address=\
02:FB:D1:D8:20:B7 name=ovpn-out1 password=1 user=1
Finally :
you can see OpenVPN Client is Connected and you will able to Ping it .
Page 34 of 35
1/6/15, 4:47 PM
Reza Moghadam
--MikroTik Certified Trainer 12:02, 4 April 2013 (UTC)
Retrieved from "http://wiki.mikrotik.com/index.php?title=OpenVPN_Configuration_Step_by_Step&oldid=26115"
This page was last modified on 26 February 2014, at 13:23.

This page has been accessed 165,932 times.
Page 35 of 35

OpenVPN Configuration Step by Step - MikroTik Wiki

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

OpenVPN Configuration Step by Step - MikroTik Wiki

Transféré par

Droits d'auteur :

Formats disponibles

OpenVPN Configuration Step by Step - MikroTik Wiki