Prepared By
Rodrigo Anrrango
Network Specialist and Consultant
https://SmartISP.us/install
https://SmartISP.us/
Introduction
The goal of this project is to configure an Ubuntu OpenVPN server and a Mikrotik OpenVPN client.
Network Topology
In this project we are using the following topology:
Devices
OpenVPN Server
A VPS server with Ubuntu 16.04.4 LTS.
Mikrotik
A Mikrotik RB951Ui-2HnD router as OpenVPN client.
Server Configurations
Run the following commands as root:
apt-get update
apt-get install openvpn easy-rsa
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Step 3: Configure the CA Variables
nano vars
export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York City"
export KEY_ORG="DigitalOcean"
export KEY_EMAIL="admin@example.com"
export KEY_OU="Community"
export KEY_NAME="server"
cd ~/openvpn-ca
source vars
./clean-all
./build-ca
./build-key-server server
Accept the default values by pressing ENTER. Do not enter a challenge password for this setup. Towards
the end, you will have to enter y to two questions to sign and commit the certificate.
./build-dh
openvpn --genkey --secret keys/ta.key
cd ~/openvpn-ca
source vars
./build-key client1
cd ~/openvpn-ca/keys
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
nano /etc/openvpn/server.conf
cipher AES-128-CBC
nano /etc/sysctl.conf
Allow IP Forwarding:
net.ipv4.ip_forward=1
sysctl -p
nano /etc/ufw/before.rules
Add the part in red (replace eth0 with your actual interface):
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
nano /etc/default/ufw
Change the value from DROP to ACCEPT:
DEFAULT_FORWARD_POLICY="ACCEPT"
mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf ~/client-configs/base.conf
nano ~/client-configs/base.conf
Find the directives that set the ca, cert, and key. Comment out these directives:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
cipher AES-128-CBC
;comp-lzo
nano ~/client-configs/make_config.sh
#!/bin/bash
# Builds a single-file client profile: the base config followed by the CA
# certificate, the client certificate and key, and the tls-auth key, each
# wrapped in its inline tag. Usage: ./make_config.sh <client-name>
KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf
cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn
cd ~/client-configs
./make_config.sh client1
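Before a generated profile leaves the server, it is worth checking that it actually matches what was configured above: all four inline blocks present and holding PEM data, the file-based ca/cert/key directives commented out, the cipher equal to the server's AES-128-CBC, and comp-lzo still disabled. The checker below is an added example, not part of the original guide; the sample profile it parses is constructed inline with placeholder PEM bodies.

```python
# Constructed sample in the layout make_config.sh produces; PEM bodies are placeholders.
def _pem(label):
    return f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----"

SAMPLE_GOOD = "\n".join([
    "client", "dev tun", "proto udp", "remote vpn.example.com 1194",
    "#ca ca.crt", "#cert client.crt", "#key client.key",
    "cipher AES-128-CBC", ";comp-lzo",
    "<ca>", _pem("CERTIFICATE"), "</ca>",
    "<cert>", _pem("CERTIFICATE"), "</cert>",
    "<key>", _pem("PRIVATE KEY"), "</key>",
    "<tls-auth>", _pem("OpenVPN Static key V1"), "</tls-auth>",
])

EXPECTED_CIPHER = "AES-128-CBC"  # the cipher set in server.conf above
INLINE_BLOCKS = ("ca", "cert", "key", "tls-auth")

def check_profile(text):
    """Return findings for an inline .ovpn profile; an empty list means it is consistent."""
    findings, active, blocks, current = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current:  # inside <name>...</name>: collect PEM lines until the closing tag
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
            continue
        if line.startswith("<") and line.endswith(">"):
            current = line[1:-1]
            blocks.setdefault(current, [])
            continue
        if not line or line[0] in "#;":  # blank or commented-out directive
            continue
        key, _, value = line.partition(" ")  # active directive and its argument
        active.setdefault(key, []).append(value.strip())
    if current:
        findings.append(f"{current}: inline block is never closed")
    for name in INLINE_BLOCKS:
        body = "\n".join(blocks.get(name, []))
        if "-----BEGIN" not in body or "-----END" not in body:
            findings.append(f"{name}: missing inline PEM block")
        if name != "tls-auth" and name in active:  # file directive conflicts with inline data
            findings.append(f"{name}: file directive still active; comment it out")
    cipher = active.get("cipher", ["(none)"])[0]
    if cipher != EXPECTED_CIPHER:
        findings.append(f"cipher: expected {EXPECTED_CIPHER}, found {cipher}")
    if "comp-lzo" in active:
        findings.append("comp-lzo: should stay commented out (';comp-lzo')")
    return findings
```

Run it over `~/client-configs/files/client1.ovpn` by reading the file and passing its text to `check_profile`; any non-empty result points at a line to fix in base.conf or in the key directory before the profile is copied to the router.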
Mikrotik Configurations
Step 1: Copy Certificates and Keys
Go to the openvpn-ca/keys directory on the OpenVPN server and download these three files to your local computer:
Open the Mikrotik router using Winbox and drag and drop these files:
Go to PPP -> Profiles and create a new profile. Give it a name of your choice. Go to Protocols and disable MPLS and IPv6. The “Use Encryption” option should be set to “required”. Go to the Limits tab and set Only One to “yes”. Save this profile.
Go to PPP -> Interface and add a new “OVPN Client” interface. Give it a name of your choice. Go to the “Dial Out” tab and set the following properties:
The username and password can be anything; however, they are mandatory and cannot be blank. If everything went well, your VPN should now be connected.
nano /etc/openvpn/server.conf
Uncomment the client-config-dir directive:
;client-config-dir ccd
client-config-dir ccd
mkdir /etc/openvpn/ccd
touch /etc/openvpn/ccd/client1
nano /etc/openvpn/ccd/client1
The routing table will now have a routing entry for 172.20.30.0/24:
Troubleshooting:
To troubleshoot, go to the OpenVPN server and run the following command to see the syslog entries related to OpenVPN:
tailf /var/log/syslog | grep vpn
Any errors encountered during connection will be displayed here.
Useful Links:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-04
https://github.com/missinglink/mikrotik-openvpn-client
https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/
https://www.smartisp.us/vpn/