Show pageOld revisionsBacklinksAdd to bookExport to PDFBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== Openvpn ====== ===== Certification Autorithy ===== Create certificate folder <code> apt-get install easy-rsa make-cadir /etc/easy-rsa-legnago cd /etc/easy-rsa-legnago </code> Edit vars and <code> source vars ./clean-all ./build-dh ./pkitool --initca </code> ==== server certificate ==== <code> NAME=legnago-gw ./pkitool --pass --server $NAME # create passphrase here openssl rsa -in keys/$NAME.key -out keys/$NAME.pem # give passphrase here chmod 600 keys/$NAME.pem </code> ==== client certificate ==== <code> NAME=nms ./pkitool --pass $NAME openssl rsa -in keys/$NAME.key -out keys/$NAME.pem </code> ===== Mikrotik server ===== Upload and import certificates <code> /certificate import file=server.crt import file=server.pem import file=ca.crt </code> <del>Simplier method</del> <code bash> openssl genrsa -des3 -out ca.key 4096 # specify dns name of mikrotik server in common name openssl req -new -x509 -days 3650 -key ca.key -out ca.crt # now import in mikrotik ca.crt and after ca.key </code> ip pool <code> /ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38 </code> profile and vpn user <code> /ppp profile add change-tcp-mss=default comment="" local-address=10.15.32.33 \ name="your_profile" only-one=default remote-address=ovpn-pool \ use-compression=default use-encryption=required use-vj-compression=default </code> define vpn user <code> /ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 \ limit-bytes-out=0 name="username" password="password" \ routes="" service=any </code> openvpn instance <code> /interface ovpn-server server set auth=sha1,md5 certificate=router_cert \ cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \ enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \ port=1194 require-client-certificate=no </code> ===== Linux client ===== <code> apt-get install openvpn </code> /etc/openvpn/client1.conf <code> dev tun proto tcp-client remote legnago.csgalileo.org 1194 ca /etc/easy-rsa-legnago/keys/ca.crt cert /etc/easy-rsa-legnago/keys/nms.crt key /etc/easy-rsa-legnago/keys/nms.pem tls-client port 1194 user nobody group nogroup #comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9) # More reliable detection when a system loses its connection. ping 15 ping-restart 45 ping-timer-rem persist-tun persist-key # Silence the output of replay warnings, which are a common false # alarm on WiFi networks. This option preserves the security of # the replay protection code without the verbosity associated with # warnings about duplicate packets. mute-replay-warnings # Verbosity level. # 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose verb 3 cipher AES-256-CBC auth SHA1 pull auth-user-pass auth.cfg script-security 2 up /etc/openvpn/up.sh </code> /etc/openvpn/up.sh (chmod +x) <code> #!/bin/sh ip route add 10.90.0.0/16 via 10.15.32.33 </code> /etc/openvpn/auth.cfg <code> username password </code> Start service with systemd <code> systemctl start openvpn@client1 systemctl enable openvpn@client1 </code> ===== Linux server ===== <file txt /etc/openvpn/server.conf> proto tcp dev tun ca /etc/easy-rsa/keys/ca.crt cert /etc/easy-rsa/keys/captive.crt key /etc/easy-rsa/keys/captive.pem dh /etc/easy-rsa/keys/dh2048.pem server 10.4.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt keepalive 10 120 cipher BF-CBC max-clients 100 client-config-dir ccd # It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # # You can uncomment this out on # non-Windows systems. user nobody group nogroup persist-key persist-tun # Output a short status file showing # current connections, truncated # and rewritten every minute. #status /var/log/openvpn/captive.stats log /var/log/openvpn/captive.log # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose #log openvpn.log #log-append openvpn.log verb 0 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. mute 20 #fragment 1300 mssfix 1300 #link-mtu 1503 #tun-mtu 1460 #client-connect /etc/openvpn/on-client-connect script-security 2 push "explicit-exit-notify" management localhost 7505 client-to-client </file> ===== Mikrotik client ===== Import certificates <code> import file-name=ca.crt import file-name=galileo.crt import file-name=galileo.pem </code> ===== LXD ===== To enable tun inside container <code> lxc config device add <NAME> tun unix-char path=/dev/net/tun </code> tips/vpn/openvpn.txt Last modified: 2018/06/14 17:54by scipio