====== Openvpn ======


===== Certification Autorithy =====

Create certificate folder 
<code>
apt-get install easy-rsa
make-cadir /etc/easy-rsa-legnago
cd /etc/easy-rsa-legnago
</code>

Edit vars and
<code>
source vars
./clean-all
./build-dh
./pkitool --initca
</code>

==== server certificate ====

<code>
NAME=legnago-gw
./pkitool --pass --server $NAME # create passphrase here
openssl rsa -in keys/$NAME.key -out keys/$NAME.pem # give passphrase here
chmod 600 keys/$NAME.pem
</code>

==== client certificate ====

<code>
NAME=nms
./pkitool --pass $NAME
openssl rsa -in keys/$NAME.key -out keys/$NAME.pem
</code>

===== Mikrotik server =====

Upload and import certificates
<code>
/certificate
import file=server.crt
import file=server.pem
import file=ca.crt
</code>

<del>Simplier method</del>
<code bash>
openssl genrsa -des3 -out ca.key 4096

# specify dns name of mikrotik server in common name
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

# now import in mikrotik ca.crt and after ca.key
</code>

ip pool
<code>
/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38
</code>

profile and vpn user
<code>
/ppp profile 
add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
</code>

define vpn user
<code>
/ppp secret 
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any
</code>

openvpn instance
<code>
/interface ovpn-server server 
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no
</code>

===== Linux client =====

<code>
apt-get install openvpn
</code>

/etc/openvpn/client1.conf
<code>
dev tun
proto tcp-client

remote legnago.csgalileo.org 1194 

ca  /etc/easy-rsa-legnago/keys/ca.crt
cert /etc/easy-rsa-legnago/keys/nms.crt
key  /etc/easy-rsa-legnago/keys/nms.pem

tls-client
port 1194 

user nobody
group nogroup

#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg 
script-security 2
up /etc/openvpn/up.sh
</code>

/etc/openvpn/up.sh (chmod +x)
<code>
#!/bin/sh

ip route add 10.90.0.0/16 via 10.15.32.33
</code>

/etc/openvpn/auth.cfg
<code>
username
password
</code>

Start service with systemd
<code>
systemctl start openvpn@client1
systemctl enable openvpn@client1
</code>

===== Linux server =====

<file txt /etc/openvpn/server.conf>
proto tcp
dev tun

ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/captive.crt
key /etc/easy-rsa/keys/captive.pem
dh /etc/easy-rsa/keys/dh2048.pem

server 10.4.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher BF-CBC
max-clients 100
client-config-dir ccd

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup

persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
#status /var/log/openvpn/captive.stats
log /var/log/openvpn/captive.log


# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
#log         openvpn.log
#log-append  openvpn.log
verb 0

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20

#fragment 1300
mssfix 1300
#link-mtu 1503
#tun-mtu 1460


#client-connect /etc/openvpn/on-client-connect
script-security 2
push "explicit-exit-notify"

management localhost 7505

client-to-client

</file>

===== Mikrotik client =====

Import certificates
<code>
import file-name=ca.crt
import file-name=galileo.crt
import file-name=galileo.pem
</code>


===== LXD =====

To enable tun inside container
<code>
lxc config device add <NAME> tun unix-char path=/dev/net/tun
</code>