Table of Contents

Openvpn

Certification Autorithy

Create certificate folder

apt-get install easy-rsa
make-cadir /etc/easy-rsa-legnago
cd /etc/easy-rsa-legnago

Edit vars and

source vars
./clean-all
./build-dh
./pkitool --initca

server certificate

NAME=legnago-gw
./pkitool --pass --server $NAME # create passphrase here
openssl rsa -in keys/$NAME.key -out keys/$NAME.pem # give passphrase here
chmod 600 keys/$NAME.pem

client certificate

NAME=nms
./pkitool --pass $NAME
openssl rsa -in keys/$NAME.key -out keys/$NAME.pem

Mikrotik server

Upload and import certificates

/certificate
import file=server.crt
import file=server.pem
import file=ca.crt

Simplier method

openssl genrsa -des3 -out ca.key 4096
 
# specify dns name of mikrotik server in common name
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
 
# now import in mikrotik ca.crt and after ca.key

ip pool

/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

profile and vpn user

/ppp profile 
add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default

define vpn user

/ppp secret 
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any

openvpn instance

/interface ovpn-server server 
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no

Linux client

apt-get install openvpn

/etc/openvpn/client1.conf

dev tun
proto tcp-client

remote legnago.csgalileo.org 1194 

ca  /etc/easy-rsa-legnago/keys/ca.crt
cert /etc/easy-rsa-legnago/keys/nms.crt
key  /etc/easy-rsa-legnago/keys/nms.pem

tls-client
port 1194 

user nobody
group nogroup

#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg 
script-security 2
up /etc/openvpn/up.sh

/etc/openvpn/up.sh (chmod +x)

#!/bin/sh

ip route add 10.90.0.0/16 via 10.15.32.33

/etc/openvpn/auth.cfg

username
password

Start service with systemd

systemctl start openvpn@client1
systemctl enable openvpn@client1

Linux server

/etc/openvpn/server.conf
proto tcp
dev tun
 
ca /etc/easy-rsa/keys/ca.crt
cert /etc/easy-rsa/keys/captive.crt
key /etc/easy-rsa/keys/captive.pem
dh /etc/easy-rsa/keys/dh2048.pem
 
server 10.4.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher BF-CBC
max-clients 100
client-config-dir ccd
 
# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nogroup
 
persist-key
persist-tun
 
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
#status /var/log/openvpn/captive.stats
log /var/log/openvpn/captive.log
 
 
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
#log         openvpn.log
#log-append  openvpn.log
verb 0
 
# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
mute 20
 
#fragment 1300
mssfix 1300
#link-mtu 1503
#tun-mtu 1460
 
 
#client-connect /etc/openvpn/on-client-connect
script-security 2
push "explicit-exit-notify"
 
management localhost 7505
 
client-to-client

Mikrotik client

Import certificates

import file-name=ca.crt
import file-name=galileo.crt
import file-name=galileo.pem

LXD

To enable tun inside container

lxc config device add <NAME> tun unix-char path=/dev/net/tun