tips:vpn:openvpn

Book Creator
 Add this page to your book
Book Creator
 Remove this page from your book  

 Manage book(0 page(s))
 Help

This is an old revision of the document!

Openvpn

Certification Autorithy

Create certificate folder 

apt-get install easy-rsa
make-cadir /etc/easy-rsa-legnago
cd /etc/easy-rsa-legnago

Edit vars and 

source vars
./clean-all
./build-dh
./pkitool --initca

server certificate

NAME=legnago-gw
./pkitool --pass --server $NAME # create passphrase here
openssl rsa -in keys/$NAME.key -out keys/$NAME.pem # give passphrase here
chmod 600 keys/$NAME.pem

client certificate

NAME=nms
./pkitool --pass $NAME
openssl rsa -in keys/$NAME.key -out keys/$NAME.pem

Mikrotik server

Upload and import certificates 

/certificate
import file=server.crt
import file=server.pem
import file=ca.crt

ip pool 

/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

profile and vpn user 

/ppp profile 
add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default

define vpn user 

/ppp secret 
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any

openvpn instance 

/interface ovpn-server server 
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no

Linux client

apt-get install openvpn

/etc/openvpn/client1.conf 

dev tun
proto tcp-client

remote legnago.csgalileo.org 1194 

ca  /etc/easy-rsa-legnago/keys/ca.crt
cert /etc/easy-rsa-legnago/keys/nms.crt
key  /etc/easy-rsa-legnago/keys/nms.pem

tls-client
port 1194 

user nobody
group nogroup

#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg 
script-security 2
up /etc/openvpn/up.sh

/etc/openvpn/up.sh (chmod +x) 

#!/bin/sh

ip route add 10.90.0.0/16 via 10.15.32.33

/etc/openvpn/auth.cfg 

username
password

Start service with systemd 

systemctl start openvpn@client1

Linux server

/etc/openvpn/server.conf
 

LXD

To enable tun inside container 

lxc config device add <NAME> tun unix-char path=/dev/net/tun
  • tips/vpn/openvpn.1476714452.txt.gz
  • Last modified: 2016/10/17 16:27
  • by scipio