OpenVPN: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
(No difference)
|
Revision as of 11:40, 31 October 2007
Server configuration
RouterOS as server
Define a profile:
/ppp profile add change-tcp-mss=default comment="" local-address=192.168.0.4 \ name="your_profile" only-one=default remote-address=192.168.0.5 \ use-compression=default use-encryption=required use-vj-compression=default
Add a user:
/ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 \ limit-bytes-out=0 name="username" password="password" \ routes="" service=any
OpenVPN server configuration:
/interface ovpn-server server set auth=sha1,md5 certificate=router_cert \ cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \ enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=32 \ port=1194 require-client-certificate=yes
Add an OpenVPN server instance:
/interface ovpn-server add comment="" disabled=no name="ovpn-client.example.com" user="username"
Firewall settings:
/ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
Client configuration
RouterOS as client
/interface ovpn-client add add-default-route=no auth=sha1 certificate=cert1 cipher=aes256 comment="" connect-to=openvpn.example.com disabled=no \ max-mtu=1500 mode=ip name="ovpn-out1" password="password" port=1194 profile=default-encryption user="username"
Linux as client
This is a working client.conf file for the Linux OpenVPN client. The certificates are signed by CAcert.org.
dev tun0 proto tcp-client remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address ca rootCA.cert cert client.cert key client.key tls-client tls-remote openvpn.example.com # FQDN, the same as in the certificate port 1194 # necessary? user nobody group nogroup #comp-lzo # Do not use compression. It doesn't work with RouterOS (tested with 3.0rc9) # More reliable detection when a system loses its connection. ping 15 ping-restart 45 ping-timer-rem persist-tun persist-key # Silence the output of replay warnings, which are a common false # alarm on WiFi networks. This option preserves the security of # the replay protection code without the verbosity associated with # warnings about duplicate packets. mute-replay-warnings # Verbosity level. # 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose verb 3 cipher AES-256-CBC auth SHA1 pull auth-user-pass auth.conf
The file auth.conf holds your username/password combination. On the first line must be the username and on the second line your password.
username password