Difference between revisions of "Manual:Interface/OVPN"

From MikroTik Wiki
Jump to: navigation, search
(Application Examples)
m (add port, missing descriptions and fix minor typos)
Line 48: Line 48:
 
|type=aes128 {{!}} aes192 {{!}} aes256 {{!}} blowfish128 {{!}} none
 
|type=aes128 {{!}} aes192 {{!}} aes256 {{!}} blowfish128 {{!}} none
 
|default=blowfish128
 
|default=blowfish128
|desc=Allowed cipher.
+
|desc=Allowed ciphers.
 
}}
 
}}
  
Line 156: Line 156:
 
<li>Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).  
 
<li>Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).  
 
</ul>
 
</ul>
Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rules for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration.  
+
Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rule for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration.  
  
  
Line 191: Line 191:
 
|type=aes128 {{!}} none
 
|type=aes128 {{!}} none
 
|default=aes128,blowfish128
 
|default=aes128,blowfish128
|desc=
+
|desc=Allowed ciphers.
 
}}
 
}}
  
Line 198: Line 198:
 
|type=name
 
|type=name
 
|default=default
 
|default=default
|desc=
+
|desc=Default profile to use.
 
}}
 
}}
  
Line 233: Line 233:
 
|type=ip {{!}} ethernet
 
|type=ip {{!}} ethernet
 
|default=ip
 
|default=ip
|desc=
+
|desc=Layer3 or layer2 tunnel mode (alternatively tun, tap)
 
}}
 
}}
  
Line 240: Line 240:
 
|type=integer
 
|type=integer
 
|default=24
 
|default=24
|desc=
+
|desc=Subnet mask to be applied to client.
 +
}}
 +
 
 +
{{Mr-arg-table
 +
|arg=port
 +
|type=integer
 +
|default=1194
 +
|desc=Port to run server on.
 
}}
 
}}
  
Line 253: Line 260:
  
 
<pre>
 
<pre>
[admin@bumba] /interface ovpn-server server> set enabled=yes  
+
[admin@bumba] /interface ovpn-server server set enabled=yes  
[admin@bumba] /interface ovpn-server server> set certificate=server  
+
[admin@bumba] /interface ovpn-server server set certificate=server  
[admin@bumba] /interface ovpn-server server> print  
+
[admin@bumba] /interface ovpn-server server print  
 
                     enabled: yes
 
                     enabled: yes
 
                         port: 1194
 
                         port: 1194
Line 272: Line 279:
  
 
{{Warning |  
 
{{Warning |  
It is very important that date on the router is in the range of certificate's date of expiration .  To overcome any certificate verification problems, enable <b>NTP</b> date synchronization on both server and client.}}
+
It is very important that the date on the router is within the range of the installed certificate's date of expiration.  To overcome any certificate verification problems, enable <b>NTP</b> date synchronization on both server and client.}}
  
 
==Monitoring==
 
==Monitoring==
Monitor command can be used to monitor status of the tunnel on both client and server.
+
Monitor command can be used to monitor the status of the tunnel on both client and server.
 
<pre>
 
<pre>
[admin@dzeltenais_burkaans] /interface ovpn-server> monitor 0
+
[admin@dzeltenais_burkaans] /interface ovpn-server monitor 0
 
     status: "connected"
 
     status: "connected"
 
     uptime: 17m47s
 
     uptime: 17m47s
Line 296: Line 303:
 
|arg=status
 
|arg=status
 
|type=
 
|type=
|desc=Current status. Value other than "connected" indicates that there are some problems estabising tunnel.
+
|desc=Current status. Value other than "connected" indicates that there are some problems establishing tunnel.
 
}}
 
}}
  
Line 326: Line 333:
 
|arg=caller-id
 
|arg=caller-id
 
|type=IP:ID
 
|type=IP:ID
|desc=
+
|desc=Source IP and Port of client.
 
}}
 
}}
  

Revision as of 19:48, 25 December 2013

Version.png

Applies to RouterOS: v5+


Summary

Standards:
Package: ppp


Icon-note.png

Note: RouterOS supports only TCP mode. LZO compression is not supported and username/password authentication is required


OVPN Client

Sub-menu: /interface ovpn-client

Properties

Property Description
add-default-route (yes | no; Default: no) Whether to add OVPN remote address as a default route.
auth (md5 | none | sha1; Default: sha1) Allowed authentication methods.
certificate (string | none; Default: none) Name of the client certificate imported into certificate list.
cipher (aes128 | aes192 | aes256 | blowfish128 | none; Default: blowfish128) Allowed ciphers.
comment (string; Default: ) Descriptive name of an item
connect-to (IP; Default: 0.0.0.0) Remote address of the OVPN server.
disabled (yes | no; Default: yes) Whether interface is disabled or not. By default it is disabled.
mac-address (MAC; Default: ) Mac address of OVPN interface. Will be auto generated if not specified.
max-mtu (integer; Default: 1500) Maximum Transmission Unit. Max packet size that OVPN interface will be able to send without packet fragmentation.
mode (ip | ethernet; Default: ip) Layer3 or layer2 tunnel mode (alternatively tun, tap)
name (string; Default: ) Descriptive name of the interface.
password (string; Default: "") Password used for authentication.
port (integer; Default: 1194) Port to connect to.
profile (name; Default: default) Used PPP profile.
user (string; Default: ) User name used for authentication.


Quick example

This example demonstrates how to set up OVPN client with username "test", password "123" and server 10.1.101.1


[admin@bumba] /interface ovpn-client> add connect-to=10.1.101.1 user=test password=123 disabled=no 
[admin@bumba] /interface ovpn-client> print 
Flags: X - disabled, R - running 
 0    name="ovpn-out1" mac-address=FE:7B:9C:F9:59:D0 max-mtu=1500 connect-to=10.1.101.1 
      port=1194 mode=ip user="test" password="123" profile=default certificate=none auth=sha1 
      cipher=blowfish128 add-default-route=no 

OVPN Server

Sub-menu: /interface ovpn-server


This sub-menu shows interfaces for each connected OVPN clients.

An interface is created for each tunnel established to the given server. There are two types of interfaces in OVPN server's configuration

  • Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
  • Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).

Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rule for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration.


Icon-note.png

Note: in both cases PPP users must be configured properly - static entries do not replace PPP configuration.



Server configuration

Sub-menu: /interface ovpn-server server


Properties:

Property Description
auth (; Default: sha1,md5) Authentication methods that server will accept.
certificate (name | none; Default: none) Name of the certificate that OVPN server will use.
cipher (aes128 | none; Default: aes128,blowfish128) Allowed ciphers.
default-profile (name; Default: default) Default profile to use.
enabled (yes | no; Default: no) Defines whether OVPN server is enabled or not.
keepalive-timeout (integer | disabled; Default: 60) Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If no traffic and no keepalive responses has came for that period of time (i.e. 2 * keepalive-timeout), not responding client is proclaimed disconnected
mac-address (MAC; Default: ) Auto Generated MAC address of the server.
max-mtu (integer; Default: 1500) Maximum Transmission Unit. Max packet size that OVPN interface will be able to send without packet fragmentation.
mode (ip | ethernet; Default: ip) Layer3 or layer2 tunnel mode (alternatively tun, tap)
netmask (integer; Default: 24) Subnet mask to be applied to client.
port (integer; Default: 1194) Port to run server on.
require-client-certificate (yes | no; Default: no) If set to yes, then server checks whether client's certificate belongs to the same certificate chain.


[admin@bumba] /interface ovpn-server server set enabled=yes 
[admin@bumba] /interface ovpn-server server set certificate=server 
[admin@bumba] /interface ovpn-server server print 
                     enabled: yes
                        port: 1194
                        mode: ip
                     netmask: 24
                 mac-address: FE:A5:57:72:9D:EC
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: default
                 certificate: server
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128

Icon-warn.png

Warning: It is very important that the date on the router is within the range of the installed certificate's date of expiration. To overcome any certificate verification problems, enable NTP date synchronization on both server and client.


Monitoring

Monitor command can be used to monitor the status of the tunnel on both client and server.

[admin@dzeltenais_burkaans] /interface ovpn-server monitor 0
     status: "connected"
     uptime: 17m47s
  idle-time: 17m47s
       user: "test"
  caller-id: "10.1.101.18:43886"
        mtu: 1500

Read-only properties

Property Description
status () Current status. Value other than "connected" indicates that there are some problems establishing tunnel.
uptime (time) Elapsed time since tunnel was established.
idle-time (time) Elapsed time since last activity on the tunnel.
user (string) Username used to establish the tunnel.
mtu (integer) Negotiated and used MTU
caller-id (IP:ID) Source IP and Port of client.

Application Examples



[ Top | Back to Content ]