OpenVPN: Difference between revisions

From MikroTik Wiki
==Server configuration==
===RouterOS as server===
Define a profile:
/ppp profile
add change-tcp-mss=default comment="" local-address=192.168.0.4 \
name="your_profile" only-one=default remote-address=192.168.0.5 \
use-compression=default use-encryption=required use-vj-compression=default
 
Add a user:
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any
 
OpenVPN server configuration:
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=32 \
port=1194 require-client-certificate=yes
 
Add a static OpenVPN server interface bound to the user:
/interface ovpn-server
add comment="" disabled=no name="ovpn-client.example.com" user="username"
 
Firewall settings:
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
 
==Client configuration==
===RouterOS as client===
/interface ovpn-client
add add-default-route=no auth=sha1 certificate=cert1 cipher=aes256 comment="" connect-to=openvpn.example.com disabled=no \
max-mtu=1500 mode=ip name="ovpn-out1" password="password" port=1194 profile=default-encryption user="username"
 
===Linux as client===
This is a working ''client.conf'' file for the Linux OpenVPN client. The certificates are signed by [http://CAcert.org CAcert.org].
dev tun0
proto tcp-client
remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address
ca  rootCA.cert
cert client.cert
key  client.key
tls-client
tls-remote openvpn.example.com # FQDN, the same as in the certificate
port 1194 # necessary?
user nobody
group nogroup
#comp-lzo # Do not use compression. It doesn't work with RouterOS (tested with 3.0rc9)
# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings
# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.conf
 
The file ''auth.conf'' holds your username/password combination: the first line must be the username and the second line the password.
username
password
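The server and client settings above have to agree on cipher, digest, transport and port, and compression must stay off. The following checker is an added example, not MikroTik or OpenVPN code: it parses a constructed copy of the page's `set` line and `client.conf` and reports mismatches; the OpenVPN-to-RouterOS name mapping is an assumption limited to the values shown on this page.

```python
import shlex
# Constructed copies of the page's values: the RouterOS 'set' line and the relevant client.conf options.
ROUTEROS_SERVER = ("set auth=sha1,md5 certificate=router_cert cipher=blowfish128,aes128,aes192,aes256 "
                   "default-profile=your_profile enabled=yes keepalive-timeout=disabled max-mtu=1500 "
                   "mode=ip netmask=32 port=1194 require-client-certificate=yes")
CLIENT_CONF = """proto tcp-client
remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address
#comp-lzo # Do not use compression. It doesn't work with RouterOS
cipher AES-256-CBC
auth SHA1
auth-user-pass auth.conf
"""
# OpenVPN names -> RouterOS keywords (assumed mapping, limited to the values shown on the page).
CIPHER_MAP = {"BF-CBC": "blowfish128", "AES-128-CBC": "aes128", "AES-192-CBC": "aes192", "AES-256-CBC": "aes256"}
AUTH_MAP = {"SHA1": "sha1", "MD5": "md5"}

def parse_routeros(line):
    """'set k=v ...' -> dict; the comma-separated auth/cipher lists become sets."""
    opts = {}
    for tok in shlex.split(line)[1:]:
        k, _, v = tok.partition("=")
        opts[k] = set(v.split(",")) if k in ("auth", "cipher") else v
    return opts

def parse_ovpn(text):
    """client.conf -> {option: [args]}, ignoring blank lines and '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts

def check(server_line, client_text):
    """Return the list of client/server mismatches; an empty list means the two agree."""
    s, c = parse_routeros(server_line), parse_ovpn(client_text)
    problems = []
    if CIPHER_MAP.get(c.get("cipher", ["?"])[0]) not in s["cipher"]:
        problems.append("cipher not offered by server: %s" % " ".join(c.get("cipher", ["?"])))
    if AUTH_MAP.get(c.get("auth", ["?"])[0]) not in s["auth"]:
        problems.append("auth digest not offered by server: %s" % " ".join(c.get("auth", ["?"])))
    if c.get("remote", [])[1:2] != [s["port"]]:
        problems.append("remote port does not match server port %s" % s["port"])
    if not c.get("proto", [""])[0].startswith("tcp"):  # the server on this page listens on TCP only
        problems.append("proto must be tcp-client for this server")
    if "comp-lzo" in c:  # the page notes compression does not work with RouterOS (tested with 3.0rc9)
        problems.append("comp-lzo enabled; disable compression for RouterOS")
    return problems
```

Because the server offers every algorithm in its `auth` and `cipher` lists, the client's own `cipher` and `auth` lines decide what is actually used, so the check is made from the client's side.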
 
[[Category:VPN]]

Revision as of 09:40, 31 October 2007