OpenVPN: Difference between revisions
==Server configuration==
===RouterOS as server===
Define a profile:
 /ppp profile
 add change-tcp-mss=default comment="" local-address=192.168.0.4 \
 name="your_profile" only-one=default remote-address=192.168.0.5 \
 use-compression=default use-encryption=required use-vj-compression=default
Add a user:
 /ppp secret
 add caller-id="" comment="" disabled=no limit-bytes-in=0 \
 limit-bytes-out=0 name="username" password="password" \
 routes="" service=any
OpenVPN server configuration:
 /interface ovpn-server server
 set auth=sha1,md5 certificate=router_cert \
 cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
 enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=32 \
 port=1194 require-client-certificate=yes
Add an OpenVPN server instance:
 /interface ovpn-server
 add comment="" disabled=no name="ovpn-client.example.com" user="username"
Firewall settings:
 /ip firewall filter
 add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
==Client configuration==
===RouterOS as client===
 /interface ovpn-client
 add add-default-route=no auth=sha1 certificate=cert1 cipher=aes256 comment="" connect-to=openvpn.example.com disabled=no \
 max-mtu=1500 mode=ip name="ovpn-out1" password="password" port=1194 profile=default-encryption user="username"
===Linux as client===
This is a working ''client.conf'' file for the Linux OpenVPN client. The certificates are signed by [http://CAcert.org CAcert.org].
 dev tun0
 proto tcp-client
 remote openvpn.example.com 1194 # Remote OpenVPN server name or IP address
 ca rootCA.cert
 cert client.cert
 key client.key
 tls-client
 tls-remote openvpn.example.com # FQDN, the same as in the certificate
 port 1194 # necessary?
 user nobody
 group nogroup
 #comp-lzo # Do not use compression. It doesn't work with RouterOS (tested with 3.0rc9)
 # More reliable detection when a system loses its connection.
 ping 15
 ping-restart 45
 ping-timer-rem
 persist-tun
 persist-key
 # Silence the output of replay warnings, which are a common false
 # alarm on WiFi networks. This option preserves the security of
 # the replay protection code without the verbosity associated with
 # warnings about duplicate packets.
 mute-replay-warnings
 # Verbosity level.
 # 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
 verb 3
 cipher AES-256-CBC
 auth SHA1
 pull
 auth-user-pass auth.conf
The file ''auth.conf'' holds your username/password combination. The first line must contain the username and the second line the password:
 username
 password
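The following Python script is an added example and is not part of this wiki page or of RouterOS: it parses a ''client.conf'' in the format shown above, flags the settings that later OpenVPN releases treat as obsolete or weak (''tls-remote'', which OpenVPN 2.4 removed in favour of ''verify-x509-name''; a missing ''remote-cert-tls server''; CBC ciphers and SHA1/MD5 HMACs), and checks that the ''auth.conf'' credentials file is readable only by its owner. The embedded sample configuration is constructed from the lines above; the option names are real OpenVPN options.

```python
import os
import stat

# Constructed sample (hypothetical): the security-relevant lines of this page's client.conf.
SAMPLE_CONF = """\
remote openvpn.example.com 1194 # Remote OpenVPN server name or IP address
tls-remote openvpn.example.com # FQDN, the same as in the certificate
cipher AES-256-CBC
auth SHA1
auth-user-pass auth.conf
"""

def parse_conf(text):
    """Return {option: [args]} for an OpenVPN config, skipping blanks and # comments."""
    opts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            opts[fields[0]] = fields[1:]
    return opts

def lint_conf(text):
    """Return (severity, message) findings for a client config, in a fixed order."""
    opts, findings = parse_conf(text), []
    if "tls-remote" in opts:   # removed in OpenVPN 2.4; verify-x509-name replaces it
        findings.append(("warn", f"tls-remote removed in OpenVPN 2.4; use: verify-x509-name {opts['tls-remote'][0]} name"))
    elif "verify-x509-name" not in opts:
        findings.append(("warn", "no server name check: any certificate issued by the CA is accepted as the server"))
    if "remote-cert-tls" not in opts:   # EKU check that the peer really holds a server certificate
        findings.append(("warn", "remote-cert-tls server missing: server certificate key usage is not verified"))
    cipher = opts.get("cipher", [""])[0].upper()
    if cipher.endswith("-CBC") or cipher.startswith("BF-"):
        findings.append(("info", f"cipher {cipher}: prefer AES-256-GCM where both ends support it"))
    if opts.get("auth", [""])[0].upper() in ("SHA1", "MD5"):
        findings.append(("info", f"auth {opts['auth'][0]}: prefer SHA256 for the HMAC where both ends support it"))
    return findings

def write_auth_file(path, username, password):
    """Create the auth-user-pass file (username on line 1, password on line 2) with owner-only mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{username}\n{password}\n")

def check_auth_file(path):
    """Parse an auth-user-pass file and report whether group or others can read it."""
    with open(path) as fh:
        username, password = fh.read().splitlines()[:2]   # ValueError if a line is missing
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"username": username, "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH))}
```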
[[Category:VPN]]
Revision as of 09:40, 31 October 2007