OpenVPN

From MikroTik Wiki
Revision as of 09:40, 31 October 2007 by Normis (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Server configuration

RouterOS as server

Define a profile:

/ppp profile 
add change-tcp-mss=default comment="" local-address=192.168.0.4 \
name="your_profile" only-one=default remote-address=192.168.0.5 \
use-compression=default use-encryption=required use-vj-compression=default 

Add a user:

/ppp secret 
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any 

OpenVPN server configuration:

/interface ovpn-server server 
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=32 \
port=1194 require-client-certificate=yes

Add an OpenVPN server instance:

/interface ovpn-server 
add comment="" disabled=no name="ovpn-client.example.com" user="username"

Firewall settings:

/ip firewall filter 
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp

Client configuration

RouterOS as client

/interface ovpn-client
add add-default-route=no auth=sha1 certificate=cert1 cipher=aes256 comment="" connect-to=openvpn.example.com disabled=no \
max-mtu=1500 mode=ip name="ovpn-out1" password="password" port=1194 profile=default-encryption user="username"

Linux as client

This is a working client.conf file for the Linux OpenVPN client. The certificates are signed by CAcert.org.

dev tun0
proto tcp-client

remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address

ca   rootCA.cert
cert client.cert
key  client.key

tls-client
tls-remote openvpn.example.com # FQDN, the same as in the certificate

port 1194 # necessary?

user nobody
group nogroup

#comp-lzo # Do not use compression. It doesn't work with RouterOS (tested with 3.0rc9)

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.conf 

The file auth.conf holds your username/password combination. On the first line must be the username and on the second line your password.

username
password