Configurare Open VPN su Mikrotik RouterOS

La seguente guida (spudoratamente ispirata da qui ) spiega come installare una Open VPN sul sistema RouterOS di Mikrotik (testato sulla versione 6.41.3)

Partiamo da una configurazione Base del Mikrotik

/system reset-configuration

Assegnare l’identificativo al Mikrotik da

/system identity set name="MioMikrotik"

Impostare l’ora esatta con NTP:

/system ntp client set enabled=yes mode=unicast \
primary-ntp=[:resolve 0.it.pool.ntp.org] \
secondary-ntp=[:resolve 1.it.pool.ntp.org]

Impostare il fuso orario:

/system clock set time-zone-name=Europe/Rome

Copiare questo script personalizzando le variabili global alle prime linee

# Setup OpenVPN Server and generate certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global COUNTRY "IT"
:global STATE "MYSTATE"
:global LOC "MYCITY"
:global ORG "MyOrg"
:global OU ""
:global KEYSIZE "2048"

## functions
:global waitSec do={:return ($KEYSIZE * 10 / 1024)}

## generate a CA certificate
/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

## generate a server certificate
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

## create a client template
/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="client" \
  key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

## create IP pool
/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224

## add VPN profile
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
  remote-address=VPN-POOL use-encryption=yes

## setup OpenVPN server
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
  default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes

## add a firewall rule
/ip firewall filter
add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN"

## Sposto la regola del firewall prima della generica deny
/ip firewall filter move [find \
comment="Allow OpenVPN"] \
[find where chain=input in-interface-list="!LAN"]

ed incollarlo nel terminale del Mikrotik (io trovo comodo copiarlo dal terminale dopo essermi collegato via ssh al Mikrotik)

Stessa cosa col seguente script per la configurazione dell’utente client (questo andrà ripetuto per ogni nuovo utente da abilitare):

# Add a new user and generate/export certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

## add a user
/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn

## generate a client certificate
/certificate
add name=client-template-to-issue copy-from="client-template" \
  common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

## export the CA, client certificate, and private key
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

A questo punto dal pc possiamo scaricare i certificati, tramite interfaccia web (impostare correttamente l’indirizzo ip del vostro Mikrotik es: 192.168.88.1):

http://MikroTik_IP/webfig/#Files

o da terminale con sftp:

sftp admin@MikroTik_IP:cert_export_\*

Creare nella stessa cartella dei certificati un file user.auth con indicati nome utente e password:

user
password

Sempre nella stessa cartella creare il file di configurazione lato client modificando i parametri in grassetto:

client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3

# Create a file 'user.auth' with a username and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
auth-user-pass user.auth

# Copy the certificates from MikroTik and change
# the filenames below if needed
ca cert_export_MioMikroTik.crt
cert cert_export_user@MioMikroTik.crt
key cert_export_user@MioMikroTik.key

# Add routes to networks behind MikroTik
#route 192.168.10.0 255.255.255.0

A questo punto la configurazione è pronta per essere data in pasto al vostro client OVPN

Se preferite che non venga chiesta la password all’avvio della VPN è necessario trasformare la chiave privata in questo modo:

openssl rsa -passin pass:password -in cert_export_user@MioMikroTik.key -out cert_export_user_np@MioMikroTik.key

ed utilizzare questa nuova chiave privata.

Per rimuovere un utente e revocare il relativo certificato:

# Delete a user and revoke his certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"

## delete a user
/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]

## revoke a client certificate
/certificate
issued-revoke [find name="$USERNAME@$CN"]

Per rimuovere la configurazione OpenVPN dal Mikrotik:

# Revert OpenVPN configuration
#

/ip pool
remove [find name=VPN-POOL]

/ppp profile
remove [find name=VPN-PROFILE]

/ip firewall filter
remove [find comment="Allow OpenVPN"]

/ppp secrets
remove [find profile=VPN-PROFILE]

/certificate
## delete the certificates manually

I certificati vanno rimossi manualmente.

Buon Lavoro 😉

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.