Configuring OpenVPN in Mikrotik / Ubuntu bundle
- Tutorial
In any company where there is more than one office, sooner or later there is a need to combine these same offices. Many providers offer such services, but they will ask for money for it, and who knows what is going on on the side of the provider? Therefore, we will do everything ourselves and consider the option of combining using Mikrotik RB750, Ubuntu and OpenVPN.
The point is in native support, ease of setup, more stable behavior, low (in comparison) pings and many other nice features that the RB750 provides. Third-party firmware like tomato or dd-wrt were excluded from consideration, because there were (and remain) doubts about their stability. Asus WL-520GU was also tested, but the pings were 20-30 ms higher.
On a server in the central office, is Ubuntu. Installing openvpn on it is as follows.
All the nuances of the configuration were in the openvpn configuration file on the server, as a result it turned out like this (commented only on significant points, the description of the rest of the config parameters is in mana, the Internet, example configs, etc.):
I will describe the configuration from the very beginning, including the organization of the switch, the setting of addresses, routes, DHCP, and so on.
We go into the web interface of the router, download winbox.
We start winbox (it is possible to connect both by IP and MAC), open a new terminal, and write the following (achtung, resetting the router configuration):
Connect to the second port of Mikrotik, run the same winbox, and
click on the request that appears. Organize the switch on ports 2-5, port 1 will act as a WAN port.
To do this, specify the ether2 master port on all interfaces 3-5:
in the IP-> Addresses menu, assign the ip lan of the interface
Add a gate to access the Internet in the IP-> Routes menu (in this particular case, the DSL modem with the address 10.100.0.1 is the gate)
Note that 10.100.0.0 is the addressing between the router and the DSL modem through which it goes to the Internet, and 10.0.141.0 is the VPN network.
You can configure DNS here IP-> DNS, and DHCP in the IP-> DHCP Server-> DHCP setup menu, specifying the pool settings.
Let's push our entire internal subnet behind NAT, for this we’ll configure masquerading.
Go to IP-> Firewall-> NAT and add a rule by analogy:
It remains to copy the root certificate (ca.crt) and the client certificate and key (client1.crt, client1.key) that we generated during the installation / configuration of the server. On Mikrotik, select the Files menu, and see a window with the file system of the router. This is where you need to put our keys, drag-n-drop works.
In order for the router to know that it has certificates, they need to be imported through System-> Certifates, add ca.crt, client1.crt, client1.key, the client key will automatically become “Decrypted”.
The OpenVPN connection itself is created in the Interfaces menu, when you click on the red plus, we will see OVPN Client in the drop-down list.
On the Dial Out tab, specify the address of our server, port, client certificate and encryption types.
As a result, we have a completely secure VPN, with minimal costs for equipment and communication services, which can be arranged within a couple of minutes.
Why Mikrotik?
The point is in native support, ease of setup, more stable behavior, low (in comparison) pings and many other nice features that the RB750 provides. Third-party firmware like tomato or dd-wrt were excluded from consideration, because there were (and remain) doubts about their stability. Asus WL-520GU was also tested, but the pings were 20-30 ms higher.
So let's go.
On a server in the central office, is Ubuntu. Installing openvpn on it is as follows.
$ sudo su
# apt-get update
# apt-get upgrade
# apt-get install openvpn
# cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0
# ln -s openssl-1.0.0.cnf openssl.cnf
# source vars
# ./clean-all
Создаем пару корневой сертификат ca.crt и ключ ca.key
# ./build-ca
Создаем пару сертификат сервера server.crt и ключ server.key
# ./build-key-server server
Создаем пару сертификат клиента client1.crt и ключ client1.key
# ./build-key client1
Ключи Диффи Хелмана
# ./build-dh
# cd keys
# mkdir /etc/openvpn/.keys && /etc/openvpn/.ccd
# cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/keys
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# cd /etc/openvpn
# gunzip -d /etc/openvpn/server.conf.gz
# nano /etc/sysctl.conf
Находим строку и снимаем с нее комментарий:
# Enable packet forwarding
net.ipv4.ip_forward=1
All the nuances of the configuration were in the openvpn configuration file on the server, as a result it turned out like this (commented only on significant points, the description of the rest of the config parameters is in mana, the Internet, example configs, etc.):
port 1194
# Mikrotik не умеет работать с UDP
proto tcp
dev tun
ca .keys/ca.crt
cert .keys/server.crt
key .keys/server.key # This file should be kept secret
dh .keys/dh1024.pem
server 10.0.141.0 255.255.255.0
client-config-dir .ccd
client-to-client
keepalive 10 120
tun-mtu 1500
mssfix 1450
cipher AES-256-CBC # AES
auth sha1
# Компрессия микротиком так же не поддерживается
;comp-lzo
user nobody
group nogroup
#Сохраняем туннель при обрыве на время keepalive
persist-key
#Не пересчитываем ключи при обрыве связи
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 3
mute 10
/etc/openvpn/.ccd/client1
# Клиентская подсеть за mikrotik (192) и адрес openvpn у роутера (10)
iroute 192.168.141.0 255.255.255.0 10.0.141.2
# Добавим шлюз по умолчанию для машин за микротиком
ifconfig-push 10.0.141.2 10.0.141.1
Now Mikrotik
I will describe the configuration from the very beginning, including the organization of the switch, the setting of addresses, routes, DHCP, and so on.
We go into the web interface of the router, download winbox.
We start winbox (it is possible to connect both by IP and MAC), open a new terminal, and write the following (achtung, resetting the router configuration):
system reset-configurationConnect to the second port of Mikrotik, run the same winbox, and
remove configclick on the request that appears. Organize the switch on ports 2-5, port 1 will act as a WAN port.
To do this, specify the ether2 master port on all interfaces 3-5:
in the IP-> Addresses menu, assign the ip lan of the interface
Add a gate to access the Internet in the IP-> Routes menu (in this particular case, the DSL modem with the address 10.100.0.1 is the gate)
Note that 10.100.0.0 is the addressing between the router and the DSL modem through which it goes to the Internet, and 10.0.141.0 is the VPN network.
You can configure DNS here IP-> DNS, and DHCP in the IP-> DHCP Server-> DHCP setup menu, specifying the pool settings.
Let's push our entire internal subnet behind NAT, for this we’ll configure masquerading.
Go to IP-> Firewall-> NAT and add a rule by analogy:
Happiness is near
It remains to copy the root certificate (ca.crt) and the client certificate and key (client1.crt, client1.key) that we generated during the installation / configuration of the server. On Mikrotik, select the Files menu, and see a window with the file system of the router. This is where you need to put our keys, drag-n-drop works.
In order for the router to know that it has certificates, they need to be imported through System-> Certifates, add ca.crt, client1.crt, client1.key, the client key will automatically become “Decrypted”.
The OpenVPN connection itself is created in the Interfaces menu, when you click on the red plus, we will see OVPN Client in the drop-down list.
On the Dial Out tab, specify the address of our server, port, client certificate and encryption types.
Total.
As a result, we have a completely secure VPN, with minimal costs for equipment and communication services, which can be arranged within a couple of minutes.