Configuring OpenVPN in Mikrotik / Ubuntu bundle

In any company with more than one office, sooner or later the offices need to be linked together. Many providers offer such a service, but they charge for it, and who knows what goes on on the provider's side? So we will do everything ourselves and look at linking offices with a Mikrotik RB750, Ubuntu and OpenVPN.


Why Mikrotik?

The point is native support, ease of setup, more stable behaviour, lower (comparatively) pings and many other nice features the RB750 provides. Third-party firmware such as Tomato or DD-WRT was excluded from consideration because there were (and remain) doubts about its stability. An Asus WL-520GU was also tested, but its pings were 20-30 ms higher.

So let's go.

The server in the central office runs Ubuntu. Installing OpenVPN on it goes as follows.

$ sudo su
# apt-get update
# apt-get upgrade
# apt-get install openvpn
# cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
# cd /etc/openvpn/easy-rsa/2.0
# ln -s openssl-1.0.0.cnf openssl.cnf
# source vars
# ./clean-all
Create the root certificate ca.crt and its key ca.key
# ./build-ca
Create the server certificate server.crt and its key server.key
# ./build-key-server server
Create the client certificate client1.crt and its key client1.key
# ./build-key client1
Diffie-Hellman parameters
# ./build-dh
# cd keys
# mkdir /etc/openvpn/.keys /etc/openvpn/.ccd
Copy the files into the .keys directory that the server config refers to (ca.key is only needed for signing new certificates and does not have to live on the VPN server)
# cp ca.crt ca.key dh1024.pem server.crt server.key /etc/openvpn/.keys
# cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
# cd /etc/openvpn
# gunzip -d /etc/openvpn/server.conf.gz
# nano /etc/sysctl.conf
Find the line and uncomment it:
# Enable packet forwarding
net.ipv4.ip_forward=1

All the nuances of the configuration came down to the OpenVPN configuration file on the server; in the end it turned out like this (only the significant points are commented, the rest of the parameters are described in the man page, on the Internet, in the example configs, etc.):

port 1194
# Mikrotik cannot work with UDP
proto tcp
dev tun
ca .keys/ca.crt
cert .keys/server.crt
key .keys/server.key  # This file should be kept secret
dh .keys/dh1024.pem
client-config-dir .ccd
keepalive 10 120
tun-mtu 1500
mssfix 1450
cipher AES-256-CBC   # AES
auth sha1
# Compression is not supported by Mikrotik either
user nobody
group nogroup
# Keep the tunnel up during an outage for the keepalive period
persist-tun
# Do not re-read the keys when the connection drops
persist-key
status /var/log/openvpn-status.log
log  /var/log/openvpn.log
verb 3
mute 10

# Client subnet behind the Mikrotik (192) and the router's OpenVPN address (10)
# Add a default gateway for the machines behind the Mikrotik
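As an added example (not from the article), a small Python linter that parses a server.conf like the one above and flags the Mikrotik interop points the article stresses (TCP only, no compression), plus missing PKI directives and a missing privilege drop; the two sample configs embedded in it are constructed.

```python
import shlex

# Constructed sample: the article's server.conf as shown above (trimmed).
SERVER_CONF = """\
port 1194
# Mikrotik cannot work with UDP
proto tcp
ca .keys/ca.crt
cert .keys/server.crt
key .keys/server.key  # This file should be kept secret
dh .keys/dh1024.pem
cipher AES-256-CBC   # AES
user nobody
group nogroup
persist-key
persist-tun
"""
# Constructed variant with the two interop mistakes the article warns about.
BAD_CONF = SERVER_CONF.replace("proto tcp", "proto udp") + "comp-lzo\n"


def parse_openvpn_conf(text):
    """Map each directive to its argument list (last occurrence wins).
    '#'/';' lines are comments; shlex strips trailing '# ...' comments and
    keeps quoted arguments such as push "route ..." as one token."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf


def mikrotik_compat_issues(conf):
    """Report settings that would stop an RB750 OVPN client from connecting,
    plus missing PKI directives or a missing privilege drop on the server."""
    issues = []
    proto = conf.get("proto", ["udp"])[0]          # OpenVPN defaults to UDP
    if not proto.startswith("tcp"):
        issues.append("proto must be tcp: the Mikrotik OVPN client does not support UDP")
    if "comp-lzo" in conf or "compress" in conf:
        issues.append("compression is unsupported by the Mikrotik client: remove comp-lzo/compress")
    for needed in ("ca", "cert", "key", "dh"):
        if needed not in conf:
            issues.append(f"missing '{needed}' directive: PKI incomplete")
    if conf.get("user") != ["nobody"] or conf.get("group") != ["nogroup"]:
        issues.append("server does not drop privileges: add 'user nobody' and 'group nogroup'")
    return issues
```

Run `mikrotik_compat_issues(parse_openvpn_conf(open("/etc/openvpn/server.conf").read()))` on the real file; an empty list means the config matches the constraints above.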

Now Mikrotik

I will describe the configuration from the very beginning, including the organization of the switch, the setting of addresses, routes, DHCP, and so on.
Open the router's web interface and download Winbox.
Start Winbox (you can connect either by IP or by MAC), open a new terminal and enter the following (achtung, this resets the router configuration): system reset-configuration
Connect to the second port of the Mikrotik, start Winbox again and click Remove Configuration in the prompt that appears. Set up the switch on ports 2-5; port 1 will act as the WAN port.
To do this, set ether2 as the master port on interfaces ether3-ether5:
In the IP-> Addresses menu, assign the LAN IP address to the interface.
Add a gateway for Internet access in the IP-> Routes menu (in this particular case the gateway is the DSL modem).
Note that one address range is the link between the router and the DSL modem through which it goes out to the Internet, and the other is the VPN network.
DNS can be configured under IP-> DNS, and DHCP under IP-> DHCP Server-> DHCP Setup, specifying the pool settings.
Let's put our entire internal subnet behind NAT; to do this we configure masquerading.
Go to IP-> Firewall-> NAT and add a rule along these lines:

Happiness is near

It remains to copy the root certificate (ca.crt) and the client certificate and key (client1.crt, client1.key) that we generated while installing and configuring the server. On the Mikrotik, select the Files menu; a window with the router's file system opens. This is where our keys go; drag-and-drop works.
For the router to know it has certificates, they have to be imported through System-> Certificates: add ca.crt, client1.crt and client1.key; the client key will automatically become "Decrypted".
The OpenVPN connection itself is created in the Interfaces menu: click the red plus and OVPN Client appears in the drop-down list.
On the Dial Out tab, specify our server's address, port, the client certificate and the encryption types.


As a result, we have a completely secure VPN, with minimal spending on equipment and communication services, which can be set up in a couple of minutes.
