Configuring MikroTik as an OVPN Server Using Client Certificates and a Revocation List
Before me there was a task to configure MikroTik as an OVPN server using client certificates and the ability to revoke them. I did not find a clear How-To on the Internet on this topic, so I decided to invent my own bike. In this article, I will describe the configuration scheme for this miracle that has turned out and works for me.
Using the ROS PKI
Regarding PKI, there are two options:
1. Using the built-in PKI in ROS:
(+) we can issue and revoke certificates directly on the MikroTik; otherwise the CRL would have to be updated on it manually after every revocation
(-) accidental deletion from the MikroTik of the CA certificate used for signing and revoking certificates is fatal: re-importing the previously exported CA certificate and key will not help, and further use is possible only with openssl and a manual CRL upload after every revocation (assuming you have a current backup of all this at all)
(+) if we back up the entire MikroTik config, the CA is backed up along with it
2. Using a third-party PKI, such as openssl or Windows Server PKI (DO NOT use public trusted CAs such as StartSSL: they issue client certificates not only to you):
(+) not exposed to the weakness of the first option
(-) in the case of openssl, the CRL must be uploaded to the MikroTik manually after every certificate revocation
(+) in the case of Windows Server PKI it is theoretically possible to enrol certificates through the SCEP mechanism, but I have not verified this
(-) in the case of Windows Server PKI you need a domain; without one this PKI will not work
I will consider only the first option: firstly, it suits me, and secondly, it is more flexible. I will also not dwell on the certificate parameters and the other parameters of the standard ROS tools, since they are comprehensively described on the official MikroTik Wiki.
Configure OVPN server on ROS
1. Configuring PKI
1.1. CA certificate:
/certificate add name=template-CA country="" state="" locality="" organization="" unit="" common-name="test-CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="test-CA"
Note: ca-crl-host= is a required parameter, otherwise the revocation list will not be created. The full path to the revocation list is written into the certificate and is shown in its parameters (the "CRL Distribution Points" field). In principle you can specify any of the IP addresses of our MikroTik; the one we specify is the one that ends up in the certificate. Unfortunately, the parameter does not support domain names.
1.2. Server certificate:
/certificate add name=template-SRV country="" state="" locality="" organization="" unit="" common-name="test-srv-OVPN" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="test-CA" name="test-srv-OVPN"
Note: it is better not to change the key-usage of the server certificate; why is described here (and if you really want to change it, that page also says what must be written in the client config for it). Note: unlike SSTP, OVPN does not check that the common-name of the server certificate matches the FQDN of the server.
1.3. Template for client certificates:
/certificate add name=template-CL country="" state="" locality="" organization="" unit="" common-name="test-client-ovpn-template" key-size=4096 days-valid=365 key-usage=tls-client
1.3.1. Certificate of the first client:
/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="test-client-ovpn-1"
/certificate sign template-CL-to-issue ca="test-CA" name="test-client-ovpn-1"
1.3.2. Certificate of the second and subsequent clients: as in 1.3.1, but we change the values of the following parameters. For the first command, the value must be unique within one CA; for the second command, the value must be unique within one MikroTik:
common-name="test-client-ovpn-1"
name="test-client-ovpn-1"
1.4. To revoke a certificate later, use the command:
/certificate issued-revoke %cert-name%
where %cert-name% is the name= of the signed certificate, that is, the name displayed in the MikroTik certificate list.
2. Configure OVPN server
Note: the server can be configured in tun mode ("ip" in ROS) or in tap mode ("ethernet" in ROS). Tun mode is a regular tunnel. Tap mode emulates full Ethernet; in particular, in tap mode clients can be put into a bridge and they will see each other perfectly well. In theory a DHCP server could be run in tap mode, but this is not implemented in the current version of ROS.
2tun. Tun mode
2tun.1. Set the address pool for OVPN clients (it can also be set directly in the PPP profile):
/ip pool add name=OVPN_srv_pool ranges=192.168.100.2-192.168.100.254
2tun.2. Create a PPP profile for the OVPN server:
/ppp profile add name=OVPN_server local-address=192.168.100.1 remote-address=OVPN_srv_pool
Optional: the remaining parameters are to your liking and in accordance with your goals, for example dns-server=192.168.100.1 use-ipv6=no.
2tun.3. Configure the user authentication mode:
/ppp aaa set accounting=yes
2tun.4. Add users:
/ppp secret add name=test-user-1 password=P@ssword1 service=ovpn profile=OVPN_server
/ppp secret add name=test-user-2 password=P@ssword2 service=ovpn profile=OVPN_server
2tun.5. Turn on the OVPN server:
/interface ovpn-server server set auth=sha1 cipher=blowfish128 default-profile=OVPN_server mode=ip netmask=24 require-client-certificate=yes certificate=test-srv-OVPN enabled=yes
2tap. Tap mode
2tap.1. Set the address pool for OVPN clients (it can also be set directly in the PPP profile):
/ip pool add name=OVPN_srv_pool ranges=192.168.100.2-192.168.100.254
2tap.1+. Create a bridge for the OVPN connections:
/interface bridge add name=OVPN_bridge arp=enabled
Note: it is not necessary to assign an IP address to the bridge; the address is already set in the PPP profile (moreover, if you assign an address to the bridge but do not set local-address= in the PPP profile, the client will not connect). Note: arp must be enabled, otherwise clients will not see each other.
2tap.2. Create a PPP profile for the OVPN server:
/ppp profile add name=OVPN_server local-address=192.168.100.1 remote-address=OVPN_srv_pool bridge=OVPN_bridge
Optional: the remaining parameters are to your liking and in accordance with your goals, for example dns-server=192.168.100.1 use-ipv6=no.
2tap.3. Configure the user authentication mode:
/ppp aaa set accounting=yes
2tap.4. Add users:
/ppp secret add name=test-user-1 password=P@ssword1 service=ovpn profile=OVPN_server
/ppp secret add name=test-user-2 password=P@ssword2 service=ovpn profile=OVPN_server
2tap.5. Turn on the OVPN server:
/interface ovpn-server server set auth=sha1 cipher=blowfish128 default-profile=OVPN_server mode=ethernet netmask=24 require-client-certificate=yes certificate=test-srv-OVPN enabled=yes
Notes for both modes:
1. A user (PPP secret) is mandatory even with certificate authorization. You can create one user for all clients and put the same username/password in every client config, but then it is impossible to track the connection and actions of a specific user, which is inconvenient and somewhat unsafe.
2. I do not cover RADIUS authentication simply because I have not tested it. I can only assume that it will work only for username/password, and certificates will still be checked on the MikroTik.
3. Make sure the address pool matches the subnet specified in the OVPN server settings. The ROS OVPN server does not check whether the server's local-address= and the client address assigned from the pool belong to the same network; moreover, if, for example, netmask 29 is used and ranges=192.168.100.0/29 is set as the pool, the broadcast address 192.168.100.7 can easily be assigned to a client, as happened to me. Exactly the same situation arises if the pool is larger than the mask implies, only the problem does not show up right away but a little later.
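The pool/netmask mismatch from note 3 is easy to catch before a client ever connects. The checker below is an added example (not part of the article or of RouterOS): it expands a `/ip pool ranges=` value the way ROS hands out addresses, including the network and broadcast address of a CIDR item, and reports every address that falls outside the server subnet, is the network or broadcast address, collides with local-address=, or is simply malformed (for example a range with a missing octet).

```python
import ipaddress


def expand_ranges(ranges: str):
    """Expand a RouterOS '/ip pool ranges=' value into individual addresses.

    Items are comma separated and may be 'A-B', 'A/prefix' or a single 'A'.
    """
    addrs = []
    for item in ranges.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (ipaddress.IPv4Address(x.strip()) for x in item.split("-", 1))
            if hi < lo:
                raise ValueError(f"range end before start: {item}")
            addrs.extend(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
        elif "/" in item:
            # A CIDR item hands out every address of the block, network and
            # broadcast included; that is exactly the trap described in note 3.
            addrs.extend(ipaddress.IPv4Network(item, strict=False))
        else:
            addrs.append(ipaddress.IPv4Address(item))
    return addrs


def check_pool(ranges: str, local_address: str, netmask: int):
    """Return a list of problems; an empty list means the pool is consistent
    with the PPP profile's local-address= and the OVPN server's netmask=."""
    try:
        addrs = expand_ranges(ranges)
    except ValueError as exc:
        return [f"malformed ranges= value: {exc}"]
    local = ipaddress.IPv4Address(local_address)
    net = ipaddress.IPv4Network(f"{local}/{netmask}", strict=False)
    problems = []
    for a in addrs:
        if a not in net:
            problems.append(f"{a} is outside {net}")
        elif a == net.network_address:
            problems.append(f"{a} is the network address of {net}")
        elif a == net.broadcast_address:
            problems.append(f"{a} is the broadcast address of {net}")
        elif a == local:
            problems.append(f"{a} collides with local-address")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the /29 case from note 3 and a sane /24 pool.
    for ranges, local, mask in [("192.168.100.0/29", "192.168.100.1", 29),
                                ("192.168.100.2-192.168.100.254", "192.168.100.1", 24)]:
        print(ranges, "->", check_pool(ranges, local, mask) or "OK")
```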
3. Export certificates to configure clients
3.1. Export the CA certificate:
/certificate export-certificate test-CA export-passphrase=""
Note: we only need the certificate itself, the private key is NOT needed, therefore export-passphrase="" must be empty.
3.2. Export the client certificates:
/certificate export-certificate test-client-ovpn-1 export-passphrase=private-key-password1
/certificate export-certificate test-client-ovpn-2 export-passphrase=private-key-password2
Note: export-passphrase= is a required parameter for exporting private keys; use a separate password for each client, and DO NOT use the same password that was specified for the users in step 2tun.4/2tap.4!
3.3. Get the resulting certificate and key files off the MikroTik in any convenient way (as a rule, I drag the files back and forth directly in WinBox).
Windows client setup
1. Get the OpenVPN distribution from openvpn.net.
2. Install it, leaving all options at their defaults, including the TAP interface, which is needed in either configuration mode.
3. Go to OpenVPN\config (by default C:\Program Files\OpenVPN\config) and create the client.ovpn file there (or copy it from OpenVPN\sample-config).
4. Create the client configuration, or modify the one from sample-config.
The contents of client.ovpn with small comments
client
# Attention! Specify only one of the two dev lines.
# For tun mode:
dev tun
# For tap mode (comment out "dev tun" and uncomment the next two lines):
;dev tap
# dev-node is needed only in tap mode; instead of MyTap substitute the name of the TAP interface in Windows (ipconfig /all, or Network Connections in the Control Panel)
;dev-node MyTap
# Protocol used. The ROS OVPN server works only in tcp mode
proto tcp
# Server address and port to connect to. Instead of ovpn.my.domain put a DNS name or an IP address. Several servers can be listed.
remote ovpn.my.domain 1194
;remote my-server-2 1194
# remote-random is needed only if more than one server is listed; with it the client picks one of the listed servers at random on each connection
;remote-random
# Pause between attempts to resolve the server DNS name, in seconds (or infinite)
resolv-retry infinite
# With this parameter the client uses a dynamic local port for the connection
nobind
# Keep the key and tunnel state across reconnects, so the key files are not re-read
persist-key
persist-tun
# Proxy settings
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Silence warnings about duplicate packets
;mute-replay-warnings
# Paths to the certificate files
# ca - certificate of the CA that issued the client and server certificates
# cert - the client certificate
# key - the private key of the client certificate
ca cert_export_test-CA.crt
cert cert_export_test-client-ovpn-1.crt
key cert_export_test-client-ovpn-1.key
# auth-user-pass tells the OVPN client to use a username and password (not instead of certificates, but together with them)
# user-pwd.txt is the file in which the login and password are stored: the first line is the login, the second is the password; without this argument the username and password are requested on every connection
# Note: if the private key of the certificate is itself protected by a passphrase that has to be entered on every connection, I do not consider it necessary to also make the user remember a username and password
auth-user-pass user-pwd.txt
# Tells the client to check that the server certificate has the correct key-usage
remote-cert-tls server
# Key for protecting the start of the authentication process (handshake), an additional security measure. It makes sense when only login/password are used, without certificates.
;tls-auth ta.key 1
# Setting a specific cipher; by default blowfish128 is used.
;cipher x
# LZO compression. Not supported by OVPN on ROS.
;comp-lzo
# Log level. The higher the value, the more detailed.
verb 3
# Suppress repeated messages in the log
;mute 20
# Above are the parameters present in the "native" sample client config plus the one parameter we need
# Below are a few more parameters that I find useful.
# A route that is set when the connection is brought up
# The route does not specify a gateway but points directly into the connection
route 192.168.88.0 255.255.255.0
# Pause before setting the routes after the connection is established (in seconds)
route-delay 5
# If we want to make the OVPN connection the default gateway
route-gateway 192.168.100.1
redirect-gateway def1
# Thanks to the user for the correction. According to the docs this variant is correct, but at the time of editing I have no way to test it.
Note: for the routing parameters in the config to take effect, the OVPN service itself or the OpenVPN GUI must be started with administrator rights.
Note: the list of most parameters is here, but it is somewhat outdated.
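The comments in client.ovpn above encode several constraints of the ROS OVPN server (tcp only, no comp-lzo, exactly one dev line, dev-node only for tap, a PPP secret in addition to the certificate). The linter below is an added example (not from the article or from OpenVPN) that checks a client config against exactly those constraints; the two sample configs are constructed for the demonstration and mirror the one above.

```python
# Constructed sample configs: one written the way the article describes,
# one carrying the mistakes the comments in client.ovpn warn about.
GOOD_OVPN = """client
dev tun
proto tcp
remote ovpn.my.domain 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cert_export_test-CA.crt
cert cert_export_test-client-ovpn-1.crt
key cert_export_test-client-ovpn-1.key
--auth-user-pass user-pwd.txt
remote-cert-tls server
verb 3
"""
BAD_OVPN = (GOOD_OVPN.replace("dev tun\n", "dev tun\ndev tap\ndev-node MyTap\n")
            .replace("proto tcp", "proto udp")
            .replace("remote-cert-tls server\n", "remote-random\ncomp-lzo\n"))


def parse_ovpn(text):
    """Return the active options as (name, args). Lines starting with ';'
    and anything after '#' are comments; a command-line style '--' prefix
    on an option name is tolerated."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        opts.append((name.lstrip("-"), args))
    return opts


def lint_ros_client_config(text):
    """Return a list of findings; an empty list means the config respects
    the ROS OVPN server constraints described in the article."""
    opts = parse_ovpn(text)
    names = [n for n, _ in opts]

    def first_args(name):
        return [a[0] for n, a in opts if n == name and a]

    findings = []
    devs = first_args("dev")
    if len(devs) != 1:
        findings.append("exactly one 'dev tun' or 'dev tap' line must be active")
    if "dev-node" in names and devs != ["tap"]:
        findings.append("'dev-node' applies only in tap mode")
    if devs == ["tap"] and "dev-node" not in names:
        findings.append("tap mode on Windows needs 'dev-node <TAP adapter name>'")
    if first_args("proto") != ["tcp"]:
        findings.append("the ROS OVPN server accepts only 'proto tcp'")
    if "comp-lzo" in names:
        findings.append("'comp-lzo' is not supported by the ROS OVPN server")
    remotes = first_args("remote")
    if not remotes:
        findings.append("no 'remote' line")
    if "remote-random" in names and len(remotes) < 2:
        findings.append("'remote-random' has no effect with a single remote")
    for req in ("ca", "cert", "key"):
        if req not in names:
            findings.append(f"missing '{req}'")
    if "auth-user-pass" not in names:
        findings.append("missing 'auth-user-pass' (the server also requires a PPP secret)")
    if "remote-cert-tls" not in names:
        findings.append("missing 'remote-cert-tls server' (server key-usage not checked)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_OVPN), ("bad", BAD_OVPN)):
        print(label, lint_ros_client_config(cfg) or "OK")
```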
Configure MikroTik client
1 Import certificates
1.1. Put the CA certificate file, the client certificate file and the client key file on the MikroTik in any convenient way.
1.2. Import the CA certificate:
/certificate import file-name=cert_export_test-CA.crt passphrase=""
1.3. Import the client certificate and key:
/certificate import file-name=cert_export_test-client-ovpn-1.crt passphrase=""
/certificate import file-name=cert_export_test-client-ovpn-1.key passphrase=private-key-password1
2. Configure the client. Values in {} are filled in according to the previous settings and your needs:
/interface ovpn-client add name=OVPN_client connect-to={ovpn.my.domain|xxx.xxx.xxx.xxx} port=1194 mode={ip|ethernet} user=test-user-1 password=P@ssword1 profile=default certificate=cert_32 auth=sha1 cipher=blowfish128 add-default-route={no|yes} disabled=no
For the experiments, the following hardware and software were used:
RouterBoard 2011UiAS-2HnD with RouterOS 6.32.2 on board, 2 pcs., one as the server, the other as a client; both serve as border gateways, at home and at work.
A laptop with Windows 10 Pro x64 on board, 1 pc., as a client; serves for work and as a laboratory.
The following resources were used for learning:
wiki.mikrotik.com
openvpn.net/index.php/open-source/documentation/howto.html
tuxnotes.ru/note/1
www.v13.gr/blog/?p=386
And a lot of little things from search results.
Thank you for your attention.