OpenVPN Configuration Step by Step

This document provides step-by-step instructions for configuring an OpenVPN server on a MikroTik router. It covers generating and importing certificates, creating an IP pool and PPP profile for clients, enabling the OpenVPN service, and configuring NAT and a client connection. The process includes using OpenSSL to convert keys to a compatible format and submitting a certificate signing request to a free CA for signed certificates.


In this article I will talk about OpenVPN and how to set it up completely: basic configuration, certificates and the OpenVPN configuration itself.
In many topics and forums users talk about OpenVPN, and approximately 90% of them have problems installing and running OpenVPN correctly.
So I decided to show you how to do it correctly. Let's go!
What is OpenVPN ?
OpenVPN has been ported to various platforms, including Linux and Windows, and its configuration is alike on each of these systems, which makes it easier to support and maintain.
Also, OpenVPN is one of the few VPN protocols that can make use of a proxy, which might be handy sometimes.
You are also able to use various ports (TCP ports) for your VPN connections.
For more information, see [1].
Requirements :
RouterOS or RouterBOARD (in this article I have an RB493AH, version 6 RC 13)
Public or private IP address or a valid domain name (my router: 91.108.151.193, domain name: Reza.IPExperts.Ir)
If you have a domain name, as in this article, you can point all certificate requests to your domain; otherwise you should use your IP address!
Public or private certificate for OpenVPN (I will use a free CAcert [2] certificate)
PPP package (to install the OpenVPN service)
OpenVPN GUI for Windows (if your OpenVPN client is a Windows user, use OpenVPN GUI [3]; in this article the client is another RouterBOARD)
Linux operating system with OpenSSL
Basic Configuration :
Please set the IP address, default route and other basic configuration on your MikroTik (DNS, NTP, etc.).

ip address
add address=91.108.151.193/28 comment="Public IP" interface="WLAN 1 - Home" \
network=91.108.151.192

Add a Default Route


ip route
add distance=1 gateway=91.108.151.194

Certificate :
OpenVPN uses certificates to set up connections, so open a New Terminal window and create a certificate request with your information:

certificate create-certificate-request

You will be asked a number of questions; some of them are important, some are not.

select name for certificate request file.
it will be created after you finish entering all required information.
certificate request file name: certificate-request.pem

select name of private key file.
if such file does not exist, it will be created later.
file name: private-key.pem

private key file already exists and will be overwritten if you continue.
please enter passphrase that will be used to encrypt generated private key file.
you must enter it twice to be sure you have not made any typing errors.
passphrase: 123456 [IMPORTANT]
verify passphrase: 123456 [IMPORTANT]

enter number of bits for RSA key.
longer keys take more time to generate.
rsa key bits: 2048 [Default]

now you will be asked to enter values that make up distinguished name of your certificate.
you can leave some of them empty.
CA may reject your certificate request if some of these values are incorrect or missing, so please check what are the requirements of your CA.

enter two character country code.
country name: IR [NOT IMPORTANT]

enter full name of state or province.
state or province name: Khuzestan [NOT IMPORTANT]

enter locality (e.g. city) name
locality name: Ahvaz [NOT IMPORTANT]

enter name of the organization
organization name: IPExperts [NOT IMPORTANT]

enter organizational unit name
organization unit name: IT Department [NOT IMPORTANT]

enter common name.
for ssl web servers this must be the fully qualified domain name (FQDN) of the server that will use this certificate (like www.someverysecuresitename.com).
this is checked by browsers.
common name: reza.ipexperts.ir [IMPORTANT] or common name : 91.108.151.193 [IMPORTANT]

enter email address
email address: R.Moghadam@Hotmail.Com [NOT IMPORTANT]

now you can enter challenge password.
it's use depends on your CA.
it may be used to revoke this certificate.
challenge password: 123456 [NOT IMPORTANT]

you can enter unstructured address, if your CA accepts or requires it.
unstructured address: Reza Moghadam [NOT IMPORTANT]

After a few seconds you will receive notification that the Certificate Request file was created:

You can see that Certificate-Request.pem and Private-key.pem have been added in the Files menu.

CaCerts :
Drag and drop the request files (Certificate-Request.pem and Private-Key.pem) to your desktop.
First open the Certificate-Request.pem file with WordPad and copy the whole string, including the begin and end lines of the certificate request. Then log in to your CAcert account and make a new server certificate.
Paste the contents of Certificate-Request.pem into the CSR field in your account (New Server Certificate) and submit it.

The domain is accepted.

Copy the certificate response from CAcert, paste it into WordPad and save it as a .pem file (here: certificate-response.pem).
Private Key :
We need a private key as the key file, but generated private keys will be in PKCS8 format, which is not supported in RouterOS.
To import such keys we should use the OpenSSL tool on a Linux distribution to make a private key file.
We can install OpenSSL with one of these commands:

apt-get install openssl


or
yum install openssl

Upload or move the Private-Key.pem file to the Linux system with OpenSSL (using Bitvise SSH Client).
Make your Private-Key.key file with this command:

openssl rsa -in private-key.pem -text

Copy the exported string (including the Begin and End lines) and paste it into a new file (e.g. Private-Key.Key).
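
A check to run on the converted file before uploading it, as an added example that is not part of the original article: it reads the PEM label and the first DER fields to tell a traditional (PKCS#1) RSA key from a PKCS#8 one and reports whether the key is still encrypted. The sample keys are constructed stubs and the function names are hypothetical; treating the unencrypted `RSA PRIVATE KEY` form as the import target is an assumption drawn from the article's statement that RouterOS does not accept PKCS#8. Note that OpenSSL 3.0 and later write PKCS#8 from `openssl rsa` unless `-traditional` is given.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def inner_tag(der):
    """Tag that follows the version INTEGER inside the outer DER SEQUENCE."""
    if len(der) < 6 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Skip the outer length: short form is 1 byte, long form is 1 + n bytes.
    pos = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    if der[pos:pos + 3] != b"\x02\x01\x00":
        raise ValueError("unexpected version field")
    return der[pos + 3]

def classify_private_key(pem_text):
    """Return 'pkcs1', 'pkcs1-encrypted', 'pkcs8' or 'pkcs8-encrypted'."""
    m = PEM_RE.search(pem_text.replace("\r\n", "\n"))
    if not m:
        raise ValueError("no PEM block found")
    label, lines = m.group(1), m.group(2).strip().split("\n")
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    # Legacy encrypted keys carry RFC 1421 headers before the base64 body.
    if any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines):
        return "pkcs1-encrypted"
    der = base64.b64decode("".join(l.strip() for l in lines))
    # PKCS#1 continues with an INTEGER (modulus), PKCS#8 with a SEQUENCE.
    kind = {0x02: "pkcs1", 0x30: "pkcs8"}.get(inner_tag(der))
    expected = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}.get(label)
    if kind is None or kind != expected:
        raise ValueError(f"label {label!r} does not match key structure")
    return kind

def ready_for_import(pem_text):
    """True only for an unencrypted traditional RSA key (assumed target)."""
    return classify_private_key(pem_text) == "pkcs1"

def make_pem(label, der, headers=""):
    # Builds the constructed samples below (stub DER, not real keys).
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed samples: minimal DER prefixes, enough for the structure check.
SAMPLE_PKCS1 = make_pem("RSA PRIVATE KEY", b"\x30\x06\x02\x01\x00\x02\x01\x05")
SAMPLE_PKCS8 = make_pem("PRIVATE KEY", b"\x30\x07\x02\x01\x00\x30\x00\x04\x00")
SAMPLE_LEGACY_ENC = make_pem(
    "RSA PRIVATE KEY", b"\x00" * 16,
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0011223344556677\n\n")
```
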
Import Certificate
Import the files (Certificate-Response.pem, Private-Key.Key) into your MikroTik Files menu.

First, import the Certificate-Response.pem file with that passphrase.

Second, import the Private-Key.Key file with that passphrase.

Once you have imported the private key, your certificate should get "KR" written next to it (K: decrypted private key, R: RSA).
Now you will be able to use this key for OVPN.
OpenVPN Server Configuration :


We should make an IP pool for the OpenVPN clients.

ip pool
add name=PPP ranges=1.1.1.1-1.1.1.100,1.1.1.150-1.1.1.200

Make a profile for the OpenVPN service.

Warning: the screenshot shows an incorrect local address; it should be 1.1.1.254, as in the command below.

ppp profile
set 0 dns-server=4.2.2.4,8.8.8.8
add dns-server=4.2.2.4,8.8.8.8 local-address=1.1.1.254 name=\
"OpenVPN Profile" remote-address=PPP

Create a username and password for the OpenVPN client.

ppp secret
add name=1 password=1 profile="OpenVPN Profile"

Enable the OpenVPN service and select a valid certificate.

interface ovpn-server server
set certificate=cert1 enabled=yes

NAT :
Add a masquerade firewall NAT rule to share the internet connection with the OpenVPN client.

ip firewall nat
add action=masquerade chain=srcnat src-address=1.1.1.0/24

OpenVPN Client :
Create an OpenVPN client and set the address of the OpenVPN server and the username and password.

interface ovpn-client
add auth=none cipher=none connect-to=reza.ipexperts.ir mac-address=\
02:FB:D1:D8:20:B7 name=ovpn-out1 password=1 user=1

Finally :
You can see that the OpenVPN client is connected, and you will be able to ping it.
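
Before a configuration like this one goes into service, the values chosen for the pool, the PPP secret and the client can be reviewed mechanically. The following is an added example, not part of the original article: it parses a RouterOS command listing in the two-line menu/command form used here and reports tunnels without encryption or packet authentication, trivial PPP passwords and VPN pools taken from public address space. The 12-character threshold and the function names are assumptions.

```python
import ipaddress
import re
import shlex

MIN_PASSWORD_LEN = 12  # assumed policy threshold, not a RouterOS limit

def parse_script(text):
    """Yield (menu, params) for every add/set line of a RouterOS listing."""
    menu = ""
    # A trailing backslash continues the command on the next line.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        words = [] if line.lstrip().startswith("#") else shlex.split(line)
        if not words:
            continue
        if words[0] in ("add", "set"):
            yield menu, dict(w.split("=", 1) for w in words[1:] if "=" in w)
        else:
            menu = " ".join(words).lstrip("/")

def audit(text):
    """Return a list of (menu, finding) tuples for weak VPN settings."""
    findings = []
    for menu, p in parse_script(text):
        if menu == "interface ovpn-client":
            if p.get("cipher") == "none":
                findings.append((menu, "cipher=none: tunnel traffic is not encrypted"))
            if p.get("auth") == "none":
                findings.append((menu, "auth=none: no HMAC packet authentication"))
        elif menu == "ppp secret":
            pw = p.get("password", "")
            if len(pw) < MIN_PASSWORD_LEN or pw == p.get("name"):
                findings.append((menu, f"weak password for user {p.get('name')!r}"))
        elif menu == "ip pool":
            for rng in filter(None, p.get("ranges", "").split(",")):
                if not ipaddress.ip_address(rng.split("-")[0]).is_private:
                    findings.append((menu, f"range {rng} is public address space"))
    return findings

# Constructed input: commands from this article joined into one listing.
ARTICLE_CONFIG = r'''
ip pool
add name=PPP ranges=1.1.1.1-1.1.1.100,1.1.1.150-1.1.1.200
ppp secret
add name=1 password=1 profile="OpenVPN Profile"
interface ovpn-client
add auth=none cipher=none connect-to=reza.ipexperts.ir mac-address=\
02:FB:D1:D8:20:B7 name=ovpn-out1 password=1 user=1
'''
```

Calling `audit(ARTICLE_CONFIG)` returns five findings: two for the pool ranges, one for the PPP secret and two for the client interface.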
Reza Moghadam
--MikroTik Certified Trainer 12:02, 4 April 2013 (UTC)

References
[1] http://wiki.mikrotik.com/wiki/OpenVPN
[2] http://Cacerts.Org
[3] http://openvpn.se/
Article Sources and Contributors


OpenVPN Configuration Step by Step  Source: http://wiki.mikrotik.com/index.php?oldid=26115  Contributors: Marisb, Nest, Reza.moghadam
