I found lots of how-to guides already but none really matched what I wanted to achieve and quite a few seemed pretty out of date, with commands for RouterOS that no longer work.
What I wanted to end up with is something like this:
So fairly standard for a VPN but I was keen that once set up, it just keeps working. Things at Site A on 192.168.88.0/24 subnet should be able to access things at Site B on the 192.168.89.0/24 subnet automatically. It also needed to survive a reboot of either router.
One big stumbling block I ran into with OpenVPN on Mikrotiks is that they don't support push-route so you can get the VPN server to push routes to the client(s). So in the end I had to set up static IPs for the VPN to use (on the 10.9.9.50/32 subnet) and static routes by IP address.
Worth noting that the Mikrotik routers also don't support OpenVPN over UDP but this wasn't an issue for me.
How to set up
Steps are:
- set up NTP
- generate certificates
- set up server
- set up client
- add static routes on both ends
Set up NTP
It's important
that the time is correct on both routers for the certificates to work.
Ideally they need to be talking to some NTP servers.
In the web
interface or Winbox, go to System & SNTP Client. Add some NTP
servers, if using pool.ntp.org then ensure you add several DNS names:
Generating Certificates
There's several
ways of doing this, if you have OpenVPN installed on a "normal"
computer (such as a Linux server or desktop) then you can use the
Easy-RSA package to generate certificates for you. There are also
websites which will do the job for you. I used the Mikrotik router
itself to do the job. All the work is done using one router.
Using newer
versions of RouterOS (I'm using 6.25 for this), you create certificate
templates first and then sign them. It's possible using the web
interface or the Winbox tool (which runs fine with wine) but I used the
command line interface because it was quicker.
Generate templates:
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-signChange the common-name to something more descriptive if you want.
/certificate add name=server-template common-name=server
/certificate add name=client1-template common-name=client1
Then sign the certificates:
/certificate sign ca-template ca-crl-host=192.168.88.1 name=myCaSet CA and server cert as trusted:
/certificate sign ca=myCa server-template name=server
/certificate sign ca=myCa client1-template name=client1
/certificate set myCa trusted=yesNow export the CA and the client certificate so they can be copied onto the Mikrotik router for Site B:
/certificate set server trusted=yes
/certificate export-certificate myCaCopy these two files off router A and onto router B, this is easy to do in the web interface or Winbox.
/certificate export-certificate client1 export-passphrase=xxxxxxxx
In web interface or Winbox on router B, go to "System" & "Certificates" and import the CA and the client certificate.
Setup the Server
This is all
done on router A which is acting as the server. It doesn't matter which
router you use as the server but it should ideally have a static IP
address on the Internet facing interface (or at least be using some kind
of dynamic DNS service) - the client has to know where to access the
server! The client(s) could be on dynamic IPs.
Create a PPP profile for this VPN:
Note how the
static IP addresses to be used for the VPN (10.9.9.50 & 10.9.9.51)
are defined here. You can choose whatever IPs you want but they
shouldn't clash with any of the subnets already in use at any of the
sites you are going to connect on this VPN.
Create a PPP authentication for this client to use:
As well as
being used for authentication, it associates the client with the PPP
profile you created above so if you have multiple clients, create
multiple profiles and multiple authentications linking them together.
Click on the OVPN Server button on the PPP Interfaces tab and enable the OpenVPN server:
Select the
"server" certificate, make sure "require client certificate" is chosen.
You can use whatever authentication methods and ciphers you want, just
make sure that when you set up a client, you set it to use matching
settings.
The last job on the server is to open up the OpenVPN port on the firewall:
The last job on the server is to open up the OpenVPN port on the firewall:
Setup the Client
Assuming you have already loaded and imported the CA & client1 certificates, connecting to the OpenVPN server is simple.
Add a new PPP interface of type OVPN Client:
This should be
fairly self-explanatory by now! Make sure to use the correct username
& password as configured for the PPP Profile on the server, choose
the correct certificate and make sure the auth method & cipher are
compatible with your server settings.
For what I
want, I don't want the default route setting because I only want to use
the VPN to access devices on the remote network, all other traffic
should still go out over the local Internet connection. So we will add
static routes to do this next.
Add Static Routes
By now the VPN
is connected and working. But, site A wants to access devices on the
192.168.89.0/24 subnet at site B and site B wants to access devices on
the 192.168.88.0/24 subnet at site A. A static route is needed at each
end for this.
At site A, add a
new route. The only required information is the destination address
and the gateway to use. These will be the local network at site B, and
the OpenVPN address of site B:
Then at site B, do the same but using the local subnet at site A and the OpenVPN IP address at site A.
Once these are saved they will persist OpenVPN being restarted, Internet connection failures etc...
The great thing
I find with OpenVPN is that once you've got it up and running you can
just forget about it and it keeps on working. It is very good at
reconnecting after failures too (such as Internet connection drop outs,
router reboots etc...).
fonte:
http://paulswasteland.blogspot.com.br/2015/05/site-to-site-openvpn-using-mikrotik.html
0 comentários:
Postar um comentário