MikroTIK RouterOS and OpenVPN Certificates

What a mission. Had to do quite a lot of reading and digging around, but got it to work. What I used was Fedora Core 6 and MikroTik RouterOS 3.6.

Herewith the process I used.

SSH to the Fedora box as root:

[root] yum install openvpn
[root] wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
[root] tar zxvf openvpn-2.0.9.tar.gz
[root] mv openvpn-2.0.9/easy-rsa/ /etc/openvpn/easy-rsa/
[root] cd /etc/openvpn/easy-rsa/

Edit the ./vars file and ensure the following are set for your environment:

export KEY_COUNTRY="ZA" # Your 2-letter country code
export KEY_PROVINCE="Gauteng" # Your province
export KEY_CITY="JHB" # Your city
export KEY_ORG="Company" # Your company. This one needs to be the same in all keys.
export KEY_EMAIL="support@company.co.za" # The support mail address

Now run the following scripts:

[root] . ./vars # Yes. [.][space][./]
[root] ./clean-all # Deletes all the keys in the keys folder.
[root] ./build-ca # Generates the CA key

Generating a 1024 bit RSA private key
..........++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ZA]:
State or Province Name (full name) [Gauteng]:
Locality Name (eg, city) [JHB]:
Organization Name (eg, company) [Company]:
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []: company.co.za
Email Address [support@company.co.za]:

For the CA certificate, the "Common Name" should be just the domain name of the MikroTik server's Internet-facing side.

Now we build the client certificates:

[root] ./build-key client1

Generating a 1024 bit RSA private key
....................++++++.........++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [ZA]:
State or Province Name (full name) [Gauteng]:
Locality Name (eg, city) [JHB]:
Organization Name (eg, company) [Company]:
Organizational Unit Name (eg, section) []:Client Name
Common Name (eg, your name or your server's hostname) []:fqdn.client.co.za
Email Address [support@company.co.za]:support@client.co.za

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'ZA'
stateOrProvinceName :PRINTABLE:'Gauteng'
localityName :PRINTABLE:'JHB'
organizationName :PRINTABLE:'Copany'
organizationalUnitName:PRINTABLE:'Client Name'
commonName :PRINTABLE:'fqdn.client.co.za'
emailAddress :IA5STRING:'support@client.co.za'
Certificate is to be certified until Apr 5 22:46:58 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Do the same for all your clients.

Now we build the Diffie-Hellman parameter file:

[root] ./build-dh

This can take a while, depending on the machine.
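Before copying anything to the router, it is worth confirming that every client certificate really is signed by the CA just built and that each .key belongs to its .crt; a cert signed by some other CA, or a key that does not match its cert, will not give you a working client. The script below is an added example, not part of the original post: it uses only the openssl command-line tool, assumes the easy-rsa keys directory layout used above (keys/ca.crt, keys/<client>.crt, keys/<client>.key), and builds a throwaway demo PKI in a temporary directory so the checks can be tried without touching the real keys.

```shell
#!/bin/sh
# Added check, not part of the original post: validate an easy-rsa output set
# before the files are copied to the router. Requires only the openssl CLI.

# Is the certificate in $2 signed by the CA in $1 (and currently valid)?
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key in $2 belong to the certificate in $1?
# Compares the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# check_pair CA_CRT CLIENT_CRT CLIENT_KEY
# Runs both checks, reports each, and returns 0 only if both pass.
check_pair() {
  ca=$1 crt=$2 key=$3 rc=0
  if verify_chain "$ca" "$crt"; then
    echo "chain:   $crt is signed by $ca"
  else
    echo "chain:   $crt is NOT signed by $ca" >&2
    rc=1
  fi
  if key_matches_cert "$crt" "$key"; then
    echo "keypair: $key matches $crt"
  else
    echo "keypair: $key does NOT match $crt" >&2
    rc=1
  fi
  return $rc
}

# Constructed demo data (not the real PKI): a throwaway CA, one client signed
# by it, and one unrelated self-signed CA, all written to directory $1.
make_demo_pki() {
  d=$1
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=ZA/O=Company/CN=company.co.za" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/C=ZA/O=Company/OU=Client Name/CN=fqdn.client.co.za" \
    -keyout "$d/client1.key" -out "$d/client1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/client1.csr" \
    -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -out "$d/client1.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/C=ZA/O=Other/CN=other.example" \
    -keyout "$d/other.key" -out "$d/other-ca.crt" >/dev/null 2>&1
}

# Usage against the real keys: sh check-pki.sh /etc/openvpn/easy-rsa/keys client1
if [ "$#" -eq 2 ]; then
  check_pair "$1/ca.crt" "$1/$2.crt" "$1/$2.key"
  exit $?
fi
```

Run it once per client before the Winbox drag-and-drop; a non-zero exit means that client's files should be regenerated rather than imported.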

Now copy the *.crt and *.key files under the keys folder to your MikroTik server under "Files". I use the Winbox drag-and-drop function.

In Winbox, under certificates, hit the import button, select the ca.crt file first, and import. Then hit the import button again, and select the ca.key file and import. You should see a "KR" in the first column. The order is important.

Do the same for all your client certificates, getting the order right for each and confirming the "KR" shows for each.

Under "IP" -> "Pools" add a pool called "ovpn-pool". In the "Addresses" select the range you would like to use, like "10.10.1.10-10.10.1.50". Set the "Next Pool" to "none".

Under "PPP" -> "Profiles" add a profile called "ovpn-profile". Set your "Local Address" outside your "ovpn-pool", but in the same subnet. Select "ovpn-pool" under "Remote Address" and set "Use Encryption" to "required". The rest should be blank or default.

Under "PPP" -> "Interface" select the "OVPN Server" button. Enable the server, select "ovpn-profile" under "Default profile" and the CA certificate under "Certificate" (it should be "cert1" if it was the first to be imported).

Under "PPP" -> "Secrets" add an entry where "Name" would be the username, "Password" the user password, "Service" would be "ovpn" and "Profile" should be "ovpn-profile".

Under "PPP" -> "Interface" add an "OVPN Server" binding and set "Name" to "ovpn-username", where username is what you set in the previous step. "User" should just be the username.

Under "IP" -> "Firewall" add an INPUT rule for protocol TCP, source port 1194 on your external interface. You would also need to add some more INPUT, OUTPUT and FORWARD rules to define what the user can and cannot do, using the ovpn interfaces.
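The same router-side steps as RouterOS terminal commands, added here as an example and not taken from the original post or from MikroTik's documentation. It uses the names and addresses from the steps above; the command paths are those of the RouterOS 3.x CLI, and the WAN interface name "ether1", the local address 10.10.1.1 and the placeholder password are assumptions. Note that the inbound firewall rule matches on the destination port: a connecting client uses an ephemeral source port, so a rule keyed on source port 1194 will not match the incoming connection.

```routeros
# Import the CA certificate first, then its key; the entry must show "KR" afterwards
/certificate import file-name=ca.crt
/certificate import file-name=ca.key

# Address pool handed out to OpenVPN clients (range from the post)
/ip pool add name=ovpn-pool ranges=10.10.1.10-10.10.1.50

# PPP profile: local address outside the pool but in the same subnet (10.10.1.1 is assumed)
/ppp profile add name=ovpn-profile local-address=10.10.1.1 remote-address=ovpn-pool use-encryption=required

# Enable the OpenVPN server with the imported CA certificate ("cert1" if imported first)
/interface ovpn-server server set enabled=yes port=1194 default-profile=ovpn-profile certificate=cert1

# One account and one static binding per client ("username" is a placeholder)
/ppp secret add name=username password=CHANGE-ME service=ovpn profile=ovpn-profile
/interface ovpn-server add name=ovpn-username user=username

# Firewall: accept only the OpenVPN port inbound on the WAN side ("ether1" is assumed);
# dst-port, because the client's source port is ephemeral
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1194 action=accept comment="OpenVPN"
```

The accept rule has to sit above any generic drop rule in the input chain (use "place-before" or move it in the Winbox list), and the FORWARD rules for what each ovpn-username interface may reach still need to be written as the post says.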

Now send each client the "ca.crt" file, and their respective "client.crt" and "client.key" files.

On the client, copy these into the openvpn configuration directory. Create a new OVPN config file that looks like this:

dev tun
proto tcp-client
remote fqdn.company.co.za 1194 # Remote OpenVPN Servername or IP address
ca ca.crt
cert client.crt
key client.key
tls-client
port 1194
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass auth.cfg

The auth.cfg file should be in the same directory and should contain the username on the first line, and the password on the second line of the file.

Launch with:

openvpn --config client.ovpn

References:

http://openvpn.net/index.php/documentation/howto.html#pki
http://wiki.mikrotik.com/wiki/User_Manager/User_payments
http://wiki.mikrotik.com/wiki/OpenVPN
