
OpenVPN configuration on MikroTik

June 2017


William Rojas Ordoñez

Link: https://www.youtube.com/watch?v=ucifDsLHj6c

1. First, update the ppp package to version 6.37.1 (the stable release at the time of writing; check whether a newer release without known problems exists). The ppp package must be on the same version as the main RouterOS package, since RouterOS does not run mixed package versions.
System>Package>ppp

2. Configure an IP pool for the connections made through OpenVPN.
IP>Pool
/ip pool add name=openVPN ranges=192.168.1.201-192.168.1.205

3. Create a user account for the OpenVPN connection from the ppp menu. The command below leaves the password empty; set a strong one before running it.
PPP>Secrets
Name: user name of the account.
Service: type ovpn (restricts the account to the OpenVPN server).
Profile: default-encryption.
/ppp secret add name=support password= service=ovpn profile=default-encryption

4. Edit the profile used by the OpenVPN connection (default-encryption, from step 3) from the ppp menu. The options to set are:
PPP>Profiles
Local Address: the network gateway (the router's LAN address).
Remote Address: the IP pool from step 2.
5. Create the certificates from the RouterOS terminal. Open the terminal and the certificates menu.
System>Certificates. New Terminal.
While the certificates are being generated it is normal for the RouterBoard CPU to sit at 100%.
Edit the fields in parentheses as appropriate.

Certificate 1: CA.

/certificate add name=CA-tpl country="CO" state="VAC" locality="CALI" organization="(ORGANIZATION NAME)" unit="MA" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"

Certificate 2: SERVER. The common name is the site's public IP, which is what the client's remote line will point at; the tls-server key usage is what the client's remote-cert-tls check (step 10) looks for.

/certificate add name=SERVER-tpl country="CO" state="VAC" locality="Cali" organization="EYTEC" unit="MA" common-name="(SITE PUBLIC IP)" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER-tpl ca="CA" name="SERVER"

Certificate 3: CLIENT. A template is created once and copied for each client, so every client gets its own certificate.

/certificate add name=CLIENT-tpl country="CO" state="VAC" locality="Cali" organization="(ORGANIZATION NAME)" unit="MA" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"

Export the certificates for the client.

/certificate export-certificate CA
/certificate export-certificate CLIENT1 export-passphrase=(set a strong passphrase)

With export-passphrase set, RouterOS writes the certificate and its private key (encrypted with that passphrase) to the Files area. Export the CA without a passphrase so that only cert_export_CA.crt is written: the client only needs the CA certificate to verify the server, and the CA private key must never leave the router. Exporting the CA with a passphrase would also write cert_export_CA.key.

6. Enable the OpenVPN server on the MikroTik from the ppp menu.
PPP>Interface>OVPN Server
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 default-profile=default-encryption enabled=yes require-client-certificate=yes

require-client-certificate=yes makes the server reject any client that does not present a certificate signed by the CA, so a leaked user name and password alone are not enough to connect.

7. Download the certificates from the Files menu: create a folder on the desktop and drag the exported files (cert_export_CA.crt, cert_export_CLIENT1.crt and cert_export_CLIENT1.key) from the Winbox Files window to it. Once they are copied, delete the exported files from the router's Files area; they contain the client's private key.

8. Download and install the OpenVPN client from the following link:
Link: https://openvpn.net/index.php/open-source/downloads.html

9. Open a Windows command prompt and run the following commands.
cd c:\Users\"User"\Desktop\certs
"c:\Program Files\OpenVPN\bin\openssl.exe" rsa -in cert_export_CLIENT1.key -out cert_export_CLIENT1.key
You will be asked for the export-passphrase set on the CLIENT1 client certificate in step 5.
This rewrites the key file without encryption so that OpenVPN can load it without prompting. The plaintext private key then sits on disk, so restrict the folder's permissions, or skip this command and keep the encrypted key: the OpenVPN GUI will ask for the passphrase when connecting.

Then copy the certificates from the desktop to the folder C:\Program Files\OpenVPN\config

10. Open a text editor and create a file named MTVPN.ovpn with the following content.

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On some systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
#dev tap
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server. The RouterOS 6 OVPN server
# is TCP only (UDP support arrived with RouterOS 7).
proto tcp-client

# Change 'myremote' to be your remote host,
# or comment out to enter a listening
# server mode.
remote (public IP of the site being connected to)

# Reconfigure this line to use a different
# port number than the default of 1194.
port 1194

# Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# SSL/TLS client
tls-client

# Check the server certificate's key usage: it must carry
# the tls-server usage set in step 5, so a client certificate
# issued by the same CA cannot be used to impersonate the server.
remote-cert-tls server

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca cert_export_CA.crt
cert cert_export_CLIENT1.crt
key cert_export_CLIENT1.key

# moderate verbosity
verb 4
mute 10

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# RouterOS 6 does not negotiate ciphers; if an OpenVPN 2.5 or
# newer client refuses this one, also add: data-ciphers AES-256-CBC
cipher AES-256-CBC

# HMAC digest for packet authentication; must match auth=sha1 on the server
auth SHA1

# Username and password file (created in step 11)
auth-user-pass secret

# Do not keep the username/password cached in memory
auth-nocache

# Pushing the redirect-gateway option to clients
# will cause all IP network traffic originating
# on client machines to pass through the OpenVPN
# server.
;redirect-gateway def1

11. Create a file named secret (no extension, so that Windows lists its type as "File") in the config folder, containing the ovpn credentials configured in step 3: the user name on the first line and the password on the second.
12. Add a firewall rule on the MikroTik that accepts the OpenVPN server connection: TCP destination port 1194 on the input chain, coming in on the WAN interface, placed above the rule that drops other traffic from the WAN.
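The whole server side (steps 2 to 6 plus the firewall rule of step 12) as one RouterOS 6 script. This is an added example, not the document's or the video's own configuration. It assumes a LAN gateway of 192.168.1.1 on an interface named bridge, a WAN interface named ether1, the placeholder public IP 203.0.113.10, the organization name EXAMPLE-ORG and placeholder passwords; replace all of them before pasting into a terminal.

```routeros
# Added example, not from the document. Assumptions (placeholders):
#   LAN gateway 192.168.1.1 on interface "bridge", WAN interface "ether1",
#   public IP 203.0.113.10, organization "EXAMPLE-ORG",
#   user "support" / password "CHANGE-ME-Str0ng!", export passphrase "CHANGE-ME-ExportPass".

# Step 2: address pool handed to VPN clients (part of the LAN subnet)
/ip pool add name=openVPN ranges=192.168.1.201-192.168.1.205

# Step 4: profile used by the account; local end = LAN gateway, remote end = the pool
/ppp profile set default-encryption local-address=192.168.1.1 remote-address=openVPN

# Step 3: user account restricted to the OpenVPN service
/ppp secret add name=support password="CHANGE-ME-Str0ng!" service=ovpn profile=default-encryption

# Step 5: CA (self-signed), server certificate (CN = public IP, tls-server usage), one client
/certificate add name=CA-tpl country="CO" state="VAC" locality="CALI" organization="EXAMPLE-ORG" unit="MA" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
/certificate add name=SERVER-tpl country="CO" state="VAC" locality="Cali" organization="EXAMPLE-ORG" unit="MA" common-name="203.0.113.10" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER-tpl ca="CA" name="SERVER"
/certificate add name=CLIENT-tpl country="CO" state="VAC" locality="Cali" organization="EXAMPLE-ORG" unit="MA" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"

# Export only what the client needs: the CA certificate (no passphrase, so no CA key is written)
# and the CLIENT1 certificate plus its passphrase-encrypted key
/certificate export-certificate CA
/certificate export-certificate CLIENT1 export-passphrase="CHANGE-ME-ExportPass"

# Step 6: OpenVPN server (RouterOS 6: TCP only), client certificate required
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 certificate=SERVER require-client-certificate=yes auth=sha1 cipher=aes256 default-profile=default-encryption

# Step 12: accept the VPN port from the WAN, inserted at the top of the input chain
# (place-before=0 needs an existing rule set; drop it on an empty filter)
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1194 action=accept comment="OpenVPN in" place-before=0

# Clients receive addresses from the LAN subnet, so the router must answer ARP for them
# on the LAN side or LAN hosts will not reach the VPN clients
/interface bridge set bridge arp=proxy-arp
```

After pasting, /interface ovpn-server print should show enabled=yes with certificate=SERVER, and once a client has connected /ppp active print lists the account with its address from the openVPN pool. Remove the exported files from Files once they have been downloaded to the client.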

13. Run the Windows OpenVPN client to validate that the connection works.
14. Validate connectivity to the network from the command prompt (for example, ping the router's LAN address and then a host on the LAN).
