OpenVPN between Mikrotik and OpenWRT

This is a page full of details, for the intro and how to set up Windows and Linux clients, see OpenVPN.

I am writing this while testing with three virtual machines on a Mac. Once I have the steps down, I will be transferring everything over to a Buffalo WZR WiFi access point running OpenWRT 14.xx and a Mikrotik RB750 running RouterOS 5.27.

I am running my virtual machines on VirtualBox. I use images downloaded from OpenWRT and Mikrotik and install them into very minimal setups. This is handy, they boot FAST and I don't risk cutting myself off from the remote end as I do tests and experiment.

The main reasons I chose to use OpenVPN over other options (today) are:

1. I can directly route packets so I don't need to mess with NAT at one end as with PPTP
2. My endpoint is hiding behind several layers of access points and routers that I don't control. OpenVPN works fine in this case.

The virtual network

Plover (Macintosh)
   192.168.56.1

    LAN (This will be the LAN in my house)

   192.168.56.101
VM1 = Router #1, OpenWRT Barrier Breaker
     76.0.0.1

     Internet

     76.0.0.2
VM2 = Router #2, Mikrotik RouterOS 6.23
    192.168.2.1

    REMOTE LAN (this will be the CDS OFFICE LAN)

   192.168.2.2
VM3 = Remote Debian server

Creating the certificate and key files

First time

cd /etc/openvpn/easy-rsa
emacs vars
source vars
./clean-all
./pkitool --initca
./build_dh # only needed if running a Linux openvpn server
./pkitool --pass --server servername
./pkitool clientname

Later to create more clients

cd /etc/openvpn/easy-rsa
source vars
./pkitool clientname

Can I test the keys before spending hours trying to deploy them? http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/

Put all the certificate and key files somewhere on the debian server. Start a server. Try to connect to the server with a client.

# In the first window run this so you can see its debug output
cd keys
openssl s_server -cert server.crt -key server.key
Enter pass phrase for server.key:

# In another window on the same server, connect to the server
openssl s_client -showcerts -connect localhost:4433 -cert client.crt -key client.key -CAfile ca.crt

In the server window you should see Using default temp DH parameters Using default temp ECDH parameters ACCEPT

BEGIN SSL SESSION PARAMETERS-----

END SSL SESSION PARAMETERS-----

Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5 CIPHER is ECDHE-RSA-AES256-GCM-SHA384 Secure Renegotiation IS supported

In the client window you should see Error opening client certificate private key file debian.key 140523391956648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('debian.key','r') 140523391956648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load client certificate private key file bwilson@debian-server:/etc$ cd openvpn/keys/ bwilson@debian-server:/etc/openvpn/keys$ sudo openssl s_client -key debian.key -cert debian.crt -CAfile ca.crt CONNECTED(00000003) depth=1 C = US, ST = California, L = Santa Rosa, O = CDS, OU = CDS Wireless, CN = CDS CA, name = EasyRSA, emailAddress = [email protected] verify return:1 depth=0 C = US, ST = California, L = Santa Rosa, O = CDS, OU = CDS Wireless, CN = server, name = EasyRSA, emailAddress = [email protected] verify return:1 --- Certificate chain

0 s:/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=server/name=EasyRSA/[email protected]
  i:/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=CDS CA/name=EasyRSA/[email protected]

BEGIN CERTIFICATE-----

END CERTIFICATE-----

   Protocol  : TLSv1.2
   Cipher    : ECDHE-RSA-AES256-GCM-SHA384
   Session-ID: E81700F4CEC05516F3D9B25456BBA7F059B4F30333A9C931C2DF2BB1BC10A420
   Session-ID-ctx: 
   Master-Key: 7710717AF260458E37923979FB2453987CF86E1A184CE4C286D37179B87ECBC26C004C775F541E0AFBA6623554A7BBFE
   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   TLS session ticket lifetime hint: 300 (seconds)
   TLS session ticket:
   0000 - 72 66 ed c5 15 3e f1 43-67 6d 81 4f 22 6b 70 9e   rf...>.Cgm.O"kp.
   0010 - 27 05 a4 eb 59 05 5d 2b-54 5f 99 e6 3d 36 38 58   '...Y.]+T_..=68X
   0020 - cd 90 ac 1d 21 2b 46 56-f8 7a a2 5c 7e 47 62 9f   ....!+FV.z.\~Gb.
   0030 - a4 8e ff 67 4a 27 9a 94-38 33 5a ff 52 47 46 76   ...gJ'..83Z.RGFv
   0040 - bc cb 19 c8 42 88 80 ae-a8 71 62 bd 55 85 2b c8   ....B....qb.U.+.
   0050 - 10 bb 76 90 fa c5 f5 cf-ca c6 f7 44 61 ad 74 7d   ..v........Da.t}
   0060 - 33 cd 6e a5 4b a4 61 70-e3 b0 18 de d5 e4 a1 75   3.n.K.ap.......u
   0070 - 91 ea 90 00 46 70 05 d5-e3 bd d3 4b 92 43 a3 02   ....Fp.....K.C..
   0080 - ff d1 15 d1 a7 0e 2b e6-ee a4 75 fa 5a c7 19 bd   ......+...u.Z...
   0090 - 5b 6e 80 84 f9 19 52 29-ac 06 60 33 5f 59 ca d6   [n....R)..`3_Y..

   Compression: 1 (zlib compression)
   Start Time: 1419370778
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)

Make sure it says "ok". I got an interesting error at one point, "certificate is not yet valid", because the clock was not set on the Debian server. Make sure you are syncing to ntp or otherwise have an accurately set clock to avoid this.

Since it was pretty easy to do next I started the Debian server with OpenVPN in server mode and connected from the Mac using Viscosity as a client. I had to tune a few server settings to make it work. See the next section for config.

Can I run the "openssl s_client" test against an OpenVPN server on port 1194? NO, I cannot.

So now I have to try to use the Mikrotik as the server and see what I can learn with a Linux client.

A Debian openvpn server

This is my /etc/openvpn/server.conf file

dev tun proto tcp-server ca keys/ca.crt cert keys/server.crt key keys/server.key dh keys/dh1024.pem

server 10.8.0.0 255.255.255.0 port 1194

user nobody group nogroup

comp-lzo no # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)

persist-tun persist-key

verb 3

ifconfig-pool-persist ipp.txt keepalive 10 120

status /tmp/openvpn-status.log

The OpenWRT router

Refer to http://wiki.openwrt.org/doc/howto/vpn.openvpn I am not going to copy all the instructions here, just go look at that page now.

ssh [email protected]
opkg update
opkg install openvpn-openssl
mkdir /etc/openvpn
mv /tmp/openwrt.* /tmp/ca.crt /etc/openvpn

A Debian client

When I could not get the OpenWRT and Mikrotik devices to talk, I backed off on the OpenWrt side and used the Debian Server as an OpenVPN client.

The Mikrotik router

Refer to same Mikrotik page as mentioned above, http://wiki.mikrotik.com/wiki/OpenVPN

Import the three files transferred in the "create" section above.

/certificate
import file-name=ca.crt
import file-name=server.crt
import file-name=server.key
set 0 name=ca
set 1 name=cdswireless

# This will let you have many OpenVPN clients
/ip pool add name=ovpn-pool ranges=10.10.10.2-10.10.10.50

/ppp profile 
add change-tcp-mss=default local-address=10.8.0.1 \
name="ovpn_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
/ppp secret 
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="ovpn" password="password" routes="" service=any

# If you don't already have these defined, 
/ip address
add address=192.168.4.253/24 comment="Management LAN" interface=ether1 network=192.168.4.0
add address=192.168.2.1/24 comment="CDS LAN" interface=ether2 network=192.168.2.0
add address=172.16.1.1/24 comment=Internet interface=ether3 network=172.16.1.0

/ip route
# This is how we really reach the Internet
add distance=1 gateway=192.168.4.254
add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN"

# If you change the keys later you will need to repeat this step
/interface ovpn-server server 
set auth=sha1,md5 certificate=cdswireless \
cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=27 \
port=1194 require-client-certificate=no

# I have the firewall turned off for testing right now.
# When I activate the firewall I will need this
/ip firewall filter 
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=udp

The "remote" server

I have a generic Debian server installed already in a VirtualBox machine, so I used it as the far end of my network to allow me to test connectivity through the two routers.

Tests

Start the client

/etc/init.d/openvpn start
cat /tmp/openvpn.log
ifconfig tun0

Make sure you can reach each of the routers and the Debian server from the Mac, and that you can reach each of the routers and the Mac from the Debian server.