OpenVPN between Mikrotik and OpenWRT: Difference between revisions
Brian Wilson (talk | contribs) mNo edit summary |
Brian Wilson (talk | contribs) mNo edit summary |
||
(4 intermediate revisions by the same user not shown) | |||
Line 35: | Line 35: | ||
== Creating the certificate and key files == | == Creating the certificate and key files == | ||
First time | |||
cd /etc/openvpn/easy-rsa | |||
emacs vars | |||
source vars | |||
./clean-all | |||
./pkitool --initca | |||
./build_dh # only needed if running a Linux openvpn server | |||
./pkitool --pass --server ''servername'' | |||
./pkitool ''clientname'' | |||
Later to create more clients | |||
cd /etc/openvpn/easy-rsa | |||
source vars | |||
./pkitool ''clientname'' | |||
openssl | Can I test the keys before spending hours trying to deploy them? | ||
http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/ | |||
Put all the certificate and key files somewhere on the debian server. Start a server. | |||
Try to connect to the server with a client. | |||
# In the first window run this so you can see its debug output | |||
cd keys | |||
openssl s_server -cert server.crt -key server.key | |||
Enter pass phrase for server.key: | |||
# | # In another window on the same server, connect to the server | ||
openssl s_client -showcerts -connect localhost:4433 -cert client.crt -key client.key -CAfile ca.crt | |||
openssl | |||
In the server window you should see | |||
<code> | |||
Using default temp DH parameters | |||
Using default temp ECDH parameters | |||
ACCEPT | |||
-----BEGIN SSL SESSION PARAMETERS----- | |||
MFUCAQECAgMDBALAMAQABDB6p4OTXApCEW3xW99wF2wwP56zeXzzoQBNZuNQWdPy | |||
9S0gMHk/mJcc7xeTnDiJpfuhBgIEVJnFhKIEAgIBLKQGBAQBAAAA | |||
-----END SSL SESSION PARAMETERS----- | |||
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5 | |||
CIPHER is ECDHE-RSA-AES256-GCM-SHA384 | |||
Secure Renegotiation IS supported | |||
</code> | |||
In the client window you should see | |||
<code> | |||
Error opening client certificate private key file debian.key | |||
140523391956648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('debian.key','r') | |||
140523391956648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: | |||
unable to load client certificate private key file | |||
bwilson@debian-server:/etc$ cd openvpn/keys/ | |||
bwilson@debian-server:/etc/openvpn/keys$ sudo openssl s_client -key debian.key -cert debian.crt -CAfile ca.crt | |||
CONNECTED(00000003) | |||
depth=1 C = US, ST = California, L = Santa Rosa, O = CDS, OU = CDS Wireless, CN = CDS CA, name = EasyRSA, emailAddress = [email protected] | |||
verify return:1 | |||
depth=0 C = US, ST = California, L = Santa Rosa, O = CDS, OU = CDS Wireless, CN = server, name = EasyRSA, emailAddress = [email protected] | |||
verify return:1 | |||
--- | |||
Certificate chain | |||
0 s:/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=server/name=EasyRSA/[email protected] | |||
i:/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=CDS CA/name=EasyRSA/[email protected] | |||
--- | |||
Server certificate | |||
-----BEGIN CERTIFICATE----- | |||
MIIFQzCCBCugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCVVMx | |||
EzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTClNhbnRhIFJvc2ExDDAKBgNV | |||
BAoTA0NEUzEVMBMGA1UECxMMQ0RTIFdpcmVsZXNzMQ8wDQYDVQQDEwZDRFMgQ0Ex | |||
EDAOBgNVBCkTB0Vhc3lSU0ExHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAY2RzMS5u | |||
ZXQwHhcNMTQxMjIzMTczNDA2WhcNMjQxMjIwMTczNDA2WjCBoDELMAkGA1UEBhMC | |||
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTClNhbnRhIFJvc2ExDDAK | |||
BgNVBAoTA0NEUzEVMBMGA1UECxMMQ0RTIFdpcmVsZXNzMQ8wDQYDVQQDEwZzZXJ2 | |||
ZXIxEDAOBgNVBCkTB0Vhc3lSU0ExHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAY2Rz | |||
MS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1EvqCTEUVvQKt | |||
yTGMB/6DMwzEPGSz1mqR+Gb/lraAgN1c9X1sfuonOykvS+neW8JJi0GO1PGtOq0j | |||
tcfzk35a9/b3B9ZkH2BZ8rov+liN88qEXowFMSdzbFe5mDAHRclNRB9l9Txy3j6/ | |||
6HpVt8LDPFJT4ZcxNxMDNayFS5IsHt17mwYVlOynOu2WcPGSaIYrQZCnVHJWRbND | |||
BSTzyPHSjXLtVOK30st3DdKE9OOHgBYlLe3RhwtcEOYbf0uD+2UZhF1UJWjYDSRt | |||
11MLJ/pAGqeuUbUh74vDyWm/AVJlvD44eCp/qhgyxcWDYhBmjrwY2OcM+hy5p+lL | |||
9rCYlIjZAgMBAAGjggGEMIIBgDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIG | |||
QDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNlcnZlciBDZXJ0 | |||
aWZpY2F0ZTAdBgNVHQ4EFgQUhjyGV1UF/hz9+xaH77yqUNC53mkwgdUGA1UdIwSB | |||
zTCByoAUFWW3Zru+rdOx5zrc0yIqIJfhptWhgaakgaMwgaAxCzAJBgNVBAYTAlVT | |||
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBSb3NhMQwwCgYD | |||
VQQKEwNDRFMxFTATBgNVBAsTDENEUyBXaXJlbGVzczEPMA0GA1UEAxMGQ0RTIENB | |||
MRAwDgYDVQQpEwdFYXN5UlNBMR8wHQYJKoZIhvcNAQkBFhBzdXBwb3J0QGNkczEu | |||
bmV0ggkAskvi2tvuHZowEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWg | |||
MBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOCAQEADQvhZGBiDR4i | |||
UhnBUAP91h3ecZ+Lxny/Tjb2Wcg/JMA1/9sUTQ6xBUhMP10xAbuMYOhPQx1pD7OY | |||
i3NJ/ofjzajJmwa2YNpUsy7DVmZln8+8Go2mbUUHch7ZfHbjRhKh8SBKZ4mYo297 | |||
b/CWlP/KGT8e0fUj/6htY/be90Os3blllWIToibnfZUT9ixSIQv9fN0XKYlKsjEl | |||
H9i+2mKjJHMm01tauzbsnPwkzmCzlOV/p96NyVHctRzTBmlDrMtri9AR1hiyS67P | |||
xORDnYF0LFbAEqqqGAg8OgH0D00OvV9hBtba0hRrjA/6blW7H97UVBCe+7Fw6ZsJ | |||
+ebvAl5Zyw== | |||
-----END CERTIFICATE----- | |||
subject=/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=server/name=EasyRSA/[email protected] | |||
issuer=/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=CDS CA/name=EasyRSA/emailAddress=support@cds1.net | |||
--- | |||
No client certificate CA names sent | |||
--- | |||
SSL handshake has read 2019 bytes and written 443 bytes | |||
--- | |||
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 | |||
Server public key is 2048 bit | |||
Secure Renegotiation IS supported | |||
Compression: zlib compression | |||
Expansion: zlib compression | |||
SSL-Session: | |||
Protocol : TLSv1.2 | |||
Cipher : ECDHE-RSA-AES256-GCM-SHA384 | |||
Session-ID: E81700F4CEC05516F3D9B25456BBA7F059B4F30333A9C931C2DF2BB1BC10A420 | |||
Session-ID-ctx: | |||
Master-Key: 7710717AF260458E37923979FB2453987CF86E1A184CE4C286D37179B87ECBC26C004C775F541E0AFBA6623554A7BBFE | |||
Key-Arg : None | |||
PSK identity: None | |||
PSK identity hint: None | |||
SRP username: None | |||
TLS session ticket lifetime hint: 300 (seconds) | |||
TLS session ticket: | |||
0000 - 72 66 ed c5 15 3e f1 43-67 6d 81 4f 22 6b 70 9e rf...>.Cgm.O"kp. | |||
0010 - 27 05 a4 eb 59 05 5d 2b-54 5f 99 e6 3d 36 38 58 '...Y.]+T_..=68X | |||
0020 - cd 90 ac 1d 21 2b 46 56-f8 7a a2 5c 7e 47 62 9f ....!+FV.z.\~Gb. | |||
0030 - a4 8e ff 67 4a 27 9a 94-38 33 5a ff 52 47 46 76 ...gJ'..83Z.RGFv | |||
0040 - bc cb 19 c8 42 88 80 ae-a8 71 62 bd 55 85 2b c8 ....B....qb.U.+. | |||
0050 - 10 bb 76 90 fa c5 f5 cf-ca c6 f7 44 61 ad 74 7d ..v........Da.t} | |||
0060 - 33 cd 6e a5 4b a4 61 70-e3 b0 18 de d5 e4 a1 75 3.n.K.ap.......u | |||
0070 - 91 ea 90 00 46 70 05 d5-e3 bd d3 4b 92 43 a3 02 ....Fp.....K.C.. | |||
0080 - ff d1 15 d1 a7 0e 2b e6-ee a4 75 fa 5a c7 19 bd ......+...u.Z... | |||
0090 - 5b 6e 80 84 f9 19 52 29-ac 06 60 33 5f 59 ca d6 [n....R)..`3_Y.. | |||
Compression: 1 (zlib compression) | |||
Start Time: 1419370778 | |||
Timeout : 300 (sec) | |||
Verify return code: 0 (ok) | |||
</code> | |||
Make sure it says "ok". I got an interesting error at one point, "certificate is not yet valid", because the clock was not set on the Debian server. Make sure you are syncing to ntp or otherwise have an accurately set clock to avoid this. | |||
Since it was pretty easy to do next I started the Debian server with OpenVPN in server mode and connected | |||
from the Mac using Viscosity as a client. I had to tune a few server settings to make it work. See the next section for config. | |||
Can I run the "openssl s_client" test against an OpenVPN server on port 1194? NO, I cannot. | |||
So now I have to try to use the Mikrotik as the server and see what I can learn with a Linux client. | |||
== A Debian openvpn server == | |||
This is my /etc/openvpn/server.conf file | |||
<code> | |||
dev tun | |||
proto tcp-server | |||
ca keys/ca.crt | |||
cert keys/server.crt | |||
key keys/server.key | |||
dh keys/dh1024.pem | |||
server 10.8.0.0 255.255.255.0 | |||
port 1194 | |||
user nobody | |||
group nogroup | |||
comp-lzo no # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9) | |||
persist-tun | |||
persist-key | |||
verb 3 | |||
ifconfig-pool-persist ipp.txt | |||
keepalive 10 120 | |||
status /tmp/openvpn-status.log | |||
</code> | |||
== The OpenWRT router == | == The OpenWRT router == | ||
Line 76: | Line 233: | ||
/certificate | /certificate | ||
import file-name=ca.crt | import file-name=ca.crt | ||
set 0 name= | import file-name=server.crt | ||
set 1 name= | import file-name=server.key | ||
set 0 name=ca | |||
set 1 name=cdswireless | |||
# This will let you have many OpenVPN clients | # This will let you have many OpenVPN clients | ||
Line 104: | Line 261: | ||
add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN" | add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN" | ||
# If you change the keys later you will need to repeat this step | |||
/interface ovpn-server server | /interface ovpn-server server | ||
set auth=sha1,md5 certificate=cdswireless \ | set auth=sha1,md5 certificate=cdswireless \ |
Latest revision as of 22:40, 23 December 2014
This is a page full of details, for the intro and how to set up Windows and Linux clients, see OpenVPN.
I am writing this while testing with three virtual machines on a Mac. Once I have the steps down, I will be transferring everything over to a Buffalo WZR WiFi access point running OpenWRT 14.xx and a Mikrotik RB750 running RouterOS 5.27.
I am running my virtual machines on VirtualBox. I use images downloaded from OpenWRT and Mikrotik and install them into very minimal setups. This is handy, they boot FAST and I don't risk cutting myself off from the remote end as I do tests and experiment.
The main reasons I chose to use OpenVPN over other options (today) are:
- I can directly route packets so I don't need to mess with NAT at one end as with PPTP
- My endpoint is hiding behind several layers of access points and routers that I don't control. OpenVPN works fine in this case.
The virtual network
Plover (Macintosh) 192.168.56.1 LAN (This will be the LAN in my house) 192.168.56.101 VM1 = Router #1, OpenWRT Barrier Breaker 76.0.0.1 Internet 76.0.0.2 VM2 = Router #2, Mikrotik RouterOS 6.23 192.168.2.1 REMOTE LAN (this will be the CDS OFFICE LAN) 192.168.2.2 VM3 = Remote Debian server
Creating the certificate and key files
First time
cd /etc/openvpn/easy-rsa emacs vars source vars ./clean-all ./pkitool --initca ./build_dh # only needed if running a Linux openvpn server ./pkitool --pass --server servername ./pkitool clientname
Later to create more clients
cd /etc/openvpn/easy-rsa source vars ./pkitool clientname
Can I test the keys before spending hours trying to deploy them? http://www.cyberciti.biz/faq/test-ssl-certificates-diagnosis-ssl-certificate/
Put all the certificate and key files somewhere on the debian server. Start a server. Try to connect to the server with a client.
# In the first window run this so you can see its debug output cd keys openssl s_server -cert server.crt -key server.key Enter pass phrase for server.key: # In another window on the same server, connect to the server openssl s_client -showcerts -connect localhost:4433 -cert client.crt -key client.key -CAfile ca.crt
In the server window you should see
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDB6p4OTXApCEW3xW99wF2wwP56zeXzzoQBNZuNQWdPy
9S0gMHk/mJcc7xeTnDiJpfuhBgIEVJnFhKIEAgIBLKQGBAQBAAAA
END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
In the client window you should see
Error opening client certificate private key file debian.key
140523391956648:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('debian.key','r')
140523391956648:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load client certificate private key file
bwilson@debian-server:/etc$ cd openvpn/keys/
bwilson@debian-server:/etc/openvpn/keys$ sudo openssl s_client -key debian.key -cert debian.crt -CAfile ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Santa Rosa, O = CDS, OU = CDS Wireless, CN = CDS CA, name = EasyRSA, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = California, L = Santa Rosa, O = CDS, OU = CDS Wireless, CN = server, name = EasyRSA, emailAddress = [email protected]
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=server/name=EasyRSA/[email protected]
i:/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=CDS CA/name=EasyRSA/[email protected]
---
Server certificate
BEGIN CERTIFICATE-----
MIIFQzCCBCugAwIBAgIBATANBgkqhkiG9w0BAQsFADCBoDELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTClNhbnRhIFJvc2ExDDAKBgNV
BAoTA0NEUzEVMBMGA1UECxMMQ0RTIFdpcmVsZXNzMQ8wDQYDVQQDEwZDRFMgQ0Ex
EDAOBgNVBCkTB0Vhc3lSU0ExHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAY2RzMS5u
ZXQwHhcNMTQxMjIzMTczNDA2WhcNMjQxMjIwMTczNDA2WjCBoDELMAkGA1UEBhMC
VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEzARBgNVBAcTClNhbnRhIFJvc2ExDDAK
BgNVBAoTA0NEUzEVMBMGA1UECxMMQ0RTIFdpcmVsZXNzMQ8wDQYDVQQDEwZzZXJ2
ZXIxEDAOBgNVBCkTB0Vhc3lSU0ExHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAY2Rz
MS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1EvqCTEUVvQKt
yTGMB/6DMwzEPGSz1mqR+Gb/lraAgN1c9X1sfuonOykvS+neW8JJi0GO1PGtOq0j
tcfzk35a9/b3B9ZkH2BZ8rov+liN88qEXowFMSdzbFe5mDAHRclNRB9l9Txy3j6/
6HpVt8LDPFJT4ZcxNxMDNayFS5IsHt17mwYVlOynOu2WcPGSaIYrQZCnVHJWRbND
BSTzyPHSjXLtVOK30st3DdKE9OOHgBYlLe3RhwtcEOYbf0uD+2UZhF1UJWjYDSRt
11MLJ/pAGqeuUbUh74vDyWm/AVJlvD44eCp/qhgyxcWDYhBmjrwY2OcM+hy5p+lL
9rCYlIjZAgMBAAGjggGEMIIBgDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIG
QDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNlcnZlciBDZXJ0
aWZpY2F0ZTAdBgNVHQ4EFgQUhjyGV1UF/hz9+xaH77yqUNC53mkwgdUGA1UdIwSB
zTCByoAUFWW3Zru+rdOx5zrc0yIqIJfhptWhgaakgaMwgaAxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRMwEQYDVQQHEwpTYW50YSBSb3NhMQwwCgYD
VQQKEwNDRFMxFTATBgNVBAsTDENEUyBXaXJlbGVzczEPMA0GA1UEAxMGQ0RTIENB
MRAwDgYDVQQpEwdFYXN5UlNBMR8wHQYJKoZIhvcNAQkBFhBzdXBwb3J0QGNkczEu
bmV0ggkAskvi2tvuHZowEwYDVR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWg
MBEGA1UdEQQKMAiCBnNlcnZlcjANBgkqhkiG9w0BAQsFAAOCAQEADQvhZGBiDR4i
UhnBUAP91h3ecZ+Lxny/Tjb2Wcg/JMA1/9sUTQ6xBUhMP10xAbuMYOhPQx1pD7OY
i3NJ/ofjzajJmwa2YNpUsy7DVmZln8+8Go2mbUUHch7ZfHbjRhKh8SBKZ4mYo297
b/CWlP/KGT8e0fUj/6htY/be90Os3blllWIToibnfZUT9ixSIQv9fN0XKYlKsjEl
H9i+2mKjJHMm01tauzbsnPwkzmCzlOV/p96NyVHctRzTBmlDrMtri9AR1hiyS67P
xORDnYF0LFbAEqqqGAg8OgH0D00OvV9hBtba0hRrjA/6blW7H97UVBCe+7Fw6ZsJ
+ebvAl5Zyw==
END CERTIFICATE-----
subject=/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=server/name=EasyRSA/[email protected]
issuer=/C=US/ST=California/L=Santa Rosa/O=CDS/OU=CDS Wireless/CN=CDS CA/name=EasyRSA/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 2019 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E81700F4CEC05516F3D9B25456BBA7F059B4F30333A9C931C2DF2BB1BC10A420
Session-ID-ctx:
Master-Key: 7710717AF260458E37923979FB2453987CF86E1A184CE4C286D37179B87ECBC26C004C775F541E0AFBA6623554A7BBFE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 72 66 ed c5 15 3e f1 43-67 6d 81 4f 22 6b 70 9e rf...>.Cgm.O"kp.
0010 - 27 05 a4 eb 59 05 5d 2b-54 5f 99 e6 3d 36 38 58 '...Y.]+T_..=68X
0020 - cd 90 ac 1d 21 2b 46 56-f8 7a a2 5c 7e 47 62 9f ....!+FV.z.\~Gb.
0030 - a4 8e ff 67 4a 27 9a 94-38 33 5a ff 52 47 46 76 ...gJ'..83Z.RGFv
0040 - bc cb 19 c8 42 88 80 ae-a8 71 62 bd 55 85 2b c8 ....B....qb.U.+.
0050 - 10 bb 76 90 fa c5 f5 cf-ca c6 f7 44 61 ad 74 7d ..v........Da.t}
0060 - 33 cd 6e a5 4b a4 61 70-e3 b0 18 de d5 e4 a1 75 3.n.K.ap.......u
0070 - 91 ea 90 00 46 70 05 d5-e3 bd d3 4b 92 43 a3 02 ....Fp.....K.C..
0080 - ff d1 15 d1 a7 0e 2b e6-ee a4 75 fa 5a c7 19 bd ......+...u.Z...
0090 - 5b 6e 80 84 f9 19 52 29-ac 06 60 33 5f 59 ca d6 [n....R)..`3_Y..
Compression: 1 (zlib compression)
Start Time: 1419370778
Timeout : 300 (sec)
Verify return code: 0 (ok)
Make sure it says "ok". I got an interesting error at one point, "certificate is not yet valid", because the clock was not set on the Debian server. Make sure you are syncing to ntp or otherwise have an accurately set clock to avoid this.
Since it was pretty easy to do next I started the Debian server with OpenVPN in server mode and connected from the Mac using Viscosity as a client. I had to tune a few server settings to make it work. See the next section for config.
Can I run the "openssl s_client" test against an OpenVPN server on port 1194? NO, I cannot.
So now I have to try to use the Mikrotik as the server and see what I can learn with a Linux client.
A Debian openvpn server
This is my /etc/openvpn/server.conf file
dev tun
proto tcp-server
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
port 1194
user nobody
group nogroup
comp-lzo no # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)
persist-tun
persist-key
verb 3
ifconfig-pool-persist ipp.txt
keepalive 10 120
status /tmp/openvpn-status.log
The OpenWRT router
Refer to http://wiki.openwrt.org/doc/howto/vpn.openvpn I am not going to copy all the instructions here, just go look at that page now.
ssh [email protected] opkg update opkg install openvpn-openssl mkdir /etc/openvpn mv /tmp/openwrt.* /tmp/ca.crt /etc/openvpn
A Debian client
When I could not get the OpenWRT and Mikrotik devices to talk, I backed off on the OpenWrt side and used the Debian Server as an OpenVPN client.
The Mikrotik router
Refer to same Mikrotik page as mentioned above, http://wiki.mikrotik.com/wiki/OpenVPN
Import the three files transferred in the "create" section above.
/certificate import file-name=ca.crt import file-name=server.crt import file-name=server.key set 0 name=ca set 1 name=cdswireless # This will let you have many OpenVPN clients /ip pool add name=ovpn-pool ranges=10.10.10.2-10.10.10.50 /ppp profile add change-tcp-mss=default local-address=10.8.0.1 \ name="ovpn_profile" only-one=default remote-address=ovpn-pool \ use-compression=default use-encryption=required use-vj-compression=default /ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 \ limit-bytes-out=0 name="ovpn" password="password" routes="" service=any
# If you don't already have these defined, /ip address add address=192.168.4.253/24 comment="Management LAN" interface=ether1 network=192.168.4.0 add address=192.168.2.1/24 comment="CDS LAN" interface=ether2 network=192.168.2.0 add address=172.16.1.1/24 comment=Internet interface=ether3 network=172.16.1.0
/ip route # This is how we really reach the Internet add distance=1 gateway=192.168.4.254 add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN"
# If you change the keys later you will need to repeat this step /interface ovpn-server server set auth=sha1,md5 certificate=cdswireless \ cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_profile \ enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=27 \ port=1194 require-client-certificate=no
# I have the firewall turned off for testing right now. # When I activate the firewall I will need this /ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=udp
The "remote" server
I have a generic Debian server installed already in a VirtualBox machine, so I used it as the far end of my network to allow me to test connectivity through the two routers.
Tests
Start the client
/etc/init.d/openvpn start cat /tmp/openvpn.log ifconfig tun0
Make sure you can reach each of the routers and the Debian server from the Mac, and that you can reach each of the routers and the Mac from the Debian server.