OpenVPN between Mikrotik and OpenWRT: Difference between revisions

From Wildsong
Jump to navigationJump to search
Newer edit →
VisualWikitext
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
Created page with "This is a page of details, for the intro and how to set up Windows and Linux clients, see OpenVPN. I am writing this while testing with two three virtual machines on a Ma..."
 
Brian Wilson (talk | contribs)
Bureaucrats, restrict, Administrators, uploaders
11,540 edits
m How to make a Mikrotik and an OpenWrt router talk OpenVPN
Line 1: Line 1:
This is a page of details, for the intro and how to set up Windows and Linux clients, see [[OpenVPN]].
This is a page full of details, for the intro and how to set up Windows and Linux clients, see [[OpenVPN]].


I am writing this while testing with two three virtual machines on a Mac. Once I have the steps down,
I am writing this while testing with three virtual machines on a Mac. Once I have the steps down,
I will be transferring over to a Buffalo access point running OpenWRT 14.xx and a Mikrotik RB750 running RouterOS 5.27.
I will be transferring everything over to a Buffalo WZR WiFi access point running OpenWRT 14.xx and a Mikrotik RB750 running RouterOS 5.27.


I am running my virtual machines on VirtualBox. I use images downloaded from OpenWRT and Mikrotik and install them into  
I am running my virtual machines on VirtualBox. I use images downloaded from OpenWRT and Mikrotik and install them into  
very minimal setups. This is handy, they boot FAST and I don't risk cutting myself off from the remote end as I do tests and experiment.  
very minimal setups. This is handy, they boot FAST and I don't risk cutting myself off from the remote end as I do tests and experiment.  


The reasons I chose to use OpenVPN over other options are
The main reasons I chose to use OpenVPN over other options (today) are:
 
# I can directly route packets so I don't need to mess with NAT at one end as with PPTP
# I can directly route packets so I don't need to mess with NAT at one end as with PPTP
# My endpoint is hiding behind several layers of access points and routers that I don't control. OpenVPN works fine in this case.
# My endpoint is hiding behind several layers of access points and routers that I don't control. OpenVPN works fine in this case.
Line 14: Line 13:
== The virtual network ==
== The virtual network ==


  Plover (Macintosh)
  '''Plover''' (Macintosh)
     192.168.56.1
     192.168.56.1
   
   
Line 20: Line 19:
   
   
     192.168.56.101
     192.168.56.101
  VM1 = Router #1, OpenWRT Barrier Breaker
  VM1 = '''Router #1''', OpenWRT Barrier Breaker
       76.0.0.1
       76.0.0.1
   
   
Line 26: Line 25:
   
   
       76.0.0.2
       76.0.0.2
  VM2 = Router #2, Mikrotik RouterOS 6.23
  VM2 = '''Router #2''', Mikrotik RouterOS 6.23
     192.168.2.1
     192.168.2.1
   
   
Line 32: Line 31:
   
   
     192.168.2.2
     192.168.2.2
  VM3 = Remote server running Debian
  VM3 = Remote '''Debian server'''


== Creating the certificate and key files ==
== Creating the certificate and key files ==


I do this on a Ubuntu Linux box, it's the easiest way.
I do this on a Ubuntu Linux box, it's the easiest way. It is also possible to install easy-rsa on the OpenWRT device
I install the easy-rsa package which pulls in the tools needed.
and create the files there.
 
This [http://wiki.mikrotik.com/wiki/OpenVPN#Creating Certificates with Easy-RSA Mikrotik page] has instructions on how to create the keys. Here is an abridged version.
 
sudo -i
apt-get install openvpn easy-rsa
cd /usr/share
cp -r easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
emacs vars
source vars
# This creates the ca.crt file in keys/
./pkitool --initca


This [http://wiki.mikrotik.com/wiki/OpenVPN Mikrotik page] has instructions on how to create the keys. Here is an abridged version.
Create the files for the Mikrotik RB750 "server"; remember your password!
./pkitool --pass --server rb750
# Convert key file to pem file format
openssl rsa -in keys/rb750.key -out keys/rb750.pem
# Create files for the OpenWRT "client"
./pkitool --pass --client openwrt
openssl rsa -in keys/openwrt.key -out keys/openwrt.pem
./build-dh


# Copy the server files to the rb750
cd keys
ftp 76.0.0.2
bin
put rb750.crt
put rb750.pem
put ca.crt
cd ..
# Copy the client files to the router
cd keys
scp openwrt.crt openwrt.pem ca.crt 192.168.56.101:/tmp


== The OpenWRT router ==
== The OpenWRT router ==


Refer to http://wiki.openwrt.org/doc/howto/vpn.openvpn
Refer to http://wiki.openwrt.org/doc/howto/vpn.openvpn
I am not going to copy all the instructions here, just go look at that page now.
opkg update
opkg install openvpn-openssl
mkdir /etc/openvpn
mv /tmp/openwrt.* /tmp/ca.crt /etc/openvpn


== The Mikrotik router ==
== The Mikrotik router ==


Refer to same Mikrotik page as mentioned above, http://wiki.mikrotik.com/wiki/OpenVPN
Refer to same Mikrotik page as mentioned above, http://wiki.mikrotik.com/wiki/OpenVPN
Import the three files transferred in the "create" section above.
/certificate
import file=rb750.crt
import file=rb750.pem
import file=ca.crt
# This will let you have many OpenVPN clients
/ip pool add name=ovpn-pool ranges=10.10.10.2-10.10.10.50
/ppp profile
add change-tcp-mss=default comment="" local-address=192.168 \
name="ovpn_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="ovpn" password="password" routes="" service=any
# If you don't already have these defined,
/ip address
add address=10.8.0.1/24 interface=ether1 comment="Tunnel"
add address=192.168.2.1/24 interface=ether1 comment="LAN"
add address=76.0.0.2/24 interface=ether2 comment="Internet"
/ip route
add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN"
add dst-address=192.168.4.0/24 gateway=10.8.0.1 comment="OVPN"
add gateway=76.0.0.2 comment="Internet"
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=udp


== The "remote" server ==
== The "remote" server ==


I happened to have a generic Debian server installed already in a VirtualBox machine, so I used it as the far end of my network
I have a generic Debian server installed already in a VirtualBox machine, so I used it as the far end of my network
to allow me to test connectivity through the two routers.  
to allow me to test connectivity through the two routers.  


== Tests ==


Make sure you can reach each of the routers and the Debian server from the Mac,
and that you can reach each of the routers and the Mac from the Debian server.




[[Category: Network]]
[[Category: Network]]
[[Category: System Administration]]
[[Category: System Administration]]

Revision as of 02:54, 22 December 2014

This is a page full of details, for the intro and how to set up Windows and Linux clients, see OpenVPN.

I am writing this while testing with three virtual machines on a Mac. Once I have the steps down, I will be transferring everything over to a Buffalo WZR WiFi access point running OpenWRT 14.xx and a Mikrotik RB750 running RouterOS 5.27.

I am running my virtual machines on VirtualBox. I use images downloaded from OpenWRT and Mikrotik and install them into very minimal setups. This is handy, they boot FAST and I don't risk cutting myself off from the remote end as I do tests and experiment.

The main reasons I chose to use OpenVPN over other options (today) are:

  1. I can directly route packets so I don't need to mess with NAT at one end as with PPTP
  2. My endpoint is hiding behind several layers of access points and routers that I don't control. OpenVPN works fine in this case.

The virtual network

Plover (Macintosh)
   192.168.56.1

    LAN (This will be the LAN in my house)

   192.168.56.101
VM1 = Router #1, OpenWRT Barrier Breaker
     76.0.0.1

     Internet

     76.0.0.2
VM2 = Router #2, Mikrotik RouterOS 6.23
    192.168.2.1

    REMOTE LAN (this will be the CDS OFFICE LAN)

   192.168.2.2
VM3 = Remote Debian server

Creating the certificate and key files

I do this on a Ubuntu Linux box, it's the easiest way. It is also possible to install easy-rsa on the OpenWRT device and create the files there.

This Certificates with Easy-RSA Mikrotik page has instructions on how to create the keys. Here is an abridged version. 

sudo -i
apt-get install openvpn easy-rsa
cd /usr/share 
cp -r easy-rsa /etc/openvpn
cd /etc/openvpn/easy-rsa
emacs vars
source vars
# This creates the ca.crt file in keys/
./pkitool --initca

Create the files for the Mikrotik RB750 "server"; remember your password! 

./pkitool --pass --server rb750
# Convert key file to pem file format
openssl rsa -in keys/rb750.key -out keys/rb750.pem

# Create files for the OpenWRT "client"
./pkitool --pass --client openwrt
openssl rsa -in keys/openwrt.key -out keys/openwrt.pem
./build-dh

# Copy the server files to the rb750
cd keys
ftp 76.0.0.2
bin
put rb750.crt
put rb750.pem
put ca.crt
cd ..

# Copy the client files to the router
cd keys
scp openwrt.crt openwrt.pem ca.crt 192.168.56.101:/tmp

The OpenWRT router

Refer to http://wiki.openwrt.org/doc/howto/vpn.openvpn I am not going to copy all the instructions here, just go look at that page now. 

ssh [email protected]
opkg update
opkg install openvpn-openssl
mkdir /etc/openvpn
mv /tmp/openwrt.* /tmp/ca.crt /etc/openvpn

The Mikrotik router

Refer to same Mikrotik page as mentioned above, http://wiki.mikrotik.com/wiki/OpenVPN

Import the three files transferred in the "create" section above. 

/certificate
import file=rb750.crt
import file=rb750.pem
import file=ca.crt

# This will let you have many OpenVPN clients
/ip pool add name=ovpn-pool ranges=10.10.10.2-10.10.10.50

/ppp profile 
add change-tcp-mss=default comment="" local-address=192.168 \
name="ovpn_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
/ppp secret 
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="ovpn" password="password" routes="" service=any

# If you don't already have these defined, 
/ip address
add address=10.8.0.1/24 interface=ether1 comment="Tunnel" 
add address=192.168.2.1/24 interface=ether1 comment="LAN" 
add address=76.0.0.2/24 interface=ether2 comment="Internet" 

/ip route
add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN"
add dst-address=192.168.4.0/24 gateway=10.8.0.1 comment="OVPN"
add gateway=76.0.0.2 comment="Internet"

/interface ovpn-server server 
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no

/ip firewall filter 
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=udp


The "remote" server

I have a generic Debian server installed already in a VirtualBox machine, so I used it as the far end of my network to allow me to test connectivity through the two routers.

Tests

Make sure you can reach each of the routers and the Debian server from the Mac, and that you can reach each of the routers and the Mac from the Debian server.

Retrieved from "https://wiki.wildsong.biz//index.php?title=OpenVPN_between_Mikrotik_and_OpenWRT&oldid=8690"