OpenVPN between Mikrotik and OpenWRT: Difference between revisions
Brian Wilson (talk | contribs) mNo edit summary |
Brian Wilson (talk | contribs) mNo edit summary |
||
| Line 35: | Line 35: | ||
== Creating the certificate and key files == | == Creating the certificate and key files == | ||
I | I used the instructions on this http://wiki.mikrotik.com/wiki/Manual:Create_Certificates page. | ||
I used CDS Wireless for the ca.crt CN and cds1.net for the client and server certificate CN. | |||
== The OpenWRT router == | == The OpenWRT router == | ||
| Line 83: | Line 49: | ||
mkdir /etc/openvpn | mkdir /etc/openvpn | ||
mv /tmp/openwrt.* /tmp/ca.crt /etc/openvpn | mv /tmp/openwrt.* /tmp/ca.crt /etc/openvpn | ||
== A Debian client == | |||
When I could not get the OpenWRT and Mikrotik devices to talk, I backed off on the OpenWrt side | |||
and used the Debian Server as an OpenVPN client. | |||
== The Mikrotik router == | == The Mikrotik router == | ||
| Line 91: | Line 62: | ||
/certificate | /certificate | ||
import file= | import file-name=cdswireless.crt | ||
import file= | import file-name=cdswireless.key | ||
import file=ca.crt | import file-name=ca.crt | ||
set 0 name=cdswireless | |||
set 1 name=ca | |||
# This will let you have many OpenVPN clients | # This will let you have many OpenVPN clients | ||
| Line 99: | Line 72: | ||
/ppp profile | /ppp profile | ||
add change-tcp-mss=default | add change-tcp-mss=default local-address=10.8.0.1 \ | ||
name="ovpn_profile" only-one=default remote-address=ovpn-pool \ | name="ovpn_profile" only-one=default remote-address=ovpn-pool \ | ||
use-compression=default use-encryption=required use-vj-compression=default | use-compression=default use-encryption=required use-vj-compression=default | ||
| Line 108: | Line 81: | ||
# If you don't already have these defined, | # If you don't already have these defined, | ||
/ip address | /ip address | ||
add address= | add address=192.168.4.253/24 comment="Management LAN" interface=ether1 network=192.168.4.0 | ||
add address=192.168.2.1/24 | add address=192.168.2.1/24 comment="CDS LAN" interface=ether2 network=192.168.2.0 | ||
add address= | add address=172.16.1.1/24 comment=Internet interface=ether3 network=172.16.1.0 | ||
/ip route | /ip route | ||
# This is how we really reach the Internet | |||
add distance=1 gateway=192.168.4.254 | |||
add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN" | add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN" | ||
I think when I "enable" this then port 1194 should light up? Hopefully on the Internet interface | |||
since that's where the OpenVPN client attempting to connect. | |||
/interface ovpn-server server | /interface ovpn-server server | ||
set auth=sha1,md5 certificate= | set auth=sha1,md5 certificate=cdswireless \ | ||
cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_profile \ | cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_profile \ | ||
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask= | enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=27 \ | ||
port=1194 require-client-certificate=no | port=1194 require-client-certificate=no | ||
# I have the firewall turned off for testing right now. | |||
# When I activate the firewall I will need this | |||
/ip firewall filter | /ip firewall filter | ||
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=udp | add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=udp | ||
== The "remote" server == | == The "remote" server == | ||
Revision as of 04:19, 23 December 2014
This is a page full of details, for the intro and how to set up Windows and Linux clients, see OpenVPN.
I am writing this while testing with three virtual machines on a Mac. Once I have the steps down, I will be transferring everything over to a Buffalo WZR WiFi access point running OpenWRT 14.xx and a Mikrotik RB750 running RouterOS 5.27.
I am running my virtual machines on VirtualBox. I use images downloaded from OpenWRT and Mikrotik and install them into very minimal setups. This is handy, they boot FAST and I don't risk cutting myself off from the remote end as I do tests and experiment.
The main reasons I chose to use OpenVPN over other options (today) are:
- I can directly route packets so I don't need to mess with NAT at one end as with PPTP
- My endpoint is hiding behind several layers of access points and routers that I don't control. OpenVPN works fine in this case.
The virtual network
Plover (Macintosh)
192.168.56.1
LAN (This will be the LAN in my house)
192.168.56.101
VM1 = Router #1, OpenWRT Barrier Breaker
76.0.0.1
Internet
76.0.0.2
VM2 = Router #2, Mikrotik RouterOS 6.23
192.168.2.1
REMOTE LAN (this will be the CDS OFFICE LAN)
192.168.2.2
VM3 = Remote Debian server
Creating the certificate and key files
I used the instructions on this http://wiki.mikrotik.com/wiki/Manual:Create_Certificates page.
I used CDS Wireless for the ca.crt CN and cds1.net for the client and server certificate CN.
The OpenWRT router
Refer to http://wiki.openwrt.org/doc/howto/vpn.openvpn I am not going to copy all the instructions here, just go look at that page now.
ssh [email protected] opkg update opkg install openvpn-openssl mkdir /etc/openvpn mv /tmp/openwrt.* /tmp/ca.crt /etc/openvpn
A Debian client
When I could not get the OpenWRT and Mikrotik devices to talk, I backed off on the OpenWrt side and used the Debian Server as an OpenVPN client.
The Mikrotik router
Refer to same Mikrotik page as mentioned above, http://wiki.mikrotik.com/wiki/OpenVPN
Import the three files transferred in the "create" section above.
/certificate import file-name=cdswireless.crt import file-name=cdswireless.key import file-name=ca.crt set 0 name=cdswireless set 1 name=ca # This will let you have many OpenVPN clients /ip pool add name=ovpn-pool ranges=10.10.10.2-10.10.10.50 /ppp profile add change-tcp-mss=default local-address=10.8.0.1 \ name="ovpn_profile" only-one=default remote-address=ovpn-pool \ use-compression=default use-encryption=required use-vj-compression=default /ppp secret add caller-id="" comment="" disabled=no limit-bytes-in=0 \ limit-bytes-out=0 name="ovpn" password="password" routes="" service=any
# If you don't already have these defined, /ip address add address=192.168.4.253/24 comment="Management LAN" interface=ether1 network=192.168.4.0 add address=192.168.2.1/24 comment="CDS LAN" interface=ether2 network=192.168.2.0 add address=172.16.1.1/24 comment=Internet interface=ether3 network=172.16.1.0
/ip route # This is how we really reach the Internet add distance=1 gateway=192.168.4.254 add dst-address=10.8.0.0/24 gateway=10.8.0.1 comment="OVPN"
I think when I "enable" this then port 1194 should light up? Hopefully on the Internet interface since that's where the OpenVPN client attempting to connect.
/interface ovpn-server server set auth=sha1,md5 certificate=cdswireless \ cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_profile \ enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=27 \ port=1194 require-client-certificate=no
# I have the firewall turned off for testing right now. # When I activate the firewall I will need this /ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=udp
The "remote" server
I have a generic Debian server installed already in a VirtualBox machine, so I used it as the far end of my network to allow me to test connectivity through the two routers.
Tests
Start the client
/etc/init.d/openvpn start cat /tmp/openvpn.log ifconfig tun0
Make sure you can reach each of the routers and the Debian server from the Mac, and that you can reach each of the routers and the Mac from the Debian server.
