I had a task: configure a MikroTik as an OpenVPN (OVPN) server with client certificates and the ability to revoke them. I did not find a clear how-to on this topic on the Internet, so I decided to reinvent the wheel. In this article I describe the configuration that came out of it and that works for me.
Choosing a PKI
Regarding the PKI, there are two options:
1. Using the built-in ROS PKI:
- + we can issue and revoke certificates directly on the MikroTik; otherwise we would have to upload a fresh CRL to it by hand after every revocation
- - accidental deletion of the CA certificate used for signing and revoking from the MikroTik is fatal (unless there is a current backup of all of it)
- + if we back up the entire MikroTik config, the CA is backed up with it (which also means the backup file contains the CA private key and must be protected like one)
2. Using a third-party PKI: openssl, or Windows Server PKI (do NOT count on public CAs such as StartSSL: they will not issue you client certificates for this):
- + not exposed to the drawback of the first option
- - with openssl, you must upload the CRL to the MikroTik manually after every revoked certificate
- + with Windows Server PKI it is theoretically possible to enrol through SCEP, but I have not verified this
- - Windows Server PKI needs a domain; without it this PKI does not work
I will consider only the first option, because, firstly, it suits me, and secondly, it is more flexible. I will also not dwell on certificate parameters and the other options of the standard ROS tools, since they are comprehensively described on the official MikroTik Wiki.
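To make the drawback of the openssl route concrete, here is an added example (not from the article) that builds a tiny openssl CA, issues a client certificate, revokes it and then checks it as a verifier would. The names test-CA and test-client-ovpn-1 mirror the article; the file layout, the openssl config and the function names are this example's own assumptions. The last line of the demo is the point: a verifier that does not hold the current CRL (a MikroTik to which nobody uploaded it) still accepts the revoked certificate.

```shell
#!/bin/sh
# Added example: minimal openssl PKI showing that revocation only bites where
# the verifier has the current CRL. Everything lives in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_pki() {
  # Self-contained openssl config: a CA whose keyUsage is limited to
  # keyCertSign and cRLSign (as on the page) and a client profile with the
  # clientAuth EKU (tls-client on ROS). Assumed layout, not RouterOS's.
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = test-CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = test_ca
[ test_ca ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 1000 > "$WORK/crlnumber"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

issue_client() {  # $1 = common name; writes $1.key, $1.csr, $1.crt under $WORK
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions client_ext \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" >/dev/null 2>&1
}

gen_crl() {       # publish the current revocation list (the file you would upload)
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" >/dev/null 2>&1
}

revoke_client() { # $1 = common name; marks it revoked in the CA database only
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_client NAME [CRL]: prints "ok", "rejected" (with a CRL) or "fail"
# (without one), i.e. what a verifier holding or lacking the CRL would decide.
verify_client() {
  if [ -n "${2:-}" ]; then
    if openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$2" \
         "$WORK/$1.crt" >/dev/null 2>&1; then echo ok; else echo rejected; fi
  else
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
      echo ok; else echo fail; fi
  fi
}

# Demo run
build_pki
issue_client test-client-ovpn-1
gen_crl
echo "fresh cert, verifier with CRL:     $(verify_client test-client-ovpn-1 "$WORK/crl.pem")"
revoke_client test-client-ovpn-1
echo "revoked, verifier with stale CRL:  $(verify_client test-client-ovpn-1 "$WORK/crl.pem")"
gen_crl
echo "revoked, verifier with fresh CRL:  $(verify_client test-client-ovpn-1 "$WORK/crl.pem")"
echo "revoked, verifier without any CRL: $(verify_client test-client-ovpn-1)"
```

The "stale CRL" line is the openssl-PKI failure mode from option 2: revoking in the CA database changes nothing until a new CRL is generated and delivered to every verifier. Option 1 avoids this only because the CA and the verifier are the same router.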
Configuring the OVPN server on ROS
1. Configure PKI
1.1. CA Certificate:
/certificate add name=template-CA country="" state="" locality="" organization="" unit="" common-name="test-CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="test-CA"
Note: ca-crl-host= is a required parameter, otherwise the revocation list will not be created. The full URL of the revocation list is shown in the certificate parameters under "CRL Distribution Point"; in principle you can specify any of our MikroTik's IP addresses, and whichever one you specify is what ends up in the certificate. Domain names are unfortunately not supported.
1.2. Server Certificate:
/certificate add name=template-SRV country="" state="" locality="" organization="" unit="" common-name="test-srv-OVPN" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="test-CA" name="test-srv-OVPN"
Note: it is better not to change the key-usage of the server certificate; the reason is explained here (and if you really want to change it, that page says the client then needs a corresponding option in its config file).
Note: unlike SSTP, OVPN does not check the common-name of the server certificate against the fqdn of this server.
1.3. Template for client certificates:
/certificate add name=template-CL country="" state="" locality="" organization="" unit="" common-name="test-client-ovpn-template" key-size=4096 days-valid=365 key-usage=tls-client
1.3.1 Certificate of the first client:
/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="test-client-ovpn-1"
/certificate sign template-CL-to-issue ca="test-CA" name="test-client-ovpn-1"
1.3.2. Certificate of the second and subsequent clients:
Repeat the two commands from 1.3.1, changing these values:
common-name="test-client-ovpn-1" in the first command: must be unique within the CA.
name="test-client-ovpn-1" in the second command: must be unique within the MikroTik.
1.4. Later, to revoke a certificate, use:
/certificate issued-revoke %cert-name%
where %cert-name% is the name= of the signed certificate, i.e. its name as shown in the MikroTik certificate list. The certificate is then marked with the R (revoked) flag and the CA's CRL is updated, so new connections with that certificate are rejected.
2. Configure the OVPN server
Note: the server can run in tun mode ("ip" in ROS) or tap mode ("ethernet" in ROS). Tun mode is an ordinary layer-3 tunnel. Tap mode emulates a full Ethernet link; in particular, in tap mode clients can be put into a bridge and will see each other directly. In theory a DHCP server could be run in tap mode, but that is not implemented in the current ROS version.
2tun. Tun mode
2tun.1. Set the address pool for OVPN clients (can be set directly in the PPP-profile):
/ip pool add name=OVPN_srv_pool ranges=192.168.100.2-192.168.100.254
2tun.2. Create a PPP-profile for the OVPN server:
/ppp profile add name=OVPN_server local-address=192.168.100.1 remote-address=OVPN_srv_pool
Optional: the remaining parameters are up to you and your goals, for example dns=192.168.100.1 use-ipv6=no
2tun.3. Configure PPP AAA (accounting, so that connections are logged per user):
/ppp aaa set accounting=yes
2tun.4. We add users:
/ppp secret add name=test-user-1 password=P@ssword1 service=ovpn profile=OVPN_server
/ppp secret add name=test-user-2 password=P@ssword2 service=ovpn profile=OVPN_server
2tun.5. Enable the OVPN server:
/interface ovpn-server server set auth=sha1 cipher=blowfish128 default-profile=OVPN_server mode=ip netmask=24 require-client-certificate=yes certificate=test-srv-OVPN enabled=yes
2tap. Tap mode
2tap.1. Set the address pool for OVPN clients (can be set directly in the PPP-profile):
/ip pool add name=OVPN_srv_pool ranges=192.168.100.2-192.168.100.254
2tap.1a. Create a bridge for OVPN connections:
/interface bridge add name=OVPN_bridge arp=enabled
Note: the bridge does not need an IP address of its own; the address is already in the PPP profile (besides, if you set an address on the bridge but leave local-address= out of the PPP profile, the client will not connect).
Note: arp must be enabled, otherwise clients will not see each other.
2tap.2. Create a PPP profile for the OVPN server:
/ppp profile add name=OVPN_server local-address=192.168.100.1 remote-address=OVPN_srv_pool bridge=OVPN_bridge
Optional: the remaining parameters are up to you and your goals, for example dns=192.168.100.1 use-ipv6=no
2tap.3. Configure PPP AAA (accounting, so that connections are logged per user):
/ppp aaa set accounting=yes
2tap.4. We add users:
/ppp secret add name=test-user-1 password=P@ssword1 service=ovpn profile=OVPN_server
/ppp secret add name=test-user-2 password=P@ssword2 service=ovpn profile=OVPN_server
2tap.5. Enable the OVPN server:
/interface ovpn-server server set auth=sha1 cipher=blowfish128 default-profile=OVPN_server mode=ethernet netmask=24 require-client-certificate=yes certificate=test-srv-OVPN enabled=yes
Notes for both modes:
1. A PPP user (secret) is mandatory even though clients are authenticated by certificate. You can create one user for all clients and put the same username/password into every client config, but then you cannot tell which user connected or what they did: inconvenient, and somewhat insecure.
2. I do not consider RADIUS authentication simply because I have not tested it. I can only assume that it will cover only the username/password part, and certificates will still be checked on the MikroTik.
3. Make sure the address pool matches the subnet given to the OVPN server. The RouterOS OVPN server does not check that local-address= and the client address taken from the pool are in the same network. Moreover, if you use mask 29 and ranges=192.168.100.0/29, the broadcast address 192.168.100.7 can be handed to a client, as happened to me. The same thing happens when the pool is larger than the mask implies, only the problem shows up not immediately but after a while.
4. auth=sha1 cipher=blowfish128 are the ROS defaults and what the Windows client config below assumes; aes256 is also in the cipher= list and is the better choice when both ends support it, in which case set the matching cipher (AES-256-CBC) in the client config.
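Since ROS does the pool/subnet check described in note 3 for nobody, here is an added example (not from the article) that does it offline before you commit the config: it takes the PPP profile's local-address=, the OVPN server's netmask= and the pool's ranges= (either first-last or network/bits, both of which RouterOS accepts) and reports addresses outside the subnet, the network and broadcast addresses, the local address itself, and malformed input such as the three-octet typo that is easy to make in ranges=. The function names are this example's own; the addresses are the article's.

```shell
#!/bin/sh
# Added example: pre-flight check that a PPP pool fits the OVPN subnet.
set -eu

# valid_ip A.B.C.D -> exit 0 if it is a well-formed IPv4 address
valid_ip() {
  case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1;; esac
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# ip2int A.B.C.D -> 32-bit integer (runs in a subshell, so set -- is local)
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_pool LOCAL BITS RANGES
#   LOCAL  = local-address= of the PPP profile
#   BITS   = netmask= of the OVPN server
#   RANGES = ranges= of the pool, FIRST-LAST or NETWORK/BITS
# Prints "ok" or a space-separated list of problems.
check_pool() {
  local_ip=$1; bits=$2; ranges=$3
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  case "$ranges" in
    */*) base=${ranges%/*}; pbits=${ranges#*/}
         valid_ip "$base" || { echo "malformed-address"; return 0; }
         pmask=$(( (0xFFFFFFFF << (32 - pbits)) & 0xFFFFFFFF ))
         first=$(( $(ip2int "$base") & pmask ))
         last=$(( first | (~pmask & 0xFFFFFFFF) )) ;;
    *-*) a=${ranges%-*}; b=${ranges#*-}
         valid_ip "$a" && valid_ip "$b" || { echo "malformed-address"; return 0; }
         first=$(ip2int "$a"); last=$(ip2int "$b") ;;
    *)   echo "malformed-range"; return 0 ;;
  esac
  valid_ip "$local_ip" || { echo "malformed-address"; return 0; }
  local_n=$(ip2int "$local_ip")
  net=$(( local_n & mask ))
  bcast=$(( net | (~mask & 0xFFFFFFFF) ))
  [ "$first" -le "$last" ] || { echo "inverted-range"; return 0; }
  # Any pool address outside the server's subnet is fatal on its own.
  if [ $(( first & mask )) -ne "$net" ] || [ $(( last & mask )) -ne "$net" ]; then
    echo "outside-subnet"; return 0
  fi
  problems=""
  [ "$first" -gt "$net" ]  || problems="$problems includes-network-address"
  [ "$last" -lt "$bcast" ] || problems="$problems includes-broadcast"
  if [ "$first" -le "$local_n" ] && [ "$last" -ge "$local_n" ]; then
    problems="$problems includes-local-address"
  fi
  if [ -n "$problems" ]; then echo "${problems# }"; else echo ok; fi
}

# Demo: the article's good pool, its /29 pitfall, an oversized pool, and a typo
echo "/24 pool:        $(check_pool 192.168.100.1 24 192.168.100.2-192.168.100.254)"
echo "/29 whole block: $(check_pool 192.168.100.1 29 192.168.100.0/29)"
echo "/29 oversized:   $(check_pool 192.168.100.1 29 192.168.100.2-192.168.100.20)"
echo "typo:            $(check_pool 192.168.100.1 24 192.168.100.2-192.168.254)"
```

Run it against the values you intend to put into /ip pool and /ppp profile; anything other than "ok" means a client may eventually be handed an address the router will not route for it.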
3. Export certificates for client configuration
3.1. Export CA certificate:
/certificate export-certificate test-CA export-passphrase=""
Note: we need only the certificate itself, NOT the private key; with an empty export-passphrase="" only the certificate is exported.
3.2. Export customer certificates:
/certificate export-certificate test-client-ovpn-1 export-passphrase=private-key-password1
/certificate export-certificate test-client-ovpn-2 export-passphrase=private-key-password2
Note: export-passphrase= is required to export the private key; use a separate password for each client, and do NOT reuse the PPP user passwords from 2tun.4/2tap.4. Remember that the exported .crt and .key files stay in the router's file list until you delete them.
3.3. We extract the received files of certificates and keys from the microtic in any convenient way (as a rule, I drag files back and forth directly from the winbox).
Setting up a Windows client
1. Get the OpenVPN distribution from openvpn.net.
2. Install it, leaving all options at their defaults, including the TAP interface, which is required in either mode.
3. Go to OpenVPN \ config (by default C: \ Program Files \ OpenVPN \ config) and create a client.ovpn file there (or copy from OpenVPN \ sample-config).
4. Create a client configuration, or edit it with sample-config.
Contents of client.ovpn with brief comments:
# The mode in which the OVPN service works
client
# Attention! Use only one of the two dev lines, matching the mode= of the server
# For tun mode (mode=ip):
dev tun
# For tap mode (mode=ethernet):
;dev tap
# Only for tap mode: instead of MyTap, put the name of the TAP interface in Windows (ipconfig /all, or Network Connections in the Control Panel)
;dev-node MyTap
# Protocol. The RouterOS 6 OVPN server works only over TCP
proto tcp
# Address of the server to which we will connect, and port. Instead ovpn.my.domain - dns-name or ip-address. You can specify multiple servers.
remote ovpn.my.domain 1194
;remote my-server-2 1194
# Needed only with more than one remote; the client then picks one of the listed servers at random on each connection
;remote-random
# Timeout between attempts to determine the ip-address for the specified DNS server name, in seconds (or infinity - infinite)
resolv-retry infinite
# Do not bind to a fixed local port; use a dynamic source port for the connection
nobind
# Allow the client to save the tunnel settings when reconnecting, and also not to re-read the key files
persist-key
persist-tun
# Proxy settings
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Silence warnings about duplicate (replayed) packets
;mute-replay-warnings
# Path to certificate files
# ca - CA certificate that issued the client certificate AND server certificate
# cert - client certificate
# key - client certificate private key
ca cert_export_test-CA.crt
cert cert_export_test-client-ovpn-1.crt
key cert_export_test-client-ovpn-1.key
# auth-user-pass tells the client to use a username and password (in addition to the certificate, not instead of it)
# user-pwd.txt is the file holding them: first line the username, second the password; without this argument they are asked for on every connection
# Note: since the private key itself needs its password on every connection, I do not consider it necessary to make the user remember a login and password as well
# Note: the file holds the password in clear text, so restrict its NTFS permissions to the account that runs OpenVPN
auth-user-pass user-pwd.txt
# Tells the client that he should check the server certificate for the key-usage used.
remote-cert-tls server
# Pre-shared HMAC key that signs the TLS handshake packets, an extra hardening measure (it is not a substitute for certificates); the RouterOS OVPN server does not support tls-auth, so it stays commented out
;tls-auth ta.key 1
# Cipher; must match cipher= on the server. Older OpenVPN clients default to BF-CBC, which corresponds to blowfish128 on ROS; with aes256 on the server set cipher AES-256-CBC here
;cipher x
# LZO compression; the RouterOS OVPN server does not support it, so leave it disabled
;comp-lzo
# Log level. The greater the value - the more.
verb 3
# Blocking duplicate messages in the log
;mute 20
# The parameters above are those of the stock sample client config plus the one we need (auth-user-pass)
# Below are a few more parameters I find useful
# Route added when the connection comes up
# Without a gateway argument it points at the tunnel itself, not at a gateway
route 192.168.88.0 255.255.255.0
# Pause before adding routes once the connection is established (in seconds)
route-delay 5
# If the OVPN connection should become the default gateway
route-gateway 192.168.100.1
redirect-gateway def1
Note: for the routing parameters in the config to take effect, the OpenVPN service itself or the OpenVPN GUI must run with administrator rights.
Note: the list of most parameters is here, but it is somewhat outdated.
Setting up a MikroTik client
1. Import certificates
1.1. Upload the CA certificate, the client certificate and the client key files to the router in any convenient way
1.2 Import CA certificate
/certificate import file-name=cert_export_test-CA.crt passphrase=""
1.3 Import the certificate and client key
/certificate import file-name=cert_export_test-client-ovpn-1.crt passphrase=""
/certificate import file-name=cert_export_test-client-ovpn-1.key passphrase=private-key-password1
2. Configure the client
/interface ovpn-client add name=OVPN_client connect-to={ovpn.my.domain|xxx.xxx.xxx.xxx} port=1194 mode={ip|ethernet} user=test-user-1 password=P@ssword1 profile=default certificate=cert_32 auth=sha1 cipher=blowfish128 add-default-route={no|yes} disabled=no
Values in {} are chosen according to the previous settings and your needs. certificate= is the name the client certificate received on import (here cert_32; check the certificate list). Also check whether your ROS version offers verify-server-certificate= on the ovpn-client: without server certificate verification the client will complete the handshake with, and hand its username and password to, any server presenting any certificate.
The following equipment and software were used for the experiments:
RouterBoard 2011UiAS-2HnD with RouterOS 6.32.2 on board, 2 pcs., one as the server, the other as a client; both serve as border gateways at home and at work.
Laptop with Windows 10 Pro x64 on board, 1 pc., as a client; serves for work and as a lab.
The following resources were used for reference:
Thanks for your attention.