Setting up an OpenVPN service on a MikroTik RouterOS router

[admin@DTOPS-OVH-SG-Router-Node1] > quit
Connection closed by foreign host.
[lookback@LookBack-MacBookPro ~]$ telnet 139.99.18.81 2301
Trying 139.99.18.81...
Connected to ip81.ip-139-99-18.net.
Escape character is '^]'.
Login failed, incorrect username or password
 
Login: admin
Password:
 
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK
 
  MikroTik RouterOS 6.43.2 (c) 1999-2018       http://www.mikrotik.com/
 
[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments
 
[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options
 
/               Move up to base level
..              Move up one level
/command        Use command at the base level
 
[admin@DTOPS-OVH-SG-Router-Node1] >

To write this tutorial I deleted the environment I had set up earlier.

[admin@DTOPS-OVH-SG-Router-Node1] > /file pr
 # NAME                                                      TYPE                                 SIZE             CREATION-TIME      
 0 user-manager                                              directory                                             nov/19/2018 06:32:08
 1 user-manager/sqldb                                        file                                 80.0KiB          sep/30/2018 08:20:39
 2 user-manager/logsqldb                                     file                                 6.0KiB           sep/30/2018 08:20:39
 3 um-before-migration.tar                                   .tar file                            15.5KiB          sep/30/2018 08:20:39
 4 skins                                                     directory                                             jun/16/2018 12:06:32
 5 primary-slave                                             disk                                                  jun/16/2018 12:06:33
 6 autosupout.rif                                            .rif file                            647.0KiB         nov/15/2018 06:26:38
 7 auto-before-reset.backup                                  backup                               14.8KiB          sep/30/2018 08:20:29
 8 pub                                                       directory                                             nov/15/2018 06:26:35
 9 dhcp-6.43.4.npk                                           .npk file                            0                nov/19/2018 06:18:15
10 primary-slave/lost+found                                  directory                                             oct/18/2015 02:38:50
11 primary-slave/user-manager2                               user-manager store                                    sep/30/2018 08:15:35
[admin@DTOPS-OVH-SG-Router-Node1] > /ip pool print
 # NAME                   RANGES
 0 dhcp-pool-1            172.20.255.1-172.20.255.254,172.20.254.1-172.20.254.254
[admin@DTOPS-OVH-SG-Router-Node1] > /interface ovpn-server print
Flags: X - disabled, D - dynamic, R - running
 #     NAME                         USER       MTU CLIENT-ADDRESS     UPTIME   ENCODING 
[admin@DTOPS-OVH-SG-Router-Node1] >

First, we create the certificate templates

[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=ca-template common-name=ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=server-template common-name=*.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=client-template common-name=client.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=tls-client
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /

Sign the certificates we just created

[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign ca-template name=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign server-template name=server-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign client-template name=client-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /
[admin@DTOPS-OVH-SG-Router-Node1] >

Export the signed certificates to files

[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate ca-certificate export-passphrase=""
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate client-certificate export-passphrase=12345678
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /
[admin@DTOPS-OVH-SG-Router-Node1] >
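As an added example (not from the page or from MikroTik), this Go program rebuilds the same three-level hierarchy with Go's crypto/x509 using the page's common names and key usages, then runs the check that the client's remote-cert-tls server option and the server's require-client-certificate=yes rely on: the peer certificate must chain to ca-certificate and carry the matching extended key usage, which is why the server template gets tls-server and the client template only tls-client. Assumptions: P-256 keys instead of the page's RSA 2048 (for speed), and the names issue, buildPKI and acceptedAs are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mirrors one "add ... key-usage=" line plus its "sign ... ca=" step: a days-valid=3650
// certificate signed by parent (self-signed when parent is nil). P-256 stands in for the page's RSA-2048.
func issue(cn string, serial int64, ku x509.KeyUsage, eku []x509.ExtKeyUsage, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if crypto/rand fails
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(3650 * 24 * time.Hour), KeyUsage: ku, ExtKeyUsage: eku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed CA, as in "sign ca-template"
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // a template/key mismatch is a programming error in this demo
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// buildPKI reproduces ca-template, server-template and client-template from the page.
func buildPKI() (ca, server, client *x509.Certificate) {
	ca, caKey := issue("ros-vpn-dtops.cc", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, true, nil, nil)
	server, _ = issue("*.ros-vpn-dtops.cc", 2, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, false, ca, caKey) // tls-server
	client, _ = issue("client.ros-vpn-dtops.cc", 3, 0, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, false, ca, caKey) // tls-client only
	return ca, server, client
}

// acceptedAs is the check behind the client's "remote-cert-tls server" and the server's
// require-client-certificate=yes: chain to the CA plus the expected extended key usage.
func acceptedAs(ca, cert *x509.Certificate, eku x509.ExtKeyUsage) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}})
	return err == nil
}
```

With these templates the server certificate is accepted only in the server role and the client certificate only in the client role, so neither can stand in for the other even though both chain to the same CA. Run it with go test from a small test that calls buildPKI and acceptedAs, or add a main that prints those results.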

Create an IP pool dedicated to OpenVPN dial-in clients

[admin@DTOPS-OVH-SG-Router-Node1] > /ip pool add name="openvpn-pool" ranges=172.20.253.1-172.20.253.254

Add the account used for OpenVPN dial-in

[admin@DTOPS-OVH-SG-Router-Node1] > /ppp profile add name="openvpn-profile" use-encryption=yes local-address=172.20.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=openvpn-pool
[admin@DTOPS-OVH-SG-Router-Node1] > /ppp secret add name=lookback password=lookback123 profile=openvpn-profile service=ovpn

Enable the OpenVPN service

[admin@DTOPS-OVH-SG-Router-Node1] > /interface ovpn-server server set default-profile=openvpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes

Add a firewall rule that allows the OpenVPN service

[admin@DTOPS-OVH-SG-Router-Node1] > /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

Download the certificate files

[lookback@LookBack-MacBookPro ~]$ ls Desktop/OpenVPN/
cert_export_ca-certificate.crt          cert_export_client-certificate.crt      cert_export_client-certificate.key

Remove the passphrase from the private key

[lookback@LookBack-MacBookPro ~]$ openssl rsa -in Desktop/OpenVPN/cert_export_client-certificate.key -out Desktop/OpenVPN/cert_export_client-certificate2.key   
Enter pass phrase for Desktop/OpenVPN/cert_export_client-certificate.key:
writing RSA key
[lookback@LookBack-MacBookPro ~]$ ls Desktop/OpenVPN/
cert_export_ca-certificate.crt          cert_export_client-certificate.crt      cert_export_client-certificate.key      cert_export_client-certificate2.key
[lookback@LookBack-MacBookPro ~]$

Create the OpenVPN configuration file:

[lookback@LookBack-MacBookPro ~]$ cat > Desktop/OpenVPN/139.99.18.81.ovpn <<EOF
client
dev tun
proto tcp
remote 139.99.18.81 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
 
<ca>
$(cat Desktop/OpenVPN/cert_export_ca-certificate.crt)
</ca>
 
<cert>
$(cat Desktop/OpenVPN/cert_export_client-certificate.crt)
</cert>
 
<key>
$(cat Desktop/OpenVPN/cert_export_client-certificate2.key)
</key>
 
EOF
[lookback@LookBack-MacBookPro ~]$ cat Desktop/OpenVPN/139.99.18.81.ovpn
client
dev tun
proto tcp
remote 139.99.18.81 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
 
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
 
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
 
<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>
[lookback@LookBack-MacBookPro ~]$

Test the connection

Summary of the whole procedure

[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=ca-template common-name=ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=server-template common-name=*.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=client-template common-name=client.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=tls-client
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign ca-template name=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign server-template name=server-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign client-template name=client-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate ca-certificate export-passphrase=""
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate client-certificate export-passphrase=12345678
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /ip pool add name="openvpn-pool" ranges=172.20.253.1-172.20.253.254
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /ppp profile add name="openvpn-profile" use-encryption=yes local-address=172.20.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=openvpn-pool
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /ppp secret add name=lookback profile=openvpn-profile password=lookback123
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /interface ovpn-server server set default-profile=openvpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /
[admin@DTOPS-OVH-SG-Router-Node1] > /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
[admin@DTOPS-OVH-SG-Router-Node1] > quit

12-14 07:01