Setting up an OpenVPN server on a MikroTik RouterOS router
```
[admin@DTOPS-OVH-SG-Router-Node1] > quit
Connection closed by foreign host.
[lookback@LookBack-MacBookPro ~]$ telnet 139.99.18.81 2301
Trying 139.99.18.81...
Connected to ip81.ip-139-99-18.net.
Escape character is '^]'.
Login failed, incorrect username or password
[lookback@LookBack-MacBookPro ~]$ telnet 139.99.18.81 2301
Trying 139.99.18.81...
Connected to ip81.ip-139-99-18.net.
Escape character is '^]'.
Login: admin
Password:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.43.2 (c) 1999-2018       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level

[admin@DTOPS-OVH-SG-Router-Node1] >
```

The session above is plain telnet (on the non-standard port 2301), so the admin password crosses the internet in cleartext. For remote management prefer SSH, and restrict the management services with /ip service and the firewall.
To write this tutorial I deleted the environment I had set up before.
```
[admin@DTOPS-OVH-SG-Router-Node1] > /file pr
 # NAME                          TYPE                SIZE      CREATION-TIME
 0 user-manager                  directory                     nov/19/2018 06:32:08
 1 user-manager/sqldb            file                80.0KiB   sep/30/2018 08:20:39
 2 user-manager/logsqldb         file                6.0KiB    sep/30/2018 08:20:39
 3 um-before-migration.tar       .tar file           15.5KiB   sep/30/2018 08:20:39
 4 skins                         directory                     jun/16/2018 12:06:32
 5 primary-slave                 disk                          jun/16/2018 12:06:33
 6 autosupout.rif                .rif file           647.0KiB  nov/15/2018 06:26:38
 7 auto-before-reset.backup      backup              14.8KiB   sep/30/2018 08:20:29
 8 pub                           directory                     nov/15/2018 06:26:35
 9 dhcp-6.43.4.npk               .npk file           0         nov/19/2018 06:18:15
10 primary-slave/lost+found      directory                     oct/18/2015 02:38:50
11 primary-slave/user-manager2   user-manager store            sep/30/2018 08:15:35
[admin@DTOPS-OVH-SG-Router-Node1] > /ip pool print
 # NAME         RANGES
 0 dhcp-pool-1  172.20.255.1-172.20.255.254,172.20.254.1-172.20.254.254
[admin@DTOPS-OVH-SG-Router-Node1] > /interface ovpn-server print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    USER    MTU    CLIENT-ADDRESS    UPTIME    ENCODING
[admin@DTOPS-OVH-SG-Router-Node1] >
```
First, create the certificate templates. There are three: a CA (key-usage crl-sign and key-cert-sign, so it can sign the other two), a server certificate (key-usage tls-server, which is what the OpenVPN client's `remote-cert-tls server` check looks for) and a client certificate (key-usage tls-client). All use 2048-bit RSA keys and are valid for ten years.

```
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > add name=ca-template common-name=ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > add name=server-template common-name=*.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > add name=client-template common-name=client.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=tls-client
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /
```
Sign the templates. The CA signs itself; the server and client certificates are signed by the CA (ca=ca-certificate), which is what lets the router and the client verify each other later.

```
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > sign ca-template name=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > sign server-template name=server-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > sign client-template name=client-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /
[admin@DTOPS-OVH-SG-Router-Node1] >
```
Export the signed certificates to files. An export with an empty passphrase writes only the certificate, so the CA's private key never leaves the router; an export with a passphrase also writes the private key, encrypted with that passphrase. The files appear in /file as cert_export_<name>.crt and cert_export_<name>.key. The server certificate stays on the router and is not exported.

```
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > export-certificate ca-certificate export-passphrase=""
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > export-certificate client-certificate export-passphrase=12345678
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /
[admin@DTOPS-OVH-SG-Router-Node1] >
```
Create an IP pool dedicated to OpenVPN clients, separate from the existing dhcp-pool-1.

```
[admin@DTOPS-OVH-SG-Router-Node1] > /ip pool add name="openvpn-pool" ranges=172.20.253.1-172.20.253.254
```
Add a PPP profile for OpenVPN and the account used to dial in. The profile hands out addresses from openvpn-pool with 172.20.0.1 as the router-side address; the secret is bound to service=ovpn, so the password cannot be used to log in to the other PPP services on the router.

```
[admin@DTOPS-OVH-SG-Router-Node1] > /ppp profile add name="openvpn-profile" use-encryption=yes local-address=172.20.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=openvpn-pool
[admin@DTOPS-OVH-SG-Router-Node1] > /ppp secret add name=lookback password=lookback123 profile=openvpn-profile service=ovpn
```
Enable the OpenVPN server. require-client-certificate=yes means a valid username and password alone are not enough: the client must also present a certificate issued by the same CA. The auth and cipher lists here must include what the client will ask for (auth SHA1, cipher AES-128-CBC in the client config below). The RouterOS 6 OpenVPN server speaks TCP only, which is why the client config uses proto tcp.

```
[admin@DTOPS-OVH-SG-Router-Node1] > /interface ovpn-server server set default-profile=openvpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
```
Add a firewall rule on the input chain that allows the OpenVPN service (TCP 1194). place-before=0 puts it at the top of the filter list, ahead of any drop rule.

```
[admin@DTOPS-OVH-SG-Router-Node1] > /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
```
Copy the three exported files from the router to the Mac:

```
[lookback@LookBack-MacBookPro ~]$ ls Desktop/OpenVPN/
cert_export_ca-certificate.crt      cert_export_client-certificate.crt  cert_export_client-certificate.key
```

The exported client key is encrypted with the export passphrase (12345678). Strip the passphrase with openssl so the OpenVPN client can load the key without prompting. The resulting cert_export_client-certificate2.key is an unencrypted private key and must be protected accordingly (owner-readable only, never shared).

```
[lookback@LookBack-MacBookPro ~]$ openssl rsa -in Desktop/OpenVPN/cert_export_client-certificate.key -out Desktop/OpenVPN/cert_export_client-certificate2.key
Enter pass phrase for Desktop/OpenVPN/cert_export_client-certificate.key:
writing RSA key
[lookback@LookBack-MacBookPro ~]$ ls Desktop/OpenVPN/
cert_export_ca-certificate.crt      cert_export_client-certificate.crt  cert_export_client-certificate.key  cert_export_client-certificate2.key
[lookback@LookBack-MacBookPro ~]$
```
Build the OpenVPN client configuration file. The unquoted heredoc lets `$(cat ...)` inline the CA certificate, the client certificate and the decrypted client key, so a single .ovpn file is enough. `remote-cert-tls server` makes the client refuse a peer whose certificate lacks the server key usage (protecting against another client certificate from the same CA impersonating the router), `auth-user-pass` prompts for the PPP secret, and the cipher and auth lines match the server settings. Because the file embeds the private key, treat it as a secret; a key that has been published, like the one below, has to be considered compromised.

```
[lookback@LookBack-MacBookPro ~]$ cat > Desktop/OpenVPN/139.99.18.81.ovpn <<EOF
client
dev tun
proto tcp
remote 139.99.18.81 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<ca>
$(cat Desktop/OpenVPN/cert_export_ca-certificate.crt)
</ca>
<cert>
$(cat Desktop/OpenVPN/cert_export_client-certificate.crt)
</cert>
<key>
$(cat Desktop/OpenVPN/cert_export_client-certificate2.key)
</key>
EOF
[lookback@LookBack-MacBookPro ~]$ cat Desktop/OpenVPN/139.99.18.81.ovpn
client
dev tun
proto tcp
remote 139.99.18.81 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIIFSnsJ9PMqmcwDQYJKoZIhvcNAQELBQAwGzEZMBcGA1UE
AwwQcm9zLXZwbi1kdG9wcy5jYzAeFw0xODExMjIwNDA4MTVaFw0yODExMTkwNDA4
MTVaMBsxGTAXBgNVBAMMEHJvcy12cG4tZHRvcHMuY2MwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCsPw1VT2KvJrkK+d4OB9C/IiYS9HJKGrvV2jlpsvfr
4r7Z0XEHPZfGN/oOCx5dqkVzpQrhCkniuGGScP+FQ10A7nIxSILl/SWLgdsM29gr
JBzj6O4clKIhadlIBlHosIu16SaesTx5IKCmapyBX21NYoEjTev387FGLZOwcNx4
ZWr9NQ2NiwRhzh2Cu27TxdvIzWxIjjVuJpSj41UXJXhtjVAIar8IrK7HyqjDg3fB
BVjWGcXq9sBo9EDEcq7ArKg18ptLROS4JAwDuzRlQJbt+6ykyQexEsrH/O3Q81nd
i5CPtGI/NbrNVFgaP3Z0O3rvGfUzCPfUP7+PKY+16upLAgMBAAGjaDBmMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTJh1HnISeQwWf9
bInPaQdZI0BjQjAkBglghkgBhvhCAQ0EFxYVR2VuZXJhdGVkIGJ5IFJvdXRlck9T
MA0GCSqGSIb3DQEBCwUAA4IBAQAjbjih4aGGKE+NRlxvtPG/rRCgBYjZrmuug3S9
0Mks3TLylWSehhrpmEdCByGFx2CaU2sA5kIyf9S+sii+TBuiyiLVRsOUWG9jtQx4
4vpyxt/lmJpzZsMFAc0jG67ZkKhETGte7RQ+D8J+gtBKDgIMeub/WP6GfGRPnlE4
MaxFeOmHSSdrs9L0/fsDPPO1k80Fd6NSL9VPLPrxH6HWbd4xLaAdx7FaO4Hj2sQN
pt1QryFDKhzlydAFORy/kRudil2Or+tEjYFqkADvHm+0d0O5ykuaNqqONnXhRxor
JhggpPntQMuN+3BzZej8rFlJES7tP4+5mqrpIVjkDYF9p5Ec
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIIaYYxJrBmU5QwDQYJKoZIhvcNAQELBQAwGzEZMBcGA1UE
AwwQcm9zLXZwbi1kdG9wcy5jYzAeFw0xODExMjIwNDA4MzBaFw0yODExMTkwNDA4
MzBaMCIxIDAeBgNVBAMMF2NsaWVudC5yb3MtdnBuLWR0b3BzLmNjMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAymqBCtpOAUztveZIqeLjxmzpdoDyjIHO
LuVDifjs4Ax1VNM0vjJPpmcMsu2iCUURsE0KI2PSeIzfcgrfVpltUEXwJ5zHyPim
4lNt3KPQX4G97KH/W0GVPdssj7XR1Hi64wO+Csu0wcNNZKcM1Ct9Y/k60oHJ+q96
44oc1Qn4u/R4HkZEQY4NrAQPziUvs4Zm/DW9AVATmmAfQ56o7KRIYW5bw3jEnrcu
KFqdkUNu4//kr+x1az/QroUm5Aj01ZSKENpBMPrFhuaiJ9Ve5zT/2iPMWvC1NYq0
89KSOCLLB4aCble1sBsXp52mmszrQ0mw3AHsYdIuIylIMQaHaaLYywIDAQABo30w
ezATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUyu2FpYZXyJAlnKBIfWXb
Nn0XN/UwHwYDVR0jBBgwFoAUyYdR5yEnkMFn/WyJz2kHWSNAY0IwJAYJYIZIAYb4
QgENBBcWFUdlbmVyYXRlZCBieSBSb3V0ZXJPUzANBgkqhkiG9w0BAQsFAAOCAQEA
KOP9hgBpo68oQ01P8NyaQWXGLpxgDLAi0GHSCCWT0eF7B8k+PEwQqMYizIwjej2f
qdDL4LJ0lyyRWuCekA2DkkM845OJ5o56HRB+SoD3Dj9XGyx7HVtrA0zCg4jUeVdD
4ZJhrJ+aWgleHZ/X4Z7HVMbOr3PhApNVxBdIZ3ad4oIDWpro2aGVEBMjVA1d63vD
EGtmkftfim9g09zxtUaT5viHB09s+t79v+Q/SIsAVVmNc7zUtK4aMZve3E6Ijz8Y
9UPX2d40OuyjPk+S5g/rjkDEJS0kOQtIuOKCGKy2zPqCCW5mrDAIJBk+ub7/Frw5
FLpsmgv29C9619MSY/VeiA==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAymqBCtpOAUztveZIqeLjxmzpdoDyjIHOLuVDifjs4Ax1VNM0
vjJPpmcMsu2iCUURsE0KI2PSeIzfcgrfVpltUEXwJ5zHyPim4lNt3KPQX4G97KH/
W0GVPdssj7XR1Hi64wO+Csu0wcNNZKcM1Ct9Y/k60oHJ+q9644oc1Qn4u/R4HkZE
QY4NrAQPziUvs4Zm/DW9AVATmmAfQ56o7KRIYW5bw3jEnrcuKFqdkUNu4//kr+x1
az/QroUm5Aj01ZSKENpBMPrFhuaiJ9Ve5zT/2iPMWvC1NYq089KSOCLLB4aCble1
sBsXp52mmszrQ0mw3AHsYdIuIylIMQaHaaLYywIDAQABAoIBAGc96XGypUTOixhn
47obCtiDZpTV8mCuOI78yvUNrSwdzp6kV2uHV87lEroUsKgPvZTxxnEEki6Ak9uk
JgQSn4npEjPyKIieIuifaxK1zytXjpqqigdurQNuzgzCzTKVHaV6nCz/d8O4rLng
5o81W3Bph5IlNvMRHBoAsPIMcvzSLSb8TnSAvPTLTtidl1ajvXPmAs+uNpv6mQx+
ha7ezT0cGql/hWle876P5UK7j9tJBdXBbL1oCYETqvzDb0/cyRfQohvbqFMVTQpi
dC02vUdWn4AsHwDH4vetg1XkSszKM7gZJ/A2jlTCk8ogcxO9yxr6OIIq0omPm7Qh
z2eqCVkCgYEA7P1WstsSX2+UQ2W5lsZ4iOrDsfH0Ec7PvxbiC1RmAxh+c+l6ceFm
PMVtRGk1BfcVNSS0pIyvm0FfcTUSqgH3Qv08g3Goy/TuDGby78KMAhyzVn9bTpt7
tayzAkMRb3dsDxS/FFTvmpMzfTGmn/CSCRWpDjDzy1Ox+DySXnvcUpcCgYEA2qcv
eX/qW4FOsZDE/MxnzN62UCg75I26UiqsGkGlJWss8gxK/jDThOR5G/XdLTibPk6n
HN+ZUq5N6Jf9tnjQjyVe4Ygat7GmPXQeqe6nNewIxAtztbT8lJk55lWNW8TgvXN9
kKCPQF5ZsRsfh71JQHyUArn9weMzavnbUMO8Fe0CgYEAlOEWHSg445GCD9ERBSJL
yJ/LLre0P5evtPkYKkvsBhfWINVVIcOa6aSRXz/Emqm9PfSAMztaemtYHRNdVUYE
4qWZ5W16wB5viYUHKw4JzK3hD/7UCo7s6ZXDozEk++SHEvZSj+BH4dCFsSmG5sVH
yMM9v/eKwHokvLC4tviS0aMCgYEAyw1pVB7LR/D8YH+9v7ofRy0oB6ZlgGlxty5z
puqBcA9orNtnpUk4lPgL1EBuBrnDyYgHPxQS8ap3JWJItfTaUaT1yOG5Vg++/uDg
PRUo6TVqKo0sBnmt+l2VXGbkoG1j++vNlsrUXYWBK6yxij/pT96hISsSEcVpkZW4
6vbqqz0CgYBx5i3xN1RHdjITGGC5rMBK/9nnpURDKLNv0uz0CRMXbmeIDQod7DlQ
vGXrDFqjise0FC8TAPbhTBcnHP8tctzvd7Uq6uGTS75Q196H1RTktLWDQWqkX5e9
/PXPNB0Wx7YziLQSTdJGKfUh3Ilvo1gR2zVgzdcDeHan3frVNE7Ykg==
-----END RSA PRIVATE KEY-----
</key>
[lookback@LookBack-MacBookPro ~]$
```
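The client-side steps above (take the exported files, strip the passphrase with `openssl rsa`, inline everything with a heredoc) can be wrapped in a script that also checks the bundle before it is used. The following is an added example, not code from the original post. Since there is no router to export from, it first builds a throwaway CA, server and client certificate with openssl, using the same common names and key usages as the RouterOS templates (a constructed stand-in for the cert_export_* files; the client key is passphrase-protected with 12345678 as in the post). It then verifies what the OpenVPN handshake will later demand: the server certificate carries the TLS server EKU that `remote-cert-tls server` checks, the client certificate chains to the CA and carries the TLS client EKU, the decrypted key belongs to the client certificate, and the passphrase has really been removed. Function names, file names and the temporary directory are my own; the server address is the one from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Mirrors the three RouterOS certificate
# templates with openssl and checks an exported bundle before building the .ovpn.
set -eu

# openssl config carrying the same key usages as the RouterOS templates.
write_cnf() {
  cat >"$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[tls_server]
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[tls_client]
extendedKeyUsage = clientAuth
EOF
}

# Constructed stand-in for the router's cert_export_* files. The client key is
# passphrase-protected, as RouterOS writes it with export-passphrase=12345678.
make_test_pki() {  # $1=directory
  local d=$1 cnf=$1/req.cnf
  mkdir -p "$d" && write_cnf "$cnf"
  openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=ros-vpn-dtops.cc" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes -subj "/CN=*.ros-vpn-dtops.cc" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$cnf" -extensions tls_server -out "$d/server.crt" 2>/dev/null
  openssl genrsa -aes256 -passout pass:12345678 -out "$d/client.enc.key" 2048 2>/dev/null
  openssl req -new -config "$cnf" -key "$d/client.enc.key" -passin pass:12345678 \
    -subj "/CN=client.ros-vpn-dtops.cc" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$cnf" -extensions tls_client -out "$d/client.crt" 2>/dev/null
}

# EKU the OpenVPN handshake will demand: the router's cert must be a TLS server for
# the client's `remote-cert-tls server`; ours must be a TLS client.
cert_has_eku() {  # $1=cert $2=server|client
  local want
  case $2 in
    server) want='TLS Web Server Authentication' ;;
    client) want='TLS Web Client Authentication' ;;
    *) return 2 ;;
  esac
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$want"
}

# Was the certificate really issued by the CA we were handed?
cert_signed_by() {  # $1=ca.crt $2=cert
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# What the post does with `openssl rsa`: strip the export passphrase so the OpenVPN
# client loads the key unattended. The plaintext copy must be owner-readable only.
decrypt_key() {  # $1=encrypted key $2=passphrase $3=output
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null && chmod 600 "$3"
}

# Does this (decrypted) private key belong to this certificate? Compare public keys.
key_matches_cert() {  # $1=key $2=cert
  local a b
  a=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null </dev/null) || return 1
  b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# The inline-certificate .ovpn from the post, written only if the bundle passes
# every check above. Settings mirror the router's ovpn-server configuration.
build_ovpn() {  # $1=ca.crt $2=client.crt $3=client.key $4=server address $5=output
  cert_signed_by "$1" "$2" && cert_has_eku "$2" client && key_matches_cert "$3" "$2" || return 1
  {
    printf 'client\ndev tun\nproto tcp\nremote %s 1194\nresolv-retry infinite\nnobind\n' "$4"
    printf 'persist-key\npersist-tun\nremote-cert-tls server\ncipher AES-128-CBC\nauth SHA1\n'
    printf 'auth-user-pass\nredirect-gateway def1\nverb 3\n'
    printf '<ca>\n'; cat "$1"; printf '</ca>\n<cert>\n'; cat "$2"; printf '</cert>\n'
    printf '<key>\n'; cat "$3"; printf '</key>\n'
  } >"$5" && chmod 600 "$5"
}

# Stand-alone run: throwaway PKI, key decryption, checked bundle.
main() {
  local d; d=$(mktemp -d)
  make_test_pki "$d"
  decrypt_key "$d/client.enc.key" 12345678 "$d/client.key"
  build_ovpn "$d/ca.crt" "$d/client.crt" "$d/client.key" 139.99.18.81 "$d/139.99.18.81.ovpn"
  echo "checked bundle written to $d/139.99.18.81.ovpn"
}
main
```

With real exports, skip make_test_pki and point the functions at cert_export_ca-certificate.crt, cert_export_client-certificate.crt and the decrypted key. The EKU check is the one people most often miss: a server certificate signed without tls-server passes on the router but makes every client fail with a `remote-cert-tls server` verification error, and a key that does not match its certificate fails only at the TLS handshake, so both are cheaper to catch here than in the OpenVPN log.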
Summary of the whole process (router side)

```
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > add name=ca-template common-name=ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > add name=server-template common-name=*.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > add name=client-template common-name=client.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=tls-client
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > sign ca-template name=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > sign server-template name=server-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > sign client-template name=client-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > export-certificate ca-certificate export-passphrase=""
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > export-certificate client-certificate export-passphrase=12345678
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /ip pool add name="openvpn-pool" ranges=172.20.253.1-172.20.253.254
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /ppp profile add name="openvpn-profile" use-encryption=yes local-address=172.20.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=openvpn-pool
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /ppp secret add name=lookback profile=openvpn-profile password=lookback123 service=ovpn
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /interface ovpn-server server set default-profile=openvpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
[admin@DTOPS-OVH-SG-Router-Node1] /certificate > /
[admin@DTOPS-OVH-SG-Router-Node1] > /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
[admin@DTOPS-OVH-SG-Router-Node1] > quit
```