
Category Archive: Mikrotik

OpenVPN Server and certificate management on MikroTik

Configure the OpenVPN server and generate certificates

Change the variables below and paste the script into the MikroTik terminal window.

:global CN [/system identity get name]
:global COUNTRY "UA"
:global STATE "KV"
:global LOC "Kyiv"
:global ORG "My organization"
:global OU ""
:global KEYSIZE "2048"

helper function: a delay (in seconds) proportional to the key size, so key generation finishes before the certificate is signed

:global waitSec do={:return ($KEYSIZE * 10 / 1024)}

generate a CA certificate

/certificate add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

generate a server certificate (key-usage tls-server distinguishes it from client certificates issued by the same CA)

/certificate add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" days-valid=3650 \
key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

create a client template (unsigned; it is copied and signed once per user below)

/certificate add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="client" \
key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

create an IP pool for VPN clients

/ip pool add name=VPN-POOL ranges=192.168.252.128-192.168.252.224

add a PPP profile for the VPN

/ppp profile add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
remote-address=VPN-POOL use-encryption=yes

configure the OpenVPN server. auth=sha1 is the widest-compatibility choice; recent RouterOS releases also offer sha256/sha512, and whatever you pick here must match the auth and cipher directives in the client profile. require-client-certificate=yes means a username/password alone is not enough to connect.

/interface ovpn-server server set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes

add a firewall rule. No action is given, so the default (accept) applies; the rule is appended to the end of the input chain, so move it above any drop rule already there or it never matches.

/ip firewall filter add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN"

Add a new user

Add a new user and generate/export certificates

Change the variables below and paste the script into the MikroTik terminal.

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

add a user (PPP secret)

/ppp secret add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn

generate a client certificate

/certificate add name=client-template-to-issue copy-from="client-template" \
common-name="$USERNAME@$CN"
/certificate sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

export the CA certificate, the client certificate and its private key. With an empty export-passphrase only the CA certificate is written, not the CA's private key, which must stay on the router; the client key is written encrypted with the user's password.

/certificate export-certificate "$CN" export-passphrase=""
/certificate export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

Configure the OpenVPN client

1. Copy the exported certificates from the MikroTik:

sftp admin@MikroTik_IP:cert_export_*

You can also download the certificates from the web interface: go to WebFig → Files.

2. Create the user.auth file. It holds your username/password pair: the username on the first line and the password on the second line.

cat << EOF > user.auth
user
password
EOF

3. Create an OpenVPN config named USERNAME.ovpn:

client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3

# Username and password file created above
auth-user-pass user.auth

# Copy the certificates from MikroTik and change
# the filenames below if needed
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key

# Add routes to networks behind MikroTik
route 192.168.10.0 255.255.255.0

This profile verifies only that the server's certificate chains to the CA. Any certificate issued by that CA, including another user's tls-client certificate, would pass that check, so add the directive remote-cert-tls server (and, to pin the name, verify-x509-name) so the client accepts only the tls-server certificate issued above.

4. Try to connect:

sudo openvpn USERNAME.ovpn

Decrypt the private key to avoid the passphrase prompt. This leaves the key in clear on disk: keep the file readable only by its owner (mode 600), and on a shared machine prefer leaving it encrypted and supplying the passphrase via OpenVPN's askpass option.

openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key
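The two client-side checks above (the missing remote-cert-tls/verify-x509-name directives and the state of the decrypted key file) are easy to automate. The following is an added example written for this page, not code from the original post or from OpenVPN: a small linter for a client profile and its key file. SAMPLE_OVPN is constructed from the directives shown on this page; remote-cert-tls, verify-x509-name and auth are real OpenVPN directives, and the key check relies on the fact that both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and traditional ("Proc-Type: 4,ENCRYPTED") PEM headers contain the word ENCRYPTED.

```python
"""Lint an OpenVPN client profile and its private key file.

Added example; not code from the original page or from OpenVPN.
SAMPLE_OVPN is constructed from the directives shown on the page.
"""
import os
import stat
import tempfile

SAMPLE_OVPN = """\
client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3
auth-user-pass user.auth
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key
route 192.168.10.0 255.255.255.0
"""

WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_ovpn(text):
    """Return (directive, args) pairs; lines starting with '#' or ';' are comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def lint_ovpn(text):
    """Return the findings for a profile; an empty list means nothing was flagged."""
    directives = parse_ovpn(text)
    names = {name for name, _ in directives}
    findings = []
    # Without remote-cert-tls the client accepts any certificate the CA signed,
    # including another user's tls-client certificate, as the server's.
    if ("remote-cert-tls", ["server"]) not in directives:
        findings.append("missing 'remote-cert-tls server'")
    if "verify-x509-name" not in names:
        findings.append("missing 'verify-x509-name' (server CN not pinned)")
    for name, args in directives:
        if name == "auth" and args and args[0].upper() in WEAK_AUTH:
            findings.append(f"auth {args[0]}: use SHA256 or stronger if the server offers it")
        if name == "auth-user-pass" and not args:
            findings.append("auth-user-pass without a file: credentials are prompted interactively")
    return findings


def check_key_file(path):
    """Flag a private key that is group/world readable or stored unencrypted."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: key file not found"]
    findings = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.filemode(st.st_mode)} is readable by others; use chmod 600")
    with open(path, "rb") as fh:
        head = fh.read(256)
    # Both PKCS#8 and traditional encrypted PEM headers carry the word ENCRYPTED.
    if b"ENCRYPTED" not in head:
        findings.append(f"{path}: private key is stored unencrypted")
    return findings


def demo_key_check(mode=0o644, encrypted=False):
    """Write a constructed placeholder key with the given mode and check it."""
    header = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" if encrypted else b"-----BEGIN RSA PRIVATE KEY-----\n"
    fd, path = tempfile.mkstemp(suffix=".key")
    try:
        os.write(fd, header + b"(constructed placeholder, not a real key)\n")
        os.close(fd)
        os.chmod(path, mode)
        return check_key_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in lint_ovpn(SAMPLE_OVPN) + demo_key_check():
        print("finding:", finding)
```

Run against the profile from this page it reports the two missing directives and the SHA1 HMAC; a key file left at mode 644 after the openssl step above is reported twice, once for permissions and once for being unencrypted.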

Delete a user and revoke the certificate

Delete a user and revoke the certificate

Change the variables below and paste the script into the MikroTik terminal window. Both steps are needed: removing the secret stops the username/password login, and revoking the certificate removes the second factor the server requires.

:global CN [/system identity get name]
:global USERNAME "user"

delete the user

/ppp secret remove [find name=$USERNAME profile=VPN-PROFILE]

revoke the client's certificate

/certificate issued-revoke [find name="$USERNAME@$CN"]

Revert the OpenVPN server configuration on MikroTik

Revert the OpenVPN configuration

/ip pool remove [find name=VPN-POOL]
/ppp profile remove [find name=VPN-PROFILE]
/ip firewall filter remove [find comment="Allow OpenVPN"]
/ppp secret remove [find profile=VPN-PROFILE]

/certificate

# delete the certificates manually

Source: https://gist.github.com/SmartFinn/8324a55a2020c56b267b#setup-openvpn-server-and-generate-certificates

NTH load balancing on MikroTik with failover

/system identity
set name="Balanceador Dinamico"

/interface ethernet
set [ find default-name=ether1 ] comment="ISP 1" name=Wan1
set [ find default-name=ether2 ] comment="ISP 2" name=Wan2
set [ find default-name=ether3 ] comment="ISP 3" name=Wan3
set [ find default-name=ether4 ] comment="ISP 4" name=Wan4
set [ find default-name=ether5 ] comment="Local area network" name=LAN

/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=Wan1 use-peer-dns=no use-peer-ntp=no
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=Wan2 use-peer-dns=no use-peer-ntp=no
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=Wan3 use-peer-dns=no use-peer-ntp=no
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=Wan4 use-peer-dns=no use-peer-ntp=no

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip address
add address=192.168.0.1/24 interface=LAN network=192.168.0.0

/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN name=dhcp1

/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1

/ip firewall nat
add action=masquerade chain=srcnat connection-mark=conn1 out-interface=Wan1
add action=masquerade chain=srcnat connection-mark=conn2 out-interface=Wan2
add action=masquerade chain=srcnat connection-mark=conn3 out-interface=Wan3
add action=masquerade chain=srcnat connection-mark=conn4 out-interface=Wan4

/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=LAN new-connection-mark=conn1 nth=4,1
add action=mark-routing chain=prerouting connection-mark=conn1 in-interface=LAN new-routing-mark=conn1 passthrough=no
add action=mark-connection chain=prerouting connection-state=new in-interface=LAN new-connection-mark=conn2 nth=4,2
add action=mark-routing chain=prerouting connection-mark=conn2 in-interface=LAN new-routing-mark=conn2 passthrough=no
add action=mark-connection chain=prerouting connection-state=new in-interface=LAN new-connection-mark=conn3 nth=4,3
add action=mark-routing chain=prerouting connection-mark=conn3 in-interface=LAN new-routing-mark=conn3 passthrough=no
add action=mark-connection chain=prerouting connection-state=new in-interface=LAN new-connection-mark=conn4 nth=4,4
add action=mark-routing chain=prerouting connection-mark=conn4 in-interface=LAN new-routing-mark=conn4 passthrough=no
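Each nth rule keeps its own counter that advances only for the packets that reach it, and a packet marked by one mark-connection rule is stopped by the mark-routing rule that follows it, so the later nth rules never see it. Under those semantics the nth=4,1 / 4,2 / 4,3 / 4,4 pattern above does not split new connections evenly; a share of them falls through all four rules unmarked and is routed by the main table. The following is an added example written for this page, not RouterOS code or code from the original post: a model of the mangle chain that counts how new connections land in each mark, comparing the page's rule set with the 4,1 / 3,1 / 2,1 / 1,1 pattern. The per-rule counter behaviour is the documented nth semantics for RouterOS v4 and later; the function and constant names are this example's own.

```python
"""Model of how RouterOS nth matchers spread new connections across marks.

Added example; not RouterOS code and not from the original post. It assumes
the documented nth=every,packet semantics: every rule has its own counter
that cycles 1..every over the packets reaching that rule, and the rule
matches when the counter equals 'packet'.
"""
from collections import Counter

MARKS = ("conn1", "conn2", "conn3", "conn4", "unmarked")

# (every, packet, mark) for each mark-connection rule. Each is followed by a
# mark-routing rule with passthrough=no, so a marked packet leaves the chain.
PAGE_RULES = [(4, 1, "conn1"), (4, 2, "conn2"), (4, 3, "conn3"), (4, 4, "conn4")]
EVEN_RULES = [(4, 1, "conn1"), (3, 1, "conn2"), (2, 1, "conn3"), (1, 1, "conn4")]


def simulate_chain(rules, n_packets):
    """Feed n_packets new connections through the chain; return Counter of mark -> count."""
    counters = [0] * len(rules)
    result = Counter()
    for _ in range(n_packets):
        for i, (every, packet, mark) in enumerate(rules):
            # Only packets that reach this rule advance its counter.
            counters[i] = counters[i] % every + 1
            if counters[i] == packet:
                result[mark] += 1
                break  # mark-routing rule with passthrough=no stops the packet
        else:
            result["unmarked"] += 1  # fell through: routed by the main table
    return result


def distribution(rules, n_packets=256):
    """Return the count per mark as a plain dict in MARKS order."""
    counts = simulate_chain(rules, n_packets)
    return {mark: counts[mark] for mark in MARKS}


def percentages(rules, n_packets=256):
    """Same as distribution(), expressed as a percentage of n_packets."""
    return {mark: round(100 * n / n_packets, 1) for mark, n in distribution(rules, n_packets).items()}


if __name__ == "__main__":
    for label, rules in (("page rules 4,1/4,2/4,3/4,4", PAGE_RULES), ("4,1/3,1/2,1/1,1", EVEN_RULES)):
        print(label, percentages(rules))
```

With 256 new connections the page's rule set marks 64, 48, 36 and 27 connections for conn1 to conn4 and leaves 81 (about 32%) unmarked, while the 4,1 / 3,1 / 2,1 / 1,1 set marks exactly 64 for each WAN and none fall through.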

The ether*_force scripts below declare policy=read,write, and a scheduled script runs with no more than the scheduler's own policies, so policy=read,write is all these schedulers need; the wider set kept in this export (ftp, reboot, password, sniff, sensitive) grants more than the scripts use.

/system scheduler
add interval=10s name=Busqueda_Wan_1 on-event="\r\
\n/system script run ether1_force" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add interval=10s name=Busqueda_Wan_2 on-event="\r\
\n/system script run ether2_force" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add interval=10s name=Busqueda_Wan_3 on-event="\r\
\n/system script run ether3_force" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add interval=10s name=Busqueda_Wan_4 on-event="\r\
\n/system script run ether4_force" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
add name=Enable-All-Schedules on-event=" /system scheduler set [find name=\"Busqueda_Wan_1\"] disable=no;\r\
\n\r\
\n /system scheduler set [find name=\"Busqueda_Wan_2\"] disable=no;\r\
\n\r\
\n /system scheduler set [find name=\"Busqueda_Wan_3\"] disable=no;\r\
\n\r\
\n /system scheduler set [find name=\"Busqueda_Wan_4\"] disable=no;\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup

/system script
add name=ether1_force owner=admin policy=read,write source=":if ([/interface find name=\"Wan1\"] = \"\") do={\r\
\n\t:error \"The interface is not connected\";\r\
\n\t}\r\
\n\t\r\
\n:if ([/interface get [find name=\"Wan1\"] disabled ]) do={\r\
\n\t:error \"Interface Wan1 is disabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client find interface=\"Wan1\"] = \"\") do={\r\
\n\t:error \"Interface Wan1 has no DHCP client enabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client get [find interface=\"Wan1\"] status] != \"bound\") do={\r\
\n\t:error \"DHCP client has not been assigned an address.\";\r\
\n\t}\r\
\n\t\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan1\"] gateway];\r\
\n:if (\$dhcpgateway = \"\") do={\r\
\n\t:error \"The interface has no gateway address assigned.\";\r\
\n\t}\r\
\n\t\r\
\n:local oldgatewayid [/ip route find comment=\"ether1_force\"];\r\
\n\r\
\n:if (\"\$oldgatewayid\" = \"\") do={\r\
\n\t:log warning \"Adding route\";\r\
\n\t:execute \"/ip route add \\r\
\n\t\tdst-address=0.0.0.0/0 \\r\
\n\t\tcomment=ether1_force \\r\
\n\t\trouting-mark=conn1 \\r\
\n\t\tgateway=\$dhcpgateway\";\r\
\n\t:error \"All done.\";\r\
\n\t}\r\
\n\r\
\n:local oldgateway [/ip route get number=\"\$oldgatewayid\" gateway];\r\
\n:if (\"\$oldgateway\" != \"\$dhcpgateway\") do={\r\
\n\t/ip route set numbers=\"\$oldgatewayid\" gateway=\"\$dhcpgateway\";\r\
\n\t}\r\
\n\r\
\n# The same IP gateway\r\
\n\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan1\"] gateway];\r\
\n\r\
\n /ip route set [find comment=\"ether1_force\"] gateway=(\$dhcpgateway.\"%Wan1\")\r\
\n\r\
\n# Disable schedule\r\
\n\r\
\n:local RCount [/system scheduler get [find name =Busqueda_Wan_1] run-count]\r\
\n\r\
\n:if (\$RCount >2) do={\r\
\n/system scheduler set [find name=\"Busqueda_Wan_1\"] disable=yes\r\
\n#: log warning DigitAllFran;\r\
\n}"

add name=ether2_force owner=admin policy=read,write source=":if ([/interface find name=\"Wan2\"] = \"\") do={\r\
\n\t:error \"The interface is not connected\";\r\
\n\t}\r\
\n\t\r\
\n:if ([/interface get [find name=\"Wan2\"] disabled ]) do={\r\
\n\t:error \"Interface Wan2 is disabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client find interface=\"Wan2\"] = \"\") do={\r\
\n\t:error \"Interface Wan2 has no DHCP client enabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client get [find interface=\"Wan2\"] status] != \"bound\") do={\r\
\n\t:error \"DHCP client has not been assigned an address.\";\r\
\n\t}\r\
\n\t\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan2\"] gateway];\r\
\n:if (\$dhcpgateway = \"\") do={\r\
\n\t:error \"The interface has no gateway address assigned.\";\r\
\n\t}\r\
\n\t\r\
\n:local oldgatewayid [/ip route find comment=\"ether2_force\"];\r\
\n\r\
\n:if (\"\$oldgatewayid\" = \"\") do={\r\
\n\t:log warning \"Adding route\";\r\
\n\t:execute \"/ip route add \\r\
\n\t\tdst-address=0.0.0.0/0 \\r\
\n\t\tcomment=ether2_force \\r\
\n\t\trouting-mark=conn2 \\r\
\n\t\tgateway=\$dhcpgateway\";\r\
\n\t:error \"All done.\";\r\
\n\t}\r\
\n\r\
\n:local oldgateway [/ip route get number=\"\$oldgatewayid\" gateway];\r\
\n:if (\"\$oldgateway\" != \"\$dhcpgateway\") do={\r\
\n\t/ip route set numbers=\"\$oldgatewayid\" gateway=\"\$dhcpgateway\";\r\
\n\t}\r\
\n\r\
\n# The same IP gateway\r\
\n\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan2\"] gateway];\r\
\n\r\
\n /ip route set [find comment=\"ether2_force\"] gateway=(\$dhcpgateway.\"%Wan2\")\r\
\n\r\
\n# Disable schedule\r\
\n\r\
\n:local RCount [/system scheduler get [find name =Busqueda_Wan_2] run-count]\r\
\n\r\
\n:if (\$RCount >2) do={\r\
\n/system scheduler set [find name=\"Busqueda_Wan_2\"] disable=yes\r\
\n#: log warning DigitAllFran;\r\
\n}"

add name=ether3_force owner=admin policy=read,write source=":if ([/interface find name=\"Wan3\"] = \"\") do={\r\
\n\t:error \"The interface is not connected\";\r\
\n\t}\r\
\n\t\r\
\n:if ([/interface get [find name=\"Wan3\"] disabled ]) do={\r\
\n\t:error \"Interface Wan3 is disabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client find interface=\"Wan3\"] = \"\") do={\r\
\n\t:error \"Interface Wan3 has no DHCP client enabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client get [find interface=\"Wan3\"] status] != \"bound\") do={\r\
\n\t:error \"DHCP client has not been assigned an address.\";\r\
\n\t}\r\
\n\t\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan3\"] gateway];\r\
\n:if (\$dhcpgateway = \"\") do={\r\
\n\t:error \"The interface has no gateway address assigned.\";\r\
\n\t}\r\
\n\t\r\
\n:local oldgatewayid [/ip route find comment=\"ether3_force\"];\r\
\n\r\
\n:if (\"\$oldgatewayid\" = \"\") do={\r\
\n\t:log warning \"Adding route\";\r\
\n\t:execute \"/ip route add \\r\
\n\t\tdst-address=0.0.0.0/0 \\r\
\n\t\tcomment=ether3_force \\r\
\n\t\trouting-mark=conn3 \\r\
\n\t\tgateway=\$dhcpgateway\";\r\
\n\t:error \"All done.\";\r\
\n\t}\r\
\n\r\
\n:local oldgateway [/ip route get number=\"\$oldgatewayid\" gateway];\r\
\n:if (\"\$oldgateway\" != \"\$dhcpgateway\") do={\r\
\n\t/ip route set numbers=\"\$oldgatewayid\" gateway=\"\$dhcpgateway\";\r\
\n\t}\r\
\n\r\
\n# The same IP gateway\r\
\n\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan3\"] gateway];\r\
\n\r\
\n /ip route set [find comment=\"ether3_force\"] gateway=(\$dhcpgateway.\"%Wan3\")\r\
\n\r\
\n# Disable schedule\r\
\n\r\
\n:local RCount [/system scheduler get [find name =Busqueda_Wan_3] run-count]\r\
\n\r\
\n:if (\$RCount >2) do={\r\
\n/system scheduler set [find name=\"Busqueda_Wan_3\"] disable=yes\r\
\n#: log warning DigitAllFran;\r\
\n}"

add name=ether4_force owner=admin policy=read,write source=":if ([/interface find name=\"Wan4\"] = \"\") do={\r\
\n\t:error \"The interface is not connected\";\r\
\n\t}\r\
\n\t\r\
\n:if ([/interface get [find name=\"Wan4\"] disabled ]) do={\r\
\n\t:error \"Interface Wan4 is disabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client find interface=\"Wan4\"] = \"\") do={\r\
\n\t:error \"Interface Wan4 has no DHCP client enabled.\";\r\
\n\t}\r\
\n\r\
\n:if ([/ip dhcp-client get [find interface=\"Wan4\"] status] != \"bound\") do={\r\
\n\t:error \"DHCP client has not been assigned an address.\";\r\
\n\t}\r\
\n\t\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan4\"] gateway];\r\
\n:if (\$dhcpgateway = \"\") do={\r\
\n\t:error \"The interface has no gateway address assigned.\";\r\
\n\t}\r\
\n\t\r\
\n:local oldgatewayid [/ip route find comment=\"ether4_force\"];\r\
\n\r\
\n:if (\"\$oldgatewayid\" = \"\") do={\r\
\n\t:log warning \"Adding route\";\r\
\n\t:execute \"/ip route add \\r\
\n\t\tdst-address=0.0.0.0/0 \\r\
\n\t\tcomment=ether4_force \\r\
\n\t\trouting-mark=conn4 \\r\
\n\t\tgateway=\$dhcpgateway\";\r\
\n\t:error \"All done.\";\r\
\n\t}\r\
\n\r\
\n:local oldgateway [/ip route get number=\"\$oldgatewayid\" gateway];\r\
\n:if (\"\$oldgateway\" != \"\$dhcpgateway\") do={\r\
\n\t/ip route set numbers=\"\$oldgatewayid\" gateway=\"\$dhcpgateway\";\r\
\n\t}\r\
\n\r\
\n# The same IP gateway\r\
\n\r\
\n:local dhcpgateway [/ip dhcp-client get [find interface=\"Wan4\"] gateway];\r\
\n\r\
\n /ip route set [find comment=\"ether4_force\"] gateway=(\$dhcpgateway.\"%Wan4\")\r\
\n\r\
\n# Disable schedule\r\
\n\r\
\n:local RCount [/system scheduler get [find name =Busqueda_Wan_4] run-count]\r\
\n\r\
\n:if (\$RCount >2) do={\r\
\n/system scheduler set [find name=\"Busqueda_Wan_4\"] disable=yes\r\
\n#: log warning DigitAllFran;\r\
\n}"

Source: https://digitallfran.com/routers/balanceo-nth-mkt/