Setting up an OpenVPN service on a MikroTik RouterOS router
[admin@DTOPS-OVH-SG-Router-Node1] > quit
Connection closed by foreign host.
[lookback@LookBack-MacBookPro ~]$ telnet 139.99.18.81 2301
Trying 139.99.18.81...
Connected to ip81.ip-139-99-18.net.
Escape character is '^]'.
Login failed, incorrect username or password
Login: admin
Password:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 6.43.2 (c) 1999-2018       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments
[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options
/               Move up to base level
..              Move up one level
/command        Use command at the base level
[admin@DTOPS-OVH-SG-Router-Node1] >
For this tutorial I deleted the environment I had set up earlier.
[admin@DTOPS-OVH-SG-Router-Node1] > /file pr
 # NAME                          TYPE                SIZE      CREATION-TIME
 0 user-manager                  directory                     nov/19/2018 06:32:08
 1 user-manager/sqldb            file                80.0KiB   sep/30/2018 08:20:39
 2 user-manager/logsqldb         file                6.0KiB    sep/30/2018 08:20:39
 3 um-before-migration.tar       .tar file           15.5KiB   sep/30/2018 08:20:39
 4 skins                         directory                     jun/16/2018 12:06:32
 5 primary-slave                 disk                          jun/16/2018 12:06:33
 6 autosupout.rif                .rif file           647.0KiB  nov/15/2018 06:26:38
 7 auto-before-reset.backup      backup              14.8KiB   sep/30/2018 08:20:29
 8 pub                           directory                     nov/15/2018 06:26:35
 9 dhcp-6.43.4.npk               .npk file           0         nov/19/2018 06:18:15
10 primary-slave/lost+found      directory                     oct/18/2015 02:38:50
11 primary-slave/user-manager2   user-manager store            sep/30/2018 08:15:35
[admin@DTOPS-OVH-SG-Router-Node1] > /ip pool print
 # NAME          RANGES
 0 dhcp-pool-1   172.20.255.1-172.20.255.254,172.20.254.1-172.20.254.254
[admin@DTOPS-OVH-SG-Router-Node1] > /interface ovpn-server print
Flags: X - disabled, D - dynamic, R - running
 # NAME  USER  MTU  CLIENT-ADDRESS  UPTIME  ENCODING
[admin@DTOPS-OVH-SG-Router-Node1] >
First, create the certificate templates (a CA, a server certificate and a client certificate):
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=ca-template common-name=ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=server-template common-name=*.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=client-template common-name=client.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=tls-client
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /
Sign the certificates just created (the CA self-signs; the server and client certificates are signed by that CA):
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign ca-template name=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign server-template name=server-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign client-template name=client-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /
[admin@DTOPS-OVH-SG-Router-Node1] >
Export the signed certificates to files (the CA with an empty passphrase exports only the certificate; the client export with a passphrase also writes its private key, encrypted):
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate ca-certificate export-passphrase=""
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate client-certificate export-passphrase=12345678
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /
[admin@DTOPS-OVH-SG-Router-Node1] >
Create a dedicated IP pool for OpenVPN dial-in clients:
[admin@DTOPS-OVH-SG-Router-Node1] > /ip pool add name="openvpn-pool" ranges=172.20.253.1-172.20.253.254
Add a PPP profile and an account for OpenVPN dial-in:
[admin@DTOPS-OVH-SG-Router-Node1] > /ppp profile add name="openvpn-profile" use-encryption=yes local-address=172.20.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=openvpn-pool
[admin@DTOPS-OVH-SG-Router-Node1] > /ppp secret add name=lookback password=lookback123 profile=openvpn-profile service=ovpn
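The profile hands each client an address from openvpn-pool and uses local-address as the router's end of the tunnel, so a pool that overlaps the existing dhcp-pool-1, or a local-address that falls inside a pool, produces duplicate-address trouble that is hard to diagnose later. As an added example (not part of the original post), this Python check takes pool strings in the form RouterOS prints them and the post's own values as input; the function and field names are my own.

```python
# Added example: sanity-check the address layout behind a RouterOS PPP profile
# before committing it. Inputs are pool "ranges" strings exactly as
# /ip pool print shows them, plus the profile's local-address.
import ipaddress


def parse_ranges(ranges: str):
    """Turn a RouterOS 'a-b,c-d' pool string into a list of (first, last) tuples."""
    out = []
    for part in ranges.split(","):
        first, last = part.split("-")
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if a > b:
            raise ValueError(f"range {part} is reversed")
        out.append((a, b))
    return out


def overlaps(r1, r2) -> bool:
    """True when two inclusive (first, last) ranges share at least one address."""
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def check_pool_layout(pools: dict, local_address: str) -> list:
    """Return a list of problems; an empty list means the layout is consistent.

    pools maps pool name -> RouterOS ranges string.
    """
    problems = []
    parsed = {name: parse_ranges(r) for name, r in pools.items()}
    names = list(parsed)
    # 1. No two pools may hand out the same address.
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for r1 in parsed[n1]:
                for r2 in parsed[n2]:
                    if overlaps(r1, r2):
                        problems.append(
                            f"{n1} overlaps {n2}: {r1[0]}-{r1[1]} / {r2[0]}-{r2[1]}")
    # 2. The router's own tunnel address must not be assignable to a client.
    local = ipaddress.IPv4Address(local_address)
    for name, ranges in parsed.items():
        for first, last in ranges:
            if first <= local <= last:
                problems.append(f"local-address {local} lies inside pool {name}")
    return problems


if __name__ == "__main__":
    # Values from the post: the pre-existing DHCP pool, the new OpenVPN pool
    # and the profile's local-address.
    layout = {
        "dhcp-pool-1": "172.20.255.1-172.20.255.254,172.20.254.1-172.20.254.254",
        "openvpn-pool": "172.20.253.1-172.20.253.254",
    }
    print(check_pool_layout(layout, "172.20.0.1") or "layout OK")
```

Run it before `/ip pool add` when adding a pool to a router that already serves DHCP; the same function also catches a copy-paste mistake such as re-using part of the DHCP range for VPN clients.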
Enable the OpenVPN service:
[admin@DTOPS-OVH-SG-Router-Node1] > /interface ovpn-server server set default-profile=openvpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
Add a firewall rule that lets the OpenVPN service through:
[admin@DTOPS-OVH-SG-Router-Node1] > /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
[lookback@LookBack-MacBookPro ~]$ ls Desktop/OpenVPN/
cert_export_ca-certificate.crt  cert_export_client-certificate.crt  cert_export_client-certificate.key
[lookback@LookBack-MacBookPro ~]$ openssl rsa -in Desktop/OpenVPN/cert_export_client-certificate.key -out Desktop/OpenVPN/cert_export_client-certificate2.key
Enter pass phrase for Desktop/OpenVPN/cert_export_client-certificate.key:
writing RSA key
[lookback@LookBack-MacBookPro ~]$ ls Desktop/OpenVPN/
cert_export_ca-certificate.crt  cert_export_client-certificate.crt  cert_export_client-certificate.key  cert_export_client-certificate2.key
[lookback@LookBack-MacBookPro ~]$
Create the OpenVPN client configuration file:
[lookback@LookBack-MacBookPro ~]$ cat > Desktop/OpenVPN/139.99.18.81.ovpn <<EOF
client
dev tun
proto tcp
remote 139.99.18.81 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<ca>
$(cat Desktop/OpenVPN/cert_export_ca-certificate.crt)
</ca>
<cert>
$(cat Desktop/OpenVPN/cert_export_client-certificate.crt)
</cert>
<key>
$(cat Desktop/OpenVPN/cert_export_client-certificate2.key)
</key>
EOF
[lookback@LookBack-MacBookPro ~]$ cat Desktop/OpenVPN/139.99.18.81.ovpn
client
dev tun
proto tcp
remote 139.99.18.81 1194
resolv-retry infinite
nobind
persist-key
persist-tun
#ca ca.crt
#cert client.crt
#key client.key
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDIDCCAgigAwIBAgIIFSnsJ9PMqmcwDQYJKoZIhvcNAQELBQAwGzEZMBcGA1UE
AwwQcm9zLXZwbi1kdG9wcy5jYzAeFw0xODExMjIwNDA4MTVaFw0yODExMTkwNDA4
MTVaMBsxGTAXBgNVBAMMEHJvcy12cG4tZHRvcHMuY2MwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCsPw1VT2KvJrkK+d4OB9C/IiYS9HJKGrvV2jlpsvfr
4r7Z0XEHPZfGN/oOCx5dqkVzpQrhCkniuGGScP+FQ10A7nIxSILl/SWLgdsM29gr
JBzj6O4clKIhadlIBlHosIu16SaesTx5IKCmapyBX21NYoEjTev387FGLZOwcNx4
ZWr9NQ2NiwRhzh2Cu27TxdvIzWxIjjVuJpSj41UXJXhtjVAIar8IrK7HyqjDg3fB
BVjWGcXq9sBo9EDEcq7ArKg18ptLROS4JAwDuzRlQJbt+6ykyQexEsrH/O3Q81nd
i5CPtGI/NbrNVFgaP3Z0O3rvGfUzCPfUP7+PKY+16upLAgMBAAGjaDBmMA8GA1Ud
EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTJh1HnISeQwWf9
bInPaQdZI0BjQjAkBglghkgBhvhCAQ0EFxYVR2VuZXJhdGVkIGJ5IFJvdXRlck9T
MA0GCSqGSIb3DQEBCwUAA4IBAQAjbjih4aGGKE+NRlxvtPG/rRCgBYjZrmuug3S9
0Mks3TLylWSehhrpmEdCByGFx2CaU2sA5kIyf9S+sii+TBuiyiLVRsOUWG9jtQx4
4vpyxt/lmJpzZsMFAc0jG67ZkKhETGte7RQ+D8J+gtBKDgIMeub/WP6GfGRPnlE4
MaxFeOmHSSdrs9L0/fsDPPO1k80Fd6NSL9VPLPrxH6HWbd4xLaAdx7FaO4Hj2sQN
pt1QryFDKhzlydAFORy/kRudil2Or+tEjYFqkADvHm+0d0O5ykuaNqqONnXhRxor
JhggpPntQMuN+3BzZej8rFlJES7tP4+5mqrpIVjkDYF9p5Ec
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIIaYYxJrBmU5QwDQYJKoZIhvcNAQELBQAwGzEZMBcGA1UE
AwwQcm9zLXZwbi1kdG9wcy5jYzAeFw0xODExMjIwNDA4MzBaFw0yODExMTkwNDA4
MzBaMCIxIDAeBgNVBAMMF2NsaWVudC5yb3MtdnBuLWR0b3BzLmNjMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAymqBCtpOAUztveZIqeLjxmzpdoDyjIHO
LuVDifjs4Ax1VNM0vjJPpmcMsu2iCUURsE0KI2PSeIzfcgrfVpltUEXwJ5zHyPim
4lNt3KPQX4G97KH/W0GVPdssj7XR1Hi64wO+Csu0wcNNZKcM1Ct9Y/k60oHJ+q96
44oc1Qn4u/R4HkZEQY4NrAQPziUvs4Zm/DW9AVATmmAfQ56o7KRIYW5bw3jEnrcu
KFqdkUNu4//kr+x1az/QroUm5Aj01ZSKENpBMPrFhuaiJ9Ve5zT/2iPMWvC1NYq0
89KSOCLLB4aCble1sBsXp52mmszrQ0mw3AHsYdIuIylIMQaHaaLYywIDAQABo30w
ezATBgNVHSUEDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUyu2FpYZXyJAlnKBIfWXb
Nn0XN/UwHwYDVR0jBBgwFoAUyYdR5yEnkMFn/WyJz2kHWSNAY0IwJAYJYIZIAYb4
QgENBBcWFUdlbmVyYXRlZCBieSBSb3V0ZXJPUzANBgkqhkiG9w0BAQsFAAOCAQEA
KOP9hgBpo68oQ01P8NyaQWXGLpxgDLAi0GHSCCWT0eF7B8k+PEwQqMYizIwjej2f
qdDL4LJ0lyyRWuCekA2DkkM845OJ5o56HRB+SoD3Dj9XGyx7HVtrA0zCg4jUeVdD
4ZJhrJ+aWgleHZ/X4Z7HVMbOr3PhApNVxBdIZ3ad4oIDWpro2aGVEBMjVA1d63vD
EGtmkftfim9g09zxtUaT5viHB09s+t79v+Q/SIsAVVmNc7zUtK4aMZve3E6Ijz8Y
9UPX2d40OuyjPk+S5g/rjkDEJS0kOQtIuOKCGKy2zPqCCW5mrDAIJBk+ub7/Frw5
FLpsmgv29C9619MSY/VeiA==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAymqBCtpOAUztveZIqeLjxmzpdoDyjIHOLuVDifjs4Ax1VNM0
vjJPpmcMsu2iCUURsE0KI2PSeIzfcgrfVpltUEXwJ5zHyPim4lNt3KPQX4G97KH/
W0GVPdssj7XR1Hi64wO+Csu0wcNNZKcM1Ct9Y/k60oHJ+q9644oc1Qn4u/R4HkZE
QY4NrAQPziUvs4Zm/DW9AVATmmAfQ56o7KRIYW5bw3jEnrcuKFqdkUNu4//kr+x1
az/QroUm5Aj01ZSKENpBMPrFhuaiJ9Ve5zT/2iPMWvC1NYq089KSOCLLB4aCble1
sBsXp52mmszrQ0mw3AHsYdIuIylIMQaHaaLYywIDAQABAoIBAGc96XGypUTOixhn
47obCtiDZpTV8mCuOI78yvUNrSwdzp6kV2uHV87lEroUsKgPvZTxxnEEki6Ak9uk
JgQSn4npEjPyKIieIuifaxK1zytXjpqqigdurQNuzgzCzTKVHaV6nCz/d8O4rLng
5o81W3Bph5IlNvMRHBoAsPIMcvzSLSb8TnSAvPTLTtidl1ajvXPmAs+uNpv6mQx+
ha7ezT0cGql/hWle876P5UK7j9tJBdXBbL1oCYETqvzDb0/cyRfQohvbqFMVTQpi
dC02vUdWn4AsHwDH4vetg1XkSszKM7gZJ/A2jlTCk8ogcxO9yxr6OIIq0omPm7Qh
z2eqCVkCgYEA7P1WstsSX2+UQ2W5lsZ4iOrDsfH0Ec7PvxbiC1RmAxh+c+l6ceFm
PMVtRGk1BfcVNSS0pIyvm0FfcTUSqgH3Qv08g3Goy/TuDGby78KMAhyzVn9bTpt7
tayzAkMRb3dsDxS/FFTvmpMzfTGmn/CSCRWpDjDzy1Ox+DySXnvcUpcCgYEA2qcv
eX/qW4FOsZDE/MxnzN62UCg75I26UiqsGkGlJWss8gxK/jDThOR5G/XdLTibPk6n
HN+ZUq5N6Jf9tnjQjyVe4Ygat7GmPXQeqe6nNewIxAtztbT8lJk55lWNW8TgvXN9
kKCPQF5ZsRsfh71JQHyUArn9weMzavnbUMO8Fe0CgYEAlOEWHSg445GCD9ERBSJL
yJ/LLre0P5evtPkYKkvsBhfWINVVIcOa6aSRXz/Emqm9PfSAMztaemtYHRNdVUYE
4qWZ5W16wB5viYUHKw4JzK3hD/7UCo7s6ZXDozEk++SHEvZSj+BH4dCFsSmG5sVH
yMM9v/eKwHokvLC4tviS0aMCgYEAyw1pVB7LR/D8YH+9v7ofRy0oB6ZlgGlxty5z
puqBcA9orNtnpUk4lPgL1EBuBrnDyYgHPxQS8ap3JWJItfTaUaT1yOG5Vg++/uDg
PRUo6TVqKo0sBnmt+l2VXGbkoG1j++vNlsrUXYWBK6yxij/pT96hISsSEcVpkZW4
6vbqqz0CgYBx5i3xN1RHdjITGGC5rMBK/9nnpURDKLNv0uz0CRMXbmeIDQod7DlQ
vGXrDFqjise0FC8TAPbhTBcnHP8tctzvd7Uq6uGTS75Q196H1RTktLWDQWqkX5e9
/PXPNB0Wx7YziLQSTdJGKfUh3Ilvo1gR2zVgzdcDeHan3frVNE7Ykg==
-----END RSA PRIVATE KEY-----
</key>
[lookback@LookBack-MacBookPro ~]$
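The client profile has to agree with what was set on the router (`auth=sha1`, `cipher=aes128,aes192,aes256`, TCP on port 1194, a client certificate plus a PPP secret), and the inlined key must be the passphrase-free copy produced by the `openssl rsa` step, or the client will prompt for a passphrase on every connect. `remote-cert-tls server` matters because of the key-usage split above: the server template carries `tls-server`, the client template only `tls-client`, so with this directive the client refuses a peer that presents another client's CA-signed certificate. As an added example (not code from the post), this Python script assembles the same inline profile the heredoc builds and lints an existing one against the router settings. It assumes, as stated in the comments, that RouterOS 6.x serves OpenVPN over TCP only, on port 1194 in mode=ip (tun); the PEM blocks it feeds itself are constructed placeholders, not certificates.

```python
# Added example: build the inline .ovpn profile the post assembles with a
# heredoc, and lint a profile against the settings used on the RouterOS side.
import base64
import re

# Server-side settings as set on the router in the post
# (/interface ovpn-server server set ... auth=sha1 cipher=aes128,aes192,aes256).
# ASSUMPTION: RouterOS 6.x OpenVPN is TCP-only and listens on 1194 in
# mode=ip (tun); the post does not print those values.
ROUTER_SETTINGS = {
    "auth": "sha1",
    "cipher": ["aes128", "aes192", "aes256"],
    "port": 1194,
    "proto": "tcp",
}

# RouterOS cipher/auth names -> OpenVPN client directive values
CIPHER_NAMES = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
AUTH_NAMES = {"sha1": "SHA1", "md5": "MD5"}

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def check_pem(pem: str, kind: str) -> str:
    """Return the PEM block for `kind` ("ca", "cert" or "key") after checking that
    it exists, that a key is not still passphrase-protected, and that the base64
    body decodes to a DER SEQUENCE (tag 0x30)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError(f"{kind}: no PEM block found")
    label, body = m.group(1), m.group(2)
    if kind == "key":
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            raise ValueError(f"{kind}: still passphrase-protected; strip it with "
                             "'openssl rsa -in old.key -out new.key' first")
    elif label != "CERTIFICATE":
        raise ValueError(f"{kind}: expected CERTIFICATE, got {label}")
    der = base64.b64decode("".join(body.split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError(f"{kind}: body is not a DER SEQUENCE")
    return m.group(0)


def build_profile(remote: str, ca_pem: str, cert_pem: str, key_pem: str,
                  settings=ROUTER_SETTINGS) -> str:
    """Assemble the inline client profile; the cipher is the first one the
    router offers."""
    lines = [
        "client", "dev tun",
        f"proto {settings['proto']}",
        f"remote {remote} {settings['port']}",
        "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
        "remote-cert-tls server",
        f"cipher {CIPHER_NAMES[settings['cipher'][0]]}",
        f"auth {AUTH_NAMES[settings['auth']]}",
        "auth-user-pass", "redirect-gateway def1", "verb 3",
        "<ca>", check_pem(ca_pem, "ca"), "</ca>",
        "<cert>", check_pem(cert_pem, "cert"), "</cert>",
        "<key>", check_pem(key_pem, "key"), "</key>",
    ]
    return "\n".join(lines) + "\n"


def lint_profile(text: str, settings=ROUTER_SETTINGS) -> list:
    """Return mismatches between a client profile and the router settings;
    an empty list means the two should negotiate cleanly."""
    body = re.sub(r"<(ca|cert|key)>.*?</\1>", "", text, flags=re.S)
    directives = {}
    for line in body.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            directives[key] = value
    problems = []
    if directives.get("proto") != settings["proto"]:
        problems.append(f"proto must be {settings['proto']}: RouterOS serves OpenVPN over TCP only")
    if directives.get("remote", "").split()[-1:] != [str(settings["port"])]:
        problems.append(f"remote must use port {settings['port']}")
    offered = {CIPHER_NAMES[c] for c in settings["cipher"]}
    if directives.get("cipher") not in offered:
        problems.append(f"cipher {directives.get('cipher')!r} is not offered by the router")
    if directives.get("auth") != AUTH_NAMES[settings["auth"]]:
        problems.append(f"auth must be {AUTH_NAMES[settings['auth']]}")
    if directives.get("remote-cert-tls") != "server":
        problems.append("missing 'remote-cert-tls server': the client would accept any "
                        "CA-signed certificate as the server, a tls-client one included")
    if "auth-user-pass" not in directives:
        problems.append("missing auth-user-pass: the router authenticates the PPP secret")
    for tag in ("ca", "cert", "key"):
        if not re.search(rf"<{tag}>.*?</{tag}>", text, re.S):
            problems.append(f"missing inline <{tag}> block")
    return problems


# Constructed sample material (NOT real certificates): a DER SEQUENCE holding
# INTEGER 1 is enough to exercise the PEM checks above.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_CA = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_DER_B64}\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        f"DEK-Info: AES-128-CBC,00\n\n{FAKE_DER_B64}\n"
                        "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    profile = build_profile("139.99.18.81", SAMPLE_CA, SAMPLE_CA, SAMPLE_KEY)
    print(profile)
    print("problems:", lint_profile(profile))
```

To check a real profile, read the `.ovpn` file and pass its text to `lint_profile`; to build one, pass the contents of the three exported files (the `cert_export_client-certificate2.key` copy for the key) to `build_profile`. The lint intentionally only validates structure and directive agreement; it does not parse X.509, so chain and key-usage correctness still come from `openssl verify` or from the first real connection attempt.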
Summary of the whole process
[admin@DTOPS-OVH-SG-Router-Node1] > /certificate
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=ca-template common-name=ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=server-template common-name=*.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> add name=client-template common-name=client.ros-vpn-dtops.cc days-valid=3650 key-size=2048 key-usage=tls-client
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign ca-template name=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign server-template name=server-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> sign client-template name=client-certificate ca=ca-certificate
  progress: done
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate ca-certificate export-passphrase=""
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> export-certificate client-certificate export-passphrase=12345678
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /ip pool add name="openvpn-pool" ranges=172.20.253.1-172.20.253.254
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /ppp profile add name="openvpn-profile" use-encryption=yes local-address=172.20.0.1 dns-server=139.99.18.82,139.99.115.58 remote-address=openvpn-pool
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /ppp secret add name=lookback profile=openvpn-profile password=lookback123
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /interface ovpn-server server set default-profile=openvpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
[admin@DTOPS-OVH-SG-Router-Node1] /certificate> /
[admin@DTOPS-OVH-SG-Router-Node1] > /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
[admin@DTOPS-OVH-SG-Router-Node1] > quit