MikroTik OpenVPN server and Windows OpenVPN client (LAB demo)
- Published: 15 Sep 2024
- The video is published as a demo for this article: mikrotik.unibi...
Use this URL for a direct English translation: translate.goog...
CLI commands and URLs used in the video:
/certificate add name=CA-tpl country="BG" state="BG" locality="Sofia" organization="UNIBIT" unit="MA" common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
/certificate add name=SERVER-tpl country="BG" state="BG" locality="Sofia" organization="UNIBIT" unit="MA" common-name="192.168.137.2" key-size=4096 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign SERVER-tpl ca="CA" name="SERVER"
/certificate add name=CLIENT-tpl country="BG" state="BG" locality="Sofia" organization="UNIBIT" unit="MA" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate CLIENT1 export-passphrase=12345678
MTVPN.ovpn file without comments:
client
dev tun
proto tcp-client
remote 192.168.137.2
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca cert_export_CA.crt
cert cert_export_CLIENT1.crt
key cert_export_CLIENT1.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
;redirect-gateway def1
MTVPN.ovpn file with comments: mikrotik.unibi...
URLs:
mikrotik.unibi...
openvpn.net/in...
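As an added example (not code from the video or from the mikrotik.unibit.bg article), here is a small checker for an OpenVPN client profile such as the MTVPN.ovpn above. It parses the directive lines and reports the settings a defender would review before handing the profile to users: the cipher and HMAC, whether `remote-cert-tls server` is present, and how the username/password are handled. The directive names are standard OpenVPN ones; the sample profile (with the cipher deliberately set to Blowfish, the RouterOS default discussed in the comments) and the wording of the findings are constructed here.

```python
"""Added example: review an OpenVPN client profile for weak or risky settings.
Not part of the video or the UniBIT article; the sample profile below is
constructed from the MTVPN.ovpn shown in the description.
"""

# Constructed sample: MTVPN.ovpn from the description, except that the cipher
# is Blowfish so the checker has something to report.
SAMPLE_OVPN = """\
client
dev tun
proto tcp-client
remote 192.168.137.2
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca cert_export_CA.crt
cert cert_export_CLIENT1.crt
key cert_export_CLIENT1.key
verb 4
mute 10
cipher BF-CBC
auth SHA1
auth-user-pass secret
auth-nocache
;redirect-gateway def1
"""

# Ciphers and HMACs that should not appear in a new profile.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}


def parse_ovpn(text):
    """Map each directive to its argument list; ';' and '#' lines are comments.
    A directive without arguments (e.g. 'client') maps to an empty list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def check_profile(text):
    """Return a list of findings (strings); an empty list means nothing to flag."""
    conf = parse_ovpn(text)
    findings = []

    cipher = (conf.get("cipher") or ["(unset)"])[0].upper()
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher}: legacy 64-bit-block or null cipher; "
                        "use AES-256-CBC as in MTVPN.ovpn")

    auth = (conf.get("auth") or ["(unset)"])[0].upper()
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth}: prefer SHA256 for the packet HMAC")

    # Without 'remote-cert-tls server' the client accepts any certificate the CA
    # signed, so another client's certificate could be presented as the server.
    if conf.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: the server certificate's "
                        "key usage is not checked")

    if "auth-user-pass" in conf and "auth-nocache" not in conf:
        findings.append("auth-user-pass without auth-nocache: the password stays "
                        "cached in the client process")

    # 'auth-user-pass <file>' reads the username and password from that file.
    if len(conf.get("auth-user-pass", [])) == 1:
        findings.append(f"auth-user-pass {conf['auth-user-pass'][0]}: credentials "
                        "stored on disk; protect the file like the private key")

    for directive in ("ca", "cert", "key"):
        if directive not in conf:
            findings.append(f"{directive} missing: a certificate-based TLS "
                            "handshake cannot complete")

    return findings


if __name__ == "__main__":
    for finding in check_profile(SAMPLE_OVPN):
        print("-", finding)
```

Run it on the sample and it reports the Blowfish cipher, the SHA1 HMAC and the credentials file; with `cipher AES-256-CBC` and `auth SHA256` only the credentials-file note remains, which is expected when the profile is meant to connect unattended.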
Thank you very much. Your video tutorial helped a lot. Nothing superfluous. Everything is extremely clear...
Very useful..many thanks
excellent explanation HATS OFF
Excelente!!!
Thanks, very useful ;D
excellent!!! Thanks
Hi, I just followed your configuration step by step, changing the parameters for my own devices, and while trying to connect I get the following error: OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. Can you point me in the right direction here? Thanks!
Step 5:46 is not required; when connecting you will be asked to enter the password.
Hi, I am having an issue. I am getting the address of my private network but not the public address of my remote location. Why is that?
Hi, I followed the steps but it shows me an error that says: error parsing config private key: Pk, private key password cannot be empty. I followed the exact steps shown in the video. Can you help me?
Hi! This is a very useful guide and it is very explicative. But I'm struggling with one problem. When a client tries to connect to the MikroTik OVPN server, the following logs get registered. I have no idea why it happens, because a rule on the firewall accepts port 1194
/ip firewall filter add action=accept chain=input disabled=no dst-port=1194 in-interface=ether1-gateway protocol=tcp place-before=0
Logs:
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK,PSH). 94.243.69.185:62050->here is my public IP:1194, len 180
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK,PSH). 94.243.69.185:62050->here is my public IP:1194, len 330
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK). 94.243.69.185:62050->here is my public IP:1194, len 52
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK,FIN). 94.243.69.185:62050->here is my public IP:1194, len 52
REMARK: I created certificates as in your tutorial; the only difference is in the IP
/certificate sign CA-tpl ca-crl-host=192.168.1.1 name="CA"
/certificate add name=SERVER-tpl ... common-name="my public IP" ...
CAN SOMEBODY ADVISE WHAT TO DO IN THIS CASE, PLEASE?
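As an added example (not part of the thread), the following script parses RouterOS firewall log lines in the layout shown in the post above and summarises each TCP flow, so it is clear whether packets are reaching the input chain at all. A flow that shows ACK,PSH payload followed by a FIN reached the OVPN service and was closed by it, which points at the TLS layer (certificates, cipher) rather than at the firewall; a flow with only a SYN never completed the handshake. The addresses are constructed from the RFC 5737 documentation ranges and stand in for the poster's real ones; the log field layout is RouterOS's own.

```python
"""Added example: summarise RouterOS firewall log lines per TCP flow.
Not part of the thread; the sample lines below are constructed in the
same layout as the poster's log, with documentation addresses.
"""
import re

# Constructed sample; 198.51.100.7 stands in for "my public IP".
SAMPLE_LOG = """\
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK,PSH). 203.0.113.5:62050->198.51.100.7:1194, len 180
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK,PSH). 203.0.113.5:62050->198.51.100.7:1194, len 330
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK). 203.0.113.5:62050->198.51.100.7:1194, len 52
input: in:ether1 out:(none), src-mac 02:03:39:04:30:57, proto TCP (ACK,FIN). 203.0.113.5:62050->198.51.100.7:1194, len 52
"""

# One RouterOS firewall log line: "<prefix>: in:<if> out:(<if>), src-mac <mac>,
# proto <proto> (<flags>). <src>:<sport>-><dst>:<dport>, len <n>"
LINE_RE = re.compile(
    r"^(?P<prefix>[^:]+): in:(?P<in_if>\S+) out:\((?P<out_if>[^)]*)\), "
    r"src-mac (?P<mac>[0-9a-f:]{17}), proto (?P<proto>\w+) \((?P<flags>[^)]*)\)\. "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else set()
    for field in ("sport", "dport", "length"):
        rec[field] = int(rec[field])
    return rec


def summarize_flows(text):
    """Group lines by (src, sport, dst, dport) and collect packets, bytes, flags."""
    flows = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flow = flows.setdefault(key, {"chain": rec["prefix"], "packets": 0,
                                      "bytes": 0, "flags": set()})
        flow["packets"] += 1
        flow["bytes"] += rec["length"]
        flow["flags"] |= rec["flags"]
    return flows


def diagnose(flow):
    """Say what the logged TCP flags imply about where the connection stopped."""
    flags = flow["flags"]
    if "PSH" in flags and "FIN" in flags:
        return ("payload exchanged then closed: the firewall passed the packets; "
                "check certificates and the cipher/auth settings on both sides")
    if flags == {"SYN"}:
        return ("only SYN logged: the handshake never completed; check that the OVPN "
                "server is enabled on this port and that the reply path is not filtered")
    return "partial session: compare with the OpenVPN client log"


if __name__ == "__main__":
    for key, flow in summarize_flows(SAMPLE_LOG).items():
        src, sport, dst, dport = key
        print(f"{src}:{sport} -> {dst}:{dport} [{flow['chain']}] "
              f"{flow['packets']} pkts, {flow['bytes']} bytes, "
              f"flags={sorted(flow['flags'])}: {diagnose(flow)}")
```

For the poster's four lines the script reports one flow with ACK, PSH and FIN: the client's packets were accepted and answered, so the firewall rule is not the problem, which matches the later resolution in the thread where the cipher setting turned out to be the cause.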
+alex fox Hi! Your firewall rule looks perfect. I don't know what your network topology is. Try removing the in-interface and importing the firewall filter rule like this:
/ip firewall filter add action=accept chain=input disabled=no dst-port=1194 protocol=tcp place-before=0
Are the counters of the rule working now?
Can you please post logs from the OpenVPN client and enable advanced logging on RouterOS like this:
/system logging action add disk-file-name=OpenVPN.log name=OpenVPN target=disk
/system logging add action=OpenVPN prefix=OpenVPN_ topics=ovpn
and post the logs from RouterOS likewise
Here is an example of my OpenVPN client log file: mikrotik.unibit.bg/wp-content/uploads/OpenVPN-conn-log.txt
RouterOS OpenVPN.log file: mikrotik.unibit.bg/wp-content/uploads/OpenVPN.log.0.txt
+MikroTik Академия при УниБИТ The issue has been solved when I enabled the Blowfish option. I read somewhere that it is the default for OVPN.
PPP->Interface->OVPN Server->Cipher: ✔blowfish
Now I have access to the remote machines. However, when I check MY IP, it doesn't give me the public IP of the MikroTik. It gives the public IP of the remote OVPN client.
Maybe something else should be set up on the MikroTik server?
The same situation I had when I was connected to the PPTP server, but that issue was solved by adding a firewall rule:
Chain:forward; In. Interface:all ppp; Connection State:new; Action:accept
After adding this rule, when I check MY IP, it gives public IP of Mikrotik.
How can I solve that issue with OVPN server?
Sorry for writing in that style, I am a noob in RouterOS :)
+alex fox Hi! It is better not to use Blowfish. If possible, edit the .ovpn file of your client and change the cipher to AES-256-CBC.
Here is a demo of my ovpn file mikrotik.unibit.bg/wp-content/uploads/MTVPN.ovpn
About routing: the default configuration of your client doesn't add a default route. Try adding redirect-gateway def1 to the .ovpn.
Test with route print -4 in cmd. You must have two destinations 0.0.0.0/0, and one must be through your VPN server.
+alex fox Do you have NAT (src-nat+masquerade) for your VPN clients (for their IP pool)?
Thank you, I set the client settings to cipher AES-256-CBC. Now it works without Blowfish.
Anyway, when I check MyIP on client's side, it still does not show the Public IP of OVPN Server router.
The VPN pool is IPs from the LAN range. Masquerade works fine for the LAN, so I think it should work fine with the VPN pool too.
Could you please write which setting of my router you want to know?
It is TCP based so it will be slow. MikroTik doesn't support UDP.
Satish Patel we expect UDP support in RouterOS v7
@mantor4o how slow is it? Is it practical to implement this OpenVPN server in an office environment?
ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
Why do I receive this log?
remove remote-cert-tls server from your .ovpn file
Friends, everything worked; the only problem is that the VPN clients can't ping each other.
I think you need to add all the ovpn interfaces to the bridge.
How can I configure this for it to work from home?
One piece of advice: if you make these videos for people who already know how it's done, keep going. But if you want to be useful to people who haven't done it and want to learn from you, seriously consider changing the person who presents it and the way you present it. The more complicated way is not always the better one. Well, if someone wants to learn, don't do it from this clip.
This may be useful mikrotik.unibit.bg/articles/mikrotik-openvpn-server-windows-client/
@MikrotikAcademy ruclips.net/video/pv10UCgG0yQ/видео.html. Presence of explanations, pace of presentation, structured in stages. Yes, I understand that you know and can do it. But the goal is to teach others, not to show how knowledgeable you are.
VPN Client and Server are on the same network !! Why are you connecting them via VPN ??
+Imbrica Špiček This is a working example of how to configure an OpenVPN server under RouterOS and an OpenVPN client under Windows. From the network topology you can see that the OpenVPN client and PC1 are not in the same L3 network. The VPN server allows the OpenVPN client and PC1 to communicate successfully. Everybody can apply this demo to his own topology.
Also, connecting clients to a server in the same broadcast domain is not an unusual scenario. For example, PPPoE works that way. It is clear that OpenVPN (MikroTik TCP implementation) is a routed (not routing) protocol. For me there is no such big difference whether there is a router between the OpenVPN client and the OpenVPN server or not.
I understand your point of view, but ..
The largest number of VPN connections is used to connect remote users to the local network through the Internet, and your presentation is supposed to take that into account.
For users with less experience it is absolutely unclear why the VPN is needed when the networks can connect via the router.
but that's just my opinion
Besides that, excellent video !!
greetings
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
Pls. This host is my WAN address, right?
+1 Can anyone answer?
How can I change the TAP-Windows Adapter V9 to a private network on Windows 10 Home?
+Rostislav Pokorný I didn't understand your question very well. Please explain.
+MikroTik Академия при УниБИТ Windows marked the TAP-Windows Adapter V9 as a public network in the Network and Sharing Center. How can I turn on network discovery and file sharing?
Colleagues! Does anyone know how to make the server (2008r2) connect to the MikroTik automatically on reboot? My problem is that on connect I always have to enter the password, the one from the example /certificate export-certificate CLIENT1 export-passphrase=12345678, so I can't set up a task in the scheduler triggered by the server boot event.
Write a batch file, then put it in the scheduler.
The links are broken.
What's with the annoyingly loud music in this video? Do you expect people to throw a party while watching your videos?