DC


OpenVPN server on a MikroTik

parameters: bridge mode
port: 1194
net: 172.29.0.0/26
routing: default gateway + NAT

OVPN server keys:
- generate the certificates
- copy them to the MikroTik over FTP

 /certificate import file-name=s1-ovpn.crt
 /certificate import file-name=s1-ovpn.key
 /certificate print                          ! verify that the server certificate shows the KR flags

 - afterwards the key files can be deleted from the router's file directory
##########################


/interface bridge add name=ovpn-bridge                                               ! creates the ovpn-bridge interface
/interface bridge port add interface=ether1 bridge=ovpn-bridge                       ! attaches ether1 to ovpn-bridge

/ip address add address=172.29.0.1/26 interface=ovpn-bridge comment=OVPN-Lan
/ip firewall nat add chain=srcnat src-address=172.29.0.0/26  action=masquerade       ! enable source NAT (masquerade) for the whole OVPN pool
/ip pool add name=ovpn-pool ranges=172.29.0.2-172.29.0.62

/ppp profile 
add local-address=172.29.0.1 change-tcp-mss=default comment="" bridge=ovpn-bridge \
name="ovpn_ppp_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
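The bridge address, pool range and srcnat rule above have to agree with each other (the pool must sit inside the /26, must not hand out the gateway, network or broadcast address, and must be fully covered by the masquerade rule). The following is an added example, not part of the original note, that checks exactly those relationships with Python's standard ipaddress module; the three values are the ones from the RouterOS commands above.

```python
# Added example (not from the original note): sanity-check the MikroTik address plan
# used for the OVPN bridge with Python's stdlib ipaddress module.
import ipaddress

# Values copied from the RouterOS commands in the note.
BRIDGE_ADDRESS = "172.29.0.1/26"          # /ip address add ... interface=ovpn-bridge
POOL_RANGE = "172.29.0.2-172.29.0.62"      # /ip pool add name=ovpn-pool ranges=...
NAT_SRC = "172.29.0.0/26"                  # /ip firewall nat ... src-address=


def _range_bounds(pool_range):
    """Split a RouterOS 'a.b.c.d-e.f.g.h' pool range into two IPv4Address objects."""
    first, last = (ipaddress.ip_address(p.strip()) for p in pool_range.split("-"))
    return first, last


def check_plan(bridge_address, pool_range, nat_src):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    iface = ipaddress.ip_interface(bridge_address)   # gateway address + its subnet
    net = iface.network
    first, last = _range_bounds(pool_range)
    nat_net = ipaddress.ip_network(nat_src, strict=False)

    if first > last:
        problems.append("pool range is reversed")
    if first not in net or last not in net:
        problems.append("pool range is outside the bridge subnet")
    if first <= iface.ip <= last:
        problems.append("pool overlaps the gateway address (a client could be handed the gateway IP)")
    if net.network_address in (first, last) or net.broadcast_address in (first, last):
        problems.append("pool includes the network or broadcast address")
    if first not in nat_net or last not in nat_net:
        problems.append("srcnat masquerade rule does not cover the whole pool")
    return problems


def pool_size(pool_range):
    """Number of client addresses the pool can hand out."""
    first, last = _range_bounds(pool_range)
    return int(last) - int(first) + 1


if __name__ == "__main__":
    print(check_plan(BRIDGE_ADDRESS, POOL_RANGE, NAT_SRC) or "address plan OK")
    print("usable client addresses:", pool_size(POOL_RANGE))
```

With the note's values the check returns no problems and reports 61 client addresses; widening the pool to 172.29.0.1-172.29.0.63 would flag both the gateway overlap and the broadcast address.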

OpenVPN server configuration (port 1194):

/interface ovpn-server server 
set auth=sha1,md5 certificate=cert1 enabled=yes \
cipher=blowfish128,aes128,aes192,aes256 default-profile=ovpn_ppp_profile \
keepalive-timeout=60 max-mtu=1500 mode=ethernet netmask=26 \
port=1194 require-client-certificate=yes 

Adding the first client:

 - generate a client certificate and copy it to the MikroTik over FTP
 /certificate import file-name=client1.crt
 /certificate print                          ! verify that the crt for client1 has been imported

/ppp secret 
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="client1" password="Heslo" \
routes="" service=ovpn profile=ovpn_ppp_profile


####################################################
 OpenVPN configuration for the client ( http://openvpn.se/ ):
mikrotik.ovpn

tls-client
client
dev tap
pull
proto tcp
remote "ip address where the server runs" 1194
resolv-retry infinite
nobind
# ns-cert-type server  - this option checks the X509v3 Key Usage certificate type to verify that it really is a server certificate (an additional check)
persist-key
ca ca.crt
cert volfp.crt
key volfp.key
verb 3
auth-user-pass
redirect-gateway
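The profile above is what gets handed to users, and the one check the note comments out (ns-cert-type server) is the one that stops a client from accepting any CA-signed certificate, such as another client's, as the server. The following is an added example, not part of the original note or of OpenVPN itself, that parses a client .ovpn file with the standard library and reports the things worth reviewing before distributing it: required directives, whether a server certificate type check is active, an unfilled placeholder host, and the port. The embedded profile is a constructed copy of mikrotik.ovpn with 192.0.2.10 standing in for the server address.

```python
# Added example (not from the original note): a small linter for OpenVPN client
# profiles such as mikrotik.ovpn. Stdlib only.
import shlex

# Constructed copy of the client profile from the note; 192.0.2.10 is a
# documentation address standing in for the real server IP.
MIKROTIK_OVPN = """\
tls-client
client
dev tap
pull
proto tcp
remote 192.0.2.10 1194
resolv-retry infinite
nobind
# ns-cert-type server
persist-key
ca ca.crt
cert volfp.crt
key volfp.key
verb 3
auth-user-pass
redirect-gateway
"""

# Directives that make the client verify the server certificate's type.
# ns-cert-type is the one the note mentions; remote-cert-tls is its
# replacement in current OpenVPN releases.
SERVER_CERT_CHECKS = ("ns-cert-type", "remote-cert-tls", "verify-x509-name")


def parse_ovpn(text):
    """Return (directives, commented): directives maps option name -> list of
    argument lists; commented holds option names that appear only in comments."""
    directives, commented = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#;":
            words = line.lstrip("#; ").split()
            if words:
                commented.add(words[0])
            continue
        name, *args = shlex.split(line)          # honours quoted values
        directives.setdefault(name, []).append(args)
    return directives, commented


def lint_ovpn(text, expected_port="1194"):
    """Return a list of findings; an empty list means nothing to report."""
    d, commented = parse_ovpn(text)
    findings = []
    for required in ("client", "ca", "cert", "key", "remote"):
        if required not in d:
            findings.append(f"missing directive: {required}")
    if not any(k in d for k in SERVER_CERT_CHECKS):
        note = " (present but commented out)" if commented & set(SERVER_CERT_CHECKS) else ""
        findings.append("no server certificate type check" + note)
    for args in d.get("remote", []):
        host = args[0] if args else ""
        port = args[1] if len(args) > 1 else "1194"   # OpenVPN's default port
        if not host or " " in host:
            findings.append(f"remote host looks like an unfilled placeholder: {host!r}")
        if port != expected_port:
            findings.append(f"remote uses port {port}, expected {expected_port}")
    return findings


if __name__ == "__main__":
    for finding in lint_ovpn(MIKROTIK_OVPN) or ["profile OK"]:
        print(finding)
```

Run against the note's profile it reports only the commented-out server certificate check; uncommenting ns-cert-type server (or, on OpenVPN 2.5 and newer, where ns-cert-type has been removed, using remote-cert-tls server) clears it. Leaving the note's literal "ip address where the server runs" in the remote line is also reported, since a space in the host field means the placeholder was never filled in.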

###################################################
The user keeps their own certificate and the private key belonging to it.
- so that they can verify that the server certificate is genuine, they also keep the certificate
  of the certification authority


TROUBLESHOOTING:
 - check the clock on both the server and the client so that the certificate validity period matches