Na wiki Mikrotiku naleznete spousty n\u00e1vodu jak nakonfigurovat OVPN server na Mikrotiku, ale z m\u00e9ho hlediska jsou a\u017e moc obecn\u00e9.<\/p>\n
V\u00a0tomto n\u00e1vodu se tedy pokus\u00edm shrnout mou konfiguraci od A do Z.
\nC\u00edlem je nakonfigurovat OpenVPN server pro vzd\u00e1len\u00fd p\u0159\u00edstup klient\u016f a z\u00e1rove\u0148 vytvo\u0159en\u00ed n\u011bkolika VPN profil\u016f a jejich omezen\u00ed na firewallu.<\/p>\n
Kl\u00ed\u010dem pro \u00fasp\u011b\u0161n\u00e9 fungov\u00e1n\u00ed VPN je \u010das. Nastav\u00edme tedy NTP servery<\/p>\n
Nyn\u00ed je pot\u0159eba vytvo\u0159it certifik\u00e1t certifika\u010dn\u00ed autority (CA). To lze nyn\u00ed ud\u011blat p\u0159\u00edmo v\u00a0Mikrotiku (ve star\u0161\u00edch verz\u00edch to ne\u0161lo a vytv\u00e1\u0159elo se to bu\u010f na Linuxu a nebo pomoc\u00ed aplikac\u00ed t\u0159et\u00edch stran).<\/p>\n Podep\u00ed\u0161eme CA (jako CRL host pou\u017eij IP VPN serveru)<\/p>\n <\/p>\n Jakmile m\u00e1me certifika\u010dn\u00ed autoritu, m\u016f\u017eeme vytvo\u0159it certifik\u00e1t serveru (VPN serveru)<\/p>\n A podep\u00ed\u0161eme op\u011bt<\/p>\n A do t\u0159etice je pot\u0159eba je\u0161t\u011b vytvi\u0159it certifik\u00e1t(y) pro klienty. M\u016f\u017eete pou\u017e\u00edt stejn\u00fd Certifik\u00e1t pro v\u0161echny klienty, a nebo ka\u017ed\u00e9mu klientu vygenerovat jeden. Rozhodnut\u00ed je na V\u00e1s, v\u00a0obou p\u0159\u00edpadech to bude fungovat.<\/p>\n Pokud by jste cht\u011bli vyplnit v\u00edce informac\u00ed do klientsk\u00fdch certifik\u00e1tu, tak je to pot\u0159eba ud\u011blat p\u0159ed podeps\u00e1n\u00edm.<\/p>\n Jeste je potreba nastavit, aby certifik\u00e1t Serveru a CA m\u011bl flag T (Trusted). Ov\u011b\u0159it si to m\u016f\u017eete pomoc\u00ed p\u0159\u00edkazu<\/p>\n Pokud nen\u00ed, p\u0159idat do Trusted m\u016f\u017eete pomoc\u00ed p\u0159ikazu<\/p>\n To by bylo k\u00a0certifik\u00e1t\u016fm asi v\u0161e. Te\u010f u\u017e je pot\u0159eba je jen vyexportovat. Pro klienta je pot\u0159eba m\u00edt Certifik\u00e1t CA a klientsk\u00fd certifik\u00e1t a je\u0161t\u011b k\u00a0tomu priv\u00e1tn\u00ed kl\u00ed\u010d . Export provedeme t\u011bmito p\u0159\u00edkazy. Kli\u010de si st\u00e1hneme do po\u010d\u00edta\u010de, pozd\u011bji se k\u00a0n\u00edm vr\u00e1t\u00edme.<\/p>\n POZOR!<\/span><\/strong><\/p>\n Pokud budete pou\u017e\u00edvat mobiln\u00edho klienta na Androidu (nebo iOS), tak z\u0159ejm\u011b naraz\u00edte na probl\u00e9m jako j\u00e1, \u017ee klient si neporadil se za\u0161ifrovan\u00fdm priv\u00e1tn\u00edm kl\u00ed\u010dem. Tak\u017ee je ho pot\u0159eba de\u0161ifrovat. K\u00a0tomuto si budete muset st\u00e1hnout z\u00a0internetu openssl (pro windows jsem pou\u017eil odkaz https:\/\/sourceforge.net\/projects\/openssl\/<\/a>) a pomoc\u00ed tohoto p\u0159\u00edkazu provedete de\u0161ifrov\u00e1n\u00ed:<\/p>\n openssl rsa \u2013in <cesta k zasifrovanemu klici> -out <nov\u00fd><\/p>\n Jen pro informaci. Takhle vypad\u00e1 za\u0161ifrovan\u00fd priv\u00e1tn\u00ed kl\u00ed\u010d<\/p>\n —–BEGIN ENCRYPTED PRIVATE KEY—–<\/p>\n A takhle de\u0161ifrovan\u00fd priv\u00e1tn\u00ed kl\u00ed\u010d<\/p>\n —–BEGIN RSA PRIVATE KEY—–<\/p>\n Vytvo\u0159\u00edme si IP pooly. Zde bych se tak\u00e9 pozastavil a vysv\u011btlil jednu d\u016fle\u017eitou v\u011bc.<\/p>\n P\u0159i vytv\u00e1\u0159en\u00ed jak\u00e9koliv lok\u00e1ln\u00ed s\u00edt\u011b obvykle pou\u017e\u00edv\u00e1me adresy z\u00a0priv\u00e1tn\u00edho prostoru (v\u00edce o priv\u00e1tn\u00edm prostoru na wiki https:\/\/cs.wikipedia.org\/wiki\/Priv%C3%A1tn%C3%AD_s%C3%AD%C5%A5<\/a>). Nej\u010dast\u011bji pou\u017e\u00edvan\u00e1 s\u00ed\u0165 je 192.168.0.0.\/16. Tuto s\u00ed\u0165 naleznete na v\u011bt\u0161in\u011b dom\u00e1c\u00edch routeru (krom O2, ti pou\u017e\u00edvaj\u00ed 10.0.0.0\/8). T\u00edm p\u00e1dem bych se vyhnul pou\u017e\u00edv\u00e1n\u00ed lok\u00e1ln\u00ed s\u00edt\u011b 192.168.x.x na Mikrotik routeru kter\u00fd bude OpenVPN server. D\u016fvod je velice prost\u00fd, jeliko\u017e p\u0159i konfiguraci klienta obvykle vyu\u017e\u00edv\u00e1me routy, kter\u00e9 n\u00e1m ur\u010duj\u00ed, do kter\u00e9 s\u00edt\u011b se chceme skrze VPN p\u0159ipojit. Pokud by jste m\u011bli stejnou s\u00ed\u0165 v\u00a0kav\u00e1rn\u011b (kde budete jako klient) a na routeru (kam se budete p\u0159ipojovat), mohlo by se st\u00e1t, \u017ee by routy nefungovaly spr\u00e1vn\u011b.<\/p>\n Tak\u017ee m\u00e1 doporu\u010den\u00ed je si nastavit va\u0161\u00ed lok\u00e1ln\u00ed s\u00ed\u0165 (kam se budete p\u0159ipojovat) z\u00a0rozsahu 172.16.0.0\/16 a virtu\u00e1ln\u00ed VPN s\u00ed\u0165 z\u00a0rozsahu 10.0.0.0\/8<\/p>\n Zp\u011bt ke konfiguraci poolu. Pro demonstraci v\u00edce profilu si vytvo\u0159\u00edme dva pooly.<\/p>\n Vytvo\u0159\u00edme VPN profily a zvol\u00edme si na\u0161e vytvo\u0159en\u00e9 pooly jako remote address<\/p>\n Nyn\u00ed si vytvo\u0159\u00edme libovoln\u00fd po\u010det u\u017eivatel\u016f a p\u0159id\u00e1me do vytvo\u0159en\u00fdch profil\u016f<\/p>\n Do\u0161li jsme k\u00a0nejpodstatn\u011bjs\u00ed v\u011bci a to je zapnut\u00ed OpenVPN serveru<\/p>\n Je\u0161t\u011b povol\u00edme defalt port pro OpenVPN 1194 na firewallu<\/p>\n Jako n\u00e1zorn\u00fd p\u0159iklad si vezmene Windows klient. Tak\u017ee pro windows si st\u00e1hneme OVPN client z\u00a0oficialn\u00edch str\u00e1nek openvpn.net a nainstalujeme. Po instalaci si otev\u0159eme slo\u017eku z\u00a0konfigura\u010dn\u00edmi soubory (nach\u00e1zi se v\u00a0Program Files ve slo\u017ece kde jste nainstalovali OpenVPN). Zde tak\u00e9 nalezneme sample konfigura\u010dn\u00ed soubor. Ten uprav\u00edme podle va\u0161eho nastaven\u00ed serveru. Zde jen vyp\u00edchnu d\u016fle\u017eit\u00e9 \u0159\u00e1dky.<\/p>\n Mikrotik um\u00ed pouze TCP<\/p>\n proto tcp<\/p>\n Certifik\u00e1t CA a klientsky certifik\u00e1t spolu s\u00a0privatn\u00edm kl\u00ed\u010dem je pot\u0159eba nakop\u00edrovat do stejn\u00e9 slo\u017eky jako konfigura\u010dn\u00ed soubor pro vpn. V\u00a0konfiguraku se pot\u00e9 odk\u00e1\u017eeme na tyto soubory.<\/p>\n ca myCa.crt Nastaven\u00ed cipher a auth stejn\u00e9 jako na serveru<\/p>\n cipher AES-256-CBC Tento p\u0159\u00edkaz vynut\u00ed zad\u00e1n\u00ed u\u017eivatelsk\u00e9ho jm\u00e9na a hesla<\/p>\n auth-user-pass<\/p>\n A je\u0161t\u011b routy. Mikrotik bohu\u017eel neum\u00ed p\u0159id\u011blit routy ze serveru jako Linuxovy OVPN server<\/p>\n route 172.16.15.0 255.255.255.0<\/p>\n Pokud jste v\u0161echno spr\u00e1vn\u011b nakonfigurovali, tak by jste se m\u011bli p\u0159ipojit.<\/p>\n Jeliko\u017e jsem ned\u00e1vno str\u00e1vil docela docela dost hodin na zprovozn\u011bn\u00ed klienta na iOS, r\u00e1d bych se pod\u011blil o m\u00e9 zku\u0161enosti.<\/p>\n Prvn\u00ed v\u011bc, kterou bylo pot\u0159eba vy\u0159e\u0161it, byly extern\u00ed soubory.\u00a0 Ty bylo pot\u0159eba „vlo\u017eit“ do konfigura\u010dn\u00edho souboru. OpenVPN to naz\u00fdv\u00e1 „unified format“ (viz vzor konfigura\u010dn\u00edho souboru n\u00ed\u017ee)<\/p>\n D\u00e1le je pot\u0159eba na iOS n\u011bjak dopravit konfigura\u010dn\u00ed soubor do Mobilu. J\u00e1 pou\u017eil email. Soubory s p\u0159\u00edponou *.ovpn se automaticky asociuj\u00ed s aplikaci OpenVPN, tak\u017ee sta\u010d\u00ed otev\u0159\u00edt a proj\u00edt pr\u016fdovdce.<\/p>\n Vzor konfigura\u010dn\u00edho souboru pro iOS (sna\u017ete se vyhnout pr\u00e1zdn\u00fdm \u0159\u00e1dk\u016fm)<\/p>\n Jak jsem ji\u017e psal na za\u010d\u00e1tku, po\u017eadavek byl, aby u\u017eivetel\u00e9 z\u00a0dan\u00fdch VPN profilu m\u011bli omezen\u00fd p\u0159\u00edstup v\u00a0s\u00edti pouze pro ur\u010dit\u00e9 servery. Toho je mo\u017en\u00e9 doc\u00edlit na firewallu t\u00edm, \u017ee omez\u00edme p\u0159\u00edstup na rozsahy IP address, kter\u00e9 jsme p\u0159id\u011blili ke ka\u017ed\u00e9mu profilu.<\/p>\n Abychom nem\u011bli ve Firewallu nepo\u0159\u00e1dek a hlavn\u011b abychom uleh\u010dili hardware, vyu\u017eijeme tzv. Jumpu. Tento trik m\u011b nau\u010dil m\u016fj velice chytr\u00fd kamar\u00e1d, kter\u00e9mu t\u00edmto moc d\u011bkuji.<\/p>\n Jako prvn\u00ed pravidlo ve firewallu nastav\u00edme tento \u0159\u00e1dek. V\u00a0podstat\u011b \u0159\u00edk\u00e1 \u017ee ve\u0161ker\u00fd traffic ze v\u0161ech VPN interface, kter\u00fd d\u00e1le pokra\u010duje do bridge po\u0161li do chainu s\u00a0n\u00e1zvem OVPN (tak\u017ee ostatn\u00ed pravidla p\u0159esko\u010d\u00ed a pokra\u010duje v\u00a0\u0159et\u011bzci OVPN)<\/p>\n Nastav\u00edme zahazov\u00e1n\u00ed<\/p>\n A nyn\u00ed m\u016f\u017eete p\u0159id\u00e1vat pravidla pro r\u016fzne VPN profily a jako zdrojov\u00fd IP subnet pou\u017eit VPN pool kter\u00fd jsme si vytov\u0159ili na za\u010d\u00e1tku. Nezapomente m\u00edt pravidlo na zahazovn\u00e1n\u00ed paketu v\u017edy na konci.<\/p>\n","protected":false},"excerpt":{"rendered":" Konfigurace OpenVPN serveru na Mikrotiku (RouterOS ver. 6.37.1) Na wiki Mikrotiku naleznete spousty n\u00e1vodu jak nakonfigurovat OVPN server na Mikrotiku, ale z m\u00e9ho hlediska jsou a\u017e moc obecn\u00e9. V\u00a0tomto n\u00e1vodu se… Read more »<\/a><\/p>\n","protected":false},"author":1,"featured_media":88,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/posts\/51"}],"collection":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/comments?post=51"}],"version-history":[{"count":8,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/posts\/51\/revisions"}],"predecessor-version":[{"id":131,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/posts\/51\/revisions\/131"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/media\/88"}],"wp:attachment":[{"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/media?parent=51"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/categories?post=51"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.djblond.cz\/index.php\/wp-json\/wp\/v2\/tags?post=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\/system ntp client<\/code>
\nset enabled=yes primary-ntp=<IP> secondary-ntp=<IP><\/code><\/p>\n\/certificate
\nadd name=myCa country=\"CZ\" state=\"<kraj>\" organization=\"<n\u00e1zev fimy>\" locality=\"<mesto>\" unit=\"IT\" common-name=myCa key-usage=key-cert-sign,crl-sign days-valid=5475<\/code><\/p>\n\/certificate
\nsign myCa ca-crl-host=<IP VPN serveru> name=myCa<\/code><\/p>\n\/certificate
\nadd name=VPNserver country=\"CZ\" state=\"<kraj>\" organization=\"<n\u00e1zev fimy>\" locality=\"<mesto>\" unit=\"IT\" common-name=VPNserver key-usage=digital-signature,key-encipherment,tls-server days-valid=3650<\/code><\/p>\n\/certificate
\nsign VPNserver ca=myCa name= VPNserver<\/code><\/p>\n\/certificate
\nadd name=client1 common-name=client1
\nsign client1 ca=myCa name=client1<\/code><\/p>\n\/certifikate print<\/code><\/p>\nset myCa trusted=yes
\nset VPNserver trusted=yes<\/code><\/p>\n\/certificate
\nexport-certificate myCa
\nexport-certificate client1 export-passphrase=<zvolte si heslo pro zasifrovani priv\u00e1tn\u00edho klice><\/code><\/p>\np\u0159: openssl rsa \u2013in enc.key -out dec.key<\/code><\/p>\n\/ip pool add name=ovpn-pool-1 ranges=10.20.30.10 \u2013 10.20.30.20
\n\/ip pool add name=ovpn-pool-2 ranges=10.20.40.10 \u2013 10.20.40.20<\/code><\/p>\n\/ppp profile add local-address=10.20.30.1 name=ovpn-profile-1 remote-address=ovpn-pool-1
\n\/ppp profile add local-address=10.20.40.1 name=ovpn-profile-2 remote-address=ovpn-pool-2<\/code><\/p>\n\/ppp secret
\nadd name=<client> password=<password> profile= ovpn-pool-1
\nadd name=<client> password=<password> profile= ovpn-pool-2<\/code><\/p>\n\/interface ovpn-server server
\nset auth=sha1 certificate=VPNserver cipher=aes256 enabled=yes keepalive-timeout=60 max-mtu=1400 require-client-certificate=yes mode=ip netmask=24 default-profile=default<\/code><\/p>\n\/ip firewall filter add chain=input dst-port=1194 protocol=tcp<\/code><\/p>\nKLIENT<\/h2>\n
\ncert client.crt
\nkey client.key<\/p>\n
\nauth SHA1<\/p>\nKlient (Android, iOS)<\/h2>\n
client
\ndev tun
\nproto tcp
\nremote <remote IP> 1194
\nresolv-retry infinite
\nnobind
\npersist-key
\npersist-tun
\nauth-user-pass
\nreneg-sec 0
\nverb 3
\nauth SHA1
\ncipher AES-256-CBC
\nroute 10.10.10.0 255.255.255.0
\n<ca>
\n-----BEGIN CERTIFICATE-----
\n<your cert here>
\n-----END CERTIFICATE-----
\n<\/ca>
\n<cert>
\n-----BEGIN CERTIFICATE-----
\n<your cert here>
\n-----END CERTIFICATE-----
\n<\/cert>
\n<key>
\n-----BEGIN RSA PRIVATE KEY-----
\n<your cert here>
\n-----END RSA PRIVATE KEY-----
\n<\/key><\/code><\/p>\nFIREWALL<\/h2>\n
\/ip firewall filter add chain=forward in-interface all-ppp out-interface bridge action=jump jump-target=OVPN<\/code><\/p>\n\/ip firewall filter add chain=OVPN action=drop<\/code><\/p>\n
\nP\u0159\u00edklad povolit pouze p\u0159\u00edstup na 172.16.15.100 z\u00a0VPN poolu 10.20.30.x<\/p>\n\/ip firewall filter add chain=OVPN src-address 10.20.30.0\/24 dst-address 172.16.15.100 action=accept<\/code><\/p>\n