OpenVPN - zollak/pentest-notes GitHub Wiki

Setting up an OpenVPN server on RouterOS

The following configuration lets clients reach the internal LAN over OpenVPN. In our case the VPN clients are placed directly on the LAN (bridged, with no separate segment for VPN clients), so there is no network-level isolation between the VPN and the destination network: every VPN user is effectively a LAN host.

Server: Mikrotik RB-750GL (any Mikrotik router will do), FQDN: mikrotik.company.hu, port: 443/TCP

Client1: Windows (XP and later)

Client2: Linux (Ubuntu, Debian, Mint, Kali etc.)

RouterOS limitations:

  • no UDP mode (TCP only)
  • no LZO compression
  • both authentication methods are required: an X.509 client certificate and a username/password

Supported Features:

  • TCP
  • bridging (tap device)
  • routing (tun device)
  • certificates
  • p2p mode (see the OpenVPN 2.1 manual page)

Create X.509 certificates on Mikrotik

The CA, server, client1 and client2 certificates can all be created on the Mikrotik router itself.

Generate, sign, export CA certificate

Generate CA:

/certificate
add name=CA-temp country=HU state=Pest locality=Budapest organization="Company Name" unit="Company VPN" common-name="VPN CA" subject-alt-name=email:[email protected] key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign,digital-signature,key-encipherment,data-encipherment 

Notes:

  • You can use your own values for these parameters.
  • The key-usage list above is the one that was tested in this setup.
  • The common-name must differ for every certificate.
  • subject-alt-name=email is optional.

Sign CA:

/certificate
sign CA-temp name=CA

If the certificate does not have the T (trusted) flag, set it as trusted before using it:

/certificate
set CA trusted=yes

Export the CA certificate without a passphrase (the clients need it to verify the router). Without an export-passphrase RouterOS exports only the certificate, so the CA private key stays on the router, which is exactly what you want:

/certificate
export-certificate CA

Locate the exported file; it has to be copied to the clients:

/file print
 # NAME                                  TYPE                                        SIZE CREATION-TIME 
...
 3 cert_export_CA.crt                    .crt file                                   1367 aug/07/2017 23
...

Generate, sign server certificate

Generate server cert:

/certificate
add name=server-temp country=HU state=Pest locality=Budapest organization="Company Name" unit=IT common-name=server.company.hu subject-alt-name=email:[email protected] key-size=2048 days-valid=365 key-usage=key-cert-sign,crl-sign,digital-signature,key-encipherment,data-encipherment,tls-server

Notes:

  • You can use your own values for these parameters; the server validates the signature chain, not the subject fields.
  • The key-usage list above is the one that was tested in this setup. Strictly, a leaf certificate only needs digital-signature, key-encipherment and tls-server (or tls-client); key-cert-sign and crl-sign belong on the CA and are not needed on a leaf.
  • The common-name must differ for every certificate.

Sign server cert with CA:

/certificate
sign server-temp ca=CA name=server

The server certificate does not need to be exported; it stays on the router.

Generate, sign, export client1 certificate

Create certificate for Windows client:

/certificate
add name=client1-temp country=HU state=Pest locality=Budapest organization="Company Name" unit=IT common-name=windows.company.hu subject-alt-name=email:[email protected] key-size=2048 days-valid=365 key-usage=key-cert-sign,crl-sign,digital-signature,key-encipherment,data-encipherment,tls-client

Notes:

  • The same notes as for the server certificate apply; the only difference in key-usage is tls-client instead of tls-server.

Sign client cert with CA:

/certificate
sign client1-temp ca=CA name=client1

Export the client certificate together with its private key; the key is only written out when an export-passphrase is set, and it is encrypted with that passphrase:

/certificate
export-certificate client1 ca=CA export-passphrase=xxxxxxxx

Locate the exported files; both have to be copied to the Windows client:

/file print
 # NAME                                  TYPE                                        SIZE CREATION-TIME 
...
 4 cert_export_client1.crt               .crt file                                   1367 aug/07/2017 23
 5 cert_export_client1.key               .key file                                   1367 aug/07/2017 23
 ...

Generate, sign, export client2 certificate

Create certificate for Linux client:

/certificate
add name=client2-temp country=HU state=Pest locality=Budapest organization="Company Name" unit=IT common-name=linux.company.hu subject-alt-name=email:[email protected] key-size=2048 days-valid=365 key-usage=key-cert-sign,crl-sign,digital-signature,key-encipherment,data-encipherment,tls-client

Notes:

  • The same notes as for the server certificate apply; the only difference in key-usage is tls-client instead of tls-server.

Sign client cert with CA:

/certificate
sign client2-temp ca=CA name=client2

Export the client certificate together with its private key; the key is only written out when an export-passphrase is set, and it is encrypted with that passphrase:

/certificate
export-certificate client2 ca=CA export-passphrase=yyyyyyyy

Locate the exported files; both have to be copied to the Linux client:

/file print
 # NAME                                  TYPE                                        SIZE CREATION-TIME 
...
 6 cert_export_client2.crt               .crt file                                   1367 aug/07/2017 23
 7 cert_export_client2.key               .key file                                   1367 aug/07/2017 23
 ...
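Before handing an exported bundle to a user, check it offline on any machine that has openssl. The script below is an added example and not part of the wiki page: it builds a constructed CA/server/client hierarchy with openssl that mirrors the key usages assigned on the router (a stand-in for cert_export_CA.crt and cert_export_client1.crt/.key), then verifies that a client file set chains to the CA, is valid for the client role, is not expired, and that the key really belongs to the certificate. The same function also shows why a client certificate must never pass the server check, which is the property that remote-cert-tls server in the client config relies on. The function names and the KEY_PASS variable are the example's own.

```sh
#!/bin/sh
# Added example, not from the wiki page: offline checks for an exported MikroTik
# OpenVPN bundle. The certificates below are CONSTRUCTED here with openssl as
# stand-ins for cert_export_CA.crt / cert_export_clientN.crt / .key, mirroring
# the key usages the page assigns on the router.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to check" >&2; exit 0; }
export KEY_PASS="${KEY_PASS:-}"   # passphrase of an exported .key, empty if unencrypted

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA carrying only the usages a CA needs (constructed stand-in for the router's CA).
gen_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
  openssl req -new -key ca.key -subj "/O=Company Name/CN=VPN CA" -out ca.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -extfile ca.ext -out ca.crt 2>/dev/null
}

# gen_leaf NAME CN EKU : leaf certificate signed by the CA. EKU is serverAuth or
# clientAuth, the extension RouterOS emits for key-usage=tls-server / tls-client.
gen_leaf() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/O=Company Name/CN=$2" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# verify_bundle CA CRT KEY PURPOSE : returns 0 if CRT chains to CA and is valid for
# PURPOSE (sslclient or sslserver, the check OpenVPN's remote-cert-tls performs),
# is not expired, and KEY is the private key belonging to CRT.
verify_bundle() {
  ca=$1 crt=$2 key=$3 purpose=$4
  openssl verify -CAfile "$ca" -purpose "$purpose" "$crt" >/dev/null 2>&1 \
    || { echo "$crt: does not chain to $ca or lacks the $purpose usage" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "$crt: expired" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null) \
    || { echo "$key: not a readable private key (wrong KEY_PASS?)" >&2; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "$key: does not match $crt" >&2; return 1; }
  return 0
}

gen_ca
gen_leaf server  server.company.hu  serverAuth
gen_leaf client1 windows.company.hu clientAuth

verify_bundle ca.crt client1.crt client1.key sslclient && echo "client1: valid VPN client bundle"
verify_bundle ca.crt server.crt  server.key  sslserver && echo "server: valid VPN server certificate"
# A client certificate signed by the same CA must not pass the server test; this is
# exactly what 'remote-cert-tls server' in the client config enforces.
verify_bundle ca.crt client1.crt client1.key sslserver 2>/dev/null \
  && echo "client1 would be accepted as the server (bad)" \
  || echo "client1 rejected as the server (expected)"
```

To check a real export, run verify_bundle against the copied files, e.g. KEY_PASS=xxxxxxxx verify_bundle cert_export_CA.crt cert_export_client1.crt cert_export_client1.key sslclient; a key that fails the match test usually means the wrong .key was shipped with the .crt.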

Configuring DDNS

If you want to use your own FQDN instead of 529c0491d41c.sn.mynetname.net, you need your own domain (registered at e.g. godaddy.com) and the ability to create a CNAME record in it.

/ip cloud set ddns-enabled=yes
/ip cloud print
    ddns-enabled: yes
     update-time: yes
  public-address: 159.148.172.205
        dns-name: 529c0491d41c.sn.mynetname.net
          status: updated

To enable time update from cloud service:

/ip cloud set update-time=yes

To enable automatic time zone detection:

/system clock set time-zone-autodetect=yes

If you have your own domain, point a CNAME at the cloud name:

Name                   Type   Content                         TTL
mikrotik.company.hu    CNAME  529c0491d41c.sn.mynetname.net   3600

The router is then reachable under your own name, mikrotik.company.hu (the FQDN used in the client configs below).

Firewall configuration

/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN from External" dst-port=443 in-interface=ether1 protocol=tcp src-address-list=external

/ip firewall address-list
add list=external address=0.0.0.0/0

Notes:

  • New filter rules are appended at the bottom of the list; move this one up into the input chain above the rule that drops other WAN traffic (with /ip firewall filter move), otherwise it is never reached.
  • The WAN interface in our case is ether1.
  • An address list containing 0.0.0.0/0 matches every source, so it only documents intent; if the client networks are known, list those prefixes instead to limit who can reach port 443.

DHCP, DNS, NTP configuration

In our case we reuse the internal LAN settings (DHCP, DNS, NTP, bridge1) for the OpenVPN clients.

Define an IP pool and a DHCP server on the bridge:

/ip pool
add name=dhcp_pool_10 ranges=10.0.0.100-10.0.0.130
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool_10 authoritative=after-2sec-delay \
    disabled=no interface=bridge1 lease-time=5m name=dhcp1

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1 \
    ntp-server=10.0.0.1

/ip dns
set allow-remote-requests=yes cache-max-ttl=1h cache-size=8192KiB \
    max-udp-packet-size=8192 servers=8.8.8.8,8.8.4.4

/system ntp client
set enabled=yes primary-ntp=148.6.0.1 secondary-ntp=62.77.130.46

/system ntp server
set enabled=yes

Notes:

  • allow-remote-requests=yes makes the router answer DNS for anyone who can reach it; make sure the input chain does not accept UDP/TCP port 53 from ether1, otherwise the router becomes an open resolver.

Set up the OpenVPN server

Define a profile:

/ppp profile
add bridge=bridge1 dns-server=10.0.0.1 local-address=10.0.0.25 name=\
    ovpn-profile remote-address=dhcp_pool_10

OpenVPN server configuration:

/interface ovpn-server server
set auth=sha1 cipher=blowfish128,aes128 certificate=server default-profile=ovpn-profile \
    enabled=yes mode=ethernet port=443 require-client-certificate=yes

Notes:

  • certificate= refers to the RouterOS certificate name, i.e. the name given when signing (server above), not to the common-name.
  • mode=ethernet is bridged (tap) mode; the clients therefore use dev tap.
  • require-client-certificate=yes is what enforces the X.509 half of the login; the ppp secret covers the password half.
  • blowfish128 has a 64-bit block size and is only in the list for clients that cannot do AES; once every client sets cipher AES-128-CBC explicitly, remove it and keep cipher=aes128.

Add a vpn user1 for Windows client:

/ppp secret
add name=tyler password=zzzzzzzzzz profile=ovpn-profile service=ovpn

Add a vpn user2 for Linux client:

/ppp secret
add name=john password=xyxyxyxyxy profile=ovpn-profile service=ovpn

Client1 - Windows GUI

  • Download the installer from openvpn.net / Community / Community Downloads: http://openvpn.net/index.php/open-source/downloads.html
  • Select the OpenSSL Utilities component (the RSA certificate generator is not required; the certificates come from the router).
  • Default installation directory: C:\Program Files\OpenVPN
  • Copy the exported files (cert_export_CA.crt, cert_export_client1.crt, cert_export_client1.key) from WinBox to encrypted (safe) storage, e.g. Z:\tyler\Documents\Access\VPN.
  • Create the config file C:\Program Files\OpenVPN\config\mikrotik.ovpn:

client
# bridged mode, matches mode=ethernet on the router
dev tap
# RouterOS OpenVPN is TCP only
proto tcp-client
<connection>
remote mikrotik.company.hu 443
</connection>
resolv-retry infinite
nobind
persist-key
persist-tun
# backslashes must be doubled inside an OpenVPN config on Windows
ca z:\\tyler\\Documents\\Access\\VPN\\cert_export_CA.crt
cert z:\\tyler\\Documents\\Access\\VPN\\cert_export_client1.crt
key z:\\tyler\\Documents\\Access\\VPN\\cert_export_client1.key
# name the cipher explicitly: it must be one of the ciphers in the router's list
# (aes128); otherwise the client falls back to its own default (BF-CBC on older releases)
cipher AES-128-CBC
ping 15
ping-restart 45
ping-timer-rem
mute-replay-warnings
verb 3
auth-user-pass z:\\tyler\\Documents\\Access\\VPN\\mikrotik-auth.cfg
redirect-gateway
tls-client
# require the tls-server usage on the router's certificate (the server certificate
# created above carries it); without this any certificate signed by the same CA,
# e.g. another client's, could impersonate the router
remote-cert-tls server

  • Create the password file z:\tyler\Documents\Access\VPN\mikrotik-auth.cfg with the username on the first line and the password on the second:

tyler
zzzzzzzzzz

Client2 - Linux command line tool

Install OpenVPN:

sudo apt-get install openvpn

  • Create a safe place for the sensitive config files and certificates (an encrypted volume, e.g. LUKS or TrueCrypt), for example:

/root/data/priv/

  • Create the OpenVPN config file /root/data/priv/mikrotik.conf with the following content:

client
dev tap
proto tcp-client
<connection>
remote mikrotik.company.hu 443
</connection>
resolv-retry infinite
nobind
persist-key
persist-tun
ca /root/data/priv/cert_export_CA.crt
cert /root/data/priv/cert_export_client2.crt
key /root/data/priv/cert_export_client2.key
# must be one of the ciphers in the router's list (aes128); do not rely on the client default
cipher AES-128-CBC
ping 15
ping-restart 45
ping-timer-rem
mute-replay-warnings
verb 3
auth-user-pass /root/data/priv/mikrotik-auth.cfg
redirect-gateway def1
# require the tls-server usage on the router's certificate (the server certificate
# created above carries it) so that no other certificate signed by the CA,
# e.g. another client's, can impersonate the router
remote-cert-tls server

  • Create /root/data/priv/mikrotik-auth.cfg with the username on the first line and the password on the second:

john
xyxyxyxyxy

  • Set ownership and permissions. A directory needs the execute bit to be entered, so the directory gets 700 and the files inside it 600:

sudo chown -R root:root /root/data/priv/
sudo chmod 700 /root/data/priv/
sudo chmod 600 /root/data/priv/*

  • Turn off autostart of all configs in /etc/default/openvpn:

AUTOSTART="none"

  • Finally, start OpenVPN manually:

sudo openvpn --config /root/data/priv/mikrotik.conf &
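As an added example (not from the wiki and not part of OpenVPN), a pre-flight script for the Linux client: it checks that the private directory and the files in it carry the permissions set above, that the config references files that exist and pins the server role with remote-cert-tls server, and then starts OpenVPN detached with its own log file and waits for the handshake. The config and credential file it writes into a temporary directory are constructed stand-ins for /root/data/priv; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the wiki page: pre-flight checks and a detached start for
# the Linux OpenVPN client. Uses GNU/busybox stat (Linux).
set -eu

# check_private_dir DIR : 0 if DIR is owned by the invoking user, is mode 700 and every
# regular file in it (keys, auth file, config) is mode 600; lists offenders otherwise.
check_private_dir() {
  dir=$1 rc=0
  [ -d "$dir" ] || { echo "$dir: missing" >&2; return 1; }
  [ "$(stat -c %a "$dir")" = "700" ] || { echo "$dir: mode must be 700" >&2; rc=1; }
  [ "$(stat -c %u "$dir")" = "$(id -u)" ] || { echo "$dir: not owned by $(id -un)" >&2; rc=1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    [ "$(stat -c %a "$f")" = "600" ] || { echo "$f: mode must be 600" >&2; rc=1; }
  done
  return $rc
}

# check_config CFG : 0 if every file named by ca/cert/key/auth-user-pass is readable
# (commented-out lines starting with ; or # are ignored) and the config contains an
# active 'remote-cert-tls server'. Paths are assumed not to contain whitespace.
check_config() {
  cfg=$1 rc=0
  for f in $(awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="auth-user-pass"{print $2}' "$cfg"); do
    [ -r "$f" ] || { echo "$cfg: referenced file $f is not readable" >&2; rc=1; }
  done
  grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$cfg" \
    || { echo "$cfg: add 'remote-cert-tls server' so that another certificate signed by the CA cannot pose as the router" >&2; rc=1; }
  return $rc
}

# start_vpn CFG LOG : run the checks, start openvpn detached (--daemon, logging to LOG)
# and wait up to 30 s for the handshake; prints the routing table on success.
start_vpn() {
  cfg=$1 log=$2
  check_private_dir "$(dirname "$cfg")" && check_config "$cfg" || return 1
  openvpn --config "$cfg" --daemon --log "$log" --writepid "${cfg%.conf}.pid"
  i=0
  while [ "$i" -lt 30 ]; do
    grep -q 'Initialization Sequence Completed' "$log" 2>/dev/null && { ip route show; return 0; }
    i=$((i + 1)); sleep 1
  done
  echo "no handshake within 30 s, see $log" >&2
  return 1
}

# --- constructed stand-in for /root/data/priv so the checks can be exercised offline ---
DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
chmod 700 "$DEMO"
printf 'john\nxyxyxyxyxy\n' > "$DEMO/mikrotik-auth.cfg"          # constructed sample credentials
: > "$DEMO/cert_export_CA.crt"                                     # empty placeholders, not real certs
: > "$DEMO/cert_export_client2.crt"
: > "$DEMO/cert_export_client2.key"
cat > "$DEMO/mikrotik.conf" <<EOF
client
dev tap
proto tcp-client
remote mikrotik.company.hu 443
ca $DEMO/cert_export_CA.crt
cert $DEMO/cert_export_client2.crt
key $DEMO/cert_export_client2.key
cipher AES-128-CBC
auth-user-pass $DEMO/mikrotik-auth.cfg
redirect-gateway def1
remote-cert-tls server
EOF
chmod 600 "$DEMO"/*

check_private_dir "$DEMO" && check_config "$DEMO/mikrotik.conf" && echo "pre-flight OK"
# Real use on the client:  start_vpn /root/data/priv/mikrotik.conf /var/log/openvpn-mikrotik.log
```

Starting with --daemon instead of a trailing & keeps OpenVPN alive after the terminal closes and sends its output to the log file named on the command line instead of syslog, which is where the troubleshooting section below then has to look.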

Troubleshooting

OpenVPN started as above (without --log) writes to syslog; once redirect-gateway has taken effect the default route must point at the tap interface:

sudo tail -f /var/log/syslog
ip route show
