Anyone out there working with OpenVPN + Mikrotik??
I am trying to set up OpenVPN on an OpenWRT (Barrier Breaker) client and
connect to a Mikrotik (RouterOS 6.23) as the OpenVPN server.
Currently I am testing on virtual machines so that I can watch both sides
of the conversation without cutting myself off. In deployment this is
the hardware I have right now; I can't substitute a second Mikrotik or
OpenWRT box to make life easier.
One problem I see right off the bat is that the Mikrotik is listening on
port 1194 but not on the WAN interface. I checked this by running port
scans. That makes it pretty useless, but I can't see where to tell it what
interface to listen on.
Another problem is that I can't see anyplace on OpenWRT to put an auth-user
file or to specify the user/password.
OpenWRT client -- /etc/config/openvpn looks like this --
config openvpn 'cds-vpn'
option enabled '1'
option dev 'tun'
option proto 'udp'
option log '/tmp/openvpn.log'
option verb '3'
option ca '/etc/openvpn/ca.crt'
option cert '/etc/openvpn/buffalo.crt'
option key '/etc/openvpn/buffalo.key'
option client '1'
option remote_cert_tls 'server'
option remote '76.0.0.2 1194'
Mikrotik server --
[admin@MikroTik] /interface ovpn-server server> print
enabled: yes
port: 1194
mode: ip
netmask: 24
mac-address: FE:BD:B7:57:BA:17
max-mtu: 1500
keepalive-timeout: disabled
default-profile: ovpn_profile
certificate: cert_1
require-client-certificate: no
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256
/ppp profile print
Flags: * - default
 0 * name="default" use-mpls=default use-compression=default
     use-vj-compression=default use-encryption=default only-one=default
     change-tcp-mss=yes address-list=""
 1   name="ovpn_profile" local-address=10.8.0.1 remote-address=ovpn-pool
     use-mpls=default use-compression=default use-vj-compression=default
     use-encryption=required only-one=default change-tcp-mss=default
     address-list=""
 2 * name="default-encryption" use-mpls=default use-compression=default
     use-vj-compression=default use-encryption=yes only-one=default
     change-tcp-mss=yes address-list=""
/ppp secret print
Flags: X - disabled
 #   NAME   SERVICE   CALLER-ID   PASSWORD   PROFILE   REMOTE-ADDRESS
 0   ovpn   any                   mypasswd   default
/certificate print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority,
       I - issued, R - revoked, E - expired, T - trusted
 #      NAME     COMMON-NAME       SUBJECT-ALT-NAME         FINGERPRINT
 0 KT   cert_1   rb750             DNS:rb750                6488f54c1996...
 1 T    cert_2   CDS Wireless CA   email:[email protected]  e5716f686e01...
I am using OpenVPN because I have used it with good results in the past
with OpenWRT client and a Debian Linux based server. The client roams so it
has to be able to build a tunnel from behind NAT gateways that I don't
control.
(Generally I feel like Mikrotik RouterOS is an annoying mantle of
proprietary obscurity over the basically straightforward Linux but I am
heavily biased. :-) I feel the same way about Android. I have to use both
Android and Mikrotik. But I digress.)
--
Brian Wilson
currently in Gold Beach, OR
_______________________________________________
Mikrotik-users mailing list
[email protected]
http://lists.wispa.org/mailman/listinfo/mikrotik-users
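The two client-side gaps in the post (where the username/password goes, and the transport) can be checked mechanically before bringing the tunnel up. The script below is an added example written for this thread; it is not from the original post, from OpenWrt or from MikroTik. It assumes that a RouterOS 6.x OVPN server only accepts TCP (UDP arrived with RouterOS 7), that it authenticates each client against a PPP secret (so the OpenWrt side needs a username/password file), that it does not do LZO compression, and that OpenWrt's openvpn init script turns a UCI option such as auth_user_pass into the --auth-user-pass flag. The credential file path under /tmp and the username/password contents are constructed placeholders.

```shell
#!/bin/sh
# Sanity checks for an OpenWrt /etc/config/openvpn client section that is
# meant to talk to a RouterOS 6.x OVPN server.  Constructed example, not
# project code.  Assumptions (labelled in the lead-in): RouterOS 6 OVPN is
# TCP only, needs a PPP secret username/password, has no LZO, and OpenWrt
# maps UCI "auth_user_pass" to openvpn's --auth-user-pass.

# get_option FILE NAME  ->  prints the value of "option NAME 'value'" (first hit)
get_option() {
    sed -n "s/^[[:space:]]*option[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# check_ovpn_client_config FILE  ->  prints one finding per line,
# returns 0 when the section looks usable against RouterOS 6, 1 otherwise
check_ovpn_client_config() {
    cfg=$1
    rc=0

    proto=$(get_option "$cfg" proto)
    case "$proto" in
        tcp|tcp-client) ;;
        *) echo "proto is '$proto': RouterOS 6 OVPN server speaks TCP only, use tcp-client"; rc=1 ;;
    esac

    # RouterOS checks the PPP secret, so a cert alone never gets you a tunnel
    auth=$(get_option "$cfg" auth_user_pass)
    if [ -z "$auth" ]; then
        echo "auth_user_pass missing: RouterOS authenticates a PPP secret, add a username/password file"; rc=1
    elif [ ! -f "$auth" ]; then
        echo "auth_user_pass file '$auth' does not exist"; rc=1
    else
        # the file holds a cleartext password: only root may read it
        mode=$(stat -c %a "$auth" 2>/dev/null || stat -f %Lp "$auth" 2>/dev/null)
        case "$mode" in
            600|400) ;;
            *) echo "credential file '$auth' is mode $mode; chmod 600 so only root can read the password"; rc=1 ;;
        esac
    fi

    # without this the client accepts any CA-signed cert (e.g. another client's) as the server
    if [ "$(get_option "$cfg" remote_cert_tls)" != "server" ]; then
        echo "remote_cert_tls 'server' missing: client would trust any certificate issued by the CA"; rc=1
    fi

    if [ -n "$(get_option "$cfg" comp_lzo)" ]; then
        echo "comp_lzo set: RouterOS 6 OVPN does not negotiate LZO, remove it"; rc=1
    fi

    return $rc
}

# write_sample_config DIR  ->  writes DIR/openvpn (the post's section with the
# fixes applied) and DIR/auth.txt (constructed placeholder credentials, mode 600)
write_sample_config() {
    dir=$1
    printf '%s\n' 'ovpn' 'PASSWORD-PLACEHOLDER' > "$dir/auth.txt"   # line 1 user, line 2 password
    chmod 600 "$dir/auth.txt"
    cat > "$dir/openvpn" <<EOF
config openvpn 'cds-vpn'
	option enabled '1'
	option client '1'
	option dev 'tun'
	option proto 'tcp-client'
	option remote '76.0.0.2 1194'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/buffalo.crt'
	option key '/etc/openvpn/buffalo.key'
	option remote_cert_tls 'server'
	option auth_user_pass '$dir/auth.txt'
	option log '/tmp/openvpn.log'
	option verb '3'
EOF
}

# Usage: sh ovpn-check.sh /etc/config/openvpn
if [ -n "${1:-}" ]; then
    check_ovpn_client_config "$1"
fi
```

Run it against the live file on the OpenWrt box (sh ovpn-check.sh /etc/config/openvpn) and it exits non-zero with one line per problem; run write_sample_config into a scratch directory to see the corrected section. The check only looks at the client side: whether the Mikrotik actually accepts connections on its WAN address is a separate question for the RouterOS firewall input chain, which this script does not inspect.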