RouterOS OpenVPN configuration
Step 1: create the OpenVPN PPP profile. Before creating the profile, first create an address pool for OpenVPN clients.
/ip pool add name=pool_ovpn ranges=192.168.xx.2-192.168.xx.10
/ppp profile add change-tcp-mss=yes dns-server=192.168.xx.1 local-address=192.168.xx.1 name=profile_openvpn only-one=yes remote-address=pool_ovpn use-encryption=yes use-ipv6=no use-upnp=no
Step 2: create the certificates. Three are needed: a CA certificate, a client certificate and a server certificate.
1. CA certificate
After signing, remember to click Trust.
2. Client certificate
After signing, remember to click Trust.
3. Server certificate
After signing, remember to click Trust.
Once everything is signed, the certificate list should look like this:
Flags: K - private-key, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
Self-signing is done; next, export the certificates with Export.
The CA and server certificates can be exported as they are. The client certificate needs an export passphrase, because RouterOS only includes the private key in the export when a passphrase is given, and the client needs that key.
/certificate add common-name=cert_ovpn_root_ca-test key-usage=crl-sign,key-cert-sign
/certificate sign cert_ovpn_root_ca-test ca-crl-host=xxx.com
/certificate set cert_ovpn_root_ca-test trusted=yes
/certificate export-certificate cert_ovpn_root_ca-test file-name=cert_ovpn_root_ca-test
# client certificate: its key usage is tls-client (the original command used tls-server, which is the server's usage)
/certificate add common-name=cert_ovpn_client-test key-usage=tls-client
/certificate sign cert_ovpn_client-test ca=cert_ovpn_root_ca-test
/certificate set cert_ovpn_client-test trusted=yes
/certificate export-certificate cert_ovpn_client-test file-name=cert_ovpn_client-test export-passphrase=xxxx2222
/certificate add common-name=cert_ovpn_server-test key-usage=tls-server,digital-signature
/certificate sign cert_ovpn_server-test ca=cert_ovpn_root_ca-test
/certificate set cert_ovpn_server-test trusted=yes
/certificate export-certificate cert_ovpn_server-test file-name=cert_ovpn_server-test
The certificate setup is now complete.
Step 3: configure the OpenVPN server
# certificate= must name the server certificate created in step 2
/interface ovpn-server server set auth=sha1 certificate=cert_ovpn_server-test cipher=aes256 default-profile=profile_openvpn enabled=yes port=1694 require-client-certificate=yes
The server configuration is complete; the next thing is to test it with a client.
Step 4: add a firewall rule that allows the OpenVPN port
/ip firewall filter add action=accept chain=input comment=openvpn dst-port=1694 protocol=tcp
This rule must sit above the other input-chain rules (in particular above any drop rule), otherwise the connection is dropped before it reaches this rule.
Create a user:
/ppp secret add name=xxx password=xxxx profile=profile_openvpn service=ovpn
Step 5: verify the OpenVPN connection
Download the OpenVPN client.
Create a configuration file with the .ovpn extension:
client
dev tun
proto tcp
remote 6f38079e4e64.sn.mynetname.net 1694
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 1500
cipher AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
#redirect-gateway autolocal # after connecting, send all client traffic out through the server
route-nopull # after connecting, do not pull routes from the server
max-routes 1000 # maximum number of routes; the default is 100, adjust as needed (this option was removed in OpenVPN 2.5, drop it on newer clients)
route 192.168.88.0 255.255.255.0 vpn_gateway # send the 192.168.88.0/24 subnet through the VPN gateway
<ca>
contents of the CA certificate file
</ca>
<cert>
contents of the client certificate file
</cert>
<key>
contents of the client certificate key file
</key>
The configuration is now complete.
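As an added example (not code from the original post), the small Python checker below parses a .ovpn profile like the one above together with the /interface ovpn-server server set command from step 3 and reports mismatches in port, protocol, cipher, auth digest and the inline certificate blocks, so a wrong setting is caught before the first connection attempt. The hostname, the PEM placeholders and the sample profile are constructed.

```python
import re
import shlex

# RouterOS ovpn-server setting names -> the OpenVPN client option values they require.
CIPHER_MAP = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC",
              "aes256": "AES-256-CBC", "blowfish128": "BF-CBC", "null": "none"}
AUTH_MAP = {"md5": "MD5", "sha1": "SHA1", "null": "none"}

def parse_routeros_set(cmd: str) -> dict:
    """'/interface ovpn-server server set a=b c=d' -> {'a': 'b', 'c': 'd'}."""
    return dict(tok.split("=", 1) for tok in shlex.split(cmd) if "=" in tok)

def parse_ovpn(text: str) -> tuple:
    """Return ({option: [args]}, {inline block names}) for an .ovpn profile."""
    inline = re.compile(r"<(\w+)>.*?</\1>", re.S)
    blocks = {m.group(1) for m in inline.finditer(text)}
    opts = {}
    for line in inline.sub("", text).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, *args = line.split()
            opts[name] = args
    return opts, blocks

def check_profile(ovpn_text: str, server_cmd: str) -> list:
    """List mismatches between a client profile and the server 'set' command."""
    srv, (opts, blocks) = parse_routeros_set(server_cmd), parse_ovpn(ovpn_text)
    problems, remote = [], opts.get("remote", [])
    if len(remote) < 2 or remote[1] != srv.get("port", "1194"):
        problems.append(f"remote port {remote[1:]} != server port {srv.get('port', '1194')}")
    if opts.get("proto", ["udp"])[0] != "tcp":  # this setup and its firewall rule are TCP
        problems.append("proto must be tcp for this server")
    for opt, table in (("cipher", CIPHER_MAP), ("auth", AUTH_MAP)):
        want, got = table.get(srv.get(opt, ""), srv.get(opt)), opts.get(opt, [None])[0]
        if got != want:
            problems.append(f"{opt} {got} != server {opt} {want}")
    if srv.get("require-client-certificate") == "yes" and not {"cert", "key"} <= blocks:
        problems.append("server requires a client certificate but <cert>/<key> are missing")
    if "ca" not in blocks or opts.get("remote-cert-tls") != ["server"]:
        problems.append("need <ca> plus 'remote-cert-tls server' to authenticate the server")
    return problems

# Constructed sample input mirroring the walkthrough (hostname and PEM bodies are placeholders).
SERVER_CMD = ("/interface ovpn-server server set auth=sha1 certificate=cert_ovpn_server-test "
              "cipher=aes256 port=1694 require-client-certificate=yes")
CLIENT_OVPN = "\n".join(["client", "dev tun", "proto tcp", "remote vpn.example.invalid 1694",
    "nobind", "remote-cert-tls server", "cipher AES-256-CBC", "auth SHA1", "auth-user-pass",
    "<ca>", "PLACEHOLDER-CA-PEM", "</ca>", "<cert>", "PLACEHOLDER-CERT-PEM", "</cert>",
    "<key>", "PLACEHOLDER-KEY-PEM", "</key>"])
```

Call check_profile(open("client.ovpn").read(), SERVER_CMD) with your own profile; an empty list means the client options agree with the server settings.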