OpenVpn Server Mikrotik

/ 16 de julho de 2019 / No comments

Referencia: https://delphinus.qns.net/xwiki/bin/view/Blog/Mikrotik%20OpenVPN%20in%2090%20seconds
Posted by Quentin Conner

So, you want to install and configure a VPN to your home network using your Mikrotik router and OpenVPN for your client?

In my case I wanted to use a Mikrotik RB750 with the PPP package installed and the OpenVPN client for MacOS, Tunnelblick. My RouterOS software version is 6.34.3, current at the time of writing. My OpenVPN client software is Tunnelblick, 3.5.8 (which incorporates OpenVPN 2.3.6).

The idea is to create a VPN into my home network, accessed from the Internet. I started by reading the Mikrotik OpenVPN documentation:

http://wiki.mikrotik.com/wiki/OpenVPN

Then I looked at the easy_rsa scripts that come with OpenVPN, on my Mac (this would be an alternate source for key pairs and certificate artifact generation):

https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

Between the two I managed to gain an understanding and get it running using the Mikrotik for key and certificate generation. I captured my implementation steps, complete with an OpenVPN template configuration you can reuse.

There are three main tasks:

Create encryption artifacts (files) used to establish SSL / TLS connections
Configure a OpenVPN / PPP profile in the VPN server
Configure an OpenVPN profile on the client
Encryption Artifacts
First we ssh into the Mikrotik router and create our own Certification Authority (CA) named “myCa”.

I used my Mikrotik router’s inside LAN IP address for the ca-crl-host. I’m not planning a CRL server for this use case.

[admin@MikroTik-gw] >/certificate
[admin@MikroTik-gw] /certificate> add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
[admin@MikroTik-gw] /certificate> sign myCa ca-crl-host=192.168.1.1 name=myCa
Now export the CA certificate, download and save the .crt file.

You will use this file and two others later when creating the .ovpn (OpenVPN) client configuration.

[admin@MikroTik-gw] /certificate> export-certificate myCa
Now we create a private and public key pair for the VPN Server followed by another key pair for the VPN Client:

[admin@MikroTik-gw] /certificate> add name=VPNserver common-name=server
[admin@MikroTik-gw] /certificate> add name=VPNclient1 common-name=client1
We need to sign both public keys with our new CA:

[admin@MikroTik-gw] /certificate> sign VPNserver ca=myCa name=server
[admin@MikroTik-gw] /certificate> sign VPNclient1 ca=myCa name=client1
Export the VPN Client's private key and public key+certificate files.

The following command creates two files which you need to download and save for use later (when creating the .ovpn OpenVPN client configuration file).

[admin@MikroTik-gw] /certificate> export-certificate export-passphrase=mysecret client1

To check your work, first check your Mikrotik certificates and look for the “KLAT” on the CA certificate and “KA” flags on the client and server entries. These entries represent a tuple of Private Key, Public Key and CA-signed Certificate. Yes, the “myCa” CA certificate is “self-signed”.

[admin@MikroTik-gw] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME                            COMMON-NAME                         SUBJECT-ALT-NAME                                                      FINGERPRINT
 0 K L A  T myCa                            myCa                                                                                                      c9c129cb1b7...
 1 K   A    server                          server                                                                                                    03883a34bdc...
 2 K   A    client1                         client1                                                                                                   a67a988df5e...

Now go to the Files section of the Mikrotik Web GUI, or sftp to your Mikrotik.
You should see:

cert_export_client1.crt
cert_export_client1.key
cert_export_myCa.crt

VPN Server Configuration
Adding a PPP profile to the Mikrotik enables a VPN Server endpoint for one or more VPN Clients.

The OpenVPN solution appears to be a PPP connection over an encrypted TLS (SSL) connection.

In this case I will choose AES256 for my session encryption, SHA1 for session message authentication and I will use 2048 bit RSA private keys as the basis for the client and server certificates.

This use case assumes a simple home network where the 192.168.1.0/24 TCP/IP network exists and the Mikrotik router is the gateway to the Internet. We will add a second network number for use by the VPN clients, since this is an IP-based VPN.

On this network we will assign IP addresses for an IP address pool to be used by VPN Clients; it is a small range of addresses from 192.168.2.10 to 192.168.2.19. This synthetic network will exist virtually, inside the Mikrotik router and appears to be defined via the /PPP Profile and the /interface openvpn-server server commands.

Our Mikrotik router is the default route to the WAN (Internet) and on 192.168.1.1 for its internal LAN interface. For the VPN Client’s synthetic network (192.168.2.0/24) our VPN Server will present itself as 192.168.2.1 to the VPN Client.

First create the PPP profile and IP address pool:

[admin@MikroTik-gw] > /ip pool add name=ovpn-pool range=192.168.2.10-192.168.2.19
[admin@MikroTik-gw] > /ppp profile add name=ovpn local-address=192.168.2.1 remote-address=ovpn-pool

Add our “client1″ user with “second factor secret” (the certificate embedded in the .ovpn file will be the other factor):

[admin@MikroTik-gw] > /ppp secret add name=client1 password=mysecret profile=ovpn

Create a synthetic interface in the Mikrotik representing the VPN Server endpoint on the synthetic VPN Client network, then associate it with the VPN Client IP pool:

[admin@MikroTik-gw] > /interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes256 port=1194 netmask=24 require-client-certificate=yes mode=ip
OpenVPN Client Configuration

Each OpenVPN user (VPN Client) needs their own distinct .ovpn configuration file.

In this use case we will configure only a single client.
The client1.ovpn file follows. Make four substitutions in your version of this template.

Change 11.12.13.14 to your public IP address (or maybe hostname) for your Mikrotik router.
In the section below, replace with your CA certificate text.
In the section, replace with your VPN Client Certificate text.
In the section, replace with your unprotected VPN Client Private Key text.
Optionally, if you run your own DNS server on your home network, you may want to make an additional substitution.

Change 8.8.8.8 to the IP address for your home network DNS server, somewhere on 192.168.1.0/24 in this example.
Potentially, this could be your Mikrotik router (192.168.1.1 in this example), if you enabled the DNS service there.
To get the unprotected (non-encrypted) Private Key text from the password-protected VPN Client Private Key file you downloaded earlier, run the following from a UNIX shell prompt where you have access to openssl:

$ openssl rsa -in cert_export_client1.key -text
You can copy/paste the following to create an initial .ovpn file for the four substitutions/edits above:

$ cat > client1.ovpn << _END_
client

# this is a layer 3 (IP) VPN
dev tun

# Mikrotik only supports TCP at the moment
proto tcp

# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote 11.12.13.14 1194

resolv-retry infinite
nobind

# Mikrotik does not support link compression at the moment
#comp-lzo

persist-key
persist-tun
#mute-replay-warnings

# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6

#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC

#auth MD5
auth SHA1

# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass

# domain name for home LAN
dhcp-option DOMAIN your.home.domain.name

# DNS server (replace with your own)
dhcp-option DNS 8.8.8.8

# SMB WINS name server if you have one
#dhcp-option WINS 192.168.1.1

# route to multiple networks
route 192.168.0.0 255.255.0.0


# Mikrotik accepts a CA cert
<ca>
-----BEGIN CERTIFICATE-----
BAMMBG15Q2GgAwIBAgIIfp+KAYv5zqIwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE
...
urKNm8k8KGt9ur15zL22C0YeYfef4H0BTAvuwOMgIOWzw5k0By==
-----END CERTIFICATE-----
</ca>

# Mikrotik expects a VPN Client Certificate
<cert>
-----BEGIN CERTIFICATE-----
G6kUxIYCx9cGbwAZMv8OtHnu2R+pk0A/cxg1ReYcp161Wed0bir0MIIDTTCCAjWg
...
c7OYas3x1DE2kJYQ8Z8ZakSXVBq8WScUa
-----END CERTIFICATE-----
</cert>

# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
-----BEGIN RSA PRIVATE KEY-----
PF85doECgYEA8b1fuDTh17NLzXPxDG9O4LilGzQX7AEPiY8gOfk1iQrrlcvvFeS7
...
F8nyWXTcXD74Ygj/CXxirR+Q3w==
-----END RSA PRIVATE KEY-----
</key>

_END_
Category: Mikrotik /

ATA linksys, cisco e sipura perdem registro sip (asterisk) quando atrás de nat masquerad MIKROTIK

/ 18 de março de 2019 / No comments

Esse problema é muito comum e muitas das vezes pode ser observado quando o ATA perde o registro sip ao asterisk e, retorna momentaneamente e instantaneamente somente se:

1 – Trocar a porta UDP de X para outra Y. (Exemplo: de 5061 para 5064)
2 – Limpar os registros sip do Mikrotik com script:

 

     /ip firewall connection remove [/ip firewall connection find where connection-type=sip and assured=no]
     /ip firewall connection remove [find where dst-address~"IP DO DESTINO, ASTERISK"]
     /ip firewall connection remove [find where connection-type=sip or connection-type=sip-2 or connection-type=sip-1]

Porem se o script 2 for executado as chamadas correntes são derrubadas.

Uma solução que encontrei é trocar o NAT Masquerad por NAT src-nat, onde eu pego o IP Real fixo ou mesmo o IP da VPN sainte e coloco no TO ADDRESS (item irá aparecer quando trocar o MASQUERADE por SRC-NAT)

Se seu ip na WAN for dinâmico (eu possuo pppoe dinamico) pode-se criar um script de exemplo:

:global newIP [/ip address get [find interface="fibra-pppoe"] address] 
/ip firewall nat set [find where comment="PPPoE NAT"] to-address=$newIP

Onde o fibra-pppoe é o nome da interface pppoe, e o PPPoE NAT é um comentário que tenho obrigatoriamente deixar na regra de SRC-NAT do firewall

E lembre-se de criar um agendamento para rodar esse script de 5 em 5 minutos.

Category: Asterisk, Mikrotik /

Tabela no mysql crashed “is marked as crashed and last (automatic?) repair failed”

/ 12 de janeiro de 2019 / No comments

Problem:

#144 - Table './mya2billing/cc_call' is marked as crashed and last (automatic?) repair failed
or 
ERROR 144 - Table 'BLABLABLABLABL' is marked as crashed and last (automatic?) repair failed

If your MySQL process is running, stop it. On Debian/Red Hat/Centos:

sudo service mysql stop
/etc/init.d/mysql stop

Go to your data folder. On Debian:

cd /var/lib/mysql/$DATABASE_NAME

Try running:

myisamchk -r $TABLE_NAME

If that doesn’t work, you can try:

myisamchk -r -v -f $TABLE_NAME

You can start your MySQL server again. On Debian:

sudo service mysql start
or /etc/init.d/mysql start
Category: Linux /

Brother printers: how to install them in Linux Mint

/ 4 de julho de 2018 / No comments
Linux_Mint_modified_Logo

A Brother printer is nowadays easily installable in Linux Mint. You can apply this how-to:

1. Connect your printer to your computer by means of a USB cable (even when you intend to use it as a network printer later on: for initial installation a USB cable is often needed). Then turn on your printer.

2. Sometimes it’s necessary to add a printer or scanner to the system yourself, by means of the application Printers. In that case the application Printers already contains the driver for your printer, but you have to “indicate” the printer first.

So launch the application Printers. You can use the search box in your menu to find it; it’s present by default in all editions of Linux Mint.

In Printers, click the button Add (with the + sign) and follow the steps it offers you.

But in some cases this driver doesn’t work well: the printed characters are deformed. Or if you have a multifunctional printer, this doesn’t get the scanner part operational: you can only print. Or your printer might simply be too new for the database in your version of Linux Mint. In either of those cases, proceed with step 3:

3. Installing the driver manually isn’t very difficult either, because Brother has issued a generic install script for that: the Driver Install Tool.

With that, you can install not only the printer driver, but also (for a multifunctional printer) the scanner driver.

You can use it as follows:

4. First remove any existing instance of the Brother printer in the application Printers.

5. Go to the download section of the Brother website and look up your printer model.

For “OS Family” you choose Linux.
For “OS Version” you select Linux (deb).
Click the Search button.

Then click the Driver Install Tool and download linux-brprinter-installer.

Save the downloaded file in the folder Downloads. Don’t extract the zipped file, but leave it there just as it is. Note: don’t use the installation how-to on the Brother website, but use the installation how-to on my website instead (see below)!

6. Launch a terminal linux.

d. Now copy/paste the following command into the terminal, in order to unzip the downloaded file (it’s one line):

cd ~/Downloads && gunzip -v ~/Downloads/linux-brprinter*

Press Enter.

7. Use copy/paste to transfer the following line to the terminal:

sudo bash ~/Downloads/linux-brprinter*

Press Enter. Type your password when prompted; this will remain entirely invisible, not even asterisks will show, which is normal.

8. Follow the steps that the installer script presents you. When asked for the printer model name, type it and press Enter.

An example is best: for a Brother DCP-1610W you type:

DCP-1610W

Note: is there at the end of the model name a letter between brackets? Then you probably have to omit that last letter (including the brackets).

Example: for the Brother MFC-L9550CDW(T) it becomes:

MFC-L9550CDW

At the question about the Device URI, you answer N for a USB printer and Y for a network printer.

For a network printer, you select in the next question the last option:
(A): Auto. For that, you type the number of that option and you press Enter.

9. Reboot your computer.

10. Now you may have to solve a problem with the scanner. In 64-bit Linux Mint 19 the location for the supporting library files has changed, and the driver for the scanner feature doesn’t always take that into account. The Brother driver then puts them in /usr/lib64, whereas your operating system expects them in /usr/lib.

So for a 64-bit system, you now need to execute the following three commands in order to make your scanner work well (use copy/paste to transfer them one by one to the terminal, and press Enter after each command):

sudo ln -sf /usr/lib64/libbrscandec*.so* /usr/lib

sudo mkdir -p /usr/lib/sane

sudo ln -sf /usr/lib64/sane/libsane-brother*.so* /usr/lib/sane

11. Then add yourself to the scanner user group. You can use a click-click-click graphical system tool for that, but this varies amongst editions. The terminal works in all editions….

An example is easiest. If your name is Johnny, your username is johnny (no caps), so the terminal command would be:

sudo usermod -a -G scanner johnny

Press Enter.

12.Now open a settings file with Xed, using the following command (use copy/paste to transfer it to the terminal):

xed admin:///lib/udev/rules.d/60-libsane1.rules

(The three consecutive dashes are intentional)

Press Enter.

13. At the very end of the text in that long text file, you see this line:

# LABEL="libsane_rules_end".

Now add the following two lines right above that line: (use copy/paste to transfer them):

# Brother scanners

ATTRS{idVendor}=="04f9", ENV{libsane_matched}="yes"

14. Reboot your computer.

15. Printers with wifi: for wireless setup, it’s necessary to configure your printer to connect to your wireless network automatically. If your printer has a small display of its own, you should be able to set this up by means of that little display (see your manual).

If your printer doesn’t have a display of its own, you might need to boot Windows for this. One time only, because you only need to configure the printer to connect to your wireless network automatically when you turn it on. Reboot into Linux, launch the application Printers, and you should be able to select your network printer wirelessly.

16. You’re done! Your printer should work fine now, including the scanner part (when present).

Category: Linux /

Regras firewall para openvpn

/ 16 de março de 2018 / No comments

Regras para passar trafego pelo iptables:

Exemplo:

tun0 – interface openvpn
eth0 – lan

# vpn
iptables -A INPUT -i tun0 -j ACCEPT

# openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun0 -m state –state RELATED,ESTABLISHED -j ACCEPT

# aceitar a openvpn
iptables -A INPUT -p udp –dport 1195 -j ACCEPT

Category: Linux /
« Older Entries