Wed Apr 11 14:48:54 2018 TCP_CLIENT link local: (not bound) Key pki1/ca/slaves/test-mikrotik/test-mikrotik_key.pemĬert pki1/ca/slaves/test-mikrotik/test-mikrotik.pem OpenVPN reference client configuration client The connection is “running”, whereas a correct client configuration (with the ca directive set) yields an error: So I stopped the old server and started the “evil” one and… well: /interface ovpn-client> print
Key pki2/ca/slaves/evil-server/evil-server_key.pemĪs CA I still use the “good” CA so that the server accepts the certificate of the client but as cert and key I’m using certificates (evil-server.pem) issued by a totally different (new) CA. So I imported the CA certificate: > /certificate importĬheck if it is trusted: > /certificate printįor testing an “evil” server with an other identity, I created a new CA and server certificate ( evil-server.pem) issued by that CA and created the following OpenVPN server configuration: port 1194Ĭert pki2/ca/slaves/evil-server/evil-server.pem # NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINTĠ K T test-mikrotik.pem_0 test-mikrotik DNS:test-mikrotik e01bca9e.īut maybe it is a crude default behavior if I do not have any trusted CAs in the certificate store. But at this point I noticed I forgot to import the CA certificate, so how can the client verify the server’s authenticity? > /certificate printįlags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted … or did we? Well, the connection works, I can ping and ssh to my server through the tunnel using the internal tunnel IP.
So yeah, great success, we heve established a secure OpenVPN connection to our Server! > /interface ovpn-client printĠ R name="ovpn-out1" mac-address=FE:DA:0A:A8:44:4C max-mtu=1500 connect-to=192.168.88.254 port=1194 mode=ip user="dummy" password="" profile=default-encryption certificate=test-mikrotik.pem_0Īuth=sha1 cipher=aes256 add-default-route=no MikroTik OpenVPN client configuration /interface ovpn-client add certificate=test-mikrotik.pem_0 cipher=aes256 connect-to=192.168.88.254 name=ovpn-out1 profile=default-encryption user=dummyįor some reason it is not possible to configure an MikroTik OpenVPN client without a username, so I named it “dummy”. In my test scenario, the server has the ip 192.168.88.254.Īfter creating, signing and uploading the client certificate and key I configured the vpn client as follows:
In this case, I am using a hEX PoE with the latest firmware (6.41.4). Key pki1/ca/slaves/test-server/test-server_key.pem The simple server configuration file now looks like this: port 1194Ĭert pki1/ca/slaves/test-server/test-server.pem I first created an own PKI with a CA certificate ( ca1.pem) and a server key pair ( test-server.pem and test-server_key.pem) as well as own dh-parameters ( dh4096.pem).
The client now established a secure connection to the server and we can now tunnel whatever we want. The server verifys the client’s authenticity using a client certificate and the client should verify the authenticity of the server’s certificate by checking whether the certificate is issued by a known and trusted CA.Authorization is thereby granted by signing a certificate with the CA’s private key. This CA is normally an internal one dedicated for this usage. The server is configured to authenticate and authorize clients based on a client certificate, which must be issued by a certain certification authority (CA).So a basic (simplified) scenario looks like this: MikroTik’s Routerboards on the other hand are quite cheap and are providing a neat “black box” appliance which can easily handed to people with no IT experience. I like using OpenVPN because it is simple to configure and supports both, L2 (tap) and 元 (tun) secure (encrypted) tunnels. I use MikroTik Routerborads quite a lot on remote sites to establish a secure tunnel to connect to internal services remotely (for example for employee time clocks).
0 kommentar(er)
