markdown MikroTik (RouterOS) script for setting up an OpenVPN server and generating certificates
Preface: this article was compiled by the cha138.com editors and mainly introduces a MikroTik (RouterOS) script for setting up an OpenVPN server and generating certificates; we hope it is of some reference value.
# OpenVPN Server and certificate management on MikroTik
## Contents
- [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates)
- [Add a new user](#add-a-new-user)
- [Setup OpenVPN client](#setup-openvpn-client)
- [Decrypt private key to avoid password asking](#decrypt-private-key-to-avoid-password-asking)
- [Delete a user and revoke his certificate](#delete-a-user-and-revoke-his-certificate)
- [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik)
## Setup OpenVPN server and generate certificates
```ini
# Setup OpenVPN Server and generate certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#
:global CN [/system identity get name]
:global COUNTRY "CZ"
:global STATE "CZ"
:global LOC "Brandys"
:global ORG "apealive"
:global OU ""
:global KEYSIZE "4096"
## functions: rough wait for key generation (about 10 s per 1024 bits of key size);
## a global must be re-declared inside the function body to be visible there
:global waitSec do={:global KEYSIZE; :return ([:tonum $KEYSIZE] * 10 / 1024)}
## generate a CA certificate
/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]
## generate a server certificate
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]
## create a client template
/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="client" \
key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client
## create IP pool
/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224
## add VPN profile
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
remote-address=VPN-POOL use-encryption=yes
## setup OpenVPN server
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes
## add a firewall rule (new rules are appended to the end of the chain, so use
## place-before=... if a drop rule already precedes it)
/ip firewall filter
add chain=input action=accept dst-port=1194 protocol=tcp comment="Allow OpenVPN"
```
## Add a new user
```ini
# Add a new user and generate/export certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#
:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"
## add a user
/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn
## generate a client certificate
/certificate
add name=client-template-to-issue copy-from="client-template" \
common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20
## export the CA certificate (empty passphrase: certificate only, no private key)
## and the client certificate with its private key, encrypted with PASSWORD;
## the files appear under /file as cert_export_*.crt and cert_export_*.key
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"
```
## Setup OpenVPN client
1. Copy the exported certificates from the MikroTik to the client machine
```sh
sftp admin@MikroTik_IP:cert_export_\*
```
Also, you can download the certificates from the web interface.
Go to `WebFig` → `Files` for this.
2. Create a `user.auth` file
The file `user.auth` holds your username/password combination: the username on the
first line and the password on the second line.
```
user
password
```
3. Create an OpenVPN config file named `USERNAME.ovpn`:
```ini
client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
# Must match the server: cipher=aes128,aes192,aes256 and auth=sha1.
# RouterOS does not negotiate ciphers, so keep 'cipher' set to one the
# server offers even if a newer OpenVPN client warns that it is deprecated.
cipher AES-256-CBC
auth SHA1
# Only accept a server certificate issued with tls-server key usage
# (the server certificate generated above has it)
remote-cert-tls server
pull
verb 2
mute 3
# Create a file 'user.auth' with a username and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
auth-user-pass user.auth
# Copy the certificates from MikroTik and change
# the filenames below if needed
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key
# Add routes to networks behind MikroTik
#route 192.168.10.0 255.255.255.0
```
4. Try to connect
```sh
sudo openvpn USERNAME.ovpn
```
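Before the first connection attempt it is worth checking that the client file agrees with what the setup script configured on the router. The following linter is an added example, not part of the original gist: it parses an `.ovpn` file and compares it with the server settings from the setup section (TCP/1194, `auth=sha1`, the three AES-CBC ciphers, a required client certificate and a `/ppp secret` login); the sample config and the host address in it are constructed.

```python
# Added example, not from the original gist: lint a client .ovpn file against the
# settings the setup script applies to /interface ovpn-server server (auth=sha1,
# cipher=aes128,aes192,aes256, TCP/1194, require-client-certificate=yes), so
# mismatches are caught before the first connection attempt.
SERVER = {
    "proto": "tcp",
    "port": 1194,
    "auth": {"sha1"},
    "ciphers": {"aes-128-cbc", "aes-192-cbc", "aes-256-cbc"},
    "require_client_cert": True,
}

def parse_ovpn(text):
    """Map each directive to its argument list (last occurrence wins), skipping comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            opts[name.lower()] = args
    return opts

def check_client_config(text, server=SERVER):
    """Return a list of findings; an empty list means the config matches the server."""
    opts, findings = parse_ovpn(text), []
    proto = (opts.get("proto") or ["udp"])[0].lower()  # OpenVPN defaults to UDP
    if not proto.startswith(server["proto"]):
        findings.append(f"proto {proto}: the MikroTik OVPN server listens on {server['proto']}")
    remote = opts.get("remote") or []
    if len(remote) < 2 or remote[1] != str(server["port"]):
        findings.append(f"remote must name the MikroTik host and port {server['port']}")
    cipher = (opts.get("cipher") or [""])[0].lower()
    if cipher not in server["ciphers"]:
        findings.append(f"cipher {cipher or '(default)'} is not offered by the server")
    auth = (opts.get("auth") or ["sha1"])[0].lower()  # OpenVPN defaults to SHA1
    if auth not in server["auth"]:
        findings.append(f"auth {auth} != server auth {sorted(server['auth'])}")
    if server["require_client_cert"] and not all(k in opts for k in ("ca", "cert", "key")):
        findings.append("server requires a client certificate: ca, cert and key must all be set")
    if "auth-user-pass" not in opts:
        findings.append("auth-user-pass missing: the server checks the username against /ppp secret")
    if opts.get("remote-cert-tls") != ["server"]:
        findings.append("remote-cert-tls server missing: server certificate usage is not verified")
    return findings

# Constructed sample: the page's config with a cipher the server does not offer and no remote-cert-tls.
SAMPLE = ("client\ndev tun\nproto tcp-client\nremote 198.51.100.1 1194\ncipher AES-128-GCM\n"
          "auth SHA1\nauth-user-pass user.auth\nca ca.crt\ncert user.crt\nkey user.key\n")
```

Run `check_client_config(open("USERNAME.ovpn").read())` on a real file; every returned string names one setting to fix.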
## Decrypt the private key to avoid the password prompt
```sh
openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key
```
The decrypted key is then stored unprotected on disk, so restrict its permissions (`chmod 600`) and prefer keeping the passphrase on a shared client host.
## Delete a user and revoke his certificate
```ini
# Delete a user and revoke his certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#
:global CN [/system identity get name]
:global USERNAME "user"
## delete a user
/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]
## revoke a client certificate
/certificate
issued-revoke [find name="$USERNAME@$CN"]
```
## Revert OpenVPN server configuration on MikroTik
```ini
# Revert OpenVPN configuration
#
# Items are removed in dependency order: RouterOS refuses to remove
# a profile or pool that is still referenced.
#
## disable the server first so its certificate is no longer in use
/interface ovpn-server server
set enabled=no
/ip firewall filter
remove [find comment="Allow OpenVPN"]
/ppp secret
remove [find profile=VPN-PROFILE]
/ppp profile
remove [find name=VPN-PROFILE]
/ip pool
remove [find name=VPN-POOL]
/certificate
## delete the CA, server and client certificates manually
```