https://SmartISP.

us/

OpenVPN Server Ubuntu 16.04 + OpenVPN

Cliente en Mikrotik Para Conectar SmartISP
via API.

Prepared By

Rodrigo Anrrango
Network Specialist and Consultant
https://SmartISP.us/install
 https://SmartISP.us/

Introduction
The goal of this project is to configure an Ubuntu OpenVPN server and a Mikrotik OpenVPN client.
Network Topology
In this project we are using the following topology:

Devices
OpenVPN Server
A VPS server with Ubuntu 16.04.4 LTS.
Mikrotik
A Mikrotik RB951Ui-2HnD router as OpenVPN client.
Server Configurations
Run the following commands as root:

Step 1: Install OpenVPN

apt-get update
apt-get install openvpn easy-rsa

Step 2: Set UP CA Directory

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
Step 3: Configure the CA Variables
 https://SmartISP.us/

nano vars

Set the following according to your requirement:

export KEY_COUNTRY="US"
export KEY_PROVINCE="NY"
export KEY_CITY="New York City"
export KEY_ORG="DigitalOcean"
export KEY_EMAIL="admin@example.com"
export KEY_OU="Community"

(Only edit the values in red)

Set the key name:

export KEY_NAME="server"

Save and close the file.

Step 4: Build the Certificate Authority

cd ~/openvpn-ca
source vars
./clean-all
./build-ca

Press Enter through all the prompts.

Step 5: Create the Server Certificate, Key, and Encryption Files

./build-key-server server

Accept the default values by pressing ENTER. Do not enter a challenge password for this setup. Towards
the end, you will have to enter y to two questions to sign and commit the certificate.

./build-dh
openvpn --genkey --secret keys/ta.key

Step 6: Generate a Client Certificate and Key Pair

cd ~/openvpn-ca
source vars
./build-key client1

Step 7: Configure the OpenVPN Service

cd ~/openvpn-ca/keys
sudo cp ca.crt server.crt server.key ta.key dh2048.pem /etc/openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-
files/server.conf.gz | sudo tee /etc/openvpn/server.conf
 https://SmartISP.us/

Adjust the OpenVPN Configuration:

nano /etc/openvpn/server.conf

Set the following:

cipher AES-128-CBC

Change protocol from TCP to UDP:

proto tcp
;proto udp

LZO Compression should be disabled:

;comp-lzo

Save and close the file

Step 8: Adjust the Server Networking Configuration

nano /etc/sysctl.conf

Allow IP Forwarding:
net.ipv4.ip_forward=1

Save and close the file.

sysctl –p

Adjust the UFW Rules to Masquerade Client Connections:

nano /etc/ufw/before.rules

Add the part in red (replace eth0 with your actual interface):
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# START OPENVPN RULES

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors

*filter
 https://SmartISP.us/
. . .

Save and close the file.

nano /etc/default/ufw
Change the value from DROP to ACCEPT:

DEFAULT_FORWARD_POLICY="ACCEPT"

Save and close the file.

Open the OpenVPN Port and Enable the Changes:

ufw allow 1194/udp

ufw allow 1194/tcp
ufw allow 80/tcp
ufw allow 8291/tcp
ufw allow 8728/api
ufw allow OpenSSH
ufw disable
ufw enable

Step 9: Start and Enable the OpenVPN Service

systemctl start openvpn@server

systemctl status openvpn@server

The status should be active (running).

systemctl enable openvpn@server

Step 10: Create Client Configuration Infrastructure

mkdir -p ~/client-configs/files
chmod 700 ~/client-configs/files
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf
~/client-configs/base.conf
nano ~/client-configs/base.conf

Add the IP address of server here:

remote server_IP_address 1194

Protocol should be tcp:

proto tcp

Find the directives that set the ca, cert, and key. Comment out these directives:
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
 https://SmartISP.us/

Add cipher parameter:

cipher AES-128-CBC

LZO Compression should be disabled:

;comp-lzo

Save and close the file.

Step 11: Creating a Configuration Generation Script:

nano ~/client-configs/make_config.sh

Inside, paste the following script:

#!/bin/bash

# First argument: Client identifier

KEY_DIR=~/openvpn-ca/keys
OUTPUT_DIR=~/client-configs/files
BASE_CONFIG=~/client-configs/base.conf

cat ${BASE_CONFIG} \
<(echo -e '<ca>') \
${KEY_DIR}/ca.crt \
<(echo -e '</ca>\n<cert>') \
${KEY_DIR}/${1}.crt \
<(echo -e '</cert>\n<key>') \
${KEY_DIR}/${1}.key \
<(echo -e '</key>\n<tls-auth>') \
${KEY_DIR}/ta.key \
<(echo -e '</tls-auth>') \
> ${OUTPUT_DIR}/${1}.ovpn

Save and close the file.

chmod 700 ~/client-configs/make_config.sh

Step 12: Generate Client Configurations

cd ~/client-configs
./make_config.sh client1

If everything went well, we should have a client1.ovpn file in our ~/client-

configs/files directory.
This file can be used by Windows and Android clients to connect to OpenVPN.
 https://SmartISP.us/

Mikrotik Configurations
Step 1: Copy Certificates and Keys

Go to openvpn-ca/keys directory on OpenVPN server and download these three files to your local
computer:

ca.crt client.crt client.key

Open Mikrtok router using Winbox and drag and drop these files:

Step 2: Installing Certificates

 https://SmartISP.us/

Go to System -> Certificates and import ca.crt:

Similarly import client1.crt and client1.key.

Step 3: Create a PPP Profile

Go to PPP -> Profiles and create a new profile. Give it a name of your choice. Go to Protocols and disable
MPLS and IPv6. “Use Encryption” option should be set to “required”. Go to Limits tab and set Only One
to “yes”. Save this profile.

Step 4: Create an OVPN Client Connection

Go to PPP -> Interface and add a new “OVPN Client” interface. Give it a name of your choice. Go to “Dial
Out” tab and set the following properties:
 https://SmartISP.us/

The username and password can be anything. However, it is mandatory and cannot be blank. If
everything went well your VPN should be connected.

Para tener Acceso LAN Clientes Pool (Opcional)

If you want to access the LAN subnet of OpenVPN client from server, use the following procedure:

Suppose the LAN subnet is 172.20.30.0/24:

nano /etc/openvpn/server.conf

Go to the following line:

;client-config-dir ccd

Uncomment it and change it to:

client-config-dir ccd

Add the following lines:

push "route 172.20.30.0 255.255.255.0"

route 172.20.30.0 255.255.255.0

Save and close the file.

 https://SmartISP.us/

mkdir /etc/openvpn/ccd
touch /etc/openvpn/ccd/client1
nano /etc/openvpn/ccd/client1

Add the following line to client1:

iroute 172.20.30.0 255.255.255.0

Save and close the file.

systemctl restart openvpn

The routing table will now have a routing entry for 172.20.30.0/24:

You’ll be able to ping from server to client LAN:

Troubleshooting:
To troubleshoot you can go to OpenVPN server and run the following command to see Syslogs related to
OpenVPN:
tailf /var/log/syslog | grep vpn
Any errors encountered during connection will be displayed here.

Here is rules for access RB: (Importante)

sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 8291 -j DNAT --to-destination
10.8.0.6:8291
iptables -t nat -A POSTROUTING -j MASQUERADE

Check NAT Rules:

iptables -nL -t nat

 https://SmartISP.us/

Useful Links:
https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-16-
04
https://github.com/missinglink/mikrotik-openvpn-client
https://www.cyberciti.biz/faq/howto-setup-openvpn-server-on-ubuntu-linux-14-04-or-16-04-lts/

https://www.smartisp.us/vpn/