The goal of this project is to configure a Dockerized OpenVPN server on Ubuntu 18 so that Mikrotik OpenVPN clients can connect to it.
There are a few limitations in Mikrotik's implementation of the OpenVPN client that we need to keep in mind (these are the limits of the RouterOS 6 client; RouterOS 7 has since added UDP support, but a server configured as below works with either):
- It only supports TCP, not UDP
- tls-auth is not supported
- comp-lzo compression is not supported
- Only a limited set of authentication algorithms (MD5, SHA1) and ciphers (Blowfish and AES in CBC mode) is supported
Assuming Docker is already installed on the server:
Step 1: Create a variable to be used subsequently
OVPN_DATA="ovpn-data"
Step 2: Create Docker volume
docker volume create --name $OVPN_DATA
Step 3: Define server IP, protocol, port and OpenVPN topology
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -e 'topology subnet' -u tcp://<Server IP>:1194
Replace <Server IP> with the public address the Mikrotik routers will dial. -u sets the protocol, address and port the clients use, and -e appends an extra line to the generated config.
Step 4: Build the Certificate Authority
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki
Enter a passphrase for the CA key when prompted; it protects the CA's private key and is required every time a client certificate is signed. Accept the defaults for the remaining prompts by pressing Enter.
Step 5: Adjust OpenVPN server configurations
docker volume inspect ovpn-data
This command prints the actual location of the volume's files as the "Mountpoint" parameter. Navigate to that folder (it is owned by root, so this and the edit below need root or sudo):
cd /var/lib/docker/volumes/ovpn-data/_data
nano openvpn.conf
Modify the OpenVPN server configurations as follows:
Comment the tls-auth line. The Mikrotik client cannot do the tls-auth HMAC handshake, so the server has to accept plain TLS handshakes from any TCP peer; compensate in the host firewall by allowing port 1194 only from the routers' source addresses where those are known:
#tls-auth /etc/openvpn/pki/ta.key
Add a cipher directive. The Mikrotik client does not negotiate a cipher, so the server's fixed cipher must be one it supports (AES-128-CBC here; AES-192-CBC and AES-256-CBC also work):
cipher AES-128-CBC
To allow multiple clients to connect with the same certificate and key, add duplicate-cn. This is optional: the static IP in Step 8 and certificate revocation both work per common name, so issuing one certificate per router (Step 7) is the cleaner choice.
duplicate-cn
Comment the comp-lzo directive:
#comp-lzo no
Comment all the push directives; the Mikrotik client does not apply pushed options, so they only add noise:
#push "block-outside-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "comp-lzo no"
Save and exit.
The complete openvpn.conf is given below for reference (the key and cert file names carry the server address that was given to ovpn_genconfig in Step 3):
server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/178.62.52.238.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/178.62.52.238.crt
dh /etc/openvpn/pki/dh.pem
#tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun
proto tcp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
cipher AES-128-CBC
duplicate-cn
user nobody
group nogroup
#comp-lzo no
### Route Configurations Below
route 192.168.254.0 255.255.255.0
### Push Configurations Below
#push "block-outside-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "comp-lzo no"
### Extra Configurations Below
topology subnet
Step 6: Start the OpenVPN container
docker run -v $OVPN_DATA:/etc/openvpn -d --name openvpn --restart unless-stopped -p 1194:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn
--name gives the container a fixed name for the docker logs command used in troubleshooting below, and --restart unless-stopped brings the VPN back after a host reboot.
Step 7: Client Setup
docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full mikrotik1 nopass
This generates the certificate and key for the client named mikrotik1; nopass leaves the client key unencrypted, so no passphrase is needed when it is imported on the router. The CA passphrase from Step 4 has to be entered to sign the certificate. Use a separate client name for each router.
Step 8: Setup static IP for client
echo "ifconfig-push 192.168.255.10 255.255.255.0" | docker run -v $OVPN_DATA:/etc/openvpn -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/mikrotik1
With this configuration the client mikrotik1 will always get the static IP 192.168.255.10 upon connection. The address must lie inside the server subnet (192.168.255.0/24 here), and each client needs its own ccd file, named after the common name of its certificate.
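Steps 1 to 8 above as one script, added here as an example; it is not part of the original tutorial or of the kylemanna/openvpn project. The Step 5 edits are done with sed instead of nano, and a check function refuses a config that still contains something the Mikrotik client cannot handle. The server IP, client name and client IP are placeholder defaults that can be overridden through environment variables, and the script is assumed to run as root on the Docker host.

```bash
#!/usr/bin/env bash
# Added example: Steps 1-8 above as one script (not the kylemanna/openvpn
# project's own tooling). Run as root on the Ubuntu host; the volume's
# mountpoint is read from `docker volume inspect` rather than hard-coded.
# SERVER_IP, CLIENT_NAME and CLIENT_IP are assumed values; override via env.
set -eu

OVPN_DATA="${OVPN_DATA:-ovpn-data}"
SERVER_IP="${SERVER_IP:-198.51.100.10}"      # placeholder: the server's public IP
CLIENT_NAME="${CLIENT_NAME:-mikrotik1}"
CLIENT_IP="${CLIENT_IP:-192.168.255.10}"     # must lie inside the 192.168.255.0/24 server subnet
IMAGE="kylemanna/openvpn"

# docker run against the data volume, with the same options the tutorial uses.
dkr() { docker run -v "$OVPN_DATA:/etc/openvpn" --log-driver=none --rm "$@"; }

# Rewrite a generated openvpn.conf in place for the Mikrotik client (Step 5):
# comment tls-auth, comp-lzo and every push line, pin one CBC cipher and add
# duplicate-cn. Idempotent: re-running it leaves exactly one cipher line.
patch_openvpn_conf() {
  local conf="$1" cipher="${2:-AES-128-CBC}"
  sed -i \
    -e 's/^[[:space:]]*tls-auth /#tls-auth /' \
    -e 's/^[[:space:]]*comp-lzo/#comp-lzo/' \
    -e 's/^[[:space:]]*push /#push /' \
    -e '/^cipher /d' \
    -e '/^duplicate-cn$/d' \
    "$conf"
  printf 'cipher %s\nduplicate-cn\n' "$cipher" >> "$conf"
}

# Return non-zero if the config still has something the Mikrotik OVPN client
# cannot do: UDP, tls-auth/tls-crypt, compression, push options, or a cipher
# outside the AES-CBC / Blowfish-CBC set it supports.
check_mikrotik_compat() {
  local conf="$1" bad=0
  grep -Eq '^proto[[:space:]]+tcp' "$conf"   || { echo "proto must be tcp" >&2; bad=1; }
  grep -Eq '^(tls-auth|tls-crypt)' "$conf"  && { echo "tls-auth/tls-crypt not supported" >&2; bad=1; }
  grep -Eq '^(comp-lzo|compress)' "$conf"   && { echo "compression not supported" >&2; bad=1; }
  grep -Eq '^push ' "$conf"                 && { echo "push options are not applied by the client; comment them" >&2; bad=1; }
  grep -Eq '^cipher[[:space:]]+(AES-(128|192|256)-CBC|BF-CBC)$' "$conf" \
    || { echo "cipher must be AES-128/192/256-CBC or BF-CBC" >&2; bad=1; }
  return "$bad"
}

# Steps 1-8 end to end. Interactive: ovpn_initpki asks for a new CA passphrase
# and build-client-full asks for it again to sign the client certificate.
provision() {
  local mnt
  docker volume create --name "$OVPN_DATA"
  dkr "$IMAGE" ovpn_genconfig -e 'topology subnet' -u "tcp://$SERVER_IP:1194"
  dkr -it "$IMAGE" ovpn_initpki
  mnt="$(docker volume inspect -f '{{ .Mountpoint }}' "$OVPN_DATA")"
  patch_openvpn_conf "$mnt/openvpn.conf"
  check_mikrotik_compat "$mnt/openvpn.conf"
  dkr -it "$IMAGE" easyrsa build-client-full "$CLIENT_NAME" nopass
  # Static IP for this client (Step 8), written through the host mountpoint.
  mkdir -p "$mnt/ccd"
  echo "ifconfig-push $CLIENT_IP 255.255.255.0" > "$mnt/ccd/$CLIENT_NAME"
  # Step 6 last, so the container starts with the final config and ccd entry.
  docker run -v "$OVPN_DATA:/etc/openvpn" -d --name openvpn --restart unless-stopped \
    -p 1194:1194/tcp --cap-add=NET_ADMIN "$IMAGE"
}

case "${1:-}" in
  provision) provision ;;
  check) check_mikrotik_compat "${2:?path to openvpn.conf}" ;;
esac
```

Save it as a script and run it with `provision`; `check /var/lib/docker/volumes/ovpn-data/_data/openvpn.conf` can be run on its own against a config edited by hand to confirm nothing the Mikrotik client rejects was left in.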
The remaining steps are done on the Mikrotik router.
Step 1: Copy Certificates and Keys
Go to the OpenVPN server's volume mountpoint and download these three files to your local computer. mikrotik1.key is the client's private key: transfer it only over an encrypted channel such as scp, and delete the local copy once it is on the router.
ca.crt
mikrotik1.crt
mikrotik1.key
Their paths are given below:
| File | Path |
|---|---|
| ca.crt | /var/lib/docker/volumes/ovpn-data/_data/pki |
| mikrotik1.crt | /var/lib/docker/volumes/ovpn-data/_data/pki/issued |
| mikrotik1.key | /var/lib/docker/volumes/ovpn-data/_data/pki/private |
Open the Mikrotik router in Winbox and drag and drop these files into the Files window:
Step 2: Installing Certificates
Go to System -> Certificates and import ca.crt. The passphrase for the CA will also have to be entered.
Similarly import mikrotik1.crt and mikrotik1.key (no passphrase is required for these, since the key was generated with nopass). After the key is imported, the mikrotik1 certificate entry shows the K flag, meaning its private key is present; without that flag the OVPN client cannot use the certificate.
Step 3: Create an OVPN Client Connection
Go to PPP -> Interface and add a new "OVPN Client" interface. Give it a name of your choice. Go to the "Dial Out" tab and set the properties that match the server configuration above:
- Connect To: the server's public IP (the <Server IP> given in Step 3 of the server setup)
- Port: 1194
- Mode: ip
- User and Password: any non-empty values
- Certificate: the imported mikrotik1 certificate
- Auth: sha1 (OpenVPN's default, since the server config sets no auth directive)
- Cipher: aes128 (matches cipher AES-128-CBC on the server)
- Add Default Route: leave unchecked unless all of the router's traffic should go through the VPN
The username and password can be anything; the server as configured never checks them. They are mandatory, however, and cannot be left blank. If everything went well your VPN should be connected.
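The router-side Steps 1 to 3 can also be driven from the OpenVPN host over SSH, which keeps the private key off a workstation. The script below is an added example and not part of the tutorial or of RouterOS: it reads proto, port and cipher from the server's openvpn.conf, translates the cipher name into the RouterOS equivalent (refusing anything the RouterOS 6 client cannot do), renders a RouterOS script that imports the three files and creates the ovpn-client interface with matching settings, then ships everything with scp and runs it with /import. The router login admin@192.168.88.1, the placeholder server IP, the interface name ovpn-out1 and the dummy user/password vpn are assumptions.

```bash
#!/usr/bin/env bash
# Added example: the Mikrotik side (router Steps 1-3) driven from the OpenVPN
# host over SSH instead of Winbox. Not part of the original tutorial or of
# RouterOS. The router login, the placeholder server IP, the interface name
# ovpn-out1 and the dummy user/password are assumptions.
set -eu

OVPN_DATA="${OVPN_DATA:-ovpn-data}"
ROUTER="${ROUTER:-admin@192.168.88.1}"     # assumed SSH login of the router
CLIENT_NAME="${CLIENT_NAME:-mikrotik1}"
SERVER_IP="${SERVER_IP:-198.51.100.10}"    # placeholder: public IP of the OpenVPN server

# Map an OpenVPN cipher name to the RouterOS ovpn-client cipher= value.
# Only the CBC ciphers the RouterOS 6 client offers are accepted; anything
# else (GCM, ChaCha20, ...) is refused rather than silently mistranslated.
routeros_cipher() {
  case "$1" in
    AES-128-CBC) echo aes128 ;;
    AES-192-CBC) echo aes192 ;;
    AES-256-CBC) echo aes256 ;;
    BF-CBC)      echo blowfish128 ;;
    *) echo "cipher $1 is not supported by the RouterOS OVPN client" >&2; return 1 ;;
  esac
}

# Read proto, port and cipher from the server's openvpn.conf and print a
# RouterOS script that imports the three files and creates the OVPN client
# interface with matching settings (auth=sha1 is OpenVPN's default HMAC).
render_router_script() {
  local conf="$1" client="$2" server_ip="$3" port cipher rcipher
  if ! awk '$1=="proto"{p=$2} END{exit (p=="tcp") ? 0 : 1}' "$conf"; then
    echo "server proto must be tcp for the Mikrotik client" >&2
    return 1
  fi
  port="$(awk '$1=="port"{print $2}' "$conf")"
  cipher="$(awk '$1=="cipher"{print $2}' "$conf")"
  # BF-CBC is what OpenVPN uses when the config sets no cipher at all.
  rcipher="$(routeros_cipher "${cipher:-BF-CBC}")" || return 1
  cat <<EOF
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=$client.crt passphrase=""
/certificate import file-name=$client.key passphrase=""
/certificate set [find where name~"^$client.crt"] name=$client
/interface ovpn-client add name=ovpn-out1 connect-to=$server_ip port=${port:-1194} mode=ip user=vpn password=vpn certificate=$client auth=sha1 cipher=$rcipher add-default-route=no disabled=no
EOF
}

# Copy ca.crt, the client cert and the client's private key to the router
# over scp only (the .key must never travel over an unencrypted channel),
# then run the rendered script on the router with /import.
push_to_router() {
  local mnt script
  mnt="$(docker volume inspect -f '{{ .Mountpoint }}' "$OVPN_DATA")"
  script="$CLIENT_NAME-ovpn.rsc"
  render_router_script "$mnt/openvpn.conf" "$CLIENT_NAME" "$SERVER_IP" > "/tmp/$script"
  scp "$mnt/pki/ca.crt" "$mnt/pki/issued/$CLIENT_NAME.crt" \
      "$mnt/pki/private/$CLIENT_NAME.key" "/tmp/$script" "$ROUTER:"
  ssh "$ROUTER" "/import file-name=$script"
  rm -f "/tmp/$script"
}

case "${1:-}" in
  push) push_to_router ;;
esac
```

Run it with `push` on the server after Step 8. The dummy user and password are there only because the RouterOS interface refuses to dial without them; the server never checks them.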
To troubleshoot, run the following on the OpenVPN server to follow the container's log:
docker logs -f <container_ID or name>
Any errors encountered during connection (certificate verification failures, cipher mismatches) are displayed here.
@nasirhafeez Hey, great tutorial! I've a problem with importing the cert private key (.key file) on my router. Maybe a specific router OS is required? I'm on 7.x version. Could you provide some screenshots on how you're importing mikrotik1.crt, mikrotik1.key files?