@nasirhafeez
Last active September 26, 2024 17:12
OpenVPN Server for Mikrotik on Docker

Contents

Introduction

Server Configurations

Mikrotik Client Setup

Troubleshooting

Useful Links

Introduction

The goal of this project is to configure a Dockerized OpenVPN server instance in Ubuntu 18 so that Mikrotik OpenVPN clients can connect to it.

There are a few limitations in Mikrotik’s OpenVPN client implementation that we need to keep in mind:

  • It only supports TCP and not UDP

  • TLS-Auth is not supported

  • Comp-LZO is not supported

  • Limited authentication algorithms and ciphers are supported

Server Configurations

Assuming Docker is already installed on the server:

Step 1: Create a variable to be used subsequently

OVPN_DATA="ovpn-data"

Step 2: Create Docker volume

docker volume create --name $OVPN_DATA

Step 3: Define server IP, protocol, port and OpenVPN topology

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm kylemanna/openvpn ovpn_genconfig -e 'topology subnet' -u tcp://<Server IP>:1194

Step 4: Build the Certificate Authority

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn ovpn_initpki

Enter a passphrase for the CA key when prompted, then press Enter to accept the defaults for the remaining prompts.

Step 5: Adjust OpenVPN server configurations

docker volume inspect ovpn-data

This command prints the actual location of the volume’s files as the “Mountpoint” field. Navigate to that folder and open the server configuration:

cd /var/lib/docker/volumes/ovpn-data/_data
nano openvpn.conf

Modify the OpenVPN server configurations as follows:

Comment the tls-auth line:

#tls-auth /etc/openvpn/pki/ta.key

Add the cipher directive:

cipher AES-128-CBC

To allow multiple clients to use the same certificate and key (note that such clients are indistinguishable to the server, and the per-client file from Step 8 is matched on the certificate’s common name, so issue a separate certificate for every device that needs its own static IP):

duplicate-cn

Comment the comp-lzo directive:

#comp-lzo no

Comment all the push configurations:

#push "block-outside-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "comp-lzo no"

Save and exit.

The complete openvpn.conf is given below for reference:

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/178.62.52.238.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/178.62.52.238.crt
dh /etc/openvpn/pki/dh.pem
#tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto tcp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log

cipher AES-128-CBC
duplicate-cn

user nobody
group nogroup
#comp-lzo no

### Route Configurations Below
route 192.168.254.0 255.255.255.0

### Push Configurations Below
#push "block-outside-dns"
#push "dhcp-option DNS 8.8.8.8"
#push "dhcp-option DNS 8.8.4.4"
#push "comp-lzo no"

### Extra Configurations Below
topology subnet

Step 6: Start the Docker container

docker run -v $OVPN_DATA:/etc/openvpn -d -p 1194:1194/tcp --cap-add=NET_ADMIN kylemanna/openvpn

Step 7: Client Setup

docker run -v $OVPN_DATA:/etc/openvpn --log-driver=none --rm -it kylemanna/openvpn easyrsa build-client-full mikrotik1 nopass

This generates the certificate and key for a client named mikrotik1. The CA passphrase will need to be entered.

Step 8: Set up a static IP for the client

echo "ifconfig-push 192.168.255.10 255.255.255.0" | docker run -v $OVPN_DATA:/etc/openvpn -i --rm kylemanna/openvpn tee /etc/openvpn/ccd/mikrotik1

With this configuration the client mikrotik1 will always get the static IP 192.168.255.10 upon connection.
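Added example, not part of the gist: a POSIX shell script that applies the Step 5 edits to openvpn.conf and then checks the file against the client limitations listed in the Introduction (TCP only, no tls-auth, no comp-lzo, an explicit cipher), so the config can be validated before the container is started. The sample config it writes is constructed to mirror what ovpn_genconfig emits before editing, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the gist): apply the Step 5 edits to an openvpn.conf
# and check it against the Mikrotik client limits from the Introduction.
# The sample config and the file paths used here are constructed.

# Write a constructed copy of the config as ovpn_genconfig leaves it, before
# Step 5 (tls-auth, comp-lzo and push lines still active, no cipher line).
write_sample_conf() {
    cat > "$1" <<'EOF'
server 192.168.255.0 255.255.255.0
verb 3
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
proto tcp
port 1194
dev tun0
comp-lzo no
push "block-outside-dns"
push "dhcp-option DNS 8.8.8.8"
topology subnet
EOF
}

# Step 5 edits: comment tls-auth, comp-lzo and push, add cipher and
# duplicate-cn. Safe to re-run: already-commented lines are left alone.
mikrotik_adapt() {
    conf="$1"
    sed -e 's|^tls-auth |#tls-auth |' \
        -e 's|^comp-lzo|#comp-lzo|' \
        -e 's|^push |#push |' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep -q '^cipher ' "$conf"       || printf 'cipher AES-128-CBC\n' >> "$conf"
    grep -q '^duplicate-cn$' "$conf" || printf 'duplicate-cn\n' >> "$conf"
}

# Return 0 when every Mikrotik constraint holds, 1 otherwise, printing each
# violation so the check can gate a deployment before docker run.
mikrotik_check() {
    conf="$1"; rc=0
    grep -q '^proto tcp' "$conf"   || { echo "FAIL: proto must be tcp";    rc=1; }
    grep -q '^cipher ' "$conf"     || { echo "FAIL: no cipher directive";  rc=1; }
    ! grep -q '^tls-auth ' "$conf" || { echo "FAIL: tls-auth is enabled";  rc=1; }
    ! grep -q '^comp-lzo' "$conf"  || { echo "FAIL: comp-lzo is enabled";  rc=1; }
    ! grep -q '^push ' "$conf"     || { echo "FAIL: push lines are active"; rc=1; }
    return "$rc"
}

# Example run on the constructed sample (exit status 0 once adapted):
#   f=$(mktemp); write_sample_conf "$f"; mikrotik_adapt "$f"; mikrotik_check "$f"
```

To use it on a real deployment, call mikrotik_adapt and mikrotik_check on /var/lib/docker/volumes/ovpn-data/_data/openvpn.conf instead of the sample file.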

Mikrotik Client Setup

Step 1: Copy Certificates and Keys

Go to the OpenVPN server’s volume mountpoint and download these three files to your local computer:

ca.crt
mikrotik1.crt
mikrotik1.key

Their paths are given below:

File           Path
ca.crt         /var/lib/docker/volumes/ovpn-data/_data/pki
mikrotik1.crt  /var/lib/docker/volumes/ovpn-data/_data/pki/issued
mikrotik1.key  /var/lib/docker/volumes/ovpn-data/_data/pki/private

Open the Mikrotik router in Winbox and drag and drop these files onto it:

(screenshot)

Step 2: Installing Certificates

Go to System -> Certificates and import ca.crt:

(screenshot)

The CA passphrase will also have to be entered.

Similarly import mikrotik1.crt and mikrotik1.key (passphrase will not be required for importing these).

(screenshot)

Step 3: Create an OVPN Client Connection

Go to PPP -> Interface and add a new “OVPN Client” interface. Give it a name of your choice. Go to the “Dial Out” tab and set the following properties:

(screenshot of the Dial Out tab)

The username and password can be anything; this server configuration does no username/password verification, and the client certificate alone authenticates the router. However, the fields are mandatory and cannot be left blank. If everything went well your VPN should be connected.

Troubleshooting

To troubleshoot, go to the OpenVPN server and run the following command to follow the OpenVPN container’s logs:

docker logs -f <container_ID or name>

Any errors encountered during connection will be displayed here.

Useful Links

https://github.com/kylemanna/docker-openvpn


@nasirhafeez Hey, great tutorial! I've a problem with importing the cert private key (.key file) on my router. Maybe a specific RouterOS version is required? I'm on 7.x. Could you provide some screenshots of how you're importing the mikrotik1.crt and mikrotik1.key files?

You can refer to the screenshot under Step 2: Installing Certificates. Click on the Import button in Certificates tab. But this was tested on RouterOS v6, not sure about whether it will work on v7 or not.

I had to convert my crt and key files into the pem certificates. It can be done via the openssl program:

openssl x509 -inform PEM -in my_cert.crt > public.pem
openssl rsa -in my_key.key -text > private.pem

Then v7 allows importing these certs without any problems.

Somehow the manual is missing the part about how to route your connections through the VPN interface. I would appreciate it if it were described in detail.

If you look at the screenshot under Step 3, there's a checkbox to Add Default Route. You can click on that and then all traffic will start going through the VPN.
