Administrator: /* Properties */

2018-04-04T18:53:56Z

Properties

← Older revision		Revision as of 18:53, 4 April 2018
Line 45:		Line 45:
	\|type=string {{!}} none		\|type=string {{!}} none
	\|default=none		\|default=none
	\|desc=Name of the client certificate imported into [[certificate list]].		\|desc=Name of the client certificate imported into certificate list.
	}}		}}

Administrator: Created page with "{{Versions|v5+}} ==Summary==
Standards:
Package: `ppp`
Currently unsupported OVPN feature: * UDP mode * LZ..."

2018-04-04T18:49:11Z

Created page with "{{Versions|v5+}} ==Summary== Standards: <code></code> Package: <code>ppp</code> Currently unsupported OVPN feature: * UDP mode * LZ..."

New page

{{Versions|v5+}}

==Summary==

Standards: <code></code> 
Package: <code>ppp</code>


Currently unsupported OVPN feature:
* UDP mode
* LZO compression
* TLS authentication
* authentication without username/password

==OVPN Client==
Sub-menu: <code>/interface ovpn-client</code>

===Properties===

{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-table
|arg=add-default-route
|type=yes {{!}} no
|default=no
|desc=Whether to add OVPN remote address as a default route.

}}

{{Mr-arg-table
|arg=auth
|type=md5 {{!}} sha1
|default=sha1
|desc=Allowed authentication methods.
}}

{{Mr-arg-table
|arg=certificate
|type=string {{!}} none
|default=none
|desc=Name of the client certificate imported into [[certificate list]].
}}

{{Mr-arg-table
|arg=cipher
|type=aes128 {{!}} aes192 {{!}} aes256 {{!}} blowfish128
|default=blowfish128
|desc=Allowed ciphers.
}}

{{Mr-arg-table
|arg=comment
|type=string
|default=
|desc=Descriptive name of an item
}}

{{Mr-arg-table
|arg=connect-to
|type=IP
|default=
|desc=Remote address of the OVPN server.
}}

{{Mr-arg-table
|arg=disabled
|type=yes {{!}} no
|default=yes
|desc=Whether interface is disabled or not. By default it is disabled.
}}

{{Mr-arg-table
|arg=mac-address
|type=MAC
|default=
|desc=Mac address of OVPN interface. Will be auto generated if not specified.
}}

{{Mr-arg-table
|arg=max-mtu
|type=integer
|default=1500
|desc=Maximum Transmission Unit. Max packet size that OVPN interface will be able to send without packet fragmentation.
}}

{{Mr-arg-table
|arg=mode
|type=ip {{!}} ethernet
|default=ip
|desc=Layer3 or layer2 tunnel mode (alternatively tun, tap)
}}

{{Mr-arg-table
|arg=name
|type=string
|default=
|desc=Descriptive name of the interface.
}}

{{Mr-arg-table
|arg=password
|type=string
|default=""
|desc=Password used for authentication.
}}

{{Mr-arg-table
|arg=port
|type=integer
|default=1194
|desc=Port to connect to.
}}

{{Mr-arg-table
|arg=profile
|type=name
|default=default
|desc=Used [[Manual:PPP_AAA#User_Profiles | PPP profile]].
}}

{{Mr-arg-table-end
|arg=user
|type=string
|default=
|desc=User name used for authentication.
}}

===Quick example===

This example demonstrates how to set up OVPN client with username "test", password "123" and server 10.1.101.1

<pre>
[admin@bumba] /interface ovpn-client> add connect-to=10.1.101.1 user=test password=123 disabled=no
[admin@bumba] /interface ovpn-client> print
Flags: X - disabled, R - running
0 name="ovpn-out1" mac-address=FE:7B:9C:F9:59:D0 max-mtu=1500 connect-to=10.1.101.1
port=1194 mode=ip user="test" password="123" profile=default certificate=none auth=sha1
cipher=blowfish128 add-default-route=no

</pre>

==OVPN Server==
Sub-menu: <code>/interface ovpn-server</code>

This sub-menu shows interfaces for each connected OVPN clients.

An interface is created for each tunnel established to the given server. There are two types of interfaces in OVPN server's configuration
<ul class="bullets">
<li> Static interfaces are added administratively if there is a need to reference the particular interface name (in firewall rules or elsewhere) created for the particular user.
<li>Dynamic interfaces are added to this list automatically whenever a user is connected and its username does not match any existing static entry (or in case the entry is active already, as there can not be two separate tunnel interfaces referenced by the same name).
</ul>
Dynamic interfaces appear when a user connects and disappear once the user disconnects, so it is impossible to reference the tunnel created for that use in router configuration (for example, in firewall), so if you need a persistent rule for that user, create a static entry for him/her. Otherwise it is safe to use dynamic configuration.

{{Note | in both cases PPP users must be configured properly - static entries do not replace PPP configuration.}}

===Server configuration===
Sub-menu: <code>/interface ovpn-server server</code>

Properties:

{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-table
|arg=auth
|type=sha1 {{!}} md5
|default=sha1,md5
|desc=Authentication methods that server will accept.
}}

{{Mr-arg-table
|arg=certificate
|type=name {{!}} none
|default=none
|desc=Name of the certificate that OVPN server will use.
}}

{{Mr-arg-table
|arg=cipher
|type=aes128 {{!}} aes192 {{!}} aes256 {{!}} blowfish128
|default=aes128,blowfish128
|desc=Allowed ciphers.
}}

{{Mr-arg-table
|arg=default-profile
|type=name
|default=default
|desc=Default profile to use.
}}

{{Mr-arg-table
|arg=enabled
|type=yes {{!}} no
|default=no
|desc= Defines whether OVPN server is enabled or not.
}}

{{Mr-arg-table
|arg=keepalive-timeout
|type=integer {{!}} disabled
|default=60
|desc=Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If no traffic and no keepalive responses has came for that period of time (i.e. 2 * keepalive-timeout), not responding client is proclaimed disconnected
}}

{{Mr-arg-table
|arg=mac-address
|type=MAC
|default=
|desc=Auto Generated MAC address of the server.
}}

{{Mr-arg-table
|arg=max-mtu
|type=integer
|default=1500
|desc=Maximum Transmission Unit. Max packet size that OVPN interface will be able to send without packet fragmentation.
}}

{{Mr-arg-table
|arg=mode
|type=ip {{!}} ethernet
|default=ip
|desc=Layer3 or layer2 tunnel mode (alternatively tun, tap)
}}

{{Mr-arg-table
|arg=netmask
|type=integer
|default=24
|desc=Subnet mask to be applied to client.
}}

{{Mr-arg-table
|arg=port
|type=integer
|default=1194
|desc=Port to run server on.
}}

{{Mr-arg-table-end
|arg=require-client-certificate
|type=yes {{!}} no
|default=no
|desc=If set to yes, then server checks whether client's certificate belongs to the same certificate chain.
}}

<pre>
[admin@bumba] /interface ovpn-server server set enabled=yes
[admin@bumba] /interface ovpn-server server set certificate=server
[admin@bumba] /interface ovpn-server server print
enabled: yes
port: 1194
mode: ip
netmask: 24
mac-address: FE:A5:57:72:9D:EC
max-mtu: 1500
keepalive-timeout: 60
default-profile: default
certificate: server
require-client-certificate: no
auth: sha1,md5
cipher: blowfish128,aes128

</pre>

{{Warning |
It is very important that the date on the router is within the range of the installed certificate's date of expiration. To overcome any certificate verification problems, enable NTP date synchronization on both server and client.}}

==Monitoring==
Monitor command can be used to monitor the status of the tunnel on both client and server.
<pre>
[admin@dzeltenais_burkaans] /interface ovpn-server monitor 0
status: "connected"
uptime: 17m47s
idle-time: 17m47s
user: "test"
caller-id: "10.1.101.18:43886"
mtu: 1500

</pre>

Read-only properties
{{Mr-arg-table-h
|prop=Property
|desc=Description
}}

{{Mr-arg-ro-table
|arg=status
|type=
|desc=Current status. Value other than "connected" indicates that there are some problems establishing tunnel.
}}

{{Mr-arg-ro-table
|arg=uptime
|type=time
|desc=Elapsed time since tunnel was established.
}}

{{Mr-arg-ro-table
|arg=idle-time
|type=time
|desc=Elapsed time since last activity on the tunnel.
}}

{{Mr-arg-ro-table
|arg=user
|type=string
|desc=Username used to establish the tunnel.
}}

{{Mr-arg-ro-table
|arg=mtu
|type=integer
|desc=Negotiated and used MTU
}}

{{Mr-arg-ro-table-end
|arg=caller-id
|type=IP:ID
|desc=Source IP and Port of client.
}}

==Application Examples==

====Setup Overview====

[[file:ipsec-road-warrior.png]]

Assume that Office public IP address is 2.2.2.2 and we want two remote OVPN clients to have access to 10.5.8.20 and 192.168.55.0/24 networks behind office gateway.

====Creating Certificates====
All certificates can be created on RadioOS server using certificate manager. [[M:Create_Certificates#Generate_certificates_on_RadioOS | See example >>]].

For simplest setup you need only ovpn server certificate.

====Server Config====

First step is to create ip pool from which client addresses will be assigned and some users
<pre>
/ip pool add name=ovpn-pool range=192.168.77.2-192.168.77.254

/ppp profile add name=ovpn local-address=192.168.77.1 remote-address=ovpn-pool
/ppp secret
add name=client1 password=123 profile=ovpn
add name=client2 password=234 profile=ovpn
</pre>

Assume that server certificate is already created and named "server"

<pre>
/interface ovpn-server server set enabled=yes certificate=server
</pre>

====Client Config====

'''RadioOS client'''

Since RadioOS does not support route-push you need to add manually which networks you want to access over the tunnel.
<pre>
/interface ovpn-client
add name=ovpn-client1 connect-to=2.2.2.2 user=client1 password=123 disabled=no
/ip route
add dst-address=10.5.8.20 gateway=ovpn-client1
add dst-address=192.168.55.0/24 gateway=ovpn-client1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ovpn-client1
</pre>

'''Linux Client config'''

<pre>
dev tun
proto tcp-client

remote 2.2.2.2 1194

tls-client

user nobody
group nogroup

#comp-lzo # Do not use compression.

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

mute-replay-warnings

verb 3

cipher BF-CBC
auth SHA1
pull

auth-user-pass auth.cfg
</pre>

The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.
<pre>
client2
234
</pre>

{{Cont}}

[[Category:Manual|O]]
[[Category:VPN|O]]
[[Category:Interface|O]]

Manual:Interface/OVPN - Revision history

Administrator: /* Properties */

Administrator: Created page with "{{Versions|v5+}} ==Summary== Standards: Package: ppp Currently unsupported OVPN feature: * UDP mode * LZ..."

Administrator: Created page with "{{Versions|v5+}} ==Summary==
Standards:
Package: `ppp`
Currently unsupported OVPN feature: * UDP mode * LZ..."