lctn
Member Candidate
Topic Author
Posts: 176
Joined: Tue Apr 04, 2006 3:51 pm

wiki instructions not working for certificate creation

Thu Feb 12, 2015 10:16 pm

RB750 6.27

I am attempting to generate certificates for openvpn by following the wiki:
http://wiki.mikrotik.com/wiki/Manual:Cr ... n_RouterOS


The first steps work fine:
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2

However, when attempting to follow step 2 it errs out at the "sign template". Help does not show that "template" should be used. However, I am not sure how to work around that.

/certificate
sign template=ca-template ca-crl-host=10.5.101.16 name=myCa
sign ca=myCa template=server-template name=server
sign ca=myCa template=client1-template name=client1
sign ca=myCa template=client2-template name=client2
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: wiki instructions not working for certificate creation

Mon Feb 23, 2015 5:54 pm

I have the same problem. Did anyone succeed in creating the certificates using these instructions?

rgs
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: wiki instructions not working for certificate creation

Mon Feb 23, 2015 6:00 pm

I'm seeing that there's no longer a "template" argument on the "sign" command... There is however "numbers", so perhaps try it out as:
/certificate 
sign ca-template ca-crl-host=10.5.101.16 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: wiki instructions not working for certificate creation

Mon Feb 23, 2015 6:24 pm

Thanks a lot boen for your support.

This worked. I hope mikrotik will see this and update the wiki.
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: wiki instructions not working for certificate creation

Mon Feb 23, 2015 7:10 pm

Could you please elaborate on what the role of the CRL URL is? Can this be any IP, or must it be the server's IP (public or LAN URL)?
 
boen_robot
Forum Guru
Posts: 2400
Joined: Thu Aug 31, 2006 4:43 pm
Location: europe://Bulgaria/Plovdiv

Re: wiki instructions not working for certificate creation

Mon Feb 23, 2015 7:18 pm

AFAIK, the idea is to consult the specified URL in order to determine whether a certificate is revoked by the CA or not.

I'm not really sure what the protocol is, but seeing there's an Apache module for it, I'm assuming it's an HTTP flavor of sorts, so if you have an HTTPS server, it could probably act as a CRL for its own self-signed certificate. If you had your certificate issued by a 3rd party, they'd embed their own servers as CRLs, since after all, it's up to them to block your certificate, should someone steal it or whatever.
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: wiki instructions not working for certificate creation

Mon Feb 23, 2015 11:28 pm

I sincerely appreciate this help. I spent so much time working on this and now finally got the connection right. We will be using OpenVPN to connect to our network from the WAN side. Now I just need the final step to get the routing right too.

In the openvpn client config file I have specified "route 10.0.0.0 255.255.255.0" but I am not sure if this is adequate.

For connections coming in from the WAN side, how should I set up the routing? I saw some solution suggesting to make a NAT masquerade rule, or should I add the OpenVPN interface to the bridge? Or how will connecting clients get access to the units on the LAN (10.0.0.0)?

After connecting through the OpenVPN client (Windows), my routing table looks as below.

I don't understand the first line
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 10

Is it correct that, according to the above, everything is still sent to 192.168.0.1, i.e. the gateway on the LAN where the remote client is connected? If so, then I have achieved nothing.

The objective was that everything has to go through the VPN to 10.0.0.0.

Or does the below mean that everything for 10.0.0.0 goes through the VPN and anything else goes to the local gateway where the client is connected, 192.168.0.1?


192.168.100.xxx is the openvpn connection
10.0.1.1 is the remote address where the mikrotik server is located.
10.0.0.0 is the lan on the server side I wish to connect to.
192.168.0.xxx is the remote lan where the windows client is connected - connecting to 10.0.1.1 through the openvpn to get on lan 10.0.0.0

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 10
10.0.0.0 255.255.255.0 192.168.100.1 192.168.100.2 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.100 266
192.168.0.100 255.255.255.255 On-link 192.168.0.100 266
192.168.0.255 255.255.255.255 On-link 192.168.0.100 266
192.168.100.0 255.255.255.0 192.168.100.1 192.168.100.2 30
192.168.100.0 255.255.255.252 On-link 192.168.100.2 286
192.168.100.2 255.255.255.255 On-link 192.168.100.2 286
192.168.100.3 255.255.255.255 On-link 192.168.100.2 286
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.100 266
224.0.0.0 240.0.0.0 On-link 192.168.100.2 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.100 266
255.255.255.255 255.255.255.255 On-link 192.168.100.2 286
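Windows picks a route by longest matching prefix first and lowest metric second, so the question above can be answered mechanically from the posted table. The following is an added example, not code from the post or from MikroTik; it parses the route lines exactly as printed above and resolves a few destinations the way the Windows stack would.

```python
import ipaddress

# Lines copied from the "route print" output posted above (not constructed).
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 10
10.0.0.0 255.255.255.0 192.168.100.1 192.168.100.2 30
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.100 266
192.168.100.0 255.255.255.0 192.168.100.1 192.168.100.2 30
192.168.100.0 255.255.255.252 On-link 192.168.100.2 286
"""


def parse_routes(text):
    """Turn 'dest mask gateway interface metric' lines into tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers / separators if a full dump is pasted
        dest, mask, gateway, iface, metric = parts
        # ipaddress accepts a dotted netmask in place of a prefix length.
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Return (gateway, interface) for dst: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]


if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for dst in ("10.0.0.50", "8.8.8.8", "192.168.100.1"):
        gw, iface = lookup(table, dst)
        print(f"{dst:>15} -> gateway {gw:<14} via {iface}")
```

Running it shows that only 10.0.0.0/24 is sent to the OpenVPN gateway 192.168.100.1, while any other destination falls back to the 0.0.0.0/0 route via 192.168.0.1; the 10.0.0.0/24 line does exactly what the "route 10.0.0.0 255.255.255.0" directive in the client config asked for, and it does not pull the rest of the traffic into the tunnel.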
 
Pilgrim
Member Candidate
Posts: 265
Joined: Sun Mar 30, 2008 1:04 pm

Re: wiki instructions not working for certificate creation

Tue Feb 24, 2015 1:11 am

I got a bit of a break, but still have a long way to go, I am afraid. I am totally new to OpenVPN.

I got access to the units on the server side by changing from IP/TUN to Ethernet/TAP and deleting the route in the client config file. So far so good, but I would like to revert back to TUN/IP to have more control and also to have the option that only the traffic designated for the "office" LAN goes through the VPN and other internet traffic just goes directly. I would also like to limit access to specific IPs on the office LAN.

So any advice how to setup the routing on the mikrotik vpn server is more than appreciated.

rgs
