Community discussions

MikroTik App
 
error420123
just joined
Topic Author
Posts: 3
Joined: Thu Nov 04, 2021 4:43 am

Tiny OpenVPN client container

Fri Oct 14, 2022 3:54 pm

Hello, I'm impressed and very excited about the container release in RouterOS 7.5. For a long time I dream transfer my openvpn clients to the wifi-router. Enjoy simple guide if you want
<REMOVED>
Last edited by rextended on Sat Oct 15, 2022 2:46 am, edited 1 time in total.
Reason: <REMOVED> link
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12377
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Tiny OpenVPN client container

Sat Oct 15, 2022 2:46 am

On your code is present this, why?

ping -c 10 service. home. internal. net (without spaces on domain)

This call home?

Assuming I'm wrong, never use something that really exists on examples...
Last edited by rextended on Fri Oct 21, 2022 3:23 pm, edited 1 time in total.
 
error420123
just joined
Topic Author
Posts: 3
Joined: Thu Nov 04, 2021 4:43 am

Re: Tiny OpenVPN client container

Sat Oct 15, 2022 7:55 am

Hi service. home. internal. net is just an example of an intranet resource. If it ceases to be available, then the openvpn connection is re-created. When configuring, you must specify your resource
 
marlab
newbie
Posts: 25
Joined: Sun Mar 15, 2015 2:48 pm
Location: EU

Re: Tiny OpenVPN client container

Fri Jul 07, 2023 5:31 pm

<REMOVED>
Why it was removed? I'm looking for something similar as Mikrotik OpenVPN as a client still does not support TLS auth
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 12377
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Tiny OpenVPN client container

Fri Jul 07, 2023 7:06 pm

You could have waited a few more months before asking, so one would remember it better,
however it is written, just read.

However I recommend you to use wireguard which is natively supported, in a heartbeat,
instead of wasting your time with openvpn inside a container...
 
marlab
newbie
Posts: 25
Joined: Sun Mar 15, 2015 2:48 pm
Location: EU

Re: Tiny OpenVPN client container

Mon Jul 10, 2023 1:09 am

However I recommend you to use wireguard which is natively supported
If the remote server I'm connecting to had used Wireguard, I would surely use it. But it is about MT connecting as a client to a remote OpenVPN server, and I do not have any alternative methods available.
 
error420123
just joined
Topic Author
Posts: 3
Joined: Thu Nov 04, 2021 4:43 am

Re: Tiny OpenVPN client container

Thu Aug 31, 2023 8:35 pm

However I recommend you to use wireguard which is natively supported
If the remote server I'm connecting to had used Wireguard, I would surely use it. But it is about MT connecting as a client to a remote OpenVPN server, and I do not have any alternative methods available.
Hey, buddy. Hope you find this useful. This is copy of README from my github

Dockerfile
FROM alpine:3.16

RUN apk update && \
    apk upgrade && \
    apk add --no-cache openvpn iptables && \
    rm -rf /var/cache/apk

COPY ./entry.sh /root/
COPY ./config.ovpn /root/
COPY ./config.pass /root/
RUN chmod +x /root/entry.sh
ENTRYPOINT /root/entry.sh
entry.sh
#!/bin/sh
set -x

/usr/sbin/openvpn --config /root/config.ovpn &
until ip l sh tap0 >/dev/null 2>&1; do sleep 1; done
sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT

while sleep 50; do
  t=$(ping -c 10 service.home.internal.net | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
  if [ "$t" -eq 0 ]; then
    pkill -f openvpn
    /usr/sbin/openvpn --config /root/config.ovpn &
  fi
done
config.ovpn Yout configuration of OpenVPN
config.pass Certificate password

Description

Setup a OpenVPN client for access to your home network
Minimum system requirements
RouterOS 7.5 or newer
arm, arm64 or x86 cpu
10 MB disk space (internal NAND storage)
Usage

Setup container on RouterOS. See details here.

Replace config.ovpn and config.pass with your own files. Or configure client like you want

Replace service. home. internal .net in entry.sh for some host in your home network (for connectivity check). This used for restart connection if it's down.

Build image:
docker buildx build  --no-cache --platform linux/arm/v7 -t ovpn-container .
docker save ovpn-container > ovpn-container.tar
arch 	router cpu
linux/arm/v7 	ARM
linux/arm64 	ARM64
linux/amd64 	x86
Upload ovpn-container.tar to your router

Setup containers network
/interface/bridge/add name=dockers
/interface/veth/add address=192.168.121.2/24 gateway=192.168.121.1 name=veth1
/interface/bridge/port/add bridge=dockers interface=veth1
/interface/list/member/add interface=dockers list=LAN
/ip/address/add address=192.168.121.1/24 interface=dockers network=192.168.121.0
/ip/firewall/nat/add action=masquerade chain=srcnat src-address-list=192.168.121.0/24
Setup routing
/routing/table/add disabled=no fib name=homeNetwork
/ip/route/add disabled=no distance=1 dst-address=172.16.0.0/12 gateway=192.168.121.2 \
    pref-src=0.0.0.0 routing-table=homeNetwork scope=30 suppress-hw-offload=no \
    target-scope=1
/routing/rule/add action=lookup disabled=no dst-address=172.16.0.0/12 table=homeNetwork
Create container
 /container/add file=ovpn-container.tar interface=veth1 dns=192.168.121.1 logging=yes
 /container/start 0
Done, now you can access all your services in 172.16.0.0/12 network
 
AresPo
just joined
Posts: 12
Joined: Thu Sep 02, 2021 7:06 pm

Re: Tiny OpenVPN client container

Sat Sep 07, 2024 1:17 pm



If the remote server I'm connecting to had used Wireguard, I would surely use it. But it is about MT connecting as a client to a remote OpenVPN server, and I do not have any alternative methods available.
Hey, buddy. Hope you find this useful. This is copy of README from my github

Dockerfile
FROM alpine:3.16

RUN apk update && \
    apk upgrade && \
    apk add --no-cache openvpn iptables && \
    rm -rf /var/cache/apk

COPY ./entry.sh /root/
COPY ./config.ovpn /root/
COPY ./config.pass /root/
RUN chmod +x /root/entry.sh
ENTRYPOINT /root/entry.sh
entry.sh
#!/bin/sh
set -x

/usr/sbin/openvpn --config /root/config.ovpn &
until ip l sh tap0 >/dev/null 2>&1; do sleep 1; done
sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT

while sleep 50; do
  t=$(ping -c 10 service.home.internal.net | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
  if [ "$t" -eq 0 ]; then
    pkill -f openvpn
    /usr/sbin/openvpn --config /root/config.ovpn &
  fi
done
config.ovpn Yout configuration of OpenVPN
config.pass Certificate password

Description

Setup a OpenVPN client for access to your home network
Minimum system requirements
RouterOS 7.5 or newer
arm, arm64 or x86 cpu
10 MB disk space (internal NAND storage)
Usage

Setup container on RouterOS. See details here.

Replace config.ovpn and config.pass with your own files. Or configure client like you want

Replace service. home. internal .net in entry.sh for some host in your home network (for connectivity check). This used for restart connection if it's down.

Build image:
docker buildx build  --no-cache --platform linux/arm/v7 -t ovpn-container .
docker save ovpn-container > ovpn-container.tar
arch 	router cpu
linux/arm/v7 	ARM
linux/arm64 	ARM64
linux/amd64 	x86
Upload ovpn-container.tar to your router

Setup containers network
/interface/bridge/add name=dockers
/interface/veth/add address=192.168.121.2/24 gateway=192.168.121.1 name=veth1
/interface/bridge/port/add bridge=dockers interface=veth1
/interface/list/member/add interface=dockers list=LAN
/ip/address/add address=192.168.121.1/24 interface=dockers network=192.168.121.0
/ip/firewall/nat/add action=masquerade chain=srcnat src-address-list=192.168.121.0/24
Setup routing
/routing/table/add disabled=no fib name=homeNetwork
/ip/route/add disabled=no distance=1 dst-address=172.16.0.0/12 gateway=192.168.121.2 \
    pref-src=0.0.0.0 routing-table=homeNetwork scope=30 suppress-hw-offload=no \
    target-scope=1
/routing/rule/add action=lookup disabled=no dst-address=172.16.0.0/12 table=homeNetwork
Create container
 /container/add file=ovpn-container.tar interface=veth1 dns=192.168.121.1 logging=yes
 /container/start 0
Done, now you can access all your services in 172.16.0.0/12 network
Hello, my friend. Thank you so much for the tutorial you provided; I really appreciate it. I have a few questions I hope you can help me with. I was able to run the container successfully, but it seems that my service provider does not support TAP mode, so I have to use TUN mode instead. While the connection is established in TUN mode, there is no network connectivity outside the container.

My question is: is it possible to set the dst field to 0.0.0.0/0 in the routing settings you mentioned, so that we can use mangle to specify that all devices should use this gateway?
 
acompot
just joined
Posts: 2
Joined: Tue Jan 15, 2019 10:09 pm

Re: Tiny OpenVPN client container

Mon Sep 16, 2024 11:10 am

Hello, if I check the container settings on regular linux (mint 22), everything is fine, the route is created, everything works.
When the same container is sent to microtik, I get an error from iptables
 /sbin/iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
. that failed to apply filters module.
I am using hap ac^2, RouterOS version 7.15stable.
Different versions of alpine linux did not help to fix the situation.
P.S. now it is not tap0 but tun0.

Can someone help me with this problem?
 
solex
just joined
Posts: 1
Joined: Sat Sep 14, 2024 9:21 am

Re: Tiny OpenVPN client container

Tue Sep 17, 2024 11:29 am

hello, can you send your github link,
or someone tell me how can use code, because I'm nob :D, just I want use in my mikrotik router
please help me

Who is online

Users browsing this forum: No registered users and 3 guests