Hello, I'm impressed and very excited about the container release in RouterOS 7.5. For a long time I have dreamed of transferring my OpenVPN clients to the Wi-Fi router. Enjoy this simple guide if you want.
<REMOVED>
Why was it removed? I'm looking for something similar, as Mikrotik OpenVPN as a client still does not support TLS auth.
<REMOVED>
If the remote server I'm connecting to had used WireGuard, I would surely use it. But it is about MT connecting as a client to a remote OpenVPN server, and I do not have any alternative methods available.
However, I recommend you use WireGuard, which is natively supported.
Hey, buddy. Hope you find this useful. This is a copy of the README from my GitHub.
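Dockerfile

FROM alpine:3.16
# Install the OpenVPN client and iptables, then drop the apk cache
RUN apk update && \
    apk upgrade && \
    apk add --no-cache openvpn iptables && \
    rm -rf /var/cache/apk
# Entry script, OpenVPN client config and certificate password file
COPY ./entry.sh /root/
COPY ./config.ovpn /root/
COPY ./config.pass /root/
RUN chmod +x /root/entry.sh
ENTRYPOINT /root/entry.sh

entry.sh

#!/bin/sh
set -x
# Start the OpenVPN client in the background
/usr/sbin/openvpn --config /root/config.ovpn &
# Wait until the tunnel interface exists
until ip l sh tap0 >/dev/null 2>&1; do sleep 1; done
# Forward and NAT traffic arriving on eth0 into the tunnel
sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT
# Every 50 seconds ping a host behind the VPN; restart OpenVPN if nothing answers
while sleep 50; do
    t=$(ping -c 10 service.home.internal.net | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
    # Empty output (for example the name did not resolve) counts as zero replies
    if [ "${t:-0}" -eq 0 ]; then
        pkill -f openvpn
        /usr/sbin/openvpn --config /root/config.ovpn &
    fi
done

config.ovpn: Your configuration of OpenVPN
config.pass: Certificate password

Description
Set up an OpenVPN client for access to your home network

Minimum system requirements
RouterOS 7.5 or newer
arm, arm64 or x86 cpu
10 MB disk space (internal NAND storage)

Usage
Set up container on RouterOS. See details here.
Replace config.ovpn and config.pass with your own files. Or configure the client like you want.
Replace service.home.internal.net in entry.sh with some host in your home network (for connectivity check). This is used to restart the connection if it's down.

Build image:

docker buildx build --no-cache --platform linux/arm/v7 -t ovpn-container .
docker save ovpn-container > ovpn-container.tar

arch            router cpu
linux/arm/v7    ARM
linux/arm64     ARM64
linux/amd64     x86

Upload ovpn-container.tar to your router

Set up containers network

/interface/bridge/add name=dockers
/interface/veth/add address=192.168.121.2/24 gateway=192.168.121.1 name=veth1
/interface/bridge/port/add bridge=dockers interface=veth1
/interface/list/member/add interface=dockers list=LAN
/ip/address/add address=192.168.121.1/24 interface=dockers network=192.168.121.0
# src-address takes a subnet; src-address-list would expect the name of an address list
/ip/firewall/nat/add action=masquerade chain=srcnat src-address=192.168.121.0/24

Set up routing

/routing/table/add disabled=no fib name=homeNetwork
/ip/route/add disabled=no distance=1 dst-address=172.16.0.0/12 gateway=192.168.121.2 \
    pref-src=0.0.0.0 routing-table=homeNetwork scope=30 suppress-hw-offload=no \
    target-scope=1
/routing/rule/add action=lookup disabled=no dst-address=172.16.0.0/12 table=homeNetwork

Create container

/container/add file=ovpn-container.tar interface=veth1 dns=192.168.121.1 logging=yes
/container/start 0

Done, now you can access all your services in the 172.16.0.0/12 network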
Hello, my friend. Thank you so much for the tutorial you provided; I really appreciate it. I have a few questions I hope you can help me with. I was able to run the container successfully, but it seems that my service provider does not support TAP mode, so I have to use TUN mode instead. While the connection is established in TUN mode, there is no network connectivity outside the container.

Hey, buddy. Hope you find this useful. This is a copy of the README from my GitHub.
Dockerfile
entry.sh
config.ovpn: Your configuration of OpenVPN
config.pass: Certificate password
Description
Set up an OpenVPN client for access to your home network
Minimum system requirements
RouterOS 7.5 or newer
arm, arm64 or x86 cpu
10 MB disk space (internal NAND storage)
Usage
Set up container on RouterOS. See details here.
Replace config.ovpn and config.pass with your own files. Or configure the client like you want.
Replace service.home.internal.net in entry.sh with some host in your home network (for connectivity check). This is used to restart the connection if it's down.
Build image
Upload ovpn-container.tar to your router
Set up containers network
Set up routing
Create container
Done, now you can access all your services in the 172.16.0.0/12 network
/sbin/iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
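
An added example, not part of any post in this thread: entry.sh as posted hard-codes tap0, so with a TUN config its wait loop never finishes and the forwarding and NAT rules are never installed. The sketch below reads the interface from the `dev` line of config.ovpn instead; the function names, the `APPLY` switch and the rule that a bare `dev tun` means `tun0` are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive the VPN interface from the OpenVPN config rather
# than hard-coding tap0 as the thread's entry.sh does.

# Print the interface OpenVPN will create for config file $1.
# Assumption: a bare "dev tun"/"dev tap" gets index 0, which holds in a
# fresh container where no other tun/tap device exists yet.
vpn_dev_from_config() {
    dev=$(awk '$1 == "dev" { d = $2 } END { print d }' "$1")
    case "$dev" in
        tun|tap) printf '%s0\n' "$dev" ;;
        "")      return 1 ;;   # no dev directive: refuse to guess
        *)       printf '%s\n' "$dev" ;;
    esac
}

# Print entry.sh's three iptables rules for VPN interface $1 and
# container uplink $2 (eth0 in the thread's script).
forward_rules() {
    printf '%s\n' \
        "/sbin/iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE" \
        "/sbin/iptables -A FORWARD -i $1 -o $2 -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "/sbin/iptables -A FORWARD -i $2 -o $1 -j ACCEPT"
}

# Read a busybox ping summary on stdin and print the reply count.
# Prints 0 when ping produced no summary (e.g. the name did not resolve),
# so a later numeric test never sees an empty string.
received_count() {
    n=$(grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+' || true)
    printf '%s\n' "${n:-0}"
}

# Apply only when asked (APPLY=1 inside the container), so the functions
# can be exercised elsewhere without touching the network stack.
if [ "${APPLY:-0}" = 1 ]; then
    dev=$(vpn_dev_from_config /root/config.ovpn) || exit 1
    until ip link show "$dev" >/dev/null 2>&1; do sleep 1; done
    sysctl -w net.ipv4.ip_forward=1
    forward_rules "$dev" eth0 | sh -e
fi
```
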