error420123
just joined
Topic Author
Posts: 3
Joined: Thu Nov 04, 2021 4:43 am

Tiny OpenVPN client container

Fri Oct 14, 2022 3:54 pm

Hello, I'm impressed and very excited about the container release in RouterOS 7.5. For a long time I have dreamed of transferring my OpenVPN clients to the Wi-Fi router. Enjoy this simple guide if you want.
<REMOVED>
Last edited by rextended on Sat Oct 15, 2022 2:46 am, edited 1 time in total.
Reason: <REMOVED> link
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Tiny OpenVPN client container

Sat Oct 15, 2022 2:46 am

This is present in your code, why?

ping -c 10 service. home. internal. net (without spaces in the domain)

Does this call home?

Assuming I'm wrong, never use something that really exists in examples...
Last edited by rextended on Fri Oct 21, 2022 3:23 pm, edited 1 time in total.
 
error420123
just joined
Topic Author
Posts: 3
Joined: Thu Nov 04, 2021 4:43 am

Re: Tiny OpenVPN client container

Sat Oct 15, 2022 7:55 am

Hi, service. home. internal. net is just an example of an intranet resource. If it ceases to be available, then the OpenVPN connection is re-created. When configuring, you must specify your own resource.
 
marlab
newbie
Posts: 25
Joined: Sun Mar 15, 2015 2:48 pm
Location: EU

Re: Tiny OpenVPN client container

Fri Jul 07, 2023 5:31 pm

<REMOVED>
Why was it removed? I'm looking for something similar, as MikroTik OpenVPN as a client still does not support TLS auth.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Tiny OpenVPN client container

Fri Jul 07, 2023 7:06 pm

You could have waited a few more months before asking, so one would remember it better,
however it is written, just read.

However I recommend you to use wireguard which is natively supported, in a heartbeat,
instead of wasting your time with openvpn inside a container...
 
marlab
newbie
Posts: 25
Joined: Sun Mar 15, 2015 2:48 pm
Location: EU

Re: Tiny OpenVPN client container

Mon Jul 10, 2023 1:09 am

> However I recommend you to use wireguard which is natively supported
If the remote server I'm connecting to had used Wireguard, I would surely use it. But it is about MT connecting as a client to a remote OpenVPN server, and I do not have any alternative methods available.
 
error420123
just joined
Topic Author
Posts: 3
Joined: Thu Nov 04, 2021 4:43 am

Re: Tiny OpenVPN client container

Thu Aug 31, 2023 8:35 pm

> > However I recommend you to use wireguard which is natively supported
>
> If the remote server I'm connecting to had used Wireguard, I would surely use it. But it is about MT connecting as a client to a remote OpenVPN server, and I do not have any alternative methods available.

Hey, buddy. Hope you find this useful. This is a copy of the README from my GitHub.

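Dockerfile

```dockerfile
FROM alpine:3.16

# Install the OpenVPN client and iptables
RUN apk update && \
    apk upgrade && \
    apk add --no-cache openvpn iptables && \
    rm -rf /var/cache/apk

# The entry script, client configuration and certificate password are copied into the image
COPY ./entry.sh /root/
COPY ./config.ovpn /root/
COPY ./config.pass /root/
RUN chmod +x /root/entry.sh
ENTRYPOINT /root/entry.sh
```
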
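entry.sh

```sh
#!/bin/sh
set -x

# Start the OpenVPN client in the background and wait for the tap interface
/usr/sbin/openvpn --config /root/config.ovpn &
until ip l sh tap0 >/dev/null 2>&1; do sleep 1; done

# Forward and masquerade traffic from the container interface into the tunnel
sysctl -w net.ipv4.ip_forward=1
/sbin/iptables -t nat -A POSTROUTING -o tap0 -j MASQUERADE
/sbin/iptables -A FORWARD -i tap0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o tap0 -j ACCEPT

# Watchdog: every 50 s ping a host behind the VPN and restart OpenVPN if no reply arrives
while sleep 50; do
  t=$(ping -c 10 service.home.internal.net | grep -o -E '[0-9]+ packets r' | grep -o -E '[0-9]+')
  # ping prints no summary when the name does not resolve, so an empty result counts as 0
  if [ "${t:-0}" -eq 0 ]; then
    pkill -f openvpn
    /usr/sbin/openvpn --config /root/config.ovpn &
  fi
done
```
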
config.ovpn: Your OpenVPN configuration
config.pass: Certificate password

Description

Set up an OpenVPN client for access to your home network.

Minimum system requirements

RouterOS 7.5 or newer
arm, arm64 or x86 CPU
10 MB disk space (internal NAND storage)

Usage

Set up the container on RouterOS. See details here.

Replace config.ovpn and config.pass with your own files, or configure the client however you want.

Replace service. home. internal .net in entry.sh with some host in your home network (for the connectivity check). This is used to restart the connection if it's down.

Build image:

```sh
docker buildx build --no-cache --platform linux/arm/v7 -t ovpn-container .
docker save ovpn-container > ovpn-container.tar
```

| arch | router CPU |
| --- | --- |
| linux/arm/v7 | ARM |
| linux/arm64 | ARM64 |
| linux/amd64 | x86 |

Upload ovpn-container.tar to your router.

Set up the containers network:

```
/interface/bridge/add name=dockers
/interface/veth/add address=192.168.121.2/24 gateway=192.168.121.1 name=veth1
/interface/bridge/port/add bridge=dockers interface=veth1
/interface/list/member/add interface=dockers list=LAN
/ip/address/add address=192.168.121.1/24 interface=dockers network=192.168.121.0
# src-address matches the container subnet; src-address-list would expect the name of an address list
/ip/firewall/nat/add action=masquerade chain=srcnat src-address=192.168.121.0/24
```

Set up routing:

```
/routing/table/add disabled=no fib name=homeNetwork
/ip/route/add disabled=no distance=1 dst-address=172.16.0.0/12 gateway=192.168.121.2 \
    pref-src=0.0.0.0 routing-table=homeNetwork scope=30 suppress-hw-offload=no \
    target-scope=1
/routing/rule/add action=lookup disabled=no dst-address=172.16.0.0/12 table=homeNetwork
```

Create the container:

```
/container/add file=ovpn-container.tar interface=veth1 dns=192.168.121.1 logging=yes
/container/start 0
```

Done, now you can access all your services in the 172.16.0.0/12 network.
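
The watchdog loop in entry.sh above decides whether to restart OpenVPN from the ping summary line. The following is an added example, not part of the original post or README: it parses that summary so that an empty result (the name not resolving while the tunnel is down) counts as zero replies. The host intranet.example and all sample outputs are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original README). Sample outputs are constructed.

# Print the number of replies from a ping summary line.
# Accepts BusyBox ("N packets received") and iputils ("N received") wording.
# Prints 0 when there is no summary line at all, e.g. name resolution failed
# and ping wrote only an error to stderr.
received_count() {
  n=$(printf '%s\n' "$1" |
    sed -n 's/.*transmitted, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p' |
    head -n 1)
  echo "${n:-0}"
}

# Succeeds (exit 0) when the watchdog should restart OpenVPN: zero replies.
tunnel_is_down() {
  [ "$(received_count "$1")" -eq 0 ]
}

SAMPLE_OK='PING intranet.example (172.16.0.10): 56 data bytes
--- intranet.example ping statistics ---
10 packets transmitted, 10 packets received, 0% packet loss'

SAMPLE_LOST='PING intranet.example (172.16.0.10): 56 data bytes
--- intranet.example ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss'

SAMPLE_IPUTILS='--- intranet.example ping statistics ---
10 packets transmitted, 7 received, 30% packet loss, time 9012ms'

SAMPLE_NO_DNS=''   # stdout is empty when the name cannot be resolved

for sample in "$SAMPLE_OK" "$SAMPLE_LOST" "$SAMPLE_IPUTILS" "$SAMPLE_NO_DNS"; do
  if tunnel_is_down "$sample"; then
    echo "replies=$(received_count "$sample") -> restart openvpn"
  else
    echo "replies=$(received_count "$sample") -> tunnel up"
  fi
done
```

Inside the watchdog loop the check would be called as `tunnel_is_down "$(ping -c 10 <your host> 2>/dev/null)"`.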
