...
Currently, unsupported OpenVPN features:
- LZO compression
- TLS authentication authentication without username/password
...
| Code Block | ||
|---|---|---|
| ||
/interface/ovpn-client/import-ovpn-configuration ovpn-password=securepassword \
key-passphrase=certificatekeypassphrase ovpn-user=myuserid skip-cert-import=no |
OVPN client supports tls authentication. The configuration of tls-auth can be added only by importing .ovpn configuration file. Using tls-auth requires that you generate a shared-secret key, this key should be added to the client configuration file .ovpn.
| Code Block | ||
|---|---|---|
| ||
key-direction 1 <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- -----END OpenVPN Static key V1----- </tls-auth> |
OVPN Server
An interface is created for each tunnel established to the given server. There are two types of interfaces in the OVPN server's configuration
...
| Property | Description |
|---|---|
| auth (md5 | sha1 | null | sha256 | sha512; Default: sha1,md5,sha256,sha512) | Authentication methods that the server will accept. |
| certificate (name | none; Default: none) | Name of the certificate that the OVPN server will use. |
| cipher (null | aes128-cbc | aes128-gcm | aes192-cbc | aes192-gcm | aes256-cbc | aes256-gcm | blowfish128; Default: aes128-cbc,blowfish128) | Allowed ciphers. |
| default-profile (name; Default: default) | Default profile to use. |
| enabled (yes | no; Default: no) | Defines whether the OVPN server is enabled or not. |
| protocol (tcp | udp; Default: tcp) | indicates Indicates the protocol to use when connecting with the remote endpoint. |
| keepalive-timeout (integer | disabled; Default: 60) | Defines the time period (in seconds) after which the router is starting to send keepalive packets every second. If no traffic and no keepalive responses have come for that period of time (i.e. 2 * keepalive-timeout), not responding client is proclaimed disconnected |
| mac-address (MAC; Default: ) | Automatically generated MAC address of the server. |
| max-mtu (integer; Default: 1500) | Maximum Transmission Unit. Max packet size that the OVPN interface will be able to send without packet fragmentation. |
| mode (ip | ethernet; Default: ip) | Layer3 or layer2 tunnel mode (alternatively tun, tap) |
| netmask (integer; Default: 24) | Subnet mask to be applied to the client. |
| port (integer; Default: 1194) | Port to run the server on. |
| require-client-certificate (yes | no; Default: no) | If set to yes, then the server checks whether the client's certificate belongs to the same certificate chain. |
| redirect-gateway (def1 | disabled | ipv6; Default: disabled) | Specifies what kind of routes the OVPN client must add to the routing table.
|
| enable-tun-ipv6 (yes | no; Default: no) | Specifies if IPv6 IP tunneling mode should be possible with this OVPN server. |
| ipv6-prefix-len (integer; Default: 64) | Length of IPv6 prefix for IPv6 address which will be used when generating OVPN interface on the server side. |
| reneg-sec (integer; Default: 3600) | Key renegotiate seconds, the time the server periodically renegotiates the secret key for the data channel. |
| push-routes (string; Default: ) | Push route support are added in 7.14, the maximum of possible input is limited to 1400 characters. |
| tls-version (any | only-1.2 ; Default: any ) | TLS protocol setting. |
| tun-server-ipv6 (IPv6 prefix; Default: ::) | IPv6 prefix address which will be used when generating the OVPN interface on the server side. |
...
| Code Block | ||
|---|---|---|
| ||
/interface ovpn-server server set enabled=yes certificate=server |
Client Config
Push route support are added in 7.14, the maximum of possible input is limited to 1400 characters.
example: route network/IP [netmask] [gateway] [metric].
| Code Block | ||
|---|---|---|
| ||
/interface ovpn-server server set push-routes="192.168.102.0 255.255.255.0 192.168.109.1 9" |
To Since RouterOS does not support route-push you need to add manually which networks you want to access over the tunnel.
...