OpenVPN Server - Connection reset, restarting

Discussion of software and its configuration
Despierto
Posts: 45
Joined: 21 Feb 2019, 16:35

Hello!
Please help me with setting up an OVPN server on a Mikrotik. I am connecting from a Windows client on the local network. (This is just for testing for now; I also tried over the Internet, same story.)
I configured it following the guide from here https://wifisystem.ru/docs/mikrotik/ope ... -mikrotik/
On an RB2011L-IN (firmware 6.42.6, 6.43.4, 6.43.12) everything works fine, but that one had no other configuration. I tried it there just in case, with the same certificates and settings.
But on the office gateway RB1100AHx4 (6.43.4) it just won't work.
Here is the Windows client's connection log:

Code:

Thu Feb 21 16:53:43 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Thu Feb 21 16:53:43 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Thu Feb 21 16:53:43 2019 library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
Thu Feb 21 16:53:43 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25342
Thu Feb 21 16:53:43 2019 Need hold release from management interface, waiting...
Thu Feb 21 16:53:44 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25342
Thu Feb 21 16:53:44 2019 MANAGEMENT: CMD 'state on'
Thu Feb 21 16:53:44 2019 MANAGEMENT: CMD 'log all on'
Thu Feb 21 16:53:44 2019 MANAGEMENT: CMD 'echo all on'
Thu Feb 21 16:53:44 2019 MANAGEMENT: CMD 'bytecount 5'
Thu Feb 21 16:53:44 2019 MANAGEMENT: CMD 'hold off'
Thu Feb 21 16:53:44 2019 MANAGEMENT: CMD 'hold release'
Thu Feb 21 16:53:44 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:65108
Thu Feb 21 16:53:44 2019 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Feb 21 16:53:44 2019 Attempting to establish TCP connection with [AF_INET]192.168.1.1:65108 [nonblock]
Thu Feb 21 16:53:44 2019 MANAGEMENT: >STATE:1550757224,TCP_CONNECT,,,,,,
Thu Feb 21 16:53:45 2019 TCP connection established with [AF_INET]192.168.1.1:65108
Thu Feb 21 16:53:45 2019 TCP_CLIENT link local: (not bound)
Thu Feb 21 16:53:45 2019 TCP_CLIENT link remote: [AF_INET]192.168.1.1:65108
Thu Feb 21 16:53:45 2019 MANAGEMENT: >STATE:1550757225,WAIT,,,,,,
Thu Feb 21 16:53:45 2019 MANAGEMENT: >STATE:1550757225,AUTH,,,,,,
Thu Feb 21 16:53:45 2019 TLS: Initial packet from [AF_INET]192.168.1.1:65108, sid=3dc7ae63 561d2e1c
Thu Feb 21 16:53:45 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Feb 21 16:53:45 2019 VERIFY OK: depth=1, C=RU, ST=KrasnodarRegion, L=Armavir, O=OpenVPN, OU=changeme, CN=server, name=server, emailAddress=mail@host.domain
Thu Feb 21 16:53:45 2019 VERIFY KU OK
Thu Feb 21 16:53:45 2019 Validating certificate extended key usage
Thu Feb 21 16:53:45 2019 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 21 16:53:45 2019 VERIFY EKU OK
Thu Feb 21 16:53:45 2019 VERIFY OK: depth=0, C=RU, ST=KrasnodarRegion, L=Armavir, O=OpenVPN, OU=changeme, CN=server, name=server, emailAddress=mail@host.domain
Thu Feb 21 16:53:45 2019 Connection reset, restarting [0]
Thu Feb 21 16:53:45 2019 SIGUSR1[soft,connection-reset] received, process restarting
Thu Feb 21 16:53:45 2019 MANAGEMENT: >STATE:1550757225,RECONNECTING,connection-reset,,,,,
Thu Feb 21 16:53:45 2019 Restart pause, 5 second(s)
Thu Feb 21 16:53:50 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.1.1:65108
and so on
Here is the log on the Mikrotik at the same time:

Code:

13:07:19 ovpn,info TCP connection established from 192.168.1.167 
13:07:20 ovpn,debug,error,l2tp,30544,42264,30544,15020,41924,25288,l2tp,info,25292,debug duplicate packet, dropping 
Mikrotik config:

Code:

# feb/22/2019 12:32:55 by RouterOS 6.43.4
# model = RB1100x4
/interface bridge
add name=bridge1
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=******** use-peer-dns=yes user=***********
/interface sstp-server
add disabled=yes name=sstp-bor*** user=bo***
/interface list
add name=WAN
add name=LAN
add name=Internet
add name=Local
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=OVPN_Pool ranges=172.30.0.1-172.30.0.253
/ppp profile
add local-address=172.30.0.1 name=OVPN_Connection remote-address=OVPN_Pool
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=ether8
add bridge=bridge1 hw=no interface=ether9
add bridge=bridge1 hw=no interface=ether10
add bridge=bridge1 hw=no interface=ether11
add bridge=bridge1 hw=no interface=ether12
add bridge=bridge1 hw=no interface=ether13
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
add interface=pppoe-out1 list=Internet
add interface=bridge1 list=Local
/interface ovpn-server server
set certificate=server.crt_0 default-profile=OVPN_Connection enabled=yes \
    mode=ethernet port=65108 require-client-certificate=yes
/interface sstp-server server
set authentication=mschap2
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,77.88.8.1
/ip firewall address-list
add address=xx.xx.92.206 list="Port Scanners"
add address=xx.xx.192.81 comment=Ti*** list="RDP 1"
add address=xx.xx.188.59 comment=V*** list="RDP 1"
add address=xx.xx.153.20 comment=Ca*** list="RDP 1"
add address=xx.xx.99.120 comment=Ei*** list="RDP 1"
add address=xx.xx.125.37 comment=bo*** disabled=yes list="RDP 1"
add address=xx.xx.159.22 comment=va*** disabled=yes list="RDP 1"
add address=xx.xx.18.207 comment=de*** list="RDP 1"
add address=xx.xx.5.188 comment=Ki*** list="RDP 1"
/ip firewall filter
add action=accept chain=input comment="Permit SSTP" disabled=yes dst-port=443 \
    protocol=tcp
add action=accept chain=input comment="1.5.1 Allow OpenVPN" dst-port=65108 \
    in-interface=all-ethernet log=yes protocol=tcp
add action=accept chain=forward comment=\
    "1.1. Forward and Input Established and Related connections" \
    connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=add-src-to-address-list address-list=ddos-blacklist \
    address-list-timeout=1d chain=input comment=\
    "1.2. DDoS Protect - Connection Limit" connection-limit=100,32 \
    in-interface-list=Internet protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
    src-address-list=ddos-blacklist
add action=jump chain=forward comment="1.3. DDoS Protect - SYN Flood" \
    connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=Internet \
    jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="1.4. Protected - Ports Scanners" \
    src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input in-interface-list=Internet \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="1.5. Protected - WinBox Access" log=yes \
    log-prefix="WINBOX DROP" src-address-list="Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" \
    address-list-timeout=none-dynamic chain=input connection-state=new \
    dst-port=8291 in-interface-list=Internet log=yes log-prefix=\
    "BLACK WINBOX" protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
    address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
    in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=8291 in-interface-list=Internet \
    protocol=tcp
add action=drop chain=input comment="1.6. Protected - OpenVPN Connections" \
    log=yes log-prefix="OVPN BLACK" src-address-list="Black List OpenVPN"
add action=add-src-to-address-list address-list="Black List OpenVPN" \
    address-list-timeout=none-dynamic chain=input connection-state=new \
    dst-port=1194 in-interface-list=Internet log=yes log-prefix="BLACK OVPN" \
    protocol=tcp src-address-list="OpenVPN Stage 3"
add action=add-src-to-address-list address-list="OpenVPN Stage 3" \
    address-list-timeout=1m chain=input connection-state=new dst-port=1194 \
    in-interface-list=Internet protocol=tcp src-address-list=\
    "OpenVPN Stage 2"
add action=add-src-to-address-list address-list="OpenVPN Stage 2" \
    address-list-timeout=1m chain=input connection-state=new dst-port=1194 \
    in-interface-list=Internet protocol=tcp src-address-list=\
    "OpenVPN Stage 1"
add action=add-src-to-address-list address-list="OpenVPN Stage 1" \
    address-list-timeout=1m chain=input connection-state=new dst-port=1194 \
    in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=1194 in-interface-list=Internet \
    protocol=tcp
add action=accept chain=input comment="1.8. Access Normal Ping" \
    in-interface-list=Internet limit=50/5s,2:packet protocol=icmp
add action=drop chain=input comment="1.9. Drop All Other" in-interface-list=\
    Internet
add action=accept chain=forward comment="RDP 1" dst-port=3389 \
    in-interface=pppoe-out1 log-prefix="RDP 1" protocol=tcp \
    src-address-list="RDP 1"
add action=drop chain=forward comment="RDP 2" dst-port=3389 in-interface=\
    pppoe-out1 log=yes log-prefix="RDP 2" protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=netmap chain=dstnat disabled=yes dst-port=5037 in-interface=\
    pppoe-out1 protocol=tcp to-addresses=192.168.1.111 to-ports=3389
add action=netmap chain=dstnat dst-port=1234 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1234
add action=netmap chain=dstnat dst-port=12345 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=12345
add action=netmap chain=dstnat dst-port=1222 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1222
add action=netmap chain=dstnat dst-port=1223 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1223
add action=netmap chain=dstnat dst-port=1224 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1224
add action=netmap chain=dstnat dst-port=1225 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1225
add action=netmap chain=dstnat dst-port=1226 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1226
add action=netmap chain=dstnat dst-port=1227 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1227
add action=netmap chain=dstnat dst-port=1420 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.93 to-ports=1420
add action=netmap chain=dstnat dst-port=5036 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.95 to-ports=3389
add action=netmap chain=dstnat dst-port=5038 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.110 to-ports=3389
add action=netmap chain=dstnat dst-port=5039 in-interface=pppoe-out1 \
    protocol=tcp to-addresses=192.168.1.109 to-ports=3389
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=172.16.30.2 pref-src=\
    172.16.30.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=sergey***** password=******** profile=OVPN_Connection service=ovpn
Certificate statuses:
[image]

Here is the client config:

Code:

client
dev tun
proto tcp
remote 192.168.1.1 65108
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
verb 3
auth-user-pass "c:\\program files\\openvpn\\config\\pass65108"
I can't figure out whether the firewall is blocking it or I have configured something wrong. I reconfigured it twice following different guides. I regenerated the certificates on different computers. No luck. What do you think is the problem?
Last edited by Despierto on 22 Feb 2019, 13:13, edited 1 time in total.
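As an added example (not code from the post, the guide, or MikroTik), a Python script that cross-checks the OpenVPN client config quoted above against the router's /interface ovpn-server export for the mismatches that let the TLS handshake complete and then reset the session; the mapping of RouterOS mode=ip to dev tun and mode=ethernet to dev tap, and the TCP-only rule for RouterOS 6, are assumptions about RouterOS, not statements made in the thread.

```python
import re

# Constructed excerpts of the two configs quoted in the post above;
# they are sample input for this check, not a full configuration.
CLIENT_CONF = """client
dev tun
proto tcp
remote 192.168.1.1 65108
cert client.crt
"""
ROUTEROS_EXPORT = """/interface ovpn-server server
set certificate=server.crt_0 default-profile=OVPN_Connection enabled=yes \\
    mode=ethernet port=65108 require-client-certificate=yes
"""
# Assumption about RouterOS: 'mode' names the device type the server
# offers, and the client's 'dev' option must ask for the same one.
MODE_TO_DEV = {"ip": "tun", "ethernet": "tap"}

def parse_client(text):
    """OpenVPN client config -> {option: [args]}; comment lines skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            key, *args = line.split()
            opts[key] = args
    return opts

def parse_routeros_ovpn(text):
    """'set' line of /interface ovpn-server server -> {key: value}.
    Joins backslash-continued lines first; handles unquoted values only."""
    joined = re.sub(r"\\\n\s*", " ", text)
    m = re.search(r"/interface ovpn-server server\s+set (.*)", joined)
    if not m:
        raise ValueError("no /interface ovpn-server server section found")
    return dict(re.findall(r"(\S+?)=(\S+)", m.group(1)))

def check(client, server):
    """Return mismatch descriptions; an empty list means the two agree."""
    issues = []
    dev, mode = client.get("dev", [None])[0], server.get("mode")
    if dev != MODE_TO_DEV.get(mode):
        issues.append(f"client 'dev {dev}' vs server mode={mode} (needs 'dev {MODE_TO_DEV.get(mode)}')")
    remote = client.get("remote", [])
    port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN's default port
    if port != server.get("port"):
        issues.append(f"client uses port {port}, server listens on {server.get('port')}")
    if client.get("proto", ["udp"])[0] != "tcp":  # assumption: RouterOS 6 serves TCP only
        issues.append("RouterOS 6 OpenVPN server accepts TCP only; set 'proto tcp'")
    if server.get("require-client-certificate") == "yes" and "cert" not in client:
        issues.append("server requires a client certificate but client has no 'cert'")
    return issues
```

Run `check(parse_client(CLIENT_CONF), parse_routeros_ovpn(ROUTEROS_EXPORT))` to list the mismatches; with the constructed excerpts it reports only the device-type mismatch.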


bst-botsman
Posts: 188
Joined: 13 Oct 2018, 20:53
From: Belarus

instead of specify


RB3011UiAS x 1
RB4011iGS+5HacQ2HnD x 3
951Ui-2nD x 2
hAP ac^2 x 24
CheckPoint 1590 x 1
Despierto
Posts: 45
Joined: 21 Feb 2019, 16:35

Thanks a lot, it works now. So there is an error in the guide?

