Discussion:
[Pfsense-pt] openvpn pfsense 2.4.2 x mikrotik
Marcel Laino
2018-03-14 18:36:30 UTC
Can anyone help with this configuration? The VPN is connected, but the
networks don't talk to each other at all.

I followed this scenario, but it doesn't work. I also tried IPsec and it
doesn't connect either. I had IPsec connected to this MikroTik on version
2.1.5, but I updated pfSense and it no longer connects.

*pfSense:*

1. System -> Cert Manager -> CAs
Create new CA (*vpn-tunnel-ca*). Export "CA cert" file (my-ca.crt).

2. System -> Cert Manager -> Certificates
Create two certificates (use CA created above) - one for the VPN Server
(vpn-tunnel) and one for the MikroTik client (mik-vpn). Export cert and key
files for client certificate (mik-vpn.crt and mik-vpn.key).

3. VPN -> OpenVPN -> Server
Create new VPN server:

Server Mode: Peer to Peer (SSL/TLS)
Protocol: TCP
Device Mode: tun
Interface: ITD
Local port: 1195
TLS Authentication: (clear checkbox, MikroTik doesn't support shared TLS
key)
Peer Certificate Authority: vpn-tunnel-ca
Server Certificate: vpn-tunnel
Encryption algorithm: BF-CBC (128-bit)
Auth Digest Algorithm: SHA1 (160-bit)
IPv4 Tunnel Network: 172.20.20.0/30
IPv4 Local Network/s: 192.168.0.0/24 (lan)
IPv4 Remote Network/s: 10.10.2.0/26 (client lan)
Compression: No Preference
Advanced: client-to-client

4. VPN -> OpenVPN -> Client Specific Overrides
Create new override:

Common name: mik-vpn
Advanced: iroute (lan client) mask


*MikroTik:*

1. Copy two certificate files and the key file to Files. Import all of them
from System/Certificates.

2. PPP -> Interface - create new OVPN Client:
Name: ovpn-office
Connect To: wan pfsense
Port: 1195
Mode: ip
User: any
Certificate: mik-vpn.crt_0
Auth: sha1
Cipher: blowfish 128
Add Default Route: (do not check this)

It works as expected - I can ping workstations from both sides of the
tunnel.

Regards,

*Marcel Laino*
Vivo: (11) 95287-5837
***@gmail.com
facebook.com/marcellaino
youtube.com/marcellaino
br.linkedin.com/in/marcellaino
google.com/+MarcelLaino




Marcel Laino
2018-03-14 18:38:29 UTC
The VPN is connected, but it doesn't ping and can't access anything. This
shows up in the logs:

openVPN_mikrotik_BAHIA / wan mikrotik: 32852 Byte de cabeçalho de descompressão do stub de compressão incorreta: 42




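The pfSense log line Marcel quotes is the Portuguese rendering of OpenVPN's "Bad compression stub decompression header byte: N" message. As an added example (not code from the thread, from pfSense or from OpenVPN), the Python model below reproduces the mechanism behind it: when compression is configured as a "stub" (`comp-lzo no`, or `compress` with no algorithm), OpenVPN still prefixes every tunnelled packet with a one-byte header and checks it on receipt, so a peer that sends unframed IP packets is rejected with exactly this message, while a peer that frames when the receiver does not hands the receiver bytes that no longer look like IPv4. The header constant is as I recall it from OpenVPN's lzo.h and the sample packet is constructed; the byte that gets logged is simply whatever the remote peer put first in the packet, so the model shows the mechanism rather than the value 42 seen here.

```python
# Added example, not from the thread or from OpenVPN's own code: a model of the
# compression-stub framing behind the log line quoted above. With a stub
# configured, OpenVPN prepends one header byte to every tunnelled packet and
# the receiver checks it before handing the packet to the tun device.
# Header constant is as I recall it from OpenVPN's lzo.h (assumption: verify
# against the version you run).
NO_COMPRESS_BYTE = 0xFA    # stub / comp-lzo header: payload is not compressed

# Constructed sample: a bare 20-byte IPv4 header, 192.168.0.10 -> 10.10.2.20,
# protocol ICMP, checksum left at zero. Only the first byte (0x45) matters.
SAMPLE_IPV4_PACKET = bytes.fromhex(
    "45000014"      # version 4, IHL 5, DSCP 0, total length 20
    "00010000"      # identification 1, flags/fragment offset 0
    "40010000"      # TTL 64, protocol 1 (ICMP), checksum not computed
    "c0a8000a"      # source 192.168.0.10
    "0a0a0214"      # destination 10.10.2.20
)


def stub_frame(payload: bytes) -> bytes:
    """Sender side with the stub enabled: prefix the 'not compressed' byte."""
    return bytes([NO_COMPRESS_BYTE]) + payload


def stub_decompress(packet: bytes) -> bytes:
    """Receiver side with the stub enabled: the first byte must be the header."""
    if not packet:
        raise ValueError("empty packet")
    header = packet[0]
    if header != NO_COMPRESS_BYTE:
        # Same wording as OpenVPN's English message; pfSense logged its translation.
        raise ValueError(f"Bad compression stub decompression header byte: {header}")
    return packet[1:]


def ip_version(packet: bytes) -> int:
    """Version nibble the tun device would see; 4 means a plausible IPv4 packet."""
    return packet[0] >> 4 if packet else -1


def deliver(sender_stub: bool, receiver_stub: bool, payload: bytes) -> dict:
    """Push one packet through the tunnel and report what the receiver gets."""
    wire = stub_frame(payload) if sender_stub else payload
    try:
        received = stub_decompress(wire) if receiver_stub else wire
    except ValueError as exc:
        return {"delivered": False, "ip_version": None, "error": str(exc)}
    ver = ip_version(received)
    return {"delivered": ver == 4, "ip_version": ver, "error": None}


def compare_settings(payload: bytes = SAMPLE_IPV4_PACKET) -> dict:
    """The four combinations of stub on/off on the two ends of the tunnel."""
    return {
        "both_stub": deliver(True, True, payload),
        "both_off": deliver(False, False, payload),
        # client sends raw IP, server expects the stub header: the logged error
        "server_stub_client_off": deliver(False, True, payload),
        # client frames, server has no stub: first byte 0xFA reads as IP version 15
        "server_off_client_stub": deliver(True, False, payload),
    }


if __name__ == "__main__":
    for case, result in compare_settings().items():
        print(f"{case:24s} {result}")
```

Only the two matching rows deliver traffic; in the mismatched rows the tunnel is up (the TLS handshake succeeded) yet no packet ever reaches the far LAN, which is the symptom described in this thread. Both ends therefore have to agree on compression, stub included, before routing or firewall rules are worth debugging.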
Ulisses Féres - Abratel Telecom
2018-03-15 13:27:42 UTC
Friend, I'll try to list a step by step for you to follow:


For it to work on the MikroTik, the OpenVPN server must *not* have:
— LZO compression
— UDP port

Some adjustments are needed. Still on Linux, convert the keys to RSA:


openssl rsa -in ca.key -text > ca.rsa
openssl rsa -in client2.key -text > client2.rsa

*ON THE MIKROTIK*

Import these 4 files from Linux by dragging them into the MikroTik.
Then, in its terminal, run:

/certificate import file-name=ca.crt (press Enter until it finishes)
/certificate import file-name=ca.rsa (press Enter until it finishes)
/certificate import file-name=client4.crt (press Enter until it finishes)
/certificate import file-name=client4.rsa (press Enter until it finishes)

On the MIKROTIK:

*INTERFACES –> ADD –> OPENVPN CLIENT*
Dialup: A.B.C.D (OpenVPN server IP)
port: 1195
mode: ip
user: cliente4 (key name)
pass: empty
profile: default-encryptation
Certificate: client4.crt_0
Auth: sha1
Cipher: blowfish 128

After connecting, under *IP –> ROUTE* check whether a route to the
destination network was created automatically, going out through the
OpenVPN client.

I created a masquerade in the firewall with:
SOURCE: MikroTik LAN network
OutInterface: the OpenVPN client interface created above
Action tab: Masquerade

*Step 4 — Routing – ONLY IF YOU NEED TO REACH THE INTERNAL LAN WHERE THE
ASTERISK VPN SERVER IS LOCATED*

To keep things simple we’re going to do our routing directly with iptables
rather than the new firewalld.

First, make sure the iptables service is installed and enabled.

yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
Next we’ll add a rule to iptables to forward our routing to our OpenVPN
subnet, and save this rule.

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Then we must enable IP forwarding in sysctl. Open sysctl.conf for editing.
vi /etc/sysctl.conf
Add the following line at the top of the file:

net.ipv4.ip_forward = 1

Then restart the network service so the IP forwarding will take effect.
systemctl restart network.service

*Step 5 — Starting OpenVPN*

Now we’re ready to run our OpenVPN service. So let's add it to systemctl:
systemctl -f enable ***@server.service
systemctl start ***@server.service

*On the MikroTik, create a masquerade rule:*
NAT –> ADD
Chain: srcnat
Src. Address: LAN network (example: 192.168.88.0/24)
Dst. Address: the VPN's LAN on the other side (192.168.218.0/24)
Out Interface: name-of-the-openvpn-interface
Action: Masquerade

*In MANGLE:*
ADD
Chain: Prerouting
Src. Address: LAN network (example: 192.168.88.0/24)
Dst. Address: the VPN's LAN on the other side (192.168.218.0/24)
Action: Mark routing
New Routing Mark: OpenVpn-NOME
*Uncheck Passthrough*


*IP –> ROUTES*
ADD
Dst. Address: 192.168.218.0/24 (LAN on the other side)
Gateway: the automatically created openvpn gateway
Routing Mark: OpenVpn-NOME (from the Mangle rule above)

Good luck.



Ulisses Féres Cerqueira
Infrastructure and Projects
55 32 3722-4004 ext. 928
55 32 98489-6455
***@abratel.com.br
www.abratel.com.br

_______________________________________________
Pfsense-pt mailing list
http://lists.pfsense.org/mailman/listinfo/pfsense-pt
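As an added example (not code from the thread, from pfSense or from OpenVPN), the Python checker below applies the constraints stated in this thread to an OpenVPN server config: TCP rather than UDP and no LZO compression from Ulisses's post, and no shared TLS key from Marcel's notes. It also checks that every `iroute` in a client-specific override sits inside a `route` the server has, which is the pairing Marcel's steps 3 ("IPv4 Remote Network/s") and 4 ("Client Specific Overrides") depend on: the `route` gets the packets into the tun, the `iroute` tells OpenVPN which client owns that network. The config text and the override entries are constructed; the RouterOS limitations are taken from the thread and are not verified here against a specific RouterOS release, and `proto tcp-server` is OpenVPN's own server-side TCP option.

```python
# Added example, not code from the thread, pfSense or OpenVPN: check an OpenVPN
# server config against the limits this thread states for the RouterOS OVPN
# client (TCP only, no LZO compression, no shared TLS key, tun device) and
# verify that each client-specific iroute is backed by a server route.
from ipaddress import ip_network

# Constructed sample server config, shaped like the option lines OpenVPN reads
# (one option per line, "#" or ";" starts a comment). Paths are placeholders.
SERVER_CONF = """\
dev tun
proto udp
port 1195
cipher BF-CBC
auth SHA1
tls-auth ta.key 0
comp-lzo adaptive
client-to-client
# kernel route for the client LAN; the iroute below names the owning client
route 10.10.2.0 255.255.255.192
"""

# Constructed client-specific overrides (common name -> override text).
CCD = {
    "mik-vpn": "iroute 10.10.2.0 255.255.255.192\n",
    "other-client": "iroute 10.10.3.0 255.255.255.0\n",  # no matching route
}

MIKROTIK_UNSUPPORTED = {
    "comp-lzo": "compression must be off (the thread: no LZO on MikroTik)",
    "compress": "compression must be off (the thread: no LZO on MikroTik)",
    "tls-auth": "MikroTik does not support a shared TLS key",
    "tls-crypt": "MikroTik does not support a shared TLS key",
}


def parse_openvpn(text):
    """Return [(option, [args...])] for each non-comment line."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            opts.append((parts[0], parts[1:]))
    return opts


def networks(opts, option):
    """Collect 'option <net> <mask>' lines as IPv4Network objects."""
    return {ip_network(f"{a[0]}/{a[1]}", strict=False)
            for o, a in opts if o == option and len(a) >= 2}


def check_mikrotik_compat(opts):
    """Findings for options the thread says the RouterOS OVPN client cannot use."""
    findings = []
    for opt, args in opts:
        if opt == "proto" and args and args[0].lower().startswith("udp"):
            findings.append("proto udp: the RouterOS OVPN client needs TCP")
        elif opt in MIKROTIK_UNSUPPORTED:
            findings.append(f"{opt}: {MIKROTIK_UNSUPPORTED[opt]}")
        elif opt == "dev" and args and not args[0].startswith("tun"):
            findings.append(f"dev {args[0]}: MikroTik mode=ip expects a tun device")
    return findings


def check_iroutes(server_opts, ccd):
    """Every iroute must lie inside some server 'route', or replies never enter the tun."""
    routes = networks(server_opts, "route")
    findings = []
    for cn, text in ccd.items():
        for net in networks(parse_openvpn(text), "iroute"):
            if not any(net.subnet_of(r) for r in routes):
                findings.append(f"{cn}: iroute {net} has no matching server route")
    return findings


def harden_for_mikrotik(text):
    """Rewrite the config: drop unsupported options, switch UDP to TCP server mode."""
    out = []
    for raw in text.splitlines():
        tokens = raw.split()
        opt = tokens[0] if tokens else ""
        if opt in MIKROTIK_UNSUPPORTED:
            continue
        if opt == "proto" and len(tokens) > 1 and tokens[1].lower().startswith("udp"):
            out.append("proto tcp-server")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    server = parse_openvpn(SERVER_CONF)
    for f in check_mikrotik_compat(server) + check_iroutes(server, CCD):
        print("FINDING:", f)
    print(harden_for_mikrotik(SERVER_CONF))
```

Run against the sample it reports the UDP, `tls-auth` and `comp-lzo` lines and the orphaned `iroute` for `other-client`; after `harden_for_mikrotik` the compatibility check is clean while the cipher, auth and route lines are untouched. A reviewer applying it to a real config should treat the unsupported-option list as a starting point and confirm it against the RouterOS version actually deployed.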
Marcel Laino
2018-03-15 14:58:38 UTC
Good morning.

For it to work on the MikroTik, the OpenVPN server must *not* have:
— LZO compression (I was using the default: no preference)
— UDP port (I configured it to run TCP, IPv4 only)

I'll convert the keys from the pfSense shell and send them to the MikroTik
technician to import, since the VPN connected but doesn't ping and can't
access the \\.
Now, do all those iptables configurations really need to be done on the
MikroTik side? I just need the LANs to talk to each other over IP so I can
reach the \\ on the other end.
After fixing the certificates, will the networks still not talk to each other?

Victor Franca
2018-03-15 15:42:15 UTC
From the description, if they don't talk to each other it's a firewall
rule. If your side is OK, then yes, he will have to set up the iptables
rules there.
--
..................................................................
Regards

Victor França
Support Analyst
EW Informática
Rua Uruguaiana nº 10, Sala 309 - Rio de Janeiro, Centro.
+55 21 3203 - 0368 (Option 5)
+55 21 99519 - 5342 (VIVO)
e-mail: ***@ewinfo.com.br
GTalk: ***@ewinfo.com.br
Telegram: https://t.me/victorfmaraujo

Visit our website http://ewinfo.com.br and request support through our
online chat
Marcel Laino
2018-03-15 18:54:10 UTC
On my side (pfSense) I allowed everything in the OpenVPN tunnel rule.

I created a rule on the LAN to allow everything to the client's LAN, and I
created another rule on the WAN allowing the client's WAN IP in. Nothing
else is missing, right? I'll send him the email.



