In the previous tutorial, we installed and configured a brand new MikroTik hAP ac³ router for connection to the Internet. We also improved the overall security of the router by implementing simple steps to harden it. These include things like disabling unused services, enabling HTTPS for device management, updating RouterOS, and reconfiguring the firewall rules. In this tutorial, we will take a closer look at more advanced configurations, such as:
- Dynamic DNS (DDNS)
- Guest wireless LAN (Guest WiFi)
- OpenVPN server
Picture 1 - MikroTik hAP ac³ Running OpenVPN server, DDNS Client and Guest WLAN
1. MikroTik Dynamic DNS Configuration
1.1 Registering New DNS domain on Dynu.com
Dynu.com offers free registration of four three-level domains. Complete your Dynu.com registration and log in to your account. Navigate to Control Panel -> DDNS Services (Picture 2). Click the Add Dynamic DNS button. Choose the hostname and select the domain name from the list (Option 1). In my case, the hostname is a102 and the domain is mywire.org. Do not fill in option 2 - "Use your domain name". Click the Add button. Click the Save button in the next window to complete the process of registering your new DDNS domain.
Picture 2 - Dynu.com Control Panel
To enhance security, you can use the IP Update Password instead of your account password with IP update clients. Navigate to Control Panel -> My Account -> Username/Password and enter the "New IP Update Password". This is the password the DDNS client uses to authenticate the IP address updates it sends to the DDNS server (dynu.com).
Picture 3 - Registered DNS Domains
1.2 Dynamic DNS Configuration on MikroTik
MikroTik supports a Dynamic DNS client in the form of a script run by a scheduled task. First, download the script dyn.com-script.txt.rsc from the Ubuntu Linux host to the MikroTik router over SSH (SFTP). Log in to the MikroTik terminal and enter the command below:
> /tool fetch url="sftp://192.168.88.253/home/user123/dyn.com-script.txt.rsc" user=user123 password=pass_to_linux upload=no dst-path=configuration-file.txt.rsc
- 192.168.88.253 - IP address of the Ubuntu host
- user123/pass_to_linux - login credentials for the OpenSSH server running on Linux
- dst-path=configuration-file.txt.rsc - name of the script in the MikroTik filesystem
Note: If the download is successful, the text file configuration-file.txt.rsc appears in the output of the command /file print.
Now we will create a script called Dynu (Picture 4):
> /system script add name=Dynu dont-require-permissions=yes policy=reboot,read,write,policy,test source=[/file get configuration-file.txt.rsc contents]
> /system script print brief
Picture 4 - MikroTik Script Registered
This evaluates the portion in the square brackets, which yields the content of the file, and uses that content as the value of source. Now we can run the script and check whether the IP address is updated (Picture 5):
> /system script run Dynu
Picture 5 - Registered DNS Domains with New IP address 91.127.181.25
In case of any trouble, check the log file with the command below (Picture 6):
Picture 6 - Successful DDNS Update
Once the script is "registered", we can use the /system scheduler to invoke it periodically:
> /system scheduler add comment="Update Dynu DDNS" interval=5m name=ddns_sheduller on-event="/system script run Dynu\r\n" policy=read,write,test,reboot start-time=startup
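The post does not show the contents of dyn.com-script.txt.rsc. The script below is an added example of what such a DDNS update script does; it is not the post's script and not code from Dynu or MikroTik. It assumes a dyndns2-style update endpoint https://api.dynu.com/nic/update (verify the URL and parameters against Dynu's documentation), the WAN interface ether1 from Section 3, and the placeholder credentials shown. It only sends an update when the public address has changed since the last run, so the 5-minute scheduler does not hammer the DDNS API.

```routeros
# Added example DDNS update script for RouterOS (not the post's dyn.com-script.txt.rsc).
# Assumptions: dyndns2-style endpoint at api.dynu.com, WAN interface ether1,
# placeholder username and IP Update Password below.
:local ddnsHost "a102.mywire.org"
:local ddnsUser "your_dynu_username"
:local ddnsPass "your_ip_update_password"
:local wanIf "ether1"

# current address on the WAN interface, with the /prefix stripped
:local curIP [/ip address get [find interface=$wanIf] address]
:set curIP [:pick $curIP 0 [:find $curIP "/"]]

# last address reported to the DDNS server; a global survives between scheduler
# runs but not a reboot, so the first run after a reboot always sends an update
:global ddnsLastIP

:if ($curIP != $ddnsLastIP) do={
    :local url ("https://api.dynu.com/nic/update?hostname=" . $ddnsHost . "&myip=" . $curIP)
    # user/password are sent as HTTP basic auth; the reply body is returned in "data"
    :local result [/tool fetch url=$url user=$ddnsUser password=$ddnsPass output=user as-value]
    :log info ("DDNS: updated " . $ddnsHost . " to " . $curIP . ", reply: " . ($result->"data"))
    :set ddnsLastIP $curIP
} else={
    # address unchanged: no request is sent
    :log debug ("DDNS: " . $curIP . " unchanged, no update sent")
}
```

Register and schedule it exactly as in the commands above (/system script add ... and /system scheduler add ...). Note that /tool fetch does not verify the server's TLS certificate by default; HTTPS then protects the IP Update Password from passive eavesdropping but not from an active man-in-the-middle. To verify it, import the public root CA that issued the DDNS provider's certificate under /certificate and add check-certificate=yes to the fetch command. Keep the script's policy list minimal as well; it needs read and test for fetch, not write or policy.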
2. Guest Wireless Network
Guest WiFi is an isolated wireless network for visitors or devices that allows connection to the Internet only, without access to local resources. This limitation helps preserve the integrity and privacy of your data.
2.1 Security Profile for Guest WiFi
Create a new security profile for guest WLAN.
> /interface wireless security-profiles add name="my home wifi guest" authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=your_secret_pass
2.2 Wireless Virtual Interface wlan3 for Guest WiFi
So far, there are two wireless interfaces created by default, wlan1 and wlan2. Create a new virtual WLAN interface wlan3:
> /interface wireless add name=wlan3 band=2ghz-b/g/n master-interface=wlan1 security-profile="my home wifi guest" ssid="internethome-guest" disabled=no
2.3 Bridge Interface and Add Interface wlan3 to Bridge
Create a new bridge interface bridge-guest and add interface wlan3 to the bridge.
> /interface bridge add name=bridge-guest
> /interface bridge port add bridge="bridge-guest" interface=wlan3
2.4 Assign IP Address to Bridge Interface
The IP 192.168.99.1/24 is the address that we will configure on the bridge interface. This is the default gateway address for devices connected to the guest WLAN.
> /ip address add address=192.168.99.1/24 netmask=255.255.255.0 disabled=no interface=bridge-guest network=192.168.99.0
2.5 DHCP Pool Assign and DHCP server
Create a new DHCP pool pool-guest and assign it to DHCP server dhcp-guest.
> /ip pool add name=pool-guest ranges=192.168.99.10-192.168.99.250
> /ip dhcp-server add name=dhcp-guest address-pool=pool-guest interface=bridge-guest disabled=no
> /ip dhcp-server network add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1
At this point, clients connected to the guest WiFi can still ping IP addresses in our primary subnet, e.g. 192.168.88.0/24.
2.6 Firewall Configuration
Block access from guest wifi to your primary subnet:
> /ip firewall filter add comment="drop all from guest wifi to primary subnet" chain=forward src-address=192.168.99.0/24 dst-address=192.168.88.0/24 action=drop
In our case, the primary subnet is 192.168.88.0/24.
Picture 7 depicts the default firewall configuration for the INPUT chain. Notice the last rule, number 4, which drops all traffic not coming from the LAN. To allow clients in the guest subnet to reach the DNS cache server running on the MikroTik, we must allow UDP traffic sent to the IP address 192.168.99.1, destination port 53.
Picture 7 - Default Firewall Filter Input Chain Configuration
An interface list defines a set of interfaces for easier management in interface-based configuration sections such as Neighbor Discovery, Firewall, Bridge and Internet Detect. Create a new interface list wifi-guest and add the bridge interface bridge-guest to it.
> /interface list add name=wifi-guest
> /interface list member add interface=bridge-guest list=wifi-guest
Create a new rule that accepts DNS requests coming from the interface list wifi-guest to the DNS cache server address 192.168.99.1.
> /ip firewall filter add chain=input action=accept protocol=udp dst-port=53 in-interface-list=wifi-guest dst-address=192.168.99.1 place-before=4 comment="accept DNS request from Guest WiFi"
The rule is placed before the rule that drops all traffic to the router not coming from LAN interface (Picture 8).
Picture 8 - Firewall Configuration Changed
2.7 DNS Cache Server
The DNS cache minimizes requests to external DNS servers and shortens DNS resolution time. We configured the DNS cache address 192.168.99.1 in the DHCP server settings for clients on the guest WiFi subnet. In our scenario, the external DNS server IPs are assigned via DHCP from the ISP's DHCP server, so we do not need to specify them. All we need to do is allow remote requests (Picture 9):
> /ip dns set allow-remote-requests=yes
Picture 9 - DNS Cache Server Configuration
3. OpenVPN Server
The OpenVPN server running on a Mikrotik router provides clients with an encrypted VPN tunnel over a public network. It allows clients to securely access the local LAN. OpenVPN uses SSL/TLS certificates on both the server and client side. Clients authenticate to the server using a username and password; each client has unique credentials and uses its own client certificate.
In our scenario, the MikroTik is connected to the Internet through the ether1 interface. The router's public IP address is dynamically assigned by the ISP's DHCP server. Thanks to the dynamic DNS client configured in Section 1, our OpenVPN clients reach the OpenVPN server by the domain name a102.mywire.org instead of the dynamically assigned public IP address. That address is likely to change every time the MikroTik reboots; without DDNS we would have to change the client configuration file each time.
3.1 Creating TLS Certificate for CA, OpenVPN Server and Client
OpenVPN server and client require three types of certificates:
- CA (Certification Authority) Certificate
- Server Certificate
- Client Certificate
Create own Certification Authority:
> /certificate add name=ca-template common-name=a102.mywire.org days-valid=3650 key-size=4096 key-usage=key-cert-sign,crl-sign
Create server certificate:
> /certificate add name=openvpn-server-template common-name=openvpn-server.a102.mywire.org days-valid=3650 key-size=4096 key-usage=digital-signature,key-encipherment,tls-server
Create client1 certificate:
> /certificate add name=openvpn-client1-template common-name=openvpn-client1.a102.mywire.org days-valid=3650 key-size=4096 key-usage=tls-client
Sign created certificates with CA certificate:
> /certificate sign ca-template name=ca-certificate
> /certificate sign openvpn-server-template name=openvpn-sever-certificate ca=ca-certificate
> /certificate sign openvpn-client1-template name=openvpn-client1-certificate ca=ca-certificate
Export certificates:
> /certificate export-certificate ca-certificate export-passphrase=""
> /certificate export-certificate openvpn-client1-certificate export-passphrase="your_pass_phrase"
This should give you three files: cert_export_ca-certificate.crt, cert_export_openvpn-client1-certificate.crt and cert_export_openvpn-client1-certificate.key. Once we copy them to the client, we will rename them to ca.crt, client.crt and client.key.
3.2 OpenVPN Server Configuration
Next, we need to create a separate pool of IP addresses for clients. In other words, this is the subnet where the clients will be located.
> /ip pool add name=pool-vpn ranges=192.168.100.10-192.168.100.100
Create a user profile profile-vpn and assign the IP pool pool-vpn to it. A profile is the set of settings that users share. The IP address 192.168.100.1 is the VPN gateway address.
> /ppp profile add name=profile-vpn use-encryption=yes local-address=192.168.100.1 remote-address=pool-vpn
Create OpenVPN user user_xyz and assign the user profile to the user.
> /ppp secret add name=user_xyz profile=profile-vpn password=user_secret_Pass
Note: Since RouterOS version 7.1 Mikrotik supports UDP for OpenVPN.
Enable OpenVPN server interface:
> /interface ovpn-server server set default-profile=profile-vpn certificate=openvpn-sever-certificate require-client-certificate=yes auth=sha512 cipher=aes128,aes192,aes256 port=1194 enabled=yes protocol=udp
3.3 Adjusting MikroTik Firewall to Allow Connection to Port 1194
We need to open UDP port 1194 for OpenVPN traffic destined for MikroTik device. Picture 10 depicts firewall configuration before our changes.
Picture 10 - Firewall Filter Table Input Chain Before Configuration
> /ip firewall filter add chain=input protocol=udp dst-port=1194 action=accept place-before=5 comment="accept OpenVPN UDP" log=yes log-prefix="openvpn"
Picture 11 - Firewall Filter Table Input Chain After Configuration
Note: If you need to allow SSH connection from VPN tunnel to Mikrotik, just add the following rule:
> /ip firewall filter add action=accept protocol=tcp src-address=192.168.100.0/24 dst-address=192.168.88.1 dst-port=22 comment="Mikrotik_from_OpenVPN" place-before=6 chain=input
3.4 OpenVPN Client Configuration in Ubuntu
We need to copy the CA/client certificates and the client private key from MikroTik to Linux:
- cert_export_openvpn-client1-certificate.crt
- cert_export_ca-certificate.crt
- cert_export_openvpn-client1-certificate.key
Assuming the OpenSSH server is configured and running on the Linux system, enter the following commands in the MikroTik console.
> /tool fetch url=sftp://192.168.88.241/home/user123/cert_export_openvpn-client1-certificate.crt user=linux_user password=linux_pass upload=yes
> /tool fetch url=sftp://192.168.88.241/home/user123/cert_export_ca-certificate.crt user=linux_user password=linux_pass upload=yes
> /tool fetch url=sftp://192.168.88.241/home/user123/cert_export_openvpn-client1-certificate.key user=linux_user password=linux_pass upload=yes
Login to Linux OS and copy the files into the directory /etc/openvpn/client/.
$ sudo cp /home/brezular/cert_export_ca-certificate.crt /etc/openvpn/client/
$ sudo cp /home/brezular/cert_export_openvpn-client1-certificate.crt /etc/openvpn/client/
$ sudo cp /home/brezular/cert_export_openvpn-client1-certificate.key /etc/openvpn/client/
$ cd /etc/openvpn/client/
Rename the files below:
$ sudo mv cert_export_ca-certificate.crt ca.crt
$ sudo mv cert_export_openvpn-client1-certificate.crt client.crt
$ sudo mv cert_export_openvpn-client1-certificate.key client.key
Create the new configuration file client.ovpn for OpenVPN client in the directory /etc/openvpn/client/.
$ sudo vi client.ovpn
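The post does not show the contents of client.ovpn. The file below is an added example, not the author's file; it is written to match the server configured in Section 3 (UDP port 1194, auth=sha512, AES-256-CBC from the cipher list, client certificate required, username/password from the ppp secret) and assumes the renamed file paths from the steps above and an OpenVPN 2.5 or newer client.

```conf
# Added example client.ovpn (not from the original post). Assumes the file
# names from Section 3.4 and the server settings from Sections 3.1-3.2.
client
dev tun
proto udp
remote a102.mywire.org 1194
nobind
persist-key
persist-tun

# CA, client certificate and client key copied from the router and renamed
ca /etc/openvpn/client/ca.crt
cert /etc/openvpn/client/client.crt
key /etc/openvpn/client/client.key

# the ppp secret (user_xyz); OpenVPN prompts for it at start-up
auth-user-pass

# must match the server: auth=sha512 and one of the configured AES-CBC ciphers
auth SHA512
cipher AES-256-CBC
data-ciphers AES-256-CBC
data-ciphers-fallback AES-256-CBC

# accept only a server certificate issued with the tls-server key usage,
# as the openvpn-server-template in Section 3.1 was, and pin its common name
remote-cert-tls server
verify-x509-name openvpn-server.a102.mywire.org name

verb 3
```

Because the client key was exported with export-passphrase="your_pass_phrase", OpenVPN also prompts for the private key password when started from the terminal. The two verification lines are the client-side check that matters: without remote-cert-tls and verify-x509-name, any certificate signed by the same CA, including another client's, would be accepted as the server.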
Finally, connect to Mikrotik OpenVPN server with the commands below.
$ sudo openvpn /etc/openvpn/client/client.ovpn
The log file is here.
End.
Good post!
Thank you.
And one more tip - you don't need to set up DDNS through 3rd-party services,
Mikrotik includes their own DDNS service.
/IP/Cloud/DDNS check
How to activate IPv6 service on hAP ax3?
Thanks