服务器端
创建证书
# Certificate templates for the OpenVPN deployment: a CA (key-cert-sign,
# crl-sign), a wildcard server certificate and one client certificate.
# All three use RSA-4096 keys and a ten-year validity.
# NOTE(review): ten-year client certificates effectively never expire, so a
# lost client key can only be retired by revocation — confirm a CRL is in
# place before handing out client bundles.
/certificate
add key-usage=crl-sign,key-cert-sign key-size=4096 days-valid=3650 common-name=test.com name=ca-template
add key-usage=digital-signature,key-encipherment,tls-server key-size=4096 days-valid=3650 common-name=*.test.com name=server-template
add key-usage=tls-client key-size=4096 days-valid=3650 common-name=ovpn.test.com name=client-template
证书签名
# Sign the templates: the CA is self-signed; server and client certificates
# are issued by it (ca=ca-certificate). The resulting names are the ones the
# OVPN server and the export step refer to.
/certificate
sign ca-template name=ca-certificate
sign server-template ca=ca-certificate name=server-certificate
sign client-template ca=ca-certificate name=client-certificate
导出证书
# Export the certificates to the router's file store.
# CA: exported with an empty passphrase, i.e. certificate only (RouterOS
# leaves the private key out of the export when no passphrase is given).
# Client: exported with a passphrase, so the private key is included and
# encrypted with it.
# NOTE(review): 12345678 is a sample value — use a strong passphrase here;
# the key is decrypted again on the client, so the passphrase protects the
# file only in transit.
/certificate
export-certificate ca-certificate export-passphrase=""
# private key included, encrypted with the passphrase
export-certificate client-certificate export-passphrase=12345678
添加OpenVPN服务
# PPP profile used by OpenVPN clients (only-one=yes: one concurrent session
# per user; change-tcp-mss=yes: clamp TCP MSS on the tunnel).
# NOTE(review): the profile sets no local-address/remote-address, so client
# address assignment has to come from elsewhere — confirm clients get an IP.
/ppp profile
add name=VPN-Client only-one=yes change-tcp-mss=yes comment="VPN\BF\CD\BB\A7\B6\CB\C5\E4\D6\C3"
# OVPN server: TCP on port 22816, IP mode with a /24 tunnel netmask, server
# certificate from the signing step, client certificates mandatory.
# NOTE(review): auth=sha1 only applies to the CBC ciphers (aes256-gcm is
# AEAD and carries its own authentication); on builds that accept
# auth=sha256 prefer it, and drop aes128-cbc once every client supports the
# remaining ciphers.
/interface ovpn-server server
set enabled=yes port=22816 protocol=tcp mode=ip netmask=24 certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128-cbc,aes256-cbc,aes256-gcm default-profile=VPN-Client
添加防火墙放行OpenVPN服务
# Accept inbound OpenVPN (TCP/22816) on the input chain.
# place-before=0 puts the rule at the very top of the filter list, ahead of
# every existing rule (including established/related and drop rules); placing
# it just before the input-chain drop rule is usually enough.
# NOTE(review): the rule accepts from any source address — if the VPN should
# only be reachable from known networks, narrow it with in-interface-list or
# src-address-list.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=22816 place-before=0 comment="Allow OpenVPN"
客户端
去掉私钥密码
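# Strip the export passphrase from the client key so the OpenVPN client can
# load it non-interactively ('xxxx-' is the router-assigned file prefix).
# The output is an unencrypted private key: run openssl under umask 077 so
# the file is created owner-readable only instead of world-readable, and keep
# it out of shared directories. The subshell keeps the umask change local.
(umask 077 && openssl rsa -in xxxx-client-certificate.key -out xxxx-client-certificate-nokey.key)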