Este artigo foi homologado no equipamento CCR2116-12G-4S+, na versão v7.18.2; o uso em uma versão diferente pode não produzir o mesmo resultado.
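# --- Certificate chain for the OpenVPN server: root CA, server certificate, one admin client certificate ---
# Root CA. key-usage is limited to signing certificates and CRLs, so this key is never usable as a TLS endpoint.
# NOTE(review): days-valid is not set on any certificate in this chain, so the RouterOS default applies — confirm the lifetime suits the deployment.
/certificate/add \
name=ca1-ovpn-smart-layer \
common-name=ca1-ovpn-smart-layer \
country=BR \
state=GO \
locality=MHS \
organization="SMART LAYER MORRINHOS" \
unit="001-IPV4" \
key-usage=crl-sign,key-cert-sign \
#
# Self-sign the CA (no ca= given) and advertise this host as the CRL distribution point.
/certificate/sign \
ca1-ovpn-smart-layer \
ca-crl-host=10.64.255.1 \
#
# Export the CA certificate for distribution to clients. No export-passphrase is given, so the CA private key stays on the router.
/certificate/export-certificate \
ca1-ovpn-smart-layer \
type=pem \
file-name=ca1-ovpn-smart-layer \
#
# Server certificate: tls-server key usage, signed by the CA above.
/certificate/add \
name=server1-ovpn-smart-layer \
common-name=server1-ovpn-smart-layer \
country=BR \
state=GO \
locality=MHS \
organization="SMART LAYER MORRINHOS" \
unit="001-IPV4" \
key-usage=digital-signature,key-encipherment,tls-server \
#
/certificate/sign \
server1-ovpn-smart-layer \
ca=ca1-ovpn-smart-layer \
#
/certificate/set \
server1-ovpn-smart-layer \
trusted=yes \
#
# Client certificate for the admin profile: tls-client key usage only, signed by the same CA.
/certificate/add \
name=client1-ovpn-admin \
common-name=client1-ovpn-admin \
country=BR \
state=GO \
locality=MHS \
organization="SMART LAYER MORRINHOS" \
unit="ADMIN" \
key-usage=tls-client \
#
/certificate/sign \
client1-ovpn-admin \
ca=ca1-ovpn-smart-layer \
#
/certificate/set \
client1-ovpn-admin \
trusted=yes \
#
# Export certificate AND private key for the client. The passphrase is quoted because the value
# contains '#' and other shell-significant characters; the value shown is an example — replace it before use.
# file-name is kept identical to the certificate name so the resulting .crt/.key files match the
# client-certificate / client-cert-key names used when exporting the client configuration.
/certificate/export-certificate \
client1-ovpn-admin \
type=pem \
export-passphrase="#@SenhaSegura2024#@" \
file-name=client1-ovpn-admin \
#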
# Address pool handed to OpenVPN clients; .1 is reserved for the router (local-address in the profile below).
/ip/pool/add name=pool-OVPN ranges=10.98.7.2-10.98.7.254
#
# PPP profile applied to OpenVPN sessions: router side is 10.98.7.1, client side is drawn from pool-OVPN.
# change-tcp-mss=yes adjusts TCP MSS on tunnelled connections; only-one=yes allows a single active session per secret.
/ppp/profile/add name=profile-OVPN local-address=10.98.7.1 remote-address=pool-OVPN change-tcp-mss=yes only-one=yes
#
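# OpenVPN server instance. It is created disabled so certificates, pool, profile and firewall rules
# can be checked first; set disabled=no on it once the rest of the configuration is in place.
# port is 20120 to agree with the firewall filter and dst-nat rules of this article (the original
# listed 20124 here, which the firewall would never pass).
# cipher: blowfish128 was removed — a 64-bit block cipher is not acceptable for a tunnel; prefer aes256-gcm
# and keep the CBC entries only while older clients still need them.
# redirect-gateway=def1 pushes a default route to the client, i.e. all client traffic goes through the tunnel.
# require-client-certificate=yes means a valid certificate from ca1-ovpn-smart-layer is needed in addition to the PPP secret.
/interface/ovpn-server/server/add \
disabled=yes \
name=SMART-LAYER-MORRINHOS-IPV4-ADMIN \
certificate=server1-ovpn-smart-layer \
cipher=aes128-cbc,aes256-cbc,aes256-gcm \
default-profile=profile-OVPN \
port=20120 \
protocol=udp \
redirect-gateway=def1 \
require-client-certificate=yes \
#
# PPP secret used for the OpenVPN username/password step. The value is quoted because it contains '#'.
# It is the same example value as the client key export passphrase in this article — use distinct,
# non-example secrets in a real deployment.
/ppp/secret/add \
name=smart \
password="#@SenhaSegura2024#@" \
service=ovpn \
#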
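# Generate the .ovpn client profile for the server above. Every parameter line must end with '\'
# (the original was missing it after server=, which split the command in two).
# server-address is what clients will dial. 10.64.255.1 is the router's internal address used elsewhere
# in this article, while the dst-nat rule targets 192.0.2.254 from outside — if clients connect across
# that NAT, the externally reachable address belongs here (confirm against the actual topology).
# client-certificate / client-cert-key refer to the files produced by the client export
# (file-name=client1-ovpn-admin → client1-ovpn-admin.crt / .key).
/interface/ovpn-server/server/export-client-configuration \
server=SMART-LAYER-MORRINHOS-IPV4-ADMIN \
server-address=10.64.255.1 \
ca-certificate=ca1-ovpn-smart-layer \
client-certificate=client1-ovpn-admin.crt \
client-cert-key=client1-ovpn-admin.key \
#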
# Accept inbound OpenVPN (UDP/20120) addressed to the router itself. The port here must equal the
# port configured on the ovpn-server instance.
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=20120 comment="!::ACCEPT-INPUT-OPEN-VPN"
#
# Redirect OpenVPN traffic arriving for 192.0.2.254 to the router's internal address 10.64.255.1 on the same port.
# NOTE(review): 192.0.2.254 is presumably the externally visible address for this service — confirm against the topology.
/ip/firewall/nat/add chain=dstnat action=dst-nat protocol=udp dst-address=192.0.2.254 dst-port=20120 to-addresses=10.64.255.1 to-ports=20120 comment="!::DSTNAT-OPEN-VPN"
#