DEV Community: Ihor

OpenVPN Server and certificate management on MikroTik

Ihor — Fri, 15 Mar 2019 08:17:13 +0000

Setup OpenVPN Server and generate certs

Change variables below and paste the script

into MikroTik terminal window.

:global CN [/system identity get name]
:global COUNTRY "UA"
:global STATE "KV"
:global LOC "Kyiv"
:global ORG "My organization"
:global OU ""
:global KEYSIZE "2048"

functions

:global waitSec do={:return ($KEYSIZE * 10 / 1024)}

generate a CA certificate

/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

generate a server certificate

/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

create a client template

/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="client" \
key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

create IP pool

/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224

add VPN profile

/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
remote-address=VPN-POOL use-encryption=yes

setup OpenVPN server

/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes

add a firewall rule

/ip firewall filter
add chain=input dst-port=1194 protocol=tcp comment="Allow OpenVPN"

Add a new user

Add a new user and generate/export certs

Change variables below and paste the script

into MikroTik terminal window.

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

add a user

/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn

generate a client certificate

/certificate
add name=client-template-to-issue copy-from="client-template" \
common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

export the CA, client certificate, and private key

/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

Setup OpenVPN client

Copy the exported certificates from the MikroTik

sftp admin@MikroTik_IP:cert_export_*

Also, you can download the certificates from the web interface. Go to WebFig → Files for this.

Create user.auth file

The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.
user
password

Create OpenVPN config that named like USERNAME.ovpn:
client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3

Create a file 'user.auth' with a username and a password

cat << EOF > user.auth

user

password

EOF

auth-user-pass user.auth

Copy the certificates from MikroTik and change

the filenames below if needed

ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key

Add routes to networks behind MikroTik

route 192.168.10.0 255.255.255.0

Try to connect
sudo openvpn USERNAME.ovpn

Decrypt private key to avoid password asking
openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key

Delete a user and revoke his certificate

Change variables below and paste the script

into MikroTik terminal window.

:global CN [/system identity get name]
:global USERNAME "user"

delete a user

/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]

revoke a client certificate

/certificate
issued-revoke [find name="$USERNAME@$CN"]

Revert OpenVPN server configuration on MikroTik

Revert OpenVPN configuration

/ip pool
remove [find name=VPN-POOL]

/ppp profile
remove [find name=VPN-PROFILE]

/ip firewall filter
remove [find comment="Allow OpenVPN"]

/ppp secret
remove [find profile=VPN-PROFILE]

/certificate

delete the certificates manually

AWS Classic Load Balancer vs Application Load Balancer

Ihor — Mon, 11 Feb 2019 13:41:12 +0000

Elastic Load Balancing supports two types of load balancers: Application Load Balancers and Classic Load Balancers. While there is some overlap in the features, AWS does not maintain feature parity between the two types of load balancers. Content below lists down the feature comparison for both.

Usage Pattern

A Classic Load Balancer is ideal for simple load balancing of traffic across multiple EC2 instances,
Application Load Balancer is ideal for microservices or container-based architectures where there is a need to route traffic to multiple services or load balance across multiple ports on the same EC2 instance.
AWS ELB Classic Load Balancer vs Application Load Balancer
Supported Protocols

Classic Load Balancer operates at layer 4 and supports HTTP, HTTPS, TCP, SSL while Application Load Balancer operates at layer 7 and supports HTTP, HTTPS, HTTP/2, WebSockets
If Layer-4 features are needed, Classic Load Balancers should be used
Supported Platforms

Classic Load Balancer supports both EC2-Classic and EC2-VPC while Application Load Balancer supports only EC2-VPC
Stick Sessions (Cookies)

Stick Sessions (Session Affinity) enables the load balancer to bind a user’s session to a specific instance, which ensures that all requests from the user during the session are sent to the same instance
Both Classic & Application Load Balancer supports sticky sessions to maintain session affinity
Idle Connection Timeout

Idle Connection Timeout helps specify a time period, which ELB uses to close the connection if no data has been sent or received by the time that the idle timeout period elapses
Both Classic & Application Load Balancer supports idle connection timeout
Connection Draining

Connection draining enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy
Both Classic & Application Load Balancer supports connection draining
SSL Termination

Both Classic Load Balancer and ALB support SSL Termination to decrypt requests from clients before sending them to targets and hence reducing the load. SSL certificate must be installed on the load balancer.
Back-end Server Authentication

Back-end Server Authentication enables authentication of the instances. Load balancer communicates with an instance only if the public key that the instance presents to the load balancer matches a public key in the authentication policy for the load balancer.
Classic Load Balancer supports while Application Load Balancer does notsupport Back-end Server Authentication
Cross-zone Load Balancing

Cross-zone Load Balancing help distribute incoming requests evenly across all instances in its enabled AZs. By default, Load Balancer will evenly distribute requests evenly across its enabled AZs, irrespective of the instances it hosts.
Both Classic & Application Load Balancer both support Cross-zone load balancing, however for Classic it needs to be enabled while for ALB it is always enabled
Health Checks

Both Classic & Application Load Balancer both support Health checks to determine if the instance is healthy or unhealthy
ALB provides health check improvements that allow detailed error codes from 200-399 to be configured
CloudWatch Metrics

Both Classic & Application Load Balancer integrate with CloudWatch to provide metrics, with ALB providing additional metrics
Access Logs

Access logs capture detailed information about requests sent to the load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses
Both Classic & Application Load Balancer provide access logs, with ALB providing additional attributes
Host-based Routing & Path-based Routing

Host-based routing use host conditions to define rules that forward requests to different target groups based on the host name in the host header. This enables ALB to support multiple domains using a single load balancer.
Path-based routing use path conditions to define rules that forward requests to different target groups based on the URL in the request. Each path condition has one path pattern. If the URL in a request matches the path pattern in a listener rule exactly, the request is routed using that rule.
Only ALB supports Host-based & Path-based routing.
Dynamic Ports

Only ALB supports Dynamic Port Mapping with ECS, which allows two containers of a service to run on a single server on dynamic ports that ALB automatically detects and reconfigures itself.
Deletion Protection

Only ALB supports Deletion Protection, wherein a load balancer can’t be deleted if deletion protection is enabled
Request Tracing

Only ALB supports Request Tracing to track HTTP requests from clients to targets or other services.
IPv6 in VPC

Only ALB supports IPv6 in VPC
AWS WAF

Only ALB supports AWS WAF, which can be directly used on ALBs (both internal and external) in a VPC, to protect websites and web services