This article does not discuss why you should use a VPN, or specifically OpenVPN; it only shows how to implement an OpenVPN server on Mikrotik RouterOS.

Change these to fit your setup:

  • This router’s local address: 10.0.0.1
  • Local certificate authority name: myCa
  • Name for the VPN server in the certificate: server
  • Name for the VPN client in the certificate: client1
  • Passphrase for the client’s key file: mysecret
  • Name of the IP address pool to give to the VPN clients: ovpn-pool
  • IP addresses to give to the VPN clients: 10.0.0.80-10.0.0.85
  • Port number: 1194. You’re free to change this to something else.
  • OpenVPN username: vpnuser
  • OpenVPN password: mypassword

Add a certificate authority in RouterOS:

/certificate
add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
sign myCa ca-crl-host=10.0.0.1 name=myCa

Export the certificate authority:

/certificate export-certificate myCa

The exported certificate authority file now shows up in /file print. We can copy it off the router via many methods: SFTP, Winbox, FTP and others.

Generate certificates for both server and client:

/certificate
add name=server common-name=server
add name=client1 common-name=client1
sign server ca=myCa name=server
sign client1 ca=myCa name=client1

Export the certificate for the client (no need to export the server’s certificate):

/certificate export-certificate export-passphrase=mysecret client1

We can then transfer both the .key and .crt files out by many methods. Next, create a pool, PPP profile, and login credentials:

/ip pool add name=ovpn-pool range=10.0.0.80-10.0.0.85
/ppp profile add name=ovpn local-address=10.0.0.1 remote-address=ovpn-pool dns-server=10.0.0.1
/ppp secret add name=vpnuser password=mypassword profile=ovpn

Enable the OpenVPN server, select the server’s certificate, and use this new PPP profile:

/interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes128 port=1194 netmask=24 require-client-certificate=yes mode=ip

The following is a sample configuration file for the client. Before using it, replace the following:

  • Public address and port number (default is 1194) in the line remote.
  • Use the correct cipher and auth. They must match the server settings; this configuration uses SHA1 with AES 128 bits, matching auth=sha1 cipher=aes128 above.
  • Domain name in the line dhcp-option DOMAIN. You can put a fictional one if you don’t have one.
  • DNS server in the line dhcp-option DNS.
  • Route to the local network on the VPN side in the line route.
  • Content from the export of the certificate authority in the <ca> section.
  • Content of the client’s certificate file in the <cert> section.
  • Content of the client’s key file in the <key> section. If the key file has a passphrase, generate a decrypted version of it on a UNIX/Linux box (you will be prompted for the passphrase, mysecret in this example):
    openssl rsa -in /path/to/client1.key -out /path/to/client1-decrypted.key

client

# this is a layer 3 (IP) VPN
dev tun

# Mikrotik only supports TCP at the moment
proto tcp

# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote 1.2.3.4 1194

resolv-retry infinite
nobind

# Mikrotik does not support link compression at the moment
#comp-lzo

persist-key
persist-tun
#mute-replay-warnings

# OpenVPN client debug log verbosity
verb 1

#cipher BF-CBC
cipher AES-128-CBC
#cipher AES-192-CBC
#cipher AES-256-CBC

#auth MD5
auth SHA1

# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass

# domain name for home LAN
dhcp-option DOMAIN mydomain.tld

# DNS server (replace with your own)
dhcp-option DNS 10.0.0.1

# SMB WINS name server if you have one
#dhcp-option WINS 10.0.0.1

# route to multiple networks
redirect-gateway def1
route 0.0.0.0 0.0.0.0 10.0.0.1 1
route 10.0.0.0 255.255.255.0

# Mikrotik accepts a CA cert
<ca>
-----BEGIN CERTIFICATE-----
...content goes here...
-----END CERTIFICATE-----
</ca>

# Mikrotik expects a VPN Client Certificate
<cert>
-----BEGIN CERTIFICATE-----
...content goes here...
-----END CERTIFICATE-----
</cert>

# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
-----BEGIN RSA PRIVATE KEY-----
...content goes here...
-----END RSA PRIVATE KEY-----
</key>

Once we have the configuration file for the VPN client ready, simply import it and connect to our new OpenVPN server!
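A mismatch between the client profile and the server settings (wrong port, a cipher or auth line that differs from cipher=aes128 auth=sha1, a forgotten auth-user-pass, a placeholder left in an inline block, or a key that is still passphrase-protected) is the usual reason a first connection fails. The script below is an added example, not code from the original post: it parses an OpenVPN client profile, including the inline <ca>, <cert> and <key> blocks, and checks it against the RouterOS server values used in this article. The ROUTEROS_SERVER dict mirrors the server set line above; CIPHER_MAP and AUTH_MAP are this example's assumed mapping of RouterOS keywords to OpenVPN directive values; the sample profile is constructed and deliberately carries a mistyped port and a placeholder key.

```python
"""Consistency check of an OpenVPN client profile against the RouterOS
ovpn-server settings from the article (added example; helper names, the
keyword maps and the sample profile are this example's own assumptions)."""
import re

# Values from the article's `/interface ovpn-server server set ...` line.
ROUTEROS_SERVER = {"port": "1194", "auth": "sha1", "cipher": "aes128",
                   "require-client-certificate": "yes"}

# Assumed mapping of RouterOS keywords to OpenVPN client directive values.
CIPHER_MAP = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC",
              "aes256": "AES-256-CBC", "blowfish128": "BF-CBC"}
AUTH_MAP = {"md5": "MD5", "sha1": "SHA1"}


def parse_profile(text):
    """Return (directives, inline_blocks).
    directives: name -> list of argument lists (one per occurrence)
    inline_blocks: tag name -> block body (e.g. 'ca', 'cert', 'key')"""
    directives, blocks = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current:                       # inside <tag> ... </tag>
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":   # blank or comment
            continue
        m = re.fullmatch(r"<(\w+)>", line)
        if m:
            current = m.group(1)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    if current:                           # <tag> without matching </tag>
        directives.setdefault("__unterminated__", []).append([current])
    return directives, blocks


def first_arg(directives, name, default=None):
    """First argument of the first occurrence of a directive, or default."""
    occurrences = directives.get(name)
    return occurrences[0][0] if occurrences and occurrences[0] else default


def check_profile(text, server=ROUTEROS_SERVER):
    """Return a list of findings; an empty list means the profile is
    consistent with the server settings and contains no placeholders."""
    d, blocks = parse_profile(text)
    findings = []
    if "__unterminated__" in d:
        findings.append(f"unterminated inline block <{d['__unterminated__'][0][0]}>")
    remote = d.get("remote", [[]])[0]
    port = remote[1] if len(remote) > 1 else "1194"   # OpenVPN's default port
    if port != server["port"]:
        findings.append(f"remote port {port} does not match server port {server['port']}")
    if first_arg(d, "proto", "udp") != "tcp":
        findings.append("proto must be tcp (the article notes RouterOS accepts TCP only)")
    want = CIPHER_MAP[server["cipher"]]
    if first_arg(d, "cipher") != want:
        findings.append(f"cipher {first_arg(d, 'cipher')} does not match server cipher {want}")
    want = AUTH_MAP[server["auth"]]
    if first_arg(d, "auth") != want:
        findings.append(f"auth {first_arg(d, 'auth')} does not match server auth {want}")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing: the PPP secret is always required")
    needed = ["ca"] + (["cert", "key"] if server["require-client-certificate"] == "yes" else [])
    for tag in needed:
        body = blocks.get(tag, "")
        if "-----BEGIN" not in body or "content goes here" in body:
            findings.append(f"<{tag}> block missing or still a placeholder")
    if "ENCRYPTED" in blocks.get("key", ""):
        findings.append("<key> is still passphrase-protected; export a decrypted copy first")
    return findings


# Constructed sample profile: the port is mistyped and <key> is a placeholder.
SAMPLE_PROFILE = """client
dev tun
proto tcp
remote 203.0.113.10 1149
cipher AES-128-CBC
auth SHA1
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...content goes here...
-----END RSA PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    for finding in check_profile(SAMPLE_PROFILE):
        print("-", finding)
```

Run it against a real profile by reading the .ovpn file into check_profile; if you changed the port, cipher or auth on the server, adjust ROUTEROS_SERVER to the values actually set with /interface ovpn-server server set so the two stay in step.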
