This article does not discuss why you should use VPN, or specifically OpenVPN – just how to implement OpenVPN server on Mikrotik RouterOS.
Change these to fit your setup:
- This router’s local address: 10.0.0.1
- Local certificate authority name: myCa
- Name for the VPN server in the certificate: server
- Name for the VPN client in the certificate: client1
- Passphrase for the client’s key file: mysecret
- Name of the IP address pool to give to the VPN clients: ovpn-pool
- IP addresses to give to the VPN clients: 10.0.0.80-10.0.0.85
- Port number: 1194. You’re free to change this to something else.
- OpenVPN username: vpnuser
- OpenVPN password: mypassword
Add a certificate authority in RouterOS:
/certificate add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign sign myCa ca-crl-host=10.0.0.1 name=myCa
Export the certificate authority:
/certificate export-certificate myCa
We now have the certificate authority file in /file print. We can copy it out via many methods: SFTP, Winbox, FTP and others.
Generate certificates for both server and client:
/certificate add name=server common-name=server add name=client1 common-name=client1 sign server ca=myCa name=server sign client1 ca=myCa name=client1
Export the certificate for the client (no need to export the server’s certificate):
/certificate export-certificate export-passphrase=mysecret client1
We can then transfer both the .key and .crt files out by many methods. Next, create a pool, PPP profile, and login credentials:
/ip pool add name=ovpn-pool range=10.0.0.80-10.0.0.85 /ppp profile add name=ovpn local-address=10.0.0.1 remote-address=ovpn-pool dns-server=10.0.0.1 /ppp secret add name=vpnuser password=mypassword profile=ovpn
Enable the OpenVPN server, select the server’s certificate, and use this new PPP profile:
/interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes128 port=1194 netmask=24 require-client-certificate=yes mode=ip
The following is a sample configuration file for the client. Before using it, replace the following:
- Public address and port number (default is 1194) in the line remote.
- Use the correct cipher. This configuration uses SHA1 with AES 128 bits.
- Domain name in the line dhcp-option DOMAIN. You can put a fictional one if you don’t have one.
- DNS server in the line dhcp-option DNS.
- Route to the local network at the VPN side in the line route
- Content from the export of the certificate authority in the <ca> section.
- Content of the client’s certificate file in the <cert> section.
- Content of the client’s key file in the <key> section. If the key file has a passphrase, generate a decrypted version of it on a UNIX/Linux box:
openssl rsa -in /path/to/client1.key -text
client # this is a layer 3 (IP) VPN dev tun # Mikrotik only supports TCP at the moment proto tcp # put your VPN Server's routable (WAN or Internet-accessible) IP address here remote 126.96.36.199 1149 resolv-retry infinite nobind # Mikrotik does not support link compression at the moment #comp-lzo persist-key persist-tun #mute-replay-warnings # OpenVPN client debug log verbosity verb 1 #cipher BF-CBC cipher AES-128-CBC #cipher AES-192-CBC #cipher AES-256-CBC #auth MD5 auth SHA1 # Mikrotik's PPP server requires username/password authentication # at the moment and it uses this in conjunction with both client and # server-side x.509v3 certificate authentication auth-user-pass # domain name for home LAN dhcp-option DOMAIN mydomain.tld # DNS server (replace with your own) dhcp-option DNS 10.0.0.1 # SMB WINS name server if you have one #dhcp-option WINS 10.0.0.1 # route to multiple networks redirect-gateway def1 route 0.0.0.0 0.0.0.0 10.0.0.1 1 route 10.0.0.0 255.255.255.0 # Mikrotik accepts a CA cert <ca> -----BEGIN CERTIFICATE----- ...content goes here... -----END CERTIFICATE----- </ca> # Mikrotik expects a VPN Client Certificate <cert> -----BEGIN CERTIFICATE----- ...content goes here... -----END CERTIFICATE----- </cert> # OpenVPN Client needs the VPN Client Private Key to decrypt # info sent by the server during the SSL/TLS handshake <key> -----BEGIN RSA PRIVATE KEY----- ...content goes here... -----END RSA PRIVATE KEY----- </key>
Once we have the configuration file for the VPN client ready, simply import it and connect to our new OpenVPN server!