MikroTik is small, cheap and feature rich for those with a limited budget. One feature I find particularly useful is MikroTik's OpenVPN server. It is the same as the regular OpenVPN software you can find elsewhere, but with some features missing, such as pushing static routes, to name one.
In this post, I'm going to show you how to set up and configure OpenVPN for remote users on your MikroTik device.
I'm going to write down everything I found about how to set up OpenVPN on MikroTik for remote-user access (because I ran into trouble myself, especially when making the certificates).
Generate Certificate
Open Winbox, go to System, choose Certificates, then click the “+” button.
Follow the details below to create the CA (then repeat twice more, for the server and the client).
For CA
For Server
For Client
Or you can just run these commands from the terminal to speed up the process:
/certificate add name=CA country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="CA" key-size=4096 days-valid=365000 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=<your public ip> name="CA"
/certificate add name=server country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="server" key-size=4096 days-valid=365000 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server ca="CA" name="server"
/certificate add name=client country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="client" key-size=4096 days-valid=365000 key-usage=tls-client
/certificate sign client ca="CA" name="client"
/certificate add name=client1 copy-from="client" common-name="client1"
/certificate sign client1 ca="CA" name="client1"
After creating the certificates, export and download them with these commands:
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate client1 export-passphrase=12345678
and save the exported files to your PC/laptop.
Please keep the passphrase you used when exporting the client certificate; it will be needed to decrypt the key later.
Setup OpenVPN Server
First, create a new pool for OpenVPN users
/ip pool
add name=ovpn ranges=192.168.87.30-192.168.87.254
/ip dhcp-server network
add address=192.168.87.0/24 comment=vpn dns-server=192.168.89.1 gateway=\
192.168.89.1 netmask=24
Now, configure the OpenVPN server
/ppp profile
add dns-server=192.168.89.1 local-address=<take ip from your ovpn dhcp pool> name=open_vpn \
remote-address=ovpn use-compression=no use-encryption=required
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=open_vpn enabled=yes \
require-client-certificate=yes
Masquerade your OpenVPN IP range in the NAT tab (if your OpenVPN device is not functioning as the router; otherwise you can skip this part)
/ip firewall nat
add chain=srcnat src-address=192.168.87.0/24 action=masquerade
Create a user in the Secrets tab
/ppp secret
add name=client1 password=password1 profile=open_vpn service=ovpn
Allow OpenVPN in the firewall
/ip firewall filter
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
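As an added example (not from the post and not MikroTik's own tooling), here is a small Python script that parses the RouterOS lines above in export form (with the backslash line continuations RouterOS prints) and checks the points worth verifying before enabling the server: require-client-certificate is on, the PPP profile requires encryption, no cipher from the deprecated 64-bit block family (blowfish128, which the cipher list above includes) is offered, and the input rule accepting tcp/1194 exists. The sample export and the local-address value 192.168.87.1 are constructed stand-ins for the placeholders in the post.

```python
import re
import shlex

# Constructed sample of the RouterOS configuration this post builds, in export
# form (including the backslash line continuations RouterOS prints). The
# local-address value 192.168.87.1 is a stand-in for the placeholder in the post.
ROUTEROS_EXPORT = r"""
/ppp profile
add dns-server=192.168.89.1 local-address=192.168.87.1 name=open_vpn \
remote-address=ovpn use-compression=no use-encryption=required
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=open_vpn enabled=yes \
require-client-certificate=yes
/ppp secret
add name=client1 password=password1 profile=open_vpn service=ovpn
/ip firewall filter
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
"""

# 64-bit block ciphers: OpenVPN deprecated them, and long sessions on them are
# exposed to birthday-bound (SWEET32-style) attacks, so flag them if offered.
LEGACY_CIPHERS = {"blowfish128"}


def join_continuations(text):
    """Join lines that end with a backslash, as RouterOS export writes them."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_export(text):
    """Parse RouterOS export text into {menu_path: [entry, ...]}.

    Each entry is a dict of key=value pairs plus "_cmd" (add/set).
    Quoted values such as organization="Acme Ltd" are handled by shlex.
    """
    menus = {}
    current = None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
            continue
        tokens = shlex.split(line)
        entry = {"_cmd": tokens[0]}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            entry[key] = value
        menus.setdefault(current, []).append(entry)
    return menus


def audit_ovpn_server(text):
    """Return a list of findings for the OpenVPN server setup; [] means clean."""
    menus = parse_export(text)
    findings = []
    profiles = {p.get("name"): p for p in menus.get("/ppp profile", [])}
    for server in menus.get("/interface ovpn-server server", []):
        if server.get("require-client-certificate") != "yes":
            findings.append("require-client-certificate is not yes")
        if not server.get("certificate"):
            findings.append("no server certificate configured")
        for cipher in sorted(set(server.get("cipher", "").split(",")) & LEGACY_CIPHERS):
            findings.append(f"legacy cipher offered: {cipher}")
        profile = profiles.get(server.get("default-profile"))
        if profile is None:
            findings.append("default-profile does not exist")
        elif profile.get("use-encryption") != "required":
            findings.append("ppp profile does not set use-encryption=required")
    # The post opens tcp/1194 on the input chain; make sure that rule is present.
    has_input_rule = any(
        r.get("chain") == "input" and r.get("action") == "accept"
        and r.get("protocol") == "tcp" and r.get("dst-port") == "1194"
        for r in menus.get("/ip firewall filter", [])
    )
    if not has_input_rule:
        findings.append("no input rule accepting tcp/1194")
    return findings


if __name__ == "__main__":
    for finding in audit_ovpn_server(ROUTEROS_EXPORT) or ["no findings"]:
        print(finding)
```

Run against the sample above it reports only the blowfish128 entry; dropping that cipher from the list (the AES entries stay) gives an empty finding list. To check a real router, paste the output of `/export` into the ROUTEROS_EXPORT string or read it from a file.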
Install the OpenVPN client on the user's device
Open the OpenVPN site and go to the download page
Choose the client suitable for your operating system (in this case I only show how to configure the client on Windows)
Save the downloaded file to your client PC/laptop and start the installation
Please make sure you tick “EasyRSA 2 Certificate Management Scripts”
Click “Next” and Click “Install”
Create a config file for the OpenVPN client
Before using the exported key in the OpenVPN client config, decrypt it so the client does not prompt for the passphrase; the value after pass: is the export passphrase you set on MikroTik. Use this command:
openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key
Open your text editor or Notepad, and copy and paste this:
client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3
# Create a file 'user.auth' with a username and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
auth-user-pass user.auth
# Copy the certificates from MikroTik and change
# the filenames below if needed
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key
# Add routes to networks behind MikroTik
#route 192.168.10.0 255.255.255.0
Or you can use this file to simplify the configuration:
client
dev tun
proto tcp
remote <your ip/public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
tls-cipher DEFAULT
remote-cert-tls server
cipher AES-256-CBC
auth sha1
auth-nocache
auth-user-pass
dhcp-option DOMAIN <your domain>
dhcp-option DNS <dns server ip>
dhcp-option DNS <dns server ip>
verb 3
route subnet A 255.255.255.0
route subnet B 255.255.255.0
route subnet C 255.255.255.0
route subnet D 255.255.255.0
route subnet E 255.255.255.0
route subnet F 255.255.255.0
route subnet G 255.255.255.0
For Apple users (MacBook, iPad, iPhone) you need to add “redirect-gateway def1”:
client
dev tun
proto tcp
remote <your ip/public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
tls-cipher DEFAULT
remote-cert-tls server
cipher AES-256-CBC
auth sha1
auth-nocache
auth-user-pass
dhcp-option DOMAIN <your domain>
dhcp-option DNS <dns server ip>
dhcp-option DNS <dns server ip>
redirect-gateway def1 #<-- add this
verb 3
route subnet A 255.255.255.0
route subnet B 255.255.255.0
route subnet C 255.255.255.0
route subnet D 255.255.255.0
route subnet E 255.255.255.0
route subnet F 255.255.255.0
route subnet G 255.255.255.0
Note: create user.auth and put your client username and password in it. Also create the certificate files for your 3 keys, and don't forget to copy and paste the keys starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----.
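The two hand-edits above (decrypting the exported key, then pasting the three PEM blocks into <ca>, <cert> and <key>) are easy to get wrong. As an added example, not part of the original post, this Python script assembles the inline client config from the three exported files and refuses to proceed if a PEM block is missing or the key is still passphrase-protected (the case where `openssl rsa` was skipped). The PEM contents, file names and base config are constructed stand-ins modelled on the post, not real certificates or keys.

```python
import re

# Matches one PEM block; the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n.*?\r?\n-----END (?P=label)-----", re.S
)

# Constructed stand-ins for the exported files (not real certificates or keys):
# the body text is filler; only the PEM framing matters to this script.
CA_PEM = "-----BEGIN CERTIFICATE-----\nMIICsampleCAbody\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIICsampleClientBody\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEsampleKeyBody\n-----END RSA PRIVATE KEY-----\n"
# What a key looks like before 'openssl rsa' strips the export passphrase.
ENCRYPTED_KEY_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
    "MIIEsampleKeyBody\n-----END RSA PRIVATE KEY-----\n"
)
# The file-based client config from the post; the ca/cert/key lines get replaced.
BASE_CONFIG = """client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
auth-user-pass user.auth
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key
"""


def pem_blocks(text):
    """Return [(label, block_text), ...] for every PEM block found in text."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(key_pem):
    """True if the key still carries the export passphrase (decrypt it with openssl first)."""
    blocks = pem_blocks(key_pem)
    if not blocks:
        return False
    label = blocks[0][0]
    return label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key_pem


def build_inline_ovpn(base_config, ca_pem, cert_pem, key_pem):
    """Embed the three exported PEM files into the client config as <ca>, <cert>, <key>."""
    ca = [b for label, b in pem_blocks(ca_pem) if label == "CERTIFICATE"]
    cert = [b for label, b in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    keys = [b for label, b in pem_blocks(key_pem) if label.endswith("PRIVATE KEY")]
    if len(ca) != 1 or len(cert) != 1 or len(keys) != 1:
        raise ValueError("expected exactly one CA cert, one client cert and one private key")
    if key_is_encrypted(key_pem):
        raise ValueError("client key is still passphrase-protected; run 'openssl rsa' on it first")
    # Drop the file-based ca/cert/key directives: the inline blocks replace them.
    kept = [
        line for line in base_config.splitlines()
        if not re.match(r"^(ca|cert|key)\s+\S", line)
    ]
    inline = f"<ca>\n{ca[0]}\n</ca>\n<cert>\n{cert[0]}\n</cert>\n<key>\n{keys[0]}\n</key>"
    return "\n".join(kept + [inline]) + "\n"


if __name__ == "__main__":
    # Swap the constructed strings for the real exported files and write client.ovpn.
    print(build_inline_ovpn(BASE_CONFIG, CA_PEM, CLIENT_CERT_PEM, CLIENT_KEY_PEM))
```

To use it on real files, read cert_export_MikroTik.crt, cert_export_user@MikroTik.crt and the decrypted cert_export_user@MikroTik.key into the three arguments and write the returned text to a .ovpn file; the script keeps every other directive from the base config unchanged.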