Mikrotik: How to Setup OpenVPN for remote user

Posted on 11 May 2019 in Tutorial

Mikrotik is small , cheap and feature rich for those who have limited budget. One of the feature itself that very leveraging me is Mikrotik OpenVPN. it is same as regular OpenVPN software you can find but with some missing feature like push static routing or whatever you name it.

In this post, i’m gonna show you how to setup and configure openVPN for remote user in you mikrotik device.

I’m gonna write down everything i found about how to setup this openVPN on mikrotik for remote user purpose (because i find myself in trouble especially when making the certificate).

Generate Certificate

Open winbox and go to System and choose certificate then click “+” button

Follow detail below to creata CA (repeat 2 times for client, and server)

For CA

For Server

For Client

Or you can just executing using this command line to fasten the process

/certificate add name=CA country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="CA" key-size=4096 days-valid=365000 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=<your public ip> name="CA"

/certificate add name=server country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="server" key-size=4096 days-valid=365000 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server ca="CA" name="server"

/certificate add name=client country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="client" key-size=4096 days-valid=365000 key-usage=tls-client
/certificate sign client ca="CA" name="client"

/certificate add name=client1 copy-from="client" common-name="client1"
/certificate sign client1 ca="CA" name="client1"

After done creating the certificate, export and download your certificate with this command:

/certificate export-certificate CA export-passphrase=""
/certificate export-certificate client1 export-passphrase=12345678

and save the exported file to your PC/Laptop

Please keep the password you use for generating client cert , it’ll be using to decrypt the key later

Setup OpenVPN Server

First, create new pool for openVPN user

/ip pool
add name=ovpn ranges=192.168.87.30-192.168.87.254
/ip dhcp-server network
add address=192.168.87.0/24 comment=vpn dns-server=192.168.89.1 gateway=\
 192.168.89.1 netmask=24

Now, configure the openVPN server

/ppp profile
add dns-server=192.168.89.1 local-address=<take ip from your ovpn dhcp pool> name=open_vpn \
 remote-address=ovpn use-compression=no use-encryption=required
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=open_vpn enabled=yes \
 require-client-certificate=yes

Masquarade your openVPN IP Address in NAT tab (if your openVPN not functioning as router, otherwise you can skip this part)

/ip firewall nat
add chain=srcnat src-address=192.168.87.0/24 action=masquerade

Create User in Secret tab

/ppp secret
add name=client1 password=password1 profile=open_vpn service=ovpn

Allow openVPN in firewall

/ip firewall filter
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp

Install openVPN Client on user device

Open openVPN site and go to download page

Choose the client type suitable for your operating system (in this case i only show how to configure client on windows system)

Save the download file to your client PC/Laptop and start the installation process

Please make sure you tick “EasyRSA 2 Certificate Managementr Scripts”

Click “Next” and Click “Install”

Create Config File for openVPN Client

You need to decrypt cert key generate to avoid password asking in mikrotik before using it in config file for openVPN client by using this command

openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key

Open your text editor or notepad , and copy paste this

client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3

# Create a file 'user.auth' with a username and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
auth-user-pass user.auth

# Copy the certificates from MikroTik and change
# the filenames below if needed
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key

# Add routes to networks behind MikroTik
#route 192.168.10.0 255.255.255.0

Or you can user this file to simplify the configuration

client
dev tun
proto tcp
remote <your ip/public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
tls-cipher DEFAULT
remote-cert-tls server
cipher AES-256-CBC
auth sha1
auth-nocache
auth-user-pass
dhcp-option DOMAIN <your domain>
dhcp-option DNS <dns server ip>
dhcp-option DNS <dns server ip>
verb 3

route subnet A 255.255.255.0
route subnet B 255.255.255.0
route subnet C 255.255.255.0
route subnet D 255.255.255.0
route subnet E 255.255.255.0
route subnet F 255.255.255.0
route subnet G 255.255.255.0

For Apple user (Macbook, iPad, iPhone) you need to add “redirect-gateway def1”

client
dev tun
proto tcp
remote <your ip/public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
tls-cipher DEFAULT
remote-cert-tls server
cipher AES-256-CBC
auth sha1
auth-nocache
auth-user-pass
dhcp-option DOMAIN <your domain>
dhcp-option DNS <dns server ip>
dhcp-option DNS <dns server ip>
redirect-gateway def1  #<-- add this
verb 3

route subnet A 255.255.255.0
route subnet B 255.255.255.0
route subnet C 255.255.255.0
route subnet D 255.255.255.0
route subnet E 255.255.255.0
route subnet F 255.255.255.0
route subnet G 255.255.255.0

Note : Create user.auth put your client username and password in it. Also create Cert for placing your 3 key and don’t forget to copy paste the keys start with
—–BEGIN CERTIFICATE—–
and end with
—–END CERTIFICATE—–

MySQL 8: How to reset root password on Centos 7

Zabbix: How to download and install template

0 0 votes

Article Rating

7 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Andy Afrizal

9 April, 2020 1:36 PM

my Log still connecting , and RESOLVE : cannot resolve host address <202xx.xx.xx>:1194 (no address aassosiate with hostname ) can you help me ?

Chandra

11 April, 2020 8:43 AM

Reply to Andy Afrizal

check you firewall and make sure you already open the port on your firewall, and open DNS port as well.

Carlo Camporeale

1 April, 2020 2:49 PM

I’m having these problems on vpn client :

Wed Apr 01 16:48:21 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 01 16:48:21 2020 TLS Error: TLS handshake failed
Wed Apr 01 16:48:21 2020 Fatal TLS error (check_tls_errors_co), restarting

Chandra

2 April, 2020 4:56 AM

Reply to Carlo Camporeale

Please check your NAT configuration, did you already open port 1194 for both TCP and UDP on your firewall?

Carlo Camporeale

2 April, 2020 10:15 AM

Reply to Chandra

Yes 1194 tcp and udp are opened.

Chandra

3 April, 2020 7:07 AM

Reply to Carlo Camporeale

Please try change the port (1194) , your isp probably blocked the openvpn default port

Chandra

3 April, 2020 7:07 AM

Reply to Carlo Camporeale

Please try change the port (1194) , your isp probably blocked the openvpn default port

wpDiscuz

The Dummit