The Dummit

Mikrotik: How to Setup OpenVPN for remote user

Posted on 11 May 2019 in Tutorial



Mikrotik is small, cheap and feature rich for those who have a limited budget. One of the features I find really useful is Mikrotik's OpenVPN server. It is the same as the regular OpenVPN software you can find elsewhere, but with some features missing, such as pushing static routes to the client.


In this post, I'm going to show you how to set up and configure OpenVPN for remote users on your Mikrotik device.


I'm going to write down everything I found about setting up OpenVPN on Mikrotik for remote users (because I got into trouble myself, especially when making the certificates).

Generate Certificate


Open Winbox, go to System > Certificates, then click the "+" button.



Follow the details below to create the CA (then repeat twice more, for the server and the client):



For CA


For Server


For Client


Or you can just run these commands to speed up the process:

/certificate add name=CA country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="CA" key-size=4096 days-valid=365000 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=<your public ip> name="CA"

/certificate add name=server country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="server" key-size=4096 days-valid=365000 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server ca="CA" name="server"

/certificate add name=client country="ID" state="ID" locality="Jakarta" organization="<your company name>" unit="<your company initial>" common-name="client" key-size=4096 days-valid=365000 key-usage=tls-client
/certificate sign client ca="CA" name="client"

/certificate add name=client1 copy-from="client" common-name="client1"
/certificate sign client1 ca="CA" name="client1"

Once the certificates are created, export them with these commands (the client export needs a passphrase because it includes the private key, while the CA export with an empty passphrase contains only the certificate):

/certificate export-certificate CA export-passphrase=""
/certificate export-certificate client1 export-passphrase=12345678

and save the exported files to your PC/laptop.


  Remember

Keep the export passphrase you set for the client certificate; you'll need it to decrypt the key later.

Setup OpenVPN Server


First, create a new IP pool for OpenVPN users:


/ip pool
add name=ovpn ranges=192.168.87.30-192.168.87.254
/ip dhcp-server network
add address=192.168.87.0/24 comment=vpn dns-server=192.168.89.1 gateway=\
 192.168.89.1 netmask=24

Now configure the OpenVPN server:


/ppp profile
add dns-server=192.168.89.1 local-address=<take ip from your ovpn dhcp pool> name=open_vpn \
 remote-address=ovpn use-compression=no use-encryption=required
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=open_vpn enabled=yes \
 require-client-certificate=yes

Masquerade your OpenVPN subnet in the NAT tab (needed if your Mikrotik is not the router for your internal network, since the hosts behind it would otherwise have no route back to the VPN subnet; if it is the router you can skip this part):


/ip firewall nat
add chain=srcnat src-address=192.168.87.0/24 action=masquerade

Create the user in the Secrets tab:


/ppp secret
add name=client1 password=password1 profile=open_vpn service=ovpn

Allow OpenVPN through the firewall (this rule must sit above any drop rule in the input chain):


/ip firewall filter
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
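As an added check (example code written for this post, not part of the original tutorial or of RouterOS), the following Python script reads the server-side commands above and flags settings that weaken remote access: it confirms that client certificates are required and that encryption is mandatory in the PPP profile, and reports any cipher outside an AES-only allow-list, which is this example's own choice. The configuration embedded in it is the one from this post with a constructed local address in place of the placeholder.

```python
"""Audit the MikroTik OpenVPN server settings for weak choices.

Added example, not from the original post or from MikroTik. It parses
RouterOS CLI text in the form shown above ('/ppp profile' and
'/interface ovpn-server server' menus, 'add'/'set' commands, backslash
line continuations) and reports settings that weaken remote access.
The AES-only allow-list is this example's own choice, not a RouterOS
default. SAMPLE_CONFIG is constructed: it is the post's configuration
with a concrete local-address instead of the "<take ip ...>" placeholder.
"""
import re
import shlex

STRONG_CIPHERS = {"aes128", "aes192", "aes256"}  # example allow-list

SAMPLE_CONFIG = """/ppp profile
add dns-server=192.168.89.1 local-address=192.168.87.1 name=open_vpn \\
 remote-address=ovpn use-compression=no use-encryption=required
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=open_vpn enabled=yes \\
 require-client-certificate=yes
"""


def parse_routeros(text):
    """Return {menu: [(verb, {key: value}), ...]} for add/set commands."""
    joined = re.sub(r"\\\n\s*", " ", text)   # fold backslash line continuations
    menu, result = None, {}
    for line in joined.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):              # a menu path such as '/ppp profile'
            menu = line
            continue
        verb, *kv = shlex.split(line)         # shlex copes with name="quoted value"
        settings = dict(item.split("=", 1) for item in kv if "=" in item)
        result.setdefault(menu, []).append((verb, settings))
    return result


def audit_ovpn_server(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    config = parse_routeros(text)
    findings = []
    server = {}
    for verb, settings in config.get("/interface ovpn-server server", []):
        if verb == "set":
            server.update(settings)
    if server.get("enabled") != "yes":
        findings.append("server: OpenVPN server is not enabled")
    if not server.get("certificate"):
        findings.append("server: no server certificate configured")
    if server.get("require-client-certificate") != "yes":
        findings.append("server: require-client-certificate is not 'yes'; "
                        "a leaked PPP secret alone would be enough to connect")
    offered = {c for c in server.get("cipher", "").split(",") if c}
    for weak in sorted(offered - STRONG_CIPHERS):
        findings.append(f"server: cipher list offers '{weak}'; restrict it to AES")
    for verb, profile in config.get("/ppp profile", []):
        if verb == "add" and profile.get("use-encryption") != "required":
            findings.append(f"profile '{profile.get('name')}': use-encryption "
                            "should be 'required'")
    return findings


if __name__ == "__main__":
    for finding in audit_ovpn_server(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the post's own settings it reports only the blowfish128 entry in the cipher list; paste the output of `/export` from a router in place of SAMPLE_CONFIG to audit a live configuration.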

Install the OpenVPN client on the user's device


Open the OpenVPN website and go to the download page.


Choose the client suitable for your operating system (in this case I only show how to configure the client on Windows).



Save the downloaded file to your client PC/laptop and start the installation.


Please make sure you tick "EasyRSA 2 Certificate Management Scripts".

Click "Next" and then click "Install".

Create Config File for openVPN Client


Before using the key in the OpenVPN client config file you need to decrypt it (remove the passphrase Mikrotik put on it at export), otherwise the client will prompt for the password every time. Use this command:


openssl rsa -passin pass:password -in [email protected] -out [email protected]

Open your text editor or Notepad, and copy-paste this:

client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3

# Create a file 'user.auth' with a username and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
auth-user-pass user.auth

# Copy the certificates from MikroTik and change
# the filenames below if needed
ca cert_export_MikroTik.crt
cert [email protected]
key [email protected]

# Add routes to networks behind MikroTik
#route 192.168.10.0 255.255.255.0

Or you can use this single file to simplify the configuration (the certificates and key are embedded inline):


client
dev tun
proto tcp
remote <your ip/public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
tls-cipher DEFAULT
remote-cert-tls server
cipher AES-256-CBC
auth sha1
auth-nocache
auth-user-pass
dhcp-option DOMAIN <your domain>
dhcp-option DNS <dns server ip>
dhcp-option DNS <dns server ip>
verb 3

route subnet A 255.255.255.0
route subnet B 255.255.255.0
route subnet C 255.255.255.0
route subnet D 255.255.255.0
route subnet E 255.255.255.0
route subnet F 255.255.255.0
route subnet G 255.255.255.0

For Apple users (MacBook, iPad, iPhone) you need to add "redirect-gateway def1":


client
dev tun
proto tcp
remote <your ip/public ip> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
tls-cipher DEFAULT
remote-cert-tls server
cipher AES-256-CBC
auth sha1
auth-nocache
auth-user-pass
dhcp-option DOMAIN <your domain>
dhcp-option DNS <dns server ip>
dhcp-option DNS <dns server ip>
redirect-gateway def1  #<-- add this
verb 3

route subnet A 255.255.255.0
route subnet B 255.255.255.0
route subnet C 255.255.255.0
route subnet D 255.255.255.0
route subnet E 255.255.255.0
route subnet F 255.255.255.0
route subnet G 255.255.255.0


Note: create user.auth and put your client username and password in it. Also paste the contents of your 3 exported files (CA certificate, client certificate and decrypted client key) into the matching blocks of the config, and don't forget to copy each one in full, starting from the line
-----BEGIN CERTIFICATE-----
through to the line
-----END CERTIFICATE-----
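To avoid the copy-paste mistakes the note above warns about, here is an added Python example (not from the original post or from the OpenVPN project) that assembles the single-file config from the three exported files: it checks that each PEM block is complete, refuses a key that is still passphrase-protected (the openssl rsa step above removes that protection), and appends the routes and the Apple redirect-gateway line in the right place. The PEM contents, file names and the 203.0.113.10 address in the self-test are constructed placeholders, not real material.

```python
"""Assemble an inline client .ovpn from the files exported by MikroTik.

Added example, not from the original post or from the OpenVPN project.
It embeds the CA certificate, client certificate and decrypted client key
into <ca>/<cert>/<key> blocks, as the simplified config above expects,
adds the optional routes and the Apple 'redirect-gateway def1' line, and
refuses to continue if the key is still passphrase-protected or if a PEM
block is missing its BEGIN/END lines. The dhcp-option lines from the
config above are left out. The PEM bodies in the SAMPLE_* constants are
constructed placeholders, not real certificates.
"""
import re

# A complete PEM block: BEGIN and END lines with the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)
# Legacy (PKCS#1) keys carry a Proc-Type header when encrypted; PKCS#8 keys
# change their PEM label instead.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")

# Options copied from the simplified config above; only 'remote' is filled in.
BASE_OPTIONS = """client
dev tun
proto tcp
remote {remote} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
tls-cipher DEFAULT
remote-cert-tls server
cipher AES-256-CBC
auth sha1
auth-nocache
auth-user-pass
verb 3"""


def extract_pem(text, kinds):
    """Return the first complete PEM block whose label is in `kinds`, else raise."""
    for match in PEM_RE.finditer(text):
        if match.group(1) in kinds:
            return match.group(0)
    raise ValueError(f"no complete PEM block with label {sorted(kinds)} found")


def build_client_config(remote, ca_pem, cert_pem, key_pem, routes=(), redirect_gateway=False):
    """Return the text of a single-file .ovpn with the credentials inlined."""
    if any(marker in key_pem for marker in ENCRYPTED_MARKERS):
        raise ValueError("client key is still encrypted; run 'openssl rsa' on it first")
    parts = [
        BASE_OPTIONS.format(remote=remote),
        f"<ca>\n{extract_pem(ca_pem, {'CERTIFICATE'})}\n</ca>",
        f"<cert>\n{extract_pem(cert_pem, {'CERTIFICATE'})}\n</cert>",
        f"<key>\n{extract_pem(key_pem, {'RSA PRIVATE KEY', 'PRIVATE KEY'})}\n</key>",
    ]
    if redirect_gateway:                      # the line the Apple clients above need
        parts.append("redirect-gateway def1")
    parts.extend(f"route {subnet} {mask}" for subnet, mask in routes)
    return "\n".join(parts) + "\n"


def build_from_files(remote, ca_path, cert_path, key_path, **options):
    """Same as build_client_config, reading the three exported files from disk."""
    with open(ca_path) as ca, open(cert_path) as cert, open(key_path) as key:
        return build_client_config(remote, ca.read(), cert.read(), key.read(), **options)


# Constructed placeholders standing in for the exported files.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0FDRVJU\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ0xJRU5U\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-256-CBC,00\n\nS0VZ\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(build_client_config("203.0.113.10", SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY,
                              routes=[("192.168.10.0", "255.255.255.0")]))
```

With real files, call build_from_files with the paths of the exported CA .crt, client .crt and decrypted client .key and write the returned text to client1.ovpn; the ValueError on an encrypted key is the same condition that makes the OpenVPN client prompt for a password.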
