Mikrotik OpenVPN Server

If you aren’t using a VPN yet, it’s time to get started. There are many uses for a VPN, but the most important thing is security. I would not dare to connect to an open hotspot, e.g. in a cafe or train station, without an active VPN connection. There are many VPN service providers, but if you have a Mikrotik router, you can set up such a server at your home or office. I will try to introduce you to the advantages and disadvantages of VPN in the next post. Now we will focus on configuring Mikrotik OpenVPN Server.

Connections Diagram

Openvpn Server Configuration

First we have to generate 3 certs(CA, Client and Server). From left menu click on System->Certificates. If you have other CA you dont need to create new one, just import it. In this tutorial our Mikrotik will be also CA.

• Name: set anything you want
• Common Name: domain name or public ip
• Key Size: 4096
• Days Valid: 3650, 10 years
• Key Usage: key cert sign, crl sign

Preparing Server Certificate

• Name: type anything
• Common Name: *.grzegorzkowalik.com(wildcard cert)
• Key Size: 4096
• Days Valid: 3650(10 years)
• Key Usage: digital signature, key enciphement, data enciphement, tls server

Preparing Client Certificate

• Name: type anything
• Common Name: user.grzegorzkowalik.com
• Key Size: 4096
• Days Valid: 3650(10 years)
• Key Usage: tls client

Signing Certificates

In the next step, we have to signs our certificates. Depends of using hardware, router CPU can increas very highly also signing process can take serval minutes. We can sign our certificates in two ways. Using console and Windbox. When we are using console, very often you can see timeout, my advise is to look at cpu utilizating, when it go downs, signing process is complete.
Our CA we will sign in terminal:

Server and Client certificate we will signing in Winbox. Right click on certificate, then Sign.

Export Certificates

OpenVPN Client using certificate by defualt, in next step we will export Certificates from Mikrotik. Right click on CA and Export. Remember to set password, otherwise key wont be exported. We can find certs in File. Use drag&drop to copy certs to desktop.

Adding IP Pool for VPN Clients

From side menu click on IP and Pool.

• Name: anything
• Addresses: ip range or whole subnet
• Next Pool: None

OpenVPN Server Configuration

Click on PPP from side menu, choose Profile and create new Profile.

• Name: anything
• Local Address: use same subnet as vpn pool before, ex 10.0.0.1
• Remote Address: vpn pool created before
• DNS Server: public or local dns server
• Use Encrytpion: yes

Switch do Secrets and create new topic. Its very important that Common Name(without domain) from User Certificates must be the same as Secret Name. Few steps before we generated user cert with common name user.grzegorzkowalik.com so secret name must be set to “user”

• Service: ovpn
• Profile: profile we created before

Almost last step is activate OpenVPN Server Interface.

• Enabled: checked
• Port: 1194
• Mode: ip
• Netmask: 24
• Max MTU: 1500
• Default Profile: openvpn
• Certificate: Server-Cert

Preparing Firewall Rules

Last step is allow connections on 1194 tcp port. From side menu choose IP then Firewall. Add new rule

• Chain: input
• Protocol: tcp
• Dst. Port: 1194
• Action: accept

OpenVPN Client – Windows 7/10

Download latest openvpn client. Import exporeted certificates. Depend on OS it should be C:\Users\user_name\OpenVPN\config or C:\Program Files\OpenVPN\config. Example of .ovpn config: