Mikrotik OpenVPN Server

If you aren’t using a VPN yet, it’s time to get started. There are many uses for a VPN, but the most important thing is security. I would not dare to connect to an open hotspot, e.g. in a cafe or train station, without an active VPN connection. There are many VPN service providers, but if you have a Mikrotik router, you can set up such a server at your home or office. I will try to introduce you to the advantages and disadvantages of VPN in the next post. Now we will focus on configuring Mikrotik OpenVPN Server.

Connections Diagram

Mikrotik OpenVPN Server Diagram

Openvpn Server Configuration

First we have to generate 3 certs(CA, Client and Server). From left menu click on System->Certificates. If you have other CA you dont need to create new one, just import it. In this tutorial our Mikrotik will be also CA.

Mikrotik OpenVPN Configuration
Mikrotik OpenVPN Server generate CA Cert
  • Name: set anything you want
  • Common Name: domain name or public ip
  • Key Size: 4096
  • Days Valid: 3650, 10 years
  • Key Usage: key cert sign, crl sign

Preparing Server Certificate

  • Name: type anything
  • Common Name: *.grzegorzkowalik.com(wildcard cert)
  • Key Size: 4096
  • Days Valid: 3650(10 years)
  • Key Usage: digital signature, key enciphement, data enciphement, tls server
Mikrotik OpenVPN Server Certificates

Preparing Client Certificate

  • Name: type anything
  • Common Name: user.grzegorzkowalik.com
  • Key Size: 4096
  • Days Valid: 3650(10 years)
  • Key Usage: tls client
Mikrotik OpenVPN Server Client Certificate

Signing Certificates

In the next step, we have to signs our certificates. Depends of using hardware, router CPU can increas very highly also signing process can take serval minutes. We can sign our certificates in two ways. Using console and Windbox. When we are using console, very often you can see timeout, my advise is to look at cpu utilizating, when it go downs, signing process is complete.
Our CA we will sign in terminal:

sign CA-Cert name=CA-Certificate
Mikrotik OpenVPN Server Sign Certificate

Server and Client certificate we will signing in Winbox. Right click on certificate, then Sign.

Export Certificates

OpenVPN Client using certificate by defualt, in next step we will export Certificates from Mikrotik. Right click on CA and Export. Remember to set password, otherwise key wont be exported. We can find certs in File. Use drag&drop to copy certs to desktop.

Mikrotik OpenVPN Server Export Certs

Adding IP Pool for VPN Clients

From side menu click on IP and Pool.

  • Name: anything
  • Addresses: ip range or whole subnet
  • Next Pool: None
Mikrotik OpenVPN Server IP Address Pool

OpenVPN Server Configuration

Click on PPP from side menu, choose Profile and create new Profile.

  • Name: anything
  • Local Address: use same subnet as vpn pool before, ex 10.0.0.1
  • Remote Address: vpn pool created before
  • DNS Server: public or local dns server
  • Use Encrytpion: yes
Mikrotik OpenVPN Server PPP Profile

Switch do Secrets and create new topic. Its very important that Common Name(without domain) from User Certificates must be the same as Secret Name. Few steps before we generated user cert with common name user.grzegorzkowalik.com so secret name must be set to “user”

  • Service: ovpn
  • Profile: profile we created before

Almost last step is activate OpenVPN Server Interface.

  • Enabled: checked
  • Port: 1194
  • Mode: ip
  • Netmask: 24
  • Max MTU: 1500
  • Default Profile: openvpn
  • Certificate: Server-Cert
Mikrotik OpenVPN Server Interface PPP

Preparing Firewall Rules

Last step is allow connections on 1194 tcp port. From side menu choose IP then Firewall. Add new rule

  • Chain: input
  • Protocol: tcp
  • Dst. Port: 1194
  • Action: accept
Mikrotik OpenVPN Server Firewall Rules allow 1194

OpenVPN Client – Windows 7/10

Download latest openvpn client. Import exporeted certificates. Depend on OS it should be C:\Users\user_name\OpenVPN\config or C:\Program Files\OpenVPN\config. Example of .ovpn config:

client
dev tun
proto tcp
remote grzegorzkowalik.com 1194 #Public IP of router or domain with record A
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.crt
key user.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA1
auth-user-pass
redirect-gateway def1
verb 3
2 Comments

Add a Comment

Your email address will not be published. Required fields are marked *