Below you will find how to set up an OpenVPN server on a MikroTik router from the command line (terminal) quickly and easily, and how to connect to it using an OpenVPN client.
Cool Tip: Minimize risk by using MikroTik's Safe Mode (Ctrl+X in the terminal): if the session drops before you leave Safe Mode, the changes made in it are rolled back!
MikroTik OpenVPN Server Setup
SSH into the MikroTik router (192.168.88.1 is the factory default LAN address):
C:\> ssh admin@192.168.88.1
1️⃣ Create Certificates
OpenVPN is based on TLS/SSL, in which the server and clients can verify each other's identities using certificates 📜.
To set up the MikroTik OpenVPN server you need to generate the following certificates:
- Certificate Authority (CA) – the master (root) certificate used to sign the server and client certificates. Clients receive a copy of the CA certificate (its public part only) to verify the server certificate, and the server uses the same CA to verify client certificates. The CA private key never leaves the router.
- Server – proves the identity of the host the OpenVPN daemon runs on. Its private key stays on the server; only the server certificate (with the public key) is sent to clients during the TLS handshake.
- Client – a key pair generated for each user account. The client keeps its private key and certificate in its connection profile and presents the certificate to the server during the handshake; the private key itself is never transmitted.
Certificate template: in RouterOS a certificate is created in two steps. /certificate add creates a template (name, common name, validity, key size and key usage) and /certificate sign generates the key pair and signs it; the template entry is consumed by the signing step and replaced by the signed certificate under the name given to sign.
⏳ It may take some time! Key generation and signing time depends on the key size and on the CPU of the MikroTik router.
1️⃣.1️⃣ ─ Create the CA key pair:
[admin@MikroTik] > /certificate add name=ca-template \
    common-name=ovpn-ca \
    days-valid=36500 \
    key-size=2048 \
    key-usage=crl-sign,key-cert-sign
[admin@MikroTik] > /certificate sign ca-template name=ovpn-ca
1️⃣.2️⃣ ─ Create the OpenVPN server key pair and sign it with the CA key:
[admin@MikroTik] > /certificate add name=server-template \
    common-name=ovpn-server \
    days-valid=36500 \
    key-size=2048 \
    key-usage=digital-signature,key-encipherment,tls-server
[admin@MikroTik] > /certificate sign server-template name=ovpn-server \
    ca=ovpn-ca
1️⃣.3️⃣ ─ Create the OpenVPN client key pair and sign it with the CA key:
[admin@MikroTik] > /certificate add name=client-template \
    common-name=ovpn-client1 \
    days-valid=36500 \
    key-size=2048 \
    key-usage=tls-client
[admin@MikroTik] > /certificate sign client-template name=ovpn-client1 \
    ca=ovpn-ca
Individual client keys: create a separate key pair for each OpenVPN client, so that if one private key is compromised it can be revoked without affecting the other users.
To list the certificates:
[admin@MikroTik] > /certificate print
- sample output -
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #         NAME          COMMON-NAME   SUBJECT-ALT-NAME  FINGERPRINT
 0 K A T   ovpn-ca       ovpn-ca                         be0...
 1 K I     ovpn-server   ovpn-server                     f89...
 2 K I     ovpn-client1  ovpn-client1                    d92...
Cool Tip: How to back up and restore a MikroTik router!
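The three-tier PKI built in steps 1.1 to 1.3, as an added example that is not part of the original article or of RouterOS: it recreates the same CA → server → client hierarchy with Go's standard library and then shows what the key-usage flags enforce. The server certificate verifies as a TLS server (the check an OpenVPN client makes with remote-cert-tls server), the client certificate verifies as a TLS client (what require-client-certificate=yes relies on), and the client certificate is rejected as a TLS server, which is exactly why a stolen client certificate cannot impersonate the VPN. Names, serial numbers and the 36500-day validity follow the commands above; ECDSA P-256 keys are an assumption made here for speed, the article uses RSA 2048.

```go
// Added example (not from the article or RouterOS): the CA -> server -> client
// PKI of steps 1.1-1.3, built with Go's standard library, and the role checks
// that the key-usage flags make possible. Keys are ECDSA P-256 for speed; the
// article uses RSA 2048.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer's key; parent == nil means self-signed (the CA).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPKI mirrors the RouterOS commands: ovpn-ca (crl-sign,key-cert-sign),
// ovpn-server (digital-signature,key-encipherment,tls-server) and
// ovpn-client1 (tls-client), all valid for 36500 days.
func BuildPKI() (ca, server, client *x509.Certificate, err error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return
		}
	}
	now := time.Now()
	tmpl := func(cn string, serial int64, usage x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.AddDate(0, 0, 36500), // days-valid=36500
			KeyUsage:     usage,
			ExtKeyUsage:  eku,
		}
	}
	caTmpl := tmpl("ovpn-ca", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	if ca, err = issue(caTmpl, nil, &keys[0].PublicKey, keys[0]); err != nil {
		return
	}
	srv := tmpl("ovpn-server", 2, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, x509.ExtKeyUsageServerAuth)
	if server, err = issue(srv, ca, &keys[1].PublicKey, keys[0]); err != nil {
		return
	}
	cli := tmpl("ovpn-client1", 3, x509.KeyUsageDigitalSignature, x509.ExtKeyUsageClientAuth)
	client, err = issue(cli, ca, &keys[2].PublicKey, keys[0])
	return
}

// VerifyAs checks that cert chains to ca and carries the extended key usage
// required for the given role. With ExtKeyUsageServerAuth this is the check an
// OpenVPN client performs when "remote-cert-tls server" is configured.
func VerifyAs(cert, ca *x509.Certificate, role x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

// Checks builds the PKI and reports which role checks pass: the server cert as
// a TLS server, the client cert as a TLS client, and the client cert misused
// as a TLS server (what a stolen client certificate would need in order to
// impersonate the VPN server; it must fail).
func Checks() (serverOK, clientOK, clientAsServerOK bool, err error) {
	ca, server, client, err := BuildPKI()
	if err != nil {
		return
	}
	serverOK = VerifyAs(server, ca, x509.ExtKeyUsageServerAuth) == nil
	clientOK = VerifyAs(client, ca, x509.ExtKeyUsageClientAuth) == nil
	clientAsServerOK = VerifyAs(client, ca, x509.ExtKeyUsageServerAuth) == nil
	return
}

func main() {
	s, c, cs, err := Checks()
	if err != nil {
		panic(err)
	}
	fmt.Println("ovpn-server accepted as tls-server: ", s)
	fmt.Println("ovpn-client1 accepted as tls-client:", c)
	fmt.Println("ovpn-client1 accepted as tls-server:", cs, "(rejected, as remote-cert-tls server requires)")
}
```

The same separation is what the RouterOS key-usage values express: tls-server maps to the serverAuth extended key usage, tls-client to clientAuth, and a client that enforces remote-cert-tls server will refuse a handshake from anything signed by ovpn-ca that lacks serverAuth.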
2️⃣ Configure OpenVPN Server
2️⃣.1️⃣ ─ Create a pool of IP addresses for OpenVPN clients:
[admin@MikroTik] > /ip pool add name=ovpn-dhcp-pool \
    range=192.168.99.10-192.168.99.254
2️⃣.2️⃣ ─ Configure and start the OpenVPN server:
[admin@MikroTik] > /ppp profile add name=ovpn-server \
    use-encryption=yes \
    local-address=192.168.99.1 \
    dns-server=192.168.99.1 \
    remote-address=ovpn-dhcp-pool
[admin@MikroTik] > /interface ovpn-server server set default-profile=ovpn-server \
    certificate=ovpn-server \
    require-client-certificate=yes \
    auth=sha1 \
    cipher=aes128-gcm,aes192-gcm,aes256-gcm \
    port=443 \
    enabled=yes
- dns-server=192.168.99.1 – makes the MikroTik router the DNS server for the OpenVPN clients as well.
- port=443 – runs the OpenVPN server on TCP port 443 instead of the default 1194. This gets the tunnel through networks that only let HTTPS out; it does not by itself hide OpenVPN from an ISP doing deep-packet inspection, because the OpenVPN handshake is distinguishable from ordinary TLS.
- cipher=aes128-gcm,aes192-gcm,aes256-gcm – offers only AEAD ciphers. These (like UDP mode) require RouterOS 7; RouterOS 6 supports CBC ciphers only. With an AEAD cipher the data channel is authenticated by the cipher itself, so auth=sha1 only matters if a CBC cipher is negotiated.
- require-client-certificate=yes – a client must present a certificate signed by ovpn-ca in addition to the PPP username and password configured in step 4.5.
Cool Tip: How to set up DNS servers on a MikroTik router!
2️⃣.3️⃣ ─ Enable a dynamic DNS (DDNS) service to connect to the OpenVPN server by a permanent domain name (very useful when your ISP provides a dynamic IP address that changes periodically):
[admin@MikroTik] > /ip cloud set ddns-enabled=yes
[admin@MikroTik] > /ip cloud print
- sample output -
        ddns-enabled: yes
 ddns-update-interval: none
         update-time: yes
      public-address: XXX.XXX.XXX.XXX
            dns-name: <uniqAddress>.sn.mynetname.net
              status: updated
             warning: Router is behind a NAT. Remote connection might not work.
If you get the warning “Router is behind a NAT. Remote connection might not work.”, configure port forwarding on the ISP's router that the MikroTik router is connected to.
For this, log in to the ISP's router user interface (UI) and, in its NAT settings, forward external TCP port 443 to the MikroTik router's WAN address (obtained below), port 443.
If the ISP's router assigns a dynamic IP address to the MikroTik router, go to its DHCP settings and make the lease static (a reservation for the MikroTik's MAC address), so that the forwarding keeps pointing at the right host.
To get the IP and MAC addresses of the MikroTik interface connected to the ISP's router (usually ether1), execute:
[admin@MikroTik] > /ip address print
- sample output -
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS          NETWORK       INTERFACE
;;; defconf
0   192.168.88.1/24  192.168.88.0  bridge
1 D 192.168.1.93/24  192.168.1.0   ether1
[admin@MikroTik] > :put [/interface ethernet get \
    [/interface ethernet find default-name=ether1] mac-address ]
- sample output -
XX:XX:XX:XX:52:F0
Cool Tip: A default MikroTik firewall config for dummies!
3️⃣ Configure Firewall
The firewall rules created below must be placed above the default DROP rules in the input chain; otherwise the OpenVPN client fails with “Connection reset, restarting [-1]” when trying to connect, because the router drops the connection attempt.
3️⃣.1️⃣ ─ List the firewall rules and note the number of the “drop all not coming from LAN” rule (in the example below it is 5):
[admin@MikroTik] > /ip firewall filter print all without-paging
- sample output -
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1
 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
...
3️⃣.2️⃣ ─ Create firewall rules to allow incoming connections to the VPN server and to allow OpenVPN clients from the 192.168.99.0/24 network to access the LAN (192.168.88.0/24 by default) and the MikroTik router itself (to use it as a DNS server and to log in to it):
[admin@MikroTik] > /ip firewall filter add chain=input \
    action=accept \
    protocol=tcp \
    dst-port=443 \
    disabled=no \
    comment="Allow incoming connections to OpenVPN" \
    place-before=X
[admin@MikroTik] > /ip firewall filter add chain=input \
    action=accept \
    src-address=192.168.99.0/24 \
    disabled=no \
    comment="Allow OpenVPN clients to access MikroTik" \
    place-before=X+1
[admin@MikroTik] > /ip firewall nat add action=masquerade \
    chain=srcnat \
    src-address=192.168.99.0/24 \
    comment="Allow OpenVPN clients to access LAN"
ℹ️ Replace X and X+1 with the number of the “drop all not coming from LAN” rule and the one after it, i.e. 5 and 6 respectively in my case: the first add takes position 5 and pushes the drop rule to 6, the second takes position 6 and pushes it to 7. The srcnat masquerade rule is not an access rule: it rewrites the VPN clients' source address to the router's address on the egress interface, so that LAN hosts (and, with redirect-gateway, Internet hosts) see the traffic as coming from the router and reply even though they have no route to 192.168.99.0/24.
The resulting order of the firewall rules in my case looks as follows:
[admin@MikroTik] > /ip firewall filter print all without-paging
- sample output -
Flags: X - disabled, I - invalid; D - dynamic
...
 5    ;;; Allow incoming connections to OpenVPN
      chain=input action=accept protocol=tcp dst-port=443
 6    ;;; Allow OpenVPN clients to access MikroTik
      chain=input action=accept src-address=192.168.99.0/24
 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
...
[admin@MikroTik] > /ip firewall nat print all without-paging
- sample output -
Flags: X - disabled, I - invalid; D - dynamic
...
 1    ;;; Allow OpenVPN clients to access LAN
      chain=srcnat action=masquerade src-address=192.168.99.0/24 log=no log-prefix=""
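A check for the ordering requirement above, as an added example that is not part of the article or of MikroTik's tooling: it parses the layout of /ip firewall filter print output shown on this page and flags OpenVPN accept rules in the input chain that sit below the “drop all not coming from LAN” rule, where they can never match, as well as a missing accept rule for either the service port or the VPN subnet. The two rule dumps embedded in it are constructed samples (one in the order this article arrives at, one as produced when place-before is omitted and the rules are appended); the port (443) and subnet (192.168.99.0/24) are those used here, and the function accepts any other pair.

```go
// Added example (not from the article or MikroTik): parses "/ip firewall filter
// print" output and checks that the OpenVPN accept rules sit above the default
// "drop all not coming from LAN" rule, where they can actually match.
package main

import (
	"fmt"
	"strings"
)

// Rule is one entry of the print output.
type Rule struct {
	Index   int
	Comment string
	Attrs   map[string]string // key=value pairs: chain, action, dst-port, ...
}

// ParseFilterPrint handles the RouterOS layout: a line starting with the rule
// number (then optional flags and a ";;; comment"), followed by indented
// key=value lines. The "Flags:" header and "..." elisions are skipped.
func ParseFilterPrint(out string) []Rule {
	var rules []Rule
	for _, raw := range strings.Split(out, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "Flags:") || strings.HasPrefix(line, "...") {
			continue
		}
		if line[0] >= '0' && line[0] <= '9' {
			r := Rule{Attrs: map[string]string{}}
			fmt.Sscanf(line, "%d", &r.Index)
			if i := strings.Index(line, ";;;"); i >= 0 {
				r.Comment = strings.TrimSpace(line[i+3:])
				line = "" // attributes continue on the next line
			}
			rules = append(rules, r)
		}
		if len(rules) == 0 {
			continue
		}
		for _, kv := range strings.Fields(line) {
			if p := strings.SplitN(kv, "=", 2); len(p) == 2 {
				rules[len(rules)-1].Attrs[p[0]] = p[1]
			}
		}
	}
	return rules
}

// CheckOpenVPNOrder returns findings for the input chain: OpenVPN accept rules
// (tcp/ovpnPort, or src-address ovpnNet) numbered after the first
// "drop in-interface-list=!LAN" rule are unreachable, and both must exist.
func CheckOpenVPNOrder(rules []Rule, ovpnPort, ovpnNet string) []string {
	dropAt := -1
	for _, r := range rules {
		a := r.Attrs
		if a["chain"] == "input" && a["action"] == "drop" && a["in-interface-list"] == "!LAN" {
			dropAt = r.Index
			break
		}
	}
	if dropAt < 0 {
		return []string{"no 'drop all not coming from LAN' rule in chain=input; the router is open to the WAN"}
	}
	var findings []string
	seenPort, seenNet := false, false
	for _, r := range rules {
		a := r.Attrs
		if a["chain"] != "input" || a["action"] != "accept" {
			continue
		}
		isPort := a["protocol"] == "tcp" && a["dst-port"] == ovpnPort
		isNet := a["src-address"] == ovpnNet
		if !isPort && !isNet {
			continue
		}
		seenPort, seenNet = seenPort || isPort, seenNet || isNet
		if r.Index > dropAt {
			findings = append(findings, fmt.Sprintf("rule %d (%s) is below drop rule %d and never matches", r.Index, r.Comment, dropAt))
		}
	}
	if !seenPort {
		findings = append(findings, "no accept rule for tcp/"+ovpnPort+" in chain=input")
	}
	if !seenNet {
		findings = append(findings, "no accept rule for src-address "+ovpnNet+" in chain=input")
	}
	return findings
}

// Constructed samples: the order the article arrives at, and what results when
// place-before is omitted and the two rules are appended to the chain.
const GoodOrder = `Flags: X - disabled, I - invalid; D - dynamic
 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid
 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp
 ...
 5    ;;; Allow incoming connections to OpenVPN
      chain=input action=accept protocol=tcp dst-port=443
 6    ;;; Allow OpenVPN clients to access MikroTik
      chain=input action=accept src-address=192.168.99.0/24
 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN`

const BadOrder = ` 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
 ...
 11   ;;; Allow incoming connections to OpenVPN
      chain=input action=accept protocol=tcp dst-port=443
 12   ;;; Allow OpenVPN clients to access MikroTik
      chain=input action=accept src-address=192.168.99.0/24`

func main() {
	for name, dump := range map[string]string{"good": GoodOrder, "bad": BadOrder} {
		fmt.Println(name+":", CheckOpenVPNOrder(ParseFilterPrint(dump), "443", "192.168.99.0/24"))
	}
}
```

Run it against a real dump by pasting the output of /ip firewall filter print all without-paging into a file and feeding it to ParseFilterPrint; the "bad" sample reproduces the symptom behind the “Connection reset, restarting [-1]” error, two accept rules that exist but are shadowed by the drop.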
Cool Tip: Configure an OpenVPN client as a systemd service in Linux!
4️⃣ Configure OpenVPN Client
4️⃣.1️⃣ ─ Export the CA certificate and the client certificate with its private key, generated earlier (they are written to the “Files” area of the MikroTik router, from which they can then be downloaded):
[admin@MikroTik] > /certificate export-certificate ovpn-ca export-passphrase=""
[admin@MikroTik] > /certificate export-certificate ovpn-client1 export-passphrase="12345678"
Export passphrase: MikroTik does not export a private key unless it is protected with a passphrase, so the first command, with an empty passphrase, writes only the CA certificate and the CA private key stays on the router, where it belongs. The client key is exported encrypted; the passphrase can be removed with OpenSSL as shown in the later steps, or you can keep the key encrypted and have the OpenVPN client prompt for the passphrase with the askpass directive.
To list the exported files:
[admin@MikroTik] > /file print
- sample output -
 #  NAME                          TYPE       SIZE  CREATION-TIME
 0  cert_export_ovpn-ca.crt       .crt file  1119  oct/25/2022 14:31:40
 1  cert_export_ovpn-client1.crt  .crt file  1155  oct/25/2022 14:32:57
 2  cert_export_ovpn-client1.key  .key file  1858  oct/25/2022 14:32:58
4️⃣.2️⃣ ─ Copy the exported files from the MikroTik router to your computer:
C:\> sftp admin@192.168.88.1:cert_export_*
Alternatively, you can download the files from the WinBox/WebFig interface by going to the “Files” menu:
4️⃣.3️⃣ ─ After copying the CA certificate and the client key pair to the computer, I prefer to rename them to ca.crt, client1.crt and client1.key respectively:
C:\> rename cert_export_ovpn-ca.crt ca.crt
C:\> rename cert_export_ovpn-client1.crt client1.crt
C:\> rename cert_export_ovpn-client1.key client1.key
4️⃣.4️⃣ ─ Remove the passphrase from the client's private key using OpenSSL. The resulting client1.key is unencrypted and, together with the PPP password, is all that is needed to join the VPN, so protect the file like a password:
C:\> openssl rsa -in client1.key -out client1.key
- sample output -
Enter pass phrase for client1.key: 12345678
writing RSA key
As the OpenSSL is not installed on a Windows system by default, you may receive the following error:
‘openssl’ is not recognized as an internal or external command, operable program or batch file.
The OpenSSL project does not publish official Windows binaries, but the copy bundled with Git for Windows is easy to use and comes from a trustworthy source.
Once Git for Windows is installed, you can run the openssl command by providing the full path to the executable, for example:
C:\> "C:\Program Files\Git\usr\bin\openssl.exe" rsa -in client1.key -out client1.key
- sample output -
Enter pass phrase for client1.key: 12345678
writing RSA key
4️⃣.5️⃣ ─ In the MikroTik router, create the OpenVPN user (a PPP secret bound to the ovpn-server profile) and set its password. Replace passw0rd with a strong, unique password: together with the client key it is all an attacker needs.
[admin@MikroTik] > /ppp secret add name=client1 profile=ovpn-server password="passw0rd"
4️⃣.6️⃣ ─ Download and install the OpenVPN client.
4️⃣.7️⃣ ─ Change the current directory to %USERPROFILE%\OpenVPN\config (create it if it doesn't exist) and copy the ca.crt, client1.crt and client1.key files into it:
C:\> mkdir "%USERPROFILE%\OpenVPN\config"
C:\> chdir "%USERPROFILE%\OpenVPN\config"
C:\> copy %USERPROFILE%\ca.crt .
C:\> copy %USERPROFILE%\client1.crt .
C:\> copy %USERPROFILE%\client1.key .
4️⃣.8️⃣ ─ Create a file with the OpenVPN user credentials (username on the first line, password on the second; the file is stored in plaintext, so keep it readable only by your own account):
C:\> notepad client1-creds.conf
C:\> type client1-creds.conf
- sample output -
client1
passw0rd
4️⃣.9️⃣ ─ Create an OpenVPN client configuration file:
C:\> notepad client1.ovpn
C:\> type client1.ovpn
- sample output -
client
dev tun
proto tcp
remote <uniqAddress>.sn.mynetname.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-128-GCM
auth SHA1
auth-user-pass client1-creds.conf
redirect-gateway def1
verb 3
remote-cert-tls server makes the client accept only a server certificate carrying the tls-server key usage set in step 1.2, so a leaked client certificate (which has tls-client only) cannot be used to impersonate the server. auth-user-pass is written without the leading “--” used on the command line; OpenVPN tolerates the “--” spelling in a config file, but the bare form is the conventional one. OpenVPN 2.5 and later negotiate the data-channel cipher via data-ciphers, whose defaults overlap with the server's GCM list, so cipher AES-128-GCM is kept here for older clients.
The final content of the %USERPROFILE%\OpenVPN\config folder should look as follows:
C:\> dir
- sample output -
 Volume in drive C is Windows
 Volume Serial Number is 9AFA-3990

 Directory of %USERPROFILE%\OpenVPN\config

05/02/2023  10:35 PM    <DIR>          .
05/02/2023  10:35 PM    <DIR>          ..
05/02/2023  09:10 PM             1,070 ca.crt
05/02/2023  10:31 PM                17 client1-creds.conf
05/02/2023  09:10 PM             1,103 client1.crt
05/02/2023  09:13 PM             1,679 client1.key
05/02/2023  10:34 PM               293 client1.ovpn
05/31/2022  09:20 AM               226 README.txt
               6 File(s)          4,388 bytes
               2 Dir(s)  159,665,164,288 bytes free
4️⃣.1️⃣0️⃣ ─ Connect to the OpenVPN Server
Right-click the OpenVPN GUI tray icon and select “Connect”:
If everything is all right, the VPN connection will be established:
Voilà! The MikroTik OpenVPN server configuration is done! 😎
Preparing and importing the OpenVPN configuration file
The next step is to provide the OpenVPN app with a configuration file. If you give it the .ovpn extension, it can easily be imported later on. But let's start with setting up the configuration file. This profile embeds the CA certificate inline between <ca> and </ca> tags instead of referencing ca.crt, which makes the file self-contained for import:
client
dev tun
proto udp
remote pi.example.org 1194
comp-lzo
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
...
q0c4PYC3BB7pIOA2fH7Clkb8TduDcz0kzPqStD3mVjLXx1+KVxVeGMgbj0QLbPoG
...
-----END CERTIFICATE-----
</ca>
# other options (mostly defaults)
nobind
persist-key
persist-tun
user nobody
group nogroup
resolv-retry infinite
Two settings here are weaker than in the client1.ovpn profile above: comp-lzo turns on compression, which current OpenVPN releases deprecate because it exposes tunnelled plaintext to compression-oracle (VORACLE) attacks, and remote-cert-tls server is absent, so the server certificate is not checked for the tls-server key usage.
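A lint for the two client profiles on this page, the MikroTik client1.ovpn from step 4.9 and the inline-CA profile just shown, as an added example that is not part of the original article or of OpenVPN: it parses a .ovpn file, including inline <ca>…</ca> blocks and the leading “--” spelling of directives, and reports settings that weaken the tunnel (missing remote-cert-tls server, compression, non-AEAD ciphers, no CA) separately from operational notes (a plaintext credentials file). The embedded profiles are abridged, constructed copies of the ones on this page; the certificate body is a placeholder, and the “--auth-user-pass” spelling of the original article is kept to exercise the parser.

```go
// Added example (not from the article or OpenVPN): parser and lint for .ovpn
// client profiles, run over abridged, constructed copies of the two profiles
// on this page (the certificate body is a placeholder).
package main

import (
	"fmt"
	"strings"
)

// Profile: directive -> arguments (first occurrence wins) and inline block names.
type Profile struct {
	Directives map[string][]string
	Inline     map[string]bool
}

// ParseProfile skips comments and blank lines, records inline <tag> blocks
// without interpreting their contents, and tolerates the "--option" spelling.
func ParseProfile(text string) Profile {
	p := Profile{Directives: map[string][]string{}, Inline: map[string]bool{}}
	inBlock := ""
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case inBlock != "": // inside <ca>...</ca> and the like
			if line == "</"+inBlock+">" {
				inBlock = ""
			}
		case line == "" || line[0] == '#' || line[0] == ';':
		case strings.HasPrefix(line, "<") && strings.HasSuffix(line, ">"):
			inBlock = strings.Trim(line, "<>")
			p.Inline[inBlock] = true
		default:
			if f := strings.Fields(strings.TrimPrefix(line, "--")); len(f) > 0 {
				if _, dup := p.Directives[f[0]]; !dup {
					p.Directives[f[0]] = f[1:]
				}
			}
		}
	}
	return p
}

// Lint returns settings that weaken the tunnel (warns) and operational notes (infos).
func Lint(p Profile) (warns, infos []string) {
	arg := func(d string) string { // first argument of a directive, "" if absent
		if a := p.Directives[d]; len(a) > 0 {
			return a[0]
		}
		return ""
	}
	if arg("remote-cert-tls") != "server" {
		warns = append(warns, "remote-cert-tls server missing: any CA-issued certificate, including a stolen client certificate, could impersonate the server")
	}
	if _, lzo := p.Directives["comp-lzo"]; (lzo && arg("comp-lzo") != "no") || arg("compress") != "" {
		warns = append(warns, "compression enabled: deprecated since OpenVPN 2.5, exposes tunnelled plaintext to compression-oracle (VORACLE) attacks")
	}
	for _, c := range strings.Split(arg("cipher")+":"+arg("data-ciphers"), ":") {
		if u := strings.ToUpper(c); u != "" && !strings.Contains(u, "GCM") && !strings.Contains(u, "POLY1305") {
			warns = append(warns, "non-AEAD cipher "+c+": prefer AES-*-GCM or CHACHA20-POLY1305")
		}
	}
	if _, ok := p.Directives["ca"]; !ok && !p.Inline["ca"] {
		warns = append(warns, "no CA certificate (ca directive or <ca> block): the server cannot be authenticated")
	}
	if f := arg("auth-user-pass"); f != "" {
		infos = append(infos, "credentials are read from "+f+": plaintext file, restrict its permissions")
	}
	return
}

// Constructed, abridged copies of the profiles shown on this page.
const MikroTikProfile = `client
remote <uniqAddress>.sn.mynetname.net 443
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-128-GCM
--auth-user-pass client1-creds.conf`

const InlineCAProfile = `client
remote pi.example.org 1194
comp-lzo
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
# other options (mostly defaults)
resolv-retry infinite`

func main() {
	for name, text := range map[string]string{"client1.ovpn": MikroTikProfile, "inline-ca.ovpn": InlineCAProfile} {
		warns, infos := Lint(ParseProfile(text))
		fmt.Printf("%s\n  WARN: %v\n  INFO: %v\n", name, warns, infos)
	}
}
```

The MikroTik profile produces no warnings and one note about the credentials file; the inline-CA profile produces the two warnings discussed above (compression and the missing remote-cert-tls server).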