In this example, we will be using two MikroTik RB951G-2HnD running RouterOS v6.34.3 on firmware v3.24, each using a different subnet. In addition, the OpenVPN tunnel is using a different subnet as well, which means that between the two MikroTik routers and the OpenVPN tunnel we have three different subnets.

The OpenVPN local and remote IP addresses represent the respective gateway address for each end of the tunnel between MikroTik A (Server) and MikroTik B (Client). For example, MikroTik A's OpenVPN gateway IP address is 192.168.200.254 and MikroTik B's OpenVPN gateway IP address is 192.168.200.10. The OpenVPN local and remote IP addresses are configured in the PPP profile, which we will get to later.

We will need to create the certificates on MikroTik A (Server). For simplicity (I hope), I've added the MikroTik terminal commands needed to create the certificates. Note that these commands include placeholders that will need to be changed to better suit your network environment. The variables/placeholders are encapsulated by the percent (%) symbol.

Having OpenVPN server on your router is a nifty feature. However, as often with Mikrotik, not all is straightforward.

This guide is going to assume you are to enter commands into the New Terminal window from WinBox. That way I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to "translate" into GUI actions if that is your preference.

Prerequisite for any VPN server is to get certificates sorted. For OpenVPN we need main Certificate Authority, server, and client certificate. Yes, strictly speaking, client certificate is optional but let's not skimp on security.

First we create all the certificate templates (10 years validity) we'll need:

/certificate
add name=ca-template common-name= days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name= *. days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name= days-valid=3650 key-size=2048 key-usage=tls-client

For the purpose of OpenVPN server common name can be really anything. However, some other VPNs are not as forgiving (yes SSTP, I am looking at you) so it might be best to have either your external IP or host name as the common-name text. And yes, if you have dynamic IP and you are not using your own domain, you can put *. there, no worries.

Created certificates will need signing:

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Depending on your router's speed, that sign command might time out. Nothing to worry about, just wait for CPU to drop below 100%. Or alternatively check the name of the certificate: the template part will disappear once signing is completed.

With this we need to export a few files:

/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=12345678

This should give you three files: cert_export_ca-certificate.crt, cert_export_client-certificate.crt, and cert_export_client-certificate.key. After copying these to a computer for later, I like to rename them to ca.crt, client.crt, and client.key respectively.

Next we need a separate pool of IP addresses for clients. I will assume you have your clients in some other network (e.g.

Instead of editing the default encrypted profile, we can create a new one. Assumption is your Mikrotik will also be a DNS server.

/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool

And while at it, you can create a bit more imaginative user/password:

secret add name= user profile=vpn-profile password= password

Finally, we can enable OpenVPN server interface:

/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
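The client side of the server settings above, as an added example that is not part of either original post: a small Python helper that turns the three exported files (ca.crt, client.crt, client.key) into one inline .ovpn profile whose transport, HMAC, cipher and authentication choices match the /interface ovpn-server settings, and that asks for the export passphrase only when the exported key is actually encrypted. The server host name, the port 1194 and the PEM contents are constructed assumptions.

```python
"""Build an OpenVPN client profile matching the RouterOS v6 ovpn-server above:
TCP transport, SHA1 HMAC, AES-CBC, username/password plus a client certificate.
The PEM strings below are constructed stand-ins, not real certificates or keys."""
from typing import Dict

# Constructed stand-ins for the files exported from the router and renamed.
SAMPLE_FILES: Dict[str, str] = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nMIIC...constructed...\n-----END CERTIFICATE-----\n",
    # Exported with export-passphrase, so the key arrives as an encrypted PEM.
    "client.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n",
}

def key_is_encrypted(pem: str) -> bool:
    """True for PKCS#8 encrypted keys and for legacy 'Proc-Type: 4,ENCRYPTED' PEM."""
    return "ENCRYPTED" in pem.splitlines()[0] or "Proc-Type: 4,ENCRYPTED" in pem

def build_ovpn(server: str, files: Dict[str, str], port: int = 1194,
               cipher: str = "AES-256-CBC") -> str:
    """Return .ovpn text with the PEM blocks inlined so one file can be handed out.
    Assumption: the cipher names are the CBC variants RouterOS v6 negotiates."""
    if cipher not in ("AES-128-CBC", "AES-192-CBC", "AES-256-CBC"):
        raise ValueError("cipher must be one of aes128/aes192/aes256 offered by the server")
    for name in ("ca.crt", "client.crt", "client.key"):
        if name not in files or "-----BEGIN" not in files[name]:
            raise ValueError(f"{name} missing or not PEM")
    lines = [
        "client",
        "dev tun",
        "proto tcp-client",        # RouterOS v6 ovpn-server speaks TCP only
        f"remote {server} {port}",
        "nobind",
        "persist-key",
        "persist-tun",
        "auth SHA1",               # matches auth=sha1 on the server
        f"cipher {cipher}",
        "auth-user-pass",          # matches the /ppp secret user/password
        "remote-cert-tls server",  # reject peers without the tls-server usage set on server-template
        "verb 3",
    ]
    if key_is_encrypted(files["client.key"]):
        lines.append("askpass")    # prompt for the export-passphrase protecting client.key
    for tag, name in (("ca", "ca.crt"), ("cert", "client.crt"), ("key", "client.key")):
        lines += [f"<{tag}>", files[name].strip(), f"</{tag}>"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_ovpn("vpn.example.com", SAMPLE_FILES))
```

The `remote-cert-tls server` line is what makes the `tls-server` key usage on the server template matter: a client certificate signed by the same CA cannot be presented as the server.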