Posted by Quentin Conner
So, you want to install and configure a VPN to your home network using your Mikrotik router and OpenVPN for your client?
In my case I wanted to use a Mikrotik RB750 with the PPP package installed and the OpenVPN client for MacOS, Tunnelblick. My RouterOS software version is 6.34.3, current at the time of writing. My OpenVPN client software is Tunnelblick, 3.5.8 (which incorporates OpenVPN 2.3.6).
The idea is to create a VPN into my home network, accessed from the Internet. I started by reading the Mikrotik OpenVPN documentation:
Then I looked at the easy_rsa scripts that come with OpenVPN, on my Mac (this would be an alternate source for key pairs and certificate artifact generation):
Between the two I managed to gain an understanding and get it running using the Mikrotik for key and certificate generation. I captured my implementation steps, complete with an OpenVPN template configuration you can reuse.
There are three main tasks:
Create encryption artifacts (files) used to establish SSL / TLS connections
Configure a OpenVPN / PPP profile in the VPN server
Configure an OpenVPN profile on the client
First we ssh into the Mikrotik router and create our own Certification Authority (CA) named “myCa”.
I used my Mikrotik router’s inside LAN IP address for the ca-crl-host. I’m not planning a CRL server for this use case.
[admin@MikroTik-gw] /certificate> add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
[admin@MikroTik-gw] /certificate> sign myCa ca-crl-host=192.168.1.1 name=myCa
Now export the CA certificate, download and save the .crt file.
You will use this file and two others later when creating the .ovpn (OpenVPN) client configuration.
[admin@MikroTik-gw] /certificate> export-certificate myCa
Now we create a private and public key pair for the VPN Server followed by another key pair for the VPN Client:
[admin@MikroTik-gw] /certificate> add name=VPNserver common-name=server
[admin@MikroTik-gw] /certificate> add name=VPNclient1 common-name=client1
We need to sign both public keys with our new CA:
[admin@MikroTik-gw] /certificate> sign VPNserver ca=myCa name=server
[admin@MikroTik-gw] /certificate> sign VPNclient1 ca=myCa name=client1
Export the VPN Client's private key and public key+certificate files.
The following command creates two files which you need to download and save for use later (when creating the .ovpn OpenVPN client configuration file).
[admin@MikroTik-gw] /certificate> export-certificate export-passphrase=mysecret client1
To check your work, first check your Mikrotik certificates and look for the “KLAT” on the CA certificate and “KA” flags on the client and server entries. These entries represent a tuple of Private Key, Public Key and CA-signed Certificate. Yes, the “myCa” CA certificate is “self-signed”.
[admin@MikroTik-gw] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 K L A T myCa myCa c9c129cb1b7...
1 K A server server 03883a34bdc...
2 K A client1 client1 a67a988df5e...
Now go to the Files section of the Mikrotik Web GUI, or sftp to your Mikrotik.
You should see:
VPN Server Configuration
Adding a PPP profile to the Mikrotik enables a VPN Server endpoint for one or more VPN Clients.
The OpenVPN solution appears to be a PPP connection over an encrypted TLS (SSL) connection.
In this case I will choose AES256 for my session encryption, SHA1 for session message authentication and I will use 2048 bit RSA private keys as the basis for the client and server certificates.
This use case assumes a simple home network where the 192.168.1.0/24 TCP/IP network exists and the Mikrotik router is the gateway to the Internet. We will add a second network number for use by the VPN clients, since this is an IP-based VPN.
On this network we will assign IP addresses for an IP address pool to be used by VPN Clients; it is a small range of addresses from 192.168.2.10 to 192.168.2.19. This synthetic network will exist virtually, inside the Mikrotik router and appears to be defined via the /PPP Profile and the /interface openvpn-server server commands.
Our Mikrotik router is the default route to the WAN (Internet) and on 192.168.1.1 for its internal LAN interface. For the VPN Client’s synthetic network (192.168.2.0/24) our VPN Server will present itself as 192.168.2.1 to the VPN Client.
First create the PPP profile and IP address pool:
[admin@MikroTik-gw] > /ip pool add name=ovpn-pool range=192.168.2.10-192.168.2.19
[admin@MikroTik-gw] > /ppp profile add name=ovpn local-address=192.168.2.1 remote-address=ovpn-pool
Add our “client1″ user with “second factor secret” (the certificate embedded in the .ovpn file will be the other factor):
[admin@MikroTik-gw] > /ppp secret add name=client1 password=mysecret profile=ovpn
Create a synthetic interface in the Mikrotik representing the VPN Server endpoint on the synthetic VPN Client network, then associate it with the VPN Client IP pool:
[admin@MikroTik-gw] > /interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes256 port=1194 netmask=24 require-client-certificate=yes mode=ip
OpenVPN Client Configuration
Each OpenVPN user (VPN Client) needs their own distinct .ovpn configuration file.
In this use case we will configure only a single client.
The client1.ovpn file follows. Make four substitutions in your version of this template.
Change 18.104.22.168 to your public IP address (or maybe hostname) for your Mikrotik router.
In the section below, replace with your CA certificate text.
In the section, replace with your VPN Client Certificate text.
In the section, replace with your unprotected VPN Client Private Key text.
Optionally, if you run your own DNS server on your home network, you may want to make an additional substitution.
Change 22.214.171.124 to the IP address for your home network DNS server, somewhere on 192.168.1.0/24 in this example.
Potentially, this could be your Mikrotik router (192.168.1.1 in this example), if you enabled the DNS service there.
To get the unprotected (non-encrypted) Private Key text from the password-protected VPN Client Private Key file you downloaded earlier, run the following from a UNIX shell prompt where you have access to openssl:
$ openssl rsa -in cert_export_client1.key -text
You can copy/paste the following to create an initial .ovpn file for the four substitutions/edits above:
$ cat > client1.ovpn << _END_
# this is a layer 3 (IP) VPN
# Mikrotik only supports TCP at the moment
# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote 126.96.36.199 1194
# Mikrotik does not support link compression at the moment
# OpenVPN client debug log verbosity
# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
# domain name for home LAN
dhcp-option DOMAIN your.home.domain.name
# DNS server (replace with your own)
dhcp-option DNS 188.8.131.52
# SMB WINS name server if you have one
#dhcp-option WINS 192.168.1.1
# route to multiple networks
route 192.168.0.0 255.255.0.0
# Mikrotik accepts a CA cert
# Mikrotik expects a VPN Client Certificate
# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----