{"id":1095,"date":"2019-07-16T11:13:29","date_gmt":"2019-07-16T14:13:29","guid":{"rendered":"http:\/\/blog.abratel.com.br\/?p=1095"},"modified":"2022-07-06T06:58:38","modified_gmt":"2022-07-06T09:58:38","slug":"openvpn-server-mikrotik","status":"publish","type":"post","link":"https:\/\/blog.abratel.com.br\/?p=1095","title":{"rendered":"OpenVpn Server Mikrotik"},"content":{"rendered":"<p>Reference: https:\/\/delphinus.qns.net\/xwiki\/bin\/view\/Blog\/Mikrotik%20OpenVPN%20in%2090%20seconds<br \/>\nPosted by Quentin Conner<\/p>\n<p>So, you want to install and configure a VPN into your home network using your Mikrotik router and OpenVPN for your client?<\/p>\n<p>In my case I wanted to use a Mikrotik RB750 with the PPP package installed and the OpenVPN client for macOS, Tunnelblick.  My RouterOS software version is 6.34.3, current at the time of writing.  My OpenVPN client software is Tunnelblick, 3.5.8 (which incorporates OpenVPN 2.3.6).<\/p>\n<p>The idea is to create a VPN into my home network, accessed from the Internet.  I started by reading the Mikrotik OpenVPN documentation:<\/p>\n<p>http:\/\/wiki.mikrotik.com\/wiki\/OpenVPN<\/p>\n<p>Then I looked at the easy_rsa scripts that come with OpenVPN, on my Mac (this would be an alternate source for key pairs and certificate artifact generation):<\/p>\n<p>https:\/\/openvpn.net\/index.php\/open-source\/documentation\/miscellaneous\/77-rsa-key-management.html<\/p>\n<p>Between the two I managed to gain an understanding and get it running using the Mikrotik for key and certificate generation.  
I captured my implementation steps, complete with an OpenVPN template configuration you can reuse.<\/p>\n<p>There are three main tasks:<\/p>\n<p>Create the encryption artifacts (files) used to establish the SSL \/ TLS connection<br \/>\nConfigure an OpenVPN \/ PPP profile on the VPN server<br \/>\nConfigure an OpenVPN profile on the client<\/p>\n<p><strong>Encryption Artifacts<\/strong><\/p>\n<p>First we ssh into the Mikrotik router and create our own Certification Authority (CA) named &#8220;myCa&#8221;.  The CA key is restricted to signing certificates and CRLs (key-usage=key-cert-sign,crl-sign), so it cannot itself be used as a TLS server or client certificate.<\/p>\n<p>I used my Mikrotik router&#8217;s inside LAN IP address for the ca-crl-host.  I&#8217;m not planning a CRL server for this use case.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] &gt; \/certificate\n[admin@MikroTik-gw] \/certificate&gt; add name=myCa days-valid=3650 common-name=myCa key-usage=key-cert-sign,crl-sign\n[admin@MikroTik-gw] \/certificate&gt; sign myCa ca-crl-host=127.0.0.1 name=myCa\n<\/pre>\n<p>Now export the CA certificate, then download and save the resulting .crt file.  You will use this file and two others later when creating the .ovpn (OpenVPN) client configuration.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] \/certificate&gt; export-certificate myCa\n<\/pre>\n<p>Now we create a private and public key pair for the VPN server, followed by another key pair for the VPN client, and sign both public keys with our new CA.  The name= parameter on sign renames the entry, which is why the listing further down shows them as server and client1:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] \/certificate&gt; add name=VPNserver days-valid=3650 common-name=server\n[admin@MikroTik-gw] \/certificate&gt; add name=VPNclient1 days-valid=3650 common-name=client1\n[admin@MikroTik-gw] \/certificate&gt; sign VPNserver ca=myCa name=server\n[admin@MikroTik-gw] \/certificate&gt; sign VPNclient1 ca=myCa name=client1\n<\/pre>\n<p>Next, export the VPN client&#8217;s private key and its certificate.  The following command creates two files which you need to download 
and save for use later (when creating the .ovpn OpenVPN client configuration file).  The export-passphrase encrypts the private key file on disk; you will need the same passphrase on the client to unlock it.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] \/certificate&gt; export-certificate export-passphrase=mysecret client1\n<\/pre>\n<p>To check your work, first list your Mikrotik certificates and look for the &#8220;KLAT&#8221; flags on the CA certificate and the &#8220;KA&#8221; flags on the client and server entries.  Each entry represents a tuple of private key, public key and CA-signed certificate.  Yes, the &#8220;myCa&#8221; CA certificate is &#8220;self-signed&#8221;.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] \/certificate&gt; print\nFlags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted\n#          NAME       COMMON-NAME   SUBJECT-ALT-NAME   FINGERPRINT\n0 K L A  T myCa       myCa                             c9c129cb1b7...\n1 K   A    server     server                           03883a34bdc...\n2 K   A    client1    client1                          a67a988df5e...\n<\/pre>\n<p>Now go to the Files section of the Mikrotik Web GUI, or sftp to your Mikrotik.<br \/>\nYou should see:<\/p>\n<p>cert_export_client1.crt<br \/>\ncert_export_client1.key<br \/>\ncert_export_myCa.crt<\/p>\n<p><strong>VPN Server Configuration<\/strong><\/p>\n<p>Adding a PPP profile to the Mikrotik enables a VPN server endpoint for one or more VPN clients.<\/p>\n<p>The OpenVPN solution appears to be a PPP connection over an encrypted TLS (SSL) connection.<\/p>\n<p>In this case I will choose AES256 for my 
session encryption, SHA1 for session message authentication and I will use 2048-bit RSA private keys as the basis for the client and server certificates.  (In RouterOS 6 the ovpn-server offers only md5, sha1 and null for auth, so sha1 is the strongest choice available there; OpenVPN uses it as an HMAC, where the published SHA-1 collision attacks do not apply.)<\/p>\n<p>This use case assumes a simple home network where the 192.168.1.0\/24 TCP\/IP network exists and the Mikrotik router is the gateway to the Internet.  We will add a second network number for use by the VPN clients, since this is an IP-based VPN.<\/p>\n<p>On this network we will assign IP addresses from an IP address pool to be used by VPN clients; it is a small range of addresses from 192.168.2.10 to 192.168.2.19.  This synthetic network exists virtually, inside the Mikrotik router, and is defined via the \/ppp profile and the \/interface ovpn-server server commands.<\/p>\n<p>Our Mikrotik router is the default route to the WAN (Internet) and is 192.168.1.1 on its internal LAN interface.  For the VPN client&#8217;s synthetic network (192.168.2.0\/24) our VPN server will present itself as 192.168.2.1 to the VPN client.<\/p>\n<p><strong>First create the PPP profile and IP address pool:<\/strong><\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] &gt; \/ip pool add name=ovpn-pool range=192.168.2.10-192.168.2.19\n[admin@MikroTik-gw] &gt; \/ppp profile add name=ovpn local-address=192.168.2.1 remote-address=ovpn-pool\n<\/pre>\n<p>Add our &#8220;client1&#8221; user with a &#8220;second factor secret&#8221; (the certificate embedded in the .ovpn file will be the other factor).  The PPP secret name must match the username the client sends with auth-user-pass:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] &gt; \/ppp secret add name=client1 password=mysecret profile=ovpn\n<\/pre>\n<p>Create a synthetic interface in the Mikrotik representing the VPN server endpoint on the synthetic VPN client network, then associate it with the VPN client IP pool.  The auth and cipher values chosen here must match the auth and cipher lines in the client .ovpn file:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n[admin@MikroTik-gw] &gt; \/interface ovpn-server server set enabled=yes 
certificate=server auth=sha1 cipher=aes256 port=1194 netmask=24 require-client-certificate=yes mode=ip\n<\/pre>\n<p>Note that require-client-certificate=yes is what turns the certificate into a real second factor: without it the server does not demand a client certificate, and anyone who knows the PPP username and password can connect.<\/p>\n<p><strong>OpenVPN Client Configuration<\/strong><\/p>\n<p>Each OpenVPN user (VPN client) needs their own distinct .ovpn configuration file.<\/p>\n<p>In this use case we will configure only a single client.<br \/>\nThe client1.ovpn file follows.  Make four substitutions in your version of this template.<\/p>\n<p>Change 11.12.13.14 to the public IP address (or hostname) of your Mikrotik router.<br \/>\nIn the &lt;ca&gt; section below, replace the placeholder with your CA certificate text (cert_export_myCa.crt).<br \/>\nIn the &lt;cert&gt; section, replace the placeholder with your VPN client certificate text (cert_export_client1.crt).<br \/>\nIn the &lt;key&gt; section, replace the placeholder with your unprotected VPN client private key text.<br \/>\nOptionally, if you run your own DNS server on your home network, you may want to make an additional substitution.<\/p>\n<p>Change 8.8.8.8 to the IP address of your home network DNS server, somewhere on 192.168.1.0\/24 in this example.<br \/>\nPotentially, this could be your Mikrotik router (192.168.1.1 in this example), if you enabled the DNS service there.<\/p>\n<p>To get the unprotected (non-encrypted) private key text from the passphrase-protected VPN client private key file you downloaded earlier, run the following from a UNIX shell prompt where you have access to openssl.  It prompts for the export passphrase (mysecret above) and writes the plain PEM key to client1.key.  Because that key, and the .ovpn file it is pasted into, are now unencrypted credentials, keep both files readable only by your own user and do not send them over email or chat.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ openssl rsa -in cert_export_client1.key -out client1.key\n<\/pre>\n<p>You can copy\/paste the following to create an initial .ovpn file for the four substitutions\/edits above (the quoted heredoc delimiter stops the shell from expanding anything inside the template):<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n$ cat &gt; client1.ovpn &lt;&lt; '_END_'\nclient\n\n# this is a layer 3 (IP) VPN\ndev tun\n\n# RouterOS 6 only supports OpenVPN over TCP\nproto tcp\n\n# put your VPN Server's routable (WAN or Internet-accessible) IP address here\nremote 11.12.13.14 1194\n\nresolv-retry infinite\nnobind\n\n# Mikrotik does not support link compression at the moment\n#comp-lzo\n\npersist-key\npersist-tun\n#mute-replay-warnings\n\n# 
OpenVPN client debug log verbosity\nverb 1\n#verb 3\n#verb 6\n\n# must match cipher=aes256 on the Mikrotik ovpn-server\n#cipher BF-CBC\n#cipher AES-128-CBC\n#cipher AES-192-CBC\ncipher AES-256-CBC\n\n# must match auth=sha1 on the Mikrotik ovpn-server\n#auth MD5\nauth SHA1\n\n# Mikrotik's PPP server requires username\/password authentication\n# at the moment and it uses this in conjunction with both client and\n# server-side x.509v3 certificate authentication\nauth-user-pass\n\n# domain name for home LAN\ndhcp-option DOMAIN your.home.domain.name\n\n# DNS server (replace with your own)\ndhcp-option DNS 8.8.8.8\n\n# SMB WINS name server if you have one\n#dhcp-option WINS 192.168.1.1\n\n# route to multiple networks (covers 192.168.1.0\/24 and 192.168.2.0\/24)\nroute 192.168.0.0 255.255.0.0\n\n# CA certificate; the client uses it to verify the Mikrotik's server certificate\n&lt;ca&gt;\n-----BEGIN CERTIFICATE-----\nBAMMBG15Q2GgAwIBAgIIfp+KAYv5zqIwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE\n...\nurKNm8k8KGt9ur15zL22C0YeYfef4H0BTAvuwOMgIOWzw5k0By==\n-----END CERTIFICATE-----\n&lt;\/ca&gt;\n\n# VPN Client certificate, demanded by require-client-certificate=yes on the server\n&lt;cert&gt;\n-----BEGIN CERTIFICATE-----\nG6kUxIYCx9cGbwAZMv8OtHnu2R+pk0A\/cxg1ReYcp161Wed0bir0MIIDTTCCAjWg\n...\nc7OYas3x1DE2kJYQ8Z8ZakSXVBq8WScUa\n-----END CERTIFICATE-----\n&lt;\/cert&gt;\n\n# VPN Client private key; it proves possession of the client certificate\n# during the TLS handshake (it signs the CertificateVerify message), so\n# anyone holding this file can authenticate as client1\n&lt;key&gt;\n-----BEGIN RSA PRIVATE KEY-----\nPF85doECgYEA8b1fuDTh17NLzXPxDG9O4LilGzQX7AEPiY8gOfk1iQrrlcvvFeS7\n...\nF8nyWXTcXD74Ygj\/CXxirR+Q3w==\n-----END RSA PRIVATE KEY-----\n&lt;\/key&gt;\n\n_END_\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Reference: https:\/\/delphinus.qns.net\/xwiki\/bin\/view\/Blog\/Mikrotik%20OpenVPN%20in%2090%20seconds Posted by Quentin Conner So, you want to install and configure a VPN to your home network using your Mikrotik router and OpenVPN for your client? 
In my case I wanted to use a Mikrotik RB750 with the PPP package installed and the&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[14],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1095"}],"collection":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1095"}],"version-history":[{"count":7,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1095\/revisions"}],"predecessor-version":[{"id":1453,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=\/wp\/v2\/posts\/1095\/revisions\/1453"}],"wp:attachment":[{"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.abratel.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
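The client-side procedure above (unlock the exported key with openssl, then paste the CA certificate, client certificate and plain key into the .ovpn template) is easy to get subtly wrong: a key pasted next to the wrong certificate, or a certificate that was never signed by myCa, only fails at connect time with an opaque TLS error. The script below is an added example, not code from the original post or from MikroTik; it does the same assembly with openssl but checks the chain and the key/certificate pairing first, and writes the profile with mode 0600. It assumes the file names the post uses (cert_export_myCa.crt, cert_export_client1.crt, cert_export_client1.key), the export passphrase mysecret, and an OpenSSL 1.1 or 3.x command line on the client. It also adds remote-cert-tls server to the template, which assumes the router's server certificate carries the RouterOS default key-usage (which includes tls-server); drop that line if your server certificate was created with a restricted key-usage. The make_fixture function generates a throwaway CA and client pair so the script can be run offline without a router; that is constructed test data, not a real export.

```shell
#!/bin/sh
# Added example, not part of the original post: assemble client1.ovpn from the
# three files the MikroTik exports, after checking them with openssl.
# Assumptions: file names from the post (cert_export_myCa.crt,
# cert_export_client1.crt, cert_export_client1.key), export passphrase
# "mysecret", and an OpenSSL 1.1+/3.x command-line tool on the client.
set -eu

# Remove the export-passphrase from the key. The output is an unencrypted PEM
# that ends up inside the .ovpn, so it is written with mode 0600.
decrypt_key() {          # decrypt_key <encrypted.key> <passphrase> <out.key>
  ( umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

# Confirm the client certificate really chains to the router's CA certificate.
verify_chain() {         # verify_chain <ca.crt> <client.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Confirm the decrypted key belongs to the certificate (same public key).
key_matches_cert() {     # key_matches_cert <client.crt> <plain.key>
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Write the client profile with <ca>, <cert> and <key> inlined. Refuses to
# build a profile from a foreign certificate or a mismatched key.
build_ovpn() {           # build_ovpn <remote> <ca.crt> <client.crt> <plain.key> <out.ovpn>
  verify_chain "$2" "$3" || { echo "client cert not signed by CA" >&2; return 1; }
  key_matches_cert "$3" "$4" || { echo "key does not match cert" >&2; return 1; }
  ( umask 077
    {
      echo "client"
      echo "dev tun"
      echo "proto tcp"               # RouterOS 6 ovpn-server speaks TCP only
      echo "remote $1 1194"
      echo "resolv-retry infinite"
      echo "nobind"
      echo "persist-key"
      echo "persist-tun"
      echo "cipher AES-256-CBC"      # must match cipher=aes256 on the router
      echo "auth SHA1"               # must match auth=sha1 on the router
      echo "auth-user-pass"          # the /ppp secret is the second factor
      # Reject a peer that presents a client certificate as the server. Assumes
      # the server cert has the RouterOS default key-usage (includes tls-server).
      echo "remote-cert-tls server"
      echo "route 192.168.0.0 255.255.0.0"
      echo "<ca>";   openssl x509 -in "$2"; echo "</ca>"
      echo "<cert>"; openssl x509 -in "$3"; echo "</cert>"
      echo "<key>";  cat "$4";              echo "</key>"
    } > "$5" )
}

# Stand-in for the router's export so the script runs offline: a throwaway CA,
# a client certificate signed by it, and the client key encrypted with a
# passphrase, under the same file names the post uses. Constructed test data.
make_fixture() {         # make_fixture <dir> <passphrase>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/cert_export_myCa.crt" -subj /CN=myCa -days 3650 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$1/client1.plain" \
    -out "$1/client1.csr" -subj /CN=client1 2>/dev/null
  openssl x509 -req -in "$1/client1.csr" -CA "$1/cert_export_myCa.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/cert_export_client1.crt" \
    -days 3650 2>/dev/null
  openssl rsa -in "$1/client1.plain" -aes256 -passout "pass:$2" \
    -out "$1/cert_export_client1.key" 2>/dev/null
  rm -f "$1/client1.plain" "$1/client1.csr"
}

# Usage against the real exports downloaded from the router:
#   decrypt_key cert_export_client1.key mysecret client1.key
#   build_ovpn 11.12.13.14 cert_export_myCa.crt cert_export_client1.crt client1.key client1.ovpn
```

The two checks are the ones that matter in practice: openssl verify proves the certificate you are about to embed was issued by the same myCa whose certificate goes in the <ca> block, and the public-key comparison proves the <key> block is the private half of the <cert> block rather than some other export lying around in the Files directory. Everything written by the script lands with mode 0600 because a plain .ovpn with an inline key is equivalent to the password in /ppp secret plus the client certificate factor combined.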