I know ovpn is now the strongest side of ROS, but frankly speaking, MT guys did a lot of work to have ovpn working well enough at the current level. I used to use the built-in ovpn-server for years (with AD-backed auth).
But what I wonder now is if I can set up ovpn-server to auth users not with username/password but with certificates? Sounds awful, but for legacy reasons I'd like to set it up that way, rather than keep another (linux-based) box behind Mikrotik just to terminate cert-authed ovpn sessions.
I don't know how to handle per-user certs, so I can't see a way to do that myself, but may this be possible somehow? Maybe via radius or by some script?
Looks like you missed the point. You can create, say, an ovpn client with both certificate and username/password, and it's up to the server config if you'll be auth'ed using cert or using username/pass pair. If it'll be cert-based auth, then you can type 111 or aaa or whatever as username/password, as it'll be ignored (never used).
Not sure for ovpn server. May there be any way to employ cert-based auth and ignore username/pass?
I know about the RouterOS OpenVPN client, which requires you to provide a username, but the server (non-RouterOS) is free to ignore it and only use the client certificate for authentication. But you were asking about the server. And the OpenVPN server in RouterOS wants usernames. As far as I know, it can only verify if the client certificate should be trusted, but nothing more. There's no advanced verification like in official OpenVPN, no mapping of CN to usernames, or anything like that.