Configure OpenVPN client

emic17 · June 16, 2015, 4:25pm

Hy,
i need to configure an VPN between my home network and my office, using an RB951Ui-2HnD Mikrotik.
This is the configuration that normally use from my Windows,Android and iOS client:

client

proto tcp
remote my.openvpn.server
port 1194
float

dev tun
nobind

ca ca.crt
cert my.crt
key my.key

ns-cert-type server

NB: I don’t use user/password authentication method.

Which is the right configuration to do in mikrotik?

Thanks for future help…

kamillo · June 17, 2015, 8:11am

Hi,

If I remember correctly, MT doesn’t support certificate authentication only user/ password

Check: http://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

gtj · June 18, 2015, 12:15am

Depends on whether MT is the client or server. If it’s the client it’ll support certificate auth just fine.

Import the ca cert and the client cert and key. I normally concatenate the client cert and key into 1 pem file and import that.

Create an empty ppp profile and set encryption to yes.

Create an ovpn client and set the user to the client cert’s common name.
Set the server, port, mode: ip, client cert, profile, auth, cipher.

Should be as easy as that. I’ve set up a bunch in the last week or so connecting to a Linux openvpn server.

emic17 · June 18, 2015, 4:51am

Yes, my MT is the client. Today i will try with this solution.
Stay tuned!

emic17 · June 18, 2015, 7:10pm

Unfortunately I was not able to configure my MT as client ovpn as you described. …I’m a newbie in routerOs
Can you help my with an step-by-step guide? Or some linke where i can found instruction.
My routerOs version is: 6.27

Thanks.

gtj · June 18, 2015, 9:58pm

Assuming you’re using Webfig…

Gather your ca cert file and your pem file containing your client cert and key. I’ll refer to them as ca.crt and client.pem but they can be named anything.

Connect to the device using Webfig and go to Files.
Upload both the ca.crt and client.pem files.

Go to System/Certificates and import both files. After they’re imported, you should see ‘T’ as the status for ca.crt and ‘KT’ as the status for the client cert/key. You might want to rename them here since the default names will be cert_1 and cert_2.

Now go to PPP/Profiles and create a new profile named openvpn-client. Set as follows…
Use IPv6: no
Use MPLS: no
Use Compression: no
Use VJ Compression: no
Use Encryption: yes
All other fields can be left empty or at their defaults.

Now go to PPP/Interface and add a new OVPN Client. Set as follows…
Connect to:
Port: 1194
Mode: ip
User:
Profile: openvpn-client
Certificate:
Auth:
Cipher:

The server MUST be set to ‘proto tcp’ and must not need tls-auth. Neither udp nor tls are supported.

That should do it.

emic17 · June 19, 2015, 4:11pm

It works!!!

Thank you! you’re the best!!

therfman · September 17, 2016, 2:46am

I apologize for reviving an old thread, but it seems to be the most appropriate thread for my question.

I’m trying to configure my RB1100AHx2 to connect to PrivateInternetAccess (PIA) servers using VPN. PIA had provided me with a crt file as well as a pem file. I am able to import the crt file and RouterOS shows its details correctly. I am however unable to import the PEM file. If I do so by Winbox, nothing happens. By CLI, I get a report of all 0s. No errors, but no keys imported. I have tried using no passpharse ehrn importing, using my RouterOS admin passphrase, and my VPN login passphrase. Nothing works, and I can’t get OpenVPN connectivity without it.

And help would be appreciated.

emk2203 · June 7, 2017, 3:58pm

Bumping this, since I have exactly the same problem now.

The .crt gets imported without issues, but the .pem has all zeroes in the status after import. From the contents, it’s an X.509 crl (?).
-----BEGIN X509 CRL-----
MIICWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRl
cm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAw
HgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0
ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRl
aW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZa
MCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG
9w0BAQ0FAAOCAQEAQZo9X97ci8EcPYu/uK2HB152OZbeZCINmYyluLDOdcSvg6B5
jI+ffKN3laDvczsG6CxmY3jNyc79XVpEYUnq4rT3FfveW1+Ralf+Vf38HdpwB8EW
B4hZlQ205+21CALLvZvR8HcPxC9KEnev1mU46wkTiov0EKc+EdRxkj5yMgv0V2Re
ze7AP+NQ9ykvDScH4eYCsmufNpIjBLhpLE2cuZZXBLcPhuRzVoU3l7A9lvzG9mjA
5YijHJGHNjlWFqyrn1CfYS6koa4TGEPngBoAziWRbDGdhEgJABHrpoaFYaL61zqy
MR6jC0K2ps9qyZAN74LEBedEfK7tBOzWMwr58A==
-----END X509 CRL-----