josu
1
Hello,
I am configuring some Mikrotik routers and I want to manage them over an OpenVPN connection from outside.
Is it possible to connect with the OpenVPN client without a certificate, just with a username and password?
Could anyone help me with some command-line steps?
Thanks for your help.
Kind regards.
I’m searching for a solution to the same problem.
mrz
4
Yes, it is possible, client can use only username and password.
josu
5
Thanks!
Could you help please?
I did these steps:
Create a pool for VPN users:
/ip pool add name=VPN_pool ranges=10.10.10.150-10.10.10.159
Create OpenVPN profile:
/ppp profile add local-address=10.10.10.1 name="OpenVPN Profile" remote-address=VPN_pool
Add user and pass:
/ppp secret add name=user1 password=password1 profile="OpenVPN Profile"
Which steps am I missing?
I will appreciate your help.
mrz
6
josu
7
Thanks again,
But I don’t want to use a certificate; is it obligatory to create one?
Thanks for your great help.
Kind regards.
mrz
8
A certificate on the server is mandatory. Only the client certificate is not required.
josu
9
Thanks again,
I read some blogs and now I have this:
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate add name=server-template common-name=server
/certificate sign ca-template ca-crl-host=192.168.88.1 name=myCa
/certificate sign ca=myCa server-template name=server
/certificate set server trusted=yes
/ip pool add name=VPN_pool ranges=10.10.10.150-10.10.10.159
/ppp profile add local-address=10.10.10.1 name="OpenVPN Profile" remote-address=VPN_pool
/ppp secret add name=user1 password=password1 profile="OpenVPN Profile"
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.10.0/24
/interface ovpn-server server set enabled=yes certificate=server
/ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
I get no errors when I add these commands on the Mikrotik, but the service is not working. I cannot connect from an OpenVPN client.
Could you point me in the right direction?
I appreciate your help.
Kind regards.
No, I’m still searching; I really have a bad relationship with certificates.
josu
11
If I do a “telnet LAN_IP 1194” it works inside the LAN.
But from WAN “telnet WAN_IP 1194” it doesn’t work.
How could I enable the OpenVPN service on the WAN interface?
Regards.
Walbro
12
Hey, first of all you must enable the ovpn server as an interface:
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no
All your certificates must be signed and set as Trusted.
I used the easy-rsa tool for certificates; it comes with the OpenVPN software.
I had some problems with the ovpn software when I tried to use IP pools. Solution: set it static or use one pool with a range of 2 IPs.
Then of course you have to configure the ovpn client side.
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.10.0/24
I’d set the out-interface on that rule.
josu
14
Thanks!
I have this line now, but nothing. From the WAN it is not possible to telnet to port 1194. It works from the LAN.
These are my NAT rules:
[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade to-addresses=123.X.X.X
out-interface=ether1-gateway log=no log-prefix=""
1 chain=srcnat action=masquerade src-address=10.10.10.0/24
out-interface=ether1-gateway log=no log-prefix=""
Do I need to configure something else?
Kind regards.
Check /ip firewall filter
josu
16
Thanks pukkita,
This is what I have:
[admin@MikroTik] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""
1 ;;; default configuration
chain=input action=accept connection-state=established,related log=no log-prefix=""
2 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
3 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no log-prefix=""
4 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
5 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
6 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""
7 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 log=no
log-prefix=""
8 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no
log-prefix=""
9 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no
log-prefix=""
10 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix=""
11 ;;; OpenVPN
chain=input action=accept protocol=tcp in-interface=all-ethernet dst-port=1194 log=no log-prefix=""
Thanks and regards.
mrz
17
Add a rule in the input chain to allow ovpn before the drop rule.
josu
18
Thanks mrz,
How could I do that?
I tried from the web interface but I don’t know how to move the rule up.
Best regards.
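To make mrz's point concrete, here is an added example (written for this thread, not code from anyone posting here nor from MikroTik) that replays josu's posted `/ip firewall filter print` output the way RouterOS evaluates a chain: top-down, first matching terminating rule wins. It parses the print output as posted, including the wrapped continuation lines, then walks the input chain for a new TCP/1194 connection arriving on ether1-gateway and on a LAN port. The LAN interface name `ether2` and the treatment of the built-in `all-ethernet` list as "any interface named ether*" are assumptions for the example.

```python
import re

# The `/ip firewall filter print` output josu posted, copied as-is (including the
# wrapped continuation lines, which the parser has to re-join).
FILTER_PRINT = """
0 ;;; default configuration
chain=input action=accept protocol=icmp log=no log-prefix=""
1 ;;; default configuration
chain=input action=accept connection-state=established,related log=no log-prefix=""
2 ;;; default configuration
chain=input action=drop in-interface=ether1-gateway log=no log-prefix=""
3 ;;; default configuration
chain=forward action=accept connection-state=established,related log=no log-prefix=""
4 ;;; default configuration
chain=forward action=drop connection-state=invalid log=no log-prefix=""
5 ;;; default configuration
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""
6 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""
7 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 log=no
log-prefix=""
8 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no
log-prefix=""
9 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no
log-prefix=""
10 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix=""
11 ;;; OpenVPN
chain=input action=accept protocol=tcp in-interface=all-ethernet dst-port=1194 log=no log-prefix=""
"""

TERMINAL = {"accept", "drop", "reject"}          # actions that end chain evaluation
IGNORE = {"id", "comment", "chain", "action", "log", "log-prefix",
          "address-list", "address-list-timeout"}  # bookkeeping/action params, not matchers

def parse_filter_print(text):
    """Parse print output into a list of {field: value} dicts in chain order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        head = re.match(r"(\d+)\s*(.*)", line)
        if head:                                   # "N ;;; comment" or "N key=value ..."
            rules.append({"id": int(head.group(1)), "comment": ""})
            line = head.group(2)
            if line.startswith(";;;"):
                rules[-1]["comment"], line = line[3:].strip(), ""
        elif not rules:
            continue                               # header lines before the first rule
        for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
            rules[-1][key] = val.strip('"')
    return rules

def rule_matches(rule, pkt):
    """Every matcher present in the rule must hold for the packet."""
    for key, want in rule.items():
        if key in IGNORE:
            continue
        have = pkt.get(key)
        if key == "in-interface" and want == "all-ethernet":
            ok = str(have).startswith("ether")    # assumed stand-in for the built-in interface list
        elif key == "connection-state":
            ok = have in want.split(",")
        elif key == "src-address-list":
            ok = want in pkt.get("address-lists", ())
        elif want.startswith("!"):
            ok = have != want[1:]
        else:
            ok = have == want
        if not ok:
            return False
    return True

def first_match(rules, pkt):
    """RouterOS walks a chain top-down and stops at the first matching terminating
    rule; non-terminating actions such as add-src-to-address-list fall through."""
    for rule in rules:
        if rule["chain"] == pkt["chain"] and rule["action"] in TERMINAL and rule_matches(rule, pkt):
            return rule["id"], rule["action"]
    return None, "accept"                          # unmatched chain: RouterOS accepts

def move_rule(rules, number, destination):
    """Model `/ip firewall filter move <number> <destination>`: re-insert the rule
    in front of the rule currently printed as <destination>."""
    rules = list(rules)
    moved = rules.pop(next(i for i, r in enumerate(rules) if r["id"] == number))
    rules.insert(next(i for i, r in enumerate(rules) if r["id"] == destination), moved)
    return rules

# Constructed packets: a new OpenVPN TCP connection from the WAN (ether1-gateway, as in
# the print output) and from the LAN (the LAN interface name "ether2" is assumed).
WAN_SYN = {"chain": "input", "protocol": "tcp", "dst-port": "1194", "connection-state": "new",
           "in-interface": "ether1-gateway", "address-lists": set()}
LAN_SYN = dict(WAN_SYN, **{"in-interface": "ether2"})

def diagnose(text=FILTER_PRINT):
    """Verdict (rule id, action) per packet, before and after moving rule 11 above rule 2."""
    rules = parse_filter_print(text)
    return {"wan_before": first_match(rules, WAN_SYN),
            "lan_before": first_match(rules, LAN_SYN),
            "wan_after": first_match(move_rule(rules, 11, 2), WAN_SYN)}
```

`diagnose()` shows why telnet worked from the LAN but not from the WAN: the LAN packet skips rule 2 (wrong in-interface) and reaches rule 11, while the WAN packet is dropped by rule 2 before rule 11 is ever consulted. On the router the equivalent of `move_rule(rules, 11, 2)` is `/ip firewall filter move 11 2`; the same result comes from adding the accept rule with `place-before=2` instead of appending it.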