Hello everyone,
I need assistance migrating a complex OpenVPN setup from an older Debian Linux server to a new MikroTik CCR2116-12G-4S+ running RouterOS v7.19.4.
My Linux server is running multiple OpenVPN instances with two different authentication methods, and I want to replicate this setup correctly on the MikroTik.
Here is a summary of my configuration:
Part 1: TLS Server (with 'CCD' / User accounts)
This is my main server for remote users. It uses TLS certificates for authentication and a client-config-dir (CCD) to assign static IPs and push specific routes to clients.
Linux Server Config (tunus.conf):
log-append tunus.log
port 53002
proto udp
dev tunus
txqueuelen 250
script-security 3
ca tunus/keys/ca.crt
cert tunus/keys/server.crt
key tunus/keys/server.key
dh tunus/keys/dh2048.pem
server 192.168.32.0 255.255.255.0
client-config-dir tunus/ccd
keepalive 27 198
ping-timer-rem
tls-auth tunus/keys/ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 40
user nobody
group nogroup
persist-key
persist-tun
status tunus.status
verb 3
mute 100
Example CCD Config (/tunus/ccd/example-user): This file assigns a static IP and a route to the client example-user.
ifconfig-push 192.168.32.218 192.168.32.217
push "route 192.168.22.0 255.255.255.0"
Example Client Config (example-user.ovpn): This is a typical config file used by my clients (OpenVPN 3.3.7).
client
dev tun
proto udp
remote PUBLIC_IP.EXAMPLE.COM 53002
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
verb 3
key-direction 1
<ca>
[...content of ca.crt...]
</ca>
<cert>
[...content of user certificate (CN=example-user)...]
</cert>
<key>
[...content of user private key...]
</key>
<tls-auth>
[...content of ta.key...]
</tls-auth>
Files I have: I have all the necessary files from the Linux server: ca.crt, server.crt, server.key, dh2048.pem, ta.key, and all the individual client certificates/keys.
Part 2: Static Key (PSK) Servers (Site-to-Site)
I also run 8 simple site-to-site tunnels. These use dev tap (Layer 2) and a pre-shared static key (secret).
Example Linux Server Config (tap21.conf):
dev tap21
txqueuelen 250
# remote REMOTE_SITE_IP PORT
local MY_PUBLIC_IP_1
lport 49921
user nobody
group nogroup
secret ./tap2x/tap21.key
comp-lzo
ping 17
ping-restart 49
persist-tun
persist-key
cipher AES-256-CBC
verb 3
status tap21.status
log-append tap21.log
Other Instances: I have 7 other similar configs (tap22, tap23, tap24, tap31, tap32, tap33, tap34) all on different UDP ports (e.g., 49922, 49923, 49926, 49931-49936) and using different static key files.
Static Key (tap21.key): I have all 8 of these .key files.
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
[...content of static key...]
-----END OpenVPN Static key V1-----
My Questions for the Migration
TLS Server (tunus): What is the correct procedure to import the ca.crt , server.crt , server.key , and dh2048.pem into RouterOS 7? How do I configure the OVPN Server in PPP to use these files for authentication?
CCD / Secrets: How do I replicate the client-config-dir functionality? I need to assign a static IP (192.168.32.218) and push "route 192.168.22.0 255.255.255.0" to example-user. Is this done in PPP -> Secrets? Does the Name field in Secrets have to exactly match the client certificate's Common Name (CN)?
PSK Servers (tap): How do I create multiple OVPN Server instances for the 8 tap devices? Do I just create a new OVPN Server interface for each, set the Mode to ethernet, and paste the static key into the Static Key field?
comp-lzo: All my configs use comp-lzo. I've read RouterOS v7 does not support this. Is my only option to disable compression on the server and then remove the comp-lzo line from all client configs?
Firewall: What are the basic input chain firewall rules needed to allow traffic on these new UDP ports (53002 and the 499xx range)?
Any help, guides, or configuration examples would be greatly appreciated. I want to make sure I do this migration correctly.
BTW, clients only use OpenVPN client version 3.3.7; any other version gives an error about a wrong hashing method on the CA certificates.
Thank you!
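A migration helper for the CCD / Secrets and firewall questions above, added here as an example; it is not part of the original post and not MikroTik's or OpenVPN's own code. It parses the server config and the client-config-dir files, and emits RouterOS v7 CLI lines for the parts whose syntax does not depend on the exact 7.x release: certificate imports, a PPP profile, one PPP secret per CCD file (remote-address taken from ifconfig-push, named after the CCD file, which OpenVPN keys on the certificate CN) and one input-chain rule covering every UDP listener port. The OVPN server instance itself (mode, certificate, cipher) is left to be configured by hand. The sample inputs are constructed from the values in the post; the profile name ovpn-tunus and the CHANGE-ME password are placeholders. Note that routes= on a PPP secret installs routes on the router, it does not push them to the client, so pushed routes are recorded in the secret's comment for manual handling.

```python
"""Added example: turn OpenVPN server/CCD configs into RouterOS v7 CLI lines."""
from ipaddress import IPv4Network

# --- constructed sample input, mirroring the post's tunus.conf and CCD -------
SAMPLE_SERVER_CONF = """\
port 53002
proto udp
dev tunus
server 192.168.32.0 255.255.255.0
client-config-dir tunus/ccd
"""
SAMPLE_CCD = {
    "example-user": 'ifconfig-push 192.168.32.218 192.168.32.217\n'
                    'push "route 192.168.22.0 255.255.255.0"\n',
}
# tap2x/tap3x listener ports as listed in the post (constructed list)
SAMPLE_TAP_PORTS = [49921, 49922, 49923, 49926,
                    49931, 49932, 49933, 49934, 49935, 49936]
SAMPLE_CERT_FILES = ["ca.crt", "server.crt", "server.key", "dh2048.pem"]


def _tokens(line):
    """Split one OpenVPN config line into tokens, dropping comments and quotes."""
    return line.split("#", 1)[0].replace('"', "").split()


def parse_server_conf(text):
    """Extract port, protocol and tunnel subnet from an OpenVPN server config."""
    conf = {"port": 1194, "proto": "udp", "subnet": None}
    for line in text.splitlines():
        t = _tokens(line)
        if not t:
            continue
        if t[0] == "port":
            conf["port"] = int(t[1])
        elif t[0] == "proto":
            conf["proto"] = t[1].rstrip("46")  # udp4 / tcp6 -> udp / tcp
        elif t[0] == "server":
            conf["subnet"] = IPv4Network(f"{t[1]}/{t[2]}")
    return conf


def parse_ccd(text):
    """Return (client_ip, pushed_routes) from one client-config-dir file.

    In 'ifconfig-push A B' the first address is the client's tunnel IP and
    the second its peer endpoint; 'push "route NET MASK"' is a route the
    server tells the client to install.
    """
    client_ip, routes = None, []
    for line in text.splitlines():
        t = _tokens(line)
        if len(t) >= 2 and t[0] == "ifconfig-push":
            client_ip = t[1]
        elif len(t) >= 4 and t[0] == "push" and t[1] == "route":
            routes.append(str(IPv4Network(f"{t[2]}/{t[3]}")))
    return client_ip, routes


def compress_ports(ports):
    """Collapse a port list into RouterOS dst-port syntax, e.g. '49921-49923,49926'."""
    ports = sorted(set(ports))
    out, start, prev = [], ports[0], ports[0]
    for p in ports[1:] + [None]:
        if p is not None and p == prev + 1:
            prev = p
            continue
        out.append(str(start) if start == prev else f"{start}-{prev}")
        if p is not None:
            start = prev = p
    return ",".join(out)


def routeros_script(server, ccd_files, extra_udp_ports, cert_files,
                    profile="ovpn-tunus"):
    """Emit RouterOS v7 CLI lines for the parsed OpenVPN setup."""
    lines = []
    for f in cert_files:
        # The files must already be uploaded to the router (Files / SFTP).
        lines.append(f'/certificate import file-name={f} passphrase=""')
    # OpenVPN's 'server' directive gives the server the first host address.
    local = str(next(server["subnet"].hosts()))
    lines.append(f"/ppp profile add name={profile} local-address={local}")
    for name, text in sorted(ccd_files.items()):
        ip, routes = parse_ccd(text)
        cmd = (f'/ppp secret add name="{name}" service=ovpn profile={profile} '
               f'password="CHANGE-ME"')  # placeholder: set a real password
        if ip:
            cmd += f" remote-address={ip}"
        if routes:
            # routes= on a secret is a server-side route, not a client push:
            # keep the pushed routes visible for manual handling instead.
            cmd += f' comment="client routes: {",".join(routes)}"'
        lines.append(cmd)
    ports = compress_ports([server["port"], *extra_udp_ports])
    lines.append(f'/ip firewall filter add chain=input protocol={server["proto"]} '
                 f'dst-port={ports} action=accept comment="OpenVPN listeners"')
    return lines


if __name__ == "__main__":
    srv = parse_server_conf(SAMPLE_SERVER_CONF)
    for line in routeros_script(srv, SAMPLE_CCD, SAMPLE_TAP_PORTS, SAMPLE_CERT_FILES):
        print(line)
```

Point the script at the real tunus.conf and the files in tunus/ccd, and review the output before pasting it into the terminal: the accept rule must sit above any drop rule in the input chain (use place-before= on the add), and each secret's password placeholder must be replaced, since an empty password would let anyone holding a valid client certificate log in with that name.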