OpenVPN Server

Hi,

I am starting with my mikrotik and I saw in the configuration that it was possible to create an OpenVPN server.

Internet service providers in my country do not necessarily deliver a public IPv4 address to each subscriber. This solution could be suitable for my clients.

I had echoes of a provider having had problems with this service on mikrotik.

Do you have an opinion on OpenVPN on MikroTik? Do you have conclusive experiences? Is it hard to configure?

Thanks

ASYmpTON

My personal experience with the OpenVPN server in RouterOS has been very good.

As long as the server side has a public IPv4 address (fixed is preferable but using FQDN and dynamic DNS can also work) then OpenVPN is a great way to get around the problem of ISPs using CG-NAT and not giving customers a public IPv4 address (a very common issue with mobile broadband providers).

The actual configuration isn’t very difficult but you do need to create certificates for the server and clients (this can be done directly on the MikroTik) and create a client configuration file.

I have attached the instructions I wrote (and have tested) for you to look at (they assume your MikroTik is directly connected to the Internet). If you have any questions about the configuration I used, I’d be happy to try and answer them.
MikroTik OpenVPN Configuration.pdf (162 KB)

@MickeyT

I am stuck at step 7 (Remove Password from Client Key). I should get the MikroTikCA, Client1 and which one is the client key, please? How do I download them? In the files list I see only two files:

  • cert_export_Client1.crt
  • cert_export_Client1.key

Which ones do I need?

You need both of those files but the password is only on the cert_export_Client1.key file. So the files you download are:

  • cert_export_MikroTikCA.crt (The MikroTik CA certificate file)
  • cert_export_Client1.crt (The client certificate file)
  • cert_export_Client1.key (The client private key file)

You then want to remove the password from cert_export_Client1.key with the command (This is done on a computer with OpenSSL installed rather than on the MikroTik):

openssl rsa -in cert_export_Client1.key -out cert_export_Client1.nopass.key

Linux computers will already have OpenSSL installed but, if you’re on a Windows computer, you can download OpenSSL from OpenSSL Wiki - Binaries or use Cygwin.
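The passphrase-removal step above, as an added worked example that is not MickeyT's instructions or MikroTik's own tooling: it generates a throwaway encrypted RSA key to stand in for cert_export_Client1.key, runs the same openssl rsa command non-interactively, and then checks two things a practitioner wants to confirm before copying the file to a client: that the output really is unencrypted, and that it still carries the same key material as the original. The file names, the passphrase and the working directory are constructed for the demo.

```shell
#!/bin/sh
# Added example: strip the passphrase from an OpenVPN client key and verify it.
# The key, passphrase and file names below are constructed for this demo;
# they are not the files exported from the MikroTik in the thread.
set -eu

WORK="${TMPDIR:-/tmp}/ovpn-key-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the exported, passphrase-protected client key.
make_encrypted_key() {
    openssl genrsa -aes256 -passout pass:demo-passphrase \
        -out "$WORK/client.key" 2048 2>/dev/null
}

# Same command as the post; -passin only avoids the interactive prompt.
strip_passphrase() {
    openssl rsa -in "$WORK/client.key" -passin pass:demo-passphrase \
        -out "$WORK/client.nopass.key" 2>/dev/null
}

# Returns 0 if the PEM file is still encrypted (both the legacy
# "Proc-Type: 4,ENCRYPTED" header and "BEGIN ENCRYPTED PRIVATE KEY" match).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Returns 0 if the encrypted and the plaintext key share one RSA modulus,
# i.e. nothing but the passphrase was removed.
keys_match() {
    m1=$(openssl rsa -in "$1" -passin pass:demo-passphrase -noout -modulus 2>/dev/null)
    m2=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$m1" ] && [ "$m1" = "$m2" ]
}

make_encrypted_key
strip_passphrase
# The plaintext key is now the only thing protecting the client identity,
# so restrict who can read it before it goes anywhere.
chmod 600 "$WORK/client.nopass.key"

if key_is_encrypted "$WORK/client.nopass.key"; then
    echo "passphrase removal failed" >&2
    exit 1
fi
keys_match "$WORK/client.key" "$WORK/client.nopass.key" && echo "key decrypted and verified"
```

Because the unencrypted key is a credential in its own right, treat the .nopass.key file like a password: copy it to the client over a trusted channel and delete any stray copies afterwards.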

Hi,

A big thank you, it works perfectly.

I just had to add the ‘remote-cert-tls server’ option in the client.ovpn files and it worked perfectly.

Thank you so much.

You’re welcome. I’m pleased to hear that you got it all working.

I haven’t come across the need for the “remote-cert-tls server” line in the client config file before, but thank you for letting me know about it. Out of curiosity, what version of RouterOS are you using? The instructions I wrote were for RouterOS 6.47.10 so I wonder if the additional line is needed in the newer versions (I haven’t had a chance to check yet).

Can anyone spot what’s missing or incorrect and causing my OpenVPN configuration to fail?

I have a Mikrotik HAP-AC as my main router, and a static public IP address from my ISP.
My home network runs on addresses 172.28.16.0/24. The router itself is .1. I have reserved a bunch of static IP addresses for access points, NAS, printers, etc. between .2 and .63; there’s a general DHCP address pool from .64 to .199; and I’ve reserved a third pool, vpnpool, for OpenVPN connections from .200 to .210.

I set up a PPP profile called ovpn, with local address 172.28.16.1 and remote address vpnpool, and suitable DNS server addresses.

I have added PPP secret entries for authorised users, with userids and passwords and specifying the ovpn profile.

I have created a CA certificate, a server certificate, and a client certificate/key.

I’ve enabled the OpenVPN server with the relevant ovpn profile and server certificate.

I’ve downloaded the certificates and key files and copied them to a folder on my Android phone, along with a “secret” file that has my userid/password as defined in the PPP secret, and an ovpn configuration file as follows:

dev tun
proto tcp-client
remote <my static IP>
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca CA.crt
cert PHClient.crt
key PHClient.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache

I’m using the OpenVPN Connect app (https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en_GB&gl=US). The connection gets established, and my phone gets an IP address from the vpnpool. But I can’t access anything on the LAN. When I try to scan the LAN (using Net Analyzer app) I see only the addresses of the router at .1, one of my printers at (static) .34, and a robot vacuum - of all things - at a DHCP address. When I check the phone’s IP configuration I see there is no gateway address, although DNS servers are as expected. There’s nowhere I can see to explicitly specify the gateway address in the configuration, though I’d expect the server to have supplied it to the client along with DNS addresses.

I must be missing something, but what?

I found a fix, or more likely a work-around, which has resolved the issue for me.
I set the bridge to “proxy-arp” rather than “arp”. I now have visibility of all LAN devices when connected via OpenVPN.
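The server-side steps described in the last two posts (pool, PPP profile, PPP secret, OpenVPN server, and the proxy-arp fix), collected into one RouterOS CLI example. This is added here for illustration and is not the poster's own exported configuration; the bridge name, certificate name, DNS server, user name and placeholder password are assumptions, and the 172.28.16.x addresses are the ones given in the post.

```routeros
# Added example (not the poster's or MikroTik's own config): the server side
# of the setup described in the thread. Names marked as assumed are not from
# the page.

# Addresses handed to OpenVPN clients, taken from the poster's LAN range.
/ip pool
add name=vpnpool ranges=172.28.16.200-172.28.16.210

# PPP profile: router's LAN address as local end, clients drawn from vpnpool.
# dns-server value is assumed (the post only says "suitable DNS server addresses").
/ppp profile
add name=ovpn local-address=172.28.16.1 remote-address=vpnpool dns-server=172.28.16.1

# One secret per authorised user; name and password are placeholders.
/ppp secret
add name=vpnuser1 password=CHANGE-ME profile=ovpn service=ovpn

# OpenVPN server bound to the ovpn profile. Certificate name is assumed.
# auth/cipher match the client file in the post (auth SHA1, cipher AES-256-CBC);
# require-client-certificate makes the server check the client cert against the CA
# that issued the server certificate, not just the user/password.
/interface ovpn-server server
set enabled=yes port=1194 mode=ip netmask=24 certificate=ServerCert \
    require-client-certificate=yes auth=sha1 cipher=aes256 default-profile=ovpn

# The fix from the last post. Clients get addresses inside the LAN subnet but
# are not bridge ports, so LAN hosts ARP for them on the bridge and nobody
# answers. proxy-arp makes the router answer on the clients' behalf, so traffic
# for .200-.210 reaches the router and is forwarded into the tunnel.
/interface bridge
set [ find name=bridge ] arp=proxy-arp
```

The proxy-arp setting is what makes an out-of-bridge address pool look like part of the LAN; the alternative is to give the VPN pool its own subnet outside 172.28.16.0/24 and let the router route between them, which avoids the ARP proxying altogether but changes the addressing the poster chose.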