OVPN server failover

Hello
I have a working configuration of OVPN Server (Mikrotik) and Client (OpenVPN Gui@Windows).
I have generated certificates on the server, exported them, and used them with the client; it’s working fine.
In case this info is useful, the public IP is held by a fiber modem which does NAT on OVPN port to the Mikrotik on LAN side.

Now I want to fail over the Mikrotik router. The idea is to have a second identical Mikrotik, with a LAN VRRP IP, so if Mikrotik1 fails, the second one comes up. The problem comes with the certificate.
I have exported the CA and certificate from Mikrotik1 to Mikrotik2, and when I try to connect (to Mikrotik2), I get a message on the Mikrotik2 log.

How can I handle this situation?

OK, I got it working. Here is the procedure if someone has the same problem:

  • Export the CA on Mikrotik1 with a passphrase. It will generate 2 files (CA and key)
  • Copy the files to Mikrotik2, import the CA, and then the key to have the “K” flag set up
  • Generate a certificate for the OVPN server with the imported CA certificate as CA.
  • Use that certificate for OVPN server

So we have 2 machines with 2 different certificates, but using the same CA, and the ovpn client finds it cool.
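
The result described above (two servers, two different certificates, one CA, client accepts both) can be reproduced offline with OpenSSL. This is an added example, not part of the original post and not RouterOS commands; the names `shared-ca`, `router1`, `router2`, `other-ca` and `stranger` are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: all names and keys below are constructed test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA (stands in for the CA exported from Mikrotik1).
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a server certificate with its own key pair, signed by CA $2.
# Signing needs the CA private key, which is why the key file is
# imported on the second router in the procedure above.
issue_server() {  # $1 = server name, $2 = CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 30 \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# The client's check: does the server certificate chain to the one
# CA file the client trusts? Returns 0 when it does.
client_accepts() {  # $1 = server name, $2 = CA the client trusts
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint, to show the two server certificates differ.
fingerprint() {  # $1 = certificate name
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256
}

make_ca shared-ca
issue_server router1 shared-ca
issue_server router2 shared-ca
make_ca other-ca                 # an unrelated CA, for contrast
issue_server stranger other-ca

for s in router1 router2 stranger; do
  if client_accepts "$s" shared-ca; then
    echo "$s: accepted"
  else
    echo "$s: rejected"
  fi
  fingerprint "$s"
done
```

Because the CA private key now exists on both routers and in the export file, the export passphrase and the handling of that file protect every certificate the client will trust.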