This is a complete tutorial, tested and working. You can just copy-paste the commands. It would be good if the admins could copy it to the wiki pages.
Goal: Use a Mikrotik OVPN client connection as the gateway interface, so that your internet traffic is encrypted from prying eyes.
What we have:
- Mikrotik Router (in my case - RB951G-2HnD v6.6)
- OpenVZ VPS service (in my case - BuyVM with Ubuntu 12.04 LTS Server x64)
- Working internet connection (via Mikrotik Router)
TUTORIAL:
- Install Ubuntu 12.04 LTS on your VPS and start it
- Connect to the installed server over SSH (with PuTTY, for example)
- Log in as root
- On the command line:
apt-get update
apt-get dist-upgrade -y
apt-get install openvpn openssl udev
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
nano /etc/openvpn/easy-rsa/2.0/whichopensslcnf
change
else
cnf="$1/openssl.cnf"
fi
to
else
cnf="$1/openssl-1.0.0.cnf"
fi
save and exit
nano /etc/openvpn/easy-rsa/2.0/vars
change
export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa/2.0"
and
export KEY_SIZE=1024
to
export KEY_SIZE=2048
save and exit
Initialize the certificate authority and the public key infrastructure (PKI) by issuing the following commands in sequence:
cd /etc/openvpn/easy-rsa/2.0/
. /etc/openvpn/easy-rsa/2.0/vars
. /etc/openvpn/easy-rsa/2.0/clean-all
. /etc/openvpn/easy-rsa/2.0/build-ca
(After issuing the last command above, you’ll be prompted to enter some values.)
. /etc/openvpn/easy-rsa/2.0/build-key-server server
. /etc/openvpn/easy-rsa/2.0/build-key client
. /etc/openvpn/easy-rsa/2.0/build-dh
cd /etc/openvpn/easy-rsa/2.0/keys
cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn
cd /etc/openvpn/
nano openvpn.conf
type in:
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.0.0 255.255.255.0
cipher AES-256-CBC
user nobody
group nogroup
status /var/log/openvpn-status.log
log-append /var/log/openvpn
verb 3
mute 0
max-clients 100
keepalive 10 120
persist-key
persist-tun
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
save and exit
nano /etc/rc.local
type in:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source YOUR_VPS_IP
YOUR_VPS_IP is the external IP of your VPS
save and exit
nano /etc/sysctl.conf
remove the # from the line:
net.ipv4.ip_forward=1
save and exit
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/openvpn restart
cd /etc/openvpn/easy-rsa/2.0/keys
openssl rsa -in /etc/openvpn/easy-rsa/2.0/keys/client.key -out /etc/openvpn/easy-rsa/2.0/keys/client.pem
Connect to your server over SFTP (FileZilla, for example) and copy the /etc/openvpn/easy-rsa/2.0/keys folder to your local PC.
Reboot your installed Ubuntu server.
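A post-install check for the server side of the steps above, added here as an example and not part of the original post. Each check takes its input as an argument, so it can be fed live command output or captured text; it assumes the tutorial's values (VPN subnet 10.10.0.0/24, TCP 443, keys in /etc/openvpn).

```shell
#!/bin/sh
# Added example (not from the original post): checks that the VPS side of the
# tutorial is actually in the state the steps above should leave it in.
# Assumed values from the tutorial: VPN subnet 10.10.0.0/24, keys in /etc/openvpn.
VPN_NET="10.10.0.0/24"

# 1. Forwarding must be on, or clients connect but get no internet.
#    Argument: contents of /proc/sys/net/ipv4/ip_forward.
check_ip_forward() { [ "$1" = "1" ]; }

# 2. The three FORWARD rules and the SNAT rule from rc.local must all be loaded
#    (rc.local only runs at boot, hence the reboot step in the tutorial).
#    Arguments: output of `iptables-save`, public VPS IP.
check_firewall() {
    rules="$1"; vps_ip="$2"
    echo "$rules" | grep -q -- "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" || return 1
    echo "$rules" | grep -q -- "-A FORWARD -s $VPN_NET -j ACCEPT" || return 1
    echo "$rules" | grep -q -- "-A FORWARD -j REJECT" || return 1
    echo "$rules" | grep -q -- "-A POSTROUTING -s $VPN_NET -j SNAT --to-source $vps_ip"
}

# 3. A copy-pasted openvpn.conf often carries typographic quotes, and OpenVPN
#    then rejects the push line. U+201C/U+201D/U+2033 all start with bytes E2 80,
#    so a byte-level match works in any locale. Argument: path to openvpn.conf.
check_conf_quotes() { ! LC_ALL=C grep -q "$(printf '\342\200')" "$1"; }

# 4. server.crt must be signed by ca.crt and match server.key (needs openssl).
#    Argument: directory holding ca.crt, server.crt and server.key.
check_certs() {
    d="$1"
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -modulus -in "$d/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$d/server.key")" ]
}

# Run all checks against the live system: sh vps-check.sh YOUR_VPS_IP
if [ $# -eq 1 ]; then
    check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)" && echo "ip_forward: ok" || echo "ip_forward: OFF"
    check_firewall "$(iptables-save)" "$1" && echo "iptables: ok" || echo "iptables: rules missing"
    check_conf_quotes /etc/openvpn/openvpn.conf && echo "quotes: ok" || echo "quotes: curly quotes found"
    check_certs /etc/openvpn && echo "certs: ok" || echo "certs: chain or key mismatch"
fi
```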
- Start the WinBox application on your local PC
Open “Files”
Drag and drop ca.crt, client.crt and client.pem from your local PC into the Mikrotik File List window
Open “System → Certificates”
Import ca.crt, client.crt and client.pem
The CA will now be flagged “T” and the client certificate “KT”
Close “Certificates” and open it again, or you will get an error on the next step.
Rename your CA and client certificates to whatever you will remember.
Open “PPP”
Click “+” and “OVPN Client” there
Connect to: YOUR_VPS_IP
Port: 443
Mode: ip
User: client
Password:
Profile: default
Certificate: choose your client certificate (not CA)
Auth: sha1
Cipher: aes 256
Click “OK”
Now your OVPN connection should be up and running. If not, you made a mistake somewhere in the steps above.
Now you need to add a Mangle rule that selects which IP addresses get access to the VPN through the Mikrotik:
Go to IP → “Firewall” → “Mangle” tab and select “Add new”.
In “Chain”, select “prerouting”.
In “Src. Address”, enter the IP or IP range you want routed through the VPN connection.
In “Action”, select “mark routing”.
In “New Routing Mark”, enter any name for the routing mark, e.g. “OVPN”
Tick “Passthrough”
Click “OK”.
Next, you need to add routes for the new VPN connection:
Go to “IP” and then to “Routes” and “Add New”.
Dst. Address: has to be “0.0.0.0/0”.
Gateway: enter the name of the VPN connection you created, e.g. “OVPN”
Routing Mark: select the routing mark you created before. (OVPN)
Click “OK”.
Add Masquerade for this OpenVPN connection:
Go to the “IP” tab and select “Firewall”, then “NAT”.
In “Chain”, select “srcnat”, and check the “Enabled” checkbox.
In “Out. Interface”, select the name of the OpenVPN connection you just created and check the box.
In “Action”, select “Masquerade”.
Click “OK”.
If you have a firewall, you will need to accept TCP port 443 on the OVPN out-interface in chain “output”, and all ports on the OVPN out-interface in chain “forward”.
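The same router configuration as RouterOS v6 terminal commands, generated by a small shell script; this is an added example, not part of the original post. It assumes the interface and routing mark are both named “OVPN”, the imported client certificate is named “client”, and the router's own firewall filter rules are left to you.

```shell
#!/bin/sh
# Added example (not from the original post): prints the RouterOS v6 CLI
# equivalent of the WinBox steps above, ready to paste into the router terminal.
# Assumptions: interface and routing mark named "OVPN", client certificate
# imported under the name "client", tutorial values for port/auth/cipher.
# Usage: sh mikrotik-ovpn.sh YOUR_VPS_IP LAN_SRC_CIDR

# Minimal dotted-quad check, so a typo does not end up as a bad route or rule.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(echo "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# Arguments: public VPS IP, source address or CIDR to send through the tunnel.
mikrotik_ovpn_commands() {
    vps_ip="$1"; lan="$2"
    is_ipv4 "$vps_ip" || { echo "bad VPS IP: $vps_ip" >&2; return 1; }
    is_ipv4 "${lan%/*}" || { echo "bad LAN address: $lan" >&2; return 1; }
    cat <<EOF
/interface ovpn-client add name=OVPN connect-to=$vps_ip port=443 mode=ip user=client profile=default certificate=client auth=sha1 cipher=aes256
/ip firewall mangle add chain=prerouting src-address=$lan action=mark-routing new-routing-mark=OVPN passthrough=yes
/ip route add dst-address=0.0.0.0/0 gateway=OVPN routing-mark=OVPN
/ip firewall nat add chain=srcnat out-interface=OVPN action=masquerade
EOF
}

if [ $# -eq 2 ]; then
    mikrotik_ovpn_commands "$1" "$2"
fi
```

The order matters on the router exactly as in the WinBox steps: the OVPN client interface must exist before the route and NAT rules can reference it.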
That’s all. If you followed all the steps, every device whose IP or IP range you entered in the Mangle rule will reach the internet via your OVPN tunnel, and its external IP will be YOUR_VPS_IP.
Hope you like it. If you have any suggestions, corrections or questions, please write in this topic.
(c) Enot