The first steps work fine:
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2
However, when attempting to follow step 2 it errs out at the “sign template”. Help does not show that “template” should be used. However, I am not sure how to work around that.
AFAIK, the idea is to consult the specified URL in order to determine whether a certificate is revoked by the CA or not.
I’m not really sure what the protocol is, but seeing there’s an Apache module for it, I’m assuming it’s an HTTP flavor of sorts, so if you have an HTTPS server, it could probably act as a CRL for its own self-signed certificate. If you had your certificate issued by a 3rd party, they’d embed their own servers as CRLs, since after all, it’s up to them to block your certificate, should someone steal it or whatever.
I sincerely appreciate this help. I spent so much time working on this and now finally got the connection right. We will be using OpenVPN to connect to our network from the WAN side. Now I just need the final step to get the routing right too.
In the OpenVPN client config file I have specified "route 10.0.0.0 255.255.255.0", but I am not sure if this is adequate.
For connections from the WAN side, how should I set up the routing? I saw some solutions suggesting a NAT masquerade rule - or should I add the OpenVPN interface to the bridge? Or how will connecting clients get access to the units on the LAN (10.0.0.0)?
After connecting through the OpenVPN client (Windows), my routing table looks as below.
I don't understand the first line:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 10
Is it correct that, according to the above, everything is still sent to 192.168.0.1, i.e. the gateway on the LAN where the remote client is connected? If so, then I have achieved nothing.
The objective was that everything has to go through the VPN to 10.0.0.0.
Or does the below mean that everything for 10.0.0.0 goes through the VPN and anything else goes to the local gateway where the client is connected, 192.168.0.1?
192.168.100.xxx is the OpenVPN connection.
10.0.1.1 is the remote address where the MikroTik server is located.
10.0.0.0 is the LAN on the server side I wish to connect to.
192.168.0.xxx is the remote LAN where the Windows client is connected - connecting to 10.0.1.1 through the OpenVPN to get on LAN 10.0.0.0.
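To see what a Windows routing table actually does with a given destination, here is an added example (not from this thread or from MikroTik) that applies the longest-prefix-match rule to a constructed "route print" table: the default-route row is the one quoted in the post above, while the 10.0.0.0/24 row via a 192.168.100.1 gateway on the tunnel interface and the on-link rows are assumed values for illustration.

```python
import ipaddress

# Constructed sample of the IPv4 section of a Windows "route print" after an
# OpenVPN TUN client connects with "route 10.0.0.0 255.255.255.0" in its config.
# Only the 0.0.0.0 row comes from the post; the other rows are assumptions.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.100     10
         10.0.0.0    255.255.255.0    192.168.100.1   192.168.100.6     20
    192.168.100.0    255.255.255.0         On-link    192.168.100.6    276
      192.168.0.0    255.255.255.0         On-link    192.168.0.100    266
"""


def parse_route_print(text):
    """Turn the table rows into (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        # strict=False tolerates host bits set in the destination column
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, dst):
    """Pick the route Windows would use: longest prefix wins, then lowest metric.

    The 0.0.0.0/0 row matches everything, so it only carries traffic that no
    more specific row (such as 10.0.0.0/24) claims.
    """
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    net, gateway, iface, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"network": str(net), "gateway": gateway, "interface": iface}


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for host in ("10.0.0.50", "8.8.8.8", "192.168.0.7"):
        print(host, "->", lookup(table, host))
```

With that table, traffic for 10.0.0.0/24 leaves via the tunnel while everything else still follows the default route to the local gateway, which is the split-tunnel behaviour the post is asking about.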
I got a bit of a break, but still have a long way to go, I am afraid. I am totally new to OpenVPN.
I got access to the units on the server side by changing from IP/TUN to Ethernet/TAP and deleting the route in the client config file. So far so good, but I would like to revert back to TUN/IP to have more control and also to have the option that only the traffic designated for the “office” LAN goes through the VPN and other internet traffic just goes directly. As well, I would also like to limit access to specific IPs on the office LAN.
So any advice on how to set up the routing on the MikroTik VPN server is more than appreciated.