Yet Another OpenVPN question (working with certificates)

I have a working Linux OpenVPN server and I’m trying to set up RouterOS (actually, ten of them :-) as clients. I haven’t found any documentation, except the wiki article famous on this forum for being unprofitable (gotchas like udp on the Linux server for RouterOS are not so funny).

My server config is:

port 1194
proto tcp
dev tun0

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

client-config-dir ccd

server 172.16.100.0 255.255.255.248

route 172.16.1.0 255.255.255.248
route 10.1.0.0 255.255.255.0
route 10.1.1.1 255.255.255.0

push "route 192.168.1.0 255.255.255.0"

keepalive 10 30
comp-lzo
max-clients 700
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append      /var/log/openvpn.log
verb 3

The client-config-dir file for this client also adds:

iroute 172.16.1.0 255.255.255.248
iroute 10.1.0.0 255.255.255.0
iroute 10.1.1.1 255.255.255.0

So… what’s the proper way to configure RouterOS as a client here? From all I’ve read it should go like this:

/interface ovpn-client 
  add name="ovpn-out1" connect-to=my-server port=1194 mode=ethernet user="username" password="password" profile=default certificate=vpngate-client cipher=aes256 add-default-route=no

I’m not sure what these mean:

  1. user
  2. password
  3. profile (guess this is routeros specific?)
  4. certificate (is this client certificate or ca certificate or what?)

I would be very thankful if somebody pointed me in the right direction (documentation, a working example - I need a Linux server and RouterOS clients, I don’t care about configs, UDP over TCP flamewars, LZO and so on).

Thanks,
js

I’m not sure what these mean:

  1. user
  2. password
  3. profile (guess this is routeros specific?)
  4. certificate (is this client certificate or ca certificate or what?)

I would be very thankful if somebody pointed me in the right direction (documentation, a working example - I need a Linux server and RouterOS clients, I don’t care about configs, UDP over TCP flamewars, LZO and so on).

  1. user is the username you’d use to log into the VPN server
  2. password is the password you’d use to log into the VPN server
  3. profile is the PPP profile to use (see “/ppp profiles”) - default should work, I think.
  4. certificate is the client certificate that you need to upload if you are using one, and import via “/certificate import”

If you only use client certificates and no usernames and passwords, you can’t use RouterOS as a client. It requires at least username and password, and can optionally use a client certificate.

You should also set the mode to ‘ip’ (tun) instead of ‘ethernet’ (tap). As far as LZO goes - the wiki alludes to RouterOS not being able to use compression at least in a 3.0RC, so you may have to turn that off.

  1. user is the username you’d use to log into the VPN server
  2. password is the password you’d use to log into the VPN server

Ok, no certificates, that’s fair enough.

So I’ve reconfigured the OpenVPN server to allow connections with username/password (hope it works, no experience here).

But I still see some drawbacks in the RouterOS OpenVPN implementation:

  1. I cannot write a hostname, I need to specify an IP (which is rather stupid, as the OpenVPN documentation says that DNS is simple failover), but leave it, the more important one is:

  2. I don’t know how to import those certificates!

I’ve prepared ca.crt, client.crt and client.key, copied them with scp to the /files directory and tried to import. No success, I can import only the ca.crt, which is actually not needed (my guess). What kind of nightmare is this implementation :) ?? What kind of certificates does it need, decrypted, not using keys?

How are you trying to import? How does it fail?

I’m successfully using RSA certificates with passphrases (though not for VPN).

I'm generating keys using the easy-rsa scripts bundled with OpenVPN:

./build-key client

Then I copy them to the RouterBoard:

scp keys/client.crt  admin@172.16.1.2:/files
scp keys/client.key   admin@172.16.1.2:/files

I also copy the ca.crt file:

scp /etc/openvpn/ca.crt admin@172.16.1.2:/files

Yes, I've diffed ca.crt from the openvpn dir and the easy-rsa dir, they're the same ;)

Then I check that there is no other key yet:

[admin@MikroTik] /interface ovpn-client> /certificate print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa

Then I try to import them this way:

[admin@MikroTik] /interface ovpn-client> /certificate import file-name=files
passphrase: ********
     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

So far, so good, but certificate print shows only ca.crt imported:

[admin@MikroTik] /interface ovpn-client> /certificate print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0  D name="cert1" subject=C=US,ST=CA,L=SanFrancisco,O=Fort-Funston,CN=client,emailAddress=me@myhost.mydomain
      issuer=C=PL,ST=xxx,L=x,O=Fort-Funston,CN=myCAnamehere,emailAddress=root@ca
      serial-number="02" email=me@myhost.mydomain invalid-before=oct/07/2009 20:29:33
      invalid-after=oct/05/2019 20:29:33 ca=yes

So I guess there is an error somewhere up to this point, because the next command is not working:

[admin@MikroTik] /interface ovpn-client> add name=nas001 connect-to=my-vpn-here port=1194 mode=ethernet user="yeahitslate" password="reallylate" profile=default certificate=cert1  add-default-route=no
failure: no certificate found

There is no option to choose except cert1, and BTW: I cannot choose the ppp profile, I only have ethernet available.

What am I doing wrong now?

Ok, partial success - I abandoned the certificates and got the VPN link up. The hosts don’t see each other yet, but I may still have some bad entries / routing.

Ok, not done for today - now I have this Linux server config:

port 1194
proto tcp
dev tap

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

plugin /usr/lib64/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name

client-config-dir ccd

server 172.16.100.0 255.255.255.248

route 172.16.1.0 255.255.255.248
route 10.1.0.0 255.255.255.0
route 10.1.1.1 255.255.255.0

push "route 192.168.1.0 255.255.255.0"

keepalive 10 30
max-clients 700
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append      /var/log/openvpn.log
verb 3

RouterOS has the same configuration as previously. OpenVPN connects, but I cannot ping devices in the server’s 172.16.100.0 255.255.255.248 network (.1 and .2). I cannot do it even locally on RouterOS, but I can ping the local interface on Linux. Routes lead properly through the tap device.

What can I check if my interface cannot be pinged, even though it has an IP configured?

EDIT: answer - Netfilter…

Ok, so here is a short summary.

I wanted to set up a Linux OpenVPN server and a RouterOS OpenVPN client. There are some gotchas and this needs to be said:

  • RouterOS VPN client works only with TCP,
  • it doesn’t work with LZO compression,
  • it doesn’t resolve DNS queries (needs IP address instead of FQDN),
  • it doesn’t work with client certificates,
  • it doesn’t work with pre-shared keys.

Thankfully, it still strives to work :) Of course, the server needs certificates.

To configure the Linux server I needed:

port 1194
proto tcp
dev tap

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
plugin /usr/lib64/openvpn/openvpn-auth-pam.so login
client-cert-not-required
username-as-common-name
client-config-dir ccd
server 172.16.100.0 255.255.255.248
route 172.16.1.0 255.255.255.248
route 10.1.0.0 255.255.255.0
route 10.1.1.1 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 30
max-clients 700
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append      /var/log/openvpn.log
verb 3

and in the ccd directory:

iroute 172.16.1.0 255.255.255.248
iroute 10.1.0.0 255.255.255.0
iroute 10.1.1.1 255.255.255.0

EDIT: the code above should go into a file named "UsernameOnUnixServer" placed in the /etc/openvpn/ccd directory (or wherever the ccd directory from your config exists). The user name plays the same role as the CN (Common Name) of the certificate file (absent here) - see the directive “username-as-common-name”.

Ok, here goes the client (RouterOS) part:

/interface ovpn-client add name=VPN_Interface connect-to=xxxx port=1194 mode=ethernet user="UsernameOnUnixServer" password="123" profile=default-encryption add-default-route=no

Now I needed to add UsernameOnUnixServer on the Linux machine and set its password (123).

This should be enough to start. In my setup there are some issues with routing, but I haven’t checked them properly yet and expect them to be solved (static routing or OSPF).

There is also another gotcha: Linux generally doesn’t work well with tap interfaces (hope yours does). When applying local server routes/netfilter rules, check whether the interface hasn’t changed from tap0 to tap1 on OpenVPN restart.

Regards,
js

EDIT2: I also got the service working on a tun interface, now without any trouble (tap → tun).
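As an added check (not from this thread, nor from OpenVPN or RouterOS), a small Python lint that reads an OpenVPN server config plus its ccd files and flags the RouterOS-client gotchas summarised above: a non-TCP proto, comp-lzo, a tun/tap device that does not match mode=ip/ethernet on the RouterOS side, client-cert-not-required as a weakened authentication mode, route lines with host bits set, and iroutes without a matching server route. The sample config is constructed from the thread's final server config and ccd file; lint_for_routeros and parse_directives are hypothetical names.

```python
import ipaddress

def parse_directives(text):
    """Return [(directive, [args])] from OpenVPN config text; '#' and ';' start comments."""
    words = (raw.split('#', 1)[0].split(';', 1)[0].split() for raw in text.splitlines())
    return [(p[0], p[1:]) for p in words if p]

def lint_for_routeros(server_conf, ccd_files, routeros_mode):
    """Warnings for a server config + ccd files ({client: text}) serving RouterOS
    ovpn-clients configured with routeros_mode ('ip' for tun, 'ethernet' for tap)."""
    conf = parse_directives(server_conf)
    names = {k for k, _ in conf}
    first = lambda key, default: next((a[0] for k, a in conf if k == key and a), default)
    w = []
    proto = first('proto', 'udp')   # OpenVPN defaults to UDP when proto is absent
    if not proto.startswith('tcp'):
        w.append(f'proto {proto}: the RouterOS ovpn-client only speaks TCP')
    if 'comp-lzo' in names:
        w.append('comp-lzo: the RouterOS ovpn-client cannot use LZO compression')
    dev = first('dev', 'tun')
    expected = 'ethernet' if dev.startswith('tap') else 'ip'
    if routeros_mode != expected:
        w.append(f'dev {dev} needs mode={expected} on RouterOS, not mode={routeros_mode}')
    if 'client-cert-not-required' in names:
        w.append('client-cert-not-required: client identity rests on username/password alone')
    routes = set()   # kernel routes the server config installs towards the tun/tap device
    for k, a in conf:
        if k == 'route' and len(a) >= 2:
            net = ipaddress.IPv4Network((a[0], a[1]), strict=False)
            if str(net.network_address) != a[0]:
                w.append(f'route {a[0]} {a[1]}: host bits set, network is {net.network_address}')
            routes.add(net)
    for client, text in ccd_files.items():   # every iroute needs a matching server route
        for k, a in parse_directives(text):
            if k == 'iroute' and len(a) >= 2:
                net = ipaddress.IPv4Network((a[0], a[1]), strict=False)
                if net not in routes:
                    w.append(f'ccd/{client}: iroute {a[0]} {a[1]} has no matching route in server config')
    return w

# Constructed sample: the relevant lines of the thread's final server config and ccd file.
SERVER_CONF = """proto tcp
dev tap
client-cert-not-required
route 172.16.1.0 255.255.255.248
route 10.1.0.0 255.255.255.0
route 10.1.1.1 255.255.255.0
"""
CCD = {'UsernameOnUnixServer': 'iroute 172.16.1.0 255.255.255.248\n'
                               'iroute 10.1.0.0 255.255.255.0\niroute 10.1.1.1 255.255.255.0\n'}
```

Running lint_for_routeros(SERVER_CONF, CCD, 'ethernet') on the sample reports only the weakened auth mode and the host bits in route 10.1.1.1; the same config with mode 'ip' also reports the tap/ip mismatch.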

You should be able to make this work with a tun interface on the Linux side. On the RouterOS side you’d specify mode=ip instead of mode=ethernet.

Thanks fewi for your tips!

Yes, I tried a tun interface, but OpenVPN warned me that I was using inconsistent devices, inconsistent MTU, etc. So I corrected it; nevertheless, this is a very good tip as tun interfaces are much more polite on my system.

As far as RouterOS goes, I’m done for today, as I’ve cut myself off :) (BTW: what is Netfilter called in MikroTik? Excuse me, this is my first day of MikroTik ever). I’ll check in the next days.

Thank you very much for your patience.

js

Firewalling capabilities are available under “/ip firewall”. It has several subsections - for filtering, NAT and marking.