ASYmpTON
just joined
Topic Author
Posts: 2
Joined: Mon Aug 16, 2021 10:46 pm

OpenVPN Server

Mon Aug 16, 2021 10:50 pm

Hi,

I am starting with my MikroTik and I saw in the configuration that it was possible to create an OpenVPN server.

Internet service providers in my country do not necessarily deliver a public IPv4 address to each subscriber. This solution could be suitable for my clients.

I have heard of a provider that had problems with this service on MikroTik.

Do you have an opinion on OpenVPN on MikroTik? Do you have conclusive experiences? Is it hard to configure?

Thanks

ASYmpTON
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN Server  [SOLVED]

Tue Aug 17, 2021 4:09 pm

My personal experience with the OpenVPN server in RouterOS has been very good.

As long as the server side has a public IPv4 address (fixed is preferable but using FQDN and dynamic DNS can also work) then OpenVPN is a great way to get around the problem of ISPs using CG-NAT and not giving customers a public IPv4 address (a very common issue with mobile broadband providers).

The actual configuration isn't very difficult but you do need to create certificates for the server and clients (this can be done directly on the MikroTik) and create a client configuration file.

I have attached the instructions I wrote (and have tested) for you to look at (they assume your MikroTik is directly connected to the Internet). If you have any questions about the configuration I used, I'd be happy to try and answer them.
 
atuxnull
Frequent Visitor
Posts: 82
Joined: Tue Feb 07, 2017 10:02 pm

Re: OpenVPN Server

Tue Aug 24, 2021 12:45 pm

@MickeyT

I am stuck at step 7 (Remove Password from Client Key). I should get the MikrotikCA, Client1 and which one is the client key, please? How do I download them? In the files list I see only two files: cert_export_Client1.crt and cert_export_Client1.key.
Which ones do I need?
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN Server

Tue Aug 24, 2021 4:00 pm

You need both of those files but the password is only on the cert_export_Client1.key file. So the files you download are:
  • cert_export_MikroTikCA.crt (The MikroTik CA certificate file)
  • cert_export_Client1.crt (The client certificate file)
  • cert_export_Client1.key (The client private key file)

You then want to remove the password from cert_export_Client1.key with the command (This is done on a computer with OpenSSL installed rather than on the MikroTik):
openssl rsa -in cert_export_Client1.key -out cert_export_Client1.nopass.key

Linux computers will already have OpenSSL installed but, if you're on a Windows computer, you can download OpenSSL from OpenSSL Wiki - Binaries or use Cygwin.
 
ASYmpTON
just joined
Topic Author
Posts: 2
Joined: Mon Aug 16, 2021 10:46 pm

Re: OpenVPN Server

Wed Aug 25, 2021 11:00 pm

Hi,

A big thank you, it works perfectly.

I just had to add the 'remote-cert-tls server' option in the client.ovpn files and it worked perfectly.

Thank you so much.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: OpenVPN Server

Thu Aug 26, 2021 11:55 am

You're welcome. I'm pleased to hear that you got it all working.

I haven't come across the need for the "remote-cert-tls server" line in the client config file before, but thank you for letting me know about it. Out of curiosity, what version of RouterOS are you using? The instructions I wrote were for RouterOS 6.47.10 so I wonder if the additional line is needed in the newer versions (I haven't had a chance to check yet).
 
MarkScott
just joined
Posts: 5
Joined: Mon Jul 02, 2018 7:50 pm

Re: OpenVPN Server

Thu Sep 09, 2021 11:05 pm

Can anyone spot what's missing or incorrect and causing my OpenVPN configuration to fail?

I have a Mikrotik HAP-AC as my main router, and a static public IP address from my ISP.
My home network runs on addresses 172.28.16.0/24. The router itself is .1. I have reserved a bunch of static IP addresses for access points, NAS, printers, etc. between .2 and .63; there's a general DHCP address pool from .64 to .199; and I've reserved a third pool, vpnpool, for OpenVPN connections from .200 to .210.

I set up a PPP profile called ovpn, with local address 172.28.16.1 and remote address vpnpool, and suitable DNS server addresses.

I have added PPP secret entries for authorised users, with userids and passwords and specifying the ovpn profile.

I have created a CA certificate, a server certificate, and a client certificate/key.

I've enabled the OpenVPN server with the relevant ovpn profile and server certificate.

I've downloaded the certificates and key files and copied them to a folder on my Android phone, along with a "secret" file that has my userid/password as defined in the PPP secret, and an ovpn configuration file as follows:

dev tun
proto tcp-client
remote <my static IP>
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca CA.crt
cert PHClient.crt
key PHClient.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache

I'm using the OpenVPN Connect app (https://play.google.com/store/apps/deta ... n_GB&gl=US). The connection gets established, and my phone gets an IP address from the vpnpool. But I can't access anything on the LAN. When I try to scan the LAN (using Net Analyzer app) I see only the addresses of the router at .1, one of my printers at (static) .34, and a robot vacuum - of all things - at a DHCP address. When I check the phone's IP configuration I see there is no gateway address, although DNS servers are as expected. There's nowhere I can see to explicitly specify the gateway address in the configuration, though I'd expect the server to have supplied it to the client along with DNS addresses.

I must be missing something, but what?
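
Added example (not part of any post in this thread, and not MikroTik or OpenVPN code): a small Python audit of a client profile like the one posted above. It flags a missing 'remote-cert-tls server' line (the option added earlier in the thread), a SHA1/MD5 HMAC and a password kept in a file, and checks whether an exported private key is still passphrase-protected. The finding labels, SAMPLE_PROFILE and the hostname vpn.example.net are this example's own assumptions.

```python
# Added example: finding labels are this example's own, not OpenVPN/RouterOS output.

# Constructed sample based on the profile posted above (hostname is a placeholder).
SAMPLE_PROFILE = """\
dev tun
proto tcp-client
remote vpn.example.net
port 1194
tls-client
remote-cert-tls server
ca CA.crt
cert PHClient.crt
key PHClient.key
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
"""

def parse_profile(text):
    """Map each directive to its argument list; skip blanks and #/; comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def audit_profile(text):
    """Return the sorted finding labels for one client profile."""
    o = parse_profile(text)
    findings = []
    # Without a server-certificate check, any certificate issued by the same
    # CA (another client's included) is accepted as the server.
    if o.get("remote-cert-tls") != ["server"] and "verify-x509-name" not in o:
        findings.append("no-server-cert-check")
    if (o.get("auth") or [""])[0].upper() in ("SHA1", "MD5"):
        findings.append("legacy-hmac")
    # One argument means username and password are read from a plaintext file.
    if len(o.get("auth-user-pass", [])) == 1:
        findings.append("password-stored-in-file")
    return sorted(findings)

def key_is_encrypted(pem_text):
    """True if a PEM private key is passphrase-protected (legacy or PKCS#8)."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)
```

A key that has had its passphrase removed, and the 'secret' password file, are readable by anything that can read the folder they sit in, so they should be kept out of shared storage and backups.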
 
MarkScott
just joined
Posts: 5
Joined: Mon Jul 02, 2018 7:50 pm

Re: OpenVPN Server

Wed Sep 15, 2021 12:14 am

I found a fix, or more likely a work-around, which has resolved the issue for me.
I set the bridge to "proxy-arp" rather than "arp". I now have visibility of all LAN devices when connected via OpenVPN.
