
OpenVPN for Dummies I

Sun May 14, 2017 9:02 pm

Hi, it's my first post here and my English is not very elaborate, so please be patient.
Looking around for some hours for how to configure OpenVPN correctly, I didn't find a tutorial matching my beginner's needs.
In the end I got it to work by merging information from various websites. For sure it is not an expert's work, but it works for me and maybe for others.
As I am a beginner and coming from the Windows world (working with a GUI), I try to explain step by step with links and pictures, assuming that you use a Linux client machine (Debian) to generate the certificates.
This tutorial is mainly based on the resources for OpenVPN server on MikroTik devices that you can find here: MikroTik Tutorial 22 openvpn Einführung (in German, parts 22 to 26).
PLEASE NOTE: This configuration does NOT TUNNEL ALL THE TRAFFIC. Even the OpenVPN configuration setting "Seamless Tunnel" on Android phones has NO EFFECT. This configuration only lets you connect to your home LAN from outside.
My RouterOS version is 6.39.1.
Part II

1. CERTIFICATES - Generate the Certificates ( + + This is the minimum. If you need more certificates, the procedure is always the same.
a. Download Easy-RSA and follow the steps described in the document which you will find in the main folder.
In short:
b. Edit the vars.example file to fill in your specific information and rename it to vars.
c. From the easyrsa3 folder open a terminal and type ./easyrsa init-pki as this will generate a new folder where the certificates and keys are stored.
d. After that type ./easyrsa build-ca as this will build your ca (certificate authority - the topmost trunk of your certificate tree).
e. SERVER-CERTIFICATE: In the same terminal window you can now type ./easyrsa gen-req my_server which will generate a certificate request for your OpenVPN server.
f. Still in the same terminal, type ./easyrsa sign-req server my_server which signs the certificate. Otherwise it will not be valid.
g. CLIENT-CERTIFICATE: If you wish to generate client certificates too, and you will do the work on the same machine you have done so far, you only have to repeat steps e. ./easyrsa gen-req my_client to f. ./easyrsa sign-req server my_client

2. IMPORTING THE CERTIFICATES - Connect to your mikrotik using for example filezilla and transfer the following files to the certificates folder on your mikrotik:
a. ca.crt (/easyrsa3/pki/)
b. my_server.crt (/easyrsa3/pki/issued)
c. my_server_key (/easyrsa3/pki/private)
d. Login via browser or winbox to your mikrotik and go to system/certificates
e. Import the certificates. Search for your ca.crt file and type in the passphrase you entered during the generation of the certificate. Do not import the ca.key file. Then import your my_server.crt and your my_server_key. It should look like this:
3. OPENVPN-SERVER CONFIGURATION - IP-POOL - In the MikroTik web interface or Winbox GUI choose IP, then Pool. Add a new pool like this.
You can use whatever IP pool you like, but please be aware that the pool consists only of two IP addresses, the client one and the server one. The other sliders do not need configuration.

4. OPENVPN-SERVER CONFIGURATION - PROFILES - In the MikroTik web interface or Winbox GUI choose PPP, then the Profiles slider. Add a new profile with the following values.
For local and remote address enter the IP pool designed in the previous step. As DNS server enter your LAN DNS. The other fields and sliders do not need configuration.

Part II
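
Steps 1 and 2 above produce a CA, a server certificate and a client certificate and upload them to the router. As an added example (not part of the original post), the shell functions below use openssl to confirm before uploading that each certificate chains to ca.crt, carries the extended key usage for its role (Easy-RSA sets this from the type given to sign-req), and that the server key matches the server certificate. The function names are illustrative, and the Easy-RSA 3 layout with private keys stored as NAME.key is assumed.

```sh
#!/bin/sh
# Added example (not from the original post): checks to run on the Easy-RSA
# output before uploading it to the router. Assumes the Easy-RSA 3 layout:
# pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key.

# check_role CA CERT ROLE: succeeds if CERT chains to CA and may act as ROLE.
# ROLE "server"/"client" maps to openssl's sslserver/sslclient purpose, which
# rejects a certificate whose extendedKeyUsage lacks the matching usage.
check_role() {
    ca=$1; cert=$2; role=$3
    case $role in
        server|client) ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    openssl verify -CAfile "$ca" -purpose "ssl$role" "$cert" >/dev/null 2>&1
}

# key_matches CERT KEY: succeeds if KEY is the private key for CERT.
# For a passphrase-protected key, set KEY_PASSIN (e.g. KEY_PASSIN=env:MYPASS).
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout \
        -passin "${KEY_PASSIN:-pass:}" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# run_check LABEL CMD...: prints OK/FAIL and counts failures in $fails.
run_check() {
    label=$1; shift
    if "$@"; then echo "OK   $label"
    else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# audit_pki PKI_DIR SERVER_NAME CLIENT_NAME: returns the number of failed checks.
audit_pki() {
    pki=$1; srv=$2; cli=$3; fails=0
    run_check "$srv.crt is signed by ca.crt and valid as TLS server" \
        check_role "$pki/ca.crt" "$pki/issued/$srv.crt" server
    run_check "$cli.crt is signed by ca.crt and valid as TLS client" \
        check_role "$pki/ca.crt" "$pki/issued/$cli.crt" client
    run_check "$srv.key matches $srv.crt" \
        key_matches "$pki/issued/$srv.crt" "$pki/private/$srv.key"
    return "$fails"
}

# Usage: sh audit_pki.sh easyrsa3/pki my_server my_client
if [ "$#" -eq 3 ]; then audit_pki "$@"; exit $?; fi
```

A client certificate signed with the server type is reported as FAIL by the second check; re-issuing it with the client type clears it.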