invader zog
Frequent Visitor
Topic Author
Posts: 84
Joined: Wed Jan 03, 2007 9:04 pm

OpenVPN woes...

Wed Jun 02, 2010 2:44 am

I'm reasonably familiar with the configuration of OpenVPN client/server on windows/Linux. We have a Linux VM running right now that is serving as an OpenVPN server. I was hoping that I could decommission the server and migrate the functionality to the Mikrotik.

I've been running into some walls getting my preliminary attempts at a simple configuration working using a windows client. My current simple config is still a ways off from what I was actually trying to accomplish. Before I spend a bunch more time banging my head on the wall, I was hoping someone could verify if Mikrotik OpenVPN supports the following setup:

Front network: routable.ip.address
Back network: 10.0.x.x

When clients VPN in, I'd like to assign them a 192.168.8.x IP with the MT acting as 192.168.8.1. Some people will get dynamic IPs that can access everything in 10.0.x.x and some people will be issued static IPs. I'd like to be able to write FW rules that enable only access to certain IPs/ports.

I'd also like to be able to enable a "point to point" connection where only a certificate and no UN/PW is required for traffic from a specific IP.

Can anyone verify whether MT can support this?
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: OpenVPN woes...

Wed Jun 02, 2010 1:59 pm

Yes, RouterOS can assign a routable IP address to the client.
In the ppp profile you can specify a firewall chain and use it to block unwanted packets for specific users.
Client-side certificate verification is also supported.
 
invader zog
Frequent Visitor
Topic Author
Posts: 84
Joined: Wed Jan 03, 2007 9:04 pm

Re: OpenVPN woes...

Wed Jun 02, 2010 8:02 pm

> Yes, RouterOS can assign routable IP address to the client.
> In ppp profile you can specify firewall chain and use it to block unwanted packets for specific users.
> Client side certificate verification is also supported.

Thanks for the information!

What documentation/resources would you recommend for getting OpenVPN set up? I've found the Wiki, but I was having trouble getting windows clients to connect.

I found this post:

http://forum.mikrotik.com/viewtopic.php?f=2&t=36987

and it resolved the problem I was having getting windows clients to connect to it. It really is kind of a pain in the ass though (i.e. having to set up a whole series of IP pools).

I've managed to get a VPN connection established and have ping connectivity, but for some reason haven't managed to get TCP based connectivity working (i.e. telnet, http, smtp), but I assume that may be some other sort of FW rule/issue.

Here is the config I am using so far. I'd really like to just assign the router 192.168.9.1 and define a pool of IPs (i.e. 192.168.9.2-100) for dynamic assignments.

[ian@MikroTik] /ppp profile> print

Flags: * - default
0 * name="default" use-compression=default use-vj-compression=default
use-encryption=default only-one=default change-tcp-mss=yes

1 name="your_profile" local-address=192.168.9.1 remote-address=ovpn-pool
use-compression=default use-vj-compression=default
use-encryption=required only-one=default change-tcp-mss=default

2 * name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes

[ian@MikroTik] /ip pool> print
# NAME RANGES
0 back-pool1 192.168.9.1-192.168.9.2
1 back-pool2 192.168.9.5-192.168.9.6
2 back-pool3 192.168.9.9-192.168.9.10

[ian@MikroTik] /interface ovpn-server server> print
enabled: yes
port: 1194
mode: ip
netmask: 27
mac-address: FE:92:EF:66:F1:92
max-mtu: 1500
keepalive-timeout: disabled
default-profile: your_profile
certificate: server
require-client-certificate: yes
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256
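The following RouterOS configuration is an added example, not the poster's config or anything from MikroTik. It lays out the setup asked about in the first post (a single dynamic pool behind 192.168.9.1, fixed addresses for selected users, and firewall rules that limit what each group can reach) using the ppp-profile firewall chain that mrz mentions. The names ovpn-pool, ovpn-dynamic, ovpn-static, ovpn-dyn-in, ovpn-static-in, the users alice and bob, the host 10.0.1.10 and its ports are all constructed assumptions; the netmask is widened from the poster's /27 to /24 so the pool and the static address fit in one subnet. The single pool is the layout the poster wanted; the thread itself reports that Windows clients of that era needed the paired /30-style pools shown above, so client behaviour is not a claim made here. RouterOS hands packets from a client to the profile's incoming-filter chain through a chain named ppp, which is why the forward chain jumps to ppp.

```routeros
# Added example (not the poster's or MikroTik's config). Names, users,
# the 10.0.1.10 host and ports are constructed assumptions.

# One pool for dynamic clients; the router side of every tunnel is 192.168.9.1.
/ip pool
add name=ovpn-pool ranges=192.168.9.2-192.168.9.100

# Profiles: incoming-filter names the firewall chain that receives every
# packet arriving from a client that uses the profile.
/ppp profile
add name=ovpn-dynamic local-address=192.168.9.1 remote-address=ovpn-pool \
    use-encryption=required change-tcp-mss=yes incoming-filter=ovpn-dyn-in
add name=ovpn-static local-address=192.168.9.1 \
    use-encryption=required change-tcp-mss=yes incoming-filter=ovpn-static-in

# Accounts: alice draws from the pool, bob always gets 192.168.9.200 so that
# firewall rules can refer to him by address. Passwords are placeholders.
/ppp secret
add name=alice password=CHANGE-ME service=ovpn profile=ovpn-dynamic
add name=bob password=CHANGE-ME service=ovpn profile=ovpn-static \
    remote-address=192.168.9.200

/ip firewall filter
# Forwarded traffic must be handed to the ppp chain for the per-profile
# incoming-filter chains to see anything at all.
add chain=forward action=jump jump-target=ppp
# Dynamic users: the whole back network, nothing else.
add chain=ovpn-dyn-in dst-address=10.0.0.0/16 action=accept
add chain=ovpn-dyn-in action=drop
# Static users: only SMTP and HTTP to one internal host.
add chain=ovpn-static-in dst-address=10.0.1.10 protocol=tcp dst-port=25,80 \
    action=accept
add chain=ovpn-static-in action=drop

# Server: client certificates required, md5 and blowfish dropped from the
# negotiable set, /24 so pool and static address share one subnet.
/interface ovpn-server server
set enabled=yes port=1194 mode=ip netmask=24 default-profile=ovpn-dynamic \
    certificate=server require-client-certificate=yes \
    auth=sha1 cipher=aes128,aes192,aes256
```

Once a client is connected, /ip firewall filter print shows a dynamic rule under the ppp chain that jumps from that client's interface into its profile's incoming-filter chain, which is the quickest way to confirm the per-user restriction is actually in the path.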
 
invader zog
Frequent Visitor
Topic Author
Posts: 84
Joined: Wed Jan 03, 2007 9:04 pm

Re: OpenVPN woes...

Thu Jun 03, 2010 2:22 am

I ended up getting this config to work. The problem was that 192.168.0.0 was defined as an invalid IP address in some of the FW rules.

Unfortunately, this config feels very "gimped". The apparent need to manually create a series of address pools, lack of compression, need to create all certificates/etc. outside of the system, etc. have led me to stick with our current implementation (i.e. a standalone Linux server running a traditional OpenVPN instance)...
 
daniuser
just joined
Posts: 12
Joined: Mon Apr 12, 2010 1:11 am

Re: OpenVPN woes...

Fri Aug 13, 2010 2:22 pm

I have a couple of questions regarding openvpn in mikrotik:

1) Should each client have a different certificate and username/password or should all of them have the same certificate and a different username/password?
2) If I use different certificates for each client and a different username what do I do when I want to deny someone access to the server? I disable/delete the username but what do I do about the certificate?
