Skip to main content

Enable OpenVPN Server on MikroTik RouterOS

·
Table of Contents

This article will be more networking-oriented. We’ll enable an OpenVPN server on MikroTik RouterOS, and we’ll do so on the router with the shortest of names, the MikroTik RB4011iGS+5HacQ2HnD-IN . It should work on other MikroTik routers as well. We’ll be using RouterOS console in this article, but you should be able to do this with Webfig or Winbox too.

Generate CA and Certificates #

To use OpenVPN securely, we’ll need certificates. Change the values (my_ca_name and 10.0.0.1) below to match your desired configuration! First, we’ll generate the certificate authority (CA):

/certificate
add name=my_ca_name common-name=my_ca_name key-usage=cert-sign,crl-sign
sign my_ca_name ca-crl-host=my_router_ip_address name=my_ca_name
export-certificate my_ca_name

The above commands will do the following:

  1. Add a new CA certificate called my_ca_name
  2. Sign the certificate
  3. Export the certificate as my_ca_name

Next, we’ll generate the certificate for our VPN (change the values my_vpn_server, my_user, my_ca_name and please_use_a_good_passphrase):

/certificate
add name=my_vpn_server common-name=my_vpn_server
add name=my_user common-name=my_user
sign my_vpn_server ca=my_ca_name name=my_vpn_server
sign my_user ca=my_ca_name name=my_user
export-certificate export-passphrase=please_use_a_good_passphrase my_user

These commands will:

  1. Add a new server certificate called my_vpn_server
  2. Add a new user certificate called my_user
  3. Sign both certificates
  4. Export the user certificate as my_user, with the passphrase: please_use_a_good_passphrase – change this!

Configure IP Pool, PPP Profile, and Login Credentials #

Create an IP pool called ovpn-pool with a range of IP addresses. In this example, we’ll use 10.0.1.100-10.0.1.200:

/ip
pool add name=ovpn-pool range=10.0.1.100-10.0.1.200

Create a PPP profile with associated PPP credentials (don’t forget to change these values: my_ppp_profile, 10.0.0.1, my_ppp_user, please_use_a_good_password to match your configuration):

/ppp
profile add name=my_ppp_profile local-address=10.0.0.1 remote-address=ovpn-pool dns-server=10.0.0.1
secret add name=my_ppp_user password=please_use_a_good_password profile=my_ppp_profile

Create OpenVPN Server Interface #

The following command will create an OpenVPN server interface in RouterOS, with your server certificate (my_vpn_server), sha1 authentication, and aes256 encryption, running on port 1194 (default):

/interface
ovpn-server server set enabled=yes certificate=my_vpn_server auth=sha1 cipher=aes256 port=1194 netmask=24 require-client-certificate=yes mode=ip

Configure Firewall to Allow OpenVPN Connections #

Make sure your router allows incoming TCP connections on port (1194 below matches your configuration above):

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

Let’s clear the console history to get rid of sensitive information:

/console clear-history

Now we have a working OpenVPN server running on MikroTik RouterOS!

Client Configuration #

To connect to your newly configured OpenVPN server, you must also configure your clients. A sample OpenVPN client configuration can look like this, based on the values we have entered earlier (example.com, 10.0.0.1, 1194, and you’ll also need to paste the CA certificate, user certificate, and private keys generated earlier in this tutorial where it says so below):

client
dev tun
proto tcp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 1
cipher AES-256-CBC
auth SHA1
auth-user-pass
dhcp-option DOMAIN example.com
dhcp-option DNS 10.0.0.1
redirect-gateway def1
route 0.0.0.0 0.0.0.0 10.0.0.1 1
route 10.0.0.0 255.255.255.0

<ca>
-----BEGIN CERTIFICATE-----
# paste your CA certificate here #
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
# paste your user certificate here #
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
# paste your user private key here #
-----END RSA PRIVATE KEY-----
</key>

I hope you found this tutorial helpful! Good luck, and let me know if I can make it better. Thank you!

Revision #

2023-08-31 Revised language