Setting up an OpenVPN server on MikroTik

One day some mobile operators started blocking ports to L2TP servers, so I set up a more secure OpenVPN server on MikroTik.

First, let’s create the certificates. The first one is the root (CA) certificate, which will have the KLAT flags (private key, CRL, authority, trusted) and which we will use to sign the other certificates:
System – Certificates – Add New
Name: ca
Country: UA
State: Kyiv
Locality: Kyiv
Common Name: ca
Key Size: 4096
Days Valid: 3650 (10 years)
Key Usage: crl sign, key cert. sign
Press OK, then open it and press Sign, specify Certificate: ca, CA CRL Host: 127.0.0.1 and press Start
Make sure that this certificate is marked “Trusted”.

Let’s create a certificate for the OpenVPN server:
System – Certificates – Add New
Name: ovpn_server
Country: UA
State: Kyiv
Locality: Kyiv
Common Name: ovpn_server
Key Size: 4096
Days Valid: 3650 (10 years)
Key Usage: digital signature, key encipherment, tls server
Click OK, then open it and click Sign, specify Certificate: ovpn_server, CA: ca and click Start
The certificate will have KI flags.

Let’s create a certificate for the client that will connect to the OpenVPN server (each client has its own certificate):
System – Certificates – Add New
Name: ovpn_client1
Country: UA
State: Kyiv
Locality: Kyiv
Common Name: ovpn_client1
Key Size: 4096
Days Valid: 3650 (10 years)
Key Usage: tls client
Click OK, then open it and click Sign, specify Certificate: ovpn_client1, CA: ca and click Start
The certificate will have KI flags.

Now right-click the “ca” certificate and select Export, Type: PEM, so that it appears in the Files folder.
Export the client certificate the same way (Type: PEM), but set an export passphrase: the private key is only included in the export when a passphrase is given, and the .ovpn file needs that key.

Let’s create an IP pool for ovpn clients:
IP – Pool
Name: ovpn_pool
Addresses: 192.168.7.10-192.168.7.50

Let’s create a profile for the OVPN server (the IP address of the OVPN server should not be in the IP pool):
PPP – Profiles – Add New
Name: ovpn_server
Local Address: 192.168.7.1
Remote Address: ovpn_pool

Make sure accounting is enabled:
PPP – Secrets – PPP Authentication&Accounting – Accounting: +

Let’s add a login and password for each client:
PPP – Secrets – Add New
Name: ixnfo.com
Password: …
Service: ovpn
Profile: ovpn_server

Activate the OVPN server:
PPP – Interface – OVPN Server
Enabled: +
Port: 1194 (can be changed)
Default Profile: ovpn_server
Certificate: ovpn_server
Require Client Certificate: +
Redirect Gateway: disabled (you can specify def1 so that all client traffic goes through the OVPN server; for example, I did this to administer office devices that are in different networks, so as not to add routes to each network on the client device)

If you need to add a route to the client network on the server:
IP – Routes – Add New
Dst. Address: 192.168.89.0/24
Gateway: ovpn_client1
On the client, add a route to the server network; this can be done directly in the .ovpn file:
route 192.168.24.0 255.255.255.0

In the firewall, open the port for the OVPN server (the rule must be placed above the drop rules in the input chain, otherwise they will shadow it):
IP – Firewall – Filter Rules – Add New
Chain: input
Protocol: tcp
Dst. Port: 1194
Action: accept
Comment: ovpn

Now we export the finished file with the configuration and certificates:
PPP – Interface – OVPN Server – Export .ovpn
Server Public Address (IP or DNS): …
CA Certificate: …
Client Certificate: …
Client Certificate Key: …
Then open it in the OpenVPN client application on Windows (openvpn.net/client/client-connect-vpn-for-windows/).
Or send it by email to a mobile phone and open it directly from the mail client in the OpenVPN app; for iOS it is apps.apple.com/ru/app/openvpn-connect-openvpn-app/id590379981. Note that the exported .ovpn file embeds the client’s private key, so treat it as a secret.
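The same configuration entered in the RouterOS terminal instead of Winbox, as an added example that is not part of the original article. CLIENT_PASSWORD and EXPORT_PASSPHRASE are placeholders; the firewall rule is placed at position 0, assuming that is above the drop rules; the .ovpn export itself remains a Winbox/WebFig step.

```routeros
# Added example: the Winbox steps above as RouterOS 7 terminal commands.
# Placeholders: replace CLIENT_PASSWORD and EXPORT_PASSPHRASE before pasting.

# 1. Root CA (KLAT flags once signed and marked trusted)
/certificate add name=ca common-name=ca country=UA state=Kyiv locality=Kyiv \
    key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign ca ca-crl-host=127.0.0.1 name=ca
/certificate set ca trusted=yes

# 2. Server certificate (KI flags after signing)
/certificate add name=ovpn_server common-name=ovpn_server country=UA state=Kyiv \
    locality=Kyiv key-size=4096 days-valid=3650 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign ovpn_server ca=ca name=ovpn_server

# 3. One client certificate per client
/certificate add name=ovpn_client1 common-name=ovpn_client1 country=UA state=Kyiv \
    locality=Kyiv key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign ovpn_client1 ca=ca name=ovpn_client1

# 4. Export the CA certificate, and the client certificate with its private key
#    (the private key is only exported when an export passphrase is given)
/certificate export-certificate ca type=pem
/certificate export-certificate ovpn_client1 type=pem export-passphrase=EXPORT_PASSPHRASE

# 5. Address pool and PPP profile (server address 192.168.7.1 is outside the pool)
/ip pool add name=ovpn_pool ranges=192.168.7.10-192.168.7.50
/ppp profile add name=ovpn_server local-address=192.168.7.1 remote-address=ovpn_pool
/ppp aaa set accounting=yes

# 6. Client login, restricted to the ovpn service
/ppp secret add name=ixnfo.com password=CLIENT_PASSWORD service=ovpn profile=ovpn_server

# 7. OVPN server; require-client-certificate=yes means a password alone is not enough
/interface ovpn-server server set enabled=yes port=1194 default-profile=ovpn_server \
    certificate=ovpn_server require-client-certificate=yes redirect-gateway=disabled

# 8. Allow TCP/1194 on input, placed first so that existing drop rules do not shadow it
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept \
    comment=ovpn place-before=0
```

After pasting, check the certificate flags with /certificate print (ca should show KLAT, the others KI) and confirm the accept rule sits above the drop rules with /ip firewall filter print.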

Older versions of RouterOS 6 have no .ovpn export button, so you need to upgrade to RouterOS 7+: open System – Packages, select Channel: upgrade and upgrade, then upgrade again with Channel: stable.

I had a NAT server in my network, and behind it an office MikroTik with an OVPN server and a local gray IP address, so I forwarded a port on the NAT server:

iptables -t nat -A PREROUTING -d 172.16.5.5/32 -i ens3f1 -p tcp --dport 1194 -j DNAT --to-destination 10.0.0.2:1194

See also my articles:
Configuring the VPN IPSec / L2TP server on Mikrotik
Configuring SOCKS in MikroTik
Port forwarding in iptables on NAT server
