OpenVPN on MikroTik routers
Connect to MikroTik via the web interface. You can use the Router OS web interface, which includes the following screens, or the Winbox app.
Default prot for OpenVPN is 1194. You can customize it as you want, but do not forget to allow port on your firewall. In section IP-> Firewall, add row as below::
Firewall
Chain: input
Protocol: (6) tcp
Dst.Port: 1194
Action: accept
1) Certificates
First, we create ca, server and client certificates (you can use any name). In System -> Certificates, click Add new and, after completing the fields, sign it immediately using the Sign option.
CA
Server
Client
The whole settings under certificates should look something like this:
Next, download the certificates to your computer in the Files section.
2) Address range
We create our own address range for VPN. If you have a primary "Pool" range, such as 192.168.1.1-100, you can create another or use some part of the existing range, such as 192.168.1.201-230, etc. The settings can be done in tab IP -> Pool
3) Profile creation and VPN service launch
In PPP -> Profiles, create a new profile using "Add new." Fill in any name and set Local Address to an address that is not occupied and not in any range. In this example, 192.168.1.200. In the Remote address, select the range from the previous point.
Then, in the PPP -> Interface -> OVPN server tab, click "Enabled," choose the port (default image), and VPN profile and server certificate. Select Auth and Ciper as shown.
4) VPN Accounts
In the PPP -> Secrets tab, use "Add new" to add a new user. In this example, we can see how account for Paul might look like. Be sure to choose a strong password, select a service and profile created earlier.
That's all!!!
Tip: To allow users to access your primary range via VPN, where you have such as smart home, NAS, etc., you still need to make last setting, in Interfaces on "bridge" set in the ARP section - proxy-ARP
5) Configuration file
To make it as easy as possible for the users you give access to, create a configuration file, such as VPN.ovpn, where the following data will be available. Replace the orange text with your external address and your certificate contents generated on MikroTik.
client
remote YourPublicIPAddress 1194
auth-user-pass
cipher AES-256-CBC
dev tun
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody
push "redirect-gateway autolocal def1"
push "redirect-gateway def1"
<ca>
-----BEGIN CERTIFICATE-----
//paste certificate here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
//paste certificate here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
//paste certificate here
-----END ENCRYPTED PRIVATE KEY-----
</key>
Send configuration file by email to user and share credentials via mobile phone separately. You can also find how to connect to existing OpenVPN from Android or iOS in this blog.
Add comment