Before starting, make sure of the following:
– We have a working configuration on our Mikrotik router (internet access + local network)
– We have generated an SSL certificate/key pair for the OpenVPN server
Import SSL Certificates + Root CA on the router
We can use FTP to upload the following files:
– cacert.pem (Root CA certificate)
– openvpn.crt (the certificate for the OpenVPN server)
– openvpn_key.pem (the private key)
After we upload the files through FTP (or another preferred method) we must import them.
1.1 Login to the Mikrotik web interface
1.2 Navigate to [System] -> [Certificates]
1.3 Choose “Import” for each of the files
Make dedicated IP pool for the VPN clients
Login to the router, and navigate to the following menu:
[IP] –> [Pool] –> [Add New] :
Name: openvpn-pool1
Addresses: 192.168.89.0 - 192.168.89.20
Next pool: none
Create OpenVPN PPP Profile
Navigate to:
[PPP] –> [Profiles] –> [ Create New]:
{Name} = "OpenVPN Profile"
{Local Address} = "192.168.89.254"
{Remote Address} = "openvpn-pool1"
{Address List} = "192.168.89.1-192.168.89.50"
{DNS Server} = "8.8.8.8"
{DNS Server} = "8.8.4.4"
Create OpenVPN Client credentials
Navigate to:
[PPP] –> [Secrets] –> [Add New]
{Enabled} = "yes"
{user} = "some_vpn_user"
{pass} = "some_pass"
{profile} = "OpenVPN Profile"
Enable OpenVPN server
Navigate to:
[PPP] –> [OVPN Server]
{Mode} = "ip" # ip is for a TUN interface, ether is for a TAP interface
{Default Profile} = "OpenVPN Profile" # The name of the profile we created earlier
{Certificate} = "cert1" # Or whatever name the newly imported server certificate received
Linux OpenVPN client configuration
Make sure to copy “cacert.pem” to the current directory.
If you use the client under Windows OS, you must change the “dev tun1” line to “dev tap”.
client
ca cacert.pem
auth-user-pass
dev tun1
proto tcp-client
tls-client
remote mysite.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC # Blowfish (default)
auth SHA1
verb 4
keepalive 10 15
Activate Masquerading on Mikrotik
This step is necessary for us to be able to access the internet through the VPN.
Navigate to: [IP] –> [Firewall] –> [NAT]
Add a srcnat rule for network [192.168.89.0/24] with action [masquerade]
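The same server-side procedure (certificate import, pool, profile, secret, OVPN server, NAT) entered in the RouterOS terminal instead of the web interface, as an added example that is not part of the original page. It assumes the three files were already uploaded to the router and that the imported server certificate ended up named "cert1", exactly as the text above assumes; the user name and password are placeholders. The profile's Address List field is left unset here: in RouterOS that option names a firewall address list that connecting clients are added to, not an IP range. The cipher and auth values mirror the client config on this page (Blowfish/SHA1); aes256 is the stronger choice if the client's cipher line is changed to match. The RouterOS 6 OpenVPN server accepts TCP only, which is why the client uses proto tcp-client.

```routeros
# Added example (not the page's own commands): RouterOS terminal
# equivalent of the web-interface steps above.
# Assumptions: cacert.pem, openvpn.crt and openvpn_key.pem are already in
# the router's file list; the imported server certificate is named "cert1".

# 1. Import the Root CA, the server certificate and its private key.
#    An unencrypted key file still needs passphrase="" on import.
/certificate import file-name=cacert.pem passphrase=""
/certificate import file-name=openvpn.crt passphrase=""
/certificate import file-name=openvpn_key.pem passphrase=""

# 2. Dedicated address pool for VPN clients (range taken from the page).
/ip pool add name=openvpn-pool1 ranges=192.168.89.0-192.168.89.20

# 3. PPP profile handed to every OpenVPN client.
/ppp profile add name="OpenVPN Profile" local-address=192.168.89.254 remote-address=openvpn-pool1 dns-server=8.8.8.8,8.8.4.4

# 4. Client credentials (placeholder values, change them).
#    service=ovpn restricts this secret to OpenVPN logins only.
/ppp secret add name=some_vpn_user password=some_pass profile="OpenVPN Profile" service=ovpn

# 5. Enable the server. mode=ip is TUN, mode=ethernet is TAP.
#    cipher/auth match the client config on this page; prefer aes256 when
#    the client side is changed accordingly.
/interface ovpn-server server set enabled=yes port=1194 mode=ip default-profile="OpenVPN Profile" certificate=cert1 cipher=blowfish128 auth=sha1 require-client-certificate=no

# 6. Masquerade VPN client traffic so it can reach the internet via the router.
/ip firewall nat add chain=srcnat src-address=192.168.89.0/24 action=masquerade comment="OpenVPN clients"

# Quick checks: confirm the server is enabled and list connected clients.
/interface ovpn-server server print
/ppp active print
```

Run the block line by line in a terminal (WinBox or SSH) or paste it as a script; `/ppp active print` is the place to look when a client connects but does not get an address, and `/log print` shows the TLS handshake result when the certificate name does not match what was imported.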