Mikrotik – Configuring OpenVPN Server + Linux client

Author: gryzli

Before starting, make sure of the following:

– We have a working configuration on our Mikrotik router (internet access + local network)

– We have generated an SSL certificate/key pair for the OpenVPN server


Import SSL Certificates + Root CA on the router

We can use FTP to upload the following files:

cacert.pem (Root CA certificate)

openvpn.crt (The certificate for the OpenVPN server)

openvpn_key.pem (The private key)

After we upload the files through FTP (or another preferred method), we must import them.

1.1 Login to the Mikrotik web interface

1.2 Navigate to [System] -> [Certificates]

1.3 Choose “Import” for each of the files

Make dedicated IP pool for the VPN clients

Login to the router, and navigate to the following menu:

[IP] –> [Pool] –> [Add New] :

Name: openvpn-pool1

Addresses:  192.168.89.0 - 192.168.89.20

Next pool: none


Create OpenVPN PPP Profile

Navigate to:

[PPP] –> [Profiles] –> [ Create New]:


{Name} = "OpenVPN Profile"

{Local Address} = "192.168.89.254"

{Remote Address} = "openvpn-pool1"

{Address List} = "192.168.89.1-192.168.89.50"

{DNS Server} = "8.8.8.8"

{DNS Server} = "8.8.4.4"


Create OpenVPN Client credentials

Navigate to:

[PPP] –> [Secrets] –> [Add New]

{Enabled} = "yes"

{user} = "some_vpn_user"

{pass} = "some_pass"

{profile} = "OpenVPN Profile"


Enable OpenVPN server

Navigate to:

[PPP] –> [OVPN Server]

{Mode} = "ip"   (ip is for a TUN interface, ether is for a TAP interface)

{Default Profile}  = "OpenVPN Profile" # This is the name of the profile we have created earlier

{Certificate} = "cert1"   # Or whatever is the name of the newly added certificate


Linux OpenVPN client configuration

Make sure to copy “cacert.pem” to the current directory.

If you use the client under Windows OS, you must change the “dev tun1” line to “dev tap”.

client
ca cacert.pem          # Root CA that signed the router's certificate
auth-user-pass         # prompts for the PPP secret (user/password) on connect
dev tun1               # TUN, matching {Mode} = "ip" on the router
proto tcp-client       # RouterOS v6 OVPN server accepts TCP only
tls-client
remote mysite.com  1194
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC        # Blowfish (default); deprecated since OpenVPN 2.4, 2.5+ clients need data-ciphers-fallback BF-CBC or an AES cipher on both sides
auth SHA1
verb 4
keepalive 10 15


Activate Masquerading on Mikrotik

This step is necessary for the VPN clients to be able to access the internet through the router.

Navigate to: [IP] –> [Firewall] –> [Nat]

Add a srcnat rule for the network [192.168.89.0/24] with action [masquerade]
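The same steps as a RouterOS terminal script, added here as an example and not taken from the original post; it assumes RouterOS v6 syntax, reuses the page's names and addresses, and treats the certificate name cert1 and the user/password as placeholders:

```routeros
# Added example (not from the original post): the same setup typed into the
# RouterOS terminal (v6 syntax). Certificate name "cert1", the user name and
# the password are placeholders; check "/certificate print" for the real name.

# 1. Import the files uploaded via FTP (CA, server certificate, private key)
/certificate import file-name=cacert.pem passphrase=""
/certificate import file-name=openvpn.crt passphrase=""
/certificate import file-name=openvpn_key.pem passphrase=""

# 2. Dedicated address pool for VPN clients
/ip pool add name=openvpn-pool1 ranges=192.168.89.0-192.168.89.20

# 3. PPP profile used by the OVPN server (the Address List field is left out:
#    it names a firewall address list the client's IP is added to, not a range)
/ppp profile add name="OpenVPN Profile" local-address=192.168.89.254 \
    remote-address=openvpn-pool1 dns-server=8.8.8.8,8.8.4.4

# 4. Client credentials, restricted to the OVPN service
/ppp secret add name=some_vpn_user password=some_pass \
    profile="OpenVPN Profile" service=ovpn

# 5. Enable the server: mode=ip is TUN, matching "dev tun1" in the client file.
#    cipher/auth must contain what the client offers (BF-CBC/SHA1 on this page);
#    aes256 is listed as well so a client can be switched to "cipher AES-256-CBC".
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 \
    default-profile="OpenVPN Profile" certificate=cert1 \
    require-client-certificate=no auth=sha1 cipher=blowfish128,aes256

# 6. Source NAT so VPN clients reach the internet through the router
/ip firewall nat add chain=srcnat src-address=192.168.89.0/24 \
    action=masquerade comment="OpenVPN clients"

# Checks: server settings, and active sessions once a client has connected
/interface ovpn-server server print
/ppp active print
```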
