OpenVPN Server Setup on Mikrotik RouterOS | Lazy Geek -:)

https://rbgeek.wordpress.com/2014/09/10/openvpn-server-setup-on-mik...

In this post, I'll describe the step-by-step procedure to set up Mikrotik RouterOS as an OpenVPN server. I'll use Ubuntu Server to create the CA, server and client certificates.

Please remember a few things about the Mikrotik OpenVPN server implementation:

UDP mode is not supported; only TCP mode is supported.
A username/password is mandatory even though client certificates are being used for authentication.

Install the openvpn package on Ubuntu Server using the following command:

sudo apt-get install openvpn easy-rsa

Make an easy-rsa directory inside /etc/openvpn:


cd /etc/openvpn/
sudo mkdir easy-rsa

Use the following command to copy the default easy-rsa files into /etc/openvpn/easy-rsa, for setting up the Certificate Authority (CA) and generating certificates and keys for the OpenVPN server and clients:

cp -r /usr/share/easy-rsa/* /etc/openvpn/easy-rsa/

Edit /etc/openvpn/easy-rsa/vars:
cd /etc/openvpn/easy-rsa/
vi vars

Edit these parameters according to your needs:


export KEY_COUNTRY="US"
export KEY_PROVINCE="NC"
export KEY_CITY="Winston-Salem"
export KEY_ORG="Example Company"
export KEY_EMAIL="me@example.com"

Run the clean-all command:


source vars
./clean-all

Now, generate the CA certificate:


./build-ca

Next, generate a server certificate and private key:


./build-key-server mikrotik

Move to the keys directory (/etc/openvpn/easy-rsa/keys):


cd /etc/openvpn/easy-rsa/keys/

Copy the CA certificate, server certificate and key to the Mikrotik router:
ncftpput -u admin 10.10.10.1 / ca.crt mikrotik.crt mikrotik.key
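
An added check (not part of the original post) that can be run in the keys directory before the upload: it confirms that mikrotik.crt chains to ca.crt, that mikrotik.key is the key for that certificate, and that the certificate is not about to expire. The function name and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run in /etc/openvpn/easy-rsa/keys
# before the upload. Function name and the 30-day threshold are assumptions.

# check_ovpn_bundle CA_CERT SERVER_CERT SERVER_KEY
# returns 0 = all checks pass, 1 = chain, 2 = key mismatch, 3 = expiring
check_ovpn_bundle() {
    ca=$1; crt=$2; key=$3

    # 1. The server certificate must chain to the CA the clients will trust.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt is not signed by $ca"
        return 1
    fi

    # 2. The private key must belong to the certificate: compare public keys.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt (or is encrypted/unreadable)"
        return 2
    fi

    # 3. The certificate must stay valid for at least 30 more days.
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 30 days"
        return 3
    fi

    echo "OK: $crt chains to $ca and matches $key"
}

# Usage: check_ovpn_bundle ca.crt mikrotik.crt mikrotik.key
```

ncftpput sends mikrotik.key over unencrypted FTP; if the router's SSH service is enabled, scp ca.crt mikrotik.crt mikrotik.key admin@10.10.10.1:/ carries the same files over an encrypted channel.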

The VPN client also needs a certificate to authenticate itself to the server. Move to the /etc/openvpn/easy-rsa/ directory and create a different certificate for each client:
cd /etc/openvpn/easy-rsa/
source vars
./build-key arbabpc

Mikrotik OpenVPN Server Configuration:


1) Connect to the Mikrotik using Winbox. Go to Files; there you will find all the files that you copied from the Linux server:

2) Then go to System > Certificates:

Click on the Import button, then select the CA certificate file (in my case, it is ca.crt) and press Import:

Double click on the imported certificate and change its name (This step is optional):

Once again, click on the Import button, then select the server certificate file (in my case, it is mikrotik.crt) and press Import:

Next, import the server key using the above step:

Double click on the imported server certificate and change its name (This step is optional):

Once you have imported the private key, the server certificate will have KR written in front of it:
K: Decrypted-Private-Key
R: RSA

Next, we need to create the pools for the OpenVPN clients. For this, go to IP->Pool:

Create each pool as a /30 subnet:

(The reason to create the /30 subnet is that I was getting the below-mentioned error on a Windows machine, and that trick worked for me.)
There is a problem in your selection of --ifconfig endpoints [local=172.25.10.2, remote=172.25.10.1].
The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a
limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets'
option for more info.

Create as many pools as you have OpenVPN clients:

In each pool's Next Pool field, enter the name of the pool that immediately follows it:

Create the profile for the OpenVPN clients by selecting the Profiles tab and clicking on the + button:

Move over to the Secrets tab and click on the + button to create a user for the OpenVPN client:

Enable the OpenVPN service and select a valid certificate by moving to the Interface tab and clicking on OVPN Server:
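
The Winbox steps above (pools chained through Next Pool, profile, secret, OVPN server) expressed as RouterOS terminal commands, generated by a small shell script. This is an added example, not from the original post: the pool, profile and certificate names and the CHANGE-ME password are assumptions, and 172.25.10.x is the range seen in the TAP-WIN32 error message.

```shell
#!/bin/sh
# Added example, not from the original post. Pool, profile and certificate
# names and the CHANGE-ME password are assumptions; 172.25.10.x is the range
# seen in the TAP-WIN32 error message above.

# pool_range PREFIX K: the two usable hosts of the K-th /30 inside PREFIX.0/24
pool_range() {
    first=$(( $2 * 4 + 1 ))
    echo "$1.$first-$1.$(( first + 1 ))"
}

# ovpn_pools PREFIX COUNT: one /30 pool per client, chained through next-pool
ovpn_pools() {
    prefix=$1
    count=$2
    # A /24 holds 64 /30 blocks.
    if [ "$count" -lt 1 ] || [ "$count" -gt 64 ]; then
        echo "client count must be between 1 and 64" >&2
        return 1
    fi
    # Emit the last pool first so each next-pool target exists when referenced.
    i=$count
    while [ "$i" -ge 1 ]; do
        line="/ip pool add name=ovpn-pool$i ranges=$(pool_range "$prefix" $(( i - 1 )))"
        if [ "$i" -lt "$count" ]; then
            line="$line next-pool=ovpn-pool$(( i + 1 ))"
        fi
        echo "$line"
        i=$(( i - 1 ))
    done
}

# ovpn_routeros_script PREFIX COUNT USER CERT: pools plus profile, secret, server
ovpn_routeros_script() {
    ovpn_pools "$1" "$2" || return 1
    cat <<EOF
/ppp profile add name=ovpn-profile local-address=ovpn-pool1 remote-address=ovpn-pool1
/ppp secret add name=$3 service=ovpn profile=ovpn-profile password=CHANGE-ME
/interface ovpn-server server set enabled=yes certificate=$4 require-client-certificate=yes
EOF
}

# Constructed sample: two clients; paste the output into a RouterOS terminal.
ovpn_routeros_script 172.25.10 2 arbabpc mikrotik-server
```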

Windows as OpenVPN Client installation & Configuration:


Download the free OpenVPN client for Windows from here, and install it. Once it's installed, move to the OpenVPN config directory (C:\Program Files\OpenVPN\config):

Download the sample configuration file from here. Modify it as per your requirement:

Create the auth.cfg file inside the C:\Program Files\OpenVPN\config folder, with the openvpn username and password that you have created on mikrotik server:

Run the OpenVPN client with Administrator privileges:

Right click on the OpenVPN icon in the System Tray and click on Connect:

Once it is connected, it will show you details similar to these:

Check the Routing Table:


route PRINT -4

Ping to the internal host:

Success
Hope this will help you!
Please Remember me in your prayers!
Enjoy
2 responses to OpenVPN Server Setup on Mikrotik RouterOS

Matt February 16, 2016 at 6:25 pm


Hello this was a great article. However something that appears to not quite work is the route in the config file. That is, yes it applies the windows route. However the
Mikrotik will sometimes assign you the IP 172.25.10.1 instead of itself, in which case the route would need to specify 172.25.10.2 as the gateway since the Mikrotik
assigns itself .2 periodically. Any way of getting around this problem?

Matt February 16, 2016 at 6:39 pm
Ah yes the pool, looks like to avoid this happening on the latest OS you should create a local assigned pool just on the .1. Then the rest should work. In the
graphic above it shows the same pool for local and remote.
