Today I have a project to build an OpenVPN server on MikroTik. This OpenVPN server is used by remote offices to reach the main site, as an alternative to other tunneling methods. The project uses a MikroTik RouterBOARD RB400 series with RouterOS version 5.8, configured through Winbox; to build the certificates I prepared a CentOS 5.5 machine. The first documentation of this is on the MikroTik wiki; here is the step by step configuration I used.
First, building the certificates. Here I am using CentOS 5.5 and openvpn-2.2.1.tar.gz (the easy-rsa scripts shipped in the OpenVPN source) to build them:
[root@ardcentos ~]# tar -zxvf openvpn-2.2.1.tar.gz
[root@ardcentos ~]# cd openvpn-2.2.1/easy-rsa/2.0/
[root@ardcentos 2.0]# nano vars
Edit the lines from export KEY_COUNTRY onward with your location and organization.
[root@ardcentos 2.0]# source vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /root/openvpn-2.2.1/e
[root@ardcentos 2.0]# ./clean-all
[root@ardcentos 2.0]# ./pkitool --initca
[root@ardcentos 2.0]# ./pkitool --pass --server myoffice
When asked "Enter PEM pass phrase", I entered my_passphrase_for_openvpn.
[root@ardcentos 2.0]# openssl rsa -in keys/myoffice.key -out keys/myoffice.pem
Enter pass phrase for keys/myoffice.key: (the passphrase entered in the previous step; myoffice.pem is the same private key written without passphrase protection)
If you want to make a client certificate as well (needed when "require client certificate" is checked on the MikroTik OpenVPN server), use the commands below.
[root@ardcentos 2.0]# ./pkitool --pass forclient
Enter PEM pass phrase:
[root@ardcentos 2.0]# openssl rsa -in keys/forclient.key -out keys/forclient.pem
Enter pass phrase for keys/forclient.key:
[root@ardcentos 2.0]# cd keys/
[root@ardcentos keys]# ls
01.pem  ca.key         index.txt           myoffice.csr  rsa.key
02.pem  forclient.crt  index.txt.attr      myoffice.key  serial
03.pem  forclient.csr  index.txt.attr.old  myoffice.pem  serial.old
04.pem  forclient.key  index.txt.old       rsa.crt
ca.crt  forclient.pem  myoffice.crt        rsa.csr
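As an added example (not from the original post and not the easy-rsa scripts themselves), the script below reproduces the certificate build with plain openssl commands so that every file can be checked before it is uploaded: it mirrors ./pkitool --initca, ./pkitool --pass --server myoffice and ./pkitool --pass forclient, then the openssl rsa step that strips the passphrase. The extension profiles are modeled on what easy-rsa 2.0 applies (a CA with CA:TRUE, serverAuth for --server, clientAuth for a client); the subjects are CN values only, and the output directory, the myoffice-ca name and the checks at the end are my own additions. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the easy-rsa steps above
# with plain openssl so each output file can be checked before it is uploaded.
# Assumed: the openssl command-line tool is installed; file names and the
# passphrase are the post's, the CA name 'myoffice-ca' is made up here.
set -eu

# Issue one certificate signed by the CA in directory $1, named $2, with the
# extension file $3 and key passphrase $4 (what './pkitool --pass ...' does).
issue_cert() {
  d=$1; name=$2; ext=$3; pw=$4
  # --pass: the private key is written passphrase-encrypted
  openssl req -new -newkey rsa:2048 -passout "pass:$pw" -subj "/CN=$name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$d/$name.csr" -CA "$d/ca.crt" \
      -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/$ext" \
      -out "$d/$name.crt" 2>/dev/null
  # the post's 'openssl rsa -in X.key -out X.pem': same key, passphrase removed
  openssl rsa -in "$d/$name.key" -passin "pass:$pw" -out "$d/$name.pem" 2>/dev/null
}

# Build ca.crt, myoffice.{key,crt,pem} and forclient.{key,crt,pem} in $1.
build_pki() {
  d=$1; pw=$2
  mkdir -p "$d"
  # Extension profiles modeled on easy-rsa 2.0: a real CA, a '--server'
  # certificate (serverAuth) and a plain client certificate (clientAuth).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
      > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
      > "$d/server.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
      > "$d/client.ext"
  # ./pkitool --initca: self-signed CA. ca.key never leaves the build host.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=myoffice-ca' \
      -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$d/ca.csr" -signkey "$d/ca.key" \
      -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  issue_cert "$d" myoffice  server.ext "$pw"   # ./pkitool --pass --server myoffice
  issue_cert "$d" forclient client.ext "$pw"   # ./pkitool --pass forclient
}

# Checks worth running before the upload step.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }   # true for .key, false for .pem
cert_valid_for() {                                # $1 dir, $2 cert, $3 sslserver|sslclient
  openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
}

OUT=${1:-$(mktemp -d)}
build_pki "$OUT" my_passphrase_for_openvpn
echo "files written to $OUT"
for f in myoffice.key myoffice.pem; do
  if key_is_encrypted "$OUT/$f"; then echo "$f: passphrase-protected"
  else echo "$f: plaintext private key, handle like a password"; fi
done
cert_valid_for "$OUT" myoffice.crt sslserver && echo "myoffice.crt: valid server certificate"
cert_valid_for "$OUT" forclient.crt sslserver || echo "forclient.crt: rejected as a server certificate (expected)"
```

Run it with sh; it prints the directory it wrote to. Two results matter for the upload step: myoffice.key still carries the passphrase, while myoffice.pem is the same private key in plaintext, so once it leaves the build host it deserves the same care as the router's password; and forclient.crt verifies as a client certificate but not as a server one, which is exactly the distinction a client relies on when it is told to accept only server certificates.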
Upload the certificates made before, that is myoffice.crt, myoffice.pem and ca.crt, into the MikroTik RouterBOARD.
Below is the step by step to do on the MikroTik RouterBOARD.
For the first step, log into the MikroTik RouterBOARD with Winbox, then I have to do:
Click System and then choose Certificates; a window like the picture below appears.
Import all the certificates that have been uploaded.
In Only File choose the certificate, and in Passphrase enter the passphrase used when we built the certificate on Linux; repeat until all certificates are imported.
After that go to the main Winbox menu, choose IP, then click the Pool submenu like the picture below.
The red plus symbol adds a pool; here I have made myopenvpn with the IP range 192.168.10.100 until xx.xx.xx.254 as my pool.
Next go to the main Winbox menu, choose PPP, then make a profile; here is the profile that I have made.
Then in PPP choose Interface and enable the OpenVPN server like the picture below.
And last, make a secret to give the user access: in PPP choose Secrets and create the user:
With Service set to any, the user can also connect with other services besides OpenVPN, such as PPTP or L2TP, etc.
Client configuration
For the client configuration I am using Windows 7 with OpenVPN 2.2.1:
proto tcp-client
remote MY_REMOTE_IP
dev tap
nobind
persist-key
tls-client
ca ca.crt
auth-user-pass auth.cfg # auth.cfg contains my OpenVPN username and password
ping 10
verb 3
cipher AES-256-CBC
auth SHA1
pull
resolv-retry infinite
script-security 2 system
route-up "route add MY_LAN mask xxxxx MY_REMOTE_GATEWAY"
auth-nocache
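The directives above decide what the Windows client will accept from the far end. Below, as an added example that is not part of the post, is a small POSIX shell lint that embeds the post's client config as constructed sample input, reports the protective directives it lacks, and shows the same config with remote-cert-tls server appended. That line is my assumed hardening, not something the post uses: it makes the client check that the server certificate carries the serverAuth extended key usage, which ./pkitool --server writes into myoffice.crt, so a certificate issued to a client by the same CA (forclient.crt) cannot stand in for the router.

```shell
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN client config for
# the directives that protect the tunnel. The sample configs are constructed
# here from the post's config; 'remote-cert-tls server' is an assumed hardening.
set -eu

# Print one finding per line; return 1 if anything is wrong, 0 if clean.
lint_ovpn() {
  cfg=$1; rc=0
  # tls-client + ca   : the server must present a certificate chaining to ca.crt
  # remote-cert-tls   : and that certificate must be a *server* certificate, so a
  #                     client certificate from the same CA cannot impersonate it
  # cipher + auth     : explicit data-channel cipher and HMAC
  # auth-nocache      : do not keep the auth.cfg credentials in memory
  for want in tls-client ca remote-cert-tls cipher auth auth-nocache; do
    if ! grep -Eq "^[[:space:]]*$want([[:space:]]|\$)" "$cfg"; then
      echo "missing: $want"; rc=1
    fi
  done
  if grep -Eq '^[[:space:]]*remote-cert-tls' "$cfg" &&
     ! grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server([[:space:]]|$)' "$cfg"; then
    echo "remote-cert-tls must be 'server' on a client"; rc=1
  fi
  return $rc
}

# Constructed sample: the post's client config, placeholders kept as-is.
write_page_config() {
  cat > "$1" <<'EOF'
proto tcp-client
remote MY_REMOTE_IP
dev tap
nobind
persist-key
tls-client
ca ca.crt
auth-user-pass auth.cfg
ping 10
verb 3
cipher AES-256-CBC
auth SHA1
pull
resolv-retry infinite
script-security 2 system
route-up "route add MY_LAN mask xxxxx MY_REMOTE_GATEWAY"
auth-nocache
EOF
}

# The same config plus the assumed hardening line.
write_hardened_config() {
  write_page_config "$1"
  echo 'remote-cert-tls server' >> "$1"
}

report() {
  echo "== $1"
  if lint_ovpn "$1"; then echo "ok"; else echo "fix before use"; fi
}

TMP=$(mktemp -d)
write_page_config "$TMP/page.ovpn"
write_hardened_config "$TMP/hardened.ovpn"
report "$TMP/page.ovpn"
report "$TMP/hardened.ovpn"
rm -rf "$TMP"
```

Point lint_ovpn at any client .ovpn to get the same report. The check is deliberately conservative: it only looks for directives the post already relies on plus the one server-identity line, and it treats remote-cert-tls with any argument other than server as an error, because on a client the other value would accept the wrong kind of peer certificate.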
Here is a sample of the client connected from Windows:
In the picture I have two connections to OpenVPN servers, so there are two icons: red means not connected and green means connected. From the MikroTik side the session can be monitored under Active Connections, like the picture below.
Notes:
– This configuration still works with RouterOS version 5.4, but on RouterOS version 4.xx it seems to have some bugs on the MikroTik side.
– If "require client certificate" is checked on the OpenVPN server, I have to import forclient.crt, forclient.pem and ca.crt on the client; if it is unchecked, I only import ca.crt.
– CMIW
how do i setup mikrotik server to limit bandwidth for each user by using username and password after installing mikrotik server…
If you want to limit the bandwidth of a MikroTik user, maybe it's not possible today, but if you want to limit a VPN user you can limit it by profile or user secret; to do it, in Winbox choose PPP.
Hi, is there any way to set up the MikroTik server as a Linux server, with push "redirect-gateway"?
Basically what I need to do is let all clients connected via VPN use the gateway of the OpenVPN server. This would then let all the clients use the same external IP for the outer world (going through the gateway of the OpenVPN server). In such a way, all the connected clients would "appear" to the outer world like being located really behind the gateway of the OpenVPN server.
You could try replacing => route-up "route add MY_LAN mask xxxxx MY_REMOTE_GATEWAY" with => push "route 0.0.0.0 0.0.0.0 your_server_openvpn". If it doesn't work you should add it manually on the client.
Thank you for your answer. Unfortunately it does not work, Mikrotik Ovpn can not be used as a gateway to the Internet
🙁
hello
thank you for this tutorial
i did that, i connected to mikrotik, i see it in mikrotik activity! so after i connect my ip didn't change! and i can't open filtered web sites?> for example facebook!> because in my country facebook is filtered by isp!>?
but when i use pptp or l2tp my ip changed and i can open facebook! so why doesn't openvpn do that? this is my problem?
On my configuration, OpenVPN on MikroTik can not change the default route of the client. On L2TP or PPTP the default route of the client will be changed when connected via PPTP or L2TP; I don't know if it's just a bug of MikroTik or not. For OpenVPN on MikroTik I should add static routing at the client. Maybe this bug will be fixed in a newer MikroTik OS.