Tunneling with OpenVPN on MikroTik: Another Step to Secure Networking

  • Mikrotik, VPN

Hello, network ninjas!
It’s Emmanuel Corels again, the proud admin of Emmanuel Corels Creatives, here to guide you through another exciting chapter in MikroTik mastery. We’ve explored PPTP and L2TP/IPsec—both solid VPN choices. Now, let’s turn our spotlight onto OpenVPN, an SSL/TLS-based VPN that boasts compatibility with a wide array of devices and operating systems.

Ready for a new mission in the world of secure networking? Let’s jump right in!


1. Why OpenVPN on MikroTik?

OpenVPN is like that reliable friend who’s always got your back. It uses SSL/TLS encryption and can operate over TCP or UDP, making it a versatile choice for remote access, site-to-site connections, or just a cool way to watch cat videos securely (hey, no judgment!).

Key Advantages:

  • SSL/TLS Encryption for secure tunnels.
  • Cross-Platform Support (Windows, macOS, Linux, mobile devices).
  • TCP or UDP flexibility.

2. What You’ll Need

  1. MikroTik Router (or CHR) running a version of RouterOS that supports OpenVPN.
  2. Certificates if you plan on using TLS (highly recommended).
  3. Basic Firewall Rules to ensure OpenVPN traffic is allowed.

Note: MikroTik’s OpenVPN support is somewhat limited to TCP (RouterOS doesn’t support UDP mode for OpenVPN as of this writing). Also, some encryption ciphers are not available by default—so keep it in mind if you’re comparing features with “regular” OpenVPN on other platforms.


3. Generating or Importing Certificates

OpenVPN typically needs server and client certificates to do its SSL/TLS handshake. You can create certificates using:

  • A public Certificate Authority (like Let’s Encrypt, if you get creative with domain names and DNS).
  • Your own internal CA (using OpenSSL or a tool like XCA).

For simplicity, let’s assume you have three certificates in .pem or .crt/.key format:

  • CA Certificate
  • Server Certificate + Server Key
  • Client Certificate + Client Key (for the connecting device)

3.1 Importing Certificates into MikroTik

  1. Open WinBox and go to System -> Certificates.
  2. Drag and drop your .crt and .key files into the Files window if you haven’t already.
  3. In System -> Certificates, click Import.
  4. Select the .crt (or .pem) file.
  5. Repeat for the .key file.
  6. Confirm that the new certificate entry shows the “K” (private key present) and “T” (Trusted) flags: the server certificate must have its private key attached, and the CA certificate should be marked trusted.
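Instead of building the certificates with OpenSSL or XCA and importing them, RouterOS can act as the internal CA itself, which skips the file transfer in 3.1. The terminal commands below are an added example, not part of the original post; the names MyVPN-CA, vpn-server, client1 and the hostname vpn.example.com are assumptions, and the export passphrase is a placeholder.

```routeros
# Added example: private CA on the router that issues the server and one client certificate.
# Names (MyVPN-CA, vpn-server, client1, vpn.example.com) are assumptions.

# 1. CA certificate: key-cert-sign/crl-sign lets it sign the other certificates
/certificate add name=ca-template common-name=MyVPN-CA key-size=2048 days-valid=3650 key-usage=key-cert-sign,crl-sign
/certificate sign ca-template name=MyVPN-CA

# 2. Server certificate: tls-server is the usage OpenVPN clients look for when they verify the server
/certificate add name=server-template common-name=vpn.example.com key-size=2048 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-template ca=MyVPN-CA name=vpn-server

# 3. Client certificate: tls-client only, so a copied client certificate cannot pose as the server
/certificate add name=client1-template common-name=client1 key-size=2048 days-valid=365 key-usage=tls-client
/certificate sign client1-template ca=MyVPN-CA name=client1

# 4. Trust our own CA so certificates it issued are accepted by the router
/certificate set MyVPN-CA trusted=yes

# 5. Export what the client needs: the public CA certificate, and the client certificate plus key.
#    The passphrase (placeholder) encrypts the exported private key.
/certificate export-certificate MyVPN-CA
/certificate export-certificate client1 export-passphrase=<client-key-passphrase>

# Check the flags: K = private key present, T = trusted, A = authority, I = issued
/certificate print
```

The exported files appear under Files as cert_export_*.crt and cert_export_*.key; copy them to the client and reference them from the .ovpn file as ca, cert and key. Because the key is passphrase-protected, the OpenVPN client will ask for that passphrase on connect.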

4. Configuring the OpenVPN Server on MikroTik

4.1 Enabling OpenVPN Server

  1. Go to Interfaces -> OVPN Server (in WinBox).
  2. Check “Enabled.”
  3. Set Port (default is 1194).
  4. For Mode, select ip or ethernet (usually ip is used).
  5. Certificate: Choose the server certificate you imported.
  6. Auth: Choose the HMAC digest used to authenticate each packet (e.g., sha1); it must match the auth line in the client config.
  7. Cipher: aes256 is the usual choice where supported; it must match the cipher line in the client config.
  8. Click OK or Apply.

Terminal Command Example:

/interface ovpn-server server set enabled=yes certificate=<server-cert-name> auth=sha1 cipher=aes256 port=1194

4.2 Creating a PPP Profile

Like other VPNs on MikroTik, OpenVPN sessions use the PPP infrastructure.

  1. Go to PPP -> Profiles.
  2. Click “+” to create a new profile (e.g., OpenVPN_Profile).
  3. Local Address: The router’s IP (e.g., 192.168.99.1).
  4. Remote Address: An IP pool or a range (e.g., 192.168.99.2-192.168.99.50).
  5. Click OK.

4.3 Adding PPP Secrets (User Accounts)

  1. Still in PPP, go to Secrets.
  2. Click “+”.
  3. Name: ovpnuser (example).
  4. Password: a strong, unique password (strongpassword here is only a placeholder).
  5. Service: ovpn.
  6. Profile: OpenVPN_Profile.
  7. OK.

Note: If you plan on using certificate-based authentication only (without username/password), you’ll configure it differently. But often people just combine cert-based encryption with a username/password for simplicity.
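For readers who prefer the terminal, here is the whole of sections 4.1 to 4.3 as one block. It is an added example and not commands from the original post: it assumes a server certificate already present under the name vpn-server, and it adds require-client-certificate=yes so that a username/password alone is not enough to bring up a tunnel.

```routeros
# Added example: server-side OpenVPN configuration from sections 4.1-4.3.
# Assumes the server certificate is installed as "vpn-server".

# Address pool handed to connecting clients (the Remote Address of the profile)
/ip pool add name=ovpn-pool ranges=192.168.99.2-192.168.99.50

# PPP profile: router end of the tunnel plus the pool for the client end
/ppp profile add name=OpenVPN_Profile local-address=192.168.99.1 remote-address=ovpn-pool

# User account bound to the ovpn service only, so the same secret cannot be
# used for PPTP/L2TP/SSTP logins. The password is a placeholder.
/ppp secret add name=ovpnuser password=<strong-unique-password> service=ovpn profile=OpenVPN_Profile

# OVPN server: TCP 1194, routed (ip) mode, HMAC and cipher as in the text.
# require-client-certificate=yes makes the server check that the client's
# certificate belongs to the same certificate chain as the server's.
/interface ovpn-server server set enabled=yes port=1194 mode=ip certificate=vpn-server auth=sha1 cipher=aes256 require-client-certificate=yes default-profile=OpenVPN_Profile

# Confirm the resulting settings
/interface ovpn-server server print
```

default-profile points new sessions at OpenVPN_Profile unless a secret names a different one, so a client gets the 192.168.99.x address range described above without any per-user settings.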


5. Firewall Rules

You’ll need to allow inbound TCP connections on your chosen OpenVPN port (default 1194):

  1. Chain: input
  2. Protocol: tcp
  3. Dst. Port: 1194
  4. Action: accept

Also, ensure you’re not accidentally dropping return traffic or messing up your NAT if you want these clients to reach the internet through your MikroTik.
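The rule from the list above as a terminal command, together with the forward and NAT rules that the last sentence (and the Routing pitfall in 7.2) refer to. This is an added example, not configuration from the original post; it assumes the WAN interface list from the default RouterOS configuration and a LAN of 192.168.88.0/24, so adjust both to your network.

```routeros
# Added example: firewall rules for the OVPN server.
# Assumptions: interface list "WAN" exists (default config), LAN is 192.168.88.0/24.

# Accept the OpenVPN control channel, but only on the WAN side.
# Must be placed ABOVE any "drop all from WAN" rule in the input chain.
/ip firewall filter add chain=input protocol=tcp dst-port=1194 in-interface-list=WAN action=accept comment="OpenVPN server"

# Let connected VPN clients (192.168.99.0/24) reach the LAN
/ip firewall filter add chain=forward src-address=192.168.99.0/24 dst-address=192.168.88.0/24 action=accept comment="OVPN clients -> LAN"

# Only if clients should also reach the internet through the router:
# their tunnel addresses need source NAT on the WAN interface
/ip firewall nat add chain=srcnat src-address=192.168.99.0/24 out-interface-list=WAN action=masquerade comment="OVPN clients -> internet"

# Check ordering: the accept rule must appear before the WAN drop rules
/ip firewall filter print where chain=input
```

If the accept rule lands below an existing drop rule, move it up in WinBox or with /ip firewall filter move; the order printed by the last command is the order the router evaluates.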


6. Client-Side Setup

6.1 Installing OpenVPN on a Windows Machine

  1. Download the OpenVPN Community Client from https://openvpn.net/community-downloads/.
  2. Install it—next, next, finish.

6.2 Client Config File (.ovpn)

Create a .ovpn file with something like:

client
dev tun
proto tcp-client
remote <YOUR_ROUTER_PUBLIC_IP> 1194
resolv-retry infinite
nobind
persist-key
persist-tun

; SSL/TLS Setup
ca ca.crt
cert client.crt
key client.key

cipher AES-256-CBC
auth SHA1

verb 3

  • Replace <YOUR_ROUTER_PUBLIC_IP> with your MikroTik’s public IP or domain.
  • ca, cert, key: Point to the respective files, or embed them inline if you like.

If you plan to use username/password with the same config, add the line auth-user-pass; the client will then prompt for the PPP secret’s username and password when it connects.

6.3 Testing the Connection

  1. Place the .ovpn file (and cert/key files if external) into the OpenVPN config folder (usually C:\Program Files\OpenVPN\config).
  2. Right-click the OpenVPN GUI icon in your system tray, select Connect.
  3. You should see logs indicating a successful handshake.
  4. If everything goes well, you’ll see “Initialization Sequence Completed”.

7. Verification and Troubleshooting

7.1 In MikroTik

  • PPP -> Active Connections: You should see your ovpn session.
  • Logs: Add an ovpn logging topic under System -> Logging for detailed info.
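The same two checks from the terminal, as an added example rather than commands from the original post:

```routeros
# Added example: enable ovpn logging and inspect the live session.

# Log ovpn events to the in-memory log (visible in Log window / :log)
/system logging add topics=ovpn action=memory

# Active PPP sessions: the ovpn user, its assigned 192.168.99.x address and uptime
/ppp active print detail

# Dynamic <ovpn-username> interface created for the connected client
/interface ovpn-server print

# Only the ovpn lines from the log: handshake, authentication and disconnect messages
/log print where topics~"ovpn"
```

If the session is missing from /ppp active but the log shows a TLS error, start with the certificate and cipher pitfalls listed in 7.2; if the log shows nothing at all, the connection is most likely being dropped by the firewall before it reaches the server.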

7.2 Common Pitfalls

  • Incorrect Certificates: Double-check you imported the correct CA, server cert, and keys.
  • Mismatch in Ciphers: If your client is set to AES-256-CBC but MikroTik is on something else, the handshake fails.
  • Firewall: Make sure TCP port 1194 is open.
  • Routing: If the client can connect but can’t access LAN resources, you may need routes or NAT rules for your new VPN subnet.

8. Wrapping Up

Congrats—you’ve set up OpenVPN on your MikroTik! This method often offers more robust encryption and better compatibility with various clients. Sure, it may look a bit trickier than PPTP or L2TP/IPsec at first, but once you’ve mastered those certificate details, you’re golden.

Pro Tips:

  • Experiment with certificate-only auth, skipping username/password.
  • Use RADIUS if you want centralized user management.
  • Tweak cipher and auth settings if you want different encryption strengths.

9. Next Steps

You’re quickly becoming a VPN master, my friend! Up next, we could explore Site-to-Site tunnels with OpenVPN or IPsec, or even venture into advanced topics like MPLS or RouterOS scripting. The MikroTik universe is vast, and we’ve only just begun!

Until next time, stay curious, stay secure, and never stop tinkering. If you have questions or want more deep-dives, you know where to find me—right here, always ready to help you push your MikroTik limits.


Authored by:
Emmanuel Corels, Admin
Emmanuel Corels Creatives

