Turning Your MikroTik Router into an OpenVPN Server (Detailed Certificate Configuration Included)


Hello there! It’s Emmanuel Corels from Emmanuel Corels Creatives. In this guide, we’ll walk through turning your MikroTik router into an OpenVPN server with a focus on every detail—especially generating and configuring certificates. We’ll explain each parameter, why it matters, and which ones you can skip. This guide is designed for beginners, so let’s break it down step by step.


Why Use OpenVPN on MikroTik?

OpenVPN is a secure, flexible VPN solution that allows remote clients to connect to your network. Although MikroTik’s OpenVPN implementation (available in RouterOS v7 and later) supports only TCP mode, it provides robust security using SSL/TLS. In this guide, we’ll cover certificate generation and explain each option so that you know what each field does.


Step 1: Prepare Your Router

  1. Ensure RouterOS v7+
    • Open WinBox, go to System → Packages, and check that you’re running RouterOS v7 or later. OpenVPN support on MikroTik requires version 7+.
  2. Backup Configuration
    • Before making major changes, back up your current configuration:
      /system backup save name=pre-openvpn-backup
      

Step 2: Generate Certificates for OpenVPN

OpenVPN requires certificates for its SSL/TLS handshake. We need a server certificate (with a corresponding private key) and, optionally, a CA certificate. You can generate these directly on your MikroTik. Here’s how:

Access the Certificate Manager

  1. In WinBox, navigate to System → Certificates.

Adding a New Certificate

Click the “+” button to add a certificate. You will see several fields:

  • Name:
    • Example: ovpn-server-cert
    • Purpose: A friendly name to identify this certificate.
  • Common Name (CN):
    • Example: OpenVPN Server or your domain name if you have one (e.g., vpn.myhome.com).
    • Purpose: This is used during the SSL/TLS handshake to identify the server. Clients may verify that the certificate’s CN matches the hostname they are connecting to.
  • Key Size:
    • Suggested Value: 2048 bits (or higher, like 4096, if you require more security)
    • Purpose: Determines the strength of the key. A 2048-bit key is generally sufficient for most purposes.
  • Key Usage:
    • Default Options: Typically, you can leave this at default. For an OpenVPN server, you generally need it to be used for digital signatures and key encipherment.
    • Explanation: Key usage defines what the certificate can be used for. MikroTik often pre-selects suitable usage for VPN certificates.
  • Subject Alternative Name (SAN):
    • Optional: If you have multiple domain names or IP addresses that clients might use, list them here.
    • Skip If: You only need a simple certificate for testing or internal use.
  • Organization (O) and Country (C):
    • Optional but Recommended:
      • Organization: e.g., MyCompany
      • Country: e.g., US
    • Purpose: These fields add information to your certificate but are not strictly required for functionality.

After filling in these details, click OK.

Signing the Certificate

Now, you need to “sign” the certificate. For a self-signed certificate (common for testing or internal VPNs):

  1. Select your new certificate (ovpn-server-cert).
  2. Click Sign.
  3. You may be prompted for:
    • Signing Key: Choose the same certificate if self-signing.
    • Lifetime: Specify the validity period in days (e.g., 365 days).
      Example: Enter 365 so that the certificate is valid for one year.
  4. Click Sign to finalize the process.

The certificate will now show flags indicating that it is signed. For beginners, a self-signed certificate is acceptable. For production, you might use a trusted Certificate Authority (CA) or set up an internal CA.

Exporting the Certificate and Key (For Clients)

To configure your OpenVPN clients, you’ll need to export:

  • The CA certificate (if applicable)
  • The server certificate (if you plan to distribute it)
  • The private key

  1. Right-click your certificate in System → Certificates and choose Export.
  2. Set an export passphrase if desired (leave blank for no passphrase, though not recommended for production).
  3. Save the exported file (this will create a file with a .crt or .pem extension, and a key file with .key).

Example CLI commands:

/certificate export-certificate [find name="ovpn-server-cert"] export-passphrase="MyPass123"

Make sure to keep the private key secure!


Step 3: Configure the OpenVPN Server

Now that your certificate is ready, let’s set up the OpenVPN server.

  1. Navigate to OVPN Server Settings:
    • In WinBox, go to Interfaces → OVPN Server.
  2. Enable the OpenVPN Server:
    • Check the Enabled box.
  3. Configure Server Parameters:
    • Port: Set to 1194 (default) or another port if needed.
    • Mode: Choose ip (for IP-based tunneling; “ethernet” mode is for bridging and is less common in basic setups).
    • Certificate: Select the certificate you just created (ovpn-server-cert).
    • Auth: Choose sha1 (or sha256 if supported; note that some clients require matching settings).
    • Cipher: Select aes256 (if available) for strong encryption.
    • Compression: Typically left as default (compression is generally disabled in many secure setups).

    Important: Make sure the certificate is correctly assigned because it is critical for the handshake process.

    CLI Equivalent:

    /interface ovpn-server server set enabled=yes port=1194 mode=ip certificate=ovpn-server-cert auth=sha1 cipher=aes256

  4. Apply and Save:
    • Click Apply and OK.


Step 4: Configure PPP Profiles and Secrets for OpenVPN Users

Since MikroTik handles OpenVPN sessions via its PPP subsystem, we need to create a profile and user account.

  1. Create a PPP Profile:

    • Go to PPP → Profiles.
    • Click the “+” button.
    • Name: Enter OpenVPN_Profile.
    • Local Address: Set an IP for the OpenVPN server (e.g., 10.10.10.1).
    • Remote Address: Select an IP pool for connecting clients. The profile field takes a single address or the name of a pool, so create the pool first under IP → Pool (e.g., a pool named ovpn-pool with the range 10.10.10.2-10.10.10.254) and pick it here.
    • Click OK.

    CLI Example (the pool name ovpn-pool is just an example; remote-address must be an address or a pool name, not a range):

    /ip pool add name=ovpn-pool ranges=10.10.10.2-10.10.10.254
    /ppp profile add name=OpenVPN_Profile local-address=10.10.10.1 remote-address=ovpn-pool

  2. Add a PPP Secret (User Account):

    • Go to PPP → Secrets.
    • Click “+”.
    • Name: e.g., vpnuser.
    • Password: Choose a strong password, e.g., StrongPass123.
    • Service: Select ovpn.
    • Profile: Select OpenVPN_Profile.
    • Click OK.

    CLI Example:

    /ppp secret add name=vpnuser password=StrongPass123 service=ovpn profile=OpenVPN_Profile
    

Step 5: Firewall Considerations

To allow OpenVPN traffic, ensure your firewall isn’t blocking it.

  • Allow OpenVPN Traffic:
    /ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN"
    

Make sure this rule is placed before any general “drop” rules for incoming traffic.


Step 6: Configure the OpenVPN Client

Now configure a client (e.g., on Windows, macOS, or mobile):

  1. Download and Install the OpenVPN Client.

  2. Create a Client Configuration File (.ovpn): Here’s an example configuration:

    client
    dev tun
    proto tcp
    remote [Your_Public_IP_or_DDNS] 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    
    ; SSL/TLS setup
    ca ca.crt
    cert client.crt
    key client.key
    
    ; Security settings
    cipher AES-256-CBC
    auth SHA1
    verb 3
    

    Explanation of Each Parameter:

    • client: Tells the software that this configuration is for a client.
    • dev tun: Uses a TUN (virtual network) interface.
    • proto tcp: Since MikroTik OpenVPN supports TCP mode.
    • remote [Your_Public_IP_or_DDNS] 1194: Replace with your router’s public IP or dynamic DNS hostname and the port you set.
    • resolv-retry infinite: Keeps retrying DNS resolution indefinitely.
    • nobind: Doesn’t bind to a specific local port.
    • persist-key and persist-tun: Maintain keys and tunnel state across restarts.
    • ca ca.crt, cert client.crt, key client.key: These reference your certificate files. For a simple setup, you might share the same CA with clients. You need to export the client certificate and key from your CA or generate them separately.
    • cipher AES-256-CBC and auth SHA1: These must match the settings you configured on the server.
    • verb 3: Sets logging verbosity for debugging.
  3. Import the .ovpn File into your OpenVPN client and initiate a connection.


Step 7: Testing and Troubleshooting

  1. Check Server Status:
    • In WinBox, go to PPP → Active Connections. You should see your OpenVPN connection listed if a client connects.
  2. Test Connectivity:
    • From the client, try pinging the VPN gateway (10.10.10.1).
  3. Review Logs:
    • On the router, check Log or use /log print to review any error messages.
  4. Common Troubleshooting Areas:
    • Certificate Issues: Ensure the Common Name in your certificate matches what the client expects. Double-check key sizes and signing.
    • Firewall Rules: Confirm that TCP port 1194 is open and not blocked.
    • Routing: If the client connects but can’t reach the LAN, ensure proper routing/NAT is configured.
    • Client Config: Ensure the client configuration file has correct paths and settings for certificates and keys.
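As an added example (not part of the original guide), the small Python checker below compares a client .ovpn profile with the Step 3 server settings and reports the mismatches listed above: proto, port, cipher/auth, missing certificate file references, and a remote line that still holds the placeholder. The hostname vpn.example.com and the cipher/auth name entries other than aes256/sha1 are assumptions.

```python
"""Check an OpenVPN client profile against the MikroTik OVPN server settings (added example)."""

# RouterOS cipher/auth values -> OpenVPN option values. aes256/sha1 are the names
# used in the guide; the other entries are assumed from RouterOS naming.
MIKROTIK_CIPHER = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC", "aes256": "AES-256-CBC"}
MIKROTIK_AUTH = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}
SERVER = {"port": 1194, "cipher": "aes256", "auth": "sha1"}  # values from Step 3
# Constructed sample profile: the guide's client config with the remote filled in.
GOOD_PROFILE = """client
dev tun
proto tcp
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA1
verb 3
"""

def parse_ovpn(text):
    """Return {option: [args]} for an .ovpn profile, skipping ';' and '#' comment lines."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in ";#":
            key, *args = line.split()
            opts[key] = args
    return opts

def check_client_profile(text, server=SERVER):
    """Return a list of mismatches; an empty list means the profile matches the server."""
    opts = parse_ovpn(text)
    first = lambda opt, default="": (opts.get(opt) or [default])[0]
    problems = []
    if "client" not in opts:
        problems.append("missing 'client' directive")
    if first("proto", "udp") != "tcp":  # OpenVPN defaults to UDP when proto is omitted
        problems.append("proto must be tcp: the MikroTik OVPN server in this guide listens on TCP")
    remote = opts.get("remote", [])
    if len(remote) < 2 or remote[0].startswith("["):
        problems.append("remote lacks host/port or still holds the [Your_Public_IP_or_DDNS] placeholder")
    elif remote[1] != str(server["port"]):
        problems.append(f"remote port {remote[1]} does not match server port {server['port']}")
    for opt, table in (("cipher", MIKROTIK_CIPHER), ("auth", MIKROTIK_AUTH)):
        if first(opt) != table[server[opt]]:
            problems.append(f"{opt} must be {table[server[opt]]} to match server {opt}={server[opt]}")
    problems += [f"missing '{f}' file reference" for f in ("ca", "cert", "key") if f not in opts]
    return problems
```

Run check_client_profile on the text of your own .ovpn file; an empty list means the client side agrees with the server set in Step 3.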

Final Thoughts

Turning your MikroTik router into an OpenVPN server involves careful certificate management, precise configuration of the OpenVPN server, and proper setup of PPP profiles for client management. By understanding each certificate parameter and what it does, you can ensure a secure, functional VPN solution. Experiment with these settings in a test environment before deploying to production, and refer to logs and monitoring tools for troubleshooting.

If you have any questions or need further clarification on any step, feel free to reach out. Happy VPN-ing, and here’s to secure, remote access with MikroTik!


Explained in detail by
Emmanuel Corels – Admin, Emmanuel Corels Creatives

