 
emic17
just joined
Topic Author
Posts: 6
Joined: Mon Dec 29, 2014 10:07 am

Configure OpenVPN client

Tue Jun 16, 2015 7:25 pm

Hi,
I need to configure a VPN between my home network and my office, using an RB951Ui-2HnD MikroTik.
This is the configuration that I normally use from my Windows, Android and iOS clients:
client

proto tcp
remote my.openvpn.server
port 1194
float

dev tun
nobind

ca ca.crt
cert my.crt
key my.key

ns-cert-type server
NB: I don't use the user/password authentication method.

Which is the right configuration to use on the MikroTik?

Thanks for future help...
 
kamillo
Member Candidate
Posts: 162
Joined: Tue Jul 15, 2014 5:44 pm

Re: Configure OpenVPN client

Wed Jun 17, 2015 11:11 am

Hi,

If I remember correctly, MT doesn't support certificate authentication, only user/password.

Check: http://wiki.mikrotik.com/wiki/Manual:Interface/OVPN
 
gtj
Member Candidate
Posts: 121
Joined: Thu Apr 30, 2015 2:52 am
Location: Colorado US

Re: Configure OpenVPN client

Thu Jun 18, 2015 3:15 am

Depends on whether MT is the client or server. If it's the client it'll support certificate auth just fine.

Import the ca cert and the client cert and key. I normally concatenate the client cert and key into 1 pem file and import that.

Create an empty ppp profile and set encryption to yes.

Create an ovpn client and set the user to the client cert's common name.
Set the server, port, mode: ip, client cert, profile, auth, cipher.

Should be as easy as that. I've set up a bunch in the last week or so connecting to a Linux openvpn server.
 
emic17
just joined
Topic Author
Posts: 6
Joined: Mon Dec 29, 2014 10:07 am

Re: Configure OpenVPN client

Thu Jun 18, 2015 7:51 am

Yes, my MT is the client. Today I will try this solution.
Stay tuned!
 
emic17
just joined
Topic Author
Posts: 6
Joined: Mon Dec 29, 2014 10:07 am

Re: Configure OpenVPN client

Thu Jun 18, 2015 10:10 pm

Unfortunately I was not able to configure my MT as an OVPN client as you described. :( ..... I'm a newbie in RouterOS.
Can you help me with a step-by-step guide? Or some link where I can find instructions?
My RouterOS version is: 6.27

Thanks.
 
gtj
Member Candidate
Posts: 121
Joined: Thu Apr 30, 2015 2:52 am
Location: Colorado US

Re: Configure OpenVPN client

Fri Jun 19, 2015 12:58 am

Assuming you're using Webfig...

Gather your ca cert file and your pem file containing your client cert and key. I'll refer to them as ca.crt and client.pem but they can be named anything.

Connect to the device using Webfig and go to Files.
Upload both the ca.crt and client.pem files.

Go to System/Certificates and import both files. After they're imported, you should see 'T' as the status for ca.crt and 'KT' as the status for the client cert/key. You might want to rename them here since the default names will be cert_1 and cert_2.

Now go to PPP/Profiles and create a new profile named openvpn-client. Set as follows...
Use IPv6: no
Use MPLS: no
Use Compression: no
Use VJ Compression: no
Use Encryption: yes
All other fields can be left empty or at their defaults.

Now go to PPP/Interface and add a new OVPN Client. Set as follows...
Connect to: <server ip address>
Port: 1194 <or whatever port your server uses>
Mode: ip
User: <common name of client cert>
Profile: openvpn-client
Certificate: <your client cert>
Auth: <match your server>
Cipher: <match your server>

The server MUST be set to 'proto tcp' and must not need tls-auth. Neither udp nor tls are supported.

That should do it.
 
emic17
just joined
Topic Author
Posts: 6
Joined: Mon Dec 29, 2014 10:07 am

Re: Configure OpenVPN client

Fri Jun 19, 2015 7:11 pm

It works!!!!

Thank you! you're the best!! ;) ;) ;)
 
therfman
just joined
Posts: 2
Joined: Sun Feb 14, 2016 8:44 pm

Re: Configure OpenVPN client

Sat Sep 17, 2016 5:46 am

I apologize for reviving an old thread, but it seems to be the most appropriate thread for my question.

I'm trying to configure my RB1100AHx2 to connect to PrivateInternetAccess (PIA) servers using VPN. PIA had provided me with a crt file as well as a pem file. I am able to import the crt file and RouterOS shows its details correctly. I am however unable to import the PEM file. If I do so by Winbox, nothing happens. By CLI, I get a report of all 0s. No errors, but no keys imported. I have tried using no passphrase when importing, using my RouterOS admin passphrase, and my VPN login passphrase. Nothing works, and I can't get OpenVPN connectivity without it.

Any help would be appreciated.
 
emk2203
just joined
Posts: 11
Joined: Tue Feb 07, 2017 11:33 pm
Location: Germany

Re: Configure OpenVPN client

Wed Jun 07, 2017 6:58 pm

Bumping this, since I have exactly the same problem now.

The .crt gets imported without issues, but the .pem has all zeroes in the status after import. From the contents, it's an X.509 crl (?).

-----BEGIN X509 CRL-----
[...]
-----END X509 CRL-----
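
A pre-upload check for the two failure points in this thread, added here as an example and not part of any post: it reads the PEM armor labels to tell a client cert plus key bundle from a file that holds only a CRL (which contains no certificate or key to import), and it flags OpenVPN client directives that conflict with the limits gtj lists (proto tcp only, no tls-auth). The function names and sample data are constructed for illustration.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def classify_pem(text):
    """Describe what a PEM file holds, judged by its armor labels only."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    has_cert = "CERTIFICATE" in labels
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if has_cert and has_key:
        return "client cert + key"
    if has_cert:
        return "certificate only"
    if has_key:
        return "private key only"
    if "X509 CRL" in labels:
        return "CRL only (no certificate or key to import)"
    return "no PEM blocks found"

def routeros_blockers(conf):
    """List directives that conflict with the limits stated in the thread."""
    problems = []
    for line in conf.splitlines():
        parts = re.split(r"[#;]", line, maxsplit=1)[0].split()  # drop comments
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "proto" and args and not args[0].startswith("tcp"):
            problems.append("proto " + args[0] + ": server must use proto tcp")
        elif key == "remote" and len(args) > 2 and not args[2].startswith("tcp"):
            problems.append("remote ... " + args[2] + ": server must use proto tcp")
        elif key == "tls-auth":
            problems.append("tls-auth: server must not need tls-auth")
    return problems

# Constructed samples: the base64 bodies are placeholders, not real key material.
BODY = "Q09OU1RSVUNURUQ=\n"
CLIENT_PEM = ("-----BEGIN CERTIFICATE-----\n" + BODY + "-----END CERTIFICATE-----\n"
              "-----BEGIN PRIVATE KEY-----\n" + BODY + "-----END PRIVATE KEY-----\n")
CRL_PEM = "-----BEGIN X509 CRL-----\n" + BODY + "-----END X509 CRL-----\n"
# Directives from the first post, then a constructed config that would not work.
THREAD_CONF = "client\nproto tcp\nremote my.openvpn.server\nport 1194\ndev tun\n"
UDP_CONF = "client\nproto udp\nremote vpn.example.net 1194\ntls-auth ta.key 1\n"

if __name__ == "__main__":
    for name, pem in (("client.pem", CLIENT_PEM), ("vendor.pem", CRL_PEM)):
        print(name, "->", classify_pem(pem))
    for name, conf in (("thread", THREAD_CONF), ("udp", UDP_CONF)):
        print(name, "->", routeros_blockers(conf) or "no blockers")
```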