Hi,
I am starting with my mikrotik and I saw in the configuration that it was possible to create an OpenVPN server.
Internet service providers in my country do not necessarily deliver a public IPV4 to each subscriber. This solution could be suitable for my clients.
I had echoes of a provider having had problems with this service on mikrotik.
Do you have an opinion on OpenVPN on mikrotik ? Do you have conclusive experiences ? Is it hard to configure ?
Thanks
ASYmpTON
Re: OpenVPN Server [SOLVED]
My personal experience with the OpenVPN server in RouterOS has been very good.
As long as the server side has a public IPv4 address (fixed is preferable but using FQDN and dynamic DNS can also work) then OpenVPN is a great way to get around the problem of ISPs using CG-NAT and not giving customers a public IPv4 address (a very common issue with mobile broadband providers).
The actual configuration isn't very difficult but you do need to create certificates for the server and clients (this can be done directly on the MikroTik) and create a client configuration file.
I have attached the instructions I wrote (and have tested) for you to look at (they assume your MikroTik is directly connected to the Internet). If you have any questions about the configuration I used, I'd be happy to try and answer them.
As long as the server side has a public IPv4 address (fixed is preferable but using FQDN and dynamic DNS can also work) then OpenVPN is a great way to get around the problem of ISPs using CG-NAT and not giving customers a public IPv4 address (a very common issue with mobile broadband providers).
The actual configuration isn't very difficult but you do need to create certificates for the server and clients (this can be done directly on the MikroTik) and create a client configuration file.
I have attached the instructions I wrote (and have tested) for you to look at (they assume your MikroTik is directly connected to the Internet). If you have any questions about the configuration I used, I'd be happy to try and answer them.
You do not have the required permissions to view the files attached to this post.
Re: OpenVPN Server
@MickeyT
I am stuck at step 7 (Remove Password from Client Key). I should get the MikrotikCA, Client1 and which one is the client key, please? How do i download them? In the files list i see only two files& .
Which ones do i need?
I am stuck at step 7 (Remove Password from Client Key). I should get the MikrotikCA, Client1 and which one is the client key, please? How do i download them? In the files list i see only two files
Code: Select all
cert_export_Client1.crt Code: Select all
cert_export_Client1.keyWhich ones do i need?
You do not have the required permissions to view the files attached to this post.
Re: OpenVPN Server
You need both of those files but the password is only on the cert_export_Client1.key file. So the files you download are:
You then want to remove the password from cert_export_Client1.key with the command (This is done on a computer with OpenSSL installed rather than on the MikroTik):
Linux computers will already have OpenSSL installed but, if you're on a Windows computer, you can download OpenSSL from OpenSSL Wiki - Binaries or use Cygwin.
- cert_export_MikroTikCA.crt (The MikroTik CA certificate file)
- cert_export_Client1.crt (The client certificate file)
- cert_export_Client1.key (The client private key file)
You then want to remove the password from cert_export_Client1.key with the command (This is done on a computer with OpenSSL installed rather than on the MikroTik):
Code: Select all
openssl rsa -in cert_export_Client1.key -out cert_export_Client1.nopass.keyLinux computers will already have OpenSSL installed but, if you're on a Windows computer, you can download OpenSSL from OpenSSL Wiki - Binaries or use Cygwin.
Re: OpenVPN Server
Hi,
a big thank you, it works perfectly
I just had to add the 'remote-cert-tls server' option in the client.ovpn files and it worked perfectly
thank you so much
a big thank you, it works perfectly
I just had to add the 'remote-cert-tls server' option in the client.ovpn files and it worked perfectly
thank you so much
Re: OpenVPN Server
You're welcome. I'm pleased to hear that you got it all working.
I haven't come across the need for the "remote-cert-tls server" line in the client config file before, but thank you for letting me know about it. Out of curiosity, what version of RouterOS are you using? The instructions I wrote were for RouterOS 6.47.10 so I wonder if the additional line is needed in the newer versions (I haven't had a chance to check yet).
I haven't come across the need for the "remote-cert-tls server" line in the client config file before, but thank you for letting me know about it. Out of curiosity, what version of RouterOS are you using? The instructions I wrote were for RouterOS 6.47.10 so I wonder if the additional line is needed in the newer versions (I haven't had a chance to check yet).
Re: OpenVPN Server
Can anyone spot what's missing or incorrect and causing my OpenVPN configuration to fail?
I have a Mikrotik HAP-AC as my main router, and a static public IP address from my ISP.
My home network runs on addresses 172.28.16.0/24. The router itself is .1. I have reserved a bunch of static IP addresses for access points, NAS, printers, etc. between .2 and .63; there's a general DCHP address pool from .64 to .199; and I've reserved a third pool, vpnpool, for OpenVPN connections from .200 to .210.
I set up a PPP profile called ovpn, with local address 172.28.16.1 and remote address vpnpool, and suitable DNS server addresses.
I have added PPP secret entries for authorised users, with userids and passwords and specifying the ovpn profile.
I have created a CA certificate, a server certificate, and a client certificate/key.
I've enabled the OpenVPN server with the relevant ovpn profile and server certificate.
I've downloaded the certificates and key files and copied them to a folder on my Android phone, along with a "secret" file that has my userid/password as defined in the PPP secret, and an ovpn configuration file as follows:
I'm using the OpenVPN Connect app (https://play.google.com/store/apps/deta ... n_GB&gl=US). The connection gets established, and my phone gets an IP address from the vpnpool. But I can't access anything on the LAN. When I try to scan the LAN (using Net Analyzer app) I see only the addresses of the router at .1, one of my printers at (static) .34, and a robot vacuum - of all things - at a DHCP address. When I check the phone's IP configuration I see there is no gateway address, although DNS servers are as expected. There's nowhere I can see to explicitly specify the gateway address in the configuration, though I'd expect the server to have supplied it to the client along with DNS addresses.
I must be missing something, but what?
I have a Mikrotik HAP-AC as my main router, and a static public IP address from my ISP.
My home network runs on addresses 172.28.16.0/24. The router itself is .1. I have reserved a bunch of static IP addresses for access points, NAS, printers, etc. between .2 and .63; there's a general DCHP address pool from .64 to .199; and I've reserved a third pool, vpnpool, for OpenVPN connections from .200 to .210.
I set up a PPP profile called ovpn, with local address 172.28.16.1 and remote address vpnpool, and suitable DNS server addresses.
I have added PPP secret entries for authorised users, with userids and passwords and specifying the ovpn profile.
I have created a CA certificate, a server certificate, and a client certificate/key.
I've enabled the OpenVPN server with the relevant ovpn profile and server certificate.
I've downloaded the certificates and key files and copied them to a folder on my Android phone, along with a "secret" file that has my userid/password as defined in the PPP secret, and an ovpn configuration file as follows:
Code: Select all
dev tun
proto tcp-client
remote <my static IP>
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca CA.crt
cert PHClient.crt
key PHClient.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocacheI must be missing something, but what?
Re: OpenVPN Server
I found a fix, or more likely a work-around, which has resolved the issue for me.
I set the bridge to "proxy-arp" rather than "arp". I now have visibility of all LAN devices when connected via OpenVPN.
I set the bridge to "proxy-arp" rather than "arp". I now have visibility of all LAN devices when connected via OpenVPN.