We will configure OpenVPN (OVPN) between MikroTik routerboards.
OpenVPN is an open-source VPN software that creates secure point-to-point connections.
Server Side Configuration (MikroTik "VPN Only" Routerboard)
1) Login to VPN-Server MikroTik
2) Create SSL Certificates
I assume that you are logged in to the server-side MikroTik; submit the commands below in the server-side MikroTik terminal:
/certificate
add name=vpn-ca common-name=vpn.local days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
sign vpn-ca
set vpn-ca trusted=yes
add name=vpnserver common-name=vpnserver.local days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign vpnserver ca=vpn-ca
set vpnserver trusted=yes
add name=vpnclient common-name=vpnclient.local days-valid=3650 key-size=2048 key-usage=tls-client
sign vpnclient ca=vpn-ca
set vpnclient trusted=yes
Export the SSL certificates for use on the client-side MikroTik routerboard.
You are still logged in to the server-side MikroTik; submit the commands below in the server-side MikroTik terminal:
/certificate
export-certificate vpn-ca export-passphrase=""
export-certificate vpnclient export-passphrase=12345678
(use your own export passphrase)
After the export, you will find the certificate files (CA cert, client cert and private key) in the MikroTik's file list (Winbox > Files).
Download the certificate files from the file list and save them on your local computer (drag and drop to download).
3) Create VPN Network
Decide on a range of IP addresses for the server-side VPN network; client routers will receive their VPN IP from it.
(Example: 172.16.22.0/24)
Currently you are logged in to server-side MikroTik, and submit the command below from here in server-side MikroTik terminal:
Add the VPN IP address pool:
/ip
pool add name="vpn-pool" ranges=172.16.22.2-172.16.22.254
Create a VPN Authentication (Auth) profile.
/ppp
profile add name="vpn-profile" local-address=172.16.22.1 remote-address=vpn-pool dns-server=8.8.8.8,1.1.1.1 use-encryption=yes
Attention! Here 172.16.22.1 (local-address) is the VPN network's main and default gateway IP.
Keep in mind that this CHR address 172.16.22.1 is used as the cloud MikroTik's private IP on the VPN network.
4) Create VPN Users/Client
Your VPN network Host is the server-side MikroTik's real IP.
Create a VPN user (you are still logged in to the server-side MikroTik; submit the command below in the server-side MikroTik terminal):
/ppp
secret add name=khulnarouter password=dSw3eVcRt profile=vpn-profile remote-address=172.16.22.2
If you have more home/office routers, create more users as needed. Just remember that the remote IP address (remote-address=) increments by 1 for each user.
Example (in terminal, /ppp):
secret add name=faridpurrouter password=dRk8vHa5j profile=vpn-profile remote-address=172.16.22.3
secret add name=ctgrouter password=gWk2vLa4c profile=vpn-profile remote-address=172.16.22.4
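The multi-user step above, as an added Python example (not from the original post): it hands out one remote-address per router from the tutorial's 172.16.22.2-172.16.22.254 pool, generates a random password for each, refuses duplicate names or an exhausted pool, and emits the /ppp secret add lines. The router names and the 12-byte password length are assumptions.

```python
import ipaddress
import secrets

# Pool bounds and profile name are the tutorial's; router names in __main__ are constructed.
POOL_FIRST = ipaddress.IPv4Address("172.16.22.2")
POOL_LAST = ipaddress.IPv4Address("172.16.22.254")
PROFILE = "vpn-profile"


def gen_password(nbytes=12):
    """Random URL-safe password (letters, digits, '-', '_'); 12 bytes -> 16 characters."""
    return secrets.token_urlsafe(nbytes)


def build_ppp_secrets(router_names, first=POOL_FIRST, last=POOL_LAST,
                      profile=PROFILE, password_fn=gen_password):
    """Return (commands, credentials) for the given routers.

    Each router gets the next address in the pool, so remote-address increments
    by one per user exactly as the tutorial describes. A ValueError is raised
    instead of silently assigning an address outside the pool or reusing a name.
    """
    commands, credentials = [], {}
    addr = first
    for name in router_names:
        if name in credentials:
            raise ValueError(f"duplicate secret name: {name}")
        if addr > last:
            raise ValueError(f"VPN pool exhausted before assigning {name}")
        password = password_fn()
        commands.append(
            f'secret add name={name} password="{password}" '
            f'profile={profile} remote-address={addr}'
        )
        credentials[name] = {"remote-address": str(addr), "password": password}
        addr += 1
    return commands, credentials


if __name__ == "__main__":
    # Paste the printed lines into "/ppp" on the server-side MikroTik terminal.
    cmds, creds = build_ppp_secrets(["khulnarouter", "faridpurrouter", "ctgrouter"])
    for cmd in cmds:
        print(cmd)
```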
5) Keep Note of VPN User Credentials
So, from the above config, you now have the VPN username and password.
When configuring the VPN on your site-office (client) MikroTik router, use the values below, as configured above:
VPN Host: xx.xx.xx.xx (VPN-Server side MikroTik's Real IP)
User: khulnarouter
Password: dSw3eVcRt
VPN-Server Network (Private):
IP-Range: 172.16.22.0/24
Subnet Mask: 255.255.255.0
Gateway: 172.16.22.1
6) Run/Enable OpenVPN Server
* You are still logged in to the server-side MikroTik; do the following job from there.
Important! Create/enable the “OVPN Server” from the Winbox GUI, not from the command line. Keep the information below handy.
Port = 1194 (or custom port 51194)
Mode = ip
Netmask = 24
Max MTU = 1500
Keepalive Timeout = 86400
Default Profile = default-encryption
Certificate = vpnserver
Require Client Certificate = yes
Auth = sha1
Cipher = aes 128, aes 256
Enable the server, configure the settings, then apply.
Now our VPN server is running.
7) Configure Firewall to Accept VPN Connections
* You are still logged in to the server-side MikroTik; submit the commands below in the server-side MikroTik terminal:
/ip firewall filter
add chain=input protocol=tcp dst-port=1194,51194 action=accept comment="Allow VPN Connect"
(place above the "established, related" input rule)
add chain=input in-interface=all-ppp action=accept comment="Allow remote vpn users to reach to this router"
(place above the "established, related" input rule)
add chain=input protocol=tcp dst-port=8291,58291 action=accept comment="Allow MikroTik Access"
add chain=forward in-interface=all-ppp action=accept comment="Allow remote vpn users to forwarding to local services"
(place above the "established, related" forward rule)
add chain=forward dst-address=172.16.22.0/24 out-interface=all-ppp action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"
(place above the "established, related" forward rule)
/ip firewall nat
add chain=srcnat dst-address=172.16.22.0/24 out-interface=all-ppp action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"
Remember! Drag and drop the allow rules so that they sit above the drop rules.
Done! The server-side configuration is complete.
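Because every firewall step above depends on the accept rules sitting above the drop rules, here is an added Python check (not from the original post) that reads a RouterOS "/ip firewall filter export" and reports VPN accept rules that are placed below a drop rule in the same chain. The sample export is constructed: its input-chain rules are ordered correctly and its forward-chain VPN rule is deliberately left below the drop.

```python
import re

# Constructed sample of "/ip firewall filter export" output (not a real device's export).
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input protocol=tcp dst-port=1194,51194 action=accept comment="Allow VPN Connect"
add chain=input in-interface=all-ppp action=accept comment="Allow remote vpn users to reach to this router"
add chain=input connection-state=established,related action=accept
add chain=input action=drop comment="drop all other input"
add chain=forward connection-state=established,related action=accept
add chain=forward action=drop comment="drop all other forward"
add chain=forward in-interface=all-ppp action=accept comment="Allow remote vpn users to forwarding to local services"
"""

# key=value pairs; the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
VPN_PORTS = {"1194", "51194"}  # the tutorial's OVPN ports


def parse_rules(export_text):
    """Turn each 'add ...' line into an ordered dict of its key=value pairs."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rules.append({k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return rules


def is_vpn_accept(rule):
    """An accept rule that matches VPN traffic: all-ppp interface or the OVPN port."""
    if rule.get("action") != "accept":
        return False
    ports = set(rule.get("dst-port", "").split(","))
    return ("all-ppp" in (rule.get("in-interface"), rule.get("out-interface"))
            or bool(ports & VPN_PORTS))


def shadowed_vpn_accepts(rules):
    """Comments of VPN accept rules that sit below a drop rule in the same chain.

    Conservative: any earlier drop in the chain counts, so a flagged rule might still
    be reachable if that drop is conditional; an unflagged rule is certainly above all drops.
    """
    chains_with_drop, shadowed = set(), []
    for rule in rules:
        chain = rule.get("chain")
        if rule.get("action") == "drop":
            chains_with_drop.add(chain)
        elif is_vpn_accept(rule) and chain in chains_with_drop:
            shadowed.append(rule.get("comment", "<no comment>"))
    return shadowed


if __name__ == "__main__":
    for comment in shadowed_vpn_accepts(parse_rules(SAMPLE_EXPORT)):
        print("move above the drop rule:", comment)
```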
Client Side MikroTik Config (Login to Client MikroTik)
8) Upload and import the SSL certificate files first
* You are now logged in to the client-side MikroTik; do the following job from there.
To upload: Winbox > Files > Drag & Drop SSL Cert Files (which SSL cert files you downloaded from Server side MikroTik)
To import: Winbox > System > Certificates > Import (GUI Button)
When importing the key file, enter 12345678 (or the passphrase you set earlier) as the password.
9) Create an OpenVPN client connection interface
* You are still logged in to the client-side MikroTik; do the following job from there.
Keep the information below handy; these are the credentials you got from the server-side MikroTik.
Connect to = xx.xx.xx.xx (VPN-Server side MikroTik's Real IP)
Port = 1194 (or custom port 51194)
Mode = ip
User: khulnarouter
Password: dSw3eVcRt
Profile = default-encryption
Certificate = vpnclient.crt
Verify Server Certificate = no
Auth = sha1
Cipher = aes128
Use Peer DNS = yes
Add Default Route = no
Apply the settings.
As we set Add Default Route = no, we have to add the route manually (Winbox > IP > Routes) using the gateway ovpn-out1.
10) Add Route (Winbox > IP > Routes)
* You are still logged in to the client-side MikroTik; submit the command below in the client-side MikroTik terminal:
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.22.1%ovpn-out1 check-gateway=ping distance=12 comment="VPN Route"
11) Set more firewall rules
* You are still logged in to the client-side MikroTik; submit the commands below in the client-side MikroTik terminal:
/ip firewall filter
add chain=input in-interface=ovpn-out1 action=accept comment="Allow remote vpn users to reach to this router"
(place above the "established, related" input rule)
add chain=input protocol=tcp dst-port=8291,58291 action=accept comment="Allow MikroTik Access"
add chain=forward in-interface=ovpn-out1 action=accept comment="Allow remote vpn users to reach to this router/services"
(place above the "established, related" forward rule)
add chain=forward dst-address=172.16.22.0/24 out-interface=ovpn-out1 action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"
(place above the "established, related" forward rule)
/ip firewall nat
add chain=srcnat dst-address=172.16.22.0/24 out-interface=ovpn-out1 action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"