How to Set Up an OpenVPN Server on Mikrotik: A Comprehensive Guide

Are you looking to set up an OpenVPN Server on Mikrotik? While Mikrotik's OpenVPN isn't entirely full-featured, in certain scenarios, it can be much more efficient than other VPN solutions. Today, I'll provide a step-by-step guide to help you through this process.

There's a wealth of online resources detailing how to get OpenVPN running on Mikrotik with OpenSSL. But here's a simpler route, exclusively harnessing Mikrotik tools:

1. Root Certificate Generation

/certificate add name=template-CA country="" state="" locality="" organization="" unit="" common-name="templ-OVPN-CA" key-size=2048 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign template-CA ca-crl-host=127.0.0.1 name="OVPN-CA"

2. Crafting a Server Certificate

/certificate add name=template-SRV country="" state="" locality="" organization="" unit="" common-name="srv-OVPN" key-size=2048 days-valid=1095 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign template-SRV ca="OVPN-CA" name="srv-OVPN"

3. Designing a Client Certificate Template

/certificate add name=template-CL country="" state="" locality="" organization="" unit="" common-name="client-ovpn-template" key-size=2048 days-valid=365 key-usage=tls-client

4. Client Certificate Creation

/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="client-ovpn-1"
/certificate sign template-CL-to-issue ca="OVPN-CA" name="client-ovpn-1"

Remember, for multiple clients, make sure the common-name and name in your commands match each other. For example, for the second client the commands should be:

/certificate add name=template-CL-to-issue copy-from="template-CL" common-name="client-ovpn-2"
/certificate sign template-CL-to-issue ca="OVPN-CA" name="client-ovpn-2"

5. Essential OpenVPN Configuration on Mikrotik

From IP pool creation to user authentication, these steps ensure a seamless VPN experience.

/ip pool add name=OVPN_srv_pool ranges=192.168.100.2-192.168.100.254
/ppp profile add name=OVPN_server local-address=192.168.100.1 remote-address=OVPN_srv_pool
/ppp aaa set accounting=yes
/ppp secret add name=test-user-1 password=P@sswOrd1 service=ovpn profile=OVPN_server
/interface ovpn-server server set auth=sha1 cipher=aes256-gcm default-profile=OVPN_server mode=ip netmask=24 require-client-certificate=yes certificate=srv-OVPN enabled=yes

Don't forget to adjust the IP pool range, the local address and the user credentials to your own values.

6. Exporting Certificates

Exporting correctly ensures a secure connection later on.

/certificate export-certificate OVPN-CA export-passphrase=""
/certificate export-certificate client-ovpn-1 export-passphrase=11111111

The certificate name should match the name of the client certificate. Remember the passphrase used in this command: you will need it when connecting.

7. Transferring Certificates: Using Winbox

For those unfamiliar, Winbox is a handy Mikrotik tool that makes file transfers a breeze. Just open the Files menu and drag and drop the exported certificates to your desktop.

8. Final Touches: Creating Configuration Files

Before you can connect, you'll need to set up some configuration files.

Example of client.ovpn content:

client
dev tun
;must match cipher=aes256-gcm configured on the Mikrotik server
cipher AES-256-GCM
data-ciphers AES-256-GCM
proto tcp
remote 45.135.135.214 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca cert_export_OVPN-CA.crt
cert cert_export_client-ovpn-1.crt
key cert_export_client-ovpn-1.key
auth-user-pass user-pwd.txt
remote-cert-tls server
verb 3
route-delay 5
;Route to the network behind the Mikrotik (192.168.0.0 is that network, 192.168.100.1 is the Mikrotik's address inside the OVPN tunnel)
;route 192.168.0.0 255.255.255.0 192.168.100.1
;This makes the Mikrotik the default gateway; keep it only if that is what you need
redirect-gateway def1

Remember to update the 'remote' address to your Mikrotik's actual IP.

If you don't want the Mikrotik to become your default gateway, comment out the last line (redirect-gateway def1) and uncomment the route line (;route 192.168.0.0 255.255.255.0 192.168.100.1), replacing 192.168.0.0 with the network you need to reach.

Also you'll need the file user-pwd.txt:

test-user-1
P@sswOrd1

To revoke a user's certificate (client-ovpn-1 in this example), use:

/certificate issued-revoke client-ovpn-1
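As an added pre-flight check (not part of the original article), the Python script below parses a client.ovpn together with the RouterOS server line from step 5 and reports settings that cannot interoperate, for example a cipher name the server never offers. The sample inputs are constructed, and the RouterOS-to-OpenVPN cipher spelling it translates is assumed from the names used in this guide.

```python
import re
import shlex

# Constructed sample (not the article's files): the step-5 server line and a
# client.ovpn carrying the AES-258-GCM typo (there is no such cipher).
SERVER_CMD = ("/interface ovpn-server server set auth=sha1 cipher=aes256-gcm "
              "default-profile=OVPN_server mode=ip netmask=24 "
              "require-client-certificate=yes certificate=srv-OVPN enabled=yes")
CLIENT_OVPN = """dev tun
--cipher AES-258-GCM
--data-ciphers AES-258-GCM
ca cert_export_OVPN-CA.crt
cert cert_export_client-ovpn-1.crt
key cert_export_client-ovpn-1.key
remote-cert-tls server
"""

def parse_routeros_set(cmd):
    """Collect the key=value pairs of a RouterOS 'set' command into a dict."""
    return dict(re.findall(r"(\S+?)=(\S+)", cmd))

def parse_ovpn(text):
    """Map each .ovpn option to its arguments; skips '#'/';' comments, strips '--'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            parts = shlex.split(line)
            opts[parts[0].lstrip("-")] = parts[1:]
    return opts

def ros_to_openvpn_cipher(name):
    m = re.fullmatch(r"aes(\d+)-(gcm|cbc)", name)  # aes256-gcm -> AES-256-GCM
    return f"AES-{m.group(1)}-{m.group(2).upper()}" if m else name.upper()

def check_client_against_server(ovpn_text, server_cmd):
    """Return the list of mismatches; an empty list means the two agree."""
    srv, cli, problems = parse_routeros_set(server_cmd), parse_ovpn(ovpn_text), []
    want = ros_to_openvpn_cipher(srv.get("cipher", ""))
    for opt in ("cipher", "data-ciphers"):  # data-ciphers may be a colon list
        if want not in (cli.get(opt) or [""])[0].split(":"):
            problems.append(f"{opt} {cli.get(opt)} does not include server cipher {want}")
    if srv.get("mode") == "ip" and cli.get("dev") != ["tun"]:
        problems.append("server mode=ip needs 'dev tun' on the client")
    if srv.get("require-client-certificate") == "yes":
        problems += [f"'{o}' missing but the server requires a client certificate"
                     for o in ("cert", "key") if o not in cli]
    if cli.get("remote-cert-tls") != ["server"]:
        problems.append("add 'remote-cert-tls server' so the server EKU is checked")
    return problems
```

Run it against your own client.ovpn before handing the profile out; an empty result means the client asks for exactly what the Mikrotik server was configured to offer.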

Conclusion

Setting up OpenVPN on Mikrotik can be a straightforward process with the right guide. Ensure you follow each step carefully, and in no time, you'll have a secure VPN connection. For those looking to further their knowledge, check out our resources on revoking certificates and advanced Mikrotik configurations.
