Mikrotik OpenVPN server / Windows 7 client
Mikrotik make great routers based on their excellent RouterOS operating system, with impressive possibilities when you consider that one of their basic models costs only around $40.
This is a tutorial on how to set up a client/server VPN using a Mikrotik (with a RouterOS level 4 licence) as the VPN server and Windows 7 clients, in what is basically a road warrior scenario. OpenVPN will be used; bear in mind that the Mikrotik implementation does not support the UDP protocol or LZO compression. This should not be a problem for typical VPN usage (e.g. remote desktop, accessing shares).
You will need:
Latest version of OpenVPN (2.1 rc15 at the time of writing) for Windows and Linux
A Mikrotik RouterBoard or PC running RouterOS with a level 4 licence, already configured as a basic router
The security modules installed on RouterOS
An Ubuntu or other Linux VM to create the certificates (optional)
- Create the certificates OpenVPN needs, as it uses SSL/TLS for security:
First of all, avoid the method described in the Mikrotik Wiki that uses CAcert.org, as this doesn't seem to work. Instead use the easy-rsa scripts that come with OpenVPN. I found it easier to use an Ubuntu VM in VirtualBox, as the Windows implementation of easy-rsa didn't work well for me:
Edit the vars file with your settings
Do not rename the whichopenssl.cnf file to openssl.cnf, however tempted you are by the easy-rsa readme; it won't work!
source vars
(source is a shell builtin, so run it in your own shell rather than through sudo) and provide the appropriate information/password where necessary. You will then get a ca.crt, server.key and server.crt file among others.
- Import to your RouterOS router:
Copy server.crt and server.key, open Winbox, go to Files and paste them. As simple as that.
Then open the terminal and import the certificates:
/certificate import file-name=server.crt
/certificate import file-name=server.key
When asked, provide the password used during the creation of the certificate.
If you then do a /certificate print, it should show the imported certificate with a KR flag next to it, meaning the private key was decrypted successfully.
- Create an IP pool for the VPN users:
/ip pool add name=ovpn-pool ranges=172.21.0.10-172.21.0.20
/ppp profile add local-address=172.21.0.1 name=ovpn remote-address=ovpn-pool
/ppp secret add name=user password=pass profile=ovpn service=ovpn
/interface ovpn-server server set default-profile=ovpn enabled=yes mode=ethernet netmask=24 require-client-certificate=no certificate=cert1
Replace user and pass with your login credentials. You can use any IP range, but it is better to use a rarely used one so you don't get IP clashes while using the VPN.
- Configure the client:
Copy the client.ovpn file from the sample-config folder in the OpenVPN installation directory to the config folder.
Also copy the ca.crt you created earlier there. Open client.ovpn with Notepad++ or any other proper text editor and add the following lines:
script-security 2 system
route-up "route add LAN-IP mask 255.255.255.0 172.21.0.1"
The configuration uses a bridge (TAP) interface to connect to the Mikrotik and authenticates with the login details created earlier.
script-security 2 system allows the route-up command below it to add the route to your LAN to the client's routing table when it connects. For this to work you also have to run the OpenVPN GUI as an administrator every time.
If the route isn't put on the client PC, manually or automatically, the VPN will connect but be practically useless, as the computer won't know where to send traffic for your LAN on the other side of the VPN. Unfortunately the RouterOS implementation can't push routes over the VPN, so we have to resort to the method above (which works very well and also removes the route on disconnection).
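As an added example (not from the original post), a small Python lint that checks a client .ovpn against the RouterOS constraints mentioned above: TCP only, no LZO, a TAP device for mode=ethernet, user/password auth, a CA file, and script-security 2 so that route-up is allowed to run. The sample config, the host name and the 192.168.88.0/24 LAN are constructed values.

```python
import shlex
# Constructed sample: the stock client.ovpn with the edits described above, but with two
# leftover defaults (UDP, LZO) RouterOS does not support and 'dev tun' instead of TAP.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
auth-user-pass
comp-lzo
script-security 2 system
route-up "route add 192.168.88.0 mask 255.255.255.0 172.21.0.1"
"""

def parse_ovpn(text):
    """Return [(directive, [args...])], skipping blank lines and '#'/';' comments."""
    directives = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # honours the quotes around route-up's command
        directives.append((parts[0], parts[1:]))
    return directives

def lint_for_routeros(text, server_mode="ethernet"):
    """List what stops this client config working against a RouterOS OpenVPN server:
    TCP only, no compression, TAP for mode=ethernet, user/pass auth, CA, script-security."""
    directives = parse_ovpn(text)
    names = [name for name, _ in directives]
    problems = []
    for name, args in directives:
        if name == "proto" and args and args[0].startswith("udp"):
            problems.append("proto udp: RouterOS only speaks OpenVPN over TCP, use 'proto tcp'")
        elif name in ("comp-lzo", "compress"):
            problems.append(f"{name}: RouterOS does not support compression, remove it")
        elif name == "dev":
            want = "tap" if server_mode == "ethernet" else "tun"
            if args and not args[0].startswith(want):
                problems.append(f"dev {args[0]}: server mode={server_mode} needs 'dev {want}'")
    if "auth-user-pass" not in names:
        problems.append("missing auth-user-pass: the /ppp secret is the only client credential")
    if "ca" not in names:
        problems.append("missing ca: ca.crt is needed to verify the server certificate")
    if "route-up" in names:
        level = next((args for name, args in directives if name == "script-security"), [])
        if not (level and level[0].isdigit() and int(level[0]) >= 2):
            problems.append("route-up needs 'script-security 2' or the route command is refused")
    return problems
```

Run lint_for_routeros on your own client.ovpn; an empty list means the config matches the server settings from this tutorial.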
- That's pretty much it. It also works with portable versions of OpenVPN, so all you need is a USB stick with portable OpenVPN on it, the client config and the ca.crt file, and you're good to go!
Note: Initially I played around with CAcert.org certificates following the Wiki. I didn't manage to get it to work, and additionally even after I removed all the certificates on the Mikrotik that were created with the CAcert.org website and imported the easy-rsa ones, I would get a
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=my-domain
after authenticating. This was solved after a restart of the Mikrotik which seems to have cleared the value that was stuck in memory.