Mikrotik OpenVPN server / Windows 7 client
Mikrotik make awesome routers based on their excellent RouterOS operating system, with awesome possibilities when you consider that one of their basic routers is only around $40.
This is a tutorial on how to set up a client/server VPN using a Mikrotik (with a RouterOS level 4 licence) as the VPN server and Windows 7 clients, in what is basically a road warrior scenario. OpenVPN will be used; bear in mind that the Mikrotik implementation does not support the UDP protocol or LZO compression. This should not be a problem for typical VPN usage (e.g. remote desktop, accessing shares).
You will need:
Latest version of OpenVPN (2.1 rc15 at time of writing) for Windows and Linux
A Mikrotik RouterBoard or PC running RouterOS with a level 4 licence, already configured as a basic router
The security modules installed on RouterOS
An Ubuntu or other Linux VM to create the certificates (optional)
- Create certificates needed as OpenVPN uses SSL for security:
First of all, avoid the method described in the Mikrotik Wiki that uses CAcert.org, as it doesn't seem to work. Instead use easy-rsa, which comes with OpenVPN. I found it easier to use an Ubuntu VM on VirtualBox, as the Windows implementation of easy-rsa didn't work well for me:
Edit the vars file with your settings
Do not rename the whichopenssl.cnf file to openssl.cnf, however tempted you are by the easy-rsa readme; it won't work! Then, from the easy-rsa directory, run:
source ./vars
./clean-all
./build-ca
./build-key-server server
and provide appropriate info/password where necessary. (vars must be sourced in your own shell, not via sudo, or the variables it sets are lost.) You will then get a ca.crt, server.key and server.crt file among others.
- Import to your RouterOS router:
Copy server.crt and server.key, open Winbox, go to Files and paste them in. As simple as that.
Then open the terminal and import the certificate and key:
/certificate import file-name=server.crt
/certificate import file-name=server.key
When asked, provide the password used during the creation of the certificate.
If you then do a /certificate print it should show the imported certificate with a KR flag next to it, meaning it successfully decrypted the private key and attached it to the certificate.
- Create an IP pool for the VPN users:
/ip pool add name=ovpn-pool ranges=172.21.0.10-172.21.0.20
/ppp profile add local-address=172.21.0.1 name=ovpn remote-address=ovpn-pool
/ppp secret add name=user password=pass profile=ovpn service=ovpn
/interface ovpn-server server set default-profile=ovpn enabled=yes mode=ethernet netmask=24 require-client-certificate=no certificate=cert1
Replace user and pass with your login credentials, and cert1 with the name /certificate print shows for the imported server certificate. You can use any IP range, but better use a rarely found one so you don't have IP clashes while using the VPN. Note that with require-client-certificate=no the PPP secret is the only thing authenticating a client, so pick a strong password.
- Configure the client:
Copy the client.ovpn file from the sample-config folder in the OpenVPN installation directory to the config folder.
Also copy the ca.crt you previously created here. Open client.ovpn using Notepad++ or any other proper text editor and put the following in it:
dev tap
remote your-external-ip-address
proto tcp-client
tls-client
ca ca.crt
auth-user-pass
pull
nobind
persist-key
resolv-retry infinite
verb 3
script-security 2 system
route-up "route add LAN-IP mask 255.255.255.0 172.21.0.1"
auth-nocache
Replace your-external-ip-address with your router's public address and LAN-IP with the network address of your LAN. This uses a bridged (tap) interface to connect to the Mikrotik, matching mode=ethernet on the server, and authenticates using the previously created login details. Make sure the quotes on the route-up line are straight ASCII quotes; curly quotes copied from a web page will break the command.
script-security 2 system allows the route-up command below it to add the route to your LAN to the client's routing table when the VPN connects. For this to work you also have to open the OpenVPN GUI as an administrator every time. If that route isn't put on the client PC manually or automatically, the VPN will connect but be practically useless, as the computer won't know what to do with requests for your LAN on the other side of the VPN. Unfortunately the RouterOS implementation can't push routes over the VPN, so we have to resort to the above method (which works very well, and also removes the route after disconnection).
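As an added check (example code, not part of the original tutorial), the following Python script lints a client .ovpn against the RouterOS constraints described above. The sample configs and the 192.168.88.0/24 LAN address are constructed for the example; the mode mapping it relies on (mode=ethernet pairs with dev tap, mode=ip with dev tun) is RouterOS behaviour.

```python
# Added example, not the tutorial author's code: lint an OpenVPN client config
# for the RouterOS pitfalls described in the text. It flags UDP and LZO (both
# unsupported by RouterOS), a 'dev' that does not match the server's mode
# (mode=ethernet needs tap, mode=ip needs tun), a missing 'ca' or 'auth-user-pass'
# line, 'route-up' without 'script-security 2', and curly quotes from a web page.
CURLY = "\u201c\u201d\u2033\u2018\u2019"

def parse_ovpn(text):
    """Split a .ovpn into (directive, argument-string) pairs; skip blanks and comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            head, _, rest = line.partition(" ")
            out.append((head, rest.strip()))
    return out

def lint_ovpn(text, server_mode="ethernet"):
    """Return a list of problems; an empty list means the config fits the server."""
    entries = parse_ovpn(text)
    cfg = dict(entries)  # last value wins; enough for the directives checked here
    problems = []
    for directive, arg in entries:
        if directive == "proto" and arg.startswith("udp"):
            problems.append("RouterOS OpenVPN is TCP only: use 'proto tcp-client'")
        if directive in ("comp-lzo", "compress"):
            problems.append(f"'{directive}' is not supported by RouterOS: remove it")
        if any(c in arg for c in CURLY):
            problems.append(f"'{directive}' has curly quotes; use straight quotes")
    want = "tap" if server_mode == "ethernet" else "tun"
    if cfg.get("dev") != want:
        problems.append(f"server mode={server_mode} needs 'dev {want}', found 'dev {cfg.get('dev')}'")
    if "ca" not in cfg:
        problems.append("no 'ca' line: the server certificate would not be verified")
    if "auth-user-pass" not in cfg:
        problems.append("no 'auth-user-pass': the PPP secret is the only credential here")
    if "route-up" in cfg:
        level = cfg.get("script-security", "1").split()[:1] or ["1"]
        if not (level[0].isdigit() and int(level[0]) >= 2):
            problems.append("'route-up' is refused unless 'script-security 2' is set")
    return problems

# Constructed sample: the tutorial's config with straight quotes and a placeholder 192.168.88.0/24 LAN.
GOOD = "\n".join(["dev tap", "remote your-external-ip-address", "proto tcp-client",
                  "tls-client", "ca ca.crt", "auth-user-pass", "script-security 2 system",
                  'route-up "route add 192.168.88.0 mask 255.255.255.0 172.21.0.1"'])
# Constructed sample: a config written for a Linux OpenVPN server, pasted from a web page.
BAD = "\n".join(["dev tun", "proto udp", "comp-lzo", "ca ca.crt", "auth-user-pass",
                 "script-security 1",
                 "route-up \u201croute add 10.0.0.0 mask 255.255.255.0 172.21.0.1\u201d"])
```

Running lint_ovpn(GOOD) returns an empty list, while lint_ovpn(BAD) reports the five mismatches; pass server_mode="ip" when the RouterOS server is set to mode=ip, which requires dev tun instead.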
- That's pretty much it. It also works with portable versions of OpenVPN, so all you need is a USB stick with portable OpenVPN on it, the client config and the ca.crt file, and you're good to go!
Sources: Mikrotik OpenVPN Wiki, Mikrotik Forum post, Serverfault
Note: Initially I played around with CAcert.org certificates following the Wiki. I didn't manage to get it to work, and additionally, even after I removed all the certificates on the Mikrotik that were created with the CAcert.org website and imported the easy-rsa ones, I would get a
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=my-domain
after authenticating. This was solved after a restart of the Mikrotik which seems to have cleared the value that was stuck in memory.
Hi,
Thanks for your tutorial. I have followed it as you indicated but am getting an error from the RouterBoard:
could not load private key
I am using ubuntu 11.10 to generate the certs and keys.
What do you reckon could be the issue?
Thanks.
Where exactly do you get this?
You forgot that Mikrotik needs the key in text.
You need to convert the server key to text like:
openssl rsa -in server.key -text > server.key.txt
Then import the resulting text file to get the KR flag.
Hi Paul
I haven't needed this and have set up many VPNs with this guide... I will also amend it with client certificates in the future. Why would it need it in text?
Hi man, I configured everything just like you said and it connects okay and also pings from the remote PC to the router's real LAN IP, which is 128.1.1.239, and of course to the VPN LAN IP 172.21.0.1, but the problem is I can't ping other PCs on the network. Do you have any idea why this could be happening?
Are your routes correct? Also, if on Windows Vista/7, you have to open the OpenVPN GUI as an administrator for it to be able to pass the route.
It worked! I had some bad routing-mark settings which were messing things up, thanks!
Hi Manic! It's me again.
I have a new problem. I have several WAN connections on various ports of the Mikrotik.
I use routing marks for certain local IPs to go out through certain different ISPs.
I.e. I mark local IP 128.1.1.8 with the mark "ISP2", and I also have a route which redirects that mark to the ISP 2 port.
My question is: how can I make the VPN go out through a different WAN than the default? I tried marking the traffic but it goes through the VPN default route... that is a non-static interface that appears when the VPN client connects, and I think it's going out through the default port.
Do you have any idea how I can achieve this?
Try marking the IP range that OpenVPN uses, in my example 172.21.0.10-172.21.0.20.
I tried marking the range as src address and as dst address; neither worked.
It marks the route BUT then what I think happens is that it takes the default route from the OVPN server (distance 0) and ignores the route which redirects the mark to ISP2 (distance 1). The problem here is that the default route is dynamic so I can't modify or remove it; also, if I remove it I think the VPN would stop working.
Hi,
I have a problem; it is my first time trying to configure this router as a VPN server,
so I followed your tutorial. It works very nicely but I can't connect to LAN computers and can't ping the LAN gateway.
LAN IP: 192.168.88.1
VPN IP: your tutorial's IP
and ipconfig in Windows does not show a gateway.
So please can you help me out?
I find this article very easy to follow, and it has given me instant positive results. I've migrated from a plain Debian OpenVPN package on an NSLU2 network appliance, and I am missing a couple of features:
- Being able to continue using client certificate authentication instead of user/password
- Being able to secure the identity of the OpenVPN server with the ta.key check.
Hello
I used this tutorial and I connected to the Mikrotik, but my gateway doesn't change and my site filter is the same on my client!
I think my gateway isn't active on my client?
Hello sir
I tried so much to configure OpenVPN on my Mikrotik but I can't configure it. Can you configure it on my Mikrotik? Please say yes, I need OpenVPN on Mikrotik so much, please please configure it on my Mikrotik.
I have Debian and Mikrotik; if you want I'll give you the details of my server and you configure it. I am waiting for your answer.
thank you so much
kind regards
Where are you encountering problems? If you follow my guide to the letter you should be OK.
Great, worked for me. Thanks.
But I had to add this line to set its adapter as the default gateway:
redirect-gateway
Hi... I have a problem. When I connect to OVPN, the log on my Mikrotik gives me:
could not negotiate TLS in time. What's that?
Make sure that the time and date are set correctly on the Mikrotik.
I set the date and time on the router but still no
Hi
Thanks for your tutorial, but there is a big problem in it.
In Windows 7, OpenVPN installs TAP-Windows Adapter V9...
That means the OpenVPN client conf should use "dev tap", but Mikrotik just supports "tun" connections...
So your tutorial does not work in Windows 7...
Hi Ali
This is working fine with Windows XP, 7 and 8, tested in many implementations and PCs.
Sorry, you're right.
It's my mistake...
I forgot to change the mode of the OVPN server in Mikrotik.
After I changed it to ethernet mode it works fine.
thanks
Np
Hi, following your guide I can connect to my RB OVPN server. The problem is when I need to connect by telnet to a telnet server.
I have firewall rules, dstnat and srcnat correctly configured (over an L2TP connection all is OK).
I know that the problem is in the routes; please tell me if this is incorrect:
route-up "route add 192.168.1.0 mask 255.255.255.0 192.168.10.1"
192.168.1.0 -> network of the OVPN client (my IP is 192.168.1.105)
192.168.10.1 -> PPP local address of my PPP profile (use encryption = yes)
Is the route actually passed in Windows? Do a route print in cmd and check. OpenVPN needs to be run as an administrator in order to pass routes.