openvpnonmikrotik's Introduction

OpenVPN on Mikrotik by #Gabriel Lami

Configure OpenVPN on Mikrotik professionally (Site-to-Client)

1- First, we choose and create a network for the VPN clients. In this tutorial I will use 192.168.30.0/24. Then we will create the bridge and the IP Pool.

  • Creation of the bridge where the network addresses will be added. Bridge->Create new bridge
  • Creation of the network address. IP->Addresses
  • Creation of the IP Pool. You can set the desired address range depending on how many clients will connect to the VPN. IP->Pool

2- Second, we create the firewall filter rule and the NAT rule so that the clients can communicate with the VPN server.

  • Creation of the firewall filter rule. IP->Firewall->Filter Rules
  • Creation of the NAT rule (only if you don't have this rule already). IP->Firewall->NAT

3- Third, we will create and export the certificates (CA, server and client) needed for authentication between the VPN server and the client.

  • Creation of CA certificate. System->Certificates

    On General Tab: -Name: CA -Common Name: CA -Key Size: 2048

    On Key Usage Tab: -key cert. sign -crl sign

    On Sign button click: -CA CRL Host: your public IP address

  • Creation of server certificate. System->Certificates

    On General Tab: -Name: server -Common Name: server -Key Size: 2048

    On Key Usage Tab: -digital signature -key encipherment -tls server

    On Sign button click: -CA: CA

  • Creation of client certificate. System->Certificates

    On General Tab: -Name: client -Common Name: client -Key Size: 2048

    On Key Usage Tab: -tls client

    On Sign button click: -CA: CA

  • Export certificates. System->Certificates

    Right-click the CA and server certificates, click Export, and then Export. Right-click the client certificate, click Export, enter a passphrase, and then Export.

    After the export you can find the certificates under Files, where you can download them. You will need them on the client side when you connect to the VPN.

4- Fourth, we will create the OpenVPN server, the profile and the secret credentials for the user who will connect to this VPN server.

  • Creation of the OpenVPN server. PPP->Interface->OVPN Server

  • Creation of the profile, which in this case will be default-encryption. PPP->Profiles

  • Creation of the user credentials which will be used to connect to the VPN server. PPP->Secrets

5- In this last step we will configure the OpenVPN client so that it can connect through the VPN.

  • Convert the three certificate files from PEM plain text into one encrypted PKCS#12 file.

    • Download OpenSSL for Windows from this link and install it. https://slproweb.com/products/Win32OpenSSL.html

    • Open CMD with admin privileges and cd to the OpenSSL bin directory:

        cd C:\Program Files\OpenSSL-Win64\bin

    • Copy the certificate files into the same directory and run this command:

        openssl pkcs12 -export -in cert_export_client -inkey cert_export_client.key -certfile cert_export_CA.cert -name MyClient -out client.p12

    • A file named client.p12 will be generated.

  • We will create the VPN configuration file client.ovpn with the following content:

        client
        dev tun
        proto tcp-client
        remote <your public IP here>
        port 1194
        nobind
        persist-key
        persist-tun
        tls-client
        remote-cert-tls server
        verb 4
        mute 10
        cipher AES-256-CBC
        auth SHA1
        pkcs12 client.p12
        auth-user-pass
        auth-nocache
        # Add your local network here if you only want access to that network
        route x.x.x.x 255.255.255.0
        route x.x.x.0 255.255.255.0
        # Use this only if you want to route all your traffic through the VPN
        #redirect-gateway def1

    Finally, you will have these two files: client.ovpn and client.p12.

  • Install the OpenVPN client on your Windows laptop/PC

    You can download it here https://openvpn.net/community-downloads/

    Copy the two files created earlier, client.ovpn and client.p12, into the OpenVPN config folder.

    Click Connect in the client, enter the passphrase you created earlier when you exported the certificates, and then fill in the user credentials.

    Good job, you should now be connected! If not, check the steps again because you might have made a mistake.
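
A small linter for the client.ovpn from step 5, as an added example that is not part of the original tutorial. It checks the points this setup depends on (TCP transport, server-certificate checking, the credential prompt, unfilled placeholders); the sample file and all function names are constructed for illustration.

```python
import ipaddress

# Added example; names are illustrative. Constructed sample modelled on the
# tutorial's client.ovpn, with a repeated proto line and unfilled placeholders.
SAMPLE = """client
proto tcp-client
remote your public IP here
port 1194
proto tcp
remote-cert-tls server
pkcs12 client.p12
auth-user-pass
auth-nocache
route x.x.x.x 255.255.255.0
"""

ONCE = {"proto", "port", "dev", "cipher", "auth", "pkcs12"}
REQUIRED = {  # directive -> what goes wrong without it
    "remote-cert-tls": "peer certificate is not checked for server usage",
    "auth-user-pass": "the PPP secret (user/password) is never sent",
    "auth-nocache": "the password stays cached in client memory",
}

def parse(text):  # yields (line_no, directive, args); skips blanks and comments
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if parts and parts[0][0] not in "#;":
            yield n, parts[0], parts[1:]

def is_ip(s):
    try:
        return ipaddress.ip_address(s) is not None
    except ValueError:
        return False

def lint(text):
    findings, first = [], {}
    for n, name, args in parse(text):
        if name in ONCE and name in first:
            findings.append(f"line {n}: duplicate '{name}' (first on line {first[name]})")
        first.setdefault(name, n)
        if name == "proto" and args and args[0].startswith("udp"):
            findings.append(f"line {n}: UDP needs RouterOS v7 on the server")
        if name == "remote" and not 1 <= len(args) <= 3:
            findings.append(f"line {n}: 'remote' still holds placeholder text")
        if name == "route" and not (args and is_ip(args[0])):
            findings.append(f"line {n}: 'route' network is not a valid address")
    findings += [f"missing '{d}': {why}" for d, why in REQUIRED.items() if d not in first]
    return findings
```

Running `lint(SAMPLE)` reports the placeholder `remote`, the repeated `proto` and the placeholder `route`; a filled-in file returns an empty list.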

- Some final notes

  The drawbacks of this VPN Server over Mikrotik are:
  
  1- OpenVPN Server on Mikrotik can't push routes to clients (can be done on client configuration)
  2- OpenVPN Server on Mikrotik can't push traffic redirection (can be done on client configuration)
  3- OpenVPN Server on Mikrotik can't use UDP protocol (this is possible on v7 of the RouterOS)
  
- Pros and cons

  Advantages:
  
  Better Security (256-bit encryption keys and high-end ciphers)
  Firewall compatibility (can use any TCP or UDP port)
  
  Disadvantages:
  
  Client support (Requires additional software client)
  Configuration (Complex manual configuration)
 
 Thank you.
