-
1/6/15, 4:47 PMOpenVPN Configuration Step by Step - MikroTik
Wiki
Page 1 of
35http://wiki.mikrotik.com/index.php?title=OpenVPN_Configuration_Step_by_Step&printable=yes
OpenVPN Configuration Step by Step
From MikroTik Wiki
In this article I will talk about OpenVPN and how to set it up completely: basic configuration, certificates and the OpenVPN configuration itself.
In many topics and forums users talk about OpenVPN, and approximately 90% of them have problems running and correctly installing OpenVPN.
So I decided to show you how to do it correctly. Let's go!
What is OpenVPN ?
OpenVPN has been ported to various platforms, including Linux and Windows, and its configuration is much the same on each of these systems, which makes it easier to support and maintain.
Also, OpenVPN is one of the few VPN protocols that can make use of a proxy, which might be handy sometimes.
You are also able to use various ports (TCP port) for your VPN connections.
For more information, see http://wiki.mikrotik.com/wiki/OpenVPN
Requirements :
RouterOS or RouterBOARD (in this article I have an RB493AH, version 6 RC 13)
Public or private IP address or valid domain name (my router: 91.108.151.193, domain name: Reza.IPExperts.Ir)
If you have a domain name, as in this article, you can point all certificate requests to your domain; otherwise you should use your IP address.
Public or private certificate for OpenVPN (I will use a free CAcert (http://Cacerts.Org) certificate)
PPP package (to install the OpenVPN service)
OpenVPN GUI for Windows (if your OpenVPN client is a Windows user: OpenVPN GUI (http://openvpn.se/); in this article the client is another RouterBOARD)
Linux operating system with OpenSSL
Basic Configuration :
Set the IP address, default route and other basic configuration on your MikroTik (DNS, NTP, etc.).
ip address
add address=91.108.151.193/28 comment="Public IP" interface="WLAN 1 - Home" \
    network=91.108.151.192
Add a default route:
ip route
add distance=1 gateway=91.108.151.194
Certificate :
OpenVPN uses certificates to set up connections, so open a new terminal window and create a certificate request with your information:
certificate create-certificate-request
You will be asked a number of questions; some of them are important, some are not.
select name for certificate request file.
it will be created after you finish entering all required
information.
certificate request file name: certificate-request.pem
select name of private key file.
if such file does not exist, it will be created later.
file name: private-key.pem
private key file already exists and will be overwritten if you
continue.
please enter passphrase that will be used to encrypt generated
private key file.
you must enter it twice to be sure you have not made any typing
errors.
passphrase: 123456 [IMPORTANT]
verify passphrase: 123456 [IMPORTANT]
enter number of bits for RSA key.
longer keys take more time to generate.
rsa key bits: 2048 [Default]
now you will be asked to enter values that make up distinguished
name of your certificate.
you can leave some of them empty.
CA may reject your certificate request if some of these values
are incorrect or missing, so please check what are the requirements
of your CA.
enter two character country code.
country name: IR [NOT IMPORTANT]
enter full name of state or province.
state or province name: Khuzestan [NOT IMPORTANT]
enter locality (e.g. city) name
locality name: Ahvaz [NOT IMPORTANT]
enter name of the organization
organization name: IPExperts [NOT IMPORTANT]
enter organizational unit name
organization unit name: IT Department [NOT IMPORTANT]
enter common name.
for ssl web servers this must be the fully qualified domain name
(FQDN) of the server that will use this certificate
(like www.someverysecuresitename.com).
this is checked by browsers.
common name: reza.ipexperts.ir [IMPORTANT]
or
common name: 91.108.151.193 [IMPORTANT]
enter email address
email address: [email protected] [NOT IMPORTANT]
now you can enter challenge password.
it's use depends on your CA.
it may be used to revoke this certificate.
challenge password: 123456 [NOT IMPORTANT]
you can enter unstructured address, if your CA accepts or
requires it.
unstructured address: Reza Moghadam [NOT IMPORTANT]
After a few seconds you will receive notification that the
Certificate Request file was created:
You can see that Certificate-Request.pem and Private-key.pem have been added in the Files menu.
CaCerts :
Drag and drop the request files (Certificate-Request.pem and Private-Key.pem) to your desktop.
First open the Certificate-Request.pem file with WordPad and copy the whole string, including the begin and end lines of the certificate request. Then log in to your account at CAcert and make a new server certificate.
Paste the Certificate-Request.pem string into the CSR field in your account (New Server Certificate) and submit it.
Domain is accepted.
Copy and paste your certificate response from CAcert into WordPad and save it as a .pem file (here: certificate-response.pem).
Private Key :
We need a private key as a key file, but the generated private keys will be in pkcs8 format, which is not supported in RouterOS.
To import such keys we should use the OpenSSL tool on a Linux distribution and make a private-key file.
We can install OpenSSL with one of these commands:
apt-get install openssl
or
yum install openssl
Upload or move the Private-Key.pem file to the Linux system with OpenSSL (Bitvise SSH Client).
Make your Private-Key.key file with this command:
openssl rsa -in private-key.pem -text
Copy and paste the exported string (including the begin and end lines) into a new file (e.g. Private-Key.Key).
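The conversion step above, as an added shell example that is not part of the original article: it identifies the key's format from its PEM banner, writes the traditional RSA form straight to an owner-only file instead of copying it out of the terminal, and checks that the key belongs to the certificate response before import. The function names are hypothetical; -traditional is the OpenSSL 3.x option (3.x otherwise writes PKCS#8 again), and the version test that selects it is an assumption about the installed build.

```shell
#!/bin/sh
# Added example (not from the article); function names are hypothetical.

# Print the container format of the PEM private key in file $1.
pem_key_format() {
    if grep -qF -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -qF -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -qF -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        # Traditional keys mark encryption in a header line, not the banner.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo rsa-traditional-encrypted
        else
            echo rsa-traditional
        fi
    else
        echo unknown
    fi
}

# Write key $1 as an unencrypted traditional RSA key to $2 (mode 0600).
# openssl asks for the passphrase itself; the key never reaches the screen.
to_traditional_rsa() {
    [ "$(pem_key_format "$1")" != unknown ] || { echo "not a PEM key: $1" >&2; return 1; }
    case $(openssl version) in
        'OpenSSL 0.'*|'OpenSSL 1.'*|LibreSSL*) trad= ;;  # assumed: RSA form by default
        *) trad=-traditional ;;                          # 3.x defaults to PKCS#8
    esac
    ( umask 077; openssl rsa $trad -in "$1" -out "$2" ) || return 1
    [ "$(pem_key_format "$2")" = rsa-traditional ]
}

# Succeed only if private key $1 and certificate $2 share one public key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Usage: sh convert-key.sh private-key.pem Private-Key.Key certificate-response.pem
if [ $# -eq 3 ]; then
    to_traditional_rsa "$1" "$2" && key_matches_cert "$2" "$3" &&
        echo "key converted and matches certificate"
fi
```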
Import Certificate
Import the files (Certificate-Response.pem, Private-Key.Key) to your MikroTik Files menu.
First, import the Certificate-Response.pem file with that passphrase.
Second, import the Private-Key.Key file with that passphrase.
Once you have imported the private key, your certificate should get a "KR" written next to it:
K: Decrypted-Private-Key
R: RSA
Now you will be able to use this key for OVPN.
OpenVPN Server Configuration :
We should make an IP pool for the OpenVPN clients.
ip pool
add name=PPP ranges=1.1.1.1-1.1.1.100,1.1.1.150-1.1.1.200
Make a profile for the OpenVPN service.
Warning: the screenshot shows an incorrect local address; it should be 1.1.1.254, as in the command below.
ppp profile
set 0 dns-server=4.2.2.4,8.8.8.8
add dns-server=4.2.2.4,8.8.8.8 local-address=1.1.1.254 name=\
    "OpenVPN Profile" remote-address=PPP
Make a username and password for the OpenVPN client.
ppp secret
add name=1 password=1 profile="OpenVPN Profile"
Enable the OpenVPN service and select a valid certificate.
interface ovpn-server server
set certificate=cert1 enabled=yes
NAT :
Add a masquerade firewall NAT rule to share internet access with the OpenVPN client.
ip firewall nat
add action=masquerade chain=srcnat src-address=1.1.1.0/24
OpenVPN Client :
Make an OpenVPN client and set the address of the OpenVPN server and the username and password.
interface ovpn-client
add auth=none cipher=none connect-to=reza.ipexperts.ir mac-address=\
    02:FB:D1:D8:20:B7 name=ovpn-out1 password=1 user=1
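A defender's check for the settings used in this walkthrough, as an added example that is not part of the original article: it reads a RouterOS export and flags OpenVPN interfaces whose cipher or auth is none/null, and PPP or client passwords shorter than a minimum. The function names, the constructed sample export and the 12-character MINLEN default are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Constructed sample: a RouterOS
# export fragment carrying the values used in this walkthrough.
sample_export() {
    cat <<'EOF'
/ppp secret
add name=1 password=1 profile="OpenVPN Profile"
/interface ovpn-server server
set certificate=cert1 enabled=yes
/interface ovpn-client
add auth=none cipher=none connect-to=reza.ipexperts.ir mac-address=\
    02:FB:D1:D8:20:B7 name=ovpn-out1 password=1 user=1
EOF
}

# Read export text (files or stdin), print one finding per line, and
# return non-zero if anything was flagged. MINLEN is an assumed policy.
audit_ovpn_export() {
    awk -v minlen="${MINLEN:-12}" '
        function flag(msg) { print menu ": " msg; n++ }
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        # Join lines that end in a backslash continuation.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        line ~ /^(add|set) / {
            if (menu ~ /^interface ovpn-(client|server)/) {
                if (line ~ / cipher=(none|null)( |$)/) flag("cipher disabled")
                if (line ~ / auth=(none|null)( |$)/) flag("auth disabled")
            }
            # Unquoted values only; the password itself is never printed.
            if (menu ~ /^(ppp secret|interface ovpn-client)$/ &&
                match(line, / password=[^ ]*/)) {
                pw = substr(line, RSTART + 10, RLENGTH - 10)
                if (length(pw) < minlen) flag("password under " minlen " chars")
            }
            next
        }
        # Any other non-comment line names the current menu.
        line != "" && line !~ /^#/ { menu = line; sub(/^\//, "", menu) }
        END { exit (n > 0) }
    ' "$@"
}

# Pass saved export files as arguments to audit them.
if [ $# -gt 0 ]; then audit_ovpn_export "$@"; fi
```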
Finally :
You can see that the OpenVPN client is connected, and you will be able to ping it.
Reza Moghadam
--MikroTik Certified Trainer 12:02, 4 April 2013 (UTC)
Retrieved from
"http://wiki.mikrotik.com/index.php?title=OpenVPN_Configuration_Step_by_Step&oldid=26115"
This page was last modified on 26 February 2014, at 13:23.
This page has been accessed 165,932 times.