OpenVPN Configuration in Mikrotik Router for Remote User

This guide shows how to configure OpenVPN on a MikroTik router so that a remote user can log in to the head-office VPN server and work from a remote location. OpenVPN is a VPN service like PPTP, L2TP and SSTP.

OpenVPN can be used for site-to-site VPN and can also be configured in a server-client model, where a remote user reaches the head-office network by connecting to the VPN server. OpenVPN has a complete set of security features, so it is safer than other types of VPN.

In this tutorial we set up the OpenVPN server-client model, where a remote user connects to the head-office network with OpenVPN client software on a Windows PC. Windows has built-in VPN clients for PPTP and L2TP, but OpenVPN requires a third-party application.

Part 1 – OpenVPN Server Configuration in MikroTik Router:

OpenVPN server and client configuration requires SSL certificates for secure communication. MikroTik RouterOS version 6 and above can create, store and manage certificates in its certificate store, so we will create the OpenVPN certificates in RouterOS. We need three certificates for the OpenVPN server and client configuration:

  1. CA (Certification Authority) certificate
  2. Server certificate
  3. Client certificate

 

Create CA Certificate: 

First we create the CA certificate. Go to System > Certificates.

Click the + sign to add a certificate.

Enter ca as both the name and the common name. On the Key Usage tab, uncheck all checkboxes except crl sign and key cert. sign.

Click the Apply button and then click the Sign button. The Sign window appears, with the newly created certificate in the Certificate dropdown menu; select it if it is not already selected. In the CA CRL Host field, enter the router WAN address, 192.168.137.2. Click the Sign button and the signed CA certificate is created.

Creating CA Certificate

 

Create Server Certificate: 

In this step we create the second certificate, the server certificate. Click the + sign to add a certificate.

Enter server as both the name and the common name. On the Key Usage tab, keep digital signature, key encipherment and tls server ticked.

Click the Apply button and then click the Sign button. In the Sign window, set Certificate to server and CA to the CA certificate. Click the Sign button and the signed server certificate is created. If the T flag (the trusted property) does not show any value, double-click the certificate and tick the box for the trusted value.

Creating Server Certificate

Create Client Certificate: 

In the final part we create the client certificate. Click the + sign to add a certificate.

Enter client as both the name and the common name. On the Key Usage tab, keep only tls client ticked.

Click the Apply button and then click the Sign button. In the Sign window, set Certificate to client and CA to the CA certificate. Click the Sign button and the signed client certificate is created.

Client Certificate

Export CA and Client Certificates

After creating the certificates, we export the CA and client certificates so that the OpenVPN client can use them.

The OpenVPN server uses the server certificate from the MikroTik RouterOS certificate store, but the client certificate has to be supplied to the OpenVPN client. So we need to export the client certificate and the CA certificate from the RouterOS certificate store.

 

Double-click the CA certificate and click Export. The file is now stored in the MikroTik Files section.

Now double-click again and click Export. From the dropdown, select the client certificate and set a password. The password must be 8 characters; it protects the exported client key and has to be provided whenever the OpenVPN client connects.

 

Click the Export button, and the client certificate and key file are exported to the MikroTik router Files section.

Export CA and Client Certificates

Now check the Files section. There you can see that we have exported two certificate files and one key file.

Drag and drop these files to the desktop. We will use them when we configure the OpenVPN client.

CA certificate downloaded file

 

OpenVPN server in Mikrotik Router:

After creating the TLS certificates, we configure the OpenVPN server on the MikroTik router.

Go to the PPP menu. On the Interface tab, click OVPN Server. For Certificate, choose the server certificate and tick the Require Client Certificate box. For Auth, we use sha1. For Cipher, we choose aes256. The MikroTik router supports OpenVPN on TCP port 1194. Finally, tick the Enabled box to enable the service.

Configure OpenVPN Server

 

Now we have to create a username and password for the remote user. To do this, go to the Secrets tab.

Create OpenVPN user

Part 2 – OpenVPN Client Configuration in Windows Operating System:

To set up the OpenVPN client, we need to download a third-party application, because Windows has no built-in OpenVPN client as it does for L2TP and PPTP.

Open a browser and go to openvpn.net. From the community downloads, find the installer for a Windows 10 PC and download it.

Now install it.

This application connects us to the OpenVPN server. Open the OpenVPN application folder and then its config folder, and add the certificate and key files to the config folder.

We have to create a file with the .ovpn extension. I copy and paste the template into a Notepad file and save it as client.ovpn.

Download client.ovpn template: Click here to download

Now I rename the files to ca, client and client.key.

We need one more file, named secret, because the template points auth-user-pass at a file called secret. The username and password for authentication are stored in this file and are used to dial the VPN server. We create the secret file now, with the username on the first line and the password on the second:

ovpn

test

Save this as a text file, then rename it so that it has no extension.
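
A client.ovpn that matches the server settings chosen in Part 1, given here as an added example; it is not the template linked from the original page. The file names ca.crt, client.crt and client.key, the tun device mode and the use of the router WAN address as the remote are assumptions.

```conf
# client.ovpn -- constructed example, not the original page's template.
client
# Assumption: the RouterOS OVPN server runs in its default routed (ip) mode.
dev tun
# Part 1 enables the server on TCP port 1194, so the client must use TCP.
proto tcp-client
# Router WAN address used in Part 1; replace with your own.
remote 192.168.137.2 1194
nobind
persist-key
persist-tun
resolv-retry infinite

# Must match the OVPN server settings from Part 1 (Auth sha1, Cipher aes256).
auth SHA1
cipher AES-256-CBC
# OpenVPN 2.6 clients no longer use "cipher" as a fallback; if negotiation
# fails on such a client, uncomment the next line.
;data-ciphers-fallback AES-256-CBC

# Files exported from the RouterOS certificate store (names assumed).
ca ca.crt
cert client.crt
key client.key
# Accept the peer only if its certificate carries the TLS server usage,
# i.e. the "tls server" key usage ticked on the server certificate in Part 1.
remote-cert-tls server

# Username on line 1, password on line 2 of the file named "secret".
# The file holds the credentials in plain text, so keep it readable only
# by the Windows account that runs the OpenVPN client.
auth-user-pass secret

verb 3
```

With "Require Client Certificate" ticked on the server, both the certificate and key pair and the username and password in secret must be valid for the connection to succeed.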

OpenVPN file in Directory

 

Now right-click the OpenVPN icon in the system tray on the taskbar and click Connect. It will ask for the client certificate password that you set during the client certificate export.

OpenVPN client icon in system tray

 

Providing OpenVPN certificate password

After the client certificate password and the username and password are verified, the OpenVPN client connects.

OpenVPN client connection status

 

If you have followed the steps up to here, you will be able to access your remote office resources with the OpenVPN client.

 

2 thoughts on “OpenVPN Configuration in Mikrotik Router for Remote User”

  • July 16, 2021 at 1:45 am

    Could you please share the interface setup (WAN, LAN)?

    • August 11, 2021 at 11:17 pm

      Interface setup is just like other setup we do to configure a router. I have WAN IP address which I got from my Internet provider and I choose ether1 port usually if I don’t have sfp port.

      And for LAN setup, I have used the same IP for remote VPN user and internal LAN user. LAN IP: 192.168.1.1 and interface ether5.

      Thanks
