OpenVPN Configuration in Mikrotik Router for Remote User

 

This guide will help you to configure OpenVPN in Mikrotik Router and help a remote user to login to head office VPN server and work from remote location. OpenVPN is just like other type of VPN service like PPTP, L2TP, SSTP.

OpnVPN can be used for site to site VPN and also can be configured as VPN Server-Client model where remote user can access to head office network by connecting to VPN server. OpenVPN has complete security features so it is safer than other types of VPN.

In this tutorial, we will see OpenVPN server-client model where remote user connect to head office network by openVPN client software from Windows PC. For PPTP and L2TP there are built-in VPN client apps available on Windows but for OpenVPN we have to use third party application.

Part 1 – OpenVPN Server Configuration in MikroTik Router:

OpenVPN server and client configuration requires SSL certificate for secure communication. MikroTik RouterOS version 6 and above gives ability to create, store and manage certificates in certificate store. So, we will create OpenVPN certificate from our RouterOS. We need three types of certificates for OpenVPN server and client configuration:

  1. CA (Certification Authority) certificate
  2. Server certificate
  3. Client certificate

 

Create CA Certificate: 

First we will create CA certificate. Go to system > Certificate

Click + sign to add

Put a name ca and common name ca. Click on Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign.

Click on Apply button and then click on Sign button. Sign window will appear now. Your newly created certificate name will appear in certificate dropdown menu. Select your newly created certificate template if it is not selected. Now in CA CRL Host field we put our router WAN address 192.168.137.2. Click sign button and our sign certificate is created.

Creating CA Certificate

 

Create Server Certificate: 

Now in this step, we will create our second certificate – Server certificate. Click + sign to add

Put a name server and common name server. Click on Key Usage tab and keep digital signaturekey encipherment and tls server ticked.

 Click on Apply button and then click on Sign button. Certificate: server and CA is CA certificate. Click sign button and our sign certificate is created. If T flag or trusted property doesn’t show any value, double click on it and tick this box for trusted value.

Creating Server Certificate

Create Client Certificate: 

Now in the final part, we will create client certificate. Click + sign to add

Put a name client and common name client. Click on Key Usage tab and keep only tls client ticked.

Click on Apply button and then click on Sign button. Certificate: client and CA is CA certificate. Click sign button and our sign certificate is created.

Client Certificate

Export CA and Client Certificates

After creating certificates, we will now export CA and client certificate so that OpenVPN client can use this certificate.

OpenVPN server will use server certificate from MikroTik RouterOS certificate store. But client certificate has to supply to the OpenVPN client. So, we need to export client certificate and CA certificate from RouterOS certificate store.

 

Double click on CA certificate. Click on export. This file now is now stored in mikrotik files section.

Now double click again. Click on export. From drop down, select client certificate. Now give a password. Password must be 8 character and this password has to provide when OpenVPN client needs to connect.

 

Click on export button and our client certificate and key file exported to mikrotik router file section.

Export CA and Client Certificates

Now we check from the file section. There you can see, we have exported two certificate file and one key file.

Drag and drop these files to desktop. We will use these files when we configure OpenVPN client

CA certificate downloaded file

 

OpenVPN server in Mikrotik Router:

After TLS certificate, we will now configure OpenVPN server in Mikrotik Router.

We go to PPP menu. On the interface tab, we click on OVPN server. Certificate-Server we will choose Server certificate and tick this box require client certificate. For Auth, we will use sha1. For cipher, we will choose aes256. Mikrotik router supports OpenVPN with TCP port 1194. Now tick this box to enable this service.

Configure OpenVPN Server

 

Now we have to create a user and password for remote user. To do this, we will go to secret tab.

Create OpenVPN user

Part 2 – OpenVPN Client Configuration in Windows Operating System:

Now to setup OpenVPN client, we need to download third party application as there is no OpenVPN client apps available on Windows operating system like L2TP or PPTP.

We go to the browser and type openvpn.net. Now from community download, we find our desired file. Download for windows 10 PC.

Now we will install it.

This application will help us to connect with OpenVPN server. Now we will enter the folder of OpenVPN application. Open the config folder. Now we will add certificate and key files in config folder.

We have to create a file with .ovpn extension. I copy and paste the templates to notepad file and save it as client.ovpn.

Download client.ovpn template: Click here to download

Now I will rename the file – ca, client, client.key.

We need one more file for the secret because we have put auth-user-pass file is secret. So our user and password authentication should be stored in a file called secret. We will make this secret file now. This username and password will be used to dial the VPN server.

ovpn

test

Save this as text file. Rename it and don’t give the extension.

OpenVPN file in Directory

 

Now right click on your icon tray from taskbar. Right click on OpenVPN. Click connect and it will ask to put your client certificate password that you have given during client certificate export.

OpenVPN client icon in system tray

 

Providing OpenVPN certificate password

After verifying Client Certificate Password as well as username and password, OpenVPN Client will be connected.

OpenVPN client connection status

 

If you follow until this, you will be able to access your remote office resources with OpenVPN client.

 

Spread the love

15 thoughts on “OpenVPN Configuration in Mikrotik Router for Remote User

  • July 16, 2021 at 1:45 am
    Permalink

    Could You please share interface setup (WAN, LAN)

    Reply
    • August 11, 2021 at 11:17 pm
      Permalink

      Interface setup is just like other setup we do to configure a router. I have WAN IP address which I got from my Internet provider and I choose ether1 port usually if I don’t have sfp port.

      And for LAN setup, I have used the same IP for remote VPN user and internal LAN user. LAN IP: 192.168.1.1 and interface ether5.

      Thanks

      Reply
  • September 23, 2021 at 11:21 pm
    Permalink

    Can you please share Mangle and queue limit for openvpn on mikrotik please?
    also how to route traffic betwen open vpn client and local network client with diferent ip thanks alot

    Reply
    • September 26, 2021 at 4:26 am
      Permalink

      Hi,

      You can limit queue based on openvpn remote user IP in simple queue just like we do to our local user. Better you keep a block of IP for your remote user from your /24 block. Suppose you assigned 192.168.1.0/24 to your LAN and you may assign 192.168.1.240/28 to your remote VPN user for queue limit purpose. LAN interface IP still 192.168.1.1/24.

      When remote user connects with VPN, he will access to local IP to your local office network and all the different reachable IP from local office.

      Thanks

      Reply
  • October 8, 2021 at 4:13 am
    Permalink

    Please help me

    I don’t have file ca.crt, i was export CA but in Files -> missing CA.crt

    How can i fix it?

    Reply
    • October 10, 2021 at 3:56 am
      Permalink

      Hi,

      In the Part-1, I shared the steps to create ca certificate. And later I shared the steps to export CA certificate. Then you must have ca.crt in MIkrotik files section.

      You may also follow youtube video that I have shared with post.

      Thanks.

      Reply
  • November 8, 2021 at 3:44 am
    Permalink

    Do I need to open TCP port 1194 on the Ruouter ISP?
    I need to create a nat rule on the MikroTik dst nat to tcp port 1194 and nat to 192.168.90.1, where 90.1 is a MikroTik?

    Reply
    • November 9, 2021 at 4:24 am
      Permalink

      Yes. You have to open TCP port 1194. But you don’t need DST-NAT rule. Your remote user will connect your router via OpenVPN and can access to your LAN network.

      Reply
      • November 11, 2021 at 11:40 am
        Permalink

        Another thing that’s not working for me …
        Can we talk by email? I wrote you!

        Please please…

        Greetings

        Reply
  • November 19, 2021 at 6:35 pm
    Permalink

    Followed your instructions. Wasn’t clear on importing the certificates into the client so I just imported the ovpn config file. It connects without the certificate…why?

    Reply
    • November 22, 2021 at 2:09 pm
      Permalink

      SOLVED! Further info…the classic OpenVPN client your article references is not available for download from openvpn.org. It has been replaced with OpenVPN Connect. As long as the .ovpn config file and certificates/keys are in the same directory, the certificates are automatically imported with the config file. HTH!

      Reply
  • November 22, 2021 at 5:07 am
    Permalink

    Why VPN assigned 192.168.1.2 and not 192.168.1.241 (remote ip in user configuration)?

    What I have to do for assigning dynamic ip to the clients?

    Reply
  • November 22, 2021 at 7:13 am
    Permalink

    I have a problem.
    My scenario is this
    Router Hex S in DMZ: the router leave pass all traffic to my routerboard that have 172.16.100.9 as Wan address. Lan is 172.16.2.0/24 and local address of routerboard is 172.16.2.1 (gateway of LAN) . I have a dhcp pool on LAN 172.16.2.2-172.16.2.9
    On Signing the CA I wrote 172.16.100.9 as CA CRL host (correct?)
    On ovpn file I wrote 172.16.100.9 as remote address and leave all the others parameters unchanged
    On Vpn User I wrote 172.16.2.99 as local address and 172.16.2.98 (even if I prefer separate)
    When I connect the client all seems to work fine, but when attempting to establish the client hang on Management : state 1637585549

    Any idea?

    Thank you

    Reply
    • November 22, 2021 at 7:51 am
      Permalink

      Now it works. The error was so stupid…on ovpn file I had to write the public IP.
      On local address I put 172.16.2.5 (free ip of my LAN) and on remote 172.16.100.9 (the internal interface of Microtik router that is on DMZ)

      Reply
  • December 29, 2021 at 9:43 pm
    Permalink

    How can we create a pool of IP’s instead of one for each user.
    Happy to block out 5 IPs for the Pool.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *