This guide shows how to configure OpenVPN on a MikroTik router so that a remote user can log in to the head office VPN server and work from a remote location. OpenVPN is a type of VPN service, like PPTP, L2TP and SSTP.
OpenVPN can be used for site-to-site VPN and can also be configured in a VPN server-client model, where a remote user accesses the head office network by connecting to the VPN server. OpenVPN has complete security features, so it is safer than other types of VPN.
In this tutorial, we will set up the OpenVPN server-client model, where a remote user connects to the head office network using OpenVPN client software on a Windows PC. For PPTP and L2TP there are built-in VPN clients available on Windows, but for OpenVPN we have to use a third-party application.
Part 1 – OpenVPN Server Configuration in MikroTik Router:
OpenVPN server and client configuration requires SSL certificates for secure communication. MikroTik RouterOS version 6 and above can create, store and manage certificates in its certificate store, so we will create the OpenVPN certificates on RouterOS. We need three types of certificates for OpenVPN server and client configuration:
- CA (Certification Authority) certificate
- Server certificate
- Client certificate
Create CA Certificate:
First we will create the CA certificate. Go to System > Certificates.
Click the + sign to add a certificate.
Enter the name ca and the common name ca. Click the Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign.
Click the Apply button and then click the Sign button. The Sign window will now appear. Your newly created certificate will appear in the Certificate dropdown menu; select it if it is not already selected. In the CA CRL Host field, enter the router WAN address, 192.168.137.2. Click the Sign button and the signed certificate is created.
Create Server Certificate:
In this step, we will create our second certificate, the server certificate. Click the + sign to add a certificate.
Enter the name server and the common name server. Click the Key Usage tab and keep digital signature, key encipherment and tls server ticked.
Click the Apply button and then click the Sign button. In the Sign window, set Certificate to server and CA to the CA certificate. Click the Sign button and the signed certificate is created. If the T flag (the trusted property) is not shown, double-click the certificate and tick the box for the trusted value.
Create Client Certificate:
In the final part, we will create the client certificate. Click the + sign to add a certificate.
Enter the name client and the common name client. Click the Key Usage tab and keep only tls client ticked.
Click the Apply button and then click the Sign button. In the Sign window, set Certificate to client and CA to the CA certificate. Click the Sign button and the signed certificate is created.
Export CA and Client Certificates
After creating the certificates, we will export the CA and client certificates so that the OpenVPN client can use them.
The OpenVPN server will use the server certificate from the MikroTik RouterOS certificate store, but the client certificate has to be supplied to the OpenVPN client. So, we need to export the client certificate and the CA certificate from the RouterOS certificate store.
Double-click the CA certificate and click Export. The file is now stored in the MikroTik Files section.
Now double-click again and click Export. From the dropdown, select the client certificate. Now enter a password. The password must be 8 characters, and it has to be provided when the OpenVPN client connects.
Click the Export button, and the client certificate and key file are exported to the MikroTik router's Files section.
Now check the Files section. There you can see that we have exported two certificate files and one key file.
Drag and drop these files to the desktop. We will use them when we configure the OpenVPN client.
OpenVPN server in MikroTik Router:
With the TLS certificates in place, we will now configure the OpenVPN server on the MikroTik router.
Go to the PPP menu. On the Interface tab, click OVPN Server. For Certificate, choose the server certificate and tick the Require Client Certificate box. For Auth, we will use sha1. For Cipher, we will choose aes256. The MikroTik router supports OpenVPN on TCP port 1194. Now tick the box that enables this service.
Next we have to create a username and password for the remote user. To do this, go to the Secrets tab.
Part 2 – OpenVPN Client Configuration in Windows Operating System:
To set up the OpenVPN client, we need to download a third-party application, because Windows has no built-in OpenVPN client as it does for L2TP or PPTP.
Open a browser and go to openvpn.net. Under community downloads, find the required file and download the installer for a Windows 10 PC.
Now we will install it.
This application will connect us to the OpenVPN server. Open the OpenVPN application folder, then open the config folder. We will add the certificate and key files to this config folder.
We have to create a file with the .ovpn extension. I copy and paste the template into a Notepad file and save it as client.ovpn.
Now I will rename the files: ca, client, client.key.
We need one more file, named secret, because in client.ovpn we have set the auth-user-pass file to secret. So the username and password used for authentication must be stored in a file called secret. We will create this secret file now. This username and password will be used to dial the VPN server.
Save it as a text file, then rename it so that it has no extension.
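A client.ovpn consistent with the server settings from Part 1, given here as an added example; it is not the template the original page linked to. The file names ca.crt, client.crt and client.key, and the placement of all files directly in the config folder, are assumptions.

```conf
# client.ovpn - added example, not the original page's template.
client
dev tun

# The MikroTik OVPN server in this guide listens on TCP port 1194;
# 192.168.137.2 is the router WAN address used in Part 1.
proto tcp-client
remote 192.168.137.2 1194
nobind
persist-key
persist-tun

# Files exported from the router and copied into the config folder.
# File names are assumptions. client.key is encrypted with the export
# password, which the client asks for when connecting.
ca ca.crt
cert client.crt
key client.key

# Accept the server only if its certificate carries TLS server usage,
# as set on the server certificate's Key Usage tab.
remote-cert-tls server

# Must match Auth (sha1) and Cipher (aes256) on the OVPN server.
auth SHA1
cipher AES-256-CBC

# Read the PPP credentials from the file named "secret":
#   line 1: username from the PPP secret
#   line 2: password from the PPP secret
auth-user-pass secret

verb 3
```

Because the secret file holds the PPP password in clear text, restrict its NTFS permissions to the user account that runs the OpenVPN client.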
Now right-click the OpenVPN icon in the taskbar tray. Click Connect, and it will ask for the client certificate password that you set during the client certificate export.
After the client certificate password and the username and password are verified, the OpenVPN client will be connected.
If you have followed the steps up to this point, you will be able to access your remote office resources with the OpenVPN client.