OpenVPN Installation on Router

This article will help you learn how to install and configure OpenVPN on a router, using the MikroTik router as an example.

The configuration of OpenVPN on the MikroTik consists of five stages:

  1. Router preparation.
  2. Keys and certificates generation.
  3. OpenVPN server installation.
  4. OpenVPN client installation on Mikrotik router.
  5. OpenVPN client installation on PC.

Router Preparation

  1. Set the time on Mikrotik so that there is no time discrepancy between the client and the server.

    In order to set the correct time zone value and disable its automatic detection, open the MikroTik configuration panel (command line) and enter:

    /system clock

    set time-zone-autodetect=no time-zone-name=Europe/Amsterdam

    The time-zone-name option parameter should be the name of your time zone according to tz database.

  2. Then install the NTP package. To do this, download the Extra packages archive for your architecture and version of RouterOS from the official website. After installing it, enable the NTP client:
    /system ntp client

    set enabled=yes primary-ntp=185.209.85.222 secondary-ntp=37.139.41.250

    Please note that you should specify the IP addresses of the servers rather than their domain names. Keep in mind that pool.ntp.org addresses point to servers randomly selected from the pool, which change every hour, so the addresses you receive may differ from those indicated.

  3. Additionally, download the OpenVPN configuration file (client01-tcp.ovpn) from the provided link: http://server_IP:port/xxxxxxxxxx/. You should have received this link via email after activating the service.
  4. You can also find VPN access information in your client area.
    1. In your client area, find the VPN Servers tab.
    2. Click Manage.
    3. In the Access section, find the WireGuard settings.
    4. Download access information there.

Keys and Certificates Generation

  1. To create a new certificate authority (CA) root certificate, enter the following in the console, supplying your own organization details:
    /certificate

    add name=ca country="NL" state="31" locality="BEL" organization="Interface LLC" unit="IT" common-name="ca" key-size=2048 days-valid=3650 key-usage=crl-sign,key-cert-sign

    sign ca ca-crl-host=127.0.0.1
  2. To create a server certificate and private key, run the following command in the console:
    /certificate

    add name=ovpn-server country="NL" state="31" locality="BEL" organization="Interface LLC" unit="IT" common-name="ovpn-server" key-size=2048 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server

    sign ovpn-server ca="ca"
  3. To create client certificates, enter:
    /certificate

    add name=mikrotik country="NL" state="31" locality="BEL" organization="Interface LLC" unit="IT" common-name="mikrotik" key-size=2048 days-valid=365 key-usage=tls-client

    sign mikrotik ca="ca"
  4. For use on the client, export the client's private key and certificate, as well as the root certificate of the CA. The most convenient way to do this is to use the PKCS12 format, which contains all the necessary components (certificate, key, and CA certificate) in one file. To do this, enter:
    /certificate

    export-certificate mikrotik type=pkcs12 export-passphrase=12345678

OpenVPN Server Installation

  1. In order to create a pool of addresses for issuing OpenVPN clients, enter:
    /ip pool

    add name=ovpn_pool0 ranges=10.8.8.100-10.8.8.199
  2. Create a new profile:
    /ppp profile

    add local-address=10.8.8.1 name=ovpn remote-address=ovpn_pool0
  3. To enable user authentication, enter:
    /ppp aaa

    set accounting=yes
  4. To create an account, enter:
    /ppp secret

    add name=mikrotik password=123 profile=ovpn service=ovpn
    In this case, an entry is created for the mikrotik user with the password 123. These are example values; set a strong password of your own.
  5. To configure the VPN server further, run the following commands:
    /interface ovpn-server server

    set auth=sha1 certificate=ovpn-server cipher=aes256 default-profile=ovpn enabled=yes require-client-certificate=yes
    /ip firewall filter

    add action=accept chain=input dst-port=1194 protocol=tcp

This completes the configuration of the OpenVPN server based on the Mikrotik router.

OpenVPN Client Installation On Mikrotik Router

To set up OpenVPN on a Mikrotik router, follow these steps:

  1. Load the certificate file in PKCS12 format onto the device. To do this, run the following in the console:
    /certificate

    import file-name=mikrotik.p12 passphrase=12345678
  2. To create a new OVPN Client interface and set the required parameters, enter:
    /interface ovpn-client

    add certificate=mikrotik.p12_0 cipher=aes256 connect-to=192.168.3.115 name=ovpn-out1 password=123 user=mikrotik
    If everything was done correctly, then the connection is established as soon as you create the interface.
  3. In order for network clients behind the client to have access to the network behind the server and vice versa, configure routing. To set up routing, run the command:
    /ip route

    add distance=1 dst-address=192.168.186.0/24 gateway=ovpn-out1
  4. In order for the route not to "break" when the client is disconnected, create a permanent interface for this client on the server:
    /interface ovpn-server

    add name=ovpn-mikrotik user=mikrotik
  5. To add a route to the network behind the client on the server, enter:
    /ip route

    add distance=1 dst-address=192.168.111.0/24 gateway=ovpn-mikrotik
    Check the connection. Nodes on the different networks should now be able to see each other.

OpenVPN Client Installation on PC

  1. Place the certificate file in PKCS12 format in the directory for storing keys. Also create a credentials file, C:\OpenVPN\auth.cfg, and put the login and password in it on separate lines:
    win10

    123
  2. Create a file C:\OpenVPN\keypass.cfg in which you can place the passphrase for the certificate:
    12345678
  3. In the client configuration file, specify that this is a client, the tunnel type is tun, and the protocol is tcp:
    client

    dev tun

    proto tcp
  4. Specify server address and port:
    remote 192.168.3.115 1194
  5. Make sure you have the options:
    persist-key

    persist-tun
  6. Find the block with paths to keys and certificates:
    ca ca.crt

    cert client.crt

    key client.key
  7. Replace that entire block with the path to the certificate file in PKCS12 format, and indicate where to get the credentials for additional authentication and the passphrase:
    pkcs12 C:\\OpenVPN\\keys\\win10.p12

    auth-user-pass C:\\OpenVPN\\auth.cfg

    askpass C:\\OpenVPN\\keypass.cfg
  8. Check that the remote-cert-tls server option is present, and comment out the tls-auth option:
    remote-cert-tls server

    #tls-auth ta.key 1
  9. Add a route to the network behind the server, specify the cipher we chose on the server, and disable compression:
    route 192.168.186.0 255.255.255.0 10.8.8.1

    cipher AES-256-CBC

    #comp-lzo

Now try to connect. If everything is done correctly, the client connects to the server and the network resources behind the server are available to it. There is no need to make any additional settings on the server.
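
An added example, not part of the original article: a short Python check that the client file assembled in steps 3 to 9 agrees with the server line from the OpenVPN Server Installation section before you try to connect. The function names and the RouterOS-to-OpenVPN cipher name mapping are assumptions of this example.

```python
# RouterOS v6 cipher names and their OpenVPN equivalents (mapping assumed here).
ROS_CIPHERS = {"aes128": "AES-128-CBC", "aes192": "AES-192-CBC",
               "aes256": "AES-256-CBC", "blowfish128": "BF-CBC"}

def parse_ros_set(line):
    """Turn a RouterOS 'set key=value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def parse_ovpn(text):
    """Map each active directive to its arguments; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def check_client(ovpn_text, server_set, server_port="1194"):
    """Return the mismatches between a client file and the server settings."""
    srv, cli, issues = parse_ros_set(server_set), parse_ovpn(ovpn_text), []
    want = ROS_CIPHERS.get(srv.get("cipher"), "(unknown RouterOS cipher)")
    for name, args in (("proto", ["tcp"]), ("remote-cert-tls", ["server"]), ("cipher", [want])):
        if cli.get(name) != args:
            issues.append("%s should be %s" % (name, " ".join(args)))
    remote = cli.get("remote", [])
    if not remote or (remote[1:2] or ["1194"]) != [server_port]:  # OpenVPN default port is 1194
        issues.append("remote is missing or its port is not " + server_port)
    if srv.get("require-client-certificate") == "yes" and "pkcs12" not in cli:
        issues.append("client certificate required but pkcs12 is missing")
    if "auth-user-pass" not in cli:
        issues.append("auth-user-pass is missing")
    if "comp-lzo" in cli:
        issues.append("comp-lzo is enabled")
    return issues

# Constructed inputs: the server line and the client file as given in this article.
SERVER_SET = ("set auth=sha1 certificate=ovpn-server cipher=aes256 "
              "default-profile=ovpn enabled=yes require-client-certificate=yes")
CLIENT_OVPN = "\n".join([
    "client", "dev tun", "proto tcp", "remote 192.168.3.115 1194",
    "persist-key", "persist-tun", r"pkcs12 C:\\OpenVPN\\keys\\win10.p12",
    r"auth-user-pass C:\\OpenVPN\\auth.cfg", r"askpass C:\\OpenVPN\\keypass.cfg",
    "remote-cert-tls server", "#tls-auth ta.key 1",
    "route 192.168.186.0 255.255.255.0 10.8.8.1", "cipher AES-256-CBC", "#comp-lzo",
])
if __name__ == "__main__":
    print(check_client(CLIENT_OVPN, SERVER_SET) or "client matches server")
```

An empty list means the client file is consistent with the server line; each string in a non-empty list names one directive to correct.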

