@AndersonIncorp
Last active March 5, 2022 22:54
Short guide for setting up a MikroTik OVPN (OpenVPN) server with its own CA, per-client certificates and username/password, all from WinBox/WebFig menus

CA cert

> System > Certificates
    > [Add new]
        Name: ca
        Country: UA
        Common name: ca
        Key size: 4096
        Days Valid: 3650 # default is 365; when the CA expires every client stops connecting at once
        Key Usage: key cert. sign, crl sign # crl sign is needed later if you want to revoke a client cert
    > [Apply]
    > [Sign]
        Certificate: ca
        > [Start]
        > Wait for done, press [Close]

Server ovpn cert

> System > Certificates
    > [Add new]
        Name: ovpn-server
        Country: UA
        Common name: ovpn-server
        Key size: 4096
        Days Valid: 3650 # default is 365; renew before it runs out
        Key Usage: digital signature, key encipherment, tls server # 'tls server' is what the client's 'remote-cert-tls server' checks
    > [Apply]
    > [Sign]
        Certificate: ovpn-server
        CA: ca
        > [Start]
        > Wait for done, press [Close]

Server ovpn address pool and profile

> IP > Pool
    > [Add New]
        Name: ovpn
        Addresses: 10.8.8.10-10.8.8.254
        > [OK]
> PPP > Profiles
    > [Add New]
        Name: ovpn
        Local Address: 10.8.8.1 # the router's end of every tunnel
        Remote Address: ovpn # the pool above; each client gets one address from it
        > [OK]

Server ovpn enable

> PPP > Interface
    > [OVPN Server]
        Enabled: [X]
        Default Profile: ovpn
        Certificate: ovpn-server
        Require Client Certificate: [X] # a client must present a cert signed by the same CA as ovpn-server, not just a username/password
        Auth.: sha1 # RouterOS 6 offers only md5/sha1; RouterOS 7 adds sha256/sha512, prefer those and use the same value in the client config
        Cipher: aes 256 # RouterOS 7 also offers AES-GCM; whatever you pick here must match 'cipher' in the .ovpn file
        > [OK]

Server ovpn firewall

> IP > Firewall > Filter Rules
    > [Add new]
        Chain: input
        Protocol: tcp
        Dst. Port: 1194
        Action: Accept
        Comment: admin: accept OVPN
        > [OK]
> Drag rule below rule 'defconf: accept ICMP'. It has to end up above 'defconf: drop all not coming from LAN'; below that rule the connection from the Internet is dropped before the OVPN server sees it.
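The server-side steps above as RouterOS terminal commands, added here as an example and not part of the original gist. It assumes RouterOS 6.x or an early 7.x release where the OVPN server is a single instance configured with `/interface ovpn-server server set`, and the stock default firewall with its 'defconf: drop all not coming from LAN' rule, which the new accept rule is placed before (on a router without that rule the `find` returns nothing and the last `add` fails). Names, country and addresses are the gist's own; the 10-year validity and the crl-sign usage are additions.

```routeros
# Added example, not from the original gist: server side of the guide as RouterOS
# terminal commands. Assumes RouterOS 6.x / early 7.x single-instance OVPN server
# syntax and the default firewall rule set.

# CA: sign-only key usage, 10-year validity (RouterOS defaults to 365 days, and an
# expired CA breaks every client at once)
/certificate add name=ca common-name=ca country=UA key-size=4096 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
/certificate sign ca

# Server certificate: the tls-server usage is what 'remote-cert-tls server'
# checks on the client side
/certificate add name=ovpn-server common-name=ovpn-server country=UA key-size=4096 \
    days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign ovpn-server ca=ca

# Address pool and the PPP profile handed to connecting clients
/ip pool add name=ovpn ranges=10.8.8.10-10.8.8.254
/ppp profile add name=ovpn local-address=10.8.8.1 remote-address=ovpn

# OVPN server. auth/cipher use the RouterOS 6 value names matching the WinBox
# choices in the guide (sha1 / aes256). RouterOS 7 spells the ciphers
# aes256-cbc / aes256-gcm and adds sha256 / sha512; prefer those there and
# put the same values in the client's .ovpn.
/interface ovpn-server server set enabled=yes default-profile=ovpn \
    certificate=ovpn-server require-client-certificate=yes auth=sha1 cipher=aes256

# Accept OVPN on the input chain, placed above the default 'drop all not coming
# from LAN' rule (the CLI equivalent of dragging it below 'defconf: accept ICMP')
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept \
    comment="admin: accept OVPN" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Check: ca and ovpn-server should carry flag K (private key present) and the
# listener should read enabled=yes
/certificate print
/interface ovpn-server server print
```

The `\` at the end of a line is the RouterOS terminal's line continuation; the commands can equally be pasted as single lines.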

client1 setup, repeat for each client
But you can use one cert for multiple clients. Keep in mind that a shared cert means one leaked copy exposes every client using it, and you cannot revoke a single client without reissuing the rest; one cert per client is the safer default.

> System > Certificates
    > [Add new]
        Name: client1
        Country: UA
        Common name: client1
        Key size: 4096
        Key Usage: tls client
    > [Apply]
    > [Sign]
        Certificate: client1
        CA: ca
        > [Start]
        > Wait for done, press [Close]
> PPP > Secrets
    > [Add new]
        Name: client1
        Password: client1password # use a long random password, not a name; it ends up in cleartext in the client's .ovpn file
        Service: ovpn
        Profile: ovpn
        > [OK]
> PPP > Interface
    > [Add New > OVPN Server Binding]
        Name: ovpn-client1
        User: client1
        > [OK]
> System > Certificates > client1
    > [Export]
        Certificate: client1
        Type: PKCS12
        Export Passphrase: 1234567890 # Required, otherwise only the certificate is exported and no private key; pick a real passphrase, this bundle holds the client's private key
        File Name: client1
        > [Export]
> Files
    > File name: client1.p12 [Download]
    > Then remove client1.p12 from Files: it contains the client's private key and has no business staying on the router
> On local machine, convert p12 to txt (it prompts for the export passphrase; -nodes writes the private key unencrypted, so keep client1.txt out of shared folders and delete it once the .ovpn is assembled)
    $ openssl pkcs12 -in client1.p12 -out client1.txt -nodes
    client1.txt holds three PEM blocks, each preceded by its subject line: the CA cert, the client cert and the client private key
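The per-client steps as RouterOS terminal commands, an added example rather than the gist's own text. It assumes the CA, profile and server from the server steps already exist, and that client1.p12 is downloaded (WinBox Files, or scp/sftp from the admin host if SSH is enabled on the router) before it is removed; the password and passphrase values are placeholders, not real values from the page.

```routeros
# Added example, not from the original gist: provisioning one client ('client1')
# as RouterOS terminal commands. Assumes ca, the ovpn profile and the OVPN server
# already exist. The password and passphrase are placeholders: replace them with
# long random values before use.

# One certificate per client; a certificate shared by several clients cannot be
# revoked for just one of them
/certificate add name=client1 common-name=client1 country=UA key-size=4096 \
    days-valid=3650 key-usage=tls-client
/certificate sign client1 ca=ca

# PPP secret (the username/password the client sends in <auth-user-pass>) and a
# static binding so the client always shows up as interface ovpn-client1
/ppp secret add name=client1 password="REPLACE-WITH-LONG-RANDOM-PASSWORD" \
    service=ovpn profile=ovpn
/interface ovpn-server add name=ovpn-client1 user=client1

# Export cert + private key as PKCS#12. The passphrase is mandatory: without it
# RouterOS exports the certificate only. The CA cert is included in the bundle,
# which is why client1.txt later contains it too.
/certificate export-certificate client1 type=pkcs12 \
    export-passphrase="REPLACE-WITH-EXPORT-PASSPHRASE" file-name=client1

# Download client1.p12 now (WinBox Files, or scp/sftp), then remove it from the
# router: it holds the client's private key.
/file remove client1.p12

# Check: flag K (private key) and key-usage=tls-client on the client cert, and
# the binding present under /interface ovpn-server
/certificate print detail where name=client1
/interface ovpn-server print
```

Everything before `/file remove` can be repeated with a different name for each further client; only the secret and the binding need to be unique per user.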

client1 setup, ovpn file template
suggestion: upload client1-tcp.ovpn file back to Files on mikrotik for storage. Remember it carries the client's private key and password in cleartext, so anyone who can read the router's Files can connect as client1; only do this if you treat the router's file store as a credential store, and remove it when the client is retired.

client1-tcp.ovpn
-
client
dev tun
# RouterOS 6 OVPN server is TCP only; UDP arrived with RouterOS 7
proto tcp
remote fqdn1.example 1194
# literal address as fallback when DNS is unavailable
remote 203.0.113.2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# only accept a server cert that carries the 'tls server' usage, so another
# client cert signed by the same CA cannot pose as the server
remote-cert-tls server
verb 2
# must match Auth. on the server
auth SHA1
# must match Cipher on the server. OpenVPN 2.5+ warns that 'cipher' is deprecated;
# 'data-ciphers-fallback AES-256-CBC' is the current spelling for a server that
# does not negotiate ciphers
cipher AES-256-CBC
tls-exit
push-peer-info
# no periodic TLS renegotiation; the RouterOS OVPN server does not renegotiate,
# so a rekey would drop the tunnel. Trade-off: the session keys never rotate.
reneg-sec 0
# full tunnel: all client traffic goes through the router, which needs a srcnat
# masquerade covering 10.8.8.0/24 (the defconf masquerade on the WAN list covers it)
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
# replace this line with the CERTIFICATE block from client1.txt that follows subject=/C=UA/CN=ca
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
# replace this line with the CERTIFICATE block from client1.txt that follows subject=/C=UA/CN=client1
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
# replace this line with the PRIVATE KEY block from client1.txt
-----END PRIVATE KEY-----
</key>
# the PPP secret from above, stored in cleartext in this file
<auth-user-pass>
client1
client1password
</auth-user-pass>