MikroTik (RouterOS) script for setup OpenVPN server and generate certificates

OpenVPN Server and certificate management on MikroTik

Setup OpenVPN server and generate certificates

# Setup OpenVPN Server and generate certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global COUNTRY "UA"
:global STATE "KV"
:global LOC "Kyiv"
:global ORG "My organization"
:global OU ""
:global KEYSIZE "2048"

## functions
:global waitSec do={:return ($KEYSIZE * 10 / 1024)}

## generate a CA certificate
/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

## generate a server certificate
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

## create a client template
/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="client" \
  key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

## create IP pool
/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224

## add VPN profile
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
  remote-address=VPN-POOL use-encryption=yes

## setup OpenVPN server
## (RouterOS 6 OpenVPN is TCP only; "auth" is the HMAC used for packet
## authentication and the ciphers are the CBC modes RouterOS 6 offers)
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
  default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes

## add a firewall rule
## NOTE: the rule is appended to the end of the input chain. The default
## configuration ends that chain with a rule dropping all input not coming
## from the LAN, so move this rule above it or it will never match.
/ip firewall filter
add chain=input dst-port=1194 protocol=tcp action=accept comment="Allow OpenVPN"

Add a new user

# Add a new user and generate/export certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

## add a user
/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn

## generate a client certificate
/certificate
add name=client-template-to-issue copy-from="client-template" \
  common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

## export the CA certificate (an empty passphrase exports the certificate
## only, never the CA private key) and the client certificate together with
## its private key, encrypted with the PPP password. RouterOS requires an
## export passphrase of at least 8 characters, so the PPP password must be
## at least that long.
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

Setup OpenVPN client

  1. Copy the exported certificates from the MikroTik

    sftp admin@MikroTik_IP:cert_export_*

    Alternatively, download them from the web interface under WebFig > Files.

  2. Create the user.auth file

    The file user.auth holds your username/password combination: the username on the first line and the password on the second.

    user
    password
    
  3. Create an OpenVPN config named USERNAME.ovpn:

    client
    dev tun
    # the RouterOS 6 OpenVPN server speaks TCP only
    proto tcp-client
    remote MikroTik_IP 1194
    nobind
    persist-key
    persist-tun
    # cipher and auth must match what the server was configured with
    # (cipher=aes128,aes192,aes256 and auth=sha1 in the setup script)
    cipher AES-256-CBC
    auth SHA1
    # require the server certificate to carry the tls-server key usage the
    # setup script gives it; without this, any certificate signed by the CA
    # (including another client's) would be accepted as the server
    remote-cert-tls server
    pull
    verb 2
    mute 3
    
    # Create a file 'user.auth' with a username and a password
    #
    # cat << EOF > user.auth
    # user
    # password
    # EOF
    auth-user-pass user.auth
    
    # Copy the certificates from MikroTik and change
    # the filenames below if needed
    ca cert_export_MikroTik.crt
    cert cert_export_user@MikroTik.crt
    key cert_export_user@MikroTik.key
    
    # Add routes to networks behind MikroTik
    #route 192.168.10.0 255.255.255.0
  4. Try to connect

    sudo openvpn USERNAME.ovpn
    

Decrypt the private key to avoid the passphrase prompt

openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key

This overwrites the encrypted key with an unencrypted copy, so keep the file readable only by the user running OpenVPN (chmod 600). If you would rather keep the key encrypted, leave it as exported and add "askpass" to the .ovpn file so OpenVPN asks for the passphrase at startup.
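Before the exported files go into the .ovpn (steps 1 to 3 above) and before the key is decrypted as shown here, it is worth confirming that the bundle is what you expect. The bash script below is an added example, not part of the gist: it checks that the client certificate chains to the exported CA, that the encrypted key decrypts with the export passphrase and belongs to that certificate, and that the certificate carries the clientAuth key usage; it also prints the CA fingerprint for comparison with the router and decrypts the key into a new 0600 file instead of overwriting it. Function names are the example's own, and the make_fixture helper builds constructed test material with openssl in place of real cert_export_* files.

```shell
#!/usr/bin/env bash
# Added example, not part of the original gist: check the exported bundle
# (CA cert, client cert, passphrase-protected key) before it goes into the
# .ovpn, and decrypt the key into a new 0600 file instead of in place.
# Function names are this example's own. make_fixture builds a constructed
# stand-in for the real cert_export_* files so the script runs offline.
set -eu

# verify_bundle CA CERT KEY PASSPHRASE
# Prints "ok" and returns 0 only if CERT chains to CA, KEY decrypts with
# PASSPHRASE and belongs to CERT, and CERT carries the clientAuth extended
# key usage (what key-usage=tls-client in the setup script requests).
verify_bundle() {
  local ca=$1 cert=$2 key=$3 pass=$4 cert_pub key_pub
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the CA"; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) \
    || { echo "wrong passphrase or unreadable key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match the certificate"; return 1; }
  openssl x509 -in "$cert" -noout -text \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "certificate lacks the clientAuth extended key usage"; return 1; }
  echo ok
}

# ca_fingerprint CA -> SHA-256 fingerprint, lowercase hex without colons,
# to compare out of band with the CA shown by "/certificate print detail"
# on the router before trusting a file that arrived over the network.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# decrypt_key ENC_KEY PASSPHRASE OUT
# Writes the unencrypted key to a new file created with mode 0600; the
# encrypted original is left untouched.
decrypt_key() {
  ( umask 077; openssl pkey -in "$1" -passin "pass:$2" -out "$3" )
}

# make_fixture DIR PASSPHRASE
# Constructed test data: CA "MikroTik", client cert "user@MikroTik" with the
# clientAuth EKU, and the client key encrypted with PASSPHRASE.
make_fixture() {
  local d=$1 pass=$2
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' \
    > "$d/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/ca.csr" -subj /CN=MikroTik 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.plain" \
    -out "$d/client.csr" -subj /CN=user@MikroTik 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 3650 -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
  openssl pkey -in "$d/client.plain" -aes256 -passout "pass:$pass" -out "$d/client.key"
  rm -f "$d/client.plain" "$d/ca.csr" "$d/client.csr"
}

# Usage: check.sh CA.crt CLIENT.crt CLIENT.key PASSPHRASE
# With no arguments it runs against the constructed fixture.
if [ "$#" -eq 4 ]; then
  verify_bundle "$@"
  echo "CA SHA-256 fingerprint: $(ca_fingerprint "$1")"
elif [ "$#" -eq 0 ]; then
  work=$(mktemp -d)
  make_fixture "$work" password
  verify_bundle "$work/ca.crt" "$work/client.crt" "$work/client.key" password
  echo "CA SHA-256 fingerprint: $(ca_fingerprint "$work/ca.crt")"
  rm -rf "$work"
fi
```

Run it with the four exported filenames and the passphrase; with no arguments it exercises the constructed fixture. Comparing the printed CA fingerprint against the one the router shows is what protects against a CA file swapped while it was in transit, which a successful chain check alone cannot detect.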

Delete a user and revoke their certificate

# Delete a user and revoke their certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"

## delete a user
/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]

## revoke a client certificate
## Revocation only takes effect if the router consults its own CRL when
## validating client certificates: check "/certificate settings print"
## for crl-use=yes, then confirm the user can no longer connect with the
## old certificate.
/certificate
issued-revoke [find name="$USERNAME@$CN"]

Revert OpenVPN server configuration on MikroTik

# Revert OpenVPN configuration
#
# Dependents are removed first (server before profile, secrets before
# profile, profile before pool) so nothing is still referenced when it
# is deleted.

## disable the OpenVPN server and detach the certificate and profile
/interface ovpn-server server
set enabled=no certificate=none default-profile=default

## remove all users of the profile
/ppp secret
remove [find profile=VPN-PROFILE]

/ppp profile
remove [find name=VPN-PROFILE]

/ip pool
remove [find name=VPN-POOL]

/ip firewall filter
remove [find comment="Allow OpenVPN"]

/certificate
## delete the certificates manually (list them with /certificate print)
bryanm92s commented Aug 26, 2016

WARNING: Bad encapsulated packet length from peer (21331), which must be > 0 and <= 1562 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link --

Help me.
Thanks.

christiannageby commented Jan 31, 2018

This doesn't work. And when I tried to run the reset script, the router disabled DHCP.

SmartFinn commented Feb 5, 2018

@christiannageby I tried this script on RouterOS 6.41.1 works as expected.

SmartFinn commented Feb 5, 2018

@christiannageby oh, I see an error in the revert script. Fixed now. Thanks for the report.

malikshi commented Feb 6, 2018

Can you help me? Why is it giving this error?
Tue Feb 06 18:25:36 2018 TAP-WIN32 device [Ethernet 6] opened: \.\Global{E5A23A94-1200-41D8-9971-AE595A85C6F6}.tap
Tue Feb 06 18:25:36 2018 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.252.0/192.168.252.254/255.255.255.0 [SUCCEEDED]
Tue Feb 06 18:25:36 2018 ERROR: There is a clash between the --ifconfig local address and the internal DHCP server address -- both are set to 192.168.252.254 -- please use the --ip-win32 dynamic option to choose a different free address from the --ifconfig subnet for the internal DHCP server
Tue Feb 06 18:25:36 2018 Exiting due to fatal error

SmartFinn commented Feb 9, 2018

@malikshi I faced this problem too. I don't know why, but the Windows DHCP client doesn't like an IP address that ends in .254. To fix that, change the VPN-POOL using the following command:

/ip pool
set VPN-POOL ranges=192.168.252.2-192.168.252.224
ctrlaltca commented Apr 4, 2018

A couple of notes that could help others:

  • in the IP -> Firewall section I had to move the "Allow OpenVPN" rule up to position 3, just before the built-in "drop input" rule;
  • in the PPP -> OVPN Server section I had to change "Mode" from "ethernet" to "ip".
flaviostutz commented May 20, 2018

Just applied the entire script on a remote RB2011 and it worked flawlessly!

idenkov commented Jul 28, 2018

I tried your scripts and they work like a charm, but I have a problem.
Clients are connecting, but they do not get the router IP; they keep the ones they have.
I think it has to do with routes, but I am not sure what I should look for.

kerkybon commented Aug 4, 2018

Revision :)

/ppp secrets
remove [find profile=VPN-PROFILE]

/ppp secret
remove [find profile=VPN-PROFILE]

SmartFinn commented Aug 5, 2018

@kerkybon thanks for pointing this out. It's fixed now.

athbot commented Sep 4, 2018

Hello, I've been testing your script but I had many errors implementing it on my MikroTik. Before I get more specific about my errors, I would like to ask about your base configuration before applying the script. Is it the default out-of-the-box configuration? Do you change anything specific before applying the script? If you do, what are those changes, and could you link your base config if it's different from the default out-of-the-box config? I'll keep testing and wait for an answer. Thanks in advance!!!

SmartFinn commented Sep 4, 2018

@athbot this script works perfectly with the default configuration and with no configuration. You should understand that this script can conflict with your setup because a lot of names and IPs are hardcoded. It is necessary to check whether there are conflicts before applying this config.

In addition, it is possible that there are no conflicts but the sign command takes longer than the delay calculated by waitSec; as a result, you will get errors when executing subsequent commands. In this case, try to increase the delay by changing the line to :global waitSec do={:return ($KEYSIZE * 20 / 1024)}

athbot commented Sep 4, 2018

@SmartFinn since your response I have been able to successfully apply the configuration without errors, based on what you told me, by using the default out-of-the-box config, and I have managed to connect to it, but I am unable to access anything behind the MikroTik, only 192.168.88.1 and 192.168.252.1, nothing else. I tried adding "redirect-gateway def1" and "route 192.168.88.0 255.255.255.0 192.168.252.2" to the .ovpn file but had no luck again. Is there anything I can change in order to test it more?

SmartFinn commented Sep 5, 2018

@athbot see this fork: bondarenkod/ovpn-server-with-certs.md. I haven't tried to set up a VPN with internet access yet.

purna89 commented Sep 16, 2018

It's working, thank you so much :)

bricktopm commented Sep 26, 2018

Hello, it's very good, and working fine on Windows PCs.
But I can't use it on the iOS 12 OpenVPN client.
Help me please, how can I generate crt and key files for iOS devices?
