@SmartFinn
Last active September 4, 2024 17:07
MikroTik (RouterOS) script for setup OpenVPN server and generate certificates

OpenVPN Server and certificate management on MikroTik

Contents

Setup OpenVPN server and generate certificates

# Setup OpenVPN Server and generate certs
#
# Change variables below if needed then copy the whole script
# and paste into MikroTik terminal window.
#

:global CN [/system identity get name]
:global PORT 1194

## generate a CA certificate
/certificate
add name=ca-template common-name="$CN" days-valid=3650 \
  key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay 10

## generate a server certificate
/certificate
add name=server-template common-name="server@$CN" days-valid=3650 \
  key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay 10

## create a client template
/certificate
add name=client-template common-name="client" days-valid=3650 \
  key-usage=tls-client

## create IP pool
/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224

## add VPN profile
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
  remote-address=VPN-POOL use-encryption=yes

## setup OpenVPN server
## RouterOS 7 renamed the ciphers to aes128-cbc,aes192-cbc,aes256-cbc (see the
## comments at the bottom of this page); RouterOS 7 also accepts auth=sha256
## and auth=sha512, which should be preferred when the clients support them.
## require-client-certificate=yes means a username/password alone is not enough.
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
  default-profile=VPN-PROFILE mode=ip netmask=24 port="$PORT" \
  enabled=yes require-client-certificate=yes

## add firewall rules
## The DNS rule is needed because the profile hands out 192.168.252.1 as the
## resolver, which also requires /ip dns allow-remote-requests=yes. Keep this
## accept limited to the VPN subnet and make sure DNS from WAN is still
## dropped, otherwise the router becomes an open resolver.
/ip firewall filter
add chain=input action=accept dst-port="$PORT" protocol=tcp \
  comment="Allow OpenVPN"
add chain=input action=accept dst-port=53 protocol=udp \
  src-address=192.168.252.0/24 \
  comment="Accept DNS requests from VPN clients"
move [find comment="Allow OpenVPN"] 0
move [find comment="Accept DNS requests from VPN clients"] 1

## Setup completed. Do not forget to create a user.

NOTE: To allow clients to surf the Internet, make sure that there are accept rules for the VPN subnet in the forward chain and a srcnat rule, such as the following. The return rule only accepts reply traffic (connection-state=established,related), so VPN clients are not reachable from the Internet for new connections:

/ip firewall filter
add chain=forward action=accept src-address=192.168.252.0/24 \
  out-interface-list=WAN place-before=0
add chain=forward action=accept in-interface-list=WAN \
  dst-address=192.168.252.0/24 connection-state=established,related \
  place-before=1
/ip firewall nat
add chain=srcnat src-address=192.168.252.0/24 out-interface-list=WAN \
  action=masquerade

Add a new user

# Add a new user and generate/export certs
#
# Change variables below if needed then copy the whole script
# and paste into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

## add a user
/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn

## generate a client certificate
/certificate
add name=client-template-to-issue copy-from=client-template \
  common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 10

## export the CA certificate, and the client certificate with its private key.
## An empty passphrase exports the certificate only, which is what we want
## for the CA: its private key never leaves the router. The client key is
## written encrypted with export-passphrase; here that is the same string as
## the PPP password, so whoever obtains the export files also has the password.
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

## Done. You will find the created certificates in Files. Delete them from
## Files once they have been copied to the client.

Setup OpenVPN client

  1. Copy the exported certificates from the MikroTik

    sftp admin@MikroTik_IP:cert_export_\*

    Also, you can download the certificates from the web interface or Winbox. Open Winbox/WebFig → Files for this.

  2. Create the user.auth file

    The file user.auth holds your username/password combination. The first line must be the username and the second line your password. It is a credential, so keep it readable by the owner only (chmod 600 user.auth).

    user
    password
    
  3. Create an OpenVPN config named USERNAME.ovpn:

    client
    dev tun
    proto tcp-client
    remote MikroTik_IP 1194
    nobind
    persist-key
    persist-tun
    # Must match the server (cipher=aes128,... and auth=sha1 above).
    # OpenVPN 2.5+ warns that 'cipher' is deprecated; for a server that does
    # not negotiate ciphers the equivalent is 'data-ciphers-fallback AES-128-CBC'.
    cipher AES-128-CBC
    auth SHA1
    # Reject a peer that presents a client certificate from the same CA;
    # the server certificate was issued with key-usage tls-server, so it passes.
    remote-cert-tls server
    pull
    verb 2
    mute 3
    
    # Create a file 'user.auth' with a username and a password
    #
    # cat << EOF > user.auth
    # user
    # password
    # EOF
    auth-user-pass user.auth
    
    # Copy the certificates from MikroTik and change
    # the filenames below if needed
    ca cert_export_MikroTik.crt
    cert cert_export_user@MikroTik.crt
    key cert_export_user@MikroTik.key
    
    # Uncomment the following line if Internet access is needed
    #redirect-gateway def1
    
    # Add routes to networks behind MikroTik
    #route 192.168.88.0 255.255.255.0
  4. Try to connect

    sudo openvpn USERNAME.ovpn
    
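Before connecting it is worth checking the exported files, and the same check applies to the output of the "Add a new user" script above. The script below is an added example and is not part of the gist: it builds a throwaway CA and client certificate with openssl as a constructed stand-in for the MikroTik export (same key usages as the gist's templates, key encrypted with the export passphrase), verifies the client bundle the way the OpenVPN client will (chain to the CA, key matches certificate, tls-client key usage, not about to expire), and assembles USERNAME.ovpn with the PEM files inlined so that only that file and user.auth are needed. The `check_client_bundle` and `build_ovpn` helpers, the work directory and `MikroTik_IP` are assumptions of the example; `remote-cert-tls server` is an addition that the gist's server certificate (key-usage tls-server) supports.

```shell
#!/bin/sh
# Added example, not part of the gist. Checks the files exported by
# "/certificate export-certificate" and builds USERNAME.ovpn with the CA,
# certificate and key inlined. Requires a local openssl binary.
# make_fixtures is a constructed stand-in for the MikroTik export so the
# script runs offline; file names follow the gist's cert_export_<name> scheme.
set -u

WORK=$(mktemp -d)
CN=MikroTik          # /system identity name used in the gist
USERNAME=user
PASSWORD=password    # export-passphrase (same as the PPP password in the gist)

# Constructed fixture: throwaway CA and client certificate with the same key
# usages as the gist's templates (CA: key-cert-sign,crl-sign; client: tls-client).
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$CN" \
        -keyout "$WORK/ca.key" -out "$WORK/cert_export_$CN.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$USERNAME@$CN" \
        -keyout "$WORK/plain.key" -out "$WORK/client.csr" 2>/dev/null
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$WORK/client.ext"
    openssl x509 -req -days 3650 -in "$WORK/client.csr" \
        -CA "$WORK/cert_export_$CN.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/cert_export_$USERNAME@$CN.crt" 2>/dev/null
    # RouterOS writes the key encrypted with export-passphrase; mirror that.
    openssl pkey -in "$WORK/plain.key" -aes256 -passout "pass:$PASSWORD" \
        -out "$WORK/cert_export_$USERNAME@$CN.key"
    # Unrelated key, used to show the key/certificate mismatch check firing.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rogue.key" 2>/dev/null
    rm -f "$WORK/plain.key"
}

# check_client_bundle CA CERT KEY PASSPHRASE
# Returns 0 when the bundle is usable by an OpenVPN client, 1 otherwise.
check_client_bundle() {
    ca=$1; cert=$2; key=$3; pass=$4
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca"; return 1
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read $key (wrong passphrase or corrupt file)"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: $cert lacks the tls-client key usage"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days"; return 1
    fi
    echo "OK: $cert"; return 0
}

# build_ovpn CA CERT KEY HOST OUT
# Same settings as the gist's client config, with the PEM files inlined.
# The key stays encrypted, so openvpn will prompt for the passphrase.
build_ovpn() {
    ca=$1; cert=$2; key=$3; host=$4; out=$5
    {
        printf '%s\n' "client" "dev tun" "proto tcp-client" "remote $host 1194" \
            "nobind" "persist-key" "persist-tun" "cipher AES-128-CBC" "auth SHA1" \
            "remote-cert-tls server" "pull" "verb 2" "auth-user-pass user.auth"
        printf '<ca>\n';   cat "$ca";                 printf '</ca>\n'
        printf '<cert>\n'; openssl x509 -in "$cert";  printf '</cert>\n'
        printf '<key>\n';  cat "$key";                printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the file now contains the private key
}

make_fixtures
CA="$WORK/cert_export_$CN.crt"
CERT="$WORK/cert_export_$USERNAME@$CN.crt"
KEY="$WORK/cert_export_$USERNAME@$CN.key"
OVPN="$WORK/$USERNAME.ovpn"
if check_client_bundle "$CA" "$CERT" "$KEY" "$PASSWORD"; then
    build_ovpn "$CA" "$CERT" "$KEY" MikroTik_IP "$OVPN"
    echo "wrote $OVPN"
fi
```

With the real export, run the check on the downloaded files, for example `check_client_bundle cert_export_MikroTik.crt cert_export_user@MikroTik.crt cert_export_user@MikroTik.key password`, and pass the same files to `build_ovpn` with the router's public address. A "does not chain" failure usually means the CA certificate was exported from a different router identity than the one that signed the client certificate; a mismatch failure means the .crt and .key come from different users.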

Decrypt the private key to avoid the passphrase prompt (optional)

Do not pass the passphrase on the command line (it ends up in the shell history and is visible in the process list); let openssl prompt for it. The unencrypted key is the VPN credential, so keep it readable by the owner only:

openssl rsa -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key
chmod 600 cert_export_user@MikroTik.key

Delete a user and revoke his certificate

# Delete a user and revoke his certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"

## delete a user
/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]

## revoke the client certificate
/certificate
issued-revoke [find name="$USERNAME@$CN"]

## drop the user's current session, if any; removing the secret and
## revoking the certificate do not tear down an established tunnel
/ppp active
remove [find name=$USERNAME]

## Done.

Revert OpenVPN server configuration on MikroTik

## Revert OpenVPN configuration

/interface ovpn-server server
set enabled=no default-profile=default port=1194

/ip pool
remove [find name=VPN-POOL]

/ppp secret
remove [find profile=VPN-PROFILE]

/ppp profile
remove [find name=VPN-PROFILE]

/ip firewall filter
remove [find comment="Allow OpenVPN"]
remove [find comment="Accept DNS requests from VPN clients"]

/certificate
## delete the certificates manually
@davidromba

I don't know why, but I am able to connect to the VPN, but when I go to any browser I am not able to access the websites. I am able to ping their corresponding IP addresses and I am also able to connect to the local network of the router. Basically, I am not able to resolve DNS names, but I am able to ping their respective IP addresses and I am able to reach the local network of the router.
If anyone is able to help I'd appreciate it.

@SmartFinn (Author)

@davidromba make sure that the Allow Remote Requests option in IP → DNS is enabled (/ip dns set allow-remote-requests=yes) and the servers list is not empty, or just change the DNS servers for VPN clients with /ppp profile set VPN-PROFILE dns-server=8.8.8.8,8.8.4.4

@davidromba

Thanks, your advice almost worked; I also needed to uncomment "redirect-gateway def1" in the ovpn file.

@alexforsale

Any way to pass an IPv6 address to the clients?

@deyvissonbrenoveras

Hey guys, I'm using this website to generate my .ovpn files with a MikroTik server: https://ovpnconfig.com.br

Is it trustworthy?

The source code of https://ovpnconfig.com.br is available now: https://github.com/deyvissonbrenoveras/ovpnconfig.com.br.

@sandorhoffmann

It works, I can connect and access the Internet, but I cannot access my server with mstsc or the shared folders.
I tried everything above. Could someone please help?
Thanks!

@HaithamDev

Hello,
can you do this on my own device?
I followed the steps carefully, but it didn't work for me.

@shakisha

Hello, after a router restore OpenVPN stopped working. What can be the issue?

@shakisha

I have found the issue... after updating from RouterOS 6 to 7 the VPN stops working.
Downgrading to 6 again makes things work again.

@Vaskata84

Hi, this script doesn't work on the latest version, 7.8.

@jwirt

jwirt commented Mar 24, 2023

I've also found that there is an error raised by the script on RouterOS version 7.8. At least one of the issues is that MikroTik has changed the names of the AES ciphers. When running the script you will receive an error on this section:

setup OpenVPN server

/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
  default-profile=VPN-PROFILE mode=ip netmask=24 port="$PORT" \
  enabled=yes require-client-certificate=yes

To fix the error you need to change the names used in the "cipher=" portion. If you use "aes128-cbc,aes192-cbc,aes256-cbc" then that portion of the script will not throw an error.

@nlavri

nlavri commented Feb 2, 2024

Thanks a lot for the script. I got a VPN connection between Android 13 and MikroTik working, but there was no access to the LAN and no firewall filter rules helped.
I have 192.168.200.0 addresses assigned to VPN clients and a 192.168.100.0 LAN (so route 192.168.100.0 255.255.255.0 was added to the client OpenVPN profile just like in the script above).
However, adding a firewall NAT masquerade rule helped.

/ip firewall nat add action=masquerade chain=srcnat \
  src-address=192.168.200.0/24 \
  comment="Allow OpenVPN clients to access LAN"
