Skip to content

Instantly share code, notes, and snippets.

@timefcuk

timefcuk/ovpn-server-with-certs.md

Forked from SmartFinn/ovpn-server-with-certs.md
Last active June 16, 2024 21:13
Show Gist options
  • Save timefcuk/2306a4fceabf21e09b7bb74ca2f0f1b6 to your computer and use it in GitHub Desktop.
Save timefcuk/2306a4fceabf21e09b7bb74ca2f0f1b6 to your computer and use it in GitHub Desktop.
Download ZIP
MikroTik (RouterOS) script for setup OpenVPN server and generate certificates
Raw
ovpn-server-with-certs.md

OpenVPN Server and certificate management on MikroTik

This setup allows VPN client to access both LAN and internet through OpenVPN server

Contents

Setup OpenVPN server and generate certificates

#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN MikroTik
:global COUNTRY "UA"
:global STATE "Kharkivska"
:global LOC "Kharkiv"
:global ORG "Timefcuk"
:global OU ""
:global KEYSIZE "4096"

## functions
:global waitSec do={:return ($KEYSIZE * 10 / 1024)}

## generate a CA certificate
/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

## generate a server certificate
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
  days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

## create a client template
/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
  organization="$ORG" unit="$OU" common-name="client" \
  key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

## add VPN profile
/ppp profile
add dns-server=192.168.88.1 local-address=192.168.88.1 name=OVPN-Profile \
  remote-address=dhcp use-encryption=yes

## setup OpenVPN server
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
  default-profile=OVPN-Profile enabled=yes keepalive-timeout=disabled \
  mac-address=00:00:00:00:00:00 max-mtu=1450 port=1993 \
  require-client-certificate=yes

## add a firewall rule (don't forget to move this rule upwards in UI - above drop all from !LAN) 
/ip firewall filter
add chain=input dst-port=1993 protocol=tcp comment="Allow OpenVPN"
add chain=input action=accept protocol=tcp in-interface=all-ppp comment="Allow OpenVPN"

Add a new user

# Add a new user and generate/export certs
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

## add a user
/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn

## generate a client certificate
/certificate
add name=client-template-to-issue copy-from="client-template" \
  common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

## export the CA, client certificate, and private key
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

Setup OpenVPN client

  1. Copy the exported certificates from the MikroTik

    sftp admin@MikroTik_IP:cert_export_\*

    Also, you can download the certificates from the web interface. Go to WebFigFiles for this.

  2. Create user.auth file

    The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.

    user
password

  3. Create OpenVPN config that named like USERNAME.ovpn:

    client
dev tun
proto tcp-client
remote ${EXTERNAL_MIKROTIK_IP} 1993
nobind
persist-key
persist-tun
verb 2
mute 3
pull
cipher AES-256-CBC
auth SHA1

##############################################
#
# Create a file 'user.auth' with a user and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
auth-user-pass admin.auth.unknown

# CA CERT
ca cert_export_MikroTik.crt

# USER CERTS
cert cert_export_admin@MikroTik.crt
key cert_export_admin@MikroTik.key

#Add routes to networks behind MikroTik
route 192.168.88.0 255.255.255.0 192.168.88.1
redirect-gateway def1

  4. Try to connect

    sudo openvpn USERNAME.ovpn

Decrypt private key to avoid password asking

openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key

Delete a user and revoke his certificate

# Delete a user and revoke his certificate
#
# Change variables below and paste the script
# into MikroTik terminal window.
#

:global CN [/system identity get name]
:global USERNAME "user"

## delete a user
/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]

## revoke a client certificate
/certificate
issued-revoke [find name="$USERNAME@$CN"]

Revert OpenVPN server configuration on MikroTik

# Revert OpenVPN configuration
#

/ip pool
remove [find name=VPN-POOL]

/ppp profile
remove [find name=VPN-PROFILE]

/ip firewall filter
remove [find comment="Allow OpenVPN"]

/ppp secret
remove [find profile=VPN-PROFILE]

/certificate
## delete the certificates manually
@SyFizz
Copy link

SyFizz commented Aug 6, 2023

Hello.

I did all the steps described, but i have a problem :
Something is preventing DNS resolution from working on client.

When i do a UDP traceroute, we can see that a packet sent to 1.1.1.1 on port 53 is successfully sent through the VPN, but does not go further.

Any idea ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment