OpenVPN Server and certificate management on MikroTik

garyker

Ihor

Posted on March 15, 2019


Set up the OpenVPN server and generate certificates

Change the variables below and paste the script into the MikroTik terminal window. It creates a CA on the router (the CA private key is generated on the router and never leaves it), issues the server certificate from that CA, prepares a client certificate template, and configures the OpenVPN server.

:global CN [/system identity get name]
:global COUNTRY "UA"
:global STATE "KV"
:global LOC "Kyiv"
:global ORG "My organization"
:global OU ""
:global KEYSIZE "2048"

functions (a RouterOS function only sees a global variable that is declared again inside its body; the returned value is a rough number of seconds to wait for background signing, 10 s per 1024 bits of key)

:global waitSec do={ :global KEYSIZE; :return ([:tonum $KEYSIZE] * 10 / 1024) }

generate a CA certificate

/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

generate a server certificate

/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

create a client template

/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="client" \
key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

create an IP pool for the VPN clients

/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224

add a VPN profile

/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
remote-address=VPN-POOL use-encryption=yes

set up the OpenVPN server (RouterOS v6 serves OpenVPN over TCP only; require-client-certificate=yes demands a certificate signed by $CN on top of the username and password)

/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes

add a firewall rule (the action defaults to accept; the rule is appended at the end of the input chain, so place it above any general drop rule, otherwise it never matches)

/ip firewall filter
add chain=input dst-port=1194 protocol=tcp action=accept comment="Allow OpenVPN"

Add a new user

Add a new user and generate/export certs

Change the variables below and paste the script into the MikroTik terminal window. PASSWORD is used both as the PPP secret and as the passphrase that protects the exported private key; RouterOS requires an export passphrase of at least 8 characters.

:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

add a user

/ppp secret
add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn

generate a client certificate

/certificate
add name=client-template-to-issue copy-from="client-template" \
common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

export the CA certificate and the client certificate with its private key. An empty export-passphrase exports only the .crt, so the CA key stays on the router; the client key is written encrypted under $PASSWORD. The files appear in the router's Files list as cert_export_<name>.crt and cert_export_<name>.key

/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"

Set up the OpenVPN client

Copy the exported files from the MikroTik; export-certificate left them in the router's Files list as cert_export_<name>.crt and cert_export_<name>.key:

sftp admin@MikroTik_IP:cert_export_*

Alternatively, download them from the web interface: WebFig → Files.

Create the user.auth file

The user.auth file holds the username and password of the PPP secret: the username on the first line, the password on the second.
user
password

Create an OpenVPN client config named USERNAME.ovpn:

client
dev tun
# the RouterOS v6 OpenVPN server speaks TCP only
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
# must match the server: cipher=aes128,aes192,aes256 and auth=sha1
cipher AES-256-CBC
auth SHA1
# OpenVPN 2.5 and later clients may additionally need:
# data-ciphers-fallback AES-256-CBC
pull
verb 2
mute 3

# username and password of the PPP secret, stored in user.auth (see above)
auth-user-pass user.auth

# certificates copied from the MikroTik; change the filenames if needed
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key
# only accept a peer whose certificate carries the tls-server key usage,
# so that a client certificate issued by the same CA cannot pose as the server
remote-cert-tls server

# routes to the networks behind the MikroTik (the v6 server cannot push them)
route 192.168.10.0 255.255.255.0

Try to connect:
sudo openvpn --config USERNAME.ovpn

OpenVPN prompts for the private key passphrase (the PASSWORD given to export-certificate). To get rid of the prompt you can strip the encryption from the key. Without -passin, openssl asks for the passphrase interactively, which keeps it out of the process list and the shell history; the key then sits unencrypted on the client, so restrict the file permissions (chmod 600) accordingly:
openssl rsa -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key
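Before the three files pulled from the router go into the .ovpn file, it is worth checking on the client that they belong together: that the client certificate really chains to the CA you exported, that it carries the tls-client key usage (and the server certificate the tls-server one, which is the split that `remote-cert-tls server` relies on), and that the encrypted key decrypts with the export passphrase and matches the certificate. The POSIX shell script below is an added example and not code from the original post or from MikroTik; it assumes the openssl command-line tool and the cert_export_<name> file naming, and it builds its own throwaway CA, client and server certificates (constructed test material) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post or of RouterOS: sanity-check
# the files pulled from the router before they go into USERNAME.ovpn.
# Assumptions: the openssl CLI is installed; file names follow the router's
# cert_export_<name>.crt / .key pattern; the CA came without its key
# (export-passphrase="" exports only the .crt).

# eku_of CERT: print client | server | both | none from the X509v3 Extended
# Key Usage extension. RouterOS key-usage=tls-client appears as
# "TLS Web Client Authentication", tls-server as "TLS Web Server
# Authentication"; "remote-cert-tls server" in the .ovpn relies on this split.
eku_of() {
    eku=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | awk '/X509v3 Extended Key Usage/ { getline; print }')
    case "$eku" in
        *"Web Client"*"Web Server"* | *"Web Server"*"Web Client"*) echo both ;;
        *"Web Client"*) echo client ;;
        *"Web Server"*) echo server ;;
        *) echo none ;;
    esac
}

# verify_bundle CA.crt CLIENT.crt CLIENT.key PASSPHRASE
# Prints "ok" when the client certificate chains to the exported CA, is a
# tls-client certificate, and the encrypted key belongs to it; otherwise
# prints the first failing check: chain | eku | key-decrypt | key-mismatch.
# The passphrase goes in on stdin, so unlike -passin pass:... it is not
# visible in the process list or the shell history.
verify_bundle() {
    ca=$1 crt=$2 key=$3 pass=$4
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo chain; return 1; }
    [ "$(eku_of "$crt")" = client ] || { echo eku; return 1; }
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null || true)
    pub_key=$(printf '%s\n' "$pass" \
              | openssl pkey -in "$key" -passin stdin -pubout 2>/dev/null || true)
    [ -n "$pub_key" ] || { echo key-decrypt; return 1; }
    [ "$pub_crt" = "$pub_key" ] || { echo key-mismatch; return 1; }
    echo ok
}

# Constructed test material standing in for the router's export: a CA, a
# tls-client certificate whose key is passphrase-protected the way
# export-certificate does it, and a tls-server certificate to show the EKU
# split. The CA key exists here only because this is a throwaway test PKI.
issue_test_cert() {  # issue_test_cert DIR NAME EKU
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2@MikroTik" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'extendedKeyUsage=%s\n' "$3" > "$1/$2.ext"
    openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}
make_test_pki() {  # make_test_pki DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=MikroTik" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    issue_test_cert "$1" server serverAuth
    issue_test_cert "$1" client clientAuth
    printf 'password\n' | openssl pkey -in "$1/client.key" -aes256 -passout stdin \
        -out "$1/client.enc.key" 2>/dev/null
}

# Usage: sh check_bundle.sh cert_export_MikroTik.crt \
#            cert_export_user@MikroTik.crt cert_export_user@MikroTik.key
if [ $# -ge 3 ]; then
    stty -echo 2>/dev/null; printf 'export passphrase: ' >&2
    read -r pass; stty echo 2>/dev/null; echo >&2
    verify_bundle "$1" "$2" "$3" "$pass"
fi
```

Run it with the three exported files as arguments; it asks for the export passphrase on the terminal instead of taking it on the command line. Once the files are verified and in place on the client, remove them from the router's Files list, where export-certificate left them (the .key in particular): `/file remove [find name~"^cert_export_"]`.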

Delete a user and revoke the user's certificate


Change the variables below and paste the script into the MikroTik terminal window.

:global CN [/system identity get name]
:global USERNAME "user"

disconnect the user's active session, if any, and delete the secret

/ppp active
remove [find name=$USERNAME]

/ppp secret
remove [find name=$USERNAME profile=VPN-PROFILE]

revoke the client certificate. Revocation only locks the client out if the router consults its own CRL: check with /certificate settings print that crl-use=yes

/certificate
issued-revoke [find name="$USERNAME@$CN"]

Revert OpenVPN server configuration on MikroTik

Revert the OpenVPN configuration. Disable the server first, then remove the objects in reverse dependency order: active sessions and secrets before the profile, the profile before the pool.

/interface ovpn-server server
set enabled=no certificate=none default-profile=default

/ppp active
remove [find service=ovpn]

/ppp secret
remove [find profile=VPN-PROFILE]

/ppp profile
remove [find name=VPN-PROFILE]

/ip pool
remove [find name=VPN-POOL]

/ip firewall filter
remove [find comment="Allow OpenVPN"]

delete the certificates by name: the server certificate, the client template, every issued client certificate (USERNAME@$CN, repeat the line for each user), and the CA last. Removing the CA destroys its private key, so nothing it issued can be verified or revoked afterwards.

:global CN [/system identity get name]
/certificate
remove [find name="server@$CN"]
remove [find name="client-template"]
remove [find name="user@$CN"]
remove [find name="$CN"]
