Tuesday 26 May 2015

Site to site OpenVPN using Mikrotik RouterOS routers

I recently needed to set up a VPN between two sites using Mikrotik routers.  Whilst I'm reasonably familiar with OpenVPN, I'm a newcomer to Mikrotik routers so I had to do a fair bit of reading up to figure out how to get this to work how I wanted.

I found lots of how-to guides already but none really matched what I wanted to achieve and quite a few seemed pretty out of date, with commands for RouterOS that no longer work.

What I wanted to end up with is something like this:



So fairly standard for a VPN but I was keen that once set up, it just keeps working.  Things at Site A on 192.168.88.0/24 subnet should be able to access things at Site B on the 192.168.89.0/24 subnet automatically.  It also needed to survive a reboot of either router.

One big stumbling block I ran into with OpenVPN on Mikrotiks is that they don't support push-route, so you can't have the VPN server push routes to the client(s).  So in the end I had to set up static IPs for the VPN to use (on the 10.9.9.50/32 subnet) and static routes by IP address.

It's also worth noting that the Mikrotik routers don't support OpenVPN over UDP, but this wasn't an issue for me.


How to set up

Steps are:
  • set up NTP
  • generate certificates
  • set up server
  • set up client
  • add static routes on both ends

Set up NTP

It's important that the time is correct on both routers for the certificates to work, so ideally they need to be talking to some NTP servers.
In the web interface or Winbox, go to System > SNTP Client.  Add some NTP servers; if you are using pool.ntp.org then make sure you add several DNS names:


Generating Certificates

There are several ways of doing this: if you have OpenVPN installed on a "normal" computer (such as a Linux server or desktop) then you can use the Easy-RSA package to generate certificates for you, and there are also websites which will do the job for you.  I used the Mikrotik router itself to do the job.  All the work is done using one router.

Using newer versions of RouterOS (I'm using 6.25 for this), you create certificate templates first and then sign them.  It's possible using the web interface or the Winbox tool (which runs fine with wine) but I used the command line interface because it was quicker.

Generate templates:
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate add name=server-template common-name=server
/certificate add name=client1-template common-name=client1
Change the common-name to something more descriptive if you want.

Then sign the certificates:
/certificate sign ca-template ca-crl-host=192.168.88.1 name=myCa
/certificate sign ca=myCa server-template name=server
/certificate sign ca=myCa client1-template name=client1
Set CA and server cert as trusted:
/certificate set myCa trusted=yes
/certificate set server trusted=yes
Now export the CA and the client certificate so they can be copied onto the Mikrotik router for Site B:
/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
Copy these two files off router A and onto router B; this is easy to do in the web interface or Winbox.

In the web interface or Winbox on router B, go to System > Certificates and import the CA and the client certificate.


Set up the Server

This is all done on router A, which is acting as the server.  It doesn't matter which router you use as the server, but it should ideally have a static IP address on the Internet-facing interface (or at least be using some kind of dynamic DNS service), since the client has to know where to reach the server!  The client(s) can be on dynamic IPs.

Create a PPP profile for this VPN:


Note how the static IP addresses to be used for the VPN (10.9.9.50 & 10.9.9.51) are defined here.  You can choose whatever IPs you want but they shouldn't clash with any of the subnets already in use at any of the sites you are going to connect on this VPN.

Create a PPP authentication for this client to use:


As well as being used for authentication, it associates the client with the PPP profile you created above, so if you have multiple clients, create multiple profiles and multiple authentications linking them together.

Click on the OVPN Server button on the PPP Interfaces tab and enable the OpenVPN server:


Select the "server" certificate, make sure "require client certificate" is chosen.  You can use whatever authentication methods and ciphers you want, just make sure that when you set up a client, you set it to use matching settings.

The last job on the server is to open up the OpenVPN port on the firewall:


Set up the Client

Assuming you have already uploaded and imported the CA and client1 certificates on router B, connecting to the OpenVPN server is simple.

Add a new PPP interface of type OVPN Client:

This should be fairly self-explanatory by now!  Make sure to use the correct username and password as configured for the PPP Profile on the server, choose the correct certificate, and make sure the auth method and cipher are compatible with your server settings.
For what I want, I don't want the default route setting because I only want to use the VPN to access devices on the remote network; all other traffic should still go out over the local Internet connection.  So we will add static routes to do this next.


Add Static Routes

By now the VPN is connected and working.  But site A wants to access devices on the 192.168.89.0/24 subnet at site B, and site B wants to access devices on the 192.168.88.0/24 subnet at site A.  A static route is needed at each end for this.

At site A, add a new route.  The only required information is the destination address and the gateway to use.  These will be the local network at site B, and the OpenVPN address of site B:


Then at site B, do the same but using the local subnet at site A and the OpenVPN IP address at site A.
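The server, client and route steps described above, as an added RouterOS 6 CLI equivalent of the screenshots (this is example configuration written for this page, not the author's own). The WAN interface name ether1, the profile and interface names, the password CHANGE-ME and the hostname vpn.example.com are assumptions; the certificate names myCa, server and client1 are the ones signed earlier. The firewall rule is narrowed to the WAN interface, which the original did not specify.

```routeros
# ---- Router A (OpenVPN server, LAN 192.168.88.0/24) ----
# PPP profile pinning the tunnel addresses: 10.9.9.50 is the server end,
# 10.9.9.51 is handed to client1. Pick any addresses not used at either site.
/ppp profile add name=ovpn-siteB local-address=10.9.9.50 remote-address=10.9.9.51 \
    use-encryption=required

# PPP secret the client authenticates with; the name matches the client
# certificate's common-name (client1) and links to the profile above.
/ppp secret add name=client1 password=CHANGE-ME service=ovpn profile=ovpn-siteB

# Enable the OpenVPN server (TCP only on RouterOS), present the "server"
# certificate and reject any client that does not present one signed by myCa.
/interface ovpn-server server set enabled=yes port=1194 mode=ip \
    certificate=server require-client-certificate=yes \
    auth=sha1 cipher=aes256 default-profile=ovpn-siteB

# Firewall: accept the OpenVPN port only on the Internet-facing interface.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1194 \
    action=accept place-before=0 comment="OpenVPN from site B"

# Static route: site B's LAN is reachable via the client's tunnel address.
/ip route add dst-address=192.168.89.0/24 gateway=10.9.9.51 comment="site B LAN via OVPN"

# ---- Router B (OpenVPN client, LAN 192.168.89.0/24) ----
# Connect to router A using the imported client1 certificate, the same
# auth/cipher as the server, and no default route so only site A traffic
# enters the tunnel.
/interface ovpn-client add name=ovpn-to-siteA connect-to=vpn.example.com port=1194 \
    mode=ip user=client1 password=CHANGE-ME certificate=client1 \
    auth=sha1 cipher=aes256 add-default-route=no

# Static route: site A's LAN is reachable via the server's tunnel address.
/ip route add dst-address=192.168.88.0/24 gateway=10.9.9.50 comment="site A LAN via OVPN"

# Checks: on router B the client should show status "connected";
# on router A the session should appear under active PPP connections.
/interface ovpn-client monitor ovpn-to-siteA once
/ppp active print
```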

Once these are saved they will persist across OpenVPN restarts, Internet connection failures, etc.

The great thing I find with OpenVPN is that once you've got it up and running you can just forget about it and it keeps on working.  It is very good at reconnecting after failures too (such as Internet connection drop outs, router reboots etc...).


12 comments:

  1. This comment has been removed by the author.
  2. I get a TLS failed error. I had to disable the "require client certificate" option. Maybe when generating the certificate I had to add TLS to "key-usage=" as well.
    Otherwise, great tutorial.
  3. I get a TLS fail error and I can't find the solution, can you help?
    Replies
    1. Hey, I just tried this tutorial and saw your comment.
      CN cert client must match PPP Secret Name
      CN cert server must match OVPN Client, new interface, Connect to
  4. You have to import client.key file to router B.
  5. Which Authentication and Cipher is the safest?

    I guess 'null' is not an option at all... So MD5 or SHA1? I read SHA1 is stronger than MD5.
    If there is AES256 why would I use AES192 or 128? (Is higher number better?) And of course there is Blowfish 128 too. Which is better and why?
  6. SHA1 is stronger than MD5. The options for weaker encryption methods are there in order to get maximum performance on lower-power hardware and to be compatible with other devices that do OpenVPN but perhaps don't support some encryption methods.

    At the end of the day, if you are just using it at home or in a small company then the fact it is encrypted at all is probably enough. It depends what kind of data you have going over the VPN, I suppose.
  7. I'm not a cryptography expert by any means but I believe Blowfish is generally thought to be the strongest/hardest to brute force. But that doesn't mean "better", better or not depends what you want.
  8. Thanks for putting this in plain English. MikroTik tutorials are sometimes really, really difficult to follow. I was wondering, can a client on LAN A reach a client on LAN B by computer name instead of IP?
  9. This comment has been removed by the author.
  10. I get the tunnel up, and when I ping from the console it works. But when I ping from the LAN it doesn't work; could someone tell me why it's failing?