DEV Community

Ihor

OpenVPN Server and certificate management on MikroTik

Setup OpenVPN Server and generate certs

Change the variables below and paste the script into the MikroTik terminal window.

```
:global CN [/system identity get name]
:global COUNTRY "UA"
:global STATE "KV"
:global LOC "Kyiv"
:global ORG "My organization"
:global OU ""
:global KEYSIZE "2048"

# functions
# a RouterOS function has its own scope, so the global is re-declared inside it;
# the delay scales with the key size (about 20 seconds for a 2048-bit key)
:global waitSec do={ :global KEYSIZE; :return ([:tonum $KEYSIZE] * 10 / 1024) }

# generate a CA certificate
/certificate
add name=ca-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=crl-sign,key-cert-sign
sign ca-template ca-crl-host=127.0.0.1 name="$CN"
:delay [$waitSec]

# generate a server certificate
/certificate
add name=server-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="server@$CN" key-size="$KEYSIZE" \
days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign server-template ca="$CN" name="server@$CN"
:delay [$waitSec]

# create a client template (copied and signed once per user in the next section)
/certificate
add name=client-template country="$COUNTRY" state="$STATE" locality="$LOC" \
organization="$ORG" unit="$OU" common-name="client" \
key-size="$KEYSIZE" days-valid=3650 key-usage=tls-client

# create an IP pool
/ip pool
add name=VPN-POOL ranges=192.168.252.128-192.168.252.224

# add a VPN profile
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
remote-address=VPN-POOL use-encryption=yes

# set up the OpenVPN server (every client must present a certificate signed by the CA above)
/interface ovpn-server server
set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
default-profile=VPN-PROFILE enabled=yes require-client-certificate=yes

# add a firewall rule; new rules are appended to the end of the chain,
# so move this one above any final drop rule in the input chain
/ip firewall filter
add chain=input action=accept dst-port=1194 protocol=tcp comment="Allow OpenVPN"
```

Add a new user and generate/export certs

Change the variables below and paste the script into the MikroTik terminal window.

```
:global CN [/system identity get name]
:global USERNAME "user"
:global PASSWORD "password"

# add a user
/ppp secret
add name="$USERNAME" password="$PASSWORD" profile=VPN-PROFILE service=ovpn

# generate a client certificate from the template
/certificate
add name=client-template-to-issue copy-from="client-template" \
common-name="$USERNAME@$CN"
sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
:delay 20

# export the CA certificate (an empty passphrase exports the certificate only, not the key)
# and the client certificate together with its private key, encrypted with the user's password
/certificate
export-certificate "$CN" export-passphrase=""
export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"
```

Setup OpenVPN client

Copy the exported certificates from the MikroTik:

```
sftp admin@MikroTik_IP:cert_export_*
```

Also, you can download the certificates from the web interface. Go to WebFig → Files for this.

Create user.auth file

The file user.auth holds your username/password combination: the first line must be the username and the second line your password.

```
cat << EOF > user.auth
user
password
EOF
```

Create an OpenVPN config named USERNAME.ovpn:

```
client
dev tun
proto tcp-client
remote MikroTik_IP 1194
nobind
persist-key
persist-tun
# must be one of the ciphers enabled on the server (aes128, aes192, aes256);
# OpenVPN 2.5+: if the client refuses this cipher, also add 'data-ciphers AES-256-CBC'
cipher AES-256-CBC
auth SHA1
pull
verb 2
mute 3

# the file 'user.auth' created above holds the username and password
auth-user-pass user.auth

# certificates copied from MikroTik; change the filenames below if needed
ca cert_export_MikroTik.crt
cert cert_export_user@MikroTik.crt
key cert_export_user@MikroTik.key

# add routes to networks behind MikroTik
route 192.168.10.0 255.255.255.0
```

Try to connect:

```
sudo openvpn USERNAME.ovpn
```

Decrypt the private key so OpenVPN stops asking for its passphrase (the key is then stored unencrypted; keep the file readable only by your own user):

```
# -passin pass:... exposes the passphrase in the process list; -passin stdin avoids that
openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key
```
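
As an alternative to decrypting the key on disk, the following script (an added example, not part of the original post) assembles a single-file profile from the exported files, embedding the CA, certificate and key inline; when the key is still passphrase-protected it adds `askpass` so OpenVPN prompts at connect time instead. The `cert_export_*` file names, `MikroTik_IP` argument and the route come from the post; `remote-cert-tls server` is added on the assumption that the RouterOS key-usage `tls-server` gives the server certificate the serverAuth extended key usage.

```python
import re
import sys
from pathlib import Path
# one PEM block: "BEGIN <label>" ... "END <same label>"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
# client settings matching the server from the post: TCP/1194, AES-256-CBC, SHA1;
# remote-cert-tls assumes the server certificate carries the serverAuth EKU
BASE_OPTIONS = [
    "client", "dev tun", "proto tcp-client", "nobind", "persist-key", "persist-tun",
    "cipher AES-256-CBC", "auth SHA1", "remote-cert-tls server", "pull", "verb 2", "mute 3",
]

def extract_pem(text, label_pattern):
    """Return the first PEM block whose label matches label_pattern (a regex), else None."""
    for m in PEM_BLOCK.finditer(text):
        if re.fullmatch(label_pattern, m.group(1)):
            return m.group(0)
    return None

def key_is_encrypted(key_pem):
    """True for a PKCS#8 'ENCRYPTED PRIVATE KEY' or a legacy PEM with Proc-Type: 4,ENCRYPTED."""
    return key_pem.startswith("-----BEGIN ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key_pem

def build_profile(remote_host, ca_text, cert_text, key_text, routes=(), auth_file="user.auth"):
    """Assemble the inline profile text; raise ValueError if any PEM piece is missing."""
    ca = extract_pem(ca_text, "CERTIFICATE")
    cert = extract_pem(cert_text, "CERTIFICATE")
    key = extract_pem(key_text, r"(ENCRYPTED |RSA |EC )?PRIVATE KEY")
    missing = [n for n, v in (("ca", ca), ("cert", cert), ("key", key)) if v is None]
    if missing:
        raise ValueError("no PEM block found for: " + ", ".join(missing))
    lines = BASE_OPTIONS + [f"remote {remote_host} 1194", f"auth-user-pass {auth_file}"]
    lines += [f"route {net} {mask}" for net, mask in routes]
    if key_is_encrypted(key):
        lines.append("askpass")  # prompt for the key passphrase instead of storing a plain key
    lines += [f"<ca>\n{ca}\n</ca>", f"<cert>\n{cert}\n</cert>", f"<key>\n{key}\n</key>"]
    return "\n".join(lines) + "\n"

def main(argv):
    """Usage: build_ovpn.py <MikroTik_IP> <CA name> <username>  (writes <username>.ovpn)"""
    host, ca_name, user = argv[1:4]
    read = lambda path: Path(path).read_text(encoding="utf-8")
    profile = build_profile(host, read(f"cert_export_{ca_name}.crt"),
                            read(f"cert_export_{user}@{ca_name}.crt"),
                            read(f"cert_export_{user}@{ca_name}.key"),
                            routes=[("192.168.10.0", "255.255.255.0")])
    with open(f"{user}.ovpn", "w", encoding="utf-8") as fh:
        fh.write(profile)
if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 build_ovpn.py MikroTik_IP MikroTik user` from the directory holding the exported files; the resulting user.ovpn needs only user.auth next to it.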

Delete a user and revoke his certificate

Change the variables below and paste the script into the MikroTik terminal window.

```
:global CN [/system identity get name]
:global USERNAME "user"

# delete the user
/ppp secret
remove [find name="$USERNAME" profile=VPN-PROFILE]

# revoke the client certificate (the CA's CRL is updated; a session that is
# still active for this user is listed under /ppp active and can be removed there)
/certificate
issued-revoke [find name="$USERNAME@$CN"]
```

Revert OpenVPN server configuration on MikroTik

```
# disable the server first so nothing new connects while the rest is removed,
# and detach VPN-PROFILE so it can be deleted below
/interface ovpn-server server
set enabled=no default-profile=default

/ip firewall filter
remove [find comment="Allow OpenVPN"]

# remove in dependency order: secrets use the profile, the profile uses the pool
/ppp secret
remove [find profile=VPN-PROFILE]

/ppp profile
remove [find name=VPN-PROFILE]

/ip pool
remove [find name=VPN-POOL]

/certificate
# delete the certificates manually (the CA, server and issued client certificates are not removed by this script)
```
