In the first mini-guide of this series, I showed how to generate SSL Certificates for use with an OpenVPN setup.
This next mini-guide will show how to configure a Mikrotik RouterOS router for use as an OpenVPN Server. This is where your various devices will “dial-in” to.
Obviously, everyone’s network is different. So I’ll try and make this as generic as possible, but without straying from my policy of being as straight forward as I need to be.
So, hopefully, you already have a configured RouterOS router, thats already part of your network.
Designing the VPN Network
The first step of any network change, is to decide where we want to be when we’re done.
This mini-guide is going to show you how to create layer-3 tunnels from a remote device, to your home/office gateway router (running RouterOS).
Because we’re doing a layer-3 configuration, you’ll need to put aside a range of IPs for your VPN clients.
In this setup, I’m going to use 10.0.0.1/24 for our LAN, 10.1.0.1/24 for the VPN.
We create an IP Pool, which RouterOS will use to select and assign IPs for the VPN clients. Start at the second IP, since we’ll use the first IP for the server itself.
/ip pool add name=ovpn-pool ranges=10.1.0.2-10.1.0.100
Then we create an PPP Profile, which is used to define the settings of the session created with a VPN Client.
/ppp profile add change-tcp-mss=default comment="" local-address=10.1.0.1 \ name="openvpn-in" only-one=default remote-address=openvpn-pool \ use-compression=default use-encryption=required use-vj-compression=default
Configure the OpenVPN Server. For this, we’ll need to remember the name of the imported server certificate that you generated in the previous article.
/interface ovpn-server server set auth=sha1,md5 certificate=server-cert \ cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn-in \ enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=24 \ port=1194 require-client-certificate=no
Configure your Firewall to allow inbound OpenVPN connections, and allow the OpenVPN Clients to NAT out of your Internet connection (if you want to allow them internet access).
/ip firewall filter add action=accept chain=input disabled=no protocol=tcp dst-port=1194 /ip firewall nat add action=masquerade chain=src-nat out-interface=
Then, for every user, you should define a username and password. This also gives you the ability to assign each client a fixed IP, and you’ll notice that in the ip pool definition I left a chunk of IPs at the end of the /24 free for this.
/ppp secret add disabled=no name="client1" password="password1"
This user will have a static IP assigned.
/ppp secret add disabled=no name="client2" password="password2" remote-address=10.1.0.101
And that is the OpenVPN Server, all configured.
In the next mini-guide, I’ll show you got to set up a Mikrotik RouterOS router as an OpenVPN client.