Mikrotik Openvpn for remote access dial-in into a corporate network is one of the powerful ways to securely connect to a remote network and resolve one or two issues while having a time of your life in a location far away from the coperate network. At a time like this when most workers are working from home and organizations are battling to stay afloat, IT managers are looking for affordable yet secure VPN solutions for their telecommuters.
While the RouterOS is packed with many options for implementing site-to-site and remote access vpn, for example, IPSEC, GRE Tunneling, PPTP Tunneling, and L2TP, Mikrotik Openvpn is not only considered one of the most secured but also one of the easiest to setup and use on client devices.
In this post, I will be sharing the steps required to setpup Mikrotik Openvpn on routerOS as well as the installation and configuration of the Openvpn client application on an iOS device, eg. an iPhone.
The first step is to creat the certificates that will be used for the Mikrotik Openvpn setup. This involves the creation of three certificates on the Mikrotik router that will serve as your vpn gateway. This router must have a public IP address assigned to its internet-facing interface.
Creation of certificates
The three certificates that will be created are the Ca, server, and client certificates. Let’s create them below.
So, as shown in the above images, in the general tab, the name and common name must be set to ca. Then click on the key usage tab and check the options for crl sign and key cert sign only. Click on apply and click on sign. In the dialog box that appears, leave the certficate at ca, enter your vpn gateway’s public IP address in the CA CRL Host field, eg. 192.168.1.1 (not a public IP, I know), and click on sign.
For the server certificate, follow the steps shown in the images below.
As shown in the images above, for the server certificate creation, in the general tab, the name and common name is server, in the key usage tab, the certificate is server, the certificate authority is the ca created earlier. After you have confirmed that the required paramenters have been checked as shown the above images, click on the sign button and close out of the dialog box. No IP address is required for this.
You may also like: How to permit l2tp ipsec vpn through Mikrotik firewall
Finally, in this certificate creation section, we will create the client certificate. This will be required by the connecting vpn client for secure authentication. Click on the add sign in the certificate menu. In the general tab, set the name and common name to client, and click on the key usage tab. Check the box for “tls client” only, click on apply and sign. In the dialog box that appears, leave the certificate name as client, select “ca” as the certificate authority, click on sign and close out of the dialog box. Again, no public IP is required here. See images below for guide. It is importatant that the created client and server certificates must appear as trusted. To do this, double-click on each of them, in the general tab of the dialog box that appears, check the box for “trust” as shown in the image below.
Next, we export the ca and client certficates. This will make them visible in the file section of the Mikrotik router, from where we can download them to the connecting clients. To export the ca and client certificates, double-click on anyone of the two certificates files in the certificate menu, click on export and click on export. Ensure that the right certificate is selected. See image below for guide.
Do the same thing for the client certificate. Note that the server certificate is not exported. For the client certificate, a passphrase can be set.
Three files (two certificate files and one key file) are now available in the file section of the Mikrotik router.
Having exported these files, create a folder on your computer and drag them to it. Then, shorten the names to ca.crt, client.crt, and client.key After that, download the client.ovpn template and edit it. The client.ovpn file must be stored in the certificate folder created. After that, open your notepad and type in a username and a password. The username comes first with the password directly below it on the next line. This notepad file should be named secret without an extention and saved in the certificate folder.
Enable Mikrotik Openvpn on the router.
Click on the PPP tab, click on Openvpn server and enter your details. Use the attached image as a guide.
Enable proxy arp on the LAN interface
To allow your vpn clients communicate with devices on your corporate network, you need to enable proxy arp on the router’s interface connecting to your corporate LAN. Simply double-click on the interface and change arp setting from the default enabled to proxy-arp.
Create a secret key for vpn users
Here, you simply create user credentials for vpn users. In the PPP menu, click on secret, enter a name for the user and enter his/her password. This must exactly be the same with the username and passwords entered in the secret file created earlier. The local address is the private address on your router’s LAN interface while the remote IP is the address that will be assigned to the vpn client upen successful connection. See image below.
Setting up Openvpn client on Apple iOS
First of all, look for the Openvpn app on the Appstore and download it. Then, connect your Apple device to to your PC and lunch the iTunes app. Click on file sharing, On the left side of the dialog box that appears, click on OpenVPN and click on add file. Locate the certificate folder that contains all the certificate files, the client.ovpn file and the secret file. Select all of them and click on open.
Finally, launch the Openvpn app on your phone and connect.
That’s all there is to it. For more on Mikrotik Openvpn configuration and the different setup approaches, like integrating with ipsec, kindly visit the Mikrotik wikipage.