Mikrotik OpenVPN
This is going to be one of my first articles in English, to reach a wider audience.
Well, today I am going to talk about how to configure a VPN using OpenVPN on your (well, my) MikroTik router.
Why? Because I need to access K8S services from outside. Let's go!
This configuration has one special thing: I want the VPN users to be on the same network as the local users,
so I don't need to create special rules. And since I am the only one who is going to use it, it is safe for me.
So, in this case I will:
- use the same pool as the user subnet DHCP
- enable proxy-arp
First, we need to prepare the router certificates, so log in to the MikroTik and:
Create the CA certificate
/certificate add name=CA common-name=CA key-usage=key-cert-sign,crl-sign
Create the server certificate
/certificate add name=ovpn-server common-name=server
Create the client certificate (you can create one per user, for instance)
/certificate add name=ovpn-user1 common-name=ovpn-user1
Now we sign all the certificates (the name= parameter of sign is the certificate's name after signing, so keep it consistent with the names used below)
/certificate
sign CA ca-crl-host=[YOUR ROUTER IP] name=CA
sign ovpn-server ca=CA name=ovpn-server
sign ovpn-user1 ca=CA name=ovpn-user1
And we set the CA and server certificates to trusted, then enable the OpenVPN server with the server certificate
/certificate
set CA trusted=yes
set ovpn-server trusted=yes
/interface ovpn-server server set enabled=yes certificate=ovpn-server
Now export them, adding your passphrase; without one, the private key won't be exported
/certificate export-certificate CA
/certificate export-certificate ovpn-user1 export-passphrase=xxxxxxxx
Let's see what we got
[level5@Satan] /ppp active> /certificate print
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME         COMMON-NAME   SUBJECT-ALT-NAME   FINGERPRINT
 0 KL  A T  ovpn-ca      CA                               c3fa7e5482f19ae1398f783ab6...
 1 K   I T  ovpn-server  ovpn-server                      894f47752c54dfba20880dde34...
 2 K   I    ovpn-user1   ovpn-user1                       53e544b436fd4485f84a83171f...
First, we check our IP pools; the one we use in this case is dhcp
[level5@Satan] /ip> pool print
 # NAME          RANGES
 0 dhcp          192.168.88.200-192.168.88.250
 1 ;;; pool management
   p_management  192.168.87.2-192.168.87.254
 2 p_servers     192.168.90.2-192.168.90.254
 3 p_empty       192.168.89.2-192.168.89.254
 4 p_guest       192.168.100.2-192.168.100.254
Create the profile
/ppp
profile add name="ovpn" local-address=192.168.88.1 remote-address=dhcp bridge-learning=default use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=default use-upnp=default
Set ARP to proxy-arp on the bridge interface (because we use a bridge; if your users are on another interface, like a VLAN, do it on the VLAN)
/interface bridge set [YOUR BRIDGE NAME] arp=proxy-arp
Now create the user
/ppp secret
add name=ovpn-user1 password=123 profile=ovpn
Time to import into your OpenVPN client. For this you need the exported certificates, which are in the Files folder of your MikroTik; use the GUI to download them. Use this template to create your .ovpn file
client
dev tun
proto tcp-client
remote [YOUR VPN PUBLIC IP/HOST]
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
Save your username / password in a file named secret, like:
username
password
and upload it to your VPN client.
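As an added example (not from the article), a small Python helper that assembles a single-file .ovpn from the template above and the three exported files, inlining them as <ca>/<cert>/<key> blocks so only one file has to be copied to the client, and refusing a client.key that was exported without a passphrase. The PEM labels it tests for are an assumption about RouterOS's export format, and the sample PEM strings are constructed stand-ins.

```python
import re

# The article's template with the ca/cert/key file lines replaced by inline blocks.
TEMPLATE = """client
dev tun
proto tcp-client
remote {remote}
port {port}
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_labels(text):
    """Labels of the PEM blocks found in a file, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(key_pem):
    """Assumption: a passphrase-protected export is either a PKCS#8
    'ENCRYPTED PRIVATE KEY' block or a legacy PEM with a Proc-Type header."""
    return "ENCRYPTED PRIVATE KEY" in pem_labels(key_pem) or "Proc-Type: 4,ENCRYPTED" in key_pem

def build_ovpn(remote, ca_pem, cert_pem, key_pem, port=1194):
    """Render the client config with ca/cert/key inlined; refuse a plaintext key."""
    if "CERTIFICATE" not in pem_labels(ca_pem) or "CERTIFICATE" not in pem_labels(cert_pem):
        raise ValueError("ca.crt / client.crt do not contain a PEM certificate")
    if not key_is_encrypted(key_pem):
        raise ValueError("client.key has no passphrase; re-export with export-passphrase")
    body = TEMPLATE.format(remote=remote, port=port)
    for tag, pem in (("ca", ca_pem), ("cert", cert_pem), ("key", key_pem)):
        body += f"<{tag}>\n{pem.strip()}\n</{tag}>\n"
    return body

# Constructed stand-ins for the exported files (not real certificates or keys).
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_ovpn("vpn.example.invalid", SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY))
```

OpenVPN still prompts for the key passphrase when the inlined key is encrypted, which is the behaviour the export-passphrase step is there for.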
Open the port in the firewall (this accept rule must sit before any drop rule in the input chain)
/ip firewall filter add chain=input action=accept protocol=tcp in-interface=[interface exposed to www] dst-port=1194 log=yes
Done!