MikroTik OpenVPN
Certificate Creation
# Create CA
# Self-signed root used only for this VPN; key-usage is limited to signing
# certificates and CRLs, so the CA key cannot itself act as a TLS endpoint.
# NOTE(review): every certificate below is issued with days-valid=3650 (10 years)
# and key-size=2048 - consider shorter lifetimes for the server and client
# certificates so a lost key ages out even if it is never revoked.
/certificate
add name=ca-cert common-name=CA days-valid=3650 key-size=2048 key-usage=key-cert-sign,crl-sign
sign ca-cert ca=ca-cert
# Create server certificate
# common-name is the hostname clients use in their "remote" line; the tls-server
# usage is what lets a client tell a server certificate from a client one.
add name=server-cert common-name=vpn.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign server-cert ca=ca-cert
# Create client certificate
# Restricted to tls-client. Issue a separate certificate per client/device so one
# lost device can be revoked without re-issuing the others.
add name=client1-cert common-name=client1 days-valid=3650 key-size=2048 key-usage=tls-client
sign client1-cert ca=ca-cert
Export certificates:
# CA export: no export-passphrase is given, so only the public CA certificate is
# written; the CA private key stays on the router and should never be exported
# for client use.
/certificate export-certificate ca-cert type=pem
# Client export: the PKCS#12 bundle contains the client's private key, protected
# only by export-passphrase. Replace "yourpassword" with a strong, unique value,
# move the file over a secure channel and delete it from router storage afterwards.
# NOTE(review): the client.ovpn on this page embeds PEM <cert>/<key> blocks, so the
# .p12 has to be unpacked to PEM on the client side (or the profile pointed at the
# bundle instead) - confirm which form your client expects.
/certificate export-certificate client1-cert type=pkcs12 export-passphrase=yourpassword
PPP Profile and Secret
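# Profile: tunnel addresses and the encryption requirement applied to sessions
# that use it.
# NOTE(review): remote-address is a single IP (10.8.0.2), so this profile fits one
# client; more clients would presumably need an address pool - confirm.
/ppp profile
add name=ovpn-profile local-address=10.8.0.1 remote-address=10.8.0.2 use-encryption=yes
# Secret: the username/password the OpenVPN client presents in addition to its
# certificate. service=ovpn limits these credentials to the OpenVPN server; without
# it the secret is valid for any PPP service enabled on the router.
# Replace "clientpassword" with a long random value that is unique to this client.
/ppp secret
add name=client1 password=clientpassword service=ovpn profile=ovpn-profile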
OpenVPN Server
# Enables the OpenVPN listener on TCP/1194 in routed (ip) mode, presenting
# server-cert to clients.
# require-client-certificate=yes makes the client certificate a second factor
# alongside the PPP secret; leave it enabled.
# NOTE(review): auth=sha1 and cipher=aes128-cbc are legacy choices. Where the
# installed RouterOS version offers them, prefer a SHA-2 digest and an AES-GCM
# cipher, and change the auth/cipher lines in client.ovpn to match - the tunnel
# will not come up if the two sides disagree.
/interface ovpn-server server
set enabled=yes port=1194 mode=ip protocol=tcp \
certificate=server-cert require-client-certificate=yes \
auth=sha1 cipher=aes128-cbc
Firewall
# Accepts TCP/1194 to the router itself (chain=input) from any source address.
# "add" without place-before appends the rule to the end of the chain, so check
# that it ends up above any final drop rule or it will never match.
# If client source networks are known, narrow the rule with src-address or
# src-address-list instead of exposing the port to the whole internet.
/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN"
client.ovpn
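# OpenVPN client profile for the RouterOS server configured on this page.
client
dev tun
proto tcp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# The RouterOS server checks the PPP secret as well as the certificate, so the
# client must prompt for (or be given) the username and password.
auth-user-pass
# Accept the peer only if its certificate is marked for TLS server use; without
# this, any certificate signed by the same CA (including another client's) would
# be accepted as the VPN server.
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
[ca-cert contents here]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[client cert contents here]
-----END CERTIFICATE-----
</cert>
# The block below holds this client's private key: keep the file readable only by
# the user running the VPN and never reuse it on a second device.
<key>
-----BEGIN PRIVATE KEY-----
[client key contents here]
-----END PRIVATE KEY-----
</key>
# Must match the server's auth=sha1 cipher=aes128-cbc. Both are legacy settings;
# if the server is moved to stronger values, update these two lines with it.
# NOTE(review): recent OpenVPN releases may need data-ciphers / data-ciphers-fallback
# to use a CBC cipher - confirm against your client version.
auth SHA1
cipher AES-128-CBC
verb 3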