Goal:

- Create an OpenVPN server on MikroTik RouterOS

- Generate self-signed certificates for the OpenVPN server and clients on the MikroTik

- Connect a client PC and an Android device to the MikroTik OpenVPN server

 

/ip address

add address=xxx.xxx.x64.10 interface=ether5 network=xxx.xxx.x64.0

add address=10.100.100.1/24 interface=bridge1 network=10.100.100.0

 

/ip pool

add name=OpenVPN_Pool ranges=10.100.100.2-10.100.100.10

 

/ppp secret

add name=user1 password=secret1 profile=default-encryption service=ovpn

add name=user2 password=secret2 profile=default-encryption service=ovpn

 

/ppp profile

set *FFFFFFFE local-address=10.100.100.1 remote-address=OpenVPN_Pool

(*FFFFFFFE is the internal id of the built-in default-encryption profile, the same profile the secrets above and the OVPN server below use.)

  

Create & Sign CA

------------------------------------------------------------------------------------------------

/certificate add name=CA-tpl country="ID" state="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="openv-at.id" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign

/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"

 

Create & Sign Server Cert

------------------------------------------------------------------------------------------------

/certificate add name=server-tpl country="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="xxx.xxx.x64.10" key-size=4096 days-valid=700 key-usage=digital-signature,key-encipherment,tls-server

/certificate sign server-tpl ca="CA" name="SERVER"

 

Create Client Template Cert -> this template is used to create the user certificates.

------------------------------------------------------------------------------------------------

/certificate add name=client-tpl country="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="CLIENT" key-size=4096 days-valid=700 key-usage=tls-client

 

Create & Sign Client1 Cert -> to give another user access later, repeat these two commands with CLIENT1 replaced by that user's certificate name.

------------------------------------------------------------------------------------------------

/certificate add name=CLIENT1 copy-from="client-tpl" common-name="CLIENT1"

 

/certificate sign CLIENT1 ca="CA" name="CLIENT1"

 

 

Export to MikroTik Files

------------------------------------------------------------------------------------------------

/certificate export-certificate CA export-passphrase=""

/certificate export-certificate CLIENT1 export-passphrase=securepassphrase

(With an empty passphrase only the certificate is exported, which is all the clients need from the CA; with a passphrase the private key is exported as well, encrypted under that passphrase.)

 

- Download the exported certificate files from Files on the MikroTik.

 

- Enable the OVPN server

/interface ovpn-server server

set auth=sha1 certificate=SERVER cipher=aes256 default-profile=default-encryption enabled=yes require-client-certificate=yes

  

- For a PC (Windows 7), download the OpenVPN client (for this lab I used the OpenVPN community edition).

- Create the .ovpn profile; for a sample, see here. (Make sure the CA, cert, key and .ovpn profile are in the same directory.)

- Copy the CA, cert and key from the MikroTik, plus the .ovpn profile, to C:\Program Files\OpenVPN\config

- Open a command prompt and cd to C:\Program Files\OpenVPN\config

- Run this in the command prompt (replace CLIENT4 with the name of your client certificate):

"c:\Program Files\OpenVPN\bin\openssl.exe" rsa -in cert_export_CLIENT4.key -out cert_export_CLIENT4.key

This rewrites the exported key as a plain RSA PEM file; the export passphrase is removed, so the key is stored unencrypted on disk from this point on.

- If you are asked for a passphrase, enter the export passphrase you set on the MikroTik terminal earlier.

- Then open the OpenVPN GUI (Windows system tray) and connect.

(Screenshot: OpenVPN client on Windows 7)

 

- For Android, download the OpenVPN client from the Play Store.

- Create the .ovpn profile (there is actually no difference from the PC profile, except for the secret key).

- Copy the CA, cert and key from the MikroTik, plus the .ovpn profile, to the SD card.

- Choose Import > Import Profile from SD Card.

- The application reads the profile from the SD card automatically; then connect.

(Screenshot: OpenVPN client on Android)

 

 

Note: the CA, cert and key can be merged into a unified (XML-like inline) form by pasting the content of each file into the single .ovpn profile; for reference, see here.
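A client profile matching the server configured above, added here as an example; it is not the sample profile the post links to and not MikroTik's own code. It assumes the RouterOS default port 1194 over TCP, the file names RouterOS gives to exports (cert_export_<name>.crt / .key, as in the openssl step above), and placeholder PEM blocks that must be replaced with the contents of the exported files. The commented file references cover the file-based profile used in the Windows and Android steps; the inline blocks are the unified form described in the note.

```conf
# Client profile for the MikroTik OVPN server above (added example,
# not from the original post). Assumptions: server on the RouterOS
# default port 1194 over TCP; PEM blocks below are placeholders.
client
# Server is in the default mode (ip), so a layer-3 tun device
dev tun
# The RouterOS 6 OVPN server speaks TCP only
proto tcp-client
# Server address from the /ip address section
remote xxx.xxx.x64.10 1194
nobind
persist-key
persist-tun

# Must match the server: cipher=aes256, auth=sha1
cipher AES-256-CBC
auth SHA1

# Users are authenticated against /ppp secret, so send a username/password
auth-user-pass

# Only accept a peer whose certificate carries the tls-server key usage;
# a client certificate (tls-client only) cannot then pose as the server
remote-cert-tls server

# Option A: reference the exported files (all in the same folder)
# ca   cert_export_CA.crt
# cert cert_export_CLIENT1.crt
# key  cert_export_CLIENT1.key

# Option B (unified form): paste each file's content inline
<ca>
-----BEGIN CERTIFICATE-----
...placeholder: contents of cert_export_CA.crt...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...placeholder: contents of cert_export_CLIENT1.crt...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...placeholder: contents of cert_export_CLIENT1.key after the openssl rsa step...
-----END RSA PRIVATE KEY-----
</key>

verb 3
```

Keep either the three file references or the three inline blocks, not both. The remote-cert-tls line is the check worth keeping: it ties the connection to the SERVER certificate signed with key-usage tls-server above, so a copy of any CLIENT certificate is not enough to stand up a look-alike server.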