
Goals:
- Create an OpenVPN server using MikroTik
- Generate self-signed certificates for the OpenVPN server and client in MikroTik
- Connect a client PC & Android device to the MikroTik OpenVPN server
/ip address
add address=xxx.xxx.x64.10 interface=ether5 network=xxx.xxx.x64.0
add address=10.100.100.1/24 interface=bridge1 network=10.100.100.0
/ip pool
add name=OpenVPN_Pool ranges=10.100.100.2-10.100.100.10
/ppp secret
add name=user1 password=secret1 profile=default-encryption service=ovpn
add name=user2 password=secret2 profile=default-encryption service=ovpn
/ppp profile
set *FFFFFFFE local-address=10.100.100.1 remote-address=OpenVPN_Pool
Create & Sign CA
------------------------------------------------------------------------------------------------
/certificate add name=CA-tpl country="ID" state="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="openv-at.id" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA-tpl ca-crl-host=127.0.0.1 name="CA"
Create & Sign Cert Server
------------------------------------------------------------------------------------------------
/certificate add name=server-tpl country="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="xxx.xxx.x64.10" key-size=4096 days-valid=700 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-tpl ca="CA" name="SERVER"
Create Client Template Cert -> This is the template used to create user certificates.
------------------------------------------------------------------------------------------------
/certificate add name=client-tpl country="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="CLIENT" key-size=4096 days-valid=700 key-usage=tls-client
Create & Sign Client1 Cert -> The next time you want to create access for another user, just change CLIENT1 to the appropriate client cert name.
------------------------------------------------------------------------------------------------
/certificate add name=CLIENT1 copy-from="client-tpl" common-name="CLIENT1"
/certificate sign CLIENT1 ca="CA" name="CLIENT1"
Export to Mikrotik File
------------------------------------------------------------------------------------------------
/certificate export-certificate CA export-passphrase=""
/certificate export-certificate CLIENT1 export-passphrase=securepassphrase
- Download the exported certificate files from the MikroTik Files menu.
- Enable OVPN Server
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 default-profile=\
default-encryption enabled=yes require-client-certificate=yes
- For PC (Windows 7), download the OpenVPN client (for this lab, I used the OpenVPN community edition).
- Create an .ovpn profile; for a sample, please see here. (Make sure the CA, cert, key & .ovpn profile are in the same directory.)
- Copy the CA, cert and key from the MikroTik and the .ovpn profile to C:\Program Files\OpenVPN\config
- Open a command prompt and 'cd' to C:\Program Files\OpenVPN\config
- Type this at the command prompt (it rewrites the exported key without its passphrase):
"c:\Program Files\OpenVPN\bin\openssl.exe" rsa -in cert_export_CLIENT4.key -out cert_export_CLIENT4.key --> replace CLIENT4 with the appropriate name.
- If you are asked for a passphrase, use the one you set in the MikroTik terminal when you exported the certificate earlier.
- Then open the OpenVPN GUI and connect! (Windows system tray)

- For Android, download the OpenVPN client from the Play Store.
- Create an .ovpn profile (there is actually no difference from the profile for PC, except the secret key).
- Copy the CA, cert and key from the MikroTik and the .ovpn profile to the SD card
- Choose the menu Import > Import Profile from SD Card
- The application automatically reads the profile from the SD card, then connect!

Note: the CA, cert and key can be converted to a unified form (similar to XML syntax) by pasting the content of each file into a single .ovpn profile; for reference you can see here.
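
The unified form mentioned in the note, as an added example that is not part of the original post: a Python script that inlines the CA, client certificate and key into one .ovpn profile matching the server's auth=sha1 and cipher=aes256 settings. Assumptions not taken from the page: port 1194, proto tcp, the remote-cert-tls server line, the host name vpn.example.net, and all helper names; the PEM bodies are constructed placeholders.

```python
import os
import re

# One PEM block; group 1 is its label, e.g. "CERTIFICATE".
PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY")

def sample_pem(label):
    """Constructed placeholder block, not real certificate or key material."""
    return "-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n" % (label, label)

def pem_block(text, labels):
    """Return the first PEM block carrying one of the labels, else raise."""
    for match in PEM.finditer(text):
        if match.group(1) in labels:
            return match.group(0)
    raise ValueError("no PEM block labelled " + " / ".join(labels))

def key_is_encrypted(key_text):
    """True while the exported key still needs its passphrase."""
    return "BEGIN ENCRYPTED" in key_text or "Proc-Type: 4,ENCRYPTED" in key_text

def build_profile(remote, ca_text, cert_text, key_text, port=1194, proto="tcp"):
    """Unified .ovpn text. port and proto are assumptions, not from the page."""
    lines = [
        "client",
        "dev tun",
        "proto %s" % proto,
        "remote %s %d" % (remote, port),
        "auth-user-pass",          # prompts for the /ppp secret name and password
        "cipher AES-256-CBC",      # pairs with cipher=aes256 on the server
        "auth SHA1",               # pairs with auth=sha1 on the server
        "remote-cert-tls server",  # assumption: added check of the server cert usage
    ]
    blocks = (("ca", pem_block(ca_text, ("CERTIFICATE",))),
              ("cert", pem_block(cert_text, ("CERTIFICATE",))),
              ("key", pem_block(key_text, KEY_LABELS)))
    for tag, body in blocks:
        lines += ["<%s>" % tag, body, "</%s>" % tag]
    return "\n".join(lines) + "\n"

def write_private(path, text):
    """Create the profile owner-readable only, since it embeds the private key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(text)

if __name__ == "__main__":
    cert, key = sample_pem("CERTIFICATE"), sample_pem("RSA PRIVATE KEY")
    print(build_profile("vpn.example.net", cert, cert, key))
```

On Windows the 0600 mode is not enforced, so restrict the resulting file with NTFS permissions instead.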