{{tag>openvpn vpn mikrotik networking}}

====== Mikrotik OpenVPN setup ======

===== Create certificates =====

  mkdir mikrotik_certs
  cd mikrotik_certs
  openssl genrsa -des3 -out mikrotik_ca.key 4096

**Use a different Common Name (CN) for the CA certificate (mikrotik_ca.crt) here than for server.crt below:**

  openssl req -new -x509 -days 3650 -key mikrotik_ca.key -out mikrotik_ca.crt -config openssl.cnf

Generate server.key and server.crt, and sign the server certificate with mikrotik_ca.crt:

  openssl genrsa -des3 -out server.key 4096
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -days 3650 -in server.csr -CA mikrotik_ca.crt -CAkey mikrotik_ca.key -set_serial 01 -out server.crt

Then upload server.crt and server.key to Mikrotik.

===== In Mikrotik terminal execute =====

  /ip pool add name=openvpn-pool range=10.21.21.2-10.21.21.254
  /ppp profile add name=openvpn local-address=10.21.21.1 remote-address=openvpn-pool

Add desired users and passwords:

  /ppp secret add name=user1 password=pwd1234 profile=openvpn
  /ppp secret add name=user2 password=pwd5678 profile=openvpn
  ...

Import cert and key:

  /certificate import file-name=server.crt
  /certificate import file-name=server.key
  /interface ovpn-server server set enabled=yes certificate=server.crt_0
  /ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp

===== Import ovpn config file to client =====

For a Linux client config (see [[wiki:ovpn_file_example|ovpn file]]), copy the contents of mikrotik_ca.crt to the end of the file, inside the ''%%<ca>%%'' ... ''%%</ca>%%'' fields. Also change the "remote" and "route" lines to match the configuration created above.

Mikrotik does not support LZO compression or UDP connection.
:-(

====== See also ======

  * [[wiki:access_device_different_subnet_mikrotik|Access device on different subnet on Mikrotik]]
  * [[wiki:mikrotik_limit_traffic_burst|Mikrotik limit traffic with burst]]
  * [[wiki:mikrotik_website_blocking|Mikrotik website blocking]]

====== References ======

  * https://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Generate_certificates_on_RouterOS
  * https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN
  * https://www.micu.eu/ovpn-server/
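
====== Example: checking the certificates before upload ======

The "Create certificates" step can be checked before server.crt and server.key are uploaded to the router. The script below is an added example, not part of the original page: it confirms that the server certificate chains to the CA, that the two Common Names differ, that the certificate is not about to expire, and that the key belongs to the certificate. The function names, the ''KEY_PASS'' variable and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, KEY_PASS and the
# 30-day expiry threshold are this example's own choices.
# Usage: sh check_certs.sh mikrotik_ca.crt server.crt [server.key]
# For a passphrase-protected key, export KEY_PASS before running.

cert_cn() {
    # Print the subject Common Name of a PEM certificate.
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

check_ovpn_certs() {
    ca=$1; crt=$2; key=${3:-}; rc=0

    # 1. The server certificate must chain to the CA.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca" >&2; rc=1
    fi

    # 2. CA and server CN must differ (the warning in "Create certificates").
    ca_cn=$(cert_cn "$ca"); srv_cn=$(cert_cn "$crt")
    if [ -z "$srv_cn" ] || [ "$ca_cn" = "$srv_cn" ]; then
        echo "FAIL: CN clash or missing CN (CA='$ca_cn' server='$srv_cn')" >&2; rc=1
    fi

    # 3. The server certificate must stay valid for at least 30 more days.
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 30 days" >&2; rc=1
    fi

    # 4. Optional: the private key must belong to the certificate.
    if [ -n "$key" ]; then
        crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout \
            ${KEY_PASS:+-passin env:KEY_PASS} 2>/dev/null)
        if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match $crt" >&2; rc=1
        fi
    fi
    return "$rc"
}

# Run the check when file names are given on the command line.
if [ "$#" -ge 2 ]; then
    check_ovpn_certs "$@"
fi
```

The script exits with status 0 only when every check passes; each failed check prints a ''FAIL:'' line on stderr.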