This isn't exactly on-topic, but I'm hoping someone can explain how OpenVPN is SUPPOSED to work -- maybe Mikrotik has a different approach.
I've had OpenVPN running on a Linux box for a couple of years, no issues. I used the easy-rsa to create the self-signed certificates and all works between the Linux server (Fedora 14) and a Mac running Viscosity (10.6.x).
I now have a Mikrotik RB1100 router which claims to support OpenVPN. However, there appears to be a difference between the way Linux OpenVPN and Mikrotik want to handle certs.
What works on Unix:
build-ca -- create the CA
build-key-server servername -- create the OpenVPN certs for the server
build-key clientname -- create the client certs for OpenVPN
-- All works. I then try to do a certificate import into Mikrotik --
ca.crt - imports
openvpn server.crt -- imports
openvpn.server.key -- imports
However, the router complains the certificate isn't correct.
What works on the Mikrotik
Directly using OpenSSL, create self-signed certs. I can then create the cert, but I don't have the CA cert so I don't know what to put into the client?
Has anyone successfully done OpenVPN with Mikrotik routers? The wiki for Mikrotik doesn't provide a method to generate valid certs.
OpenVPN to Mikrotik 4.15 router
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Dec 17, 2010 9:11 pm
- gladiatr72
- Forum Team
- Posts: 194
- Joined: Mon Dec 13, 2010 3:51 pm
- Location: Lawrence, KS
Re: OpenVPN to Mikrotik 4.15 router
Hey there,
Out of curiosity, have you looked into using the easy-rsa (2.0) scripts? I don't know if this is what is hanging you up, but its pkitool knows how to properly create server and client scripts--the difference being the following stanza:
    X509v3 Extended Key Usage:
        TLS Web Client Authentication
vs
    Netscape Cert Type:
        SSL Server
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
It also avoids the whole business of self-signed certs.
Other than that, I've got nothin'
Best of luck!
Regards,
Stephen
[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole
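The server/client stanza difference described in the reply above can be reproduced with plain openssl; the following is an added example, not code from either poster or from easy-rsa. It builds a throwaway CA (so there is a ca.crt to hand to the client), issues one server and one client certificate with the corresponding Extended Key Usage, and checks each with openssl's purpose verification. The names demo-ca, demo-server and demo-client, the 30-day lifetime and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway PKI with constructed names (demo-ca, demo-server, demo-client).
set -e
PKI_DIR=$(mktemp -d)
# One config file: a minimal [req] section plus the extension sets that
# distinguish a CA, a server certificate and a client certificate.
cat > "$PKI_DIR/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
# make_ca: self-signed root; ca.crt is the file both peers must trust.
make_ca() {
    openssl req -x509 -config "$PKI_DIR/ext.cnf" -extensions ca -newkey rsa:2048 \
        -nodes -days 30 -subj "/CN=demo-ca" \
        -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}
# issue_cert NAME ROLE: key + CSR for NAME, signed by the CA with the ROLE extensions.
issue_cert() {
    openssl req -new -config "$PKI_DIR/ext.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
    openssl x509 -req -in "$PKI_DIR/$1.csr" -days 30 \
        -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
        -extfile "$PKI_DIR/ext.cnf" -extensions "$2" \
        -out "$PKI_DIR/$1.crt" 2>/dev/null
}
# cert_eku NAME: print the Extended Key Usage value of NAME.crt.
cert_eku() {
    openssl x509 -in "$PKI_DIR/$1.crt" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}
# cert_ok_for NAME PURPOSE: chain to the CA and check PURPOSE (sslserver or sslclient).
cert_ok_for() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" -purpose "$2" "$PKI_DIR/$1.crt" >/dev/null 2>&1
}
make_ca
issue_cert demo-server server
issue_cert demo-client client
echo "server EKU: $(cert_eku demo-server) / client EKU: $(cert_eku demo-client)"
```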