Hello,
While I love the MikroTik routers for the versatility in routing configurations, and squeezing a lot of performance and functionality out of the limited hardware, I am not a fan of their OpenVPN implementation. These are problems/limitations that I've encountered getting it to work:
- No support for UDP transport - this is very bad. Look up the term "TCP Meltdown" if you want to know why.
- No support for compression - this is complicated. We advise not to use compression. But for historical reasons you need to have SUPPORT for it.
- No support for autologin profiles - we can work around this though with user-locked profile.
- No support for host names - can only connect by IP. Can't help you if you have a dynamic IP.
- No support for .ovpn files - have to copy/paste your own set of certificates and upload them and import them.
- No support for custom config - got some special setting for OpenVPN you need on the client side? Too bad.

I can tell you that it is possible to get MikroTik connected to OpenVPN Access Server by adjusting a number of things and using obscure settings. But it will lower your security considerably and I cannot in good conscience recommend doing this. It would be much better to leave the default settings and connect a 'real' OpenVPN client to it. But, in case you wanted to do this after reading this disclaimer, then take the steps below - and reader beware that if you do this on a production Access Server, you will break things and weaken your security a lot. Also you MUST have as recent a version of Access Server as possible for this or it won't work - so be sure to upgrade!
Go to Access Server Admin UI, go to Configuration, go to Advanced VPN, and make sure that TLS auth is turned off and that compression is turned off. Go to User Permissions and create a user and set a password for it. If you're using an external authentication system like RADIUS/LDAP or such, then take care of creating an account there. Do not make this an autologin profile.
Then go to the Access Server Client UI, log in as that user, and download a user-locked profile for this user account. Open the client.ovpn in a text editor. Take the piece between <ca> and </ca> and save it as ca.crt. Do not include the <ca> and </ca> lines themselves in this file, just what's in between them. Then take the piece between <cert> and </cert> and save that as cert.crt. And then take the piece between <key> and </key> and save that as key.pem. Note that the file extensions are important or it won't work.
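As an added example (not part of the original post), a small Python script that does the <ca>/<cert>/<key> splitting described above, hands back the pieces under the file names the router expects, and refuses a profile that still carries TLS auth/crypt directives, which the MikroTik client has no support for. The sample profile is constructed and the helper names are my own.

```python
import re

# File name per inline block; the extension matters for the MikroTik import.
INLINE_FILES = {"ca": "ca.crt", "cert": "cert.crt", "key": "key.pem"}

# Directives the MikroTik OVPN client cannot handle; the profile has to be
# downloaded with TLS auth turned off in Access Server.
UNSUPPORTED = ("tls-auth", "tls-crypt", "tls-crypt-v2", "key-direction")

def extract_inline(profile_text):
    """Return {tag: body} for every <tag>...</tag> inline block, tag lines excluded."""
    blocks = {}
    for m in re.finditer(r"^<([\w-]+)>\n(.*?)\n</\1>", profile_text, re.S | re.M):
        blocks[m.group(1)] = m.group(2).strip() + "\n"
    return blocks

def find_unsupported(profile_text):
    """List directives (or inline blocks) the router would not accept."""
    found = []
    for line in profile_text.splitlines():
        parts = line.split()
        word = parts[0].strip("<>") if parts else ""   # "<tls-crypt>" -> "tls-crypt"
        if word in UNSUPPORTED:
            found.append(word)
    return found

def split_profile(profile_text):
    """Map ca.crt/cert.crt/key.pem to their PEM contents, or raise if something is off."""
    bad = find_unsupported(profile_text)
    if bad:
        raise ValueError(f"profile uses unsupported directive(s): {bad}")
    blocks = extract_inline(profile_text)
    missing = [tag for tag in INLINE_FILES if tag not in blocks]
    if missing:
        raise ValueError(f"profile lacks inline block(s): {missing}")
    return {name: blocks[tag] for tag, name in INLINE_FILES.items()}

def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

# Constructed stand-in for a downloaded client.ovpn (bodies are placeholders).
SAMPLE_PROFILE = "client\ndev tun\n" + "".join(
    f"<{tag}>\n{_pem(label, 'CONSTRUCTED-' + tag.upper() + '-BODY')}\n</{tag}>\n"
    for tag, label in (("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"), ("key", "PRIVATE KEY"))
)

if __name__ == "__main__":
    for name, body in split_profile(SAMPLE_PROFILE).items():
        with open(name, "w") as fh:   # writes ca.crt, cert.crt, key.pem for upload
            fh.write(body)
```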
Now go to the Access Server command line interface (SSH access to server, and gain root privileges). Then run these commands (replace <USERNAME> with the actual username of the account you just created on the Admin UI):
cd /usr/local/openvpn_as/scripts/
./sacli --user <USERNAME> --key "prop_cc_cmds" --value 'compress stub-v2,push "compress stub-v2"' UserPropPut
service openvpnas restart
Go to the MikroTik web interface and go to Files. Upload all 3 files: ca.crt, cert.crt, key.pem. Now go to System > Certificates, and click the [import] button. Select the file ca.crt first. Repeat the process with cert.crt. And as the final file you import key.pem. You should now end up with 2 certificates listed. One will be the OpenVPN CA, which we will use for verifying the server's identity. It will be marked with just the letter T, meaning it is trusted. The other will be the client cert, which will have the username as common name in the cert; it will be marked with the letter T and the letter K, meaning it is trusted and we have the private key for it.
Again go to the MikroTik web interface and go to Interfaces. Click [add new] and select OVPN Client. In 'connect to' you must enter the IP address of your OpenVPN Access Server. As port, the default will be TCP 443, so just enter 443. Port 1194 on Access Server is UDP by default so it won't work. Mode should be left at 'IP' (Layer 3). Enter username and password. Profile you can leave as is, and certificate must be set to the cert.crt you uploaded in a previous step - the one that has the private key too. This will be our client certificate+key. Check the box to verify server certificate. Set auth to sha1. Set cipher to aes 256. The final two settings for using peer DNS or adding default route are up to your use-cases - if you just want split tunnel I would leave those off and just rely on whatever routes the Access Server pushes down.
Under IP > Routes you should see which routes are available and you should see new ones populated here when the connection is up and running.
You can now use Tools > Ping from the MikroTik interface to ping IP addresses that should be reachable through the OpenVPN tunnel, and it should now work. You should be able to see the ping packets travel through the Access Server by running tcpdump -eni any icmp on the Access Server itself while pinging through the VPN tunnel from the MikroTik router.
--
That's it. Again, I recommend against this as it kills TLS-auth, which is a pretty big part of the security of OpenVPN, and it only works over TCP, which is a problem for reliability. But if you really want to, this is how you can do it.
Kind regards,
Johan