MikroTik OpenVPN Setup with Windows

Client
April 2, 2018 Abu Sayeed MikroTik Router, VPN Configuration
VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a
public network. So, a private network user can send and receive data to any remote private
network through VPN tunnel as if his/her network device was directly connected to that private
network.
MikroTik OpenVPN Server provides a secure and encrypted tunnel across public network for
transporting IP traffic using PPP. OpenVPN uses SSL Certificates. So, OpenVPN Tunnel is a
trusted tunnel to send and receive data across public network. MikroTik OpenVPN Server can be
applied in two methods.
 Connecting remote workstation/client: In this method, OpenVPN client software installed
any operating system such as Windows can communicate with MikroTik OpenVPN server
through OpenVPN tunnel whenever required and can access remote private network as if it
was directly connected to the remote private network.
 Site to Site OpenVPN: This method is also known as VPN between routers. In this method,
an OpenVPN client supported router always establishes an OpenVPN tunnel with MikroTik
OpenVPN Server. So, private networks of these routers can communicate with each other as
if they were directly connected to the same router.
The goal of this article is to connect a remote client using OpenVPN Tunnel across public
network. So, in this article I will only show how to configure MikroTik OpenVPN Server for
connecting a remote workstation/client (Windows Client).
Network Diagram
To configure a MikroTik OpenVPN Tunnel for connecting a remote workstation/client, I am
following a network diagram like below image.

OpenVPN Remote Office Network

In this network, MikroTik Router (RouterOS v6.38.1) is connected to internet through ether1
interface having IP address 192.168.30.2/30. In your real network, this IP address should be
replaced with public IP address. MikroTik Router’s ether2 interface is connected to local
network having IP network 10.10.11.0/24. We will configure OpenVPN server in this router and
after OpenVPN configuration the router will create a virtual interface (OpenVPN Tunnel) across
public network whose IP address will be 10.10.11.1. On the other hand, a remote laptop
(workstation/client) is connected to internet and wants to connect to our OpenVPN server for
accessing local network resources. We will configure OpenVPN client in this laptop and after
establishing an OpenVPN Tunnel across public network, this laptop will get a MikroTik Router’s
local IP 10.10.11.10 and will be able to access MikroTik Router’s private network.

MikroTik OpenVPN Server Configuration

We will now start OpenVPN Server configuration. Complete OpenVPN configuration can be
divided into two parts.
 Part 1: OpenVPN Server Configuration in MikroTik Router
 Part 2: OpenVPN Client Configuration in Windows OS

Part 1: OpenVPN Server Configuration in MikroTik Router

According to our network diagram, MikroTik Router is our OpenVPN Server. So, we will setup
and configure OpenVPN Server in MikroTik Router. Complete MikroTik RouterOS
configuration for OpenVPN Server can be divided into five steps.
 Step 1: MikroTik Router basic configuration
 Step 2: Creating SSL certificate for OpenVPN server and client
 Step 3: OpenVPN Server configuration
 Step 4: PPP Secret creation for OpenVPN client
 Step 5: Enabling Proxy ARP on LAN interface
Step 1: MikroTik Router basic configuration
In MikroTik Router basic configuration, we will assign WAN, LAN and DNS IP and perform
NAT and Route configuration. The following steps will show how to do these topics in your
RouterOS.
 Login to MikroTik RouterOS using winbox and go to IP > Addresses. In Address List
window, click on PLUS SIGN (+). In New Address window, put WAN IP address
(192.168.30.2/30) in Address input field and choose WAN interface (ether1) from Interface
dropdown menu and click on Apply and OK button. Click on PLUS SIGN again and put
LAN IP (10.10.11.1/24) in Address input field and choose LAN interface (ether2) from
Interface dropdown menu and click on Apply and OK button.
 Go to IP > DNS and put DNS servers IP (8.8.8.8 or 8.8.4.4) in Servers input field and click
on Apply and OK button.
 Go to IP > Firewall and click on NAT tab and then click on PLUS SIGN (+). Under General
tab, choose srcnat from Chain dropdown menu and click on Action tab and then
choose masquerade from Action dropdown menu. Click on Apply and OK button.
 Go to IP > Routes and click on PLUS SIGN (+). In New Route window, click on Gateway
input field and put WAN Gateway address (192.168.30.1) in Gateway input field and click
on Apply and OK button.
Basic RouterOS configuration has been completed. Now we will Create SSL certificate for
OpenVPN server and client.
Step 2: Creating SSL certificate for OpenVPN Server and Client
OpenVPN server and client configuration requires SSL certificate because OpenVPN uses SSL
certificate for secure communication. MikroTik RouterOS version 6 gives ability to create, store
and manage certificates in certificate store. So, we will create required OpenVPN certificate from
our RouterOS. OpenVPN server and client configuration requires three types of certificates:
1. CA (Certification Authority) certificate
2. Server certificate and
3. Client certificate
Creating CA certificate
The following steps will show how to create CA certificate in MikroTik RouterOS.
 Go to System > Certificates menu item from winbox and click on Certificates tab and then
click on PLUS SIGN (+). New Certificate window will appear.
 Put your CA certificate name (for example: ca) in Name input field. Also put a certificate
common name (for example: ca) in Common Name input field.
 You will find some optional fields in General tab. You can fill if you wish. All fields are self-
defined.
 Click on Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign
 Click on Apply button and then click on Sign button. Sign window will appear now.
 Your newly created certificate template will appear in certificate dropdown menu. Select
your newly created certificate template if it is not selected.
 Put MikroTik Router’s WAN IP address (192.168.30.2) in CA CRL Host input field.
 Click on Sign button. Your Sign certificate will be created within few seconds.
 Click on OK button to close New Certificate window.
 If newly created CA certificate does not show T flag or Trusted property shows no value,
double click on your CA certificate and click on Trusted checkbox located at the bottom of
General tab and then click on Apply and OK button.
CA certificate has been created successfully. Now we will create server certificate.
Creating Server Certificate
The following steps will show how to create server certificate in MikroTik RouterOS.
 Click on PLUS SIGN (+) again. New Certificate window will appear.
 Put your server certificate name (for example: server) in Name input field. Also put a
certificate common name (for example: server) in Common Name input field.
 If you have put any optional field for CA certificate, put them here also.
 Click on Key Usage tab and uncheck all checkboxes except digital signature, key
encipherment and tls server
 Click on Apply button and then click on Sign button. Sign window will appear now.
 Your newly server created certificate template will appear in certificate dropdown menu.
Select your newly created certificate template if it is not selected.
 Also select CA certificate from CA dropdown menu.
 Click on Sign button. Your Sign certificate will be created within few seconds.
 Click on OK button to close New Certificate window.
 If newly created server certificate does not show T flag or Trusted property shows no value,
double click on your server certificate and click on Trusted checkbox located at the bottom
of General tab and then click on Apply and OK button.
Server certificate has been created successfully. Now we will create client certificate.
Creating Client Certificate
The following steps will show how to create client certificate in MikroTik RouterOS.
 Click on PLUS SIGN (+) again. New Certificate window will appear.
 Put your client certificate name (for example: client) in Name input field. Also put a
certificate common name (for example: client) in Common Name input field.
 If you have put any optional field for CA certificate, put them here also.
 Click on Key Usage tab and uncheck all checkboxes except tls client
 Click on Apply button and then click on Sign button. Sign window will appear now.
 Your newly created client certificate template will appear in certificate dropdown menu.
Select your newly created certificate template if it is not selected.
 Also select CA certificate from CA dropdown menu.
 Click on Sign button. Your Sign certificate will be created within few seconds.
 Click on OK button to close New Certificate window.
  Client certificate does not require T flag.
Client certificate has been created successfully. Now we will export CA and Client certificates so
that OpenVPN client can use this certificate.
Exporting CA and Client Certificates
OpenVPN server will use server certificate from MikroTik RouterOS certificate store. But client
certificate has to supply to the OpenVPN client. So, we need to export client certificate as well as
CA certificate from RouterOS certificate store. The following steps will show how to export CA
certificate and client certificate from MikroTik certificate store.
 Click twice on your CA certificate and then click on Export button from right button panel.
Export window will appear.
 Choose your CA certificate from Certificate dropdown menu.
 Click on Export button now. Your CA certificate will be exported and Export window will be
closed. Your exported CA certificate will be stored in File List.
 Again, click on Export button from right button panel and choose your client certificate
from Certificate dropdown menu.
 Put a password in Export Passphrase input field. The password must be at least 8
characters and this password has to provide when OpenVPN client will be connected.
 Click on Export button now. Your client certificate and key file will be exported in File List.
 Now click on Files menu from winbox left menu panel. You will find two certificate file (.crt)
and one key (.key) are exported here.
 Drag and Drop these three files in a folder on your Desktop. We will use these files when
OpenVPN client will be configured.
Creating SSL certificate for OpenVPN server and client has been completed. Now we will
configure our OpenVPN Server in MikroTik Router.
Step 3: OpenVPN Server Configuration in MikroTik Router
After creating SSL certificate, we are now eligible to enable OpenVPN Server in MikroTik
Router. The following steps will show how to enable OpenVPN Server in your MikroTik Router
with proper configuration.
 Click on PPP menu item from winbox and then click on Interface tab.
 Click on OVPN Server button. OVPN Server window will appear.
 Click on Enabled checkbox.
 From Certificate dropdown menu, choose server certificate that we created before. Also
click on Require Client Certificate checkbox.
 From Auth. Panel, uncheck all checkboxes except sha1.
 From Cipher panel, uncheck all checkboxes except aes 256.
 Now click on Apply and OK button.
OpenVPN Server is now running in MikroTik Router. Now we will create OpenVPN user who
will be connected to this server.
Step 4: PPP Secret creation for OpenVPN client
After OpenVPN Server setup, we need to create OpenVPN user who will be connected to
OpenVPN Server. OpenVPN Server uses PPP user for authentication. So, we will now create PPP
secret (username and password) for OpenVPN client. The following steps will show how to
create PPP secret in MikroTik Router.
 Click on PPP menu item from winbox and then click on Secrets tab.
 Click on PLUS SIGN (+). New PPP Secret window will appear.
 Put username (For example: sayeed) in Name input and password in Password input field.
This username and password will be required at the time of OpenVPN client configuration.
 Choose ovpn from Service dropdown menu.
  Put the gateway IP (10.10.11.1) in Local Address input field and put a LAN IP (10.10.11.10)
that will be assigned in client workstation when this user will be connected, in Remote
Address input field.
 Click on Apply and OK button.
PPP user who will be connected from remote client machine has been created. At this point, if
the user gets connected from the remote client machine and try to ping any workstation from
the remote machine, the ping will time out because the remote client is unable to get ARPs from
workstations. The solution is to set up proxy-arp on the LAN interface.
Step 4: Enabling Proxy ARP on LAN Interface
The following steps will show how to enable proxy-arp on the LAN interface.
 Click on Interfacesmenu item from winbox and then click on interface tab.
 Click twice on your LAN interface (ether2). Interface property window will appear.
 Under General tab, choose proxy-arp from ARP dropdown menu.
 Click Apply and OK button.
After enabling proxy-arp, the remote client can successfully reach all workstations in the local
network behind the router.
MikroTik OpenVPN Server is now completely ready to accept OpenVPN client. So, we will now
configure OpenVPN client in Windows Operating System.

Part 2: OpenVPN Client configuration in Windows OS

OpenVPN.net provides OpenVPN client software for all the operating systems. You can visit
to download page and download your OpenVPN client that is matched with your system
requirement. I am using Windows 7, 64-bit operating system. So, I have downloaded Installer
(64-bit), Windows Vista and later package. At the time of this article, the OpenVPN client version
was 2.3.18.
After downloading, install OpenVPN client in your operating system following the instruction.
Installation process is as simple as installing other software in Windows operating system.
After OpenVPN client installation, go to configuration file location (by default: C:\Program Files\
OpenVPN\config or C:\Program Files (x86)\OpenVPN\config depending on your operating system)
and follow my below steps to configure OpenVPN client.
 Create a file having (.ovpn) extension (for example: client.ovpn) and copy and paste below
property and its value in this file and then save your file.
#Template client.ovpnclient
dev tun
proto tcp-client
remote 192.168.30.2
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca ca.crt
 cert client.crt
key client.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
Here, change remote IP Address according to your MikroTik WAN IP.
 Now copy and paste your exported CA and Client certificate files that you saved in your
Desktop by dragging and dropping from MikroTik File List, in this location and rename CA
file as ca.crt, client certificate file as client.crt and key file as client.key because we have
used these names in our configuration file.
 Create another file named secret (because we have put auth-user-pass file is secret) without
any extension and put OpenVPN PPP username at first line and password in second line
and then save this file.
 Now run OpenVPN client software. You will find a new icon in your Taskbar or System tray
like below image.

 Click mouse right button on this icon and then click Connect option. OpenVPN Connection
window will appear and it will ask to put your client certificate password that you have
entered at the time of client certificate exportation.
If you put correct password and if everything is OK, your OpenVPN client will be connected and
an OpenVPN tunnel will be created between OpenVPN client and server.To check your
configuration, do a ping request to any remote network workstation or server. If everything is
OK, your ping request will be success.