In this post, you will find the basic commands to set up OpenVPN on a Mikrotik router.
OVPN – setup
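# OpenVPN server setup on RouterOS: a private CA, one server and one client
# certificate, an address pool, a PPP profile, and the OVPN server itself.

# --- Certificate authority ---
# Self-signed CA used only to issue the VPN certificates below; its key usage
# is limited to signing certificates and CRLs.
# "/certificate" is placed on its own line, as in the two blocks that follow,
# so that the "sign" line runs inside the /certificate menu.
/certificate
add name=ovpn_ca common-name="ovpn_ca" days-valid=3650 key-usage=crl-sign,key-cert-sign
# Signing without ca= produces a self-signed certificate. The original line
# ended in a bare "ca", which looks like a truncated parameter and is dropped.
sign ovpn_ca
# Pause before the next step; presumably gives the router time to finish signing.
:delay 5

# --- Server certificate ---
# Issued by ovpn_ca. tls-server is the usage the client checks for with
# "remote-cert-tls server".
/certificate
add name=ovpn_server common-name="ovpn_server" days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign ovpn_server ca=ovpn_ca
:delay 5

# --- Client certificate ---
# NOTE(review): only one client certificate is created. If several people or
# devices connect, issue one certificate per client so that a lost device can
# be revoked on its own. 3650 days is also a long lifetime for a client
# credential; consider a shorter days-valid.
/certificate
add name=ovpn_client common-name="ovpn_client" days-valid=3650 key-usage=tls-client
sign ovpn_client ca=ovpn_ca
:delay 5

# --- Addressing ---
# Addresses handed to VPN clients.
/ip/pool
add name=vpn-pool ranges=192.168.252.128-192.168.252.224
# PPP profile used by the OVPN server: the router end of the tunnel is
# 192.168.252.1, which is also given to clients as their DNS server.
/ppp profile
add dns-server=192.168.252.1 local-address=192.168.252.1 name=vpn-profile \
remote-address=vpn-pool use-encryption=yes

# --- OVPN server ---
# require-client-certificate=yes makes the server reject clients that do not
# present a certificate issued by the CA above.
# cipher/auth must match "cipher AES-256-CBC" and "auth SHA256" in the client
# profile.
# NOTE(review): newer RouterOS 7 releases appear to name this cipher value
# aes256-cbc (and also offer aes256-gcm); check which values your version accepts.
# NOTE(review): the client profile uses auth-user-pass, but no PPP user is
# created in this listing. Add one per user, for example:
#   /ppp secret add name=VPN_USER password=STRONG_UNIQUE_PASSWORD service=ovpn profile=vpn-profile
# NOTE(review): no firewall rule is shown; port 1194 has to be reachable in the
# input chain, ideally only from the source addresses that need it.
/interface/ovpn-server/server
set certificate="ovpn_server" cipher=aes256 auth=sha256 \
default-profile=vpn-profile mode=ip netmask=24 port="1194" \
enabled=yes require-client-certificate=yes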
OVPN – config example
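# OpenVPN client profile for the RouterOS server configured above.
client
dev tun
# Must match the protocol the server listens on.
proto tcp-client
# Replace SERVER_ADDRESS with the router's public IP address or DNS name.
# (The original line put the hint after ';', which OpenVPN reads as a comment,
# leaving "remote" without an address.)
remote SERVER_ADDRESS
server-poll-timeout 3
port 1194
nobind
persist-key
persist-tun
tls-client
# Accept the peer only if its certificate is marked for TLS server use. This
# stops another certificate from the same CA (e.g. a client certificate) from
# posing as the server. Do not remove.
remote-cert-tls server
# Paste the PEM text of the CA certificate (ovpn_ca) between the tags.
<ca>
</ca>
# Paste the PEM text of the client certificate (ovpn_client) between the tags.
<cert>
</cert>
# Paste the PEM text of the client private key between the tags. With the key
# inline, this whole file is a credential: restrict who can read it.
<key>
</key>
# Verbose logging, useful during setup; lower it (e.g. verb 3) once the tunnel works.
verb 4
mute 10
# Must match cipher=aes256 and auth=sha256 on the server.
# NOTE(review): prefer an AEAD cipher such as AES-256-GCM if the RouterOS
# version in use offers it; change both ends together.
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA256
# Ask for the PPP username and password at connect time and do not keep them
# cached in memory afterwards.
auth-user-pass
auth-nocache
# Disables this client's time-based renegotiation of the data-channel keys.
# NOTE(review): with auth-nocache a renegotiation would ask for the password
# again, which is presumably why it is switched off. The trade-off is that a
# long session keeps the same keys unless the server starts a renegotiation.
reneg-sec 0
# Send all of the client's traffic through the tunnel, not only traffic for the
# VPN subnet.
redirect-gateway def1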
RSA – certificate decrypt for Windows
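Locate openssl.exe; its default location is C:\Program Files\openvpn\bin. The command below removes the passphrase from the exported client key, so treat the resulting file as an unprotected private key: keep it readable only by your own account and delete stray copies once the key has been pasted into the client profile. If you leave the key encrypted instead, OpenVPN asks for the passphrase when connecting.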
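rem Remove the export passphrase from the client key. With no -passin option,
rem openssl asks for the passphrase interactively, so it does not appear on the
rem command line or in the command history. The decrypted key goes to a
rem separate file, leaving the encrypted original untouched.
openssl.exe rsa -in client_cert.key -out client_cert.decrypted.key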