MikroTik CHR: Setup Secure VPN access between client and server using OpenVPN

In this article, we will show you how to set up secure VPN access to your server using OpenVPN. We have already set up the OpenVPN server on the MikroTik CHR in a separate article.

IMPORTANT: The router's date must fall within the validity period of the installed certificates. To prevent certificate verification failures, enable NTP synchronization on both the server and the client.

First we need VPN accounts for the server and client. Go to PPP > Secret, click on “+” and enter:
  User credentials of your choice
  Service: OVPN
  Profile: default-encryption
  Local IP Address: 192.168.34.100 (for the server), 192.168.34.102 (for the client)
  Remote IP Address: 192.168.34.101 (for the server), 192.168.34.103 (for the client)

Server VPN account
Client VPN account

Then go to System > Certificates. Make two client certificates (CLIENT2 and CLIENT3) by copying the client template (CLIENT-tpl) and sign them with the CA you made (LMTCA), as in the RouterOS commands below.
Double clicking the template
copying the template
Making the first Client certificate
Signing the certificate
Repeat the steps for the second client certificate

RouterOS Command:

[admin@MikroTik] >  /certificate add name=CLIENT2 copy-from="CLIENT-tpl" common-name="CLIENT2"
[admin@MikroTik] >  /certificate sign CLIENT2 ca="LMTCA" name="CLIENT2"
[admin@MikroTik] >  /certificate add name=CLIENT3 copy-from="CLIENT-tpl" common-name="CLIENT3"
[admin@MikroTik] >  /certificate sign CLIENT3 ca="LMTCA" name="CLIENT3"


Export both client certificates with a passphrase and the CA certificate without one. The passphrase encrypts the exported private keys while they are moved around; it is removed again on the VPS in step 7, which is why step 9 restricts the key file's permissions.
selecting export
Exporting the certificate with passphrase
Repeat the steps for the second client certificate

RouterOS Command:

[admin@MikroTik] >  /certificate export-certificate CLIENT2 export-passphrase=12345678
[admin@MikroTik] >  /certificate export-certificate CLIENT3 export-passphrase=12345678 
[admin@MikroTik] >  /certificate export-certificate LMTCA export-passphrase="" 


Go to Files and download all the exported certificates by dragging them to a folder.
Dragging the certificates and keys to a folder


Open your favorite text editor, paste the example .OVPN configuration below and create a configuration file and a secret file for both the server and the client.

Example .OVPN configuration file:

client
dev tun
proto tcp-client
remote <IP address of your MikroTik CHR>
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca LMTCA.crt #CA certificate file
cert CLIENT1.crt #CLIENT certificate file
key  CLIENT1.key #CLIENT certificate key
verb 4
mute 10
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-user-pass secret #File with user/password for VPN
auth-nocache
;redirect-gateway def1 #remove semicolon for full redirect


Example secret file:

BGOcloud VPN
P@ssworD!#


Put all the files for the server in a SERVER\mikrotik folder. In the end, the files should look like this:
OVPN files

Now we need to set up our Debian VPS.

All commands are executed as the root user; you can also prefix them with sudo.

  1. Update the system

    apt-get update
    apt-get upgrade

  2. Install the OpenVPN client

    wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
    echo "deb http://build.openvpn.net/debian/openvpn/release/2.5 buster main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
    apt-get update
    apt-get install openvpn

    You can change “release/2.5” to the OpenVPN version you need and “buster” to the codename of your Debian release. Note that apt-key is deprecated on Debian 11 and later.

  3. On your PC, open the Server folder in a terminal (e.g. Windows Terminal or PowerShell).

    Windows 10 (Shift + Right-click)
    Windows 10 opening PowerShell

    Windows 11 (Right-click)
    Windows 11 opening Windows Terminal
  4. Send all the files with SCP (replace server with the address of your VPS):

    scp -r *.* root@server:/etc/openvpn/client

    With the -r option, scp copies the whole directory structure within the current directory.
    If this is your first SSH connection to the server, scp shows the server's host key fingerprint and asks whether to add it to the known hosts list. Verify the fingerprint if you can, accept it and enter your VPS root password.

  5. On your server, go to /etc/openvpn/client/mikrotik

    cd /etc/openvpn/client/mikrotik

  6. Check /etc/openvpn/client/mikrotik contents. You should have the CA and Client certificates, the key for the client certificate, the .ovpn configuration file, and the secrets file.
  7. Remove the export passphrase from the key so OpenVPN can start unattended at boot. OpenSSL prompts for the passphrase used in the export step (12345678 in the example) and writes the unencrypted key back to the same file:

    openssl rsa -in CLIENT2.key -out CLIENT2.key

  8. Restart the OpenVPN service

    service openvpn restart

  9. Restrict the permissions of the decrypted key and the secrets file so that only root can read them.

    chmod 400 /etc/openvpn/client/mikrotik/CLIENT2.key
    chmod 400 /etc/openvpn/client/mikrotik/secret

  10. Test the connection with the OpenVPN server.

    openvpn --config MikrotikVPN.ovpn

    The connection may reset 1-2 times. However, if it shows “Connection reset, restarting” many times, or you get a “General transport failure” error, you need to recheck the secrets file and see if the credentials are right. If that doesn’t help, check your OpenVPN server configuration file.

    When it shows Initialization Sequence Completed, then you’ve successfully connected to your OpenVPN. Now we can configure it to connect automatically when the VPS is powered on.

  11. Copy the OpenVPN configuration file to the OpenVPN directory, /etc/openvpn.

    cp MikrotikVPN.ovpn /etc/openvpn

  12. Open the copied configuration file in a text editor.

    nano /etc/openvpn/MikrotikVPN.ovpn

  13. Prefix the paths for ca, cert, key and auth-user-pass with client/mikrotik/ (Debian's openvpn@ service runs with /etc/openvpn as its working directory, so relative paths resolve from there). Remove the semicolon in front of redirect-gateway so the VPS routes all of its traffic through the tunnel, which is how your server becomes accessible only from your OpenVPN server. The server uses the CLIENT2 certificate and the key decrypted in step 7:

    client
    dev tun
    proto tcp-client
    remote <IP address of your MikroTik CHR>
    port 1194
    nobind
    persist-key
    persist-tun
    tls-client
    remote-cert-tls server
    ca client/mikrotik/LMTCA.crt #CA certificate file
    cert client/mikrotik/CLIENT2.crt #CLIENT certificate file
    key  client/mikrotik/CLIENT2.key #CLIENT certificate key (decrypted in step 7)
    verb 4
    mute 10
    cipher AES-256-CBC
    data-ciphers AES-256-CBC
    auth SHA1
    auth-user-pass client/mikrotik/secret #File with user/password for VPN
    auth-nocache
    redirect-gateway def1 #semicolon removed: full redirect enabled

  14. Save the configuration file and rename it to client.conf (the openvpn@ service unit looks for /etc/openvpn/<name>.conf)

    mv MikrotikVPN.ovpn client.conf

  15. Open /etc/default/openvpn in a text editor

    nano /etc/default/openvpn

  16. Remove the # in front of the AUTOSTART="all" line and save the file.

  17. Enable the OpenVPN service, reload the daemons and start the service.

    systemctl enable openvpn@client.service
    systemctl daemon-reload
    systemctl start openvpn@client.service


    If you need to stop OpenVPN, use service openvpn stop or systemctl stop openvpn@client.service.
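As a sanity check for the files handled in steps 4 to 9 (an example added here, not from the original article nor from MikroTik or OpenVPN), the following script verifies that CLIENT2.crt chains to LMTCA.crt and is currently valid, that CLIENT2.key was decrypted and belongs to the certificate, and that the key and secret file are mode 400. The file names and the single-directory layout are assumed from the article; make_demo_dir builds a throwaway CA so the check can run offline, and the script needs openssl and GNU stat.

```shell
# Added example (not from the article, MikroTik or OpenVPN): verify the files copied in
# steps 4-9. Assumed names: LMTCA.crt, CLIENT2.crt, CLIENT2.key and secret in one
# directory (/etc/openvpn/client/mikrotik on the VPS). Needs openssl and GNU stat.
check_ovpn_client_files() {
  dir=$1
  ca=$dir/LMTCA.crt; crt=$dir/CLIENT2.crt; key=$dir/CLIENT2.key; sec=$dir/secret
  for f in "$ca" "$crt" "$key" "$sec"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
  done
  # The client certificate must be signed by the exported CA and be valid right now;
  # a wrong clock on either side fails here, hence the NTP note at the top.
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "CLIENT2.crt does not verify against LMTCA.crt"; return 1; }
  # Fail early if the certificate expires within 7 days.
  openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null \
    || { echo "CLIENT2.crt expires within 7 days"; return 1; }
  # Step 7 must have removed the export passphrase, or unattended start at boot hangs.
  if grep -q ENCRYPTED "$key"; then echo "CLIENT2.key is still passphrase-protected"; return 1; fi
  # The key must belong to the certificate: compare the public key derived from each.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "CLIENT2.key does not match CLIENT2.crt"; return 1; }
  # Step 9: the unencrypted key and the credentials must be readable by root only.
  for f in "$key" "$sec"; do
    [ "$(stat -c %a "$f")" = 400 ] || { echo "$f should be mode 400"; return 1; }
  done
  # auth-user-pass expects exactly two lines: username, then password.
  [ "$(wc -l < "$sec")" -eq 2 ] || { echo "secret must contain exactly two lines"; return 1; }
  return 0
}

# Builds a throwaway directory with a constructed CA and client certificate so the
# check can be exercised offline; this is not the article's real LMTCA.
make_demo_dir() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=LMTCA \
    -keyout "$d/ca.key" -out "$d/LMTCA.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=CLIENT2 \
    -keyout "$d/CLIENT2.key" -out "$d/CLIENT2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/CLIENT2.csr" -CA "$d/LMTCA.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/CLIENT2.crt" 2>/dev/null
  printf '%s\n%s\n' 'BGOcloud VPN' 'P@ssworD!#' > "$d/secret"  # constructed credentials
  chmod 400 "$d/CLIENT2.key" "$d/secret"
  echo "$d"
}
```

On the VPS, run `check_ovpn_client_files /etc/openvpn/client/mikrotik` before step 10; each failed check names the file and the step to revisit.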


And that’s it. Your server should now be accessible only while you are connected to the VPN.
