Mikrotik router as OpenVPN Client

configure your mikrotik routerboard as an openvpn client

Mikrotik router as OpenVPN Client

There are a bunch of tutorials online about how to set up a Mikrotik routerboard as an OpenVPN server; this is not one of them, this repository contains information and code samples for configuring a Mikrotik router as a client to connect to your own OpenVPN server hosted elsewhere.

As of Jun ‘16 this is confirmed working on a Mikrotik 951Ui-2HnD routerboard, all traffic destined for the internet is routed via the VPN connection and I’m able to watch region-locked video streaming services while connected through this wifi network.

Gotchas!

Sourced from: http://wiki.mikrotik.com/wiki/OpenVPN

  • TCP is supported UDP is not supported (ie. the default setup is not supported)
  • username/passwords are not mandatory
  • certificates are supported
  • LZO compression is not supported

Setting up the server

This info applies to you if you are setting up the server for yourself, otherwise you best check with your server admin that they have configured the server for a Mikrotik client.

For the most part I followed this tutorial for installing OpenVPN server on Ubuntu 14.04.

Be careful with this tutorial, if you are using any services other than OpenVPN and SSH; or if you use non-standard ports, make sure you add the corresponding firewall rules!

I only made a couple changes to my server.conf:

Change protocols from UDP to TCP
# TCP or UDP server?
proto tcp
;proto udp

add the corresponding firewall rule:

sudo ufw allow 1194/tcp
Disable compression (optional)

This step is optional, if you’re streaming video you can disable compression by commenting it out:

# comp-lzo

Setting up the client

This section covers the steps required to set up your Mikrotik routerboard as an OpenVPN client.

Copy files from server

You’ll need some files from your OpenVPN server or VPN provider, only 3 files are required:

$ ls cert/
ca.crt  client.crt  client.key

If you’re using the scripts in this repo then you’ll need to create a directory called cert and put those files inside. You’ll also need to rename your client keys to match the file names above.

Establish a SSH session

All the commands are executed by SSH so you’ll need SSH access to your routerboard before continuing, otherwise I guess you could read the commands and enter them in the GUI, up to you.

ssh admin@192.168.88.1


MMM      MMM       KKK                          TTTTTTTTTTT      KKK
MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

MikroTik RouterOS 6.35.2 (c) 1999-2016       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
              a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level

[admin@MikroTik] >

Great you connected! the interface is a bit weird, all commands start with a / and you use ? for help within each section. If you didn’t manage to connect you’re going to need to sort that out before continuing or give up and use a GUI.

Type /quit in to the console to exit.

Check your OS version

All the code in this repo is hard-coded for version 6.35.2 (which was current at time of writing). If yours is older than that go ahead and upgrade first.

ssh admin@192.168.88.1 system package update download
Upload your certificates

You’ll need to upload those certificates that we downloaded earlier on to your Mikrotik.

you’ll need to do this for all 3 files, see ./task/cert.install.sh for more info.

scp ca.crt admin@192.168.88.1:/
scp client.crt admin@192.168.88.1:/
scp client.key admin@192.168.88.1:/

ssh admin@192.168.88.1 certificate import file-name=ca.crt passphrase=\"\"
ssh admin@192.168.88.1 certificate import file-name=client.crt passphrase=\"\"
ssh admin@192.168.88.1 certificate import file-name=client.key passphrase=\"\"

We can confirm that worked:

ssh admin@192.168.88.1 certificate print

Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME                        COMMON-NAME                     SUBJECT-ALT-NAME                                                  FINGERPRINT                    
 0        T ca.crt_0                    Fort-Funston CA                                                                                   12911f9e101be5b3e15cd44e52cc...
 1 K      T client.crt_0                missinglink1                    DNS:missinglink1                                                  8bd36e8431eef6c52151c8400ef0...
Rename your certificates

This is optional; if this if your first time, best do this so you can follow the rest of the steps:

ssh admin@192.168.88.1 certificate set ca.crt_0 name=CA

ssh admin@192.168.88.1 certificate set client.crt_0 name=client

We can confirm that worked:

ssh admin@192.168.88.1 certificate print
Create a PPP profile

This section contains all the details of how you will connect to the server, the following worked for me, you may need to change some settings for your specific server configuration:

ssh admin@192.168.88.1 ppp profile add name=OVPN-client change-tcp-mss=yes only-one=yes use-encryption=required use-mpls=no

We can confirm that worked:

ssh admin@192.168.88.1 ppp profile print

Flags: * - default
 0 * name="default" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default
     use-compression=default use-encryption=default only-one=default
     change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

 1   name="OVPN-client" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=no
     use-compression=default use-encryption=required only-one=yes
     change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

 2 * name="default-encryption" remote-ipv6-prefix-pool=none use-ipv6=yes
     use-mpls=default use-compression=default use-encryption=yes
     only-one=default change-tcp-mss=yes use-upnp=default address-list=""
     on-up="" on-down=""
Create an OpenVPN interface

Here we actually create an interface for the VPN connection:

IMPORTANT!! Change xxx.xxx.xxx.xxx to your own server address (ip address or domain name).

ssh admin@192.168.88.1 interface ovpn-client add connect-to=xxx.xxx.xxx.xxx add-default-route=no auth=sha1 certificate=client disabled=no user=vpnuser password=vpnpass name=myvpn profile=OVPN-client

User/password properties seem to be mandatory on the client even if the server doesn’t have auth-user-pass-verify enabled.

Test the VPN connection

If everything went according to plan you should now be connected:

ssh admin@192.168.88.1 interface ovpn-client print

Note the 'R' which shows the connection has been established (give it a few seconds):

Flags: X - disabled, R - running
 0  R name="myvpn" mac-address=FE:EE:75:8F:14:3D max-mtu=1500
      connect-to=xxx.xxx.xxx.xxx port=1194 mode=ip user="vpnuser" password="vpnpass"
      profile=OVPN-client certificate=client auth=sha1 cipher=blowfish128
      add-default-route=no

ssh admin@192.168.88.1 interface ovpn-client monitor 0

status: connected
uptime: 1h35m45s
encoding: BF-128-CBC/SHA1
   mtu: 1500

status: connected
uptime: 1h35m46s
encoding: BF-128-CBC/SHA1
   mtu: 1500
Configure the firewall

This is explained in this post, basically we define some routes in our local network that won’t go through the VPN (things in the 10.0.0.0, 172.16.0.0 & 192.168.0.0 ranges) and we add them to a list called local_traffic:

ssh admin@192.168.88.1 ip firewall address-list add address=10.0.0.0/8 disabled=no list=local_traffic

ssh admin@192.168.88.1 ip firewall address-list add address=172.16.0.0/12 disabled=no list=local_traffic

ssh admin@192.168.88.1 ip firewall address-list add address=192.168.0.0/16 disabled=no list=local_traffic

Then we set up a 'mangle' rule which marks packets coming from the local network and destined for the internet with a mark named vpn_traffic:

ssh admin@192.168.88.1 ip firewall mangle add disabled=no action=mark-routing chain=prerouting dst-address-list=\!local_traffic new-routing-mark=vpn_traffic passthrough=yes src-address=192.168.88.2-192.168.88.254
Configure routing

Next we tell the router that all traffic with the vpn_traffic mark should go through the VPN interface:

ssh admin@192.168.88.1 ip route add disabled=no dst-address=0.0.0.0/0 type=unicast gateway=myvpn routing-mark=vpn_traffic scope=30 target-scope=10
Configure masquerade

And finally we add a masquerade NAT rule:

ssh admin@192.168.88.1 ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=myvpn action=masquerade

Finished!

That’s it! your external traffic should now be routed through the VPN.

If this readme helped you out please star the repo; github stars are like crack cocaine to software developers :)

Credits / Resources

Big thanks to all these people who wrote about this in the past.

  • https://lukas.dzunko.sk/index.php/MikrotTik:_OpenVPN
  • https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04

License

This work ‘as-is’ we provide.
No warranty express or implied.
  We’ve done our best,
  to debug and test.
Liability for damages denied.

Permission is granted hereby,
to copy, share, and modify.
  Use as is fit,
  free or for profit.
These rights, on this notice, rely.