MikroTik RouterOS VPN Site-to-Site And Remote Access Configuration
If you're looking for a way to set up a VPN tunnel for your MikroTik router, you're in the right place! In this post, I'll guide you through the process of setting up a Site-to-Site OpenVPN tunnel using RouterOS client to client. This is a great way to secure your network and protect your data, and it's easier than you might think.

Before we get started, let me explain a few things. Site-to-Site VPN allows you to connect two or more different networks together, enabling users in each network to communicate with each other. OpenVPN is a popular, open-source VPN solution that uses SSL/TLS to secure the connection. RouterOS is a powerful operating system developed by MikroTik.
1. Prerequisites
Before setting up the Site-to-Site VPN tunnel, you'll need to meet a few prerequisites. Firstly, make sure you have two MikroTik routers with RouterOS v6.0 or later installed. If you're not sure which version you're running, you can check by logging in to your MikroTik router and typing the following command:
/system package update check-for-updates
You'll also need a server running OpenVPN. You can use a cloud server or a dedicated server, as long as it meets the following requirements:
- Runs a Unix-based operating system such as Linux or FreeBSD
- Has a public IP address
- Has OpenVPN installed
If you don't have a server, you can easily spin up a cloud server using services like DigitalOcean, AWS, or Google Cloud.
2. Configuring the Server
Once you have a server set up with OpenVPN installed, you'll need to configure it. Firstly, create a directory to store the server configuration:
mkdir /etc/openvpn/serverconf
Next, create a server configuration file in the new directory:
nano /etc/openvpn/serverconf/server.conf
Edit the file with the following configuration:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
Save the file and exit. Here's what each line of the configuration does:
port 1194
- The port that OpenVPN uses to listen for incoming connections
proto udp
- The protocol used by OpenVPN (UDP or TCP)
dev tun
- The device used by OpenVPN (a routed tun interface)
ca ca.crt
- The path to the root certificate authority file
cert server.crt
- The path to the server certificate file
key server.key
- The path to the server private key file
dh dh.pem
- The path to the Diffie-Hellman parameters file
server 10.8.0.0 255.255.255.0
- The VPN subnet and network mask; the server takes the first address and hands out the rest to clients
ifconfig-pool-persist ipp.txt
- A file in which client-to-VPN-address assignments are persisted across restarts
push "route 192.168.1.0 255.255.255.0"
- Push a route for the 192.168.1.0/24 network into the client's routing table
keepalive 10 120
- Send a keepalive packet every 10 seconds and close the connection if no response is received after 120 seconds
tls-auth ta.key 0
- Use a static pre-shared key to protect control channel packets; 0 is the server's key direction (the client uses 1)
cipher AES-256-CBC
- The encryption cipher used for data channel encryption
comp-lzo
- Use LZO compression to reduce packet size and improve performance
max-clients 5
- Limit the number of simultaneous clients to 5
user nobody
- Drop privileges to the nobody user after initialization
group nogroup
- Do the same for the group
persist-key
- Don't re-read key files across SIGUSR1 or --ping-restart
persist-tun
- Don't close and reopen the TUN device across restarts
status /var/log/openvpn-status.log
- Write the list of connected clients and their routes to this status file
verb 3
- Set the log verbosity level to 3 (verbose)
Make sure to adjust the server IP address and network mask to fit your needs. You should also replace the certificate and key paths with the appropriate files on your server.
Once you're done editing the configuration, create a directory to store the server keys:
mkdir /etc/openvpn/keys
Generate the Diffie-Hellman parameters:
openssl dhparam -out /etc/openvpn/keys/dh.pem 2048
Generate the TLS pre-shared key:
openvpn --genkey --secret /etc/openvpn/keys/ta.key
Finally, start the OpenVPN server service:
systemctl start openvpn@server
You can check the OpenVPN server's status by running:
systemctl status openvpn@server
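The status file named by the status directive above lists every connected client and its VPN address, which is worth checking on a site-to-site server that still allows up to five clients. The script below is an added example, not from the original post; the status text is constructed in the default status-version 1 layout, with documentation-range addresses and hypothetical client names.

```python
"""Parse the OpenVPN status file (status-version 1 layout) and flag sessions a
site-to-site deployment should not see. Added example; SAMPLE_STATUS is a
constructed file, not captured from a real server."""

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Thu Jun  1 12:00:00 2023
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
site-b,203.0.113.5:51234,12345,67890,Thu Jun  1 11:00:00 2023
laptop-x,198.51.100.7:40000,512,256,Thu Jun  1 11:58:00 2023
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,site-b,203.0.113.5:51234,Thu Jun  1 11:59:00 2023
10.8.0.10,laptop-x,198.51.100.7:40000,Thu Jun  1 11:59:30 2023
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

SECTIONS = ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END")

def parse_status(text):
    """Return {common_name: {real_address, bytes_*, connected_since, virtual_addresses}}."""
    clients, section = {}, None
    for line in text.splitlines():
        if line in SECTIONS:
            section = line
            continue
        fields = line.split(",")
        # Client list rows have 5 fields; skip the "Updated" and header rows.
        if section == SECTIONS[0] and len(fields) == 5 and fields[0] != "Common Name":
            cn, real, rx, tx, since = fields
            clients[cn] = {"real_address": real, "bytes_received": int(rx),
                           "bytes_sent": int(tx), "connected_since": since,
                           "virtual_addresses": []}
        # Routing rows map a virtual address (or pushed subnet) back to a client.
        elif section == SECTIONS[1] and len(fields) == 4 and fields[1] in clients:
            clients[fields[1]]["virtual_addresses"].append(fields[0])
    return clients

def review_sessions(text, expected_cns, max_clients=5):
    """List findings: certificates not on the expected list, and slots nearly used up."""
    clients = parse_status(text)
    findings = ["unexpected client '%s' from %s" % (cn, c["real_address"])
                for cn, c in clients.items() if cn not in expected_cns]
    if len(clients) >= max_clients - 1:
        findings.append("%d of %d client slots in use" % (len(clients), max_clients))
    return findings
```

Run it against /var/log/openvpn-status.log with the common names of your own sites as expected_cns; anything else listed is a certificate you did not expect to be in use.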
3. Configuring the Clients
Now that your OpenVPN server is up and running, it's time to configure the clients. Firstly, create a directory on your router to store the client configuration:
mkdir /etc/openvpn/clientconf
Next, create a client configuration file in the new directory:
nano /etc/openvpn/clientconf/client.conf
Edit the file with the following configuration:
client
dev tun
proto udp
remote PUBLIC_IP_ADDRESS 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
tls-auth ta.key 1
cipher AES-256-CBC
user nobody
group nogroup
verb 3
Here's what each line of the configuration does:
client
- Specifies that this is a client configuration
dev tun
- The device used by OpenVPN (a routed tun interface)
proto udp
- The protocol used by OpenVPN (UDP or TCP); it must match the server
remote PUBLIC_IP_ADDRESS 1194
- The public IP address of your server and the port OpenVPN listens on
nobind
- Don't bind to a specific local port
persist-key
- Don't re-read key files across SIGUSR1 or --ping-restart
persist-tun
- Don't close and reopen the TUN device across restarts
ca ca.crt
- The path to the root certificate authority file
cert client.crt
- The path to the client certificate file
key client.key
- The path to the client private key file
ns-cert-type server
- Require the server certificate's nsCertType field to be set to "server"
comp-lzo
- Use LZO compression to reduce packet size and improve performance
tls-auth ta.key 1
- Use the same static pre-shared key as the server to protect control channel packets; 1 is the client's key direction
cipher AES-256-CBC
- The encryption cipher used for data channel encryption; it must match the server
user nobody
- Drop privileges to the nobody user after initialization
group nogroup
- Do the same for the group
verb 3
- Set the log verbosity level to 3 (verbose)
Save the file and exit. Make sure to replace the public IP address with the IP address of your OpenVPN server.
Next, create a directory to store the client keys:
mkdir /etc/openvpn/keys
Generate a client key and certificate signing request, then sign the request with the CA certificate and key (ca.crt and ca.key) that also issued the server certificate:
openssl req -nodes -newkey rsa:2048 -keyout /etc/openvpn/keys/client.key -out /etc/openvpn/keys/client.csr
openssl x509 -req -in /etc/openvpn/keys/client.csr -CA /etc/openvpn/keys/ca.crt -CAkey /etc/openvpn/keys/ca.key -CAcreateserial -out /etc/openvpn/keys/client.crt -days 365
Finally, start the OpenVPN client service:
systemctl start openvpn@client
You can check the OpenVPN client's status by running:
systemctl status openvpn@client
And that's it! You now have a secure Site-to-Site VPN tunnel between your MikroTik routers using OpenVPN.
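The two configuration files above have to agree on several settings (protocol, port, device type, cipher, compression, and the tls-auth key direction of 0 on the server and 1 on the client) or the tunnel never comes up. The checker below is an added example, not from the original post; the embedded configs are constructed excerpts of the post's two files, with a documentation-range server address in place of PUBLIC_IP_ADDRESS.

```python
"""Cross-check an OpenVPN server.conf against a client.conf for the mismatches that
stop the tunnel in this post from coming up. Added example, not from the original
post; the configs below are constructed excerpts, with a documentation-range IP."""

SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
tls-auth ta.key 0
cipher AES-256-CBC
comp-lzo
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote 203.0.113.10 1194
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
"""

def parse_conf(text):
    # Map directive -> argument list, skipping blank and comment lines.
    conf = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", ";")):
            conf[parts[0]] = parts[1:]
    return conf

def check_pair(server_text, client_text):
    # Return human-readable mismatches; an empty list means the pair agrees.
    s, c = parse_conf(server_text), parse_conf(client_text)
    problems = []
    for key in ("proto", "dev", "cipher"):
        if s.get(key) != c.get(key):
            problems.append("%s differs: server %s, client %s" % (key, s.get(key), c.get(key)))
    port, remote = s.get("port", ["1194"])[0], c.get("remote", [])
    if port != (remote[1] if len(remote) > 1 else "1194"):
        problems.append("port differs: server %s, client remote %s" % (port, remote))
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on only one side")
    s_ta, c_ta = s.get("tls-auth"), c.get("tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth configured on only one side")
    elif s_ta is not None and (s_ta[1:] != ["0"] or c_ta[1:] != ["1"]):
        problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    return problems
```

Feed it the real files with open(path).read() on either side; the directives it does not check (certificate paths, push routes) are the ones that produce an error in the OpenVPN log rather than a silent hang.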
Conclusion
In this post, I've shown you how to set up a Site-to-Site VPN tunnel for your MikroTik routers using OpenVPN with RouterOS client to client. By following these steps, you'll be able to secure your network and protect your data from prying eyes. Remember to keep your certificates and keys safe and secure, and always keep your software up to date.
If you have any questions or feedback, please feel free to leave them in the comments below. Thank you for reading!