
MikroTik RouterOS VPN Site-to-Site And Remote Access Configuration

If you're looking for a way to set up a VPN tunnel between your MikroTik routers, you're in the right place! In this post, I'll guide you through setting up a Site-to-Site OpenVPN tunnel: an OpenVPN server with a public address in the middle, and the router at each site connecting to it as a client. It's a solid way to join your networks over the Internet without exposing them, and it's easier than you might think.

MikroTik Site-to-Site OpenVPN Server Setup

Before we get started, let me explain a few things. A Site-to-Site VPN joins two or more networks so that hosts on each of them can talk to the others as if they were on one network. OpenVPN is a popular, open-source VPN that runs over TLS, with a certificate identifying each end of the tunnel. RouterOS is the operating system MikroTik ships on its routers, and it includes both an OpenVPN client and an OpenVPN server.

1. Prerequisites

Before setting up the Site-to-Site VPN tunnel, you'll need to meet a few prerequisites. Firstly, make sure you have two MikroTik routers running RouterOS v6.0 or later. If you're not sure which version you're running, log in to the router and look at the version field printed by:

/system resource print

The following command also shows the installed version, next to the newest one available (it needs Internet access from the router):

/system package update check-for-updates

You'll also need a server running OpenVPN. You can use a cloud server or a dedicated server, as long as it meets the following requirements:

  • Runs a Unix-based operating system such as Linux or FreeBSD
  • Has a public IP address
  • Has OpenVPN installed

If you don't have a server, you can easily spin up a cloud server using services like DigitalOcean, AWS, or Google Cloud.

2. Configuring the Server

Once you have a server set up with OpenVPN installed, you'll need to configure it. The openvpn@server service you'll start later reads its configuration from /etc/openvpn/server.conf, so create the file there:

nano /etc/openvpn/server.conf

Edit the file with the following configuration (the certificate and key paths point at the directory you'll create in the next step):

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
max-clients 5
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

Save the file and exit. Here's what each line of the configuration does:

  • port 1194 - The UDP port OpenVPN listens on; open it on the server's firewall
  • proto udp - The transport protocol (UDP or TCP); UDP is the better choice for a tunnel, but a RouterOS 6 client can only use TCP
  • dev tun - A routed (layer-3) tunnel interface
  • ca /etc/openvpn/keys/ca.crt - The certificate authority that must have signed every client certificate
  • cert /etc/openvpn/keys/server.crt - The server's own certificate, signed by that CA
  • key /etc/openvpn/keys/server.key - The server's private key; keep it mode 0600
  • dh /etc/openvpn/keys/dh.pem - Diffie-Hellman parameters for the TLS key exchange
  • server 10.8.0.0 255.255.255.0 - Run in server mode and hand out tunnel addresses from 10.8.0.0/24; the server itself takes 10.8.0.1
  • ifconfig-pool-persist ipp.txt - Remember which tunnel address each client got, so it keeps it across reconnects
  • push "route 192.168.1.0 255.255.255.0" - Tell every client to send 192.168.1.0/24 (the LAN behind the server) into the tunnel
  • keepalive 10 120 - Ping the peer every 10 seconds and restart the connection after 120 seconds without a reply
  • tls-auth /etc/openvpn/keys/ta.key 0 - Add an HMAC to every control-channel packet using a shared static key, so packets without a valid HMAC are dropped before the TLS handshake even starts; 0 is the server's key direction (the client uses 1)
  • cipher AES-256-CBC - The data-channel cipher; current OpenVPN clients negotiate AES-256-GCM on their own, and CBC is what a RouterOS 6 client can do
  • max-clients 5 - Limit the number of simultaneous clients to 5
  • user nobody - Drop root privileges once the tunnel is up
  • group nogroup - Do the same for the group
  • persist-key - Don't re-read key files on a restart (they would be unreadable after the privilege drop)
  • persist-tun - Keep the TUN device open across restarts
  • status /var/log/openvpn-status.log - Write the list of connected clients to this file
  • verb 3 - Log verbosity; 3 is the normal operating level, 4 and above are for troubleshooting

Adjust the tunnel subnet and the pushed route to fit your networks, and keep the certificate and key paths pointing at the files you'll create next. Two things this configuration deliberately leaves out: compression (comp-lzo or compress) is not enabled, because OpenVPN has deprecated it after compression-oracle attacks on tunnelled traffic, and RouterOS can't use it anyway; and the server is not told how to reach the LAN behind a client. For site-to-site traffic in that direction you also need a route on the server plus an iroute for that client in a client-config-dir file, which is beyond this post.

Once you're done editing the configuration, create a directory to store the server keys:

mkdir /etc/openvpn/keys

Generate the Diffie-Hellman parameters:

openssl dhparam -out /etc/openvpn/keys/dh.pem 2048

Generate the TLS pre-shared key:

openvpn --genkey --secret /etc/openvpn/keys/ta.key

Copy ca.crt, server.crt and server.key into /etc/openvpn/keys as well. The client section below shows how to issue a certificate with openssl; the server's is made the same way and signed by the same CA. Finally, start the OpenVPN server service:

systemctl start openvpn@server

You can check the OpenVPN server's status by running:

systemctl status openvpn@server
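The certificate steps above are spread over several commands and the CA itself is never created. As an added example (not part of the original post), here is the whole PKI in one POSIX shell script using openssl, the tool the post already relies on: a self-signed CA, a server certificate carrying the serverAuth extended key usage (which is what `remote-cert-tls server` on a client checks), a client certificate, the DH parameters and the tls-auth key. The CN values, the output directory and the OVPN_PKI_RUN switch are assumptions of this example; adjust them.

```shell
#!/bin/sh
# Added example, not from the original post: build the server's PKI with
# openssl in one go (CA, server cert with the serverAuth EKU, client cert,
# DH parameters, tls-auth key). CN values are assumptions; change them.
set -e

# sign_cert DIR NAME EXTFILE DAYS: new RSA key + CSR for NAME, signed by DIR/ca.key
sign_cert() {
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$4" -extfile "$3" -out "$1/$2.crt" 2>/dev/null
}

# gen_pki DIR [DAYS] [DH_BITS]: writes ca.{crt,key}, server.{crt,key},
# client.{crt,key}, dh.pem and (if the openvpn binary is present) ta.key into DIR.
gen_pki() {
    dir=$1; days=${2:-365}; dh_bits=${3:-2048}
    mkdir -p "$dir"
    chmod 700 "$dir"
    umask 077   # every key file below is created 0600

    # 1. Self-signed CA. After signing, move ca.key somewhere offline: neither
    #    VPN endpoint needs it, and whoever holds it can mint trusted peers.
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" -subj "/CN=ovpn-site-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server certificate. The serverAuth EKU is what lets a client enforce
    #    'remote-cert-tls server', so a stolen client cert cannot pose as the server.
    printf 'extendedKeyUsage = serverAuth\nkeyUsage = digitalSignature, keyEncipherment\n' \
        > "$dir/server.ext"
    sign_cert "$dir" server "$dir/server.ext" "$days"

    # 3. Client certificate, limited to clientAuth.
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$dir/client.ext"
    sign_cert "$dir" client "$dir/client.ext" "$days"

    # 4. DH parameters. 2048 is the minimum worth deploying; smaller only for a quick test.
    openssl dhparam -out "$dir/dh.pem" "$dh_bits" 2>/dev/null

    # 5. tls-auth key, shared by both ends (key direction 0 on the server, 1 on the client).
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey --secret "$dir/ta.key"
    fi

    rm -f "$dir/server.ext" "$dir/client.ext" "$dir"/*.csr
}

# Usage: OVPN_PKI_RUN=1 sh pki.sh /etc/openvpn/keys
if [ "${OVPN_PKI_RUN:-0}" = 1 ]; then
    gen_pki "${1:-/etc/openvpn/keys}"
fi
```

The CSR/sign split inside sign_cert is the same flow the client section uses, just driven by one function, and it is why ca.key can live on a machine that is neither the server nor a client.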

3. Configuring the Clients

Now that your OpenVPN server is up and running, it's time to configure the clients. The steps in this section are for a Linux host running the OpenVPN client; the commands are the same ones used on the server, so any Linux box at the remote site can be used to test the tunnel. A RouterOS router connects as a client through /interface ovpn-client instead, after the CA certificate, the client certificate and its key have been loaded with /certificate import, and it supports only part of what the server configuration above uses: RouterOS's OpenVPN client has no tls-auth and no compression, and RouterOS 6 speaks TCP only (UDP support arrived in RouterOS 7). To connect a RouterOS 6 router, remove tls-auth from the server configuration and switch both ends to proto tcp; cipher=aes256 on the router is the AES-256-CBC used here.

The openvpn@client service reads its configuration from /etc/openvpn/client.conf, so create the file there:

nano /etc/openvpn/client.conf

Edit the file with the following configuration:

client
dev tun
proto udp
remote PUBLIC_IP_ADDRESS 1194
nobind
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
remote-cert-tls server
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
user nobody
group nogroup
verb 3

Here's what each line of the configuration does:

  • client - Use client mode and accept the settings the server pushes
  • dev tun - A routed (layer-3) tunnel interface, matching the server
  • proto udp - The transport protocol; it must match the server's proto
  • remote PUBLIC_IP_ADDRESS 1194 - The public IP address of your server and the port it listens on
  • nobind - Don't bind to a fixed local port; any source port will do for a client
  • persist-key - Don't re-read key files on a restart (they would be unreadable after the privilege drop)
  • persist-tun - Keep the TUN device open across restarts
  • ca /etc/openvpn/keys/ca.crt - The CA certificate the server's certificate must chain to
  • cert /etc/openvpn/keys/client.crt - This client's certificate, signed by that CA
  • key /etc/openvpn/keys/client.key - This client's private key; keep it mode 0600
  • remote-cert-tls server - Accept only a peer certificate that carries the serverAuth extended key usage, so a stolen client certificate can't be used to impersonate the server; this replaces the old ns-cert-type server, which has been deprecated and removed from current OpenVPN releases
  • tls-auth /etc/openvpn/keys/ta.key 1 - The same static HMAC key as the server, with key direction 1 (the server uses 0)
  • cipher AES-256-CBC - The data-channel cipher, matching the server
  • user nobody - Drop root privileges once the tunnel is up
  • group nogroup - Do the same for the group
  • verb 3 - Log verbosity; 3 is the normal operating level

Save the file and exit. Make sure to replace PUBLIC_IP_ADDRESS with the IP address of your OpenVPN server, and leave compression (comp-lzo) out on both ends: it is deprecated in OpenVPN because of compression-oracle attacks, and either way the two sides must agree on it or the tunnel won't pass traffic.
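Most of what goes wrong between an OpenVPN server and client is a pair of directives that don't agree: proto, the port, the cipher, the tls-auth key direction, or compression on one side only. Here is an added example (not from the original post) of a small POSIX shell check that reads a server.conf and a client.conf, reports those mismatches, and also flags the deprecated ns-cert-type and compression directives. It parses only the "tls-auth FILE DIR" form used in this post, not a separate key-direction line, and the file paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check an OpenVPN
# server.conf / client.conf pair for the directives that must agree on both
# ends, and flag the deprecated ones. Plain sh + awk/grep; openvpn not needed.
set -e

# opt FILE NAME -> value of the first "NAME value..." directive in FILE ("" if absent).
# Comment lines start with # or ;, so their first field never matches a directive.
opt() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}

rc=0
fail() { echo "FAIL: $1"; rc=1; }
warn() { echo "WARN: $1"; }

# ovpn_pair_check SERVER_CONF CLIENT_CONF
# Prints one line per finding; returns 0 if the pair is consistent, 1 otherwise.
ovpn_pair_check() {
    s=$1; c=$2; rc=0

    # Transport: proto must match, and the client's remote port must be the server's port.
    if [ "$(opt "$s" proto)" != "$(opt "$c" proto)" ]; then
        fail "proto differs: server '$(opt "$s" proto)', client '$(opt "$c" proto)'"
    fi
    sport=$(opt "$s" port); sport=${sport:-1194}
    cport=$(opt "$c" remote | awk '{ print $2 }'); cport=${cport:-1194}
    if [ "$sport" != "$cport" ]; then
        fail "server listens on $sport but client connects to $cport"
    fi

    # tls-auth: same key on both ends, key direction 0 on the server and 1 on the client.
    sdir=$(opt "$s" tls-auth | awk '{ print $2 }')
    cdir=$(opt "$c" tls-auth | awk '{ print $2 }')
    if [ -n "$sdir$cdir" ] && { [ "$sdir" != 0 ] || [ "$cdir" != 1 ]; }; then
        fail "tls-auth key direction must be 0 (server) / 1 (client), got '$sdir' / '$cdir'"
    fi

    # Data-channel cipher: a fixed 'cipher' must be the same string on both sides.
    if [ "$(opt "$s" cipher)" != "$(opt "$c" cipher)" ]; then
        fail "cipher differs: server '$(opt "$s" cipher)', client '$(opt "$c" cipher)'"
    fi

    # Compression must be symmetric, and should not be on at all
    # (compression-oracle attacks on tunnelled traffic; RouterOS cannot use it either).
    for f in "$s" "$c"; do
        if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$f"; then
            fail "$f enables compression; remove it from both ends"
        fi
    done

    # Server-role check on the client: ns-cert-type is deprecated and gone from
    # current releases; remote-cert-tls server checks the serverAuth EKU instead.
    if grep -Eq '^[[:space:]]*ns-cert-type' "$c"; then
        fail "client uses ns-cert-type; replace it with 'remote-cert-tls server'"
    elif [ "$(opt "$c" remote-cert-tls)" != server ]; then
        fail "client never checks that the peer certificate is a server certificate"
    fi

    # Not fatal, but worth knowing: pin the TLS floor on the server.
    [ -n "$(opt "$s" tls-version-min)" ] || warn "$s has no tls-version-min"

    return $rc
}
```

Run it as ovpn_pair_check /etc/openvpn/server.conf /path/to/client.conf before you start either service; a non-zero exit means at least one FAIL line was printed.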

Next, create a directory to store the client keys:

mkdir /etc/openvpn/keys

Generate a private key and a certificate signing request for this client. The Common Name you enter at the prompt must be unique per client, because the server uses it to tell clients apart:

openssl req -nodes -newkey rsa:2048 -keyout /etc/openvpn/keys/client.key -out /etc/openvpn/keys/client.csr

The private key never leaves the client. Copy client.csr to the machine that holds the CA key (ca.key should not be on either VPN endpoint), sign it there, and copy the resulting client.crt back into /etc/openvpn/keys together with the CA's ca.crt and the server's ta.key:

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365

Finally, start the OpenVPN client service:

systemctl start openvpn@client

You can check the OpenVPN client's status by running:

systemctl status openvpn@client

And that's it! You now have a TLS-protected tunnel from this site to the OpenVPN server. Repeat the client steps, with its own certificate, on the router at each other site, and the sites are joined through the server.

Conclusion

In this post, I've shown you how to set up a Site-to-Site VPN tunnel for your MikroTik routers using OpenVPN, with the router at each site acting as a client of one OpenVPN server. By following these steps, you'll be able to secure your network and protect your data from prying eyes. Remember to keep your certificates and keys safe and secure, and always keep your software up to date.

If you have any questions or feedback, please feel free to leave them in the comments below. Thank you for reading!

MikroTik Site to Site OpenVPN Server Setup (RouterOS Client) - System Zone


