Certificates & Config for OVPN in Mikrotik
To create an OVPN server on a MikroTik router we need to:
- Get Certificates
- Set user profiles
- Add users (secrets)
First, let's create the Certificate Authority (CA). Its common-name can be anything; for the server certificate below we use the router's hostname and add a subject-alt-name with its DDNS name, so clients can verify the name they connect to (good practice, not mandatory).
/certificate add name=CA common-name=CA days-valid=3650 key-usage=crl-sign,key-cert-sign
We self-sign it (replace DNS with the router's DDNS name or public IP, used as the CRL host):
/certificate sign ca-crl-host=DNS [find name=CA]
Then create the TLS certificate for the server (a child of the CA):
/certificate add name=OVPN-Server common-name=RouterALPHA subject-alt-name=DNS:dns.com key-usage=digital-signature,key-encipherment,tls-server
We sign it with the CA we just created:
/certificate sign ca=CA ca-crl-host=DNS [find name=OVPN-Server]
Then we need TLS client certificates, one per user, with the username as common-name, signed by the same CA:
/certificate add name=Client1 common-name=user1 key-usage=tls-client
/certificate sign ca=CA ca-crl-host=DNS [find name=Client1]
To add another user, repeat the same two steps with that username as name and common-name:
/certificate add name=username common-name=username key-usage=tls-client
/certificate sign ca=CA ca-crl-host=DNS [find name=username]
Then enable the OVPN server (PPP > Interface > OVPN Server in WinBox, or /interface ovpn-server server in the CLI), point it at the server certificate, and add one PPP secret per user; the client authenticates with both its certificate and that username/password.
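The PPP/OVPN side of the procedure above, as an added RouterOS example (not from the original page). The pool name, profile name, 10.10.10.0/24 range, password and export passphrase are placeholders; the syntax is RouterOS v6.

```routeros
# Added example, not part of the original page. Pool, profile, address
# range, password and export passphrase are assumed placeholders (v6 syntax).

# 1. Address pool and PPP profile handed out to OVPN clients
/ip pool add name=ovpn-pool ranges=10.10.10.2-10.10.10.50
/ppp profile add name=ovpn-profile local-address=10.10.10.1 remote-address=ovpn-pool use-encryption=required

# 2. One secret per user; the OVPN client sends this username/password
#    (auth-user-pass) in addition to presenting its certificate
/ppp secret add name=user1 password=ChangeMe-Str0ng profile=ovpn-profile service=ovpn

# 3. Enable the server with the server certificate signed above and
#    require a CA-signed client certificate (this is off by default,
#    so without it any client with just the secret gets in)
/interface ovpn-server server set enabled=yes port=1194 mode=ip netmask=24 certificate=OVPN-Server require-client-certificate=yes auth=sha1 cipher=aes256 default-profile=ovpn-profile

# 4. Export what the client needs: the CA public cert, and the client
#    cert + private key (RouterOS requires a passphrase of 8+ characters
#    to export a private key)
/certificate export-certificate CA
/certificate export-certificate Client1 export-passphrase=ExportPass123
# Files appear under /file as cert_export_CA.crt, cert_export_Client1.crt
# and cert_export_Client1.key; download them for the client .ovpn.
```

Check the result with /interface ovpn-server server print and /ppp active print once a client connects. On RouterOS v7 the same settings use cipher=aes256-cbc (or aes256-gcm) and auth=sha256, and protocol=udp becomes available; v6 OVPN is TCP-only and supports neither tls-auth nor LZO compression, so the client config must use a tcp-client remote and leave those options out.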
For more OVPN server options see https://wiki.mikrotik.com/wiki/OpenVPN
For a client .ovpn template use https://github.com/OpenVPN/openvpn/blob/master/sample/sample-config-files/client.conf
A lab walkthrough to test it: https://www.youtube.com/watch?v=6l1sYGLrlz0&t=291s
Summary:
# Define vars (RouterOS syntax: :local <name> <value>)
:local DNS "mynetname.net"
:local Hostname "Router"
# Create certs (days-valid defaults to 365 for the server and client certs)
/certificate add name=CA common-name=CA days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate add name=OVPN-Server common-name=$Hostname subject-alt-name="DNS:$DNS" key-usage=digital-signature,key-encipherment,tls-server
/certificate add name=Client1 common-name=user1 key-usage=tls-client
# Sign (the CA self-signs; server and client certs are signed by the CA)
/certificate sign ca-crl-host=$DNS [find name=CA]
/certificate sign ca=CA ca-crl-host=$DNS [find name=OVPN-Server]
/certificate sign ca=CA ca-crl-host=$DNS [find name=Client1]
This gives us an L3 tunnel between routers, or between a router and remote laptops or smartphones.