Sep 29, 2016

As time goes by and social sites become more and more pervasive in our lives, I’ve decided to write fewer posts on my own blog, but to keep them relevant (at least to me).

This new one is about my recent home network improvement:

  • Vodafone Fiber Link (with Vodafone Station Revolution)
  • Firewall replacement: from my old glorious Stonesoft hardware + pfSense to a brand new shining Mikrotik RouterBoard RB2011UiAS

I needed to build VPN access from outer space to my own network, mainly using my two preferred tools: iOS device and OS X on my Mac.

It took me a while to find the right combination of settings for what I was aiming at, which was this (naturally, IP info has been sanitized 😎):

[Network diagram: what I was after]

I started by setting the Vodafone Station Revolution (VFR) to forward port TCP 1194 from the public IP to The Mighty Mikrotik (TMM) external net IP address.

I chose OpenVPN since IMHO it allows the greatest flexibility, requiring only one port to be forwarded. I tried L2TP but had issues with the very few settings allowed by the VFR.

Also, OpenVPN is available as an app for iOS, and on the Mac you have great software such as Tunnelblick.

Then I started dealing with the Mikrotik part: although enormously flexible, Mikrotik configuration might seem a bit scattered at first… which is the main reason I’ve decided to write this post 🙂

Ready? Set… GO!

First, be aware of two limitations of OpenVPN Support in Mikrotik as I’m writing (RouterOS 6.37):

  • No support for UDP
  • No support for lzo compression

Otherwise the support is perfect for what I wanted: certificate-based authentication over TCP, with the VPN in routed mode (tun).

I’ll mostly go with CLI commands here, showing the outcome in Mikrotik WebFig for your reference.

Setup the certificates

To start, you need three certificates:

  • one is the CA (Certificate Authority), to sign the VPN server and the VPN client ones
  • the other is the VPN server certificate, which you will use to authenticate the Mikrotik to your client when it will attempt to connect
  • the third is the VPN client certificate, which your client will use to authenticate to the Mikrotik VPN server when it will attempt to connect. This one is safer to protect with a passphrase.

The CA certificate

To generate what you need for the CA, SSH into the Mikrotik, switch to the certificate context and issue the following commands:

/certificate
add name=RoarinCA common-name=RoarinCA key-usage=key-cert-sign,crl-sign

As you noticed, we ensured that the certificate will allow signing operations. Now we’ll sign the certificate we just created with the following command:

sign RoarinCA ca-crl-host=<Mikrotik LAN IP address> name=RoarinCA

Last, we export the certificate to make it available externally as a file (in the Files WebFig menu) using the command:

export-certificate RoarinCA

The VPN Server certificate

To generate the VPN Server certificate use the command:

add name=VPNserver common-name=VPNserver

and sign it with command:

sign VPNserver ca=RoarinCA

The VPN Client certificate

To generate the VPN client certificate use the command:

add name=VPNclient1 common-name=VPNclient1

and sign it with the command:

sign VPNclient1 ca=RoarinCA

Please note that the name used as a common name above is the username that you will need to type in when defining the OpenVPN client.

Now we also need to export this certificate for later import into the OpenVPN client; to play safe, we’ll protect the exported client certificate (its private key) with a passphrase.

Use the command:

export-certificate VPNclient1 export-passphrase=Pass1234

To summarise, if you access the WebFig – System – Certificates menu you should see something similar to the picture below:

[Screenshot: System – Certificates list]

Please check in the second column that the KLAT flags are present for the CA row (K = private key present, L = CRL, A = authority, T = trusted).

Define the IP Address Pool

When the remote client connects, we will assign it an IP address from a pool that is different from the one we use, for example, for DHCP leases in our internal LAN.

For this configuration we’ll use a dedicated network, with a range of addresses from .10 to .19.

Let’s define such a pool in the IP configuration. On the Mikrotik console, switch to IP configuration with the command:

/ip

Then issue the command:

pool add name=ovpn-pool range=<network>.10-<network>.19

PPP Configuration

Now we need to configure the Point to Point Protocol used to encapsulate the transported traffic between the VPN client and the VPN server. As part of this configuration we will define also OpenVPN Server listener and encryption to be used.

Setup the profile

On the Mikrotik console, issue the following command (which includes changing the context to PPP configuration):

/ppp profile add name=roarinovpn local-address=<Mikrotik VPN gateway IP address> remote-address=ovpn-pool

This command basically says that once the remote client connects, it will receive an IP address from the pool we previously set up (ovpn-pool), and it will terminate the VPN tunnel on our Mikrotik-based OpenVPN server at the local-address we specified.

Create the Secret

For user authentication purposes, we setup a user profile with the command:

/ppp secret add name=VPNclient1 password=Pass1234 profile=roarinovpn

These are the name and password to use when setting up the OpenVPN client.

OpenVPN Server Settings

In the WebFig – PPP – Interface tab, ensure that the OVPN Server button shows the following settings:

[Screenshot: OVPN Server settings]

We’re set on server side!

Now let’s create the configuration file to install on the client…

The OpenVPN Client configuration

To simplify operations, we’ll create one single OpenVPN configuration file including the certificates for CA validation and client certificate and private key.

This is a good idea especially for iOS devices since it eases the installation process.

Create a text file named myclient.ovpn and copy/paste the contents below (the placeholders in angle brackets must be replaced with your own values):

# this is a layer 3 (IP) VPN
dev tun
topology subnet
# Mikrotik only supports TCP at the moment
proto tcp
# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote <your public IP address> 1194
resolv-retry infinite
# Mikrotik does not support link compression at the moment, so no comp-lzo here
# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6
#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC
#auth MD5
auth SHA1
# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass
# domain name for home LAN
dhcp-option DOMAIN <your home domain name>
# DNS server (replace with your own)
dhcp-option DNS <your DNS server IP address>
# SMB WINS name server if you have one
#dhcp-option WINS <your WINS server IP address>
# route to reach the encryption domain, that is our internal LAN
route <your LAN network> <your LAN netmask>
# Mikrotik accepts a CA cert
<ca>
<here you paste the content of your CA certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
</ca>
# Mikrotik expects a VPN Client Certificate
<cert>
<here you paste the content of your client certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
</cert>
# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
<here you paste the content of your client private key file, which you can retrieve from the Files menu in Mikrotik WebFig>
</key>
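
Since the unified profile is assembled by hand, it is easy to end up with a file that the iOS or macOS client silently rejects. The following Python helper is an added example, not something from the post or from MikroTik: it builds the unified .ovpn from the three exported PEM files and then lints the result against the constraints described above (TCP only, no LZO, username/password required, exactly one <ca>, <cert> and <key> block, each a well-formed PEM object with no stray whitespace, which is the problem one of the commenters hit). The base directives, the host name vpn.example.invalid and the base64 bodies are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# Directives the post says RouterOS 6.37's OpenVPN server does not support.
UNSUPPORTED = {
    "proto udp": "RouterOS OVPN server is TCP only; use 'proto tcp'",
    "comp-lzo": "RouterOS OVPN server has no LZO support; drop this line",
}
# Directives a client profile for this setup must carry.
REQUIRED = ("dev tun", "proto tcp", "remote", "auth-user-pass")
INLINE_TAGS = ("ca", "cert", "key")

# One PEM object: BEGIN line, optional "Key: value" headers, base64 lines, END line.
PEM_RE = re.compile(
    r"\A-----BEGIN ([A-Z ]+)-----\n(?:[\w-]+: [^\n]*\n)*\n?"
    r"(?:[A-Za-z0-9+/=]+\n)+-----END \1-----\Z"
)


def key_format(pem: str) -> str:
    """Classify a private-key PEM by its header, which is what the client parser sees."""
    first = pem.strip().splitlines()[0]
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8-encrypted"  # passphrase-protected, as exported with export-passphrase
    if first == "-----BEGIN PRIVATE KEY-----":
        return "pkcs8-plain"
    if first == "-----BEGIN RSA PRIVATE KEY-----":
        return "pkcs1-encrypted" if "Proc-Type: 4,ENCRYPTED" in pem else "pkcs1-plain"
    return "unknown"


def inline_pem(base_config: str, ca_pem: str, cert_pem: str, key_pem: str) -> str:
    """Append <ca>/<cert>/<key> blocks to the base directives, right-stripping every
    PEM line: stray spaces inside the inline blocks make the client reject the file."""
    parts = [base_config.rstrip("\n")]
    for tag, pem in zip(INLINE_TAGS, (ca_pem, cert_pem, key_pem)):
        body = "\n".join(line.rstrip() for line in pem.strip().splitlines())
        parts.append(f"<{tag}>\n{body}\n</{tag}>")
    return "\n".join(parts) + "\n"


def lint_profile(text: str) -> list:
    """Return a list of findings; an empty list means the profile passed every check."""
    findings, directives, in_block = [], [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if re.fullmatch(r"</?(ca|cert|key)>", stripped):
            if raw != stripped:
                findings.append(f"whitespace around inline tag {stripped!r}")
            in_block = not stripped.startswith("</")
            continue
        if in_block or not stripped or stripped.startswith("#"):
            continue
        directives.append(stripped)

    joined = "\n".join(directives)
    for bad, why in UNSUPPORTED.items():
        if re.search(rf"^{re.escape(bad)}(?:\s|$)", joined, re.M):
            findings.append(f"unsupported directive '{bad}': {why}")
    for need in REQUIRED:
        if not re.search(rf"^{re.escape(need)}(?:\s|$)", joined, re.M):
            findings.append(f"missing directive '{need}'")
    for d in directives:
        if d.startswith("remote "):
            fields = d.split()
            if len(fields) < 3 or fields[1].startswith("<") or not fields[2].isdigit():
                findings.append("'remote' needs a real host and a numeric port")

    for tag in INLINE_TAGS:
        blocks = re.findall(rf"^<{tag}>\n(.*?)^</{tag}>", text, re.S | re.M)
        if len(blocks) != 1:
            findings.append(f"expected exactly one <{tag}> block, found {len(blocks)}")
            continue
        lines = blocks[0].strip().splitlines()
        if any(line != line.rstrip() for line in lines):
            findings.append(f"trailing whitespace inside <{tag}> block")
        norm = "\n".join(line.rstrip() for line in lines)
        if not PEM_RE.match(norm):
            findings.append(f"<{tag}> block is not a single well-formed PEM object")
        elif tag == "key" and key_format(norm) == "unknown":
            findings.append("<key> block is not a recognised private-key PEM")
    return findings


# Constructed sample material: valid base64, but NOT real certificates or keys.
_FAKE_B64 = base64.b64encode(b"constructed placeholder, not a real certificate or key").decode()
SAMPLE_CA = f"-----BEGIN CERTIFICATE-----\n{_FAKE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = SAMPLE_CA
SAMPLE_KEY = f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{_FAKE_B64}\n-----END ENCRYPTED PRIVATE KEY-----\n"
# Base directives mirroring the post's profile; the host name is an assumption.
BASE_CONFIG = """\
client
dev tun
topology subnet
proto tcp
remote vpn.example.invalid 1194
resolv-retry infinite
cipher AES-256-CBC
auth SHA1
auth-user-pass
verb 1
"""


def build_sample() -> str:
    """Unified sample profile assembled from the constructed parts above."""
    return inline_pem(BASE_CONFIG, SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY)


if __name__ == "__main__":
    profile = build_sample()
    print(profile)
    print("findings:", lint_profile(profile) or "none")
```

Run it against your own files by passing their contents to inline_pem and feeding the result to lint_profile before copying the profile to the phone; key_format tells you up front whether the client will be asked for the export passphrase (pkcs8-encrypted) or is looking at a plain key.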

Installing the OpenVPN configuration on iOS

Once you’re set with your client configuration, send the myclient.ovpn file via mail to an account you can open on your iOS device, or use a cloud storage service such as Dropbox.

Once you tap on the file, select Open in… and the OpenVPN app, and you should see a screen similar to the one below:

[Screenshot: OpenVPN app profile import]

Slide the switch below the word Disconnected and in a few seconds you should see the VPN icon in the status bar of your iOS device.

On OS X, double-click the myclient.ovpn file to import it into Tunnelblick.

Please use the comments to let me know if you found this post useful; I’ll do my best to correct any mistakes I might have made in reporting my experience.


  7 Responses to “Mikrotik OpenVPN with OSX, iOS and Vodafone Station Revolution”

  1. I have tried but it does not work (( BEGIN RSA PRIVATE KEY is not accepted, I must use —–BEGIN ENCRYPTED PRIVATE KEY—– but I still have other errors with ovpn connect

  2. Thanks for the great explanation. It took me a while to get the ovpn file created: apparently I had some spaces after , etc. After that, importing into Tunnelblick on my laptop worked smoothly.

    However, importing the same ovpn file into my iPhone did NOT succeed. It complained on “PolarSSL: error parsing config private key: PKCS5 – Requested encryption on digest alg not available”

    Any ideas?

  3. Could you please be a bit more precise in what is the issue you are experiencing?

  4. Works nicely on my iPhone, using the latest OpenVPN App… what app are you using?

  5. I’m with the same issue. “PolarSSL: error parsing config private key: PKCS5 – Requested encryption on digest alg not available”. If I remove



    it tries to reconnect until timeout.
    In the log I can get the error:

    “Client exception in transport_recv_excode: PolarSSL: SSL read error: SSL – Processing of the Certificate handshake message failed.”
    “Client terminated, restarting in 2000ms…

    the full log is:

    “2017-07-28 17:34:05 —– OpenVPN Start —–
    OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
    2017-07-28 17:34:05 Keychain Cert Extraction: 1 certificate(s) found
    2017-07-28 17:34:05 Frame=512/2048/512 mssfix-ctrl=1250
    2017-07-28 17:34:05 UNUSED OPTIONS
    5 [resolv-retry] [infinite]
    6 [nobind]
    7 [persist-key]
    8 [persist-tun]
    9 [verb] [1]
    2017-07-28 17:34:05 EVENT: RESOLVE
    2017-07-28 17:34:05 Contacting 200.XXX.XXX.XXX:1194 via TCP
    2017-07-28 17:34:05 EVENT: WAIT
    2017-07-28 17:34:05 SetTunnelSocket returned 1
    2017-07-28 17:34:05 Connecting to []:1194 (200.XXX.XXX.XXX) via TCPv4
    2017-07-28 17:34:05 EVENT: CONNECTING
    2017-07-28 17:34:05 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
    2017-07-28 17:34:05 Creds: Username/Password
    2017-07-28 17:34:05 Peer Info:
    IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
    2017-07-28 17:34:06 VERIFY OK: depth=0
    cert. version : 3
    serial number : 5C:D3:E4:B4
    issuer name : C=BR, ST=XX, O=XXXXX, CN=Cert1
    subject name : C=BR, ST=XX, O=XXXXX, CN=Cert1
    issued on : 2016-10-10 20:28:43
    expires on : 2026-10-08 20:28:43
    signed using : RSA with SHA-256
    RSA key size : 1024 bits
    basic constraints : CA=true
    key usage : Key Cert Sign, CRL Sign
    2017-07-28 17:34:06 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL – Processing of the Certificate handshake message failed
    2017-07-28 17:34:06 Client terminated, restarting in 2000 ms…
    2017-07-28 17:34:06 NET Internet:ReachableViaWiFi/-R t——”

    Pleese heeeellpp!!!

  6. Same here as Harold. PKCS5 error and not connecting vpn

  7. I’ll retest soon and will post new update to this thread.
