Mikrotik OpenVPN with OSX, iOS and Vodafone Station Revolution

*** UPDATED ON 26 NOV 2019 ***

As time goes by and as social sites becomes more and more pervasive in our life, I’ve decided to make fewer posts on my own blogs but keeping them relevant (at least to me).

This new one is about my recent home network improvement:

• Vodafone Fiber Link (with Vodafone Station Revolution)
• Firewall replacement from my old glorious Stonesoft hardware+PFSense with a brand new shining Mikrotik RouterBoard RB2011UiAS

I needed to build VPN access from outer space to my own network, mainly using my two preferred tools: iOS device and OS X on my Mac.

It took me a while to find the right combination of configurations, given the constraints of what I was aiming to. Which was this (naturally IP info has been sanitized 😎 ):

I started by setting the Vodafone Station Revolution (VFR) to forward port TCP 1194 from the public IP to The Mighty Mikrotik (TMM) external net IP address.

I choose OpenVPN since IMHO it allows the greater flexibility, requiring only one port to be forwarded. I tried L2TP but had issues with the very few settings allowed by the VFR.

Also, OpenVPN is available as App for iOS and on the Mac you have great software such as TunnelBlick.

Then I started dealing with the Mikrotik part: although enormously flexible, Mikrotik configuration might seem a bit dispersed at first… which is the main reason why I’ve decided to write this post 🙂

Ready? Set… GO!

First, be aware of two limitations of OpenVPN Support in Mikrotik as I’m writing (RouterOS 6.45.7):

• No support for UDP
• No support for lzo compression

Otherwise the support is perfect for what I wanted: certificate based authentication and TCP, VPN in routed mode (tun).

I’ll mostly go with CLI commands here, showing the outcome in Mikrotik Webfig for your reference

Setup the certificates

To start, you need three certificates:

• one is the CA (Certificate Authority), to sign the VPN server and the VPN client ones
• the other is the VPN server certificate, which you will use to authenticate the Mikrotik to your client when it will attempt to connect
• the third is the VPN client certificate, which your client will use to authenticate to the Mikrotik VPN server when it will attempt to connect. This one is safer to protect with a passphrase.

The CA certificate

To generate what you need for the CA, SSH into Mikrotik and issue the following commands:

/certificate
add name=RoarinCA common-name=RoarinCA key-usage=key-cert-sign,crl-sign 

As you noticed, we ensured that the certificate will allow signing operations. Now we’ll sign the certificate we just created with the following command:

sign RoarinCA ca-crl-host=192.168.20.254 name=RoarinCA

Last, we export the certificate to make it available externally as a file (in the Files WebFig menu) using the command:

export-certificate RoarinCA

The VPN Server certificate

To generate the VPN Server certificate use the command:

add name=VPNserver common-name=tikvpn.mydomain.com

and sign it with command:

sign VPNserver ca=RoarinCA name=tikvpn.mydomain.com

The VPN Client certificate

To generate the VPN certificate use the command:

add name=VPNclient1 common-name=vpnclient.mydomain.com

and sign it with the command:

sign VPNclient1 ca=RoarinCA name=vpnclient.mydomain.com

Please note that the name used as a common name above is the username that you will need to type in when defining the OpenVPN client.

Now we need to export also this certificate for later import into OpenVPN Client; to play safe, we’ll protect this client certificate with a password.

Use the command:

export-certificate export-passphrase=Pass1234 vpnclient.mydomain.com

To summarise, if you access WebFig – System – Certificates menu you should see something similar to the picture below:

Please check in the second column that the KLAT acronym is present for CA row.

Define the IP Address Pool

When the remote client will connect, we will assign him an IP address from a pool that is different from the one we use, for example, to set DHCP leases in our internal LAN.

This is not mandatory, you can also set it ip to use the same IP space used in your internal LAN. Just remember to enable the Proxy-Arp on the interface facing your Internal Lan, in my case the Bridge interface:

For this configuration we’ll use 192.168.2.0/24 network with a range of addresses from .10 to .19.

Let’s define such pool in the IP configuration. On the Mikrotik console, switch to IP configuration with the command:

/ip

Then issue the command:

pool add name=ovpn-pool range=192.168.2.10-192.168.2.19

PPP Configuration

Now we need to configure the Point to Point Protocol used to encapsulate the transported traffic between the VPN client and the VPN server. As part of this configuration we will define also OpenVPN Server listener and encryption to be used.

Setup the profile

On the Mikrotik console, issue the following command (which includes changing the context to PPP configuration):

/ppp profile add name=roarinovpn local-address=ovpn-pool remote-address=ovpn-pool

This command basically says that once the remote client will connect, he will receive an IP address from the pool we previously setup (let’s say 192.168.2.10) and it will terminate the VPN tunnel on our Mikrotik-based OpenVPN server on the IP address from the same pool.

Create the Secret

For user authentication purposes, we setup a user profile with the command:

/ppp secret add name=vpnclient.mydomain.com password=Pass1234 profile=roarinovpn

These are the name and password to use when setting up the OpenVPN client.

OpenVPN Server Settings

In WebFig – PPP – Interface tab, ensure that OVPN Server button shows the following settings:

To improve security, you may want to flag the Require Client Certificate option.

We’re set on server side!

Now let’s create the configuration file to install on the client…

The OpenVPN Client configuration

To simplify operations, we’ll create one single OpenVPN configuration file including the certificates for CA validation and client certificate and private key.

This is a good idea especially for iOS devices since it eases the installation process.

Create a text file named myclient.ovpn and copy/paste the contents below:

client
# this is a layer 3 (IP) VPN
dev tun
topology subnet
# Mikrotik only supports TCP at the moment
proto tcp
# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote mydomain.dyndns.org 1194
resolv-retry infinite
nobind
# Mikrotik does not support link compression at the moment
#comp-lzo
persist-key
persist-tun
#mute-replay-warnings
# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6
#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC
#auth MD5
auth SHA1
# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass
# domain name for home LAN (replace with your own)
dhcp-option DOMAIN mydomain.com
# DNS server (replace with your own)
dhcp-option DNS 8.8.8.8
# SMB WINS name server if you have one
#dhcp-option WINS 192.168.1.1
# route to reach the encryption domain, that is our internal LAN
route 192.168.20.0 255.255.255.0 192.168.2.254
# Mikrotik accepts a CA cert
<ca>
-----BEGIN CERTIFICATE-----
<here you paste the content of your CA certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END CERTIFICATE-----
</ca>

# Mikrotik expects a VPN Client Certificate
<cert>
-----BEGIN CERTIFICATE-----
<here you paste the content of your client certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END CERTIFICATE-----
</cert>

# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
-----BEGIN RSA PRIVATE KEY-----
<here you paste the content of your client private key file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END RSA PRIVATE KEY-----
</key>

NOTABENE: some users in comments reported issues in interpreting the client private key. The solution to this issue is to ensure that Private Key is in PKCS#8 format, in which case the BEGIN and END will become 

—–BEGIN ENCRYPTED PRIVATE KEY—–

—–END ENCRYPTED PRIVATE KEY—–

You can use several free and commercial software to convert the key.
Below the example with openssl from a Linux command line.

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in pkcs5.key -out pkcs8.key

Installing the OpenVPN configuration on iOS

Once you’re set with your client configuration, send the client.ovpn file via mail to an account you can open on your iOS device or use cloud storages such as Dropbox.

Once you tap on the file, select Open in… and OpenVPN app and you should have a screen similar to the one reported below:

Slide the switch below the word Disconnected and in few seconds you should see the  icon on the top row in our iOS device.

If you are using an updated version of the OpenVPN app on iOS 13, the VPN needs to be started from the app itself:

On OSX, double click on the client.ovpn file to import it into TunnelBlick.

Please use the comments to let me know if you found this post useful, I’ll do my best to correct any mistake I might have done in reporting my experience.

Enjoy!