Sep 29 2016

As time goes by and social sites become more and more pervasive in our lives, I’ve decided to make fewer posts on my own blog but keep them relevant (at least to me).

This new one is about my recent home network improvement:

  • Vodafone Fiber Link (with Vodafone Station Revolution)
  • Firewall replacement: from my old glorious Stonesoft hardware + pfSense to a brand new shining Mikrotik RouterBoard RB2011UiAS

I needed to build VPN access from outer space to my own network, mainly using my two preferred tools: an iOS device and OS X on my Mac.

It took me a while to find the right combination of settings, given the constraints of what I was aiming for, which was this (naturally, IP info has been sanitized 😎):

what I was after

I started by setting the Vodafone Station Revolution (VFR) to forward TCP port 1194 from the public IP to the external IP address of The Mighty Mikrotik (TMM).

I chose OpenVPN since IMHO it allows the greatest flexibility, requiring only one port to be forwarded. I tried L2TP but had issues with the very few settings allowed by the VFR.

Also, OpenVPN is available as an app for iOS, and on the Mac you have great software such as Tunnelblick.

Then I started dealing with the Mikrotik part: although enormously flexible, Mikrotik configuration might seem a bit scattered at first… which is the main reason why I’ve decided to write this post 🙂

Ready? Set… GO!

First, be aware of two limitations of OpenVPN support in Mikrotik as I’m writing (RouterOS 6.37):

  • No support for UDP
  • No support for lzo compression

Otherwise the support is perfect for what I wanted: certificate-based authentication over TCP, with the VPN in routed mode (tun).

I’ll mostly go with CLI commands here, showing the outcome in Mikrotik WebFig for your reference.

Set up the certificates

To start, you need three certificates:

  • one is the CA (Certificate Authority), used to sign the VPN server and VPN client certificates
  • the second is the VPN server certificate, which the Mikrotik will use to authenticate itself to your client when it attempts to connect
  • the third is the VPN client certificate, which your client will use to authenticate to the Mikrotik VPN server when it attempts to connect. This one is safer to protect with a passphrase.

The CA certificate

To generate what you need for the CA, SSH into the Mikrotik and issue the following commands (the leading /certificate switches the console to the certificate context):

/certificate add name=RoarinCA common-name=RoarinCA key-usage=key-cert-sign,crl-sign

As you can see, we ensured that the certificate will be allowed to sign other certificates. Now we’ll self-sign the certificate we just created with the following command:

/certificate sign RoarinCA ca-crl-host= name=RoarinCA

Last, we export the certificate to make it available externally as a file (visible in the Files WebFig menu) using the command:

/certificate export-certificate RoarinCA

The VPN Server certificate

To generate the VPN Server certificate use the command:

/certificate add name=VPNserver common-name=VPNserver

and sign it with the command:

/certificate sign VPNserver ca=RoarinCA

The VPN Client certificate

To generate the VPN client certificate use the command:

/certificate add name=VPNclient1 common-name=VPNclient1

and sign it with the command:

/certificate sign VPNclient1 ca=RoarinCA

Please note that the name used as the common name above is the username that you will need to type in when defining the OpenVPN client.

We also need to export this certificate for later import into the OpenVPN client; to play safe, we’ll protect the exported private key with a passphrase.

Use the command:

/certificate export-certificate VPNclient1 export-passphrase=Pass1234

To summarise, if you open the WebFig – System – Certificates menu you should see something similar to the picture below:


Please check in the second column that the KLAT flags are present on the CA row (K = private key present, L = CRL, A = authority, T = trusted).

Define the IP Address Pool

When the remote client connects, we will assign it an IP address from a pool that is different from the one we use, for example, to hand out DHCP leases in our internal LAN.

For this configuration we’ll use the network with a range of addresses from .10 to .19.

Let’s define such a pool in the IP configuration. On the Mikrotik console, switch to the IP configuration context with the command:

/ip
Then issue the command:

pool add name=ovpn-pool range=

PPP Configuration

Now we need to configure the Point-to-Point Protocol used to encapsulate the transported traffic between the VPN client and the VPN server. As part of this configuration we will also define the OpenVPN server listener and the encryption to be used.

Set up the profile

On the Mikrotik console, issue the following command (the leading /ppp changes the context to PPP configuration):

/ppp profile add name=roarinovpn local-address= remote-address=ovpn-pool

This command basically says that once the remote client connects, it will receive an IP address from the pool we previously set up (let’s say ) and it will terminate the VPN tunnel on our Mikrotik-based OpenVPN server on the IP address

Create the Secret

For user authentication purposes, we set up a user secret with the command:

/ppp secret add password=Pass1234 profile=roarinovpn

These are the username and password to use when setting up the OpenVPN client.

OpenVPN Server Settings

In the WebFig – PPP – Interface tab, click the OVPN Server button and ensure it shows the following settings:

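Since the screenshot of the OVPN Server settings is not reproduced here, the following is the equivalent RouterOS CLI, added as an example (not taken from the original post) and built from the certificate, profile, port, cipher and digest names used elsewhere in this post; the only assumption is that the WAN-facing interface is called ether1.

```routeros
# Added example (not from the original post): CLI equivalent of the WebFig
# OVPN Server settings. mode=ip is the routed (tun) mode; certificate and
# default-profile are the objects created earlier in this post.
/interface ovpn-server server set enabled=yes port=1194 mode=ip certificate=VPNserver require-client-certificate=yes default-profile=roarinovpn auth=sha1 cipher=aes256

# The VFR forwards TCP 1194 to the Mikrotik, so the input chain must accept it
# as well. Assumption: the WAN-facing interface is ether1. If the input chain
# ends with a drop rule, move this rule above it (or use place-before=).
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1194 action=accept comment="OpenVPN from VFR"

# Check the listener, and after the first client connects, the PPP session.
/interface ovpn-server server print
/ppp active print
```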

We’re all set on the server side!

Now let’s create the configuration file to install on the client…

The OpenVPN Client configuration

To simplify operations, we’ll create one single OpenVPN configuration file that includes, inline, the CA certificate (to validate the server), the client certificate and the client private key.

This is a good idea especially for iOS devices since it eases the installation process.

Create a text file named myclient.ovpn and copy/paste the contents below (replacing the placeholders in angle brackets):

# OpenVPN client in TLS mode (connects to a server, pulls options)
client
# this is a layer 3 (IP) VPN
dev tun
topology subnet
# Mikrotik only supports TCP at the moment
proto tcp
# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote 1194
resolv-retry infinite
# Mikrotik does not support link compression at the moment, so leave it off
#comp-lzo
# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6
#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC
#auth MD5
auth SHA1
# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication (the PPP secret defined above)
auth-user-pass
# domain name for home LAN
dhcp-option DOMAIN
# DNS server (replace with your own)
dhcp-option DNS
# SMB WINS name server if you have one
#dhcp-option WINS
# route to reach the encryption domain, that is our internal LAN
# Mikrotik accepts a CA cert
<ca>
<here you paste the content of your CA certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
</ca>
# Mikrotik expects a VPN Client Certificate
<cert>
<here you paste the content of your client certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
</cert>
# OpenVPN Client needs the VPN Client Private Key to prove ownership of the
# client certificate during the SSL/TLS handshake
<key>
<here you paste the content of your client private key file, which you can retrieve from the Files menu in Mikrotik WebFig>
</key>

Installing the OpenVPN configuration on iOS

Once you’re set with your client configuration, send the myclient.ovpn file by e-mail to an account you can open on your iOS device, or use a cloud storage service such as Dropbox.

Once you tap on the file, select Open in… and then the OpenVPN app, and you should see a screen similar to the one below:


Slide the switch below the word Disconnected and in a few seconds you should see the VPN icon in the status bar at the top of your iOS device.

On OS X, double-click on the myclient.ovpn file to import it into Tunnelblick.

Please use the comments to let me know if you found this post useful; I’ll do my best to correct any mistakes I might have made in reporting my experience.
