*** UPDATED ON 26 NOV 2019 ***
As time goes by and social sites become more and more pervasive in our lives, I’ve decided to make fewer posts on my own blogs while keeping them relevant (at least to me).
This new one is about my recent home network improvement:
- Vodafone Fiber Link (with Vodafone Station Revolution)
- Firewall replacement: from my glorious old Stonesoft hardware+PFSense to a brand new, shining Mikrotik RouterBoard RB2011UiAS
I needed to build VPN access from outer space to my own network, mainly using my two preferred tools: iOS device and OS X on my Mac.
It took me a while to find the right combination of configurations, given the constraints of what I was aiming for, which was this (naturally IP info has been sanitized 😎 ):
I started by setting the Vodafone Station Revolution (VFR) to forward port TCP 1194 from the public IP to The Mighty Mikrotik (TMM) external net IP address.
I chose OpenVPN since IMHO it allows the greatest flexibility, requiring only one port to be forwarded. I tried L2TP but had issues with the very few settings allowed by the VFR.
Then I started dealing with the Mikrotik part: although enormously flexible, Mikrotik configuration might seem a bit dispersed at first… which is the main reason why I’ve decided to write this post 🙂
Ready? Set… GO!
First, be aware of two limitations of OpenVPN Support in Mikrotik as I’m writing (RouterOS 6.45.7):
- No support for UDP
- No support for lzo compression
Otherwise the support is perfect for what I wanted: certificate based authentication and TCP, VPN in routed mode (tun).
I’ll mostly go with CLI commands here, showing the outcome in Mikrotik WebFig for your reference.
Setup the certificates
To start, you need three certificates:
- one is the CA (Certificate Authority), to sign the VPN server and the VPN client ones
- the second is the VPN server certificate, which you will use to authenticate the Mikrotik to your client when it attempts to connect
- the third is the VPN client certificate, which your client will use to authenticate to the Mikrotik VPN server when it attempts to connect. This one is safer to protect with a passphrase.
The CA certificate
To generate what you need for the CA, SSH into Mikrotik and issue the following commands:
/certificate add name=RoarinCA common-name=RoarinCA key-usage=key-cert-sign,crl-sign
As you noticed, we ensured that the certificate will allow signing operations. Now we’ll sign the certificate we just created with the following command:
sign RoarinCA ca-crl-host=192.168.20.254 name=RoarinCA
Last, we export the certificate to make it available externally as a file (in the Files WebFig menu) using the command:
The VPN Server certificate
To generate the VPN Server certificate use the command:
add name=VPNserver common-name=tikvpn.mydomain.com
and sign it with command:
sign VPNserver ca=RoarinCA name=tikvpn.mydomain.com
The VPN Client certificate
To generate the VPN certificate use the command:
add name=VPNclient1 common-name=vpnclient.mydomain.com
and sign it with the command:
sign VPNclient1 ca=RoarinCA name=vpnclient.mydomain.com
Please note that the name used as a common name above is the username that you will need to type in when defining the OpenVPN client.
Now we also need to export this certificate for later import into the OpenVPN client; to play it safe, we’ll protect this client certificate with a password.
Use the command:
export-certificate export-passphrase=Pass1234 vpnclient.mydomain.com
To summarise, if you access WebFig – System – Certificates menu you should see something similar to the picture below:
Please check that the KLAT acronym is present in the second column of the CA row.
Define the IP Address Pool
When the remote client connects, we will assign it an IP address from a pool that is different from the one we use, for example, to set DHCP leases in our internal LAN.
This is not mandatory: you can also set it up to use the same IP space used in your internal LAN. Just remember to enable Proxy-ARP on the interface facing your internal LAN, in my case the Bridge interface:
For this configuration we’ll use 192.168.2.0/24 network with a range of addresses from .10 to .19.
Let’s define such pool in the IP configuration. On the Mikrotik console, switch to IP configuration with the command:
Then issue the command:
pool add name=ovpn-pool range=192.168.2.10-192.168.2.19
Now we need to configure the Point to Point Protocol used to encapsulate the traffic transported between the VPN client and the VPN server. As part of this configuration we will also define the OpenVPN Server listener and the encryption to be used.
Setup the profile
On the Mikrotik console, issue the following command (which includes changing the context to PPP configuration):
/ppp profile add name=roarinovpn local-address=ovpn-pool remote-address=ovpn-pool
This command basically says that once the remote client connects, it receives an IP address from the pool we previously set up (let’s say 192.168.2.10), and the VPN tunnel terminates on our Mikrotik-based OpenVPN server on an IP address from the same pool.
Create the Secret
For user authentication purposes, we set up a user profile with the command:
/ppp secret add name=vpnclient.mydomain.com password=Pass1234 profile=roarinovpn
These are the name and password to use when setting up the OpenVPN client.
OpenVPN Server Settings
In WebFig – PPP – Interface tab, ensure that OVPN Server button shows the following settings:
To improve security, you may want to flag the Require Client Certificate option.
We’re set on server side!
Now let’s create the configuration file to install on the client…
The OpenVPN Client configuration
To simplify operations, we’ll create one single OpenVPN configuration file including the certificates for CA validation and client certificate and private key.
This is a good idea especially for iOS devices since it eases the installation process.
Create a text file named myclient.ovpn and copy/paste the contents below:
client
# this is a layer 3 (IP) VPN
dev tun
topology subnet
# Mikrotik only supports TCP at the moment
proto tcp
# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote mydomain.dyndns.org 1194
resolv-retry infinite
nobind
# Mikrotik does not support link compression at the moment
#comp-lzo
persist-key
persist-tun
#mute-replay-warnings
# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6
#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC
#auth MD5
auth SHA1
# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass
# domain name for home LAN (replace with your own)
dhcp-option DOMAIN mydomain.com
# DNS server (replace with your own)
dhcp-option DNS 188.8.131.52
# SMB WINS name server if you have one
#dhcp-option WINS 192.168.1.1
# route to reach the encryption domain, that is our internal LAN
route 192.168.20.0 255.255.255.0 192.168.2.254
# Mikrotik accepts a CA cert
<ca>
-----BEGIN CERTIFICATE-----
<here you paste the content of your CA certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END CERTIFICATE-----
</ca>
# Mikrotik expects a VPN Client Certificate
<cert>
-----BEGIN CERTIFICATE-----
<here you paste the content of your client certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END CERTIFICATE-----
</cert>
# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
-----BEGIN RSA PRIVATE KEY-----
<here you paste the content of your client private key file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END RSA PRIVATE KEY-----
</key>
NOTA BENE: some users reported in the comments issues with how the client private key is interpreted. The solution to this issue is to ensure that the private key is in PKCS#8 format, in which case the BEGIN and END markers will become
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
You can use several free and commercial tools to convert the key.
Below is an example with openssl from a Linux command line. Note that the -nocrypt option writes the converted key without passphrase protection, so with this command the markers read BEGIN PRIVATE KEY and END PRIVATE KEY.
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in pkcs5.key -out pkcs8.key
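As an added example (not part of the original post), the following Python check verifies a client profile against the constraints described above: TCP only, no comp-lzo, tun mode, auth-user-pass, and inline ca/cert/key blocks, and it reports which private key format the key block carries. The names check_profile and sample are assumptions of this example, and the sample profile is constructed with placeholder PEM bodies.

```python
import re

# Constraints from the post (RouterOS 6.45.7): TCP only, no LZO compression,
# routed (tun) mode, and username/password on top of the certificates.
REQUIRED = {"client": None, "dev": "tun", "proto": "tcp", "auth-user-pass": None}
FORBIDDEN = ("comp-lzo",)
KEY_FORMATS = {"RSA PRIVATE KEY": "traditional (PKCS#1)", "PRIVATE KEY": "PKCS#8",
               "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)"}
INLINE = re.compile(r"^<(ca|cert|key)>\n(.*?)\n</\1>$", re.S | re.M)
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)

def check_profile(text):
    """Return (problems, key_format) for the text of an .ovpn profile."""
    problems, key_format = [], None
    blocks = dict(INLINE.findall(text))  # inline block name -> its content
    for tag in ("ca", "cert", "key"):
        pem = PEM.search(blocks.get(tag, ""))
        if pem is None:
            problems.append(f"<{tag}>: missing or malformed PEM block")
        elif tag == "key":
            key_format = KEY_FORMATS.get(pem.group(1))
            if key_format is None:
                problems.append(f"<key>: unexpected marker {pem.group(1)}")
        elif pem.group(1) != "CERTIFICATE":
            problems.append(f"<{tag}>: expected CERTIFICATE, got {pem.group(1)}")
    directives = {}
    for line in INLINE.sub("", text).splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
    for name, want in REQUIRED.items():
        if name not in directives:
            problems.append(f"missing directive: {name}")
        elif want is not None and directives[name] != want:
            problems.append(f"{name} must be {want}, got {directives[name]}")
    problems += [f"unsupported directive: {d}" for d in FORBIDDEN if d in directives]
    return problems, key_format

def sample(proto="tcp", key="RSA PRIVATE KEY", extra=""):
    """Constructed profile with placeholder PEM bodies (no real key material)."""
    pem = lambda kind: f"-----BEGIN {kind}-----\nAAAA\n-----END {kind}-----"
    return (f"client\ndev tun\nproto {proto}\n{extra}auth-user-pass\n"
            f"<ca>\n{pem('CERTIFICATE')}\n</ca>\n<cert>\n{pem('CERTIFICATE')}\n</cert>\n"
            f"<key>\n{pem(key)}\n</key>\n")

if __name__ == "__main__":
    print(check_profile(sample(proto="udp", extra="comp-lzo\n")))
```

Running the check on a profile before mailing it to a device catches a UDP or comp-lzo setting, or a truncated paste of a certificate, without needing a connection attempt.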
Installing the OpenVPN configuration on iOS
Once you’re set with your client configuration, send the client.ovpn file via mail to an account you can open on your iOS device or use a cloud storage service such as Dropbox.
Once you tap on the file, select Open in… and OpenVPN app and you should have a screen similar to the one reported below:
On OSX, double click on the client.ovpn file to import it into TunnelBlick.
Please use the comments to let me know if you found this post useful; I’ll do my best to correct any mistake I might have made in reporting my experience.