*** UPDATED ON 26 NOV 2019 ***
As time goes by and social sites become more and more pervasive in our lives, I’ve decided to write fewer posts on my own blog but to keep them relevant (at least to me).
This new one is about my recent home network improvement:
- Vodafone Fiber Link (with Vodafone Station Revolution)
- Firewall replacement: my old glorious Stonesoft hardware + pfSense gives way to a brand new shining Mikrotik RouterBoard RB2011UiAS
I needed to build VPN access from outer space to my own network, mainly using my two preferred tools: iOS device and OS X on my Mac.
It took me a while to find the right combination of settings, given the constraints of what I was aiming for, which was this (naturally the IP info has been sanitized 😎):
I started by setting the Vodafone Station Revolution (VFR) to forward port TCP 1194 from the public IP to the external IP address of The Mighty Mikrotik (TMM). Remember that the Mikrotik’s own firewall must also accept TCP 1194 in its input chain on the interface facing the VFR: if you kept the RB2011 default firewall, which drops everything coming from the WAN side that is not a reply, the forwarded packets are silently dropped.
I chose OpenVPN since IMHO it allows the most flexibility while requiring only one port to be forwarded. I tried L2TP but had issues with the very few settings allowed by the VFR.
Also, OpenVPN is available as an app for iOS, and on the Mac you have great software such as Tunnelblick.
Then I started dealing with the Mikrotik part: although enormously flexible, Mikrotik configuration might seem a bit dispersed at first… which is the main reason why I’ve decided to write this post 🙂
Ready? Set… GO!
First, be aware of two limitations of OpenVPN Support in Mikrotik as I’m writing (RouterOS 6.45.7):
- No support for UDP
- No support for lzo compression
Otherwise the support is perfect for what I wanted: certificate-based authentication over TCP, with the VPN in routed mode (tun). (UDP support for the OVPN server only arrived later, in RouterOS 7, so on 6.x TCP is the only option.)
I’ll mostly go with CLI commands here, showing the outcome in Mikrotik WebFig for your reference.
Setup the certificates
To start, you need three certificates:
- one is the CA (Certificate Authority), to sign the VPN server and the VPN client ones
- the other is the VPN server certificate, which you will use to authenticate the Mikrotik to your client when it will attempt to connect
- the third is the VPN client certificate, which your client will use to authenticate to the Mikrotik VPN server when it will attempt to connect. This one is safer to protect with a passphrase.
The CA certificate
To generate what you need for the CA, SSH into the Mikrotik and issue the following command:
/certificate add name=RoarinCA common-name=RoarinCA key-usage=key-cert-sign,crl-sign
As you noticed, we ensured that the certificate will allow signing operations. Be aware that RouterOS defaults to a validity of 365 days (days-valid) and a 2048-bit key: once the CA expires, every certificate it signed stops validating, so set a longer days-valid on the CA if you do not want to redo this in a year. Now we’ll sign the certificate we just created with the following command (ca-crl-host is the address the router will publish as CRL location):
sign RoarinCA ca-crl-host=192.168.20.254 name=RoarinCA
Last, we export the certificate to make it available externally as a file (in the Files WebFig menu) using the command:
export-certificate RoarinCA
Without an export passphrase only the public certificate (a .crt file) is exported; the CA private key stays on the router, which is what we want.
The VPN Server certificate
To generate the VPN Server certificate use the command:
add name=VPNserver common-name=tikvpn.mydomain.com
and sign it with the command (note that the name= parameter of sign renames the certificate, so from now on it is called tikvpn.mydomain.com):
sign VPNserver ca=RoarinCA name=tikvpn.mydomain.com
The VPN Client certificate
To generate the VPN client certificate use the command:
add name=VPNclient1 common-name=vpnclient.mydomain.com
and sign it with the command:
sign VPNclient1 ca=RoarinCA name=vpnclient.mydomain.com
Please note that I reuse the common name above as the PPP username later on; that is a convention for tidiness, the username the Mikrotik actually checks is the one we will create as a PPP secret.
Now we need to export this certificate as well, for later import into the OpenVPN client; to play safe, we’ll protect the client private key with a passphrase (Pass1234 is a placeholder, use your own).
Use the command:
export-certificate vpnclient.mydomain.com export-passphrase=Pass1234
This time both a .crt and a .key file appear in the Files menu, the key encrypted with the passphrase.
To summarise, if you access WebFig – System – Certificates menu you should see something similar to the picture below:
Please check in the second column that the KLAT flags are present on the CA row: K means the private key is on the router, L that a CRL exists, A that the certificate is an authority (CA) and T that it is trusted. Certificates signed by it show up with an I (issued) flag, and the two we just created must carry K as well.
Define the IP Address Pool
When the remote client connects, we will assign it an IP address from a pool that is different from the one we use, for example, for DHCP leases in our internal LAN.
This is not mandatory: you can also set it up to use the same IP space as your internal LAN. Just remember to enable Proxy ARP on the interface facing your internal LAN, in my case the Bridge interface, so that the router answers ARP for the VPN client addresses:
For this configuration we’ll use 192.168.2.0/24 network with a range of addresses from .10 to .19.
Let’s define such pool in the IP configuration. On the Mikrotik console, switch to IP configuration with the command:
/ip
Then issue the command:
pool add name=ovpn-pool range=192.168.2.10-192.168.2.19
PPP Configuration
Now we need to configure the Point-to-Point Protocol (PPP) used to encapsulate the transported traffic between the VPN client and the VPN server. As part of this configuration we will also define the OpenVPN server listener and the encryption to be used.
Setup the profile
On the Mikrotik console, issue the following command (which includes changing the context to PPP configuration):
/ppp profile add name=roarinovpn local-address=ovpn-pool remote-address=ovpn-pool
This command basically says that once the remote client connects it receives an IP address from the pool we previously set up (let’s say 192.168.2.10), and the Mikrotik end of the tunnel takes another address from the same pool.
Create the Secret
For user authentication purposes, we set up a user profile with the command (again, replace the Pass1234 placeholder with a real password):
/ppp secret add name=vpnclient.mydomain.com password=Pass1234 profile=roarinovpn
These are the username and password that the OpenVPN client will send (auth-user-pass) on top of its certificate. If the Mikrotik also serves other PPP flavours (L2TP, PPTP, PPPoE), adding service=ovpn to the secret keeps this account usable for OpenVPN only.
OpenVPN Server Settings
In WebFig – PPP – Interface tab, open the OVPN Server dialog and make sure it matches what we configured so far: Enabled checked, Port 1194, Mode ip (routed, i.e. tun), Certificate set to the server certificate (tikvpn.mydomain.com), and Auth sha1 with Cipher aes256 to match the client profile.
Flag the Require Client Certificate option as well: without it the client certificate we just created is never checked, and the PPP username and password alone open the tunnel.
We’re set on server side!
Now let’s create the configuration file to install on the client…
The OpenVPN Client configuration
To simplify operations, we’ll create one single OpenVPN configuration file including the certificates for CA validation and client certificate and private key.
This is a good idea especially for iOS devices since it eases the installation process.
Create a text file named client.ovpn and copy/paste the contents below:
client
# this is a layer 3 (IP) VPN
dev tun
topology subnet
# Mikrotik (RouterOS 6.x) only supports TCP at the moment
proto tcp
# put your VPN server's routable (WAN or Internet-accessible) address here
remote mydomain.dyndns.org 1194
# the next four options are ignored by OpenVPN Connect 3 (it logs them as UNUSED OPTIONS), harmless
resolv-retry infinite
nobind
persist-key
persist-tun
# Mikrotik does not support link compression at the moment
#comp-lzo
#mute-replay-warnings
# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6
# cipher and HMAC must be ones the Mikrotik OVPN server offers
#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC
#auth MD5
auth SHA1
# Mikrotik's PPP server requires username/password authentication
# (the /ppp secret) and uses it in conjunction with both client- and
# server-side X.509v3 certificate authentication
auth-user-pass
# domain name for the home LAN (replace with your own)
dhcp-option DOMAIN mydomain.com
# DNS server (replace with your own)
dhcp-option DNS 8.8.8.8
# SMB WINS name server, if you have one
#dhcp-option WINS 192.168.1.1
# route to reach the encryption domain, that is our internal LAN, via the
# Mikrotik end of the tunnel (if your client does not install the route,
# use the OpenVPN keyword vpn_gateway in place of the address)
route 192.168.20.0 255.255.255.0 192.168.2.254
# CA certificate, used to validate the Mikrotik's server certificate
<ca>
-----BEGIN CERTIFICATE-----
<here you paste the content of your CA certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END CERTIFICATE-----
</ca>
# VPN client certificate, presented to the Mikrotik
<cert>
-----BEGIN CERTIFICATE-----
<here you paste the content of your client certificate file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END CERTIFICATE-----
</cert>
# the client private key, with which the OpenVPN client proves possession of
# the client certificate during the TLS handshake; the BEGIN/END labels are
# those of your key file (see the note on PKCS#8 below)
<key>
-----BEGIN RSA PRIVATE KEY-----
<here you paste the content of your client private key file, which you can retrieve from the Files menu in Mikrotik WebFig>
-----END RSA PRIVATE KEY-----
</key>
NOTABENE: some readers reported in the comments that the client private key was not accepted, the iOS app failing with “PKCS5 – Requested encryption or digest alg not available”. That error means the app does not support the cipher or digest used to encrypt the PKCS#8 key it was given, so the solution is to re-encode the private key as PKCS#8 yourself. You can use several free and commercial tools to convert the key; below is the example with openssl from a Linux command line, which reads the key exported from the Mikrotik (it prompts for the export passphrase) and writes it in PKCS#8 form:
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in pkcs5.key -out pkcs8.key
Because of -nocrypt the resulting key is unencrypted, and its BEGIN and END lines become
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
so treat the .ovpn file that embeds it as a secret. If you omit -nocrypt the key stays encrypted (the lines then read -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY-----), but the client must support whatever cipher and digest openssl picked for the PKCS#8 encryption, which is exactly what the error above complains about.
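To catch these problems before the profile reaches a phone, here is a small offline checker. It is an example added to this post, not code from Mikrotik or the OpenVPN project: it encodes the constraints listed above (TCP only, no LZO, tun mode, PPP username/password on top of the certificates, inline <ca>/<cert>/<key>) and the two client-side mistakes reported in the comments, whitespace inside the PEM blocks and a private key that is not plain PKCS#8. The function and constant names are mine, and the sample profile at the bottom is constructed: its PEM bodies wrap a five-byte DER placeholder, not real certificates.

```python
"""Sanity-check a single-file OpenVPN profile aimed at a RouterOS 6.x OVPN server.
Example added to the post (not Mikrotik or OpenVPN code); the checks mirror the
limitations described in the text and the key-format issue from the comments."""
import base64
import re

# Cipher and HMAC names (OpenVPN spelling) that the RouterOS 6.x OVPN server offers.
ROUTEROS_CIPHERS = {"BF-CBC", "AES-128-CBC", "AES-192-CBC", "AES-256-CBC"}
ROUTEROS_AUTH = {"MD5", "SHA1"}
INLINE_RE = re.compile(r"<(?P<tag>ca|cert|key)>\r?\n(?P<content>.*?)</(?P=tag)>", re.S)
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P<end>[A-Z0-9 ]+)-----", re.S)


def parse_profile(text):
    """Split a profile into {directive: [args, ...]} and {tag: inline block text}."""
    blocks = {m.group("tag"): m.group("content") for m in INLINE_RE.finditer(text)}
    opts = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # full-line comments
            continue
        words = line.split("#", 1)[0].split()    # tolerate a trailing '# comment' (no quoting support)
        if words:
            opts.setdefault(words[0], []).append(words[1:])
    return opts, blocks


def first_arg(opts, key, default=None):
    """First argument of the first occurrence of a directive, or default."""
    for args in opts.get(key, []):
        if args:
            return args[0]
    return default


def check_pem(tag, block, findings):
    """Validate one inline PEM block; return (label, rfc1421_headers) or None."""
    m = PEM_RE.search(block)
    if not m:
        findings.append(f"<{tag}>: no PEM block found")
        return None
    body = m.group("body")
    if any(ln != ln.rstrip() for ln in body.split("\n")):
        findings.append(f"<{tag}>: trailing whitespace or CR inside the PEM block; strip it")
    headers, b64 = body.split("\n\n", 1) if "\n\n" in body else ("", body)  # RFC 1421 headers end at a blank line
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError:
        der = b""
    if not der or der[0] != 0x30:                # certificates and private keys are DER SEQUENCEs
        findings.append(f"<{tag}>: PEM body is not valid base64 of a DER SEQUENCE")
    return m.group("label"), headers


def key_format(label, headers):
    """Name the private-key encoding from its PEM label and RFC 1421 headers."""
    if label == "PRIVATE KEY":
        return "pkcs8"
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"
    if label.endswith("PRIVATE KEY"):            # 'RSA PRIVATE KEY' / 'EC PRIVATE KEY' (PKCS#1 / SEC1)
        return "traditional-encrypted" if "ENCRYPTED" in headers else "traditional"
    return "unknown"


def lint(text):
    """Return {'key_format': str or None, 'findings': [str]} for an .ovpn profile."""
    findings = []
    opts, blocks = parse_profile(text)
    if first_arg(opts, "proto", "udp").lower() != "tcp":      # OpenVPN defaults to UDP
        findings.append("proto: RouterOS 6.x OVPN server listens on TCP only; set 'proto tcp'")
    if "comp-lzo" in opts or "compress" in opts:
        findings.append("compression: RouterOS 6.x OVPN server has no LZO support; drop comp-lzo/compress")
    if first_arg(opts, "dev", "") != "tun":
        findings.append("dev: the server runs in ip (routed) mode; use 'dev tun'")
    cipher = first_arg(opts, "cipher", "BF-CBC").upper()       # historic OpenVPN 2.x default
    auth = first_arg(opts, "auth", "SHA1").upper()             # OpenVPN default when unset
    if cipher not in ROUTEROS_CIPHERS or auth not in ROUTEROS_AUTH:
        findings.append(f"cipher {cipher}/auth {auth}: RouterOS 6.x offers {sorted(ROUTEROS_CIPHERS)} with MD5 or SHA1")
    if "auth-user-pass" not in opts:
        findings.append("auth-user-pass: missing; the PPP secret is required alongside the certificates")
    key_fmt = None
    for tag in ("ca", "cert", "key"):
        if tag not in blocks:
            findings.append(f"<{tag}>: inline block missing")
            continue
        pem = check_pem(tag, blocks[tag], findings)
        if pem and tag == "key":
            key_fmt = key_format(*pem)
            if key_fmt != "pkcs8":
                findings.append(f"<key>: {key_fmt} encoding; re-encode as PKCS#8 with openssl pkcs8 -topk8 -nocrypt")
    return {"key_format": key_fmt, "findings": findings}


# Constructed sample, not a real profile: the PEM bodies wrap SEQUENCE { INTEGER 1 }.
TOY_DER = b"\x30\x03\x02\x01\x01"


def _pem(label, der=TOY_DER):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


GOOD_PROFILE = (
    "client\ndev tun\ntopology subnet\nproto tcp\nremote mydomain.dyndns.org 1194\n"
    "#comp-lzo\ncipher AES-256-CBC\nauth SHA1\nauth-user-pass\n"
    "route 192.168.20.0 255.255.255.0 192.168.2.254\n"
    "<ca>\n" + _pem("CERTIFICATE") + "</ca>\n<cert>\n" + _pem("CERTIFICATE") + "</cert>\n"
    "<key>\n" + _pem("PRIVATE KEY") + "</key>\n"
)
# The same profile with the mistakes from the comments: UDP, LZO, a PKCS#1 key, trailing spaces in the PEM.
BAD_PROFILE = (
    GOOD_PROFILE.replace("proto tcp", "proto udp").replace("#comp-lzo", "comp-lzo")
    .replace(_pem("PRIVATE KEY"), _pem("RSA PRIVATE KEY").replace("=\n", "=  \n"))
)
```

Run lint() on the text of your client.ovpn: an empty findings list with key_format "pkcs8" is what you want before mailing the file to a phone. The DER check only looks at the outer SEQUENCE tag, which is enough to catch a mangled paste; it does not validate the certificate chain.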
Installing the OpenVPN configuration on iOS
Once you’re set with your client configuration, send the client.ovpn file by mail to an account you can open on your iOS device, or use a cloud storage such as Dropbox. Keep in mind that the file contains your client private key, so delete the mail or the shared copy once it is imported.
Once you tap on the file, select Open in… and the OpenVPN app, and you should see a screen similar to the one reported below:
Slide the switch below the word Disconnected and in a few seconds you should see the VPN icon in the status bar of your iOS device.
If you are using an updated version of the OpenVPN app on iOS 13, the VPN needs to be started from the app itself:
On OS X, double-click the client.ovpn file to import it into Tunnelblick.
Please use the comments to let me know if you found this post useful; I’ll do my best to correct any mistake I might have made in reporting my experience.
Enjoy!
I have tried but it does not work :( BEGIN RSA PRIVATE KEY is not accepted, I must use -----BEGIN ENCRYPTED PRIVATE KEY----- but I still have another error with OpenVPN Connect.
Thanks for the great explanation. It took me a while to get the ovpn file created: apparently I had some spaces after , etc. After that, importing into Tunnelblick on my laptop worked smoothly.
However, importing the same ovpn file into my iPhone did NOT succeed. It complained on “PolarSSL: error parsing config private key: PKCS5 – Requested encryption on digest alg not available”
Any ideas?
Could you please be a bit more precise in what is the issue you are experiencing?
Works nicely on my iPhone, using the latest OpenVPN App… what app are you using?
I’m with the same issue: “PolarSSL: error parsing config private key: PKCS5 – Requested encryption on digest alg not available”. If I remove
—–BEGIN CERTIFICATE—–
—–END CERTIFICATE—–
it tries to reconnect until timeout.
in the log i can get the error:
“Client exception in transport_recv_excode: PolarSSL: SSL read error: SSL – Processing of the Certificate handshake message failed.”
“Client terminated, restarting in 2000ms…
EVENT: DISCONNECTED”
the full log is:
“2017-07-28 17:34:05 —– OpenVPN Start —–
OpenVPN core 3.1.2 ios arm64 64-bit built on Dec 5 2016 12:50:25
2017-07-28 17:34:05 Keychain Cert Extraction: 1 certificate(s) found
2017-07-28 17:34:05 Frame=512/2048/512 mssfix-ctrl=1250
2017-07-28 17:34:05 UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
9 [verb] [1]
2017-07-28 17:34:05 EVENT: RESOLVE
2017-07-28 17:34:05 Contacting 200.XXX.XXX.XXX:1194 via TCP
2017-07-28 17:34:05 EVENT: WAIT
2017-07-28 17:34:05 SetTunnelSocket returned 1
2017-07-28 17:34:05 Connecting to [vpn.xxx.com.br]:1194 (200.XXX.XXX.XXX) via TCPv4
2017-07-28 17:34:05 EVENT: CONNECTING
2017-07-28 17:34:05 Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
2017-07-28 17:34:05 Creds: Username/Password
2017-07-28 17:34:05 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
2017-07-28 17:34:06 VERIFY OK: depth=0
cert. version : 3
serial number : 5C:D3:E4:B4
issuer name : C=BR, ST=XX, O=XXXXX, CN=Cert1
subject name : C=BR, ST=XX, O=XXXXX, CN=Cert1
issued on : 2016-10-10 20:28:43
expires on : 2026-10-08 20:28:43
signed using : RSA with SHA-256
RSA key size : 1024 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2017-07-28 17:34:06 Client exception in transport_recv_excode: PolarSSL: SSL read error : SSL – Processing of the Certificate handshake message failed
2017-07-28 17:34:06 Client terminated, restarting in 2000 ms…
2017-07-28 17:34:06 NET Internet:ReachableViaWiFi/-R t——”
Please heeeellpp!!!
Same here as Harold: PKCS5 error and the VPN is not connecting.
I’ll retest soon and will post new update to this thread.
Same error: OpenVPN error: mbed TLS: error parsing config private key : PKCS5 – Requested encryption or digest alg not available.
Please help.
Thanks you 🙂
same problem: PKCS5 error and not connecting vpn
Please help us to solve this problem 😉
Thanks!
I was so excited to see this HowTo…. worked through everything… but I also get the error : PKCS5
2018-05021 08:00:00 EVENT : CORE_ERROR mbed TLS: error parsing config private key : PKCS5 – Requested encryption or digest alg not available [ERR]
All, I found the issue with PKCS5… you need to convert the client certificate private key into PKCS8 using whatever system you are comfortable with (e.g. openssl).
I am now troubleshooting another issue with connection, so if anyone got this working properly please ping.