![openvpn mikrotik client openvpn mikrotik client](https://docs.splynx.com/images/get?path=en%2Fnetworking%2Fauthentication_of_customers%2Fmikrotik_openvpn_radius%2Fradius.png)
Make sure to use a /30 netmask, since we are connecting only two IPs together. Any type of internal network is fine, but I prefer to use networks from the B class for my VPNing needs. Let’s set the IPv4 Tunnel Network to something sensible, that no one uses. Change the Peer Certificate Authority to the one that contains our keys and set the Server certificate to the one we created earlier. Everything else you can leave at it’s default values, but I prefer to use AES-256-CBC instead of the default AES-128-CBC. Under TLS authentication we need to DISABLE Enable authentication of TLS packets. Let’s give it a nice Description so that later we can identify it. Please note that the default port for OpenVPN is 1194, I usually reserve that for Remote Access type of servers (for the Road Warrior users). I usually let the Local port auto increment as pfSense want’s it, but in this case I set it to 1196. I prefer to set the Interface to Localhost, cause if there are more interfaces on the server or more than one external IP I will have more control over it later in the Firewall -> NAT section. We need to change the Protocol to TCP, the Device mode is good as it is on tun. Let’s leave the Server mode on Peer to Peer (SSL/TLS) cause we want to do site-to-site.
Openvpn mikrotik client update#
RouterOS (as of now) doesn’t support some OpenVPN features, so we need to adjust our server to be compatible with it.If this changes (hopefully in RouterOS 7) I will update the blog accordingly. The OpenVPN server creation screen will appear:
![openvpn mikrotik client openvpn mikrotik client](https://i1.wp.com/rickfreyconsulting.com/wp-content/uploads/2020/08/WireGuard1.jpg)
Stay on the Servers tab, cause we want to create a server. Scroll to the bottom of the page and click the green Add button: Now that we have our certificates we are ready to create our VPN server.
![openvpn mikrotik client openvpn mikrotik client](https://mikrotrik.com/wp-content/uploads/2019/09/How-to-configure-a-PPTP-VPN-Server-on-Mikrotik-RouterOS.jpg)
Now let’s add another one but here we will set the descriptive name to bb-client-SOMETHING and the certificate type to User Certificate, the digest remains sha256: Set the Digest to sha256, the type to Server Certificate and fill in the rest of the required fields as applicable: We don’t wan’t to import but rather create a new one, so let’s start by creating a server certificate. Give it a descriptive name, in my case it will be bb-server-SOMETHING, where SOMETHING is the remote locations name. The Add a New Certificate screen will appear: In my case I have a lot, so i scroll to the bottom to Add a new one: At the very least there will be the webConfigurator present: Navigating to Certificates we will see our certificates. In my case we will be using the one that starts with bb (it stands for Back-Bone): If you don’t already have a dedicated CA for site to site VPNs than I highly suggest setting up one here. The Certificate Manager screen will default to the CAs, where u can see your Certificate Authorities. Log in to pfSense and go to System -> Cert. Of course after applying the settings it will disconnect because of the network change: After we connect via winbox go to Quick Set:Īnd change the defaults to suit our needs:
Openvpn mikrotik client how to#
If you don’t know how to do that please refer to this tutorial to get you started. Let’s first connect to our router and set up the bare minimum. In my scenario the client’s local network will be 192.168.11.0/24 and the server’s 192.168.0.0/24. Out encryption will be AES with a key size of 256bit (the maximum that RouterOS supports on this router as of now). Only the local networks will be shared between the two sites, sharing the external address of the server with the client is out of scope of this tutorial. Our client will be a Routerboard RB2011 detailed in a earlier post that connects to a pfSense server. We’ll be taking advantage of pfSenses superb certificate management features to do SSL/TLS instead of just a pre-shared key. In this tutorial we will look at how to set up a site to site VPN between a pfSense server and a Mikrotik client using OpenVPN the proper way.