MKT / OpenVPN Server Setup

mkt server | linux client

ssl certs

we need a server certificate and one client certificate per user, all signed by the same CA

assuming you already have a LocalCA on the router

/certificate

add name=openvpn common-name=FQDN-HERE
sign openvpn ca=LocalCA

add name=ovpn-client-USER common-name=ovpn-client-USER
sign ovpn-client-USER ca=LocalCA

note: the RouterOS default key-usage includes neither tls-server nor tls-client. If the Linux client config is going to use remote-cert-tls server (it should), add key-usage=digital-signature,key-encipherment,tls-server to the server certificate and key-usage=tls-client to the client one before signing, otherwise the client rejects the server certificate (VERIFY EKU ERROR).

THEN EXPORT THE CERTS AND DOWNLOAD THEM FROM THE UI (WebFig). Note that RouterOS only exports a private key if you set an export passphrase, and the key in the downloaded file is encrypted with that passphrase.

ALSO GRAB THE LocalCA CRT (certificate only, never its private key)

System / Certificates / Certificates

ovpn-client-USER (export with a passphrase so the private key comes along)
LocalCA (certificate only)

Files / File

new bridge

/interface bridge
add name=openvpn

new subnet

static IP of the bridge; this is the VPN gateway, handed to the clients as local-address

/ip address
add address=192.168.87.254/24 interface=openvpn

IP pool for the VPN users, inside the bridge subnet

/ip pool
add name=openvpn ranges=192.168.87.10-192.168.87.20

ppp & credentials

define the profile for the VPN users: disable compression and require encryption

/ppp profile
add name=openvpn local-address=192.168.87.254 remote-address=openvpn address-list=192.168.87.10-192.168.87.20 use-ipv6=no use-upnp=no only-one=no use-mpls=no bridge=bridgeLocal use-compression=no use-encryption=required

two caveats on that line: bridge= must name an existing bridge or the command is rejected (with the default ip-mode tunnel it has no effect, so point it at the openvpn bridge created above or leave it out), and address-list= takes the name of a firewall address list that each client's IP gets added to, not a range; the pool already limits the range, so the value above is harmless.

set up the username and password for the OVPN client; this is what the client sends with auth-user-pass, on top of its certificate

/ppp secret
add name=openvpn-USER disabled=no profile=openvpn password=PASSWORD-HERE

tunnel setup

needs the CA and the server certificate from above

needs the ppp profile

enable the OpenVPN server. RouterOS 6 OVPN is TCP only (UDP arrived with RouterOS 7) and only does CBC ciphers. require-client-certificate=yes makes the server check that the client certificate belongs to the same chain as the server certificate; without it the password alone is enough to log in.

default port is 1194.

/interface ovpn-server server
set auth=sha1 default-profile=openvpn certificate=openvpn enabled=yes require-client-certificate=yes cipher=aes256,aes192,aes128

firewall

make sure TCP port 1194 is accepted on the input chain from the outside (WAN); the OVPN server runs on the router itself, so this is an input rule, not a dst-nat.

/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=1194 comment="allow openvpn tcp"

make sure you do not filter input traffic coming in over the VPN, so WebFig and SSH stay reachable through the tunnel. Note that <ovpn-openvpn-USER> is the dynamic interface of an active connection: it disappears when the user disconnects, so you cannot reference it in a rule; match on all-ppp instead.

add chain=input action=accept protocol=tcp in-interface=all-ppp dst-port=2222,80,8443 log=yes comment="allow openvpn to reach webfig and ssh"

AND PLACE THOSE RULES ABOVE THE DROP: the input chain is evaluated top to bottom, so print it, note the numbers of the two accept rules and of the drop rule, and move them (or add them with place-before= pointing at the drop rule in the first place)

print
move XX destination=XX
move XX destination=XX

Client setup (GNU/Linux)

see openvpn-client-linux

Acceptance

check the status of a connected client (run it while the Linux client is up)

/interface ovpn-server monitor 0

Troubleshooting

the router logs "error duplicate packet, dropping" right after a client connects: typically a cipher mismatch, the client picked a data cipher the server does not offer (OpenVPN 2.4+ negotiates AES-256-GCM by default, RouterOS 6 only has CBC modes). Pin the cipher in the client config to one of the ciphers set on the server:

==> USER.ovpn: cipher AES-256-CBC

Resources

OpenVPN with Mikrotik RouterBOARD https://mum.mikrotik.com/presentations/VN17/presentation_4102_1493726768.pdf

Manual:Interface/OVPN https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

tutorials

MikroTik CHR: How to set up OpenVPN server for your IoT devices (+ video) https://www.bgocloud.com/knowledgebase/73/mikrotik-chr-how-to-set-up-openvpn-server-for-your-iot-devices-video.html –> best guide that didn’t forget any step

Mikrotik – Configuring OpenVPN Server + Linux client https://gryzli.info/2014/10/05/mikrotik-configuring-openvpn-server-linux-client/

OpenVPN https://help.mikrotik.com/docs/display/ROS/OpenVPN

Manual:Interface/OVPN https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN –> client config sample

Setting up an OpenVPN server on MikroTik (in Russian) https://adminway.ru/podnimaem-na-mikrotik-openvpn-server

Configuring OpenVPN https://forum.mikrotik.com/viewtopic.php?t=17788

troubles

Port forwarding to OpenVPN Server https://forum.mikrotik.com/viewtopic.php?t=178541

how open port 1194 in mikrotik? https://forum.mikrotik.com/viewtopic.php?t=138448

OpenVPN over TCP vs. UDP https://proprivacy.com/vpn/guides/openvpn-tcp-vs-udp-difference-choose

Forward Ports for OpenVPN https://forum.mikrotik.com/viewtopic.php?t=114348

Manual:PPP AAA https://wiki.mikrotik.com/wiki/Manual:PPP_AAA

alternatives

Manual:Interface/SSTP https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

VPN over SSTP setup [SOLVED] https://forum.mikrotik.com/viewtopic.php?t=178330

more

allow VPN client to request specific IP address? https://forum.mikrotik.com/viewtopic.php?t=182504 –> client ACL

OpenVPN Access - Can only reach the gateway https://forum.mikrotik.com/viewtopic.php?t=178756 –> proxy-arp

troubles / openvpn

https://forum.mikrotik.com/viewtopic.php?t=100449

https://qna.habr.com/q/489704

http://trustore.ru/article/complex/podnimaem-openvpn-server-na-mikrotik.html


Copyright © 2024 Pierre-Philipp Braun