How to Set Up OpenVPN on MikroTik: A Step-by-Step Guide to Secure Your Network

 

Step-by-Step Guide to Setting Up OpenVPN on MikroTik Router

This guide shows how to create an OpenVPN (OVPN) server on a MikroTik router and connect OVPN clients to it. Every step is described, and each CLI command is explained. I have already discussed IPsec VPN in another YouTube video, which you can also refer to for IPsec VPN configuration.


A. Generate Certificates for Secure Connection of OVPN Clients

Creating certificates is crucial for establishing a secure and encrypted VPN connection. We'll generate certificates for the Certificate Authority (CA), server, and client.

  1. Create Certificate Templates:

 

    • Command:

/certificate add name=ca-template common-name=myCA key-usage=key-cert-sign,crl-sign

/certificate add name=server-template common-name=server

/certificate add name=client-template common-name=client

These commands create certificate templates for the CA, server, and client. The ca-template is used to sign other certificates, while server-template and client-template are for the server and client respectively.

  2. Sign Certificates:

 

    • Command:

/certificate sign ca-template name=myCA

/certificate sign server-template ca=myCA name=server

/certificate sign client-template ca=myCA name=client

Signing the certificates with the CA establishes trust. The CA certificate (myCA) signs the server (server) and client (client) certificates, verifying their authenticity and enabling encrypted communication.

B. Configure OVPN Server in MikroTik Router

Set up the OpenVPN server on the MikroTik router to accept incoming connections securely.

  1. Enable OVPN Server:

 

    • Command:

/interface ovpn-server server set enabled=yes certificate=server require-client-certificate=yes auth=sha1,sha256 cipher=aes128,aes256

This command enables the OVPN server, specifies the server certificate, and requires client certificates for authentication. It allows SHA1 and SHA256 as the authentication (HMAC) digests and AES128 and AES256 as the encryption ciphers for enhanced security.


  2. Create IP Pool for OVPN Users or Clients:

    • Command:

/ip pool add name=ovpn-pool ranges=192.168.10.2-192.168.10.100

The IP pool provides a range of IP addresses (192.168.10.2-192.168.10.100) for VPN clients, ensuring each client gets a unique address when connecting. This matters because every individual client has to be tracked on the server side.

C. Create PPP Profile for User:

    • Command:

/ppp profile add name=ovpn-profile local-address=192.168.10.1 dns-server=192.168.10.1 remote-address=ovpn-pool

The PPP profile defines connection parameters for VPN clients. It assigns the local IP address (192.168.10.1) and DNS server, and specifies an IP pool (ovpn-pool) for remote clients.

 

  1. Create PPP Secret for each user:

    • Command:

/ppp secret add name=ovpn-user password=ovpn-pass profile=ovpn-profile service=ovpn

This command creates a user (ovpn-user) with a specified password (ovpn-pass) for authenticating VPN clients. It links the user to the ovpn-profile and designates the service type as OVPN.

 

Configure OVPN Client on MikroTik

Set up the OpenVPN client to connect securely to the OVPN server.

  1. Import Certificates:

Transfer the necessary certificate files (.crt and .key) to the client device. These certificates authenticate the client to the server and establish a secure connection.

  2. Configure OVPN Client:

    • Command:

/interface ovpn-client add name=ovpn-client connect-to=<server-ip> user=ovpn-user password=ovpn-pass profile=default-encryption certificate=client auth=sha1,sha256 cipher=aes128,aes256

This command configures the OVPN client with the server's IP address (<server-ip>), user credentials (ovpn-user and ovpn-pass), and client certificate (client). It specifies the authentication and encryption methods to match the server configuration.

Configure Firewall in MikroTik

Ensure the necessary ports are open on the firewall to allow OVPN traffic, securing and enabling VPN connections.

Open OVPN Port (TCP 1194):

    • Command:

/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0

This command opens TCP port 1194 on the firewall so that the VPN server can accept incoming connections. OVPN uses port 1194 to communicate, so this port has to be open on the server side.
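A check that can be run over the commands in this guide before they are applied to a router, added here as an example (it is not part of the original post and is not MikroTik tooling). It assumes commands in the one-line form used above; the policy it enforces (SHA-256 or stronger, AES only, no sample password) and the names `parse_line`, `audit`, `TUTORIAL` and `TIGHTENED` are this example's own.

```python
import shlex

# Policy assumed for this example (not from the tutorial): HMAC digest of
# SHA-256 or stronger, AES ciphers only, client certificates mandatory.
WEAK_AUTH = {"unset", "null", "md5", "sha1"}
SAMPLE_PASSWORDS = {"ovpn-pass"}  # the tutorial's sample password

def parse_line(line):
    """Split one RouterOS command into (menu path, {key: value})."""
    path, params = [], {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
        else:
            path.append(token)
    return " ".join(path), params

def audit(config_text):
    """Return findings for the OVPN server and PPP secret lines in config_text."""
    findings = []
    for line in filter(None, map(str.strip, config_text.splitlines())):
        path, p = parse_line(line)
        if path == "/interface ovpn-server server set":
            if p.get("require-client-certificate") != "yes":
                findings.append("server: client certificate not required")
            # A missing key is reported as "unset": the version default applies.
            weak = sorted(WEAK_AUTH.intersection(p.get("auth", "unset").split(",")))
            if weak:
                findings.append("server: weak or unset auth digest: " + ",".join(weak))
            other = [c for c in p.get("cipher", "unset").split(",") if not c.startswith("aes")]
            if other:
                findings.append("server: non-AES or unset cipher: " + ",".join(other))
        elif path == "/ppp secret add" and p.get("service") == "ovpn":
            if p.get("password") in SAMPLE_PASSWORDS:
                findings.append("secret %s: sample password in use" % p.get("name"))
    return findings

# Constructed inputs: the tutorial's commands as written, then a tightened variant.
TUTORIAL = """
/interface ovpn-server server set enabled=yes certificate=server require-client-certificate=yes auth=sha1,sha256 cipher=aes128,aes256
/ppp secret add name=ovpn-user password=ovpn-pass profile=ovpn-profile service=ovpn
"""
TIGHTENED = """
/interface ovpn-server server set enabled=yes certificate=server require-client-certificate=yes auth=sha256 cipher=aes256
/ppp secret add name=ovpn-user password=constructed-long-passphrase profile=ovpn-profile service=ovpn
"""

if __name__ == "__main__":
    print(audit(TUTORIAL), audit(TIGHTENED))
```

If the server is tightened to `auth=sha256 cipher=aes256`, the client's `auth` and `cipher` values have to be changed to match.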


If anyone has any issue setting up this OVPN, please hit me up or leave your comment below. Have a nice time.
