Need help creating road warrior vpn on routerboard (Mikro-Tik)

tamray_tech
I am running routerboardOS 4.1 on a Mikro-Tik 450g router board. I am attempting to configure the vpn using openvpn. I have tried to follow a number of docs on this, but I either have something misconfigured, or am misunderstanding some instruction. From googling around I can see there are many others having the same difficulties, so a clear, line by line set of instructions would be appreciated by many.

In my first vpn I want to duplicate the road warrior vpn I had setup on my IPCop box, and PFsense box. This configuration used openvpn with ipsec, but it seems the standard Mikro-Tik solution utilizes pptp. I would much prefer that users are NOT required to login.

In IPCop and PFsense, it was as simple as creating the vpn on the server, creating the certificates, and matching files, and importing them to the server. The client had the appropriate matching info in the .ovpn config, and that was all there was to it.

I would greatly appreciate step by step instructions to set up the same kind of vpn using my Mikro-Tik router.

Using the command line for the configuration is fine.

This is the solution to the question:

The following link was the best I found to create a road warrior type
vpn connection between a desktop/laptop to a MT router. (I use a 450g board)

http://blog.who-els.co.za/2008/11/mikrotik-routeros-and-openvpn.html

I duplicated most of the MT configuration with the following command lines. (Simply modify them, and paste into an ssh session on the MT router.) My home office subnet is 10.2.0.0/16. I assigned a 10.5.5.0/24 subnet to the vpn connections, and created a route to the 10.2.0.0 network in the workstation.ovpn file below. I ignored the instructions in the howto about creating an ovpn-pool for dhcp addresses, because of the utilization of a 29-bit subnet mask. I could not control if the address assigned would be in the same subnet, so I assigned them per connection. Works for me, but I suppose it would be a lot of work for someone setting up a large number of vpns.

#################
/ppp profile
add change-tcp-mss=default comment="" local-address=10.5.5.1 \
name=openvpn only-one=default remote-address=10.5.5.2 \
use-compression=default use-encryption=required use-vj-compression=default

/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0  \
limit-bytes-out=0 name=goliath password=password profile=openvpn \
routes="" service=any
/interface ovpn-server server
set auth=sha1,md5 certificate=cert1 \
cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no

#############

Windows Workstation.ovpn config
###########################
dev tun
proto tcp-client
remote "public IP" 1194 # Remote OpenVPN Servername or IP address
route-up "route add 10.2.0.0 MASK 255.255.0.0 10.5.5.1"
ca ca.crt
cert client1.crt
key client1.key
tls-client
port 1194
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass

#####################
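As an added example (not code from the original answer), a Python helper that takes the answer's per-connection addressing further: it carves the 10.5.5.0/24 vpn subnet into /29 blocks to match netmask=29 on the ovpn-server and emits one `/ppp secret` line per user with that user's local-address/remote-address pinned, using a random password rather than the placeholder. The per-secret `local-address`/`remote-address` fields and `service=ovpn` are RouterOS parameters assumed to be supported on the firmware in use.

```python
import ipaddress
import secrets

# Values from the answer above: the vpn subnet and the server's netmask=29.
VPN_SUPERNET = ipaddress.ip_network("10.5.5.0/24")
BLOCK_PREFIX = 29


def plan_blocks(users, supernet=VPN_SUPERNET, prefix=BLOCK_PREFIX):
    """Give each user its own /29 inside the vpn subnet.

    Returns a list of (user, local_address, remote_address) where the
    first usable host of the block is the router side (local-address)
    and the second is the client (remote-address), exactly as the
    answer's profile uses 10.5.5.1 / 10.5.5.2 for the first connection.
    Raises ValueError once the /24 runs out of /29 blocks (32 users).
    """
    blocks = supernet.subnets(new_prefix=prefix)
    plan = []
    for user in users:
        try:
            block = next(blocks)
        except StopIteration:
            raise ValueError(
                f"{supernet} has no free /{prefix} left after {len(plan)} users"
            ) from None
        hosts = list(block.hosts())
        plan.append((user, str(hosts[0]), str(hosts[1])))
    return plan


def render_secrets(plan, profile="openvpn"):
    """Render RouterOS CLI lines to paste into an ssh session.

    The addresses on the secret override the profile's, so a single
    'openvpn' profile can be shared by every user.  Passwords are
    generated with the secrets module instead of a fixed placeholder.
    service=ovpn restricts each secret to the OpenVPN server only.
    """
    lines = ["/ppp secret"]
    for user, local, remote in plan:
        password = secrets.token_urlsafe(18)
        lines.append(
            f'add name={user} password="{password}" profile={profile} '
            f"local-address={local} remote-address={remote} service=ovpn"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample users; print the CLI block for a small deployment.
    print(render_secrets(plan_blocks(["goliath", "david", "laptop2"])))
```

Because each user now has a different router-side address, the `route-up` line in that user's .ovpn must use their own local-address as the gateway (10.5.5.1 only for the first block).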
