It has been a loooong time since I’ve posted…a lot has happened, but finally back on the blog!
I’ve been working a lot with Mikrotik devices lately, and I’ve written up a few bits and bobs to make my life easier.
Below is the snippet I’ve written to quickly set up an OpenVPN server on a Mikrotik router.
#### VARIABLES
#### UPDATE BEFORE RUNNING SCRIPT
# This variable sets the DNS server that will be used by the clients on the VPN
:global netVPNDNSServer 8.8.8.8
# Sets the company and export passphrase that will be used for the cert
:global Company "YOUR COMPANY"
:global CertExportPassphrase YOURPASSPHRASE
# Sets up a user and password for the VPN
:global vpnuser joebloggs
:global vpnpass bloggsvpn
## Certificate Setup
/log info "generating certs"
## You may want to update your country, state, etc, but it's not necessary
/certificate add name=CA country=AU state=WA locality=WA organization=$Company unit=IT common-name=CA trusted=yes key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate add name=server country=AU state=WA locality=WA organization=$Company unit=IT common-name=server trusted=yes key-usage=digital-signature,key-encipherment,tls-server days-valid=3650
/certificate add name=client country=AU state=WA locality=WA organization=$Company unit=IT common-name=client key-usage=tls-client days-valid=3650
# If you're copy and pasting this into terminal, paste each certificate sign line separately, and ignore the delay lines
/log info "signing certs"
/certificate sign CA name=CA
/log info "30 sec wait"
/delay 30000ms
/certificate sign server ca=CA
/log info "30 sec wait"
/delay 30000ms
/certificate set server trusted=yes
/certificate sign client ca=CA
/log info "30 sec wait"
/delay 30000ms
/log info "exporting certs"
/certificate export-certificate CA
/certificate export-certificate client export-passphrase=$CertExportPassphrase
## OpenVPN Config
# This is where the IP addresses are set for the OpenVPN Clients.
# If you need to change them, this is the spot.
/ip pool add comment="OVPN Pool" name=Pool-VPN ranges=10.0.100.10-10.0.100.200
/ppp profile add dns-server=$netVPNDNSServer local-address=10.0.100.1 name=Profile-VPN only-one=no remote-address=Pool-VPN use-encryption=required
/interface ovpn-server server set auth=sha1 certificate=server cipher=aes256 default-profile=Profile-VPN enabled=yes require-client-certificate=yes
/ppp secret add name=$vpnuser password=$vpnpass profile=Profile-VPN service=ovpn