camscape - for excellent IT solutions itkb.ro - IT knowledge base

Title: Mikrotik OpenVPN Client to Linux Server
Tags: mikrotik, openvpn, linux
Description: Mikrotik OpenVPN Client to Linux Server
Code: KBMIK0004 v1.0
Date: 12 May 2025

How to connect a Mikrotik router and a Linux router with a site-to-site VPN using OpenVPN.

On Linux, create a tun connection authenticated with client certificates. It is the same as a normal bridging setup, except that a tun interface replaces tap and LZO compression is disabled, because Mikrotik does not support it. OVPN server config on Linux:

# IP Settings
port 1194
proto tcp
dev tun0

# Compression
#comp-lzo

# UID
user nobody
group nobody

# Certificates
#
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/robuhsrv001.camscape.ro.crt
key /etc/openvpn/keys/robuhsrv001.camscape.ro.key
dh /etc/openvpn/keys/dh2048.pem

crl-verify /etc/openvpn/crl/crl.pem

# Route vpn tunnel IPs
server 172.18.3.0 255.255.255.0

# Assign specific settings to specific clients
client-config-dir /etc/openvpn/vpn-mikrotik/ccd

# Route remote LAN behind Mikrotik
route 10.254.3.0 255.255.255.0

ifconfig-pool-persist /etc/openvpn/vpn-mikrotik/ipp.txt

cipher AES-256-CBC

# The persist options
persist-key
persist-tun

# Log status. Use "log" to create a log file overwriting it each time
# you restart the vpn, otherwise, use "log-append"
log-append  /var/log/openvpn/mikrotik.log

# Verbosity
verb 3

Create the /etc/openvpn/vpn-mikrotik/ccd directory referenced above and save in it a file named mikrotik (mikrotik is the name of the user, i.e. the common name of the client certificate), containing:

# Set tunnel IP, local and remote
ifconfig-push 172.18.3.2 172.18.3.1
# Route remote LAN behind Mikrotik
iroute 10.254.3.0 255.255.255.0

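The two things that most often go wrong in this setup are a route line in the server config without a matching iroute in the ccd file, and an ifconfig-push that hands out an address outside the server pool or the server's own address. The following Python check is an added example and not part of the original article or of OpenVPN; the embedded config text is a constructed, abbreviated copy of the configuration above, and the check assumes the server's tunnel address is the first host of the pool.

```python
import ipaddress
import shlex

# Constructed, abbreviated copy of the server config and ccd file shown in this article.
SERVER_CONF = """\
dev tun0
#comp-lzo
server 172.18.3.0 255.255.255.0
route 10.254.3.0 255.255.255.0
cipher AES-256-CBC
"""
CCD_FILES = {"mikrotik": "ifconfig-push 172.18.3.2 172.18.3.1\niroute 10.254.3.0 255.255.255.0\n"}

def directives(text):
    """Yield (name, args) for each non-comment, non-empty line of an OpenVPN config."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def net(args):
    # normalise "network netmask" arguments to CIDR, e.g. 10.254.3.0/24
    return str(ipaddress.ip_network("{}/{}".format(args[0], args[1]), strict=False))

def check_site_to_site(server_conf, ccd_files):
    """Return a list of problems; empty when the site-to-site setup is consistent."""
    problems = []
    srv = list(directives(server_conf))
    opts = dict(srv)
    if "comp-lzo" in opts:
        problems.append("comp-lzo is active but Mikrotik does not support LZO")
    pool = ipaddress.ip_network(net(opts["server"]))
    server_ip = next(pool.hosts())  # assumed: the server's own tunnel address (.1)
    routes = {net(a) for name, a in srv if name == "route"}
    iroutes = set()
    for client, text in ccd_files.items():
        for name, args in directives(text):
            if name == "iroute":
                iroutes.add(net(args))
            elif name == "ifconfig-push":
                local, remote = map(ipaddress.ip_address, args[:2])
                if local not in pool or local == server_ip:
                    problems.append(f"{client}: {local} is not a free address in {pool}")
                if remote != server_ip:
                    problems.append(f"{client}: remote {remote} is not the server address {server_ip}")
    # a LAN routed into the tunnel must be claimed by a client through iroute, and vice versa
    for r in sorted(routes ^ iroutes):
        problems.append(f"{r}: route and iroute do not match (route needs a ccd iroute and vice versa)")
    return problems
```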
Now, generate a certificate for the user "mikrotik", signed by the same CA as the server certificate. You will end up with three files:
mikrotik.crt
mikrotik.key
ca.crt

Copy the above files to the Mikrotik router using SCP (assuming the router has LAN IP 10.254.3.1 and the user is admin):

scp ca.crt admin@10.254.3.1:/
scp mikrotik.crt admin@10.254.3.1:/
scp mikrotik.key admin@10.254.3.1:/

SSH to the Mikrotik router and import the certificates. RouterOS derives the certificate name from the file name, so check with /certificate print that the client certificate is named mikrotik, which is the name used by the OVPN client interface below:

/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=mikrotik.crt passphrase=""
/certificate import file-name=mikrotik.key passphrase=""

Create a PPP profile (or use the default one) using WebFig on PPP / Profiles / Add New
Or use the command line:

/ppp profile add name=OVPN-client change-tcp-mss=yes \
    only-one=yes use-encryption=required use-mpls=no

Create the OpenVPN interface using WebFig on Interfaces / Add New / OVPN Client
Or use the command line:

# cipher=aes256 matches "cipher AES-256-CBC" in the server config above
/interface ovpn-client add connect-to=PUBLIC_IP_ADDRESS_OF_LINUX \
    add-default-route=no auth=sha1 cipher=aes256 certificate=mikrotik \
    disabled=no name=VPN-to-Linux profile=OVPN-client

Next, set up the firewall according to your needs (input, output and forward chains) and, at a minimum, add the routes. Using WebFig, go to IP / Routes / Add New
Or use the command line:

/ip route add disabled=no dst-address=LAN_BEHIND_LINUX_ROUTER \
    type=unicast gateway=VPN-to-Linux scope=30 target-scope=10