OpenVPN server on Mikrotik with iOS 13 client

Mikrotik OS6.47

Generate a Self-Signed CA certificate

/certificate add name=mt.ca common-name=mt.ca key-usage=key-cert-sign,crl-sign trusted=yes
/certificate sign mt.ca

Generate a certificate for the vpn server (mikrotik router), sign it and trust it.

/certificate add name=ovpn.server common-name=ovpn.server
/certificate sign ovpn.server ca=mt.ca

/certificate set trusted=yes ovpn.server

Generate a certificate for the vpn client (ipad or phone) and sign it.

/certificate add name=iosvpn.client common-name=iosvpn.client
/certificate sign iosvpn.client ca=mt.ca

/certificate set trusted=yes iosvpn.client

Export CA certificate

/certificate export-certificate mt.ca

Export the client certificate as a PKCS#12 file (required for iOS). Use your own passphrase in place of the sample one.

/certificate export-certificate iosvpn.client export-passphrase=12345678 type=pkcs12

The exported client key pair is now in Files under the filename cert_export_iosvpn.client.p12

Import it into OpenVPN Connect with iTunes.

The exported CA certificate is in the file cert_export_mt.ca.crt

The content of this file has to be placed at the end of the .ovpn config file.

.ovpn configuration file for iOS

client
dev tun                             
proto tcp          #### Mikrotik uses TCP only
remote mynetname.net  ### or IP address
port 1194     #### if you use the default port
resolv-retry infinite
nobind
persist-key
persist-tun

tun-mtu 1492
mssfix 1400

auth SHA1
auth-user-pass
verb 5
;comp-lzo  ###(disable compression)
remote-cert-tls server
cipher AES-256-CBC

redirect-gateway def1   ### iOS won't work without this
;route-gateway 192.168.6.1
;dhcp-option DNS 8.8.8.8

;route 192.168.6.0 255.255.255.0 192.168.6.1


<ca>
-----BEGIN CERTIFICATE-----

### CONTENT OF mt.ca.crt FILE ###
 
-----END CERTIFICATE-----
</ca>

Save as iosclient.ovpn and import it into OpenVPN Connect on iOS.
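
Placing the exported CA certificate at the end of the .ovpn file can be scripted on a Linux box. The following is an added example, not part of the original post: it wraps cert_export_mt.ca.crt in a <ca> block and checks the settings this page relies on. The function names build_ovpn and check_ovpn and the input file name base.ovpn are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). build_ovpn and check_ovpn are
# hypothetical helper names; the file names are the ones used on this page.

# build_ovpn BASE CA_CRT OUT: write BASE plus CA_CRT wrapped in <ca>...</ca>.
build_ovpn() {
    base=$1; ca=$2; out=$3
    # Accept only a file holding exactly one PEM certificate.
    if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca")" != 1 ]; then
        echo "error: $ca is not a single PEM certificate" >&2; return 1
    fi
    # The CA private key must never be shipped to a client.
    if grep -q 'PRIVATE KEY' "$ca"; then
        echo "error: $ca contains a private key" >&2; return 1
    fi
    {
        # Drop an existing inline <ca> block so the script can be re-run.
        sed '/^<ca>/,/^<\/ca>/d' "$base"
        echo '<ca>'
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca"
        echo '</ca>'
    } > "$out.tmp" && mv "$out.tmp" "$out"
}

# check_ovpn FILE: print one line per problem; non-zero status if any found.
check_ovpn() {
    rc=0
    # Strip "#" and ";" comments and trailing blanks before matching.
    cfg=$(sed -e 's/[#;].*//' -e 's/[[:space:]]*$//' "$1")
    has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }
    has '^proto tcp' || { echo "proto is not tcp (page: Mikrotik uses TCP only)"; rc=1; }
    has '^remote-cert-tls server$' || { echo "missing remote-cert-tls server"; rc=1; }
    has '^auth-user-pass' || { echo "missing auth-user-pass"; rc=1; }
    has '^<ca>$' || { echo "missing inline <ca> block"; rc=1; }
    if has '^comp-lzo'; then echo "comp-lzo present (page leaves it commented out)"; rc=1; fi
    return "$rc"
}

# Usage:
#   build_ovpn base.ovpn cert_export_mt.ca.crt iosclient.ovpn
#   check_ovpn iosclient.ovpn
```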

Mikrotik OpenVPN server config

/ip/pool

/ppp/profile

/ppp/secrets

/ppp

Open TCP port 1194 on firewall

/ip firewall filter add action=accept chain=input comment="allow OpenVPN" disabled=no dst-port=1194 protocol=tcp

Mikrotik – self-signed SSL certificate – ROS 5.25

On Mikrotik terminal:

[admin@MikroTik] /certificate> create-certificate-request 

Fill in all the data: country, state, city, mail, domain, organisation, etc.

It will create 2 files:

certificate-request.pem

private-key.pem

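On a Linux box (the first command writes the decrypted private key to certificate-request2.pem, the second uses it to self-sign the request):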

openssl rsa -in private-key.pem -text > certificate-request2.pem
openssl x509 -req -days 9999 -in certificate-request.pem -signkey certificate-request2.pem -out mikrotik_ssl.crt

Then back on Mikrotik:

/certificate import file-name=mikrotik_ssl.crt
/certificate import file-name=certificate-request2.pem
/ip service set www-ssl certificate=cert1

L2TP + IPsec VPN on Mikrotik router (iOS 10 support)

PPTP is no longer supported by Apple. To connect to your VPN with an iPhone or iPad you have to use a different protocol.

 

This is how to do it on Mikrotik router.

 

1. IP > Addresses

Assign IP addresses for each interface, public on ether1-gateway and private on ether2.

2. IP > Pool

Set range of IP addresses for your remote devices.

192.168.16.10-192.168.16.20 for example.

3. PPP > Interface – Enable L2TP Server

4. PPP > Profiles  (make one)

5. PPP > Secrets (set user name and password)

6. IP > IPsec > Peers

(make new peer, set secret)

7. IP > IPsec > Proposals

 

That should be all.

Make sure you select MS-CHAP v2 when connecting.

And put your IPsec secret here.

On iOS 10

 

 

 

 

 

 
