
MikroTik Site to Site OpenVPN Server Setup (RouterOS Client)

VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a public network. A user on a private network can therefore send and receive data to and from a remote private network through the VPN tunnel as if their device were directly connected to that network.

MikroTik OpenVPN Server provides a secure and encrypted tunnel across a public network for transporting IP traffic using PPP. OpenVPN Server uses SSL certificates, so the OpenVPN tunnel is a trusted tunnel for sending and receiving data across a public network. MikroTik OpenVPN Server can be applied in two methods.

The goal of this article is to create a site to site OpenVPN tunnel across a public network. I will show how to configure an OpenVPN tunnel between two MikroTik RouterOS routers so that the local networks of these routers can communicate with each other as if they were directly connected to the same router.

Network Diagram

To configure a site to site OpenVPN tunnel between two MikroTik RouterOS routers, I am following a network diagram like the image below.

Site to Site OpenVPN Tunnel

In this network, Office1 Router is connected to the internet through its ether1 interface, which has IP address 192.168.70.2/30. In your real network, this IP address should be replaced with a public IP address. Office1 Router’s ether2 interface is connected to the local network 10.10.11.0/24. We will configure OpenVPN Server on this router. After OpenVPN configuration, the router will create a virtual interface (OVPN Tunnel) across the public network whose IP address will be 172.22.22.1.

Office2 Router, on the other hand, is a remote router that can reach Office1 Router’s WAN IP. Office2 Router’s ether1 interface is connected to the internet with IP address 192.168.40.2/30, and ether2 has the local IP network 10.10.12.0/24. We will configure the OpenVPN client on this router. After OpenVPN client configuration, the router will have a virtual interface (OVPN Tunnel) across the public network whose IP address will be 172.22.22.2.

Core Devices and IP Information

To configure a site to site OpenVPN between two routers, I am using two MikroTik routers running RouterOS v6.38.1. The IP information that I am using for this network configuration is given below.

This IP information is only for my R&D purposes. Change this information according to your network requirements.

Site to Site OpenVPN Configuration

We will now start the site to site OpenVPN configuration on the MikroTik routers according to the above network diagram. The complete site to site OpenVPN configuration can be divided into two parts.

Part 1: Office1 Router Configuration for OpenVPN Server

We will configure OpenVPN Server on the Office1 Router. The complete RouterOS configuration for OpenVPN Server can be divided into four steps.

Step 1: MikroTik RouterOS Basic Configuration

In the MikroTik RouterOS basic configuration, we will assign the WAN, LAN and DNS IP addresses and perform the NAT and route configuration. The following steps will show how to do this in your RouterOS.

Basic RouterOS configuration has been completed. Now we will create the SSL certificates for OpenVPN Server.

Step 2: Creating SSL certificate for OpenVPN Server

OpenVPN Server configuration requires an SSL certificate because OpenVPN uses SSL certificates for secure communication. MikroTik RouterOS version 6 can create, store and manage certificates in its certificate store, so we will create the required OpenVPN certificates from our RouterOS. OpenVPN Server requires the following certificates:

  1. CA (Certification Authority) certificate and
  2. Server certificate

Creating CA certificate

The following steps will show how to create the CA certificate in MikroTik RouterOS.

The CA certificate has been created successfully. Now we will create the server certificate.

Creating Server Certificate

The following steps will show how to create the server certificate in MikroTik RouterOS.

The server certificate has been created successfully. Now we will enable and configure OpenVPN Server in MikroTik RouterOS.

Step 3: OpenVPN Server Configuration in MikroTik Router

After creating the SSL certificates, we can now enable OpenVPN Server in the MikroTik Router. The following steps will show how to enable OpenVPN Server in your MikroTik Router with the proper configuration.

OpenVPN Server is now running in the MikroTik Router. Now we will create the OpenVPN user who will connect to this server.

Step 4: PPP Secret creation for OpenVPN

After OpenVPN Server setup, we need to create the OpenVPN user who will connect to OpenVPN Server. OpenVPN Server uses a PPP user for authentication, so we will now create a PPP secret (username and password) for the OpenVPN client. The following steps will show how to create a PPP secret in the MikroTik Router.

The PPP user who will connect from the remote client machine has been created. Whenever this user connects from the OpenVPN client router (Office2 Router), the Remote Address IP will be assigned to its virtual interface and the routes will be created in Office1 Router’s routing table so that Office1 Router’s local network can reach the remote router’s (Office2 Router) local network.

Office1 Router configuration for OpenVPN Server has been completed. Office1 Router is now ready to create an OpenVPN tunnel for its OpenVPN user. In the next part, we will configure our Office2 Router so that it can connect to Office1 Router through the OVPN tunnel to reach Office1 Router’s local network.
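
The four server-side steps above, condensed into RouterOS v6 terminal commands as an added example (not taken from the original article). The certificate names, the user name `office2`, the password placeholder, port 1194 (the RouterOS default), the cipher choice and the firewall rule are assumptions; the addresses are the ones from the network diagram.

```routeros
# Added example for Office1 Router (OpenVPN server), RouterOS v6 syntax.
# Assumed names: ca-template, server-template, CA, server, office2.

# Step 2: create and self-sign the CA certificate, then issue the
# server certificate from it and mark it trusted.
/certificate add name=ca-template common-name=CA key-usage=key-cert-sign,crl-sign
/certificate sign ca-template ca-crl-host=192.168.70.2 name=CA
/certificate add name=server-template common-name=server key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server-template ca=CA name=server
/certificate set server trusted=yes

# Step 3: enable the OpenVPN server with the server certificate.
# No client certificate is required in this setup, so the PPP secret
# below is the only client credential and must be long and random.
/interface ovpn-server server set enabled=yes port=1194 mode=ip certificate=server auth=sha1 cipher=aes256 require-client-certificate=no

# Assumed hardening step: accept OpenVPN connections only from
# Office2 Router's WAN address. Place this above any drop rule
# on the input chain.
/ip firewall filter add chain=input protocol=tcp dst-port=1194 src-address=192.168.40.2 action=accept comment="OVPN from Office2"

# Step 4: PPP secret limited to the ovpn service. The routes value
# installs 10.10.12.0/24 via the client's tunnel address on connect.
/ppp secret add name=office2 password="REPLACE-WITH-LONG-RANDOM-PASSWORD" service=ovpn local-address=172.22.22.1 remote-address=172.22.22.2 routes="10.10.12.0/24 172.22.22.2 1"

# Checks: both certificates are listed, and the user appears here
# once Office2 Router has connected.
/certificate print
/ppp active print
```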

Part 2: Office2 Router Configuration for OpenVPN Client

According to our network diagram, Office2 Router works as the OpenVPN client router, so we will configure the OpenVPN client on Office2 Router. The complete RouterOS configuration can be divided into three steps.

Step 1: Basic RouterOS Configuration

Basic RouterOS configuration includes assigning the WAN, LAN and DNS IP addresses as well as the NAT and route configuration. The following steps will guide you through basic RouterOS configuration.

Basic RouterOS configuration on Office2 Router has been completed. Now it is time to create the OpenVPN client in our MikroTik Router.

Step 2: OpenVPN Client Configuration

After completing the RouterOS basic configuration, we will now configure the OpenVPN client on Office2 Router. The following steps will show you how to create the OVPN client in your MikroTik Router.

As soon as you provide the above information, an OVPN tunnel will be created between Office1 and Office2 Router, and the provided local and remote IP addresses will be assigned to Office1 and Office2 Router’s virtual interfaces respectively. At this stage, Office1 Router and its local network will be able to reach Office2 Router and its local network, but Office2 Router and its local network will only be able to reach Office1 Router, not its local network. To reach Office1 Router’s local network, a static route must be added to Office2 Router’s routing table.

Step 3: Static Route Configuration

After configuring the OVPN client on Office2 Router, Office2 Router can only access Office1 Router but not its local network. To solve this issue, a route is required in Office2 Router’s routing table. The following steps will show how to add a static route to Office2 Router’s routing table.

Now Office2 Router and its local network will be able to access Office1 Router’s local network.

Office1 Router and Office2 Router configuration for establishing an OVPN tunnel between them has been completed. Both routers’ local networks can now access each other. To check your configuration, send a ping request from a machine on one local network to a machine on the other local network. If everything is OK, your ping request will succeed.
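
The client-side steps (OVPN client and static route) with the ping check, as added RouterOS v6 terminal commands that are not part of the original article. The interface name `ovpn-office1`, the user name and password placeholder, port 1194, and the LAN gateway addresses 10.10.11.1 and 10.10.12.1 are assumptions; the user, password, auth and cipher must match what was set on Office1 Router.

```routeros
# Added example for Office2 Router (OpenVPN client), RouterOS v6 syntax.
# Assumed names and values: ovpn-office1, office2, the password
# placeholder, and the .1 gateway addresses on each LAN.

# Step 2: OVPN client dialing Office1 Router's WAN address with the
# PPP secret created on the server. add-default-route=no keeps
# internet traffic off the tunnel; only the route below uses it.
/interface ovpn-client add name=ovpn-office1 connect-to=192.168.70.2 port=1194 mode=ip user=office2 password="REPLACE-WITH-LONG-RANDOM-PASSWORD" auth=sha1 cipher=aes256 certificate=none add-default-route=no

# Step 3: static route to Office1 Router's local network through the
# server end of the tunnel.
/ip route add dst-address=10.10.11.0/24 gateway=172.22.22.1 comment="Office1 LAN via OVPN"

# Checks: the client interface shows the running flag, the tunnel
# peer answers, and the remote LAN is reachable when the ping is
# sourced from the Office2 LAN address.
/interface ovpn-client print
/ip route print where dst-address=10.10.11.0/24
/ping 172.22.22.1 count=4
/ping 10.10.11.1 src-address=10.10.12.1 count=4
```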

Follow the video below if you face any confusion while configuring site to site OpenVPN in the MikroTik Router. I think it will clear up any confusion.

MikroTik VPN configuration with the site to site OpenVPN service has been explained in this article. I hope you will be able to configure your site to site VPN with the MikroTik OpenVPN service if you follow the above explanation carefully. However, if you face any confusion while doing the above steps, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.
