Simple OpenVPN Server on Mikrotik

Having OpenVPN server on your router is a nifty feature. However, as often with Mirotik, not all is straight forward.

This guide is going to assume you are to enter commands into the New Terminal window from WinBox. That way I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.

Prerequisite for any VPN server is to get certificates sorted. For OpenVPN we need main Certificate Authority, server, and client certificate. Yes, strictly speaking, client certificate is optional but let’s not skimp on security.

First we create all the certificate templates (10 years validity) we’ll need:

/certificate
add name=ca-template common-name=^^example.com^^ days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=^^*.example.com^^ days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=^^client.example.com^^ days-valid=3650 key-size=2048 key-usage=tls-client

For the purpose of OpenVPN server common name can be really anything. However, some other VPNs are not as forgiving (yes SSTP, I am looking at you) so it might be best to have either your external IP or host name as the common-name text. Any yes, if you have dynamic IP and you are not using your own domain, you can put *.dyndns.org there - no worries.

Created certificates will need signing:

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Depending on your router’s speed, that sign command might time-out - nothing to worry about - just wait for CPU to drop below 100%. Or alternatively check name of certificate - template part will disappear once signing is completed.

With this we need to export a few files:

/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=^^12345678^^

This should give you three files: cert_export_ca-certificate.crt, cert_export_client-certificate.crt, and cert_export_client-certificate.key. After copying this on computer for later I like to rename them to ca.crt, client.crt, and client.key respectively.

Next we need a separate pool of IP addresses for clients. I will assume you have your clients in some other network (e.g. 192.168.1.x) and this new network is just for VPN:

/ip
pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

Instead of editing the default encrypted profile, we can create a new one. Assumption is your Mikrotik will also be a DNS server. And while at it, you can create a bit more imaginative user/password:

/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
secret add name=^^user^^ profile=vpn-profile password=^^password^^

Finally, we can enable OpenVPN server interface:

/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes

Now finally we can copy both ca.crt and client.crt to C:\Program Files\OpenVPN\config\ directory alongside client.ovpn.

You don’t have client.ovpn? Well, one is in sample-config directory and we just need to change/add highlighted items:

client
dev tun
proto ^^tcp^^
remote ^^example.com^^ 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
cipher AES-128-CBC
^^auth SHA1^^
^^auth-user-pass^^
^^redirect-gateway def1^^
verb 3

A bit annoying step is being asked for the private key passphrase (in the addition to username/password). Mikrotik doesn’t allow export without it but fortunately we can use OpenSSL to change that:

openssl.exe rsa -in client.key -out client.key
 Enter pass phrase for client.key: 12345678
 writing RSA key

With this, your VPN connection should work like a charm.

PS: Do not forget to adjust firewall if necessary (TCP port 1194).

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

PPS: Do check SSTP guide too.

PPPS: If you’re on RouterOS 7 you might want to check this guide for UDP.

[2017-01-26: Adjusted certificate creation to work on RouterOS 6.38 and later] [2017-01-26: Changed key size to 2048 (instead of 4096) so it doesn’t take ages to generate certificates. :)] [2017-02-25: Changed example to use AES-128 for lower CPU usage on router.]

Local Host Name Resolving Under Windows With Mikrotik's DNS

As I switched all DNS resolving to my Mikrotik router, a curious problem appeared. I couldn’t access my main file server using its short name anymore.

That is fine, I thought. If I go to IP -> DNS and I add Static entry for it. And so I did and everything worked when I tested it. From Linux machine. From Windows 10 machine you ask? Nope - I couldn’t access it still. I try ping and it complains. I try nslookup and it works. Interestingly, an entry with a domain (e.g. server.thing) would work with both. It was just short names that wouldn’t behave.

To make long story short, fix is to force Windows to use longer names even for single word lookups. To do this, we can employ magic of DHCP’s domain-name setting conveniently available under DHCP network setup. If this is provided to Windows host upon IP address assignment, it will append all single word host names with that DNS suffix and, provided you defined static DNS host entry with that full name, Windows will work happily ever after.

Downside of this solution is that you need to have both long and short form (e.g. server and server.network) defined for mixed Windows/Linux environments. Yes, you can create a regex to cover both but it will look ugly (e.g. ^server(.network)?$). I personally simply define host two times - looks nicer. ;)

Root issue is just another leftover from NBNS/WINS resolver era - something nobody uses on any normal network but somehow Windows still thinks of it as an appropriate default behavior. Annoyingly some components are built smarter so, depending which tool you use, you can chase damn Schrödinger’s cat all day long…

Remote Passwordless SSH/RSA Login Into Mikrotik

It all started with the need for backup. I had to do two things. First create a backup user with read-only access and then to automate gathering of exported configuration using SSH. And, as a twist, SSH would need to use RSA - something WinBox started supporting only recently (since 6.31).

The easiest way to configure this is to enter commands into New Terminal from WinBox. I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.

Before creating user itself we need to create a group without any rights, followed by user creation:

/user
group add name=backup policy=
add name=backup group=backup

With the user in hand, we should get key authentication going. Do notice that key.txt contents should be the public key for use with login. How to generate it is out of scope but just google PuttyGen and you can find a lot of information about this. In any case, we can set publick key for user by using the following commands:

/file
print file=key.txt
set key.txt contents="^^ssh-rsa ...^^"

/user
ssh-keys import public-key-file=key.txt user=backup

After assigning key to a user, we can give it appropriate rights - in my case those were ssh and read. Do notice that policy could have been set while creating group but that would allow user to login without any password until SSH key was set. While window is short and chance is really remote, I prefer to avoid it:

/user
group set [find name=backup] policy=ssh,read

If everything has been done correctly, you can log into router using your RSA keys and you can run export command to gather current configuration.

PS: If you are limiting MACs to be used with SSH beware that Mikrotik supports only hmac-sha1.

Isolating Mikrotik LAN Ports With Queue Support

When I last time did LAN port isolation, it seemingly ended with a success. And yes, I have ran with that config for a while without problems. However, at one point, I decided to implement bandwidth limits per port using queues. However, a speed test has shown that while download speed looking from WAN side was throttled, my maximum upload speed wasn’t observed.

I won’t get too much into why it is so. It’s sufficient to say you cannot set upload speed on interface if it is a slave. Guess what, interfaces belonging to a bridge are slaves. It doesn’t matter if you place each interface in its separate bridge - as was my first attempt - while your upload will be throttled, your download limiting will not work.

The only configuration I’ve found working was to have each interface manage its own network - thus each being the master.

The easiest way to configure this is to enter commands into New Terminal from WinBox. I will write commands assuming all bridges, their ports, and each mentioned section are completely empty as we start.

First we need to give a separate IP to each interface facing our internal LAN:

/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 disabled=no
add address=192.168.2.1/24 interface=ether3 network=192.168.2.0 disabled=no
add address=192.168.3.1/24 interface=ether4 network=192.168.3.0 disabled=no
add address=192.168.4.1/24 interface=ether5 network=192.168.4.0 disabled=no

Next we define multiple DHCP pools - in this case 4 of them:

/ip pool
add name=pool1 ranges=192.168.1.10-192.168.1.99
add name=pool2 ranges=192.168.2.10-192.168.2.99
add name=pool3 ranges=192.168.3.10-192.168.3.99
add name=pool4 ranges=192.168.4.10-192.168.4.99

Of course, adding a separate DHCP server for each of these pools is needed:

/ip dhcp-server
add name=server1 interface=ether2 address-pool=pool1 disabled=no
add name=server2 interface=ether3 address-pool=pool2 disabled=no
add name=server3 interface=ether4 address-pool=pool3 disabled=no
add name=server4 interface=ether5 address-pool=pool4 disabled=no

DHCP network for each follows:

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
add address=192.168.3.0/24 gateway=192.168.3.1 netmask=24
add address=192.168.4.0/24 gateway=192.168.4.1 netmask=24

Quick stop to verify routes is in order. Assuming you all is done correctly four new dynamic routes should appear (it is ok for disconnected ports to have distance 255):

/ip route print
 Flags: X - disabled, A - active, D - dynamic,
 C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
 B - blackhole, U - unreachable, P - prohibit
  #      DST-ADDRESS     PREF-SRC         GATEWAY      DISTANCE
  0 ADS  0.0.0.0/0                        192.168.0.1         1
  1 ADC  192.168.1.0/24  192.168.101.250  ether2              0
  2  DC  192.168.2.0/24  192.168.102.250  ether3            255
  3 ADC  192.168.3.0/24  192.168.103.250  ether4              0
  4 ADC  192.168.4.0/24  192.168.104.250  ether5              0
  5 ADC  192.168.0.0/24  192.168.0.14     ether1              0

Assuming you don’t have NAT masquarade setup from before, let’s setup one now. If you do have it already in IP Firewall NAT, simply skip this step:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 disabled=no               

After all this we can finally add traffic limiting queues. In my case the first two ports didn’t have any limits, third had 1 Mbit/s upload and download, and the last interface had 128 kbits/s upload and 256 kbits/s download:

/queue simple
add name=queue1 target=ether2 max-limit=0/0
add name=queue2 target=ether3 max-limit=0/0
add name=queue3 target=ether4 max-limit=1M/1M
add name=queue4 target=ether5 max-limit=128k/256k

To isolate LAN ports we again use the firewall rules allowing the new connections only toward ether1 (WAN) interface:

/ip firewall filter
add action=accept chain=forward connection-state=established comment="Allow established"
add action=accept chain=forward connection-state=related comment="Allow related"
add action=accept chain=forward out-interface=ether1 comment="Allow WAN"
add action=drop chain=forward comment="Drop everything else"

PS: There is quite nice guide at Networking For Integrators. They use a quite similar approach for the purpose of segregating multiple networks.

Enabling HTTPS on MikroTik

Mikrotik and its WinBox interface are virtually inseparable. Most people use it without thinking of any other option. However, Mikrotik supports also has (quite a good) HTTP interface and it also supports a (disabled by default) HTTPS access.

Enabling HTTPS is unfortunately not a straightforward experience.

The easiest way to configure this is to enter commands into New Terminal from WinBox. I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.

For HTTPS to work we need to create two certificates, master and apprentice. Ok, actually we need root and HTTPS certificate but master and apprentice sounds much cooler ;):

/certificate
add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert

With certificate signed, we just need to assign it to www-ssl service and enable it, while disabling non-https variant:

/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes

And that’s it. Now you can access your router via HTTPS.

PS: Never use unencrypted interface like HTTP or FTP toward your router. Your password will travel plain-text and risk is not worth 5 minutes it takes to enable TLS encryption.

Adding Mikrotik DDSN as a Subdomain

If you need remote access, one of things you’ll notice about Mikrotik devices is there is no support for DDNS. Yes, you could always create a script for it but there is nothing built-in.

However, Mikrotik does offer quite similar functionality out-of-box for a year now. In Cloud menu you just select DDNS enabled and Mikrotik your public IP will be located at <serial>.sn.mynetname.net. It is not as nice as having custom name with DynDNS, but usable nonetheless.

However, if you have your own domain, you can make it a bit more friendlier. Find where you can edit DNS entries at your registrar (Manage Domain with DreamHost) and add a new CNAME entry. For name you can put whatever you want and for value put Mikrotik’s DNS name (<serial>.sn.mynetname.net).

After a few minutes (damn DNS propagation :)) you’ll see your DNS entry working.

PS: You can verify status with nslookup myname.mydomain.com.

Isolating Mikrotik LAN Ports

For a home project of mine, I have decided on Mikrotik’s hEX PoE lite due to its awesome capability to power other devices.

Outside of PoE, I needed a standard Internet router - WAN on port 1 and LAN on other ports - but with a twist. I wanted to have LAN ports isolated from each other while still being able to access WAN. Something that on almost any wireless box you get as a checkbox turned out to be a actually non-existent.

However, beauty of a bit more manageable and complicated device is that you can define a lot of functionality yourself. For this particular scenario, solution was in adjusting the firewall.

To setup firewall, the easiest way is to connect via WinBox and go into New Terminal. There we can just execute following commands:

/ip firewall filter
add action=accept chain=forward connection-state=established comment="Allow established"  
add action=accept chain=forward connection-state=related comment="Allow related"
add action=accept chain=forward out-interface=ether1 comment="Allow WAN"
add action=drop chain=forward comment="Drop everything else"

First two allow any established and related connection unconditionally. Third one allows anything going out to WAN interface. Packets coming into that interface will have to be either established or related so there is no reason for another accept there. Final rule is to drop all other traffic.

With just these four rules, all LAN ports are isolated while still being capable of Internet acess.

Limiting Bandwidth on MAP Lite

As I wanted to have a separate wireless network for few of my IoT experiments and taking into consideration how secure IoT devices are (hint: not secure at all), I decided to go with a mini access point. Securing IoT gets much easier with a separate physical device.

Device had to be 2.4 GHz AP, allow for remote management, and cheap. One beautiful device matching all criteria was MikroTik mAP lite. Mikrotik devices are usually more of an European thing and, compared to other wireless devices, a bit harder to obtain in States. For example, I bought mine from ICD Group because Amazon didn’t carry any.

I haven’t used MikroTik for a while now but I remembered its WinBox interface fast enough. And I remembered how it saves its settings immediately thus punishing you for any error. It is definitely not the most friendly user interface nor I can call it excellent for beginners. But it is powerful enough to be worth learning.

Anyhow, with basic configuration done I wanted to limit upstream bandwidth toward my main router. From Queues menu I just added new queue, set Target to “ether1”, and assigned Max limit for both upload (256 kbit/s) and download (64 kbit/s). Short speed test later and I was confused. Speed wasn’t being restricted at all. And traffic figures were unreasonably low. Something weird was going on.

A bit of troubleshooting and I found the culprit. Once I changed in IP->Firewall the defcon entry from “fasttrack connection” to “accept”, my queue started limiting as it should.