Creating an OpenVPN server with Mikrotik and Domain Authentication Using Domain CA


Recently I was asked by a client to create an OpenVPN server that utilizes their existing Active Directory and Key Infrastructure.

While this is probably not the only way of implementing this solution, here are the steps I followed to get it working.

Some things I assume you already have in place:

  1. A Mikrotik router that is configured to give your LAN access to the internet
  2. A public IP that remote users can connect to (DynDNS hosts are acceptable)
  3. A Windows Domain Controller
  4. An NPS server
  5. The CA role installed

Prepare the Active Directory Infrastructure

This includes making sure that:

  • The NPS server is configured to accept RADIUS requests from the Mikrotik
  • The CA is able to issue certificates
  • The users have been created in AD

Configure the Mikrotik

Assuming that all the above are in place we can start to configure the Mikrotik.

  • Configure RADIUS server on routerboard

/radius add address=ww.xx.yy.zz src-address=ww.xx.yy.ab secret="somesupersecuresecret" service=ppp
/radius incoming set accept=yes

  • Configure DNS (If not already in place)

/ip dns set servers=ww.xx.yy.zz

  • Configure NTP

/system ntp client set primary-ntp=162.159.200.123 secondary-ntp=156.38.0.219

  • Configure the certificate store to download the CRL (very important, since this is what enforces revocation)

/certificate settings set crl-download=yes crl-store=ram crl-use=yes

  • Import Certificates

Transfer your CA certificate to the Mikrotik and import it:

/certificate import file-name=CA.cer

You can verify the certificate is in place with:

/certificate print

This should return:

# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 T CA.cer_0 XXXXX-CA 597d2636537

Create a certificate template that we will use to generate a CSR to submit to the Domain CA:

/certificate add name=oVPN-Server country=ZA state=GP locality=Pretoria organization=Novicus unit=Novicus common-name=rb760.novicus.local subject-alt-name=IP:ww.xx.yy.zz,IP:aa.bb.cc.dd days-valid=730 key-usage=tls-server

Generating the request produces two files. Download the certificate-request.pem and use it to issue the certificate on your CA:

/certificate create-certificate-request template=oVPN-Server key-passphrase=SomeSecurePassword

Once the certificate is signed by your CA, copy the new certificate to the Mikrotik so that you can import it:

/certificate import file-name=certnew.cer
/certificate import file-name=certificate-request_key.pem

Both commands will ask you to enter the passphrase you used in the previous step.

Confirm the certificate is TRUSTED, HAS A CRL and has a KEY (the KLT flags):

/certificate print
/certificate crl print

When checking the CRL list, make sure that the CRL has been downloaded and is not “Invalid”.

  • Create an IP Pool for openVPN clients

/ip pool add name=oVPN ranges=1.2.3.4-1.2.3.50

  • Create a PPP Profile for openVPN clients

/ppp profile add name=oVPN local-address=10.34.43.1 remote-address=oVPN only-one=yes use-encryption=required rate-limit=5M/10M

  • Set PPP to use RADIUS authentication

/ppp aaa set use-radius=yes interim-update=10m

  • Create openVPN server

/interface ovpn-server server set certificate=certnew.cer_0 default-profile=oVPN cipher=aes256 enabled=yes mode=ip netmask=24 port=1194 require-client-certificate=yes auth=sha1

Download and install the OpenVPN client on the user’s device.

Because I use Group Policies to dump the .ovpn config file in the user’s profile, I like having my config in one file. Here is an example of my config file:

client
dev tun
proto tcp-client
remote vpn-server-ip-or-dns-name
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
# OpenVPN defaults the netmask to 255.255.255.255 (a single host) when it is omitted,
# so the LAN network needs an explicit netmask
route 10.XX.YY.0 255.255.255.0
dhcp-option DNS 10.XX.YY.ZZ
<ca>
-----BEGIN CERTIFICATE-----
(your CA certificate in PEM form)
-----END CERTIFICATE-----
</ca>
cryptoapicert "SUBJ:DOMAIN"

You need to change the following lines

  1. remote
  2. route
  3. dhcp-option
  4. the info between the <ca></ca> tags
  5. the DOMAIN part of cryptoapicert "SUBJ:DOMAIN" must match your domain name

Something to keep in mind

When a certificate is revoked, you will need to wait for the new CRL to be published and downloaded by the Mikrotik before the revoked user stops being able to connect; how long this takes depends on how your CA has been configured. You can speed this up by going to the CA and forcing it to publish the new CRL and, for good measure, rebooting the Mikrotik board.
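To see why that last point matters, here is an added example (my own, not code from the post, MikroTik or the client's environment) that uses Python's `cryptography` package to build a throwaway lab CA, issue a user certificate, and replay the server-side decision against the CRL published before and after the revocation: the older CRL still accepts the revoked user, and a CRL past its next-update is flagged as stale. The CA, the user name and the clock are all constructed for the demo.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # constructed clock for the demo
def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
def make_ca():
    # Throwaway lab CA standing in for the Domain CA (constructed, not a real CA).
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(name("Lab CA")).issuer_name(name("Lab CA"))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert
def issue_client(ca_key, ca_cert, user):
    # User certificate, as the domain CA would issue it for the VPN client.
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder().subject_name(name(user)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))
def publish_crl(ca_key, ca_cert, revoked_serials, issued_at):
    # One CRL publication by the CA; the next update is due one week later.
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(issued_at).next_update(issued_at + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(issued_at).build())
    return b.sign(ca_key, hashes.SHA256())
def accept_client(cert, ca_cert, crl, now):
    # The decision the VPN server makes with whatever CRL it currently holds.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "reject: CRL not signed by our CA"
    nxt = getattr(crl, "next_update_utc", None) or crl.next_update.replace(tzinfo=dt.timezone.utc)
    if nxt < now:
        return "reject: CRL stale, refresh before trusting it"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "reject: certificate revoked"
    return "accept"
def demo():
    # alice is revoked an hour after the first CRL; the server keeps accepting her
    # until it has downloaded the second one, and must not trust a stale CRL either.
    ca_key, ca_cert = make_ca()
    alice = issue_client(ca_key, ca_cert, "alice")
    old_crl = publish_crl(ca_key, ca_cert, [], NOW)
    new_crl = publish_crl(ca_key, ca_cert, [alice.serial_number], NOW + dt.timedelta(hours=1))
    later = NOW + dt.timedelta(hours=2)
    return (accept_client(alice, ca_cert, old_crl, later), accept_client(alice, ca_cert, new_crl, later),
            accept_client(alice, ca_cert, old_crl, NOW + dt.timedelta(days=8)))
```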
