Configure OpenVPN Server with RouterOS compatibility

RouterOS has nothing to do with security, so this article focuses on usability rather than security; every configuration step that exists only for security is marked as optional.

First of all, let’s review the limitations of the OpenVPN client on RouterOS 6.x:

  • Supported protocol: TCP (TLS mode) only, no UDP, no static key
  • Supported ciphers: none, BF-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
  • Supported digest algorithms: none, MD5, SHA1
  • Supported authentication methods: username, password and optional client certificate
  • Does not support MPLS even if running in TAP mode

Server Configuration

We use Debian 10 as an example here.

Install OpenVPN

Create CA and Server Certificate

For the sake of simplicity, we directly generate the CA certificate on the same server. This is not safe and is not recommended for production; you should generate the CA private key on an air-gapped computer and generate the server private key and the CSR on the server.

Create Server Configuration

Create Username Password Authentication Script

OpenVPN does not natively support a username/password database. Either you configure PAM (which means a corresponding Linux user for every VPN user, or messing with the PAM configuration), or you write your own program that checks the username and password on each login. We’ll use the latter. When the program is invoked, it receives a filename as an argument; the first line of that file is the username and the second line is the password. If the program exits with status 0, the login succeeds. Let’s quickly write a bash script and hardcode everything:

Save this file as user-pass-auth.sh and give it execute permission.
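The via-file contract just described, as an added example that is not the article’s own script: it reads the two lines OpenVPN writes, looks the user up in a hardcoded table of SHA-256 digests instead of plaintext passwords (the table entry for user alice with demo password abc is constructed for this example), and exits 0 only on a match.

```shell
#!/bin/sh
# Added example, not the article's own script: an OpenVPN
# auth-user-pass-verify handler for "via-file" mode. OpenVPN writes the
# username on line 1 and the password on line 2 of a temporary file, passes
# its path as $1, and treats exit status 0 as a successful login.
set -u

# Constructed credential table, one "username:sha256hex(password)" per line.
# Digests keep plaintext passwords out of the script; the demo user "alice"
# has the password "abc" (the digest below is sha256 of "abc").
CREDENTIALS='alice:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'

# sha256_hex STRING -> lowercase hex digest (coreutils sha256sum or Perl shasum).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# check_credentials FILE -> 0 for a valid login, 1 for anything else.
check_credentials() {
    file=$1
    [ -r "$file" ] || return 1
    # Exactly the two lines OpenVPN wrote; a missing line yields "" and fails.
    user=$(sed -n '1p' "$file")
    pass=$(sed -n '2p' "$file")
    # Restrict usernames to a conservative charset so the value is safe to
    # pass to awk below and to write into logs.
    case $user in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ -n "$pass" ] || return 1
    expected=$(printf '%s\n' "$CREDENTIALS" | awk -F: -v u="$user" '$1 == u { print $2; exit }')
    [ -n "$expected" ] || return 1
    actual=$(sha256_hex "$pass")
    [ "$actual" = "$expected" ]
}

# OpenVPN passes the credential file as $1; with no argument only the
# functions are defined, so the file can also be sourced for testing.
if [ $# -gt 0 ]; then
    if check_credentials "$1"; then exit 0; fi
    exit 1
fi
```

A fast unsalted digest is only a small step up from plaintext: if the script leaks, short passwords are recovered offline in seconds, so a real deployment should store a salted, slow password hash instead.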

(Optional) Add Interface to VRF

Client Config on RouterOS

(Optional) Create Client Certificate

  1. Generate private key and CSR on the client
  2. Copy the CSR to the CA server
  3. CA server signs the CSR to generate the certificate
  4. Import the certificate back to the client

(Optional) Import CA

  1. Import the CA on the client

Create the Interface

If you’ve imported the CA (recommended), then tick “Verify Server Certificate”. If you created a client certificate, choose it in the “Certificate” dropdown.