Task

For a secure remote connection to the installation site we have always recommended using either the EMBS cloud platform or a VPN tunnel to the router located on the site. Now it is also possible to make a direct VPN tunnel from LogicMachine to an external Mikrotik router over the OpenVPN protocol.

Configuration of Mikrotik router (based on this example)

Create all the certificate templates (10 years validity). For the OpenVPN server the common name can be anything:

    /certificate
    add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
    add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
    add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client

The created certificates need to be signed:

    /certificate
    sign ca-template name=ca-certificate
    sign server-template name=server-certificate ca=ca-certificate
    sign client-template name=client-certificate ca=ca-certificate

Next, export the CA certificate and the client certificate together with its key. This gives you three files: cert_export_ca-certificate.crt, cert_export_client-certificate.crt and cert_export_client-certificate.key:

    /certificate
    export-certificate ca-certificate export-passphrase=""
    export-certificate client-certificate export-passphrase=12345678

Download the created files to your PC (drag and drop from Winbox -> Files).

Next we need a separate pool of IP addresses for VPN clients. Let's assume your clients are in some other network (e.g. 192.168.1.x) and this new network is used only for the VPN:

    /ip
    pool add name="vpn-pool" ranges=192.168.8.10-192.168.8.99

Create a separate PPP profile, assuming the Mikrotik router will be the DNS server for the clients. Replace the name and password with correct values. The local-address should be from the same address range as the IP pool for OpenVPN:

    /ppp
    profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
    secret add name=user profile=vpn-profile password=password

Finally, we can enable OpenVPN server interface:

    /interface ovpn-server server
    set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes

OpenVPN client configuration on LogicMachine

Make sure your LM is running firmware 20200116 or newer. The OpenVPN settings are located in System config -> Services -> OpenVPN client.

Use the username and password you created under /ppp secret on the Mikrotik. In the configuration file, paste the contents of the three certificate files you downloaded from the Mikrotik router. Make sure to specify the correct public IP of the Mikrotik router.
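The client configuration file described above, as an added example that is not part of the original page or of LogicMachine's own code: a Python helper that pulls the PEM blocks out of the three exported files, inlines them into an OpenVPN client config matching the server settings above, and flags that the exported key is passphrase-protected (RouterOS only exports a private key when export-passphrase is set, and encrypts it with that passphrase). It assumes the RouterOS OVPN server is on its default TCP port 1194; the PEM bodies below are constructed placeholders, not real key material.

```python
import re

# Constructed placeholders for the three files exported from the router
# (cert_export_ca-certificate.crt, cert_export_client-certificate.crt,
# cert_export_client-certificate.key); the base64 bodies are not real key material.
CA_CRT = "-----BEGIN CERTIFICATE-----\nQ0EgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
CLIENT_CRT = "-----BEGIN CERTIFICATE-----\nQ0xJRU5UIFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
CLIENT_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\r\nS0VZIFBMQUNFSE9MREVS\r\n"
              "-----END ENCRYPTED PRIVATE KEY-----\r\n")  # CRLF, as a Windows download may have

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)


def pem_block(text, kind):
    """Return the first PEM block whose label contains `kind`, with LF line endings."""
    for match in PEM_BLOCK.finditer(text):
        if kind in match.group(1):
            return match.group(0).replace("\r\n", "\n")
    raise ValueError(f"no {kind} block in input")


def key_is_encrypted(key_pem):
    """True if the key is passphrase-protected, as RouterOS exports it; the OpenVPN
    client then needs the passphrase (askpass) or a decrypted copy of the key."""
    return "ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem


def build_ovpn(server_ip, ca_crt, client_crt, client_key, port=1194):
    """Assemble an OpenVPN client config for the Mikrotik server configured above
    (TCP server, client certificate required, auth=sha1, AES-CBC ciphers)."""
    directives = [
        "client",
        "dev tun",                 # RouterOS ovpn-server default mode=ip
        "proto tcp-client",        # RouterOS 6 OVPN server speaks TCP only
        f"remote {server_ip} {port}",
        "nobind",
        "persist-key",
        "persist-tun",
        "auth-user-pass",          # the /ppp secret name and password
        "remote-cert-tls server",  # peer cert must carry the tls-server usage from server-template
        "cipher AES-256-CBC",      # "aes256" in the server's cipher list
        "auth SHA1",               # matches auth=sha1 on the server
        # no comp-lzo: the RouterOS OVPN server does not support compression
    ]
    inline = (f"<ca>\n{pem_block(ca_crt, 'CERTIFICATE')}\n</ca>\n"
              f"<cert>\n{pem_block(client_crt, 'CERTIFICATE')}\n</cert>\n"
              f"<key>\n{pem_block(client_key, 'PRIVATE KEY')}\n</key>\n")
    return "\n".join(directives) + "\n" + inline
```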