In this tutorial we will look at how to set up a site-to-site VPN between a pfSense server and a Mikrotik client using OpenVPN the proper way. We’ll be taking advantage of pfSense’s superb certificate management features to do SSL/TLS instead of just a pre-shared key.
Our client will be a Routerboard RB2011 detailed in an earlier post that connects to a pfSense server. Only the local networks will be shared between the two sites; sharing the external address of the server with the client is out of scope of this tutorial. In my scenario the client’s local network will be 192.168.11.0/24 and the server’s 192.168.0.0/24. Our encryption will be AES with a key size of 256 bits (the maximum that RouterOS supports on this router as of now).
Let’s first connect to our router and set up the bare minimum. If you don’t know how to do that please refer to this tutorial to get you started. After we connect via winbox go to Quick Set:
And change the defaults to suit our needs:
Of course after applying the settings it will disconnect because of the network change:
Now to the server side of things. Log in to pfSense and go to System -> Cert. Manager:
The Certificate Manager screen will default to the CAs tab, where you can see your Certificate Authorities. If you don’t already have a dedicated CA for site-to-site VPNs then I highly suggest setting one up here. In my case we will be using the one that starts with bb (it stands for Back-Bone):
Navigating to Certificates we will see our certificates. At the very least there will be the webConfigurator present:
In my case I have a lot, so I scroll to the bottom to Add a new one:
The Add a New Certificate screen will appear:
We don’t want to import but rather create a new one, so let’s start by creating a server certificate. Give it a descriptive name, in my case it will be bb-server-SOMETHING, where SOMETHING is the remote location’s name. Set the Digest to sha256, the type to Server Certificate and fill in the rest of the required fields as applicable:
Now let’s add another one but here we will set the descriptive name to bb-client-SOMETHING and the certificate type to User Certificate, the digest remains sha256:
Now that we have our certificates we are ready to create our VPN server. Go to VPN -> OpenVPN:
Stay on the Servers tab, cause we want to create a server. Scroll to the bottom of the page and click the green Add button:
The OpenVPN server creation screen will appear:
Let’s change some of its settings. RouterOS (as of now) doesn’t support some OpenVPN features, so we need to adjust our server to be compatible with it. If this changes (hopefully in RouterOS 7) I will update the blog accordingly.
Let’s leave the Server mode on Peer to Peer (SSL/TLS), because we want to do site-to-site. We need to change the Protocol to TCP; the Device mode is good as it is on tun. I prefer to set the Interface to Localhost, because if there are more interfaces on the server or more than one external IP I will have more control over it later in the Firewall -> NAT section. I usually let the Local port auto increment as pfSense wants it, but in this case I set it to 1196. Please note that the default port for OpenVPN is 1194; I usually reserve that for Remote Access type servers (for the Road Warrior users). Let’s give it a nice Description so that later we can identify it.
Under TLS authentication we need to DISABLE Enable authentication of TLS packets. Change the Peer Certificate Authority to the one that contains our keys and set the Server certificate to the one we created earlier. Everything else you can leave at its default values, but I prefer to use AES-256-CBC instead of the default AES-128-CBC.
Let’s set the IPv4 Tunnel Network to something sensible that no one uses. Any type of internal network is fine, but I prefer to use networks from the class B range for my VPN needs. In this example the network is 172.28.12.4/30. Make sure to use a /30 netmask, since we are connecting only two IPs together. Leave IPv6 Tunnel Network empty and Redirect Gateway unchecked. Under IPv4 Local network(s) we need to input the local (server’s) CIDR, in my case 192.168.0.0/24, and under IPv4 Remote network(s) the remote (client’s) CIDR, which would be 192.168.11.0/24 for me. I leave both IPv6 Local network(s) and IPv6 Remote network(s) empty, since we are only working with IPv4 here. We can safely set the Concurrent connections to 1, for obvious reasons. Leave Compression on No Preference, because RouterOS 6 doesn’t support LZO compression, but if you disable it, it won’t work either (maybe a bug?). Lastly I check Disable IPv6.
Let’s leave this section as is; if you know what you are doing and need additional OpenVPN options then this article clearly isn’t for you.
Now let’s make a NAT rule to allow our VPN server to be reachable from the outside. Go to Firewall -> NAT:
Scroll to the bottom of the page and click Add, the following screen will appear:
We leave the Interface on WAN, the Protocol on TCP, the Destination on WAN address, in the Destination port range field we input 33311 (in my case, but it can be anything you want to use, for example it could be 1196 to match the target port). For the Redirect target IP we enter 127.0.0.1 and we set Redirect target port to 1196 (the port and address our OpenVPN server listens on). Finally we give it a proper Description and click Save:
Now we are ready to set up the VPN on the client side, but first let’s export the certificates. Go to System -> Cert. Manager:
Let’s export the CA’s Certificate by pressing the dot/star button next to the CA that we used:
Now on the Certificates tab let’s export the client certificate that we created by pressing dot/star button next to it:
And also the client key for that certificate by pressing the key button next to it:
You should have 3 files:
- CA cert (here: bb.crt)
- client cert (here: bb-client.crt)
- client key (here: bb-client.key)
Let’s upload those files to our Mikrotik device. You can simply drag and drop the 3 files from Explorer directly into winbox. It will upload them and the File List window will pop up showing where they were stored:
First let’s install our certificates. Go to System -> Certificates:
The certificates window will pop up:
Click on the Import button:
Select your client certificate from the drop down list, don’t enter a password and hit Import:
Now click Import a second time, to import the key as well. Notice that the certificate is imported (under the Import window):
After you have added the key to the certificate it will show KT instead of just T. That means that you successfully added the key as well:
And finally using the Import button let’s add our CA cert as well:
The certificates are properly installed, let’s close the window and go to PPP on the left side menu:
The PPP window will appear, defaulting to the Interface tab:
First let’s go and create a profile for our PPP interface on the Profiles tab:
Click the + button to add a new one and enter the Local Address and Remote Address. This should be the first usable address in your network for the remote address and the second for the local address. (Remember this is the client, it’s inverted here). In my case I input 172.28.12.6 for Local and 172.28.12.5 for Remote. Don’t forget to give it a proper Name:
After we hit OK it should look somewhat similar to this:
Now let’s go back to the Interface tab and click on the + button to add a new interface. There will be a drop down menu (that I could not screenshot) with a lot of different types of PPP interfaces, but we will be using OpenVPN in client mode, so click OVPN Client. The new interface dialog will appear. Under the General tab leave everything on default, but give it a proper Name:
Under the Dial Out tab we need to enter the external IP address or host name of our server (redacted in the below screenshot) in the Connect To field and the external Port that we set (in my case 33311); leave the Mode on IP and enter any random Username (I usually like to enter my certificate’s name here). Leave the Password field unused and select the Profile that we just created. Select the client (not the CA) certificate in the Certificate field, leave Auth on sha1, but change the Cipher to aes 256 to match our server’s configuration. After all that is set up hit OK:
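The same client-side steps (certificate import, PPP profile, OVPN client interface) as RouterOS 6 terminal commands, added here as an example and not taken from the post. It assumes the three uploaded files keep their exported names, that the imported certificate ends up named bb-client.crt_0 (adjust if yours differs), a placeholder server host name, and a pfSense LAN address of 192.168.0.1 for the final ping.

```routeros
# Added example, not part of the original post. RouterOS 6 CLI equivalent
# of the winbox steps above. Assumed names: bb.crt, bb-client.crt,
# bb-client.key (as exported from pfSense), vpn.example.invalid (server).

# 1. Import the client certificate first, then its key; the key attaches to
#    the certificate with the matching public key (flag T becomes KT).
/certificate import file-name=bb-client.crt passphrase=""
/certificate import file-name=bb-client.key passphrase=""
# Then the CA certificate, so the server certificate can be validated.
/certificate import file-name=bb.crt passphrase=""

# Give the imported entries stable names (RouterOS names them after the
# file, e.g. "bb-client.crt_0"; assumed here, check with /certificate print).
/certificate set [find name="bb-client.crt_0"] name=bb-client
/certificate set [find name="bb.crt_0"] name=bb-ca

# 2. PPP profile: on the client side local/remote are inverted relative to
#    the pfSense server (server .5, client .6 inside 172.28.12.4/30).
/ppp profile add name=bb-SOMETHING local-address=172.28.12.6 \
    remote-address=172.28.12.5

# 3. OVPN client matching the server: TCP on the NAT port 33311, tun ("ip"
#    mode), AES-256 cipher, SHA1 auth, client certificate, no password.
/interface ovpn-client add name=ovpn-bb-SOMETHING \
    connect-to=vpn.example.invalid port=33311 mode=ip \
    user=bb-client-SOMETHING profile=bb-SOMETHING certificate=bb-client \
    auth=sha1 cipher=aes256 add-default-route=no

# 4. Assumed extra step (not in the post): if the router does not apply the
#    route pushed by the server, point the server's LAN at the tunnel.
/ip route add dst-address=192.168.0.0/24 gateway=ovpn-bb-SOMETHING \
    comment="to pfSense LAN via site-to-site VPN"

# 5. Check: the interface should show flag R (running) and the remote LAN
#    should answer (192.168.0.1 assumed to be the pfSense LAN address).
/interface ovpn-client print
/ping 192.168.0.1 count=3
```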
This is our VPN interface:
Now to test it out. I just did some pings (Tools -> Ping) to the remote site:
And the same on the server side:
That’s pretty much it. Enjoy your VPN! You also might want to read my OpenVPN performance of Mikrotik devices article where I tested a wide range of routers to find out which router might fit your needs.