How to Set Up and Connect to an OpenVPN Server on MikroTik RouterOS 7

Prerequisites

For this tutorial, you will need a MikroTik with the following:

  • RouterOS v7.x
  • DHCP server
  • Firewall
  • NAT
  • A public IP address
  • A domain name (optional)

Make sure that your router has the correct time setting, either by connecting to an NTP server or by setting it manually.

Creating Certificates

You will need to generate three certificates: a CA certificate, a client certificate, and a server certificate.

1. Create CA Certificate

/certificate add name=ca-cert common-name=ca-cert days-valid=365 key-size=2048 key-usage=crl-sign,key-cert-sign

Open the System -> Certificates menu and create a certificate called ca-cert. Set the common name to ca-cert, the key size to 2048 bits, and the days valid to 365.

Open the Key Usage tab and check “key cert. sign” and “crl sign”.

2. Create Server Certificate

/certificate add name=server-cert common-name=server-cert days-valid=365 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server

Open the System -> Certificates menu and create a certificate called server-cert. Set the common name to server-cert, the key size to 2048 bits, and the days valid to 365.

Navigate to the Key Usage tab and check “digital signature”, “key encipherment”, and “tls server”

3. Create Client Certificate

/certificate add name=client-cert common-name=client-cert days-valid=365 key-size=2048 key-usage=tls-client

Open System -> Certificates and create a certificate called client-cert. Set the common name to client-cert, the key size to 2048 bits, and the days valid to 365.

Navigate to the Key Usage tab and check “tls client”.


Signing the Certificates

1. Signing the CA Certificate

/certificate sign ca-cert name=ca-cert ca-crl-host="[your public IP or hostname]"

Click on your CA certificate in the menu and click the Sign button in the pane on the right. Change the CA CRL Host to your domain name or public IP address. Click Start and wait for it to be signed. This may take a little while depending on which model of MikroTik you have.

2. Signing the Client and Server Certificates

/certificate sign server-cert name=server-cert ca=ca-cert
/certificate sign client-cert name=client-cert ca=ca-cert

Open the server certificate and click the Sign button. Change the CA to your CA certificate and then click Start. Once it has finished, repeat this for the client certificate.

3. Trusting the Server Certificate

/certificate set server-cert trusted=yes

Click on the server-cert and check the Trusted box.

Exporting the Certificates

1. Exporting the CA Certificate

/certificate export-certificate ca-cert export-passphrase=""

Click on the CA certificate and click the Export button. Leave the export passphrase blank.

2. Exporting the Client Certificate

/certificate export-certificate client-cert export-passphrase="[your password]"

Click on the client certificate and click the Export button. Type in your desired password (must be at least 8 characters) into the Export Passphrase box, then press Export.

3. Transferring the Files

You should now have 3 files – the CA certificate, the client certificate, and the client key.

Copy the 3 files to your computer and rename them to “ca.crt”, “client.crt”, and “client.key”.

Create a PPP Profile

/ppp profile add name="VPN-Profile" use-encryption=yes local-address=[MikroTik's LAN IP] dns-server=[MikroTik's LAN IP] remote-address="[LAN IP pool name]" bridge="[LAN bridge name]"

Open the PPP window and navigate to the Profiles tab. Create a new profile called “VPN-Profile”. Set the local address to your MikroTik’s LAN IP address and choose your VPN IP address pool for the remote address. Set the bridge to your LAN bridge, then navigate to the Protocols tab and change Use Encryption to yes.

Create a VPN User

/ppp secret add name=username password="[your password]" service=ovpn profile="VPN-Profile"

Open the PPP window and navigate to the Secrets tab. Add a new entry with the name set to the desired username and the password set to the desired password. Set the service to ovpn and change the profile to your PPP profile.

Set up the OpenVPN Server Interface

/interface ovpn-server server set default-profile=VPN-Profile certificate=server-cert require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes port=[port, default 1194] protocol=[tcp/udp] mode=[ethernet/ip]

  1. Open the PPP window and navigate to the Interface tab. Click the OVPN Server button in the bar at the top to edit the OpenVPN server interface.
  2. Check the enabled box and set the port to the desired port number. The default is 1194, but you may want to use an alternative port.
  3. Set the mode to ip for a layer 3 VPN or ethernet for a layer 2 VPN. Layer 3 is the recommended option.
  4. Set the protocol to either UDP or TCP, depending on which one you want to use. UDP is the recommended option.
  5. Set the netmask to the CIDR netmask for your LAN subnet (usually 24)
  6. Change the default profile to the PPP profile you created earlier
  7. Change the certificate to your server certificate and check the “Require Client Certificate” button
  8. In the Auth section, check the box that says sha1 and uncheck all other boxes
  9. In the Cipher section, check the boxes for AES 128, 192, and 256. Uncheck all other boxes.

Add a Firewall Rule

/ip firewall filter add action=accept chain=input dst-port=1194 in-interface=BR_WAN protocol=udp

Open the IP -> Firewall window and navigate to the Filter Rules tab. Create a new rule on the input chain that allows incoming traffic from the WAN on the TCP or UDP port you used for your OpenVPN server interface. The specifics of this rule may differ depending on your firewall configuration.

Create Logging Rules

/system logging add topics=ovpn,debug action=memory
/system logging add topics=ovpn,info action=memory

You can tell the router to save OpenVPN logs into the log buffer. In the System -> Logging menu, create two new rules. The first rule should match the ovpn and info topics and send them to memory. The second rule should match the ovpn and debug topics and send them to memory. You can remove these later if desired, but it is recommended to leave these enabled while trying out the VPN server for the first time.

Enable Proxy ARP

/interface bridge set BR_LAN arp=proxy-arp

Open the Bridge window and edit your LAN bridge. Change ARP from enabled to proxy-arp. This will allow VPN clients to communicate with other devices on the LAN.

Connecting to the VPN

You must be on a separate network when connecting to the VPN server.

Connecting from Ubuntu Linux

  1. Open the Settings application
  2. Click on Network in the menu on the left
  3. In the VPN section, click the plus icon to set up a new VPN connection
  4. Click OpenVPN in the menu
  5. Set the name to your desired name for the VPN connection
  6. Set the gateway to the domain name or public IP address. If you used a nonstandard port number, add a colon followed by the port number
  7. In the Authentication section, change the type to Password with Certificates (TLS)
  8. Fill in your username and password
  9. Choose ca.crt for the CA certificate, client.crt for the user certificate, and client.key for the user private key
  10. Fill in the password you set for the client certificate in the user key password box
  11. Click the button at the bottom that says Advanced
  12. If you used a port other than 1194, check the box that says “Use custom gateway port” and fill in the port number
  13. If you set up a TCP VPN, check the box that says “Use a TCP connection”. Otherwise, leave it unchecked.
  14. Check the box that says “Set virtual device type”.
    1. If you set up a layer 3 (IP) VPN, choose TUN in the dropdown and set the name to “tun”
    2. If you set up a layer 2 (ethernet) VPN, choose TAP in the dropdown and set the name to “tap”
  15. Navigate to the Security tab and change the cipher to AES-256-CBC

Connecting from Android

Please note that the Android VPN API does not support layer 2 VPN connections, so you must be using a layer 3 VPN in order for this to work.

Start by creating a file called client.ovpn:

client
# Layer 3 VPN: both the device and the device type must be tun
dev tun
dev-type tun
# udp or tcp, matching the protocol set on the OVPN server interface
proto [udp/tcp]
# OpenVPN takes the host and the port as separate words, not host:port
remote [IP address or hostname] [port]
nobind
persist-key
persist-tun
tls-client
# Only accept a server certificate issued for TLS server use (server-cert has tls-server)
remote-cert-tls server
ca ca-cert.crt
cert client-cert.crt
key client-cert.key
# Username on the first line, password on the second (see step 2 below);
# the app may prompt for these instead of reading the file
auth-user-pass pass.txt
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-nocache

  1. Fill in the relevant information in the config file.
  2. Create a file called pass.txt. On the first line, write your username. On the second line, write your password.
  3. Copy client.ovpn, pass.txt, ca-cert.crt, client-cert.crt, and client-cert.key to your phone
  4. Download and install the OpenVPN Connect app
  5. Open the app and click the plus button at the bottom
  6. Click File at the top and navigate to the location of your files
  7. Import the VPN profile and connect to it
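As an added check that is not part of the original post, the script below reads a client .ovpn and compares it with the server settings this tutorial configures (mode, protocol, port, ciphers, auth). It flags NetworkManager keys and typos that OpenVPN would not understand, tun/tap and host:port mistakes, and a missing remote-cert-tls server. SERVER and the sample config are constructed to match this tutorial; change SERVER if your router differs.

```python
# Added example, not code from the original post or from MikroTik: lints a
# client .ovpn against the server settings used in this tutorial. SERVER is
# constructed to match the /interface ovpn-server command above.

KNOWN = {  # directives a client for this setup needs; anything else is reported
    "client", "dev", "dev-type", "proto", "remote", "port", "nobind",
    "persist-key", "persist-tun", "tls-client", "remote-cert-tls", "ca", "cert",
    "key", "verb", "mute", "cipher", "auth", "auth-nocache", "auth-user-pass",
}
SERVER = {  # assumed router side, as set on the OVPN server interface above
    "mode": "ip", "protocol": "udp", "port": 1194,
    "ciphers": {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC"}, "auth": {"SHA1"},
}


def parse_ovpn(text):
    """Return [(directive, [args]), ...], skipping blank and comment lines."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line and line[0] not in "#;":
            name, *args = line.split()
            entries.append((name, args))
    return entries


def lint_ovpn(text, server=SERVER):
    """Return a list of findings; an empty list means the client matches."""
    findings, opts = [], {}
    for name, args in parse_ovpn(text):
        opts.setdefault(name, []).append(args)
        if name not in KNOWN:  # NetworkManager keys, typos such as 'mut'
            findings.append(f"unrecognised directive '{name}'")
    want_dev = {"ip": "tun", "ethernet": "tap"}[server["mode"]]
    for key in ("dev", "dev-type"):
        for args in opts.get(key, []):
            if args and args[0] != want_dev:
                findings.append(f"{key} {args[0]} does not match server mode "
                                f"{server['mode']} (needs {want_dev})")
    for args in opts.get("proto", []):
        proto = args[0].rstrip("46") if args else ""   # udp4/udp6 -> udp
        proto = "tcp" if proto.startswith("tcp") else proto  # tcp-client -> tcp
        if args and proto != server["protocol"]:
            findings.append(f"proto {args[0]} does not match server protocol "
                            f"{server['protocol']}")
    # Port comes from 'port' or 'remote HOST PORT'; HOST:PORT is not OpenVPN
    # syntax and the whole string would be treated as the hostname.
    ports = [a[0] for a in opts.get("port", []) if a]
    for args in opts.get("remote", []):
        if args and ":" in args[0]:
            findings.append(f"remote {args[0]}: write 'remote HOST PORT'")
        elif len(args) >= 2:
            ports.append(args[1])
    for p in ports:
        if p.isdigit() and int(p) != server["port"]:
            findings.append(f"port {p} does not match server port {server['port']}")
    for key, allowed in (("cipher", server["ciphers"]), ("auth", server["auth"])):
        for args in opts.get(key, []):
            if args and args[0].upper() not in allowed:
                findings.append(f"{key} {args[0]} is not enabled on the server")
    # Without this a client accepts any CA-signed certificate (another client's,
    # say) as the server's; the tutorial's server-cert carries tls-server.
    if ["server"] not in opts.get("remote-cert-tls", []):
        findings.append("missing 'remote-cert-tls server'")
    return findings


# Constructed sample: the Android config above with its 'mut' typo,
# NetworkManager keys, 'dev-type tap' on an ip-mode server and HOST:PORT.
SAMPLE_BAD = """client
dev tun
proto udp
remote vpn.example.com:1194
mut 10
cipher AES-256-CBC
connection-type password-tls
dev-type tap
password-flags 1
username alice
"""
```

Run lint_ovpn(open("client.ovpn").read()) against your own file; each finding maps onto one of the questions in the troubleshooting checklist.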

Troubleshooting Connection Issues

Use the logs that you enabled earlier to help narrow down the causes of the issue.

No Logs

  • Did you configure your VPN client to use the correct protocol (TCP/UDP) and port number?
  • Is your firewall blocking the connection? Try using firewall logs/counters to trace down the issue, or temporarily disable the firewall if you feel comfortable doing so.

“Connection Established” logs, but no “<ovpn-username>: connected” logs

  • Does the MikroTik have the correct clock time? If not, you will need to set it and then regenerate your certificates.
  • Did you select the server-cert in the OpenVPN server interface?
  • Are you using the correct username and password?
  • Are you using the correct password for your client certificate?
  • Is your OpenVPN client using the correct cipher?
  • Are you seeing log messages that say “TLS failed” or “User authentication failed”?

Connected but unable to pass traffic

  • Does the network you are connecting from use the same IP address range as the VPN server?
  • If you are using a layer 2 VPN and get the error “could not add bridge port: device already added as bridge port”, you need to remove the entry from the bridge ports section for all interfaces
  • Try disabling and re-enabling spanning tree on the bridge

OneNote vs. Evernote vs. Dropbox Paper vs. Google Docs

OneNote, Evernote, Dropbox Paper, and Google Docs are four of the biggest note-taking programs. There are a ton more – Simplenote, Google Keep, and a lot I haven’t listed. However, I chose these four because they are very popular, sync across all of your devices, and support more formatting than others like Google Keep.

OneNote

OneNote is Microsoft’s note-taking program. If you like lots of features, such as password protection, advanced reviewing, drawing, built-in integration with Microsoft Excel, and a lot more, OneNote is definitely for you.

If you haven’t tried OneNote yet, OneNote is grouped into “notebooks” which have “sections”, which have “pages”. For instance, I have a School notebook, with a Math section, and then my notes from today are in a page.

One of the biggest reasons to choose OneNote is the equation editor. The equation editor lets you type equations, including, but not limited to, fractions, square/cubed/etc. roots, exponents, Pi, and a lot of other mathematical symbols.

Another big reason to choose OneNote is the built-in drawing feature. You can draw with your mouse, your finger (on touchscreen devices), or a pen (either a stylus on touchscreen devices or a special pen, like the ThinkPad Pen Pro, the Surface Pen, or the Apple Pencil). The drawing tool supports lasso selection, erasing, typing, a lot of different colors and thicknesses, highlighting, and shape drawing. It also supports Ink to Math, which lets you see your drawings automatically converted to equations.

Unfortunately, while OneNote supports a plethora of features, it does have some downsides, also. The biggest downside (for me) is the lack of equation editor support in the web version. You can view equations, but not create or edit new ones. The OneNote mobile app lets you edit equations, but I don’t think it lets you create new ones. This rules out OneNote for Chromebook users who want to use equations.

Another big downside is the large number of bugs in the OneNote equation editor. For instance, if you have a bunch of equations, one on each line, and press Shift+Home (select until the start of the current line), OneNote will select the entire group of equations. That is just one of the many bugs in the OneNote equation editor.

Another thing I dislike about OneNote is the inability to delete notebooks. Yes, you heard me right. There is no easy way to delete a notebook. You can “close” a notebook, but it will still be there; it will just not be synced (sunk?) with your computer. Something else I dislike about OneNote – you can’t crop images. At all. Whaaaat?

One last thing I dislike about OneNote: syncing. Microsoft just can’t seem to get real-time updating right. OneNote syncs automatically with the cloud, but you can’t see someone (or yourself) updating in real time like you can in other programs like Google Docs. This can be annoying and cause sync conflicts.

Overall, OneNote is a good choice if you want lots of features, but I would turn it down in favor of better programs.

Evernote

Evernote is one of the most popular note-taking programs out there. Evernote is very similar to OneNote in many ways. It is laid out the same way as OneNote, except you only have “Notebooks” and “Pages” – no “Sections”. The desktop version of Evernote supports quite a few features, although unfortunately, equations are not one of the included features.

Evernote includes quite a few useful features, such as note reminders, meeting notes, work chat, and tags. However, most of these features seem geared more towards large organizations than towards consumers.

Unfortunately, Evernote has quite a few downsides, the biggest being the price. Evernote is the only application in this article that you have to pay for – the other three are free, and I would probably choose one of them over Evernote. While Evernote has a nice user interface and has more features than Dropbox Paper, it does not have anywhere near as many features as OneNote, which is free. Because of the price, I would probably recommend one of the other three over Evernote.

Dropbox Paper

I love Dropbox Paper. Considering the fact that I’m currently writing this article in Dropbox Paper, I might be a bit biased, but Dropbox Paper is definitely very nice.

At first glance, Dropbox Paper looks very simple, and you might decline it in favor of one that seems to have more features. Dropbox Paper has quite a few useful features, although not quite as many as OneNote, Evernote, or Google Docs. I think Dropbox Paper is the perfect balance of simplicity and features.

One thing about Dropbox Paper is that it isn’t set up like OneNote and Evernote. Instead of notebooks/sections/pages, you create folders. You can nest as many folders as you want, or you could put a document in a folder but also have another folder in that folder. I like this a lot, because you can set it up however you want to.

Dropbox Paper supports semi-full formatting – bold, strikethrough, italics, highlighting (but only in blue), links, headers, bulleted and numbered lists (but no lettered lists… ???), checkboxes, and comments. That’s a full list of the formatting features, which seems pretty small at first, but is actually just the right amount.

Dropbox Paper also supports equations using LaTeX, which is very nice. Dropbox Paper makes it easy to write equations without confusion or glitches. One of my favorite things about Dropbox Paper is that when you click on an equation, it shows it in code form instead of the way OneNote or Google Docs do it (by trying to show it in equation format but making it editable, which is pretty terrible).

However, Dropbox Paper definitely could use a few more features, most notably drawing. I would use Dropbox Paper for my math notes, but unfortunately, I need to be able to draw, which Dropbox Paper doesn’t support.

Another downside of Dropbox Paper is that it doesn’t support offline editing/viewing on the desktop version (actually the web version; there is no desktop version).

Overall, I really like Dropbox Paper. If they added a few more features (cough drawing and more colors cough), it would be the perfect note-taking application.

Google Docs

If Google made a version of Google Docs that was more suited for note-taking – perhaps if they gave it a notebook/page structure like OneNote and Evernote – it would be my absolute favorite.

You might be wondering why I put Google Docs in here – isn’t Google Docs for documents, not notes? That’s correct, but I find Google Docs is actually pretty good (but not great) for note-taking. Google Docs has all the features I like in a note-taking program – full formatting, easy cloud integration, equations, and drawing. I find that you can use Google Docs pretty easily if you create a different document in place of each notebook/section.

Now that I’ve told you I put Google Docs in here, you might ask – why not Word? To which I answer: Word is not good at cloud integration. You can put a Word doc in your OneDrive/Google Drive/Dropbox/whatever and let it sync that way, but it’s not the same as turning off your laptop, turning on your desktop, and seeing the document there – no waiting for your OneDrive/Google Drive/Dropbox/whatever to sync, no browsing through folders: it’s just there.

However, Google Docs isn’t perfect. It wasn’t designed as a note-taking program, so there are a few things that can get annoying there – like the fact that if you fill up a whole 8.5 x 11 page, you’ll go onto the next page, whereas the other three don’t work like that. Another annoying thing about Google Docs is that all your docs go in your Google Drive root folder. You can’t set a default location; you just have to remember to tell Google Docs to save your document in a different Google Drive location.

Round Up

  1. Dropbox Paper
  2. Google Docs
  3. OneNote
  4. Evernote

Dropbox Paper is my favorite note-taking program by far. It’s the perfect mix of simple but powerful.

Google Docs is my second favorite. It supports all the features I want – Chromebook support, equations, drawing, and a lot more. It would get first place if they built a version with a structure like OneNote or Evernote.

OneNote is my third favorite. It supports a lot of features, so it’s very unlikely that you’ll be like “Aw, I wish it had that”.

Evernote is my fourth favorite. Evernote has a nice user interface, but it is expensive and doesn’t do anything special.

Would You Pay $3 Million for 1GB of Data?

Pay-as-you-go phone plans sound pretty nice. You only pay for how many minutes you call, how many text messages you send, and how much data you use. The text message fees (usually $0.20/message) are a bit high, but not too unreasonable. Until you do the math:

Text messages are limited to 160 characters. The average text message is probably around 80-90 characters. SMS messages use 7-bit characters. Therefore, the average text message is around 595 bits, or 74 bytes. You are paying $0.20/74 bytes, or $0.003/byte. We can then multiply that by 1,073,741,824 (how many bytes in a gigabyte) to get $2,902,004 / 1 gigabyte.

How to Set Up a Drive in a Windows PC as Network Storage

My server has a 4TB drive that I use for video archival and media storage. I have been using FileZilla Server to access the files stored on there, but I have been searching for a more seamless way to access the storage on the server for months and haven’t been able to find anything! I finally figured out how to do it, so I thought it might be a good idea to write up a tutorial on how to do it.

Step 1

Allow network discovery and file sharing on both the client and server computers. I’m not sure if you need a FileZilla server to be running on the server computer. If this tutorial doesn’t work without FileZilla, setup FileZilla Server and then try it again.

Step 2

On the server computer, use the net share command (from a command prompt run as administrator) to choose which folders/drives are shared with the network.

Syntax:

net share Name=C:\Path
net share Name /delete

Step 3

On the client computer, right click on This PC and click “Map network drive”. Choose a drive letter and, under Folder, type the following (Name is the share name you chose with net share in Step 2):

\\Computer-Name\Name

Windows might ask you for credentials. If it does, type in the following:

Username (substitute NAME for your Windows username on the server computer): Computer-Name\NAME
Password: The password you type in to login to the server computer.

Step 4 (optional)

If you want, right click on the network drive(s) you mounted and rename them to something you like. 

How to Schedule Zipped Backups of a Folder on Windows

I own and operate a public Minecraft server and one of the things I struggle with is backups. I want to make sure that if the server gets griefed or hacked, my house burns down, or my hard drive dies, my world is still safe. Here is a tutorial on how to build a batch file that will copy and zip those files and move them to Google Drive to be synced to the cloud.

Create a file with the extension “.bat” (I called mine “backup.bat”) and open it with your preferred text editing software (I used Notepad).

On the first line, type the following:

@echo off

This means to not display every command that is being run in the command prompt window.

Now, create a directory on your hard drive. I used the directory “D:\tmp.backup” but you can use anything that works for you. This is where your batch file and temporary files will be stored.

On the next line in your batch file, type the text below, replacing my directory with your directory.

cd /d D:\tmp.backup

This tells the program where to look for and place the temporary files. The /d switch also switches to that drive; a plain cd does not change the current drive, and Task Scheduler starts batch files in C:\Windows\System32 unless you set a “Start in” folder.

Now, type this code, replacing the first path in quotes with the directory you want to copy, and the second path in quotes with your temporary directory, but add a backslash and the name of the folder you are copying.

echo d | xcopy "DIRECTORY TO COPY" "TEMPORARY DIRECTORY\FOLDER NAME"

If the directory you are copying has subfolders, add a new line for each of those subdirectories.

echo d | xcopy "DIRECTORY TO COPY\SUBDIRECTORY" "TEMPORARY DIRECTORY\FOLDER NAME\SUBFOLDER"

The next two lines put the current hour, zero-padded to two digits, into the hr variable so that it can be used in the file name (the file names below use only the date).

set hr=%time:~0,2%
if "%hr:~0,1%" equ " " set hr=0%hr:~1,1%

If you do not want the timestamp, do not add these lines to your batch file.

Go to http://www.7-zip.org/download.html and click the download that says “7-Zip Command Line Version”. Copy the executable file out of the downloaded zip folder and put it in your temporary directory. The code for zipping the folder will not work unless you download this!

7za a -tzip FOLDERNAME_%date:~-4,4%_%date:~-10,2%_%date:~-7,2%.zip "FOLDERNAME"

Use this code if you want the timestamp. The name of the zip folder will look something like “FOLDERNAME_2017_02_20.zip”.

If you do not want the timestamp, use this code:

7za a -tzip "FOLDERNAME.zip" "FOLDERNAME"

Paste the below code in your batch file to copy the zipped directory to Google Drive, or whatever backup service you are using.

echo yes | xcopy FOLDERNAME_%date:~-4,4%_%date:~-10,2%_%date:~-7,2%.zip "FOLDER-IN-BACKUP-SERVICE\FOLDERNAME"

If you didn’t use the timestamp, use this code:

echo yes | xcopy FOLDERNAME.zip "FOLDER-IN-BACKUP-SERVICE\FOLDERNAME"

Now, use this code to delete the zipped folder that still remains in the temporary folder.

echo yes | del FOLDERNAME_%date:~-4,4%_%date:~-10,2%_%date:~-7,2%.zip

Again, if you didn’t use the timestamp, use this code:

echo yes | del FOLDERNAME.zip

Use this code to delete the copy of the folder in the temporary directory.

echo yes | rmdir /s "TEMPORARY DIRECTORY\FOLDER NAME"

Last but not least, type the word ‘pause’ on the last line. This tells Windows not to close the window after it finishes.

pause

Here is a copy of the code file with the timestamps:

@echo off
rem Work in the temporary directory; /d also switches drive if needed
cd /d "TEMPORARY DIRECTORY"

rem Copy the folder and each of its subfolders into the temporary directory
echo d | xcopy "PATH OF FOLDER TO COPY" "TEMPORARY DIRECTORY\NAME OF FOLDER TO COPY"
echo d | xcopy "PATH OF FOLDER TO COPY\SUBDIRECTORY" "TEMPORARY DIRECTORY\NAME OF FOLDER TO COPY\SUBDIRECTORY"

rem Two-digit hour in %hr% (the zip name below uses only the date; add %hr% if you want the time too)
set hr=%time:~0,2%
if "%hr:~0,1%" equ " " set hr=0%hr:~1,1%

rem Zip the copy with today's date in the file name (needs 7za.exe here or on the PATH)
7za a -tzip FOLDERNAME_%date:~-4,4%_%date:~-10,2%_%date:~-7,2%.zip "FOLDER NAME"

rem Copy the zip into the folder your backup service syncs
echo yes | xcopy FOLDERNAME_%date:~-4,4%_%date:~-10,2%_%date:~-7,2%.zip "FOLDER IN BACKUP SERVICE"

rem Clean up the local zip and the temporary copy
echo yes | del FOLDERNAME_%date:~-4,4%_%date:~-10,2%_%date:~-7,2%.zip

echo yes | rmdir /s "TEMPORARY DIRECTORY\FOLDER NAME"

pause

Here is a copy without the timestamps:

@echo off
rem Work in the temporary directory; /d also switches drive if needed
cd /d "TEMPORARY DIRECTORY"

rem Copy the folder and each of its subfolders into the temporary directory
echo d | xcopy "PATH OF FOLDER TO COPY" "TEMPORARY DIRECTORY\NAME OF FOLDER TO COPY"
echo d | xcopy "PATH OF FOLDER TO COPY\SUBDIRECTORY" "TEMPORARY DIRECTORY\NAME OF FOLDER TO COPY\SUBDIRECTORY"

rem Zip the copy (needs 7za.exe here or on the PATH)
7za a -tzip FOLDERNAME.zip "FOLDER NAME"

rem Copy the zip into the folder your backup service syncs
echo yes | xcopy FOLDERNAME.zip "FOLDER IN BACKUP SERVICE"

rem Clean up the local zip and the temporary copy
echo yes | del FOLDERNAME.zip

echo yes | rmdir /s "TEMPORARY DIRECTORY\FOLDER NAME"

pause

Now, open Task Scheduler and click “Create Basic Task” on the left. Type in a name and description, and choose how often you want the backup to happen.

When you get to Action, click “Start a program”. Click Browse, and find your batch file. Click Next and Finish. Enjoy your backups!
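The same procedure in Python, as an added example that is not the post's batch file: copy the folder, zip it as FOLDERNAME_YYYY_MM_DD.zip, move the zip into the synced folder and clean up, plus the one step the batch file skips: the archive is tested and hashed before the temporary copy is deleted. All paths are parameters; none of them are real.

```python
# Added example, not the original post's batch file. Mirrors its steps (xcopy,
# 7za, xcopy, del, rmdir) and adds an integrity check before any deletion.
import datetime
import hashlib
import os
import shutil
import zipfile


def archive_name(folder_name, day):
    """Same name the batch file builds from %date%, e.g. world_2017_02_20.zip."""
    return f"{folder_name}_{day:%Y_%m_%d}.zip"


def sha256_of(path):
    """Hex SHA-256 of a file; keep it so a truncated or altered copy shows up."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_folder(src, tmp_dir, backup_dir, day=None):
    """Zip src via tmp_dir into backup_dir; return (archive path, sha256)."""
    day = day or datetime.date.today()
    name = os.path.basename(os.path.normpath(src))
    os.makedirs(tmp_dir, exist_ok=True)
    os.makedirs(backup_dir, exist_ok=True)
    staging = os.path.join(tmp_dir, name)
    if os.path.exists(staging):        # leftover from an interrupted run
        shutil.rmtree(staging)
    shutil.copytree(src, staging)      # the xcopy steps, subfolders included
    zip_path = os.path.join(tmp_dir, archive_name(name, day))
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(staging):
            for fname in files:
                full = os.path.join(root, fname)
                zf.write(full, os.path.relpath(full, tmp_dir))
    # Check every member's CRC before deleting anything: a corrupt backup is
    # otherwise only discovered on the day you need it.
    with zipfile.ZipFile(zip_path) as zf:
        bad = zf.testzip()
    if bad is not None:
        raise RuntimeError(f"corrupt member {bad!r} in {zip_path}")
    dest = os.path.join(backup_dir, os.path.basename(zip_path))
    shutil.move(zip_path, dest)        # the xcopy + del pair
    shutil.rmtree(staging)             # the rmdir /s step
    return dest, sha256_of(dest)
```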