OpenVPN Windows Client with MikroTik

In a previous tutorial, we discussed the configuration of an OpenVPN Server on a Mikrotik hAP ac³ router and successfully tested the OpenVPN client configuration on Debian. Building on that, we will explore the process of installing and configuring the OpenVPN client on Windows 10.

Configuring the OpenVPN client on Windows 10 is a relatively simple process that involves installing the client software, modifying the configuration file, and initiating a connection to the OpenVPN server. With this tutorial, we hope to have provided a clear understanding of the process involved in setting up the OpenVPN client on Windows 10.

Our OpenVPN server is currently running on Mikrotik RouterOS version 7.7. It is important to note that since RouterOS version 7.1, Mikrotik has started supporting UDP for OpenVPN servers. As a result, we will switch from TCP to UDP in the OpenVPN config file, and make other changes necessary to configure the OpenVPN client on Windows.

1. Download OpenVPN and Install OpenVPN Client for Windows

The OpenVPN client software for Windows is available for download from the official OpenVPN website. Once the client software is downloaded, we can proceed with the installation process, which is straightforward.

Figure 1 - OpenVPN-2.6.0-1005-amd64 Installed

After the OpenVPN client installation, make sure that the TAP Virtual Ethernet Adapter has been installed. If it was installed successfully, you will find a new network adapter named TAP-Windows Adapter in the Network Connections window.

Press Win + X, select Network Connections, and click "Change adapter options".

Figure 2 - TAP-Windows Adapter Presented After OpenVPN Client Installation

2. OpenVPN Client Configuration

Once the installation is complete, we can proceed with configuring the OpenVPN client. Edit the server address and port in the configuration file and copy the following files to C:\Program Files\OpenVPN\config:

Figure 3 - OpenVPN Client Config Directory

I have created a configuration file, client.ovpn, that can be modified according to your specific needs. After modifying the configuration file, we can start the OpenVPN client software and import the modified configuration file. Once the configuration is imported, we can initiate a secure connection to the OpenVPN server.

To initiate the connection, we right-click on the OpenVPN Server GUI icon in the panel and select "Connect." This will prompt us to enter our login and password details (as shown in Figure 4).

Figure 4 - Connecting to OpenVPN Server from Windows

Once we have entered the login and password details, the OpenVPN client will establish a connection to the OpenVPN server. During this process, we will be prompted to enter the password protecting the private key that belongs to client.crt. This is a security measure to ensure that only authorized users can access the OpenVPN server.

2.1 TLS handshake Error

It is important to note that we must use the line "data-ciphers AES-256-CBC" to ensure that we do not encounter any issues when connecting to the OpenVPN server on Mikrotik.

data-ciphers AES-256-CBC

During my testing, I found that this parameter is required specifically for the OpenVPN client on Windows. The OpenVPN client on Linux does not require this parameter to connect to the OpenVPN server on Mikrotik.

By ensuring that the configuration file includes the "data-ciphers AES-256-CBC" line, we prevent the "TLS key negotiation failed - TLS handshake failed" error.

2.2 Credentials

If you would like to avoid the inconvenience of typing in your username and password every time you start up the OpenVPN client, you can create a file called "secret.cfg" and place it in the directory C:\Program Files\OpenVPN\config. Then, you can add the following line to the client.ovpn configuration file:

auth-user-pass secret.cfg

By doing this, the OpenVPN client will read your login credentials from the secret.cfg file and automatically enter them when you initiate a connection to the OpenVPN server. This can save time and hassle, especially if you need to connect to the OpenVPN server frequently.

2.3 Routing

Once we establish a tunnel, the OpenVPN server assigns an IP address from the subnet 192.168.100.0/24 to the interface OpenVPN TAP-Windows6 on the Windows client (Figure 5). However, to access the clients and Mikrotik IP 192.168.88.1 on the LAN subnet 192.168.88.0/24, we need to set up a route. There are two ways to achieve this.

Figure 5 - IP Address for OpenVPN TAP-Windows6 Interface Assigned from OpenVPN Server

2.3.1 Default Route 0.0.0.0 128.0.0.0

The first method involves using the "redirect-gateway def1" option in the OpenVPN config file, which pushes the default route 0.0.0.0 128.0.0.0 via 192.168.100.1 to the client. This routes all Windows traffic through Mikrotik, enabling access to hosts on the LAN subnet 192.168.88.0/24. However, it also means that the client's Internet traffic is routed through Mikrotik (as shown in Figure 6).

To view the current routing table on Windows, we can use the command "route PRINT".

> route PRINT

Figure 6 - Windows Routing Table with a Default Route Received from OpenVPN Server

Note: The OpenVPN default route 0.0.0.0 128.0.0.0 is more specific than the standard default route, so it is used in preference. We therefore neither have to delete the existing default route nor play games with routing metrics to get our OpenVPN route preferred [1].

2.3.2 Specific route 192.168.88.0/24

Alternatively, if we want to reach clients on the LAN subnet 192.168.88.0/24 without routing Internet traffic through Mikrotik, we need to comment out the "redirect-gateway def1" line in the OpenVPN config. Use either the ";" or the "#" character to do so. We also need to add a specific route for the LAN subnet by including the following line in the config file:

route 192.168.88.0 255.255.255.0 192.168.100.1

This ensures that the route 192.168.88.0/24 is added to the client's routing table (as shown in Figure 7), allowing access to clients on the LAN subnet while still preserving the default Internet route.
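Putting sections 2.1 to 2.3 together, this is an assumed client.ovpn for the setup described in this tutorial; it is an added example, not the author's own file. The server name vpn.example.com, the port 1194 and the certificate file names are placeholders to replace with your own values.

```conf
# client.ovpn - added example profile for the MikroTik OpenVPN server.
# vpn.example.com, 1194 and the file names below are assumptions to replace.
client
# use "dev tap" instead if the RouterOS server runs in ethernet mode
dev tun
# RouterOS 7.1 and later accept UDP; older versions only speak TCP
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3

# certificate files placed next to this profile in C:\Program Files\OpenVPN\config;
# client.key keeps its passphrase, so the passphrase prompt from section 2 stays
ca ca.crt
cert client.crt
key client.key

# section 2.2: secret.cfg holds the username on line 1 and the password on line 2
auth-user-pass secret.cfg

# section 2.1: required by the Windows client, otherwise the TLS handshake fails
data-ciphers AES-256-CBC

# section 2.3: keep exactly one of the two routing options active.
# 2.3.1 - everything, Internet included, goes through the MikroTik
;redirect-gateway def1
# 2.3.2 - only the LAN behind the router; the default Internet route stays untouched
route 192.168.88.0 255.255.255.0 192.168.100.1
```

Because secret.cfg stores the password in clear text, restrict its NTFS permissions to SYSTEM and the account that runs the OpenVPN GUI, and check the adapter binding with "route PRINT" after the first connection.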

> route PRINT

Figure 7 - Windows Routing Table with a Default Route Received from OpenVPN Server
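To make the note in 2.3.1 concrete, the following Python script (an added example, not part of the tutorial) models the Windows routing table for both options in section 2.3 and resolves destinations by longest-prefix match. It goes one step beyond the text: OpenVPN's def1 flag installs both halves, 0.0.0.0/1 and 128.0.0.0/1, and the script checks that together they cover exactly 0.0.0.0/0. The local gateway 192.168.1.1 and LAN 192.168.1.0/24 are constructed values.

```python
import ipaddress

# Constructed routing tables for the two options in section 2.3. Entries are
# (destination network, next hop). 192.168.100.1 is the MikroTik end of the
# tunnel from the tutorial; 192.168.1.1 / 192.168.1.0/24 are assumed local values.
LOCAL_GATEWAY = "192.168.1.1"
VPN_GATEWAY = "192.168.100.1"

BASE_ROUTES = [
    ("0.0.0.0/0", LOCAL_GATEWAY),        # Windows' own default route, left untouched
    ("192.168.1.0/24", "on-link"),       # assumed local LAN
    ("192.168.100.0/24", "on-link"),     # OpenVPN TAP-Windows6 tunnel subnet
]

# 2.3.1: "redirect-gateway def1" adds two /1 routes via the tunnel instead of
# replacing 0.0.0.0/0, which is why the original default route can stay.
DEF1_ROUTES = BASE_ROUTES + [
    ("0.0.0.0/1", VPN_GATEWAY),
    ("128.0.0.0/1", VPN_GATEWAY),
]

# 2.3.2: only "route 192.168.88.0 255.255.255.0 192.168.100.1" is added.
SPECIFIC_ROUTES = BASE_ROUTES + [
    ("192.168.88.0/24", VPN_GATEWAY),
]


def next_hop(table, destination):
    """Return the next hop chosen by longest-prefix match, the rule applied
    before any metric comparison (so no metric games are needed)."""
    addr = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for net, hop in table:
        network = ipaddress.ip_network(net)
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_hop = network, hop
    return best_hop


def def1_covers_everything():
    """The two /1 halves collapse to exactly 0.0.0.0/0: no destination is left
    without a tunnel route when def1 is used."""
    halves = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]
    return list(ipaddress.collapse_addresses(halves)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    for name, table in (("def1", DEF1_ROUTES), ("specific", SPECIFIC_ROUTES)):
        for dst in ("8.8.8.8", "192.168.88.1", "192.168.1.5"):
            print(f"{name:8s} {dst:14s} -> {next_hop(table, dst)}")
    print("def1 halves cover all of IPv4:", def1_covers_everything())
```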

Conclusion

In conclusion, configuring an OpenVPN client on Windows 10 to connect to an OpenVPN server running on a MikroTik router can be a useful way to remotely access resources on a local network. With the modifications to the configuration file discussed in this tutorial, users can establish a secure connection and access resources on the network without compromising their privacy or security.

The ability to set up specific routes depending on the user's needs also allows for greater flexibility and control over the network traffic. Overall, by following the steps outlined in this tutorial, users can successfully set up and use an OpenVPN client on Windows 10 to connect to an OpenVPN server on a MikroTik router.

5 thoughts on “OpenVPN Windows Client with MikroTik”

  1. Hello, I think you can add the route config to the server instead of adding the route in the client, so the server pushes the route to the client. I don't know how to do this on MikroTik but I have done it with another router. For an easier client config you can also provide the cert files within the ovpn file, with some tags. Like this one:

    client
    dev tun0
    proto udp
    remote hostname 1194
    float
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    verb 3

    -----BEGIN CERTIFICATE-----
    MIIDsjCCApqgAwIBAgIJAL5nDmbK6RtCMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV
    ...

    -----BEGIN CERTIFICATE-----
    MIID8TCCAtmgAwIBAgIJAL5nDmbK6RtEMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNV
    ...

    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAxM/xIRhR3+YOawuqYRpGhz/2171NxXFG4w60SCmAtL2nxLln
    ...

  2. I followed your setup but keep getting a "Peer Certificate verification failure".

    What would cause this?

    1. Sorry
      This forum just deletes the tags that should also be there.
      I don't know how to add the tag characters "less than" and "greater than" to this forum.
      But let's say you have to add a line before BEGIN with just "(ca)" and end with a line with "(/ca)" for the first -----BEGIN CERTIFICATE-----,
      and for the second you have (cert) and add (/cert) at the end of the block.
      And the last block (key) and end with (/key).

      So you have to replace the left and the right parentheses with less-than and greater-than characters.
      Like this, without parentheses and with less-than and greater-than characters:
      (ca)
      -----BEGIN CERTIFICATE-----
      MIIDujCCAqKgAwIBAgIJAJSnnNKBlPk1MA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNV
      BAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xDzANBgNVBAoMBlRvcnBldDELMAkG
      ...
      (/ca)

  3. And for more fun, if you are using NetworkManager you can install it with
    sudo apt-get install network-manager-openvpn, and having the CA cert, client cert, and the key in the ovpn file, NetworkManager creates all the files for you in your system when importing the file while creating the VPN connection.
    So it's very simple with just one file, and if you are using OpenVPN on the phone, you only need to transfer one file over. And this is also supported in other clients, like Windows as well.

  4. 0.0.0.0 128.0.0.0 ?
    Don't you need to push also 128.0.0.0 128.0.0.0 in order to reach the other half of Internet ? :)
