Looking to manage your MikroTik routers remotely, or having difficulty reaching devices behind a customer's firewall? Here is a really neat approach: each device phones home over OpenVPN to a RouterOS Cloud Hosted Router (CHR) instance on AWS, which aggregates all of them on one management network.

First, we will start with the server-side configuration. It assumes the following:

  • You have a server-side device with a basic configuration in place (management access, a public address, and TCP port 1194 reachable from the internet, since OpenVPN on RouterOS v6 is TCP only), which can be any of the following:
    • An AWS EC2 RouterOS Cloud Hosted Router (CHR) instance.
    • A RouterOS Cloud Hosted Router (CHR) instance on another x86 platform.
    • A dedicated RouterBoard device with L5-L6 license and Static Public IP.
    • A dedicated RouterBoard device with L5-L6 license and Public IP + DDNS.

The MikroTik Cloud Management Server Configuration

#Create self-signed certificates for OpenVPN
#The CA signs one server certificate and one certificate per client; the
#client certificates are only needed once you enable client-certificate
#authentication on the server (see the note below this block)
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=server
add name=client1-template common-name=client1
add name=client2-template common-name=client2
/certificate
sign ca-template ca-crl-host=YOURHOSTORIPADDRESS name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2
#Create OpenVPN Bridge (the bridge= setting in the PPP profiles only takes
#effect for clients connecting in mode=ethernet)
/interface bridge
add arp=proxy-arp fast-forward=no name=ovpn-bridge
#Set ether1 to Proxy-ARP
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
#Add IP addresses for Core Devices & Customer Routers (two /20s, 4094 hosts each)
/ip address
add address=172.16.112.1/20 interface=ovpn-bridge network=172.16.112.0
add address=172.16.128.1/20 interface=ovpn-bridge network=172.16.128.0
#Create IP pools for core & client devices (one address per connected client)
/ip pool
add name=ovpn-pool1 ranges=172.16.112.10-172.16.127.253
add name=ovpn-pool2 ranges=172.16.128.10-172.16.143.253
#Create PPP profiles for Customer Routers & Core Devices
#local-address is the server end of every tunnel and is the source address
#the CHR uses when it manages a client, so it must be the address the client
#firewall rules whitelist (172.16.112.1), not an address drawn from a pool
/ppp profile
add bridge=ovpn-bridge local-address=172.16.112.1 name=customer-routers remote-address=ovpn-pool1 use-encryption=yes
add bridge=ovpn-bridge local-address=172.16.112.1 name=core-devices remote-address=ovpn-pool2 use-encryption=yes
#Enable OpenVPN Server (TCP/1194). It presents the server certificate signed
#by myCa, not the CA certificate itself
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes128 default-profile=customer-routers enabled=yes

Two caveats on this server configuration. First, the client script further down connects with certificate=none and does not verify the server's certificate, so the only thing authenticating either end of the tunnel is the username and password sent inside the TLS session; anyone who can redirect YOUR.CLOUDROUTER.HOSTNAME to their own host can collect those credentials. To close that gap, export myCa, import it on each client and set verify-server-certificate=yes on the ovpn-client, and once every device carries its own client certificate (client1, client2, ...) set require-client-certificate=yes on the server. Second, sha1 is the strongest HMAC the RouterOS v6 OpenVPN server offers (newer releases add sha256 and sha512), but aes256 is available alongside aes128 at little cost; whatever you choose, auth and cipher must match on the client side.

Create the Individual OpenVPN Remote Access Users

The following values need to be replaced:

  • DEVICEUSERNAME – By default the client configuration script uses the device's RouterBoard serial number as the username, so each device needs its own /ppp secret, added here on the command line or in Winbox. You can choose another naming scheme, as long as every username is unique.
  • DEVICEACCESSKEY – Either one key per device or one key shared by every device. A shared key is faster to roll out, but it then sits in the exported configuration of every router in the field, and one compromised or resold device gives away VPN access for all of them (serial numbers are not secret); a unique key per device limits the damage to that device and lets you revoke it on its own.
#Create OpenVPN users
#The secret's profile overrides the server's default-profile: use core-devices
#for your own infrastructure and customer-routers for customer devices.
#Quote the password if it contains spaces or special characters
/ppp secret
add name=DEVICEUSERNAME password=DEVICEACCESSKEY profile=core-devices service=ovpn


The MikroTik Cloud Management Client Configuration

The following values need to be replaced:

  • SUPERLONGTOUGHTOCRACKKEY – The DEVICEACCESSKEY created for this device on the server, either its own key or the shared one (see the note on shared keys above).
  • YOUR.CLOUDROUTER.HOSTNAME – The hostname or IP address your client devices phone home to. It must resolve to the server's public address, and TCP/1194 must be reachable from the client's network.

This script assumes the following:

  • $systemhostname – The username for access to the cloud management VPN is read from the RouterBoard serial number when the script runs, so it only works on RouterBoard hardware (a CHR or x86 client has no serial number and needs the username set explicitly). If you'd prefer more human-readable names you can remove the local value binding and set your own username. I 100% recommend each username be unique and standardized. After having deployed ~1,000 devices I certainly am thankful they are.
#Setup Remote Access OVPN Client
#Read the serial number straight into the variable; wrapping it in :put
#would print it and leave the variable empty
:local systemhostname [/system routerboard get serial-number]

/terminal style none;
#The same commands apply on RouterOS 6 and 7
/ppp profile add name=remote-backend use-encryption=yes;
/interface ovpn-client add name=remote-backend port=1194 mode=ip \
user=$systemhostname password=SUPERLONGTOUGHTOCRACKKEY \
profile=remote-backend certificate=none auth=sha1 \
cipher=aes128 connect-to=YOUR.CLOUDROUTER.HOSTNAME;

#Setup Remote Access OVPN Firewall Rules
#Both rules go to the top of the input chain (the second add lands above the
#first). Only the server's tunnel address may reach the API (8728), SSH (22)
#and telnet (23) over the tunnel; remove 23 unless you really use telnet and
#add 8291 if you manage with Winbox. Nothing else arriving on the tunnel is
#accepted unless a later rule allows it
/ip firewall filter add src-address=172.16.112.1 dst-port=8728,22,23 chain=input protocol=tcp \
action=accept in-interface=remote-backend place-before=0;
/ip firewall filter add chain=input in-interface=remote-backend connection-state=established,related \
action=accept place-before=0;
/terminal style none;

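Keeping one secret per device is only painful if you hand-type them. The following Python helper is an added example, not code from the original post: from a list of RouterBoard serial numbers it produces the server-side /ppp secret block and one client script per device, each with its own random key and a guard that refuses to run on a router with a different serial. The serial number format, the key encoding and the helper names are assumptions; the addresses, ports and OpenVPN settings are the ones used in the two scripts above.

```python
"""Provisioning helper for the OpenVPN management setup above.

Added example, not part of the original post. Emits the server-side
/ppp secret entries and a per-device client script, with a unique key
for every RouterBoard so that no two devices share a credential.

Assumptions (not from the post): serial numbers are 8-16 alphanumeric
characters, keys are URL-safe base64 from the secrets module, and the
client whitelists the server tunnel address 172.16.112.1.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, List

SERVER_HOSTNAME = "YOUR.CLOUDROUTER.HOSTNAME"  # placeholder from the post
SERVER_LOCAL_ADDRESS = "172.16.112.1"          # address the client firewall rule trusts
SERVER_PROFILE = "core-devices"                # or customer-routers for customer devices
MGMT_PORTS = "8728,22"                         # API and SSH; telnet (23) deliberately left out

# Assumed serial format; the post does not specify one.
SERIAL_RE = re.compile(r"^[0-9A-Z]{8,16}$")
# Characters that paste into a RouterOS double-quoted string without escaping
# (no quote, backslash or $, which RouterOS would try to expand as a variable).
SAFE_KEY_RE = re.compile(r"^[A-Za-z0-9_-]{20,}$")


@dataclass(frozen=True)
class Device:
    serial: str  # also the VPN username
    key: str     # this device's DEVICEACCESSKEY / SUPERLONGTOUGHTOCRACKKEY


def new_key(nbytes: int = 32) -> str:
    """256-bit random key as URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def provision(serials: Iterable[str], keygen: Callable[[], str] = new_key) -> List[Device]:
    """Normalise and validate serials, reject duplicates, give each device its own key."""
    seen = set()
    devices = []
    for raw in serials:
        serial = raw.strip().upper()
        if not SERIAL_RE.match(serial):
            raise ValueError(f"unexpected serial number format: {raw!r}")
        if serial in seen:
            raise ValueError(f"duplicate serial number: {serial}")
        seen.add(serial)
        key = keygen()
        if not SAFE_KEY_RE.match(key):
            raise ValueError("key contains characters that need RouterOS escaping")
        devices.append(Device(serial, key))
    return devices


def server_secrets(devices: List[Device]) -> str:
    """The /ppp secret block to paste into the CHR: one secret per device."""
    lines = ["/ppp secret"]
    for d in devices:
        lines.append(f'add name={d.serial} password="{d.key}" profile={SERVER_PROFILE} service=ovpn')
    return "\n".join(lines)


def client_script(device: Device) -> str:
    """Per-device client script. The :if guard aborts on a router whose serial
    differs, so a script generated for one device cannot be pasted into another."""
    return "\n".join([
        f':if ([/system routerboard get serial-number] != "{device.serial}") do={{',
        f'  :error "this script is for serial {device.serial}";',
        "}",
        "/ppp profile add name=remote-backend use-encryption=yes;",
        "/interface ovpn-client add name=remote-backend port=1194 mode=ip \\",
        f'  user={device.serial} password="{device.key}" \\',
        "  profile=remote-backend certificate=none auth=sha1 \\",
        f"  cipher=aes128 connect-to={SERVER_HOSTNAME};",
        "/ip firewall filter add chain=input in-interface=remote-backend \\",
        "  connection-state=established,related action=accept place-before=0;",
        f"/ip firewall filter add chain=input in-interface=remote-backend src-address={SERVER_LOCAL_ADDRESS} \\",
        f"  protocol=tcp dst-port={MGMT_PORTS} action=accept place-before=0;",
    ])


if __name__ == "__main__":
    # Constructed sample serials; replace with your inventory list.
    fleet = provision(["4A1E05A2B3C4", "4A1E05A2B3C5"])
    print(server_secrets(fleet))
    for dev in fleet:
        print(f"\n# --- client script for {dev.serial} ---")
        print(client_script(dev))
```

Run it once against your inventory, paste the first output into the CHR and each client script into the matching router. Because the username is baked in rather than read at run time, the same generator also works for CHR or x86 clients that have no RouterBoard serial, as long as you feed it whatever unique identifier you use for them.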

There are still aspects of this script that I am fine tuning but the principle works. I’m definitely open to improving this so please comment if you have suggestions or trouble implementing.