Step 1 - Configure Mikrotik router
The best guide I’ve found is here
Note: You should correct all values: Location, usernames, etc. to values relevant to your install.
You need three sections of this guide:
- Setup OpenVPN server and generate certificates
  NOTE: Use this INSTEAD OF the command in the link above:
  /interface ovpn-server server
  set auth=sha1 certificate="server@$CN" cipher=aes256 \
  default-profile=OVPN-Profile enabled=yes keepalive-timeout=60 \
  max-mtu=1450 require-client-certificate=yes
- Add a new user
- Decrypt private key to avoid password asking
You need OpenSSL to decrypt the client key file. If needed, you can find binaries here.
Step 2 - Configure UCM
Add the subnet offered to OVPN clients (in scripts linked above, it’s 192.168.68.0/24, but correct to your environment) in the UCM:
- WebUI->PBX Settings->SIP Settings->NAT->Local Network Address
- WebUI->Value-added Features->Zero Config->Zero Config Settings->Subnet Whitelist
Step 3 - Configure phone
WebUI->Network->OpenVPN Settings:
- OpenVPN Server Address: [External IP of the Mikrotik router]
- OpenVPN Transport: TCP
- OpenVPN Cipher Method: AES-256
- OpenVPN Username: [username used in Step1]
- OpenVPN Password: [password used in Step1]
- OpenVPN Comp-lzo: NO
Upload the three certificate files you created in Step 1. NOTE: Upload ONLY the decrypted key.
- OpenVPN CA Certificate
- OpenVPN Client Certificate
- OpenVPN Client Key (decrypted version)
- Additional Options:
  route 192.168.x.0 255.255.255.0
  NOTE: This is the internal subnet and mask of the UCM. Change to your values.
- Save And Apply
WebUI->Account1->Basic Settings
Configure this page as you would any normal extension in your environment.
Use the internal IP of the UCM as the SIP Server.
WebUI->Account1->Network Settings
- NAT Traversal: VPN
REBOOT the phone. OpenVPN changes don’t take effect until reboot.
NOTES:
- Mikrotik router uses TCP encapsulation for OVPN. You MUST use TCP on the phone.
- If cipher allows multiple encryption types, the connection will establish, but won’t work. Pick one and make that the only option for both server and client.
- The phone’s OpenVPN Additional Options route is necessary to get the phone to push traffic through the tunnel. In my opinion, it shouldn’t be… but, whatever it takes!
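The script below is an added example, not code from the original post or from Mikrotik, Grandstream or the UCM. It runs the three checks that Step 3 and the notes above call out before anything is uploaded to the phone: that the client key is really decrypted (the phone cannot prompt for a passphrase), that the Additional Options route line is a valid network/mask pair, and that the RouterOS ovpn-server is pinned to exactly one cipher that matches the phone's cipher setting. The PEM key bodies and the router line used as input are constructed stand-ins; the `openssl rsa -in client.key -out client-dec.key` command named in a comment is the usual way to strip the passphrase and is stated as general knowledge, not something the post specifies.

```python
"""Pre-flight checks for the OpenVPN material described in Steps 1 and 3.

Added example, not part of the original post or of any Mikrotik, Grandstream
or UCM tooling.  All sample inputs below are constructed stand-ins, not real
key material or a real router configuration.
"""
import base64
import ipaddress
import re

# --- 1. Is the PEM private key still passphrase-protected? -------------------
# The phone cannot prompt for a passphrase, so an encrypted key fails at tunnel
# start.  Both PEM encodings are recognised: the PKCS#8 "ENCRYPTED PRIVATE KEY"
# wrapper and the legacy PKCS#1 "Proc-Type: 4,ENCRYPTED" header, which
# `openssl rsa -in client.key -out client-dec.key` strips (general OpenSSL usage).

def key_is_encrypted(pem_text: str) -> bool:
    """True if the key still needs a passphrase and must not be uploaded yet."""
    if "BEGIN ENCRYPTED PRIVATE KEY" in pem_text:
        return True
    return re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M) is not None


def key_pem_is_well_formed(pem_text: str) -> bool:
    """Header and footer labels match and the body decodes as base64.

    Catches a file truncated during copy/paste, which the phone would reject
    without a useful message.
    """
    m = re.search(r"-----BEGIN ([A-Z ]+?)-----\n(.*?)\n-----END ([A-Z ]+?)-----",
                  pem_text, re.S)
    if not m or m.group(1) != m.group(3):
        return False
    # Drop the Proc-Type/DEK-Info header lines of a legacy encrypted key.
    body = "".join(ln.strip() for ln in m.group(2).splitlines()
                   if ln.strip() and ":" not in ln)
    try:
        base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


# --- 2. Is the Additional Options route line usable? -------------------------

def route_option_ok(option_line: str) -> bool:
    """'route NETWORK NETMASK' where NETWORK is aligned to NETMASK.

    strict=True rejects a host address such as 192.168.10.5/255.255.255.0;
    the literal 192.168.x.0 placeholder from the post is rejected as well.
    """
    parts = option_line.split()
    if len(parts) != 3 or parts[0] != "route":
        return False
    try:
        ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=True)
    except ValueError:
        return False
    return True


# --- 3. Is the server pinned to one cipher, and does the phone match it? -----

def _norm(name: str) -> str:
    """Normalise so RouterOS 'aes256' compares equal to the phone's 'AES-256'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def ciphers_match(routeros_cmd: str, phone_cipher: str) -> bool:
    """Server `cipher=` holds exactly one value and it equals the phone's choice.

    RouterOS accepts a comma list (cipher=aes128,aes256); the post notes that
    such a list connects but carries no traffic, so a list counts as a failure.
    """
    m = re.search(r"\bcipher=(\S+)", routeros_cmd)
    if not m or "," in m.group(1):
        return False
    return _norm(m.group(1)) == _norm(phone_cipher)


def preflight(key_pem, route_line, routeros_cmd, phone_cipher):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if not key_pem_is_well_formed(key_pem):
        problems.append("client key: not a well-formed PEM file")
    if key_is_encrypted(key_pem):
        problems.append("client key: still passphrase-protected, decrypt it first")
    if not route_option_ok(route_line):
        problems.append(f"additional options: bad route line {route_line!r}")
    if not ciphers_match(routeros_cmd, phone_cipher):
        problems.append("cipher: server must be pinned to the single cipher the phone uses")
    return problems


# Constructed samples (the base64 body is filler, not a real key).
_B64 = "MDEyMzQ1Njc4OUFCQ0RF\n" * 3
ENCRYPTED_PKCS1_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    + _B64 + "-----END RSA PRIVATE KEY-----\n")
DECRYPTED_KEY = "-----BEGIN PRIVATE KEY-----\n" + _B64 + "-----END PRIVATE KEY-----\n"
# The ovpn-server line from Step 1 of the post (shortened to the relevant options).
ROUTEROS_SERVER_CMD = ('set auth=sha1 certificate="server@$CN" cipher=aes256 '
                       'default-profile=OVPN-Profile enabled=yes')

if __name__ == "__main__":
    for label, key in (("decrypted", DECRYPTED_KEY), ("encrypted", ENCRYPTED_PKCS1_KEY)):
        print(label, preflight(key, "route 192.168.10.0 255.255.255.0",
                               ROUTEROS_SERVER_CMD, "AES-256"))
```

Run it with the real files substituted for the constructed samples: `preflight()` returning an empty list means the key, the route line and the cipher choice are consistent with what the phone and the Mikrotik side expect, and each non-empty entry names the one thing to fix before the reboot in Step 3.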
If you have suggestions or need additional details let me know…