¶ VPN
¶ Overview
Here you can configure a VPN server that you prefer (either WireGuard or OpenVPN) and set up a range of IP addresses for routing within the OpenVPN network space (Cloud).
¶ WireGuard
To begin configuring the WireGuard server, navigate to Config → Tools → VPN (the Wireguard tab) and click the Configuration button. In the new window for WireGuard server configuration, ensure that the toggle is enabled. The port and network settings are preconfigured by default. Finally, click Save.
Sometimes, you might need to click Restart to update the changes:
By clicking the Status button, you can check the server status. If it's active, it will be indicated in the newly opened window as shown below:
When the initial setup is complete, proceed to add a WireGuard client. Enable the toggle in the new window, enter the Connection name, specify the IP, and write the allowed IPs (if necessary):
By clicking the info icon 
next to the allowed IPs, you'll find information about the IP format:
This GitHub repository contains detailed information about the allowed IPs for WireGuard: https://github.com/pirate/wireguard-docs#allowedips
When the WireGuard client is added, you can see its Connection name, Public key, IP, and Status in the table. You can then edit it, delete it, or download its configuration files by clicking the respective icon. To complete the server setup, download the configuration files as shown below:
Two files, with extensions .conf and .rsc, will be downloaded to your computer in a zip archive:
The .rsc file is a script for the Mikrotik router. Please find below the information about WireGuard configuration on the Mikrotik router.
The .conf file is used for WireGuard configuration on systems other than Mikrotik (e.g., Ubuntu, Windows, etc.).
After installing WireGuard on Windows, the .conf file is added to its interface in Add Tunnel:
When the connection with the WireGuard server is established, you'll see the client's status change to Connected. By hovering over the status, you can view the details about the connection displayed beneath it:
¶ WireGuard client configuration on Mikrotik router
The downloaded .rsc file from your newly created WireGuard client in Splynx (as described above) contains a set of commands for the Mikrotik router.
- Open the Mikrotik router software and enter the commands in its Terminal to create the WireGuard interface:
- Open the WireGuard interface to view details about the client and peers in their respective tabs:
- Add NAT rules for the WireGuard interface in IP - Firewall - NAT:
Clicking on a rule allows you to configure it and view details:
- In IP - Addresses List, you can see the IP adresses of your WireGuard client:
To check the Route List, open IP - Routes:
¶ OpenVPN
If an OpenVPN server isn't configured yet, the page will look as follows:
By clicking on Generate certificates, OpenVPN server certificates will be generated, and you will be able to use it.
The following parameters need to be specified:
Country - there is the 2-character ISO format country code in this field. For example, GB is the valid country code for Great Britain, and US is the valid code for the United States. To locate a specific country code, visit Country Codes;
Province/state - U.S. and Canadian customers need to enter a State or Province name. Do not abbreviate. In the United States, if your organization is incorporated, for instance, in the state of Delaware, but is operating within California, use California;
City/Locality - Mandatory field, usually denotes the city in which the organization is located. Do not use abbreviations. For example, spell "Saint Louis", instead of "St. Louis". If the organization is registered only locally, for example, its business license is registered with the City Clerk; the Locality/City field must contain the name of the city where it is registered. International customers need to enter either a City/Locality or a State/Province field;
Organization - The Organization Name (corporation, limited partnership, university, or government agency) need to be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Do not abbreviate or use any of these symbols: ! @ # $ % ^ * ( ) ~ ? > < / ;
Email - email address of the organization;
Organization Unit (OU) - Mandatory field to differentiate between divisions within an organization, for example, "Electronic Commerce Pilot" or "Human Resources". If your organization is doing business as (DBA) a trade name, you may specify the trade or DBA name in this field.
Source: https://knowledge.digicert.com/solution/SO16317.html
After specifying the needed parameters, click on Generate and wait:
Now the OpenVPN server needs to be configured and enabled:
The port, mode (TCP or UDP), network, cipher, auth (hash function SHA1 or MD5) and authentication method can be configured here.
Once the server is configured, let's add a client:
Specify the connection name, IP and routes if needed. You can also write a comment. By clicking on the "i" (info) next to Routes, a list with the syntax of routes will appear:
Once the client connection is created, let's download credentials (Download config):
After this, a "zip" archive will be downloaded with the following files:
We're going to create a VPN connection between Splynx (with OpenVPN server) and a desktop using Ubuntu.
¶ OpenVPN client configuration on Mikrotik router
Let's add a new client and configure a Mikrotik router as an OpenVPN client.
To be able to enter Username and Password for OpenVPN connections, click the Configuration button and choose Certificate & Key + Username & Password in the Authentication method field:
Once added and files are downloaded, we have to upload the certificates to the Mikrotik under Files:
Once the files are uploaded to the Mikrotik, we have to import these certificates under System - Certificates:
More detailed information on how to import certificates can be found here: Mikrotik wiki
After all certificates are imported, let's create an OpenVPN client interface:
Once the interface has been added, this should be sufficient to establish a link between Splynx and the Mikrotik router.
Pay Attention!
Sometime it is necessary to add default routers using the OpenVPN client interface, in that case, you can enable the option to "Add default route" under the interface but make sure that it is entirely needed before you enable this, as it can break/cause problems in your routing. If you do enable this option, new routes will be created under IP - Routes
A PPP profile on the Mikrotik should be used that's not already used by another service (in case it has an IP assigned, it will use this IP from the profile and will not receive the correct IP from the server)
The next step is also necessary in only some cases. Therefore, please make sure that this is needed before creating the NAT rule, as this too can break/cause problem in your routing.
If you need this NAT rule, we can add it under IP - Firewall - NAT with a "srcnat" chain and "Out.Interface" = your OpenVPN client interface:
and "Action" = masquerade
Now you can ping the network that was unreachable before:
After a connection has been established to Splynx, the status of the connection will change to "Connected". By clicking on Status, you can see details about active connections:
By clicking on Log, the logs of the VPN server can be checked.
¶ OpenVPN client configuration on Ubuntu
Let's add the VPN connection in Ubuntu:
Here we can specify the gateway (IP of server), type and certificates + keys which are required. User key password in this setup can be skipped. The next step is to click on "Advanced":
Here we specify TCP connection (depending on the server configuration).
And here we have to specify the Cipher (depending on the server configuration).
Once that's done, let's enable the VPN connection and test it:
The interface with given IP was created.
And the network specified in routes (when we configured client) is accessible.
¶ Cloud
¶ Format:
IP [netmask] [gateway] [metric]
One route per line
¶ Example
192.168.76.1
192.168.77.0 255.255.255.0
192.168.78.0 255.255.255.0 192.168.78.1
192.168.79.0 255.255.255.0 192.168.79.1 10
¶ Description
192.0.2.1 #route to host 192.0.2.1 via OpenVPN remote side
192.0.2.0 255.255.255.0 #route to network 192.0.2.0/24 via OpenVPN remote side
192.0.2.0 255.255.255.0 198.51.100.1 #route to network 192.0.2.0/24 via router 198.51.100.1 available on the OpenVPN remote side
192.0.2.0 255.255.255.0 198.51.100.1 10 #route to network 192.0.2.0/24 via router 198.51.100.1 available on the OpenVPN remote side. Route metric 10. Default metric is 0.
Default netmask is 255.255.255.255