Skip to content

Generate CA and Certificates
To use OpenVPN securely, we’ll need certificates. Make sure to change the values (my_ca_name and 10.0.0.1) below to match your desired configuration! First, we’ll generate the certificate authority (CA):

/certificate
add name=my_ca_name common-name=my_ca_name key-usage=cert-sign,crl-sign
sign my_ca_name ca-crl-host=my_router_ip_address name=my_ca_name
export-certificate my_ca_name

The above commands will do the following:

Add a new CA certificate called my_ca_name
Sign the certificate
Export the certificate as my_ca_name
Next we’ll generate the certificate for our VPN (change the values my_vpn_server, my_user, my_ca_name and please_use_a_good_passphrase):

/certificate
add name=my_vpn_server common-name=my_vpn_server
add name=my_user common-name=my_user
sign my_vpn_server ca=my_ca_name name=my_vpn_server
sign my_user ca=my_ca_name name=my_user
export-certificate export-passphrase=please_use_a_good_passphrase my_user

These commands will:

Add a new server certificate called my_vpn_server
Add a new user certificate called my_user
Sign both certificates
Export the user certificate as my_user, with the passphrase: please_use_a_good_passphrase – change this!
Configure IP Pool, PPP Profile and Login Credentials
Create an IP pool called ovpn-pool with a range of IP addresses, here we’ll use 10.0.1.100-10.0.1.200:

/ip
pool add name=ovpn-pool range=10.0.1.100-10.0.1.200

Create a PPP profile with associated PPP credentials (don’t forget to change these values: my_ppp_profile, 10.0.0.1, my_ppp_user, please_use_a_good_password to match your configuration):

/ppp
profile add name=my_ppp_profile local-address=10.0.0.1 remote-address=ovpn-pool dns-server=10.0.0.1
secret add name=my_ppp_user password=please_use_a_good_password profile=my_ppp_profile

Create OpenVPN Server Interface
The following command will cerate an OpenVPN server interface in RouterOS, with your server certificate (my_vpn_server), sha1 authentication, aes256 encryption, running on port 1194 (default):

/interface
ovpn-server server set enabled=yes certificate=my_vpn_server auth=sha1 cipher=aes256 port=1194 netmask=24 require-client-certificate=yes mode=ip

Configure Firewall to Allow OpenVPN Connections
Make sure your router allows incoming TCP connections on port (1194 below matches your configuration above):

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

Let’s clear the console history to get rid of sensitive information:

/console clear-history

Now we have a working OpenVPN server running on MikroTik RouterOS!

Client Configuration
To connect to your newly configured OpenVPN server, you need to configure your clients as well. A sample OpenVPN client configuration can look like this, based on the values we have entered earlier (example.com, 10.0.0.1, 1194, and you’ll also need to paste the CA certificate, user certificate and private keys generated earlier in this tutorial where it says so below):

client
dev tun
proto tcp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
verb 1 
cipher AES-256-CBC
auth SHA1
auth-user-pass
dhcp-option DOMAIN example.com
dhcp-option DNS 10.0.0.1
redirect-gateway def1
route 0.0.0.0 0.0.0.0 10.0.0.1 1
route 10.0.0.0 255.255.255.0


<ca>
-----BEGIN CERTIFICATE-----
# paste your CA certificate here #
-----END CERTIFICATE-----
</ca>
````


-----BEGIN CERTIFICATE-----

paste your user certificate here

-----END CERTIFICATE-----


-----BEGIN RSA PRIVATE KEY-----

paste your user private key here

-----END RSA PRIVATE KEY-----

```