This article does not discuss why you should use VPN, or specifically OpenVPN – just how to implement OpenVPN server on Mikrotik RouterOS.

Change these to fit your setup:

  • This router’s local address:
  • Local certificate authority name: myCa
  • Name for the VPN server in the certificate: server
  • Name for the VPN client in the certificate: client1
  • Passphrase for the client’s key file: mysecret
  • Name of the IP address pool to give to the VPN clients: ovpn-pool
  • IP addresses to give to the VPN clients:
  • Port number: 1194. You’re free to change this to something else.
  • OpenVPN username: vpnuser
  • OpenVPN password: mypassword

Add a certificate authority in RouterOS:

add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
sign myCa ca-crl-host= name=myCa

Export the certificate authority:

/certificate export-certificate myCa

We now have the certificate authority file in /file print. We can copy it out via many methods: SFTP, Winbox, FTP and others.

Generate certificates for both server and client:

add name=server common-name=server
add name=client1 common-name=client1
sign server ca=myCa name=server
sign client1 ca=myCa name=client1

Export the certificate for the client (no need to export the server’s certificate):

/certificate export-certificate export-passphrase=mysecret client1

We can then transfer both the .key and .crt files out by many methods. Next, create a pool, PPP profile, and login credentials:

/ip pool add name=ovpn-pool range=
/ppp profile add name=ovpn local-address= remote-address=ovpn-pool dns-server=
/ppp secret add name=vpnuser password=mypassword profile=ovpn

Enable the OpenVPN server, select the server’s certificate, and use this new PPP profile:

/interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes128 port=1194 netmask=24 require-client-certificate=yes mode=ip

The following is a sample configuration file for the client. Before using it, replace the following:

  • Public address and port number (default is 1194) in the line remote.
  • Use the correct cipher. This configuration uses SHA1 with AES 128 bits.
  • Domain name in the line dhcp-option DOMAIN. You can put a fictional one if you don’t have one.
  • DNS server in the line dhcp-option DNS.
  • Route to the local network at the VPN side in the line route
  • Content from the export of the certificate authority in the <ca> section.
  • Content of the client’s certificate file in the <cert> section.
  • Content of the client’s key file in the <key> section. If the key file has a passphrase, generate a decrypted version of it on a UNIX/Linux box:
    openssl rsa -in /path/to/client1.key -text

# this is a layer 3 (IP) VPN
dev tun

# Mikrotik only supports TCP at the moment
proto tcp

# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote 1149

resolv-retry infinite

# Mikrotik does not support link compression at the moment


# OpenVPN client debug log verbosity
verb 1

#cipher BF-CBC
cipher AES-128-CBC
#cipher AES-192-CBC
#cipher AES-256-CBC

#auth MD5
auth SHA1

# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication

# domain name for home LAN
dhcp-option DOMAIN mydomain.tld

# DNS server (replace with your own)
dhcp-option DNS

# SMB WINS name server if you have one
#dhcp-option WINS

# route to multiple networks
redirect-gateway def1
route 1

# Mikrotik accepts a CA cert
...content goes here...

# Mikrotik expects a VPN Client Certificate
...content goes here...

# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
...content goes here...

Once we have the configuration file for the VPN client ready, simply import it and connect to our new OpenVPN server!

3 comments on “OpenVPN Server on Mikrotik RouterOS

  • Hello,
    I have a problem. I generated all certificates, all find but on the iPhone with OpenVPN Connect i have a error: mbed TLS: error parsing config private key: PKCS5 – Requested encryption or digest alg not available.

    Help me.
    Thank you 🙂

    • Check your log file, does it throw the error even before trying to connect? If yes, check your client configuration file, you may have messed up the certificate part. Copy only the encrypted values and paste them at their own places.

Comments are closed.