
MikroTik: OpenVPN Server Setup

Configuring an OpenVPN server on a MikroTik router can be a complex task, especially for beginners with limited experience in networking.

Below you will find how to set up the OpenVPN server on your MikroTik router from the command line (terminal) quickly and easily, and how to connect to it using an OpenVPN client.

Cool Tip: Minimize risks by using MikroTik’s safe mode feature!

MikroTik OpenVPN Server Setup

SSH into the MikroTik router:

C:\> ssh admin@192.168.88.1

1️⃣ Create Certificates

OpenVPN is based on TLS/SSL technology, in which a server and clients can verify each other’s identities using certificates 📜.

To set up the MikroTik OpenVPN server you should generate the following certificates:

  • Certificate Authority (CA) – the master (root) certificate used to sign the server and client certificates. Clients receive a copy of the public part of the CA certificate to verify the validity of the server certificate; the server in turn verifies the validity of the client certificates.
  • Server – proves the identity of the server on which the OpenVPN daemon runs. Both the private key and the public key stay on the server, and the server presents the public key (certificate) to clients to prove its identity.
  • Client – a private key and public key generated for each new user account. The client keeps its private key and the public key (certificate) in its connection profile, and presents the public key to the server to prove its identity.

Certificate Template: To create a certificate in MikroTik, you first create a certificate template; the template is removed automatically right after the certificate is signed.

⏳ It may take some time! The duration of the key signing process depends on the certificate key size and the CPU power of the MikroTik router.

1️⃣.1️⃣ ─ Create the CA key pair:

[admin@MikroTik] > /certificate add name=ca-template \
                                    common-name=ovpn-ca \
                                    days-valid=36500 \
                                    key-size=2048 \
                                    key-usage=crl-sign,key-cert-sign

[admin@MikroTik] > /certificate sign ca-template name=ovpn-ca

1️⃣.2️⃣ ─ Create the OpenVPN server key pair and sign it with the CA key:

[admin@MikroTik] > /certificate add name=server-template \
                                    common-name=ovpn-server \
                                    days-valid=36500 \
                                    key-size=2048 \
                                    key-usage=digital-signature,key-encipherment,tls-server

[admin@MikroTik] > /certificate sign server-template name=ovpn-server \
                                                     ca=ovpn-ca

1️⃣.3️⃣ ─ Create the OpenVPN client key pair and sign it with the CA key:

[admin@MikroTik] > /certificate add name=client-template \
                                    common-name=ovpn-client1 \
                                    days-valid=36500 \
                                    key-size=2048 \
                                    key-usage=tls-client

[admin@MikroTik] > /certificate sign client-template name=ovpn-client1 \
                                                      ca=ovpn-ca

Individual Client Keys: It is recommended to create an individual key pair for each OpenVPN client, so that a compromised private key affects only that user and not the others.

To list the certificates:

[admin@MikroTik] > /certificate print
- sample output -
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued,
       R - revoked, E - expired, T - trusted 
 #         NAME             COMMON-NAME     SUBJECT-ALT-NAME     FINGERPRINT
 0 K  A  T ovpn-ca          ovpn-ca                              be0...
 1 K   I   ovpn-server      ovpn-server                          f89...
 2 K   I   ovpn-client1     ovpn-client1                         d92...

Cool Tip: How to backup and restore a MikroTik router!

2️⃣ Configure OpenVPN Server

2️⃣.1️⃣ ─ Create a pool of IP addresses for OpenVPN clients:

[admin@MikroTik] > /ip pool add name=ovpn-dhcp-pool \
                                range=192.168.99.10-192.168.99.254

2️⃣.2️⃣ ─ Configure and start the OpenVPN server:

[admin@MikroTik] > /ppp profile add name=ovpn-server \
                                    use-encryption=yes \
                                    local-address=192.168.99.1 \
                                    dns-server=192.168.99.1 \
                                    remote-address=ovpn-dhcp-pool

[admin@MikroTik] > /interface ovpn-server server set default-profile=ovpn-server \
                                                     certificate=ovpn-server \
                                                     require-client-certificate=yes \
                                                     auth=sha1 \
                                                     cipher=aes128-gcm,aes192-gcm,aes256-gcm \
                                                     port=443 \
                                                     enabled=yes

  • dns-server=192.168.99.1 – configures the MikroTik router to also act as a DNS server for the OpenVPN clients.
  • port=443 – starts the OpenVPN server on port 443 (default: 1194) to prevent an Internet service provider (ISP) from detecting and blocking the VPN traffic.

Cool Tip: How to setup DNS servers on a MikroTik router! Read more →

2️⃣.3️⃣ ─ Enable a dynamic DNS (DDNS) service to connect to the OpenVPN server by a permanent domain name (very useful when your ISP provides a dynamic IP address that changes periodically):

[admin@MikroTik] > /ip cloud set ddns-enabled=yes
[admin@MikroTik] > /ip cloud print
- sample output -
          ddns-enabled: yes
  ddns-update-interval: none
           update-time: yes
        public-address: XXX.XXX.XXX.XXX
              dns-name: <uniqAddress>.sn.mynetname.net
                status: updated
               warning: Router is behind a NAT. Remote connection might not work.

If you get the “warning: Router is behind a NAT. Remote connection might not work.” message, you should configure port forwarding on the ISP’s router to which your MikroTik router is connected.

To do this, log in to the ISP’s router through its user interface (UI) and configure port forwarding in the NAT settings, for example, as follows:

If the ISP’s router issues a dynamic IP address to your MikroTik router, it is better to go to DHCP settings and make it static:

To get the IP and MAC addresses of the MikroTik’s interface connected to the ISP’s router (usually ether1), execute:

[admin@MikroTik] > /ip address print
- sample output -
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS          NETWORK       INTERFACE
;;; defconf
0   192.168.88.1/24  192.168.88.0  bridge
1 D 192.168.1.93/24  192.168.1.0   ether1

[admin@MikroTik] > :put [/interface ethernet get \
                        [/interface ethernet find default-name=ether1] mac-address ]
- sample output -
XX:XX:XX:XX:52:F0

Cool Tip: A default MikroTik firewall config for dummies! Read more →

3️⃣ Configure Firewall

The firewall rules that have to be created should be placed above the DROP rules; otherwise you will get the “Connection reset, restarting [-1]” error when trying to connect to your OpenVPN server.

3️⃣.1️⃣ ─ List the firewall rules and note the number of the “drop all not coming from LAN” rule (in the example below it is 5):

[admin@MikroTik] > /ip firewall filter print all without-paging
- sample output -
Flags: X - disabled, I - invalid; D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN

...

3️⃣.2️⃣ ─ Create firewall rules to allow incoming connections to the VPN server and to allow OpenVPN clients from the 192.168.99.0/24 network to access the LAN (by default, 192.168.88.0/24) and the MikroTik router itself (to use it as a DNS server and to be able to log in to it):

[admin@MikroTik] > /ip firewall filter add chain=input \
                                           action=accept \
                                           protocol=tcp \
                                           dst-port=443 \
                                           disabled=no \
                                           comment="Allow incoming connections to OpenVPN" \
                                           place-before=X

[admin@MikroTik] > /ip firewall filter add chain=input \
                                           action=accept \
                                           src-address=192.168.99.0/24 \
                                           disabled=no \
                                           comment="Allow OpenVPN clients to access MikroTik" \
                                           place-before=X+1

[admin@MikroTik] > /ip firewall nat add action=masquerade \
                                        chain=srcnat \
                                        src-address=192.168.99.0/24 \
                                        comment="Allow OpenVPN clients to access LAN"

ℹ️ Replace X and X+1 according to the number of the “drop all not coming from LAN” rule, i.e. 5 and 6 respectively in my case.

The resulting order of the firewall rules in my case looks as follows:

[admin@MikroTik] > /ip firewall filter print all without-paging
- sample output -
Flags: X - disabled, I - invalid; D - dynamic
...
 5    ;;; Allow incoming connections to OpenVPN
      chain=input action=accept protocol=tcp dst-port=443

 6    ;;; Allow OpenVPN clients to access MikroTik
      chain=input action=accept src-address=192.168.99.0/24

 7    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
...

[admin@MikroTik] > /ip firewall nat print all without-paging
- sample output -
Flags: X - disabled, I - invalid; D - dynamic
...
 1    ;;; Allow OpenVPN clients to access LAN
      chain=srcnat action=masquerade src-address=192.168.99.0/24 log=no log-prefix=""

Cool Tip: Configure an OpenVPN client as a systemd service in Linux! Read more →

4️⃣ Configure OpenVPN Client

4️⃣.1️⃣ ─ Export the CA certificate and client keys, generated earlier (copy to the “Files” folder on the MikroTik router from which they can then be downloaded):

[admin@MikroTik] > /certificate export-certificate ovpn-ca export-passphrase=""
[admin@MikroTik] > /certificate export-certificate ovpn-client1 export-passphrase="12345678"

Export Passphrase: MikroTik doesn’t allow exporting a private key without protecting it with a passphrase. Fortunately the passphrase can be removed using OpenSSL, and I will show how to do this in the later steps.

To list the exported files:

[admin@MikroTik] > /file print
- sample output -
 # NAME                             TYPE          SIZE     CREATION-TIME       
 0 cert_export_ovpn-ca.crt          .crt file     1119     oct/25/2022 14:31:40
 1 cert_export_ovpn-client1.crt     .crt file     1155     oct/25/2022 14:32:57
 2 cert_export_ovpn-client1.key     .key file     1858     oct/25/2022 14:32:58

4️⃣.2️⃣ ─ Copy the exported files from the MikroTik router to your computer:

C:\> sftp admin@192.168.88.1:cert_export_*

Alternatively, you can download the files from the WinBox/WebFig interface by going to the “Files” menu:

4️⃣.3️⃣ ─ After copying the CA certificate and the client key pair to the computer, I prefer to rename them to ca.crt, client1.crt and client1.key respectively:

C:\> rename cert_export_ovpn-ca.crt ca.crt
C:\> rename cert_export_ovpn-client1.crt client1.crt
C:\> rename cert_export_ovpn-client1.key client1.key

4️⃣.4️⃣ ─ Remove the passphrase from the client’s private key using OpenSSL:

C:\> openssl rsa -in client1.key -out client1.key
- sample output -
Enter pass phrase for client1.key: 12345678
writing RSA key

As OpenSSL is not installed on Windows by default, you may receive the following error:

‘openssl’ is not recognized as an internal or external command, operable program or batch file.

Unfortunately there is no official OpenSSL build for Windows, but it is easy and secure to use the one that comes with Git for Windows.

Once you have installed Git for Windows, you can run the openssl command by providing the full path to the executable, for example:

C:\> "C:\Program Files\Git\usr\bin\openssl.exe" rsa -in client1.key -out client1.key
- sample output -
Enter pass phrase for client1.key: 12345678
writing RSA key

4️⃣.5️⃣ ─ In the MikroTik router, create an OpenVPN user and set the password:

[admin@MikroTik] > /ppp secret add name=client1 profile=ovpn-server password="passw0rd"

4️⃣.6️⃣ ─ Download and install the OpenVPN client.

4️⃣.7️⃣ ─ Change the current directory to %USERPROFILE%\OpenVPN\config (create it if it doesn’t exist) and copy the ca.crt, client1.crt and client1.key files into it:

C:\> mkdir "%USERPROFILE%\OpenVPN\config"
C:\> chdir "%USERPROFILE%\OpenVPN\config"
C:\> copy %USERPROFILE%\ca.crt .
C:\> copy %USERPROFILE%\client1.crt .
C:\> copy %USERPROFILE%\client1.key .

4️⃣.8️⃣ ─ Create a file with the OpenVPN user credentials:

C:\> notepad client1-creds.conf
C:\> type client1-creds.conf
- sample output -
client1
passw0rd

4️⃣.9️⃣ ─ Create an OpenVPN client configuration file:

C:\> notepad client1.ovpn
C:\> type client1.ovpn
- sample output -
client
dev tun
proto tcp
remote <uniqAddress>.sn.mynetname.net 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-128-GCM
auth SHA1
auth-user-pass client1-creds.conf
redirect-gateway def1
verb 3

The final content of the %USERPROFILE%\OpenVPN\config folder should look as follows:

C:\> dir
- sample output -
 Volume in drive C is Windows
 Volume Serial Number is 9AFA-3990

 Directory of %USERPROFILE%\OpenVPN\config

05/02/2023  10:35 PM    <DIR>          .
05/02/2023  10:35 PM    <DIR>          ..
05/02/2023  09:10 PM             1,070 ca.crt
05/02/2023  10:31 PM                17 client1-creds.conf
05/02/2023  09:10 PM             1,103 client1.crt
05/02/2023  09:13 PM             1,679 client1.key
05/02/2023  10:34 PM               293 client1.ovpn
05/31/2022  09:20 AM               226 README.txt
               6 File(s)          4,388 bytes
               2 Dir(s)  159,665,164,288 bytes free

4️⃣.1️⃣0️⃣ ─ Connect to the OpenVPN Server

Right-click on an OpenVPN GUI tray icon and select “Connect”:

If everything is all right, the VPN connection will be established:

Voilà! The MikroTik OpenVPN server configuration is done! 😎

Preparing and importing the OpenVPN configuration file
The next step is to provide the OpenVPN app with a configuration file. If you save it with the .ovpn extension (for example client.ovpn), you can easily import it later on. Let’s start with setting up the configuration file. Note that the sample below comes from a different setup; for the MikroTik server configured above, the remote, proto and port lines must match it (the <uniqAddress>.sn.mynetname.net name, tcp and 443), as in the client1.ovpn file from step 4.9.

client
dev tun
proto udp
remote pi.example.org 1194
comp-lzo
redirect-gateway
<ca>
-----BEGIN CERTIFICATE-----
...
q0c4PYC3BB7pIOA2fH7Clkb8TduDcz0kzPqStD3mVjLXx1+KVxVeGMgbj0QLbPoG
...
-----END CERTIFICATE-----
</ca>
# other options (mostly defaults)
nobind
persist-key
persist-tun
user nobody
group nogroup
resolv-retry infinite
To use the same client identity on a phone, bundle the client certificate, its private key and the CA certificate into a single PKCS#12 file:

 openssl pkcs12 -export -in client1.crt -inkey client1.key -certfile ca.crt -name certphone -out certphone.p12

Move certphone.p12 to your phone and install the certificate.

Then copy client.ovpn to your phone (or send it by e-mail) and import it.

Use the export password you set when installing the certificate.
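As an added example (not part of the original post and not RouterOS code), the shell script below builds a throwaway PKI with openssl that mirrors the three certificate templates from step 1, then runs the checks an exported client bundle should pass before it is handed out: the chain and key-usage check, the key-to-certificate match, the passphrase removal from step 4.4, and the PKCS#12 bundle for a phone from the note above. It assumes openssl on the PATH; the CA, server and client names, the export passphrase and the PKCS#12 password are constructed stand-ins.

```shell
# Added example (not from the original post): build a throwaway PKI with openssl
# that mirrors the MikroTik templates (CA: key-cert-sign,crl-sign; server: tls-server;
# client: tls-client), then run the checks an exported client bundle should pass.
# Assumes openssl >= 1.1.1 on PATH; every file below is constructed in a temp directory.
set -eu
WORK=$(mktemp -d); cd "$WORK"
EXPORT_PASS=12345678   # stand-in for the export-passphrase used in step 4.1

# Stand-ins for ovpn-ca, ovpn-server and ovpn-client1 (same CNs and key usages)
openssl req -x509 -newkey rsa:2048 -nodes -days 36500 -subj /CN=ovpn-ca \
  -addext keyUsage=critical,keyCertSign,cRLSign -keyout ca.key -out ca.crt 2>/dev/null
issue() {  # issue <name> <extendedKeyUsage>: key pair + CSR, signed by the CA above
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$2" >"$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 36500 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
issue ovpn-server serverAuth
issue ovpn-client1 clientAuth

# Mimic /certificate export-certificate: the key leaves the router passphrase-protected
openssl rsa -in ovpn-client1.key -aes256 -passout "pass:$EXPORT_PASS" -out client1.key 2>/dev/null
cp ovpn-client1.crt client1.crt

# cert_fit_for <ca> <cert> <sslclient|sslserver>: chains to <ca> and carries the matching EKU
cert_fit_for() { openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1; }

# key_matches_cert <cert> <key> <passphrase>: the (possibly encrypted) key belongs to the cert
key_matches_cert() {
  [ "$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

# strip_passphrase <in> <passphrase> <out>: step 4.4; succeeds only if <out> is no longer encrypted
strip_passphrase() {
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null && ! grep -q ENCRYPTED "$3"
}

# make_p12 <cert> <key> <ca> <out> <p12-password>: bundle for the phone, then re-parse it
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -name certphone \
    -out "$4" -passout "pass:$5" 2>/dev/null &&
  openssl pkcs12 -in "$4" -passin "pass:$5" -noout 2>/dev/null
}

cert_fit_for ca.crt client1.crt sslclient && key_matches_cert client1.crt client1.key "$EXPORT_PASS" \
  && strip_passphrase client1.key "$EXPORT_PASS" client1-nopass.key \
  && make_p12 client1.crt client1-nopass.key ca.crt certphone.p12 phone-pass \
  && echo "client1 bundle verified in $WORK"
```

The same checks apply to the files exported from the router: run cert_fit_for and key_matches_cert against ca.crt, client1.crt and client1.key before building the phone bundle.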
 
Original Blog
