Dec 29, 2016

Having an OpenVPN server on your router is a nifty feature. However, as is often the case with MikroTik, not everything is straightforward.

This guide assumes you enter commands in the New Terminal window of WinBox. That way I can simply list the commands needed instead of walking through the screens. The commands are quite descriptive and easy to “translate” into GUI actions if that is your preference.

The prerequisite for any VPN server is to get the certificates sorted. For OpenVPN we need a Certificate Authority (CA) certificate, a server certificate, and a client certificate. Yes, strictly speaking, the client certificate is optional, but let’s not skimp on security: with it, a leaked or guessed username/password alone is not enough to connect.

First we create all the certificate templates we’ll need (10 years validity, 2048-bit RSA keys; 4096 works too but takes far longer to generate on router hardware), in the /certificate menu:

/certificate
add name=ca-template common-name=ca days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=* days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client days-valid=3650 key-size=2048 key-usage=tls-client

For the purpose of the OpenVPN server the common name can be really anything, because the client configuration below uses remote-cert-tls server, which checks the server certificate’s key usage (tls-server) rather than its name. However, some other VPNs are not as forgiving (yes SSTP, I am looking at you), so it might be best to put either your external IP or host name as the server’s common-name. And yes, if you have a dynamic IP and you are not using your own domain, you can put * there, no worries. If you give the CA and client templates a common-name too, it is just a label.

The created templates then need signing; the CA signs itself, and the other two are signed by the CA:

/certificate
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Depending on your router’s speed, the sign command might time out. Nothing to worry about: just wait for the CPU to drop below 100%, or check the certificate list (/certificate print); the “-template” part of the name disappears once signing is complete.

With this done we need to export a few files. The CA is exported without its private key (empty passphrase), while the client certificate is exported together with its key, which RouterOS encrypts with the passphrase you give (at least 8 characters):

/certificate
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=12345678

This should give you three files in the router’s Files list: cert_export_ca-certificate.crt, cert_export_client-certificate.crt, and cert_export_client-certificate.key. After copying them to the computer, I like to rename them to ca.crt, client.crt, and client.key respectively. The .key file is the client’s identity, so keep it off shared drives.

Next we need a separate pool of IP addresses for clients. I will assume your clients are in some other network (e.g. 192.168.1.x) and this new network is just for VPN:

/ip pool add name="vpn-pool" ranges=

Instead of editing the default encrypted profile, we can create a new one. The local-address is the router’s own address on the VPN network and must be in the same subnet as the pool (the Windows client refuses the tunnel otherwise). The assumption is that your MikroTik will also be the DNS server, so dns-server is that same address. And while at it, do create a more imaginative user name/password than the ones below:

/ppp profile add name="vpn-profile" use-encryption=yes local-address= dns-server= remote-address=vpn-pool
/ppp secret add name=user profile=vpn-profile password=password

Finally, we can enable the OpenVPN server interface. require-client-certificate=yes is what actually enforces the client certificate we made; the cipher list is what the client may pick from:

/interface ovpn-server server
set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes
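Here is the entire router side of the above (certificates, export, pool, profile, user, server, and the firewall rule from the PS at the end of the post) as one script you can paste into New Terminal. This is an added example, not the commands from the original post: the VPN subnet 10.8.0.0/24 with the router at 10.8.0.1, the user name alice and the ChangeMe secrets are assumptions to replace with your own, and the extras (service=ovpn, trusted=yes, the DNS settings and rule, the checks at the end) are additions not in the original text.

```routeros
# Added example (not from the original post): the whole router side of the
# procedure as one RouterOS 6.x script, including the firewall rule.
# Assumed values to replace: VPN subnet 10.8.0.0/24 with the router at
# 10.8.0.1, user name "alice", and the two "ChangeMe" secrets.

# --- 1. Certificate templates (2048-bit RSA, 10 years) --------------------
# The server common-name does not matter to OpenVPN clients that use
# "remote-cert-tls server": they check key-usage tls-server, not the name.
/certificate
add name=ca-template common-name=vpn-ca days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=* days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=alice days-valid=3650 key-size=2048 key-usage=tls-client

# --- 2. Sign (CA self-signed; server and client signed by the CA) ---------
# Signing is slow on small boards; if a command times out, wait until
# "/certificate print" no longer shows the "-template" names before going on.
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
# Let the router itself use the CA for verification (SSTP needs this; it
# does no harm for OpenVPN).
set [find name=ca-certificate] trusted=yes

# --- 3. Export: CA without key (empty passphrase), client with key --------
# The key passphrase must be at least 8 characters. It is stripped later on
# the client with openssl, so it only protects the file while in transit.
export-certificate ca-certificate export-passphrase=""
export-certificate client-certificate export-passphrase=ChangeMe-export

# --- 4. Addresses, profile and user ---------------------------------------
# local-address (the router) and the pool share one subnet; Windows clients
# refuse --ifconfig endpoints that lie in different subnets.
/ip pool add name=vpn-pool ranges=10.8.0.2-10.8.0.254
/ppp profile add name=vpn-profile local-address=10.8.0.1 remote-address=vpn-pool dns-server=10.8.0.1 use-encryption=yes
# service=ovpn limits this secret to OpenVPN, so the same credentials cannot
# be used to dial in over PPTP or L2TP.
/ppp secret add name=alice password=ChangeMe-password profile=vpn-profile service=ovpn
# The router must answer DNS queries from VPN clients. Keep the input chain
# dropping DNS from the WAN side, or the router becomes an open resolver.
/ip dns set allow-remote-requests=yes

# --- 5. OpenVPN server ----------------------------------------------------
# require-client-certificate=yes enforces the client certificate on top of
# username/password. The client picks one cipher from the list (the post's
# client.ovpn uses AES-128-CBC). RouterOS 6 OpenVPN is TCP only.
/interface ovpn-server server
set enabled=yes port=1194 mode=ip default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256

# --- 6. Firewall: OpenVPN from anywhere, DNS only from VPN clients --------
# place-before=0 puts each rule at the top of the chain, ahead of the default
# "drop everything else from WAN" rule; omit it if the chain is still empty.
/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"
add chain=input src-address=10.8.0.0/24 protocol=udp dst-port=53 action=accept place-before=0 comment="DNS for VPN clients"

# --- 7. Checks after the first client connects ----------------------------
/interface ovpn-server print
/ppp active print
/log print where message~"ovpn"
```

If the default configuration’s masquerade rule is restricted to a source network, add 10.8.0.0/24 to it as well, otherwise clients using redirect-gateway will have no internet through the tunnel.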

Now we can copy ca.crt, client.crt, and client.key to the C:\Program Files\OpenVPN\config\ directory alongside client.ovpn.

You don’t have client.ovpn? There is one in the sample-config directory and we just need to change/add the following items (the remote line takes your router’s public IP or host name). Clients running OpenVPN 2.5 or newer negotiate ciphers with data-ciphers; RouterOS does not negotiate, so keep the cipher line and, if the client complains, add data-ciphers-fallback AES-128-CBC as well:

client
dev tun
proto tcp
remote <router-public-ip-or-hostname> 1194
resolv-retry infinite
nobind
ca ca.crt
cert client.crt
key client.key
# check the server certificate's key usage, so a client certificate from the same CA cannot pose as the server
remote-cert-tls server
# must be one of the ciphers listed on the router; RouterOS does not negotiate
cipher AES-128-CBC
auth SHA1
# MikroTik also requires the PPP secret's username/password
auth-user-pass
redirect-gateway def1
verb 3

A slightly annoying step is being asked for the private key passphrase (in addition to the username/password). MikroTik doesn’t allow exporting the key without one, but fortunately we can use OpenSSL to remove it. The openssl.exe shipped with OpenVPN for Windows (in its bin directory) works, as does openssl on any Linux or macOS machine. Once the key is unencrypted, whoever can read the file owns the client identity, so restrict it to your own user account (or keep the passphrase and live with the prompt):

> openssl.exe rsa -in client.key -out client.key
Enter pass phrase for client.key: 12345678
writing RSA key

With this, your VPN connection should work like a charm.

PS: Do not forget to adjust the firewall if necessary (TCP port 1194). place-before=0 puts the rule at the top of the input chain, ahead of the default rule that drops everything else coming from the WAN:

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OpenVPN"

PPS: Do check SSTP guide too.

[2017-01-26: Adjusted certificate creation to work on RouterOS 6.38 and later]
[2017-01-26: Changed key size to 2048 (instead of 4096) so it doesn’t take ages to generate certificates. :)]
[2017-02-25: Changed example to use AES-128 for lower CPU usage on router.]

  19 Responses to “Simple OpenVPN server on Mikrotik”

  1. Because I had problems with TLS I added the following line to the .ovpn file
    tls-cipher DEFAULT

  2. Thanks! Worked perfectly.
    I just suggest to replace the port 1194 to 443 to bypass some firewall blocks.

  3. you are the best. may god be with you.

  4. “A bit annoying step is being asked for the private key passphrase (in the addition to username/password). Mikrotik doesn’t allow export without it but fortunately we can use OpenSSL to change that:

    > openssl.exe rsa -in client.key -out client.key
    Enter pass phrase for client.key: 12345678
    writing RSA key”

    Where do you do this step? On any linux system?

  5. Hi Josip,

    Is it possible to revoke the user certificate and block their VPN access on the Mikrotik side, instead of resetting the PPP Secret password? I tried to revoke the user certificate on Mikrotik but the user continues accessing the VPN!

    Thank you!

  6. Great OpenVPN tutorial. Thx

    I had run into a problem regarding the client subnet. On the Windows client, in the log:

    There is a problem in your selection of --ifconfig endpoints [local=, remote=]. The local and remote VPN endpoints must exist within the same subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.

    Problem was solved by moving pool to
    pool add name="vpn-pool" ranges=

  7. Thanks for the tutorial.

    Could I ask whether local-address= is the address of the Mikrotik box?

    My Mikrotik box is behind a router. The Router is 192.668.1.1, the Mikrotik box is 192.668.1.15. What local-address do I use?


    • mistake…. should have been: The Router is, the Mikrotik box is

  8. Can someone help me please?
    I got this err message

    *input does not match any value of certificate*

    when running

    */interface ovpn-server server
    set default-profile=vpn-profile certificate=server-certificate require-client-certificate=yes auth=sha1 cipher=aes128,aes192,aes256 enabled=yes*

    What could be wrong ??

  9. Awesome, thank you ;)

  10. Hi Josip,

    I’m having an issue with port 443, I can connect using other ports (465 or 587) but for some reason, 443 just keeps getting rejected.

    Any ideas ?

    This is the error msg
    2017-11-09 13:49:19: TCP/UDP: Preserving recently used remote address: [AF_INET]
    2017-11-09 13:49:19: Attempting to establish TCP connection with [AF_INET] [nonblock]
    2017-11-09 13:49:20: State changed to Disconnecting
    2017-11-09 13:49:20: SIGTERM[hard,init_instance] received, process exiting
    2017-11-09 13:49:20: State changed to Disconnected

  11. Hi, how about:

    Connection reset, restarting [0]
    Sun Nov 12 22:31:19 2017 us=380382 TCP/UDP: Closing socket
    Sun Nov 12 22:31:19 2017 us=380498 SIGUSR1[soft,connection-reset] received, process restarting

    : terminating… – could not add address list: empty list name not allowed (6)

  12. Thanks for the guide, I’m relatively inexperienced and have been trying to get OpenVPN to work and this is the closest I’ve come so far.

    I’ve set it all up and I can connect, but my Internet on the remote computer is being routed through the Mikrotik and I cannot access/ping the Mikrotik or any computers on the Mikrotik’s network. I want it to be the other way around.

    The Mikrotik manages the network and the OpenVPN server is set up to give out address on When I dial in via VPN, I only want traffic to to be routed over the VPN, the rest (i.e. Internet) must NOT go through the VPN. How do I change your configuration to achieve this?

    • I don’t believe you can do it with Mikrotik’s configuration.

      What you want is split tunneling and that must be configured on connecting machine (afaik). There are a few guides about it on internet, e.g. this one.

      In short, you must set your computer to route only a subset of addresses via VPN while all others go over the normal connection; e.g. via VPN; via Normal.
