
Setting Up an OpenVPN Server on MikroTik RouterOS: A Complete Practical Guide

Published on 2026-01-02

OpenVPN is a reliable and time-tested VPN protocol that allows organizing secure remote access to a local network. MikroTik RouterOS supports OpenVPN in server mode starting from version 6.x (TCP), and from version 7+ — also UDP, but with a number of architectural limitations:

  • mandatory authentication by username/password even when using certificates;
  • limited list of ciphers and algorithms;
  • absence of some features of “classic” OpenVPN.

Despite this, OpenVPN on MikroTik remains a popular solution — especially in scenarios where clients do not support WireGuard or compatibility with legacy systems is required.

This article covers the complete setup of an OpenVPN server on MikroTik RouterOS:

  • using your own CA and client certificates;
  • with support for UDP and TCP;
  • with isolation of VPN clients from each other;
  • with access to the local network;
  • with examples of diagnostics and troubleshooting.

⚠️ All IP addresses, usernames and passwords shown below are test values. Never use them in production.


Assumed topology

  • Local network (LAN): 192.168.11.0/24

  • Address pool for VPN clients: 10.222.60.0/24

  • OpenVPN server:

    • port 1199
    • protocols: UDP and TCP

Step 1: Creating certificates

OpenVPN uses TLS encryption, so a Certificate Authority (CA), a server certificate and client certificates are required.

/certificate
add name=ovpn-ca common-name=ovpn-ca key-size=4096 days-valid=3650 key-usage=key-cert-sign,crl-sign
sign ovpn-ca ca-crl-host=127.0.0.1

add name=ovpn-server common-name=ovpn-server key-size=4096 days-valid=1825 \
    key-usage=digital-signature,key-encipherment,tls-server
sign ovpn-server ca=ovpn-ca

# Client certificates
add name=testuser1-cert common-name=testuser1 key-usage=tls-client days-valid=365
sign testuser1-cert ca=ovpn-ca

add name=testuser2-cert common-name=testuser2 key-usage=tls-client days-valid=365
sign testuser2-cert ca=ovpn-ca

Exporting certificates:

# Export CA
export-certificate ovpn-ca

# Export client certificates together with their private keys, protected by a passphrase
export-certificate testuser1-cert export-passphrase="TestExportPass2025!"
export-certificate testuser2-cert export-passphrase="TestExportPass2025!"

Files will appear in /files. You can download them via Winbox → Files or by FTP.


Step 2: Creating an IP pool for VPN clients

/ip pool
add name=ovpn-pool ranges=10.222.60.10-10.222.60.200

Step 3: PPP profile for OpenVPN

/ppp profile
add name=ovpn-profile \
    local-address=10.222.60.1 \
    remote-address=ovpn-pool \
    use-encryption=required \
    only-one=yes

  • local-address — MikroTik’s IP inside the VPN;
  • remote-address — pool of client addresses;
  • only-one=yes — one active session per user.

Step 4: Configuring the OpenVPN server (UDP and TCP)

In RouterOS v7+ the OpenVPN server is configured as an interface. The auth and cipher lists below include legacy algorithms (md5, sha1, blowfish128) for compatibility with older clients; the server accepts any algorithm in its list, so if only current clients will connect, restrict the lists to sha256/sha512 and the AES ciphers.

/interface ovpn-server server
add name=ovpn-udp \
    auth=sha1,md5,sha256,sha512 \
    certificate=ovpn-server \
    cipher=aes128-cbc,blowfish128 \
    default-profile=ovpn-profile \
    disabled=no \
    port=1199 \
    protocol=udp \
    require-client-certificate=yes \
    netmask=24 \
    mode=ip \
    keepalive-timeout=60 \
    max-mtu=1500 \
    push-routes=192.168.11.0/24

add name=ovpn-tcp \
    auth=sha1,md5,sha256,sha512 \
    certificate=ovpn-server \
    cipher=aes128-cbc,blowfish128 \
    default-profile=ovpn-profile \
    disabled=no \
    port=1199 \
    protocol=tcp \
    require-client-certificate=yes \
    netmask=24 \
    mode=ip \
    keepalive-timeout=60 \
    max-mtu=1500 \
    push-routes=192.168.11.0/24

Step 5: Firewall configuration

Allowing incoming connections

/ip firewall filter
add chain=input protocol=udp dst-port=1199 action=accept comment="OpenVPN UDP"
add chain=input protocol=tcp dst-port=1199 action=accept comment="OpenVPN TCP"

Forward rules and client isolation

/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="Established/Related"

add chain=forward src-address=10.222.60.0/24 dst-address=192.168.11.0/24 \
    action=accept comment="VPN -> LAN"

add chain=forward src-address=192.168.11.0/24 dst-address=10.222.60.0/24 \
    action=accept comment="LAN -> VPN"

add chain=forward src-address=10.222.60.0/24 dst-address=10.222.60.0/24 \
    action=drop comment="VPN client isolation"
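To check that the rule order above gives the intended result before committing it to a router, here is an added example (not from the article, and not RouterOS code) that simulates the forward chain as a first-match evaluator over the article's test addresses. It generalizes the article's four rules into a small rule matcher with CIDR and connection-state matching, and it models the RouterOS behaviour that a packet reaching the end of a chain without a match is accepted.

```python
"""Added example: first-match simulation of the /ip firewall filter forward
chain from Step 5, using the article's test networks."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

VPN_NET = ipaddress.ip_network("10.222.60.0/24")   # OpenVPN client pool from the article
LAN_NET = ipaddress.ip_network("192.168.11.0/24")  # local network from the article


@dataclass
class Rule:
    """One /ip firewall filter rule; None means 'any' for that matcher."""
    action: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    states: Optional[set] = None
    comment: str = ""

    def matches(self, src_ip, dst_ip, state):
        if self.src is not None and src_ip not in self.src:
            return False
        if self.dst is not None and dst_ip not in self.dst:
            return False
        if self.states is not None and state not in self.states:
            return False
        return True


# The forward chain in exactly the order the article creates it.
FORWARD_CHAIN = [
    Rule("accept", states={"established", "related"}, comment="Established/Related"),
    Rule("accept", src=VPN_NET, dst=LAN_NET, comment="VPN -> LAN"),
    Rule("accept", src=LAN_NET, dst=VPN_NET, comment="LAN -> VPN"),
    Rule("drop", src=VPN_NET, dst=VPN_NET, comment="VPN client isolation"),
]


def evaluate_forward(src, dst, state="new", chain=FORWARD_CHAIN):
    """Return (action, comment) of the first matching rule.

    RouterOS accepts a packet that reaches the end of a chain without
    matching any rule; that implicit default is modelled as the final return."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in chain:
        if rule.matches(src_ip, dst_ip, state):
            return rule.action, rule.comment
    return "accept", "<no rule matched>"


def main():
    # Constructed sample flows, all using the article's test addresses.
    flows = [
        ("10.222.60.10", "192.168.11.50", "new"),          # VPN client to a LAN host
        ("192.168.11.50", "10.222.60.10", "new"),          # LAN host to a VPN client
        ("10.222.60.10", "10.222.60.11", "new"),           # one VPN client to another
        ("10.222.60.11", "10.222.60.10", "established"),   # reply packet of an existing flow
        ("10.222.60.10", "8.8.8.8", "new"),                # VPN client to the Internet
    ]
    for src, dst, state in flows:
        action, comment = evaluate_forward(src, dst, state)
        print(f"{src:>14} -> {dst:<14} {state:<11} => {action:<6} ({comment})")


if __name__ == "__main__":
    main()
```

The last sample flow is the one worth noticing: the chain has no final drop, so a VPN client sending to a destination outside the LAN matches nothing and is accepted by the implicit default. If VPN users should only reach 192.168.11.0/24, append a rule such as `add chain=forward src-address=10.222.60.0/24 action=drop` after the isolation rule.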

Step 6: Creating users (PPP secrets)

⚠️ RouterOS always requires a username/password for OpenVPN.

/ppp secret
add name=testuser1 password="TestPass#2025!" profile=ovpn-profile service=ovpn
add name=testuser2 password="TestPass#2025!" profile=ovpn-profile service=ovpn

Step 7: Revoking a certificate and removing a user

/certificate revoke testuser1-cert
/ppp secret remove [find name="testuser1"]

Client configuration (.ovpn)

client
dev tun
proto udp        # or tcp
remote YOUR_PUBLIC_IP 1199
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA512
verb 3

<ca>
--- ovpn-ca.crt ---
</ca>

<cert>
--- testuser1-cert.crt ---
</cert>

<key>
--- testuser1-cert.key ---
</key>

auth-user-pass
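Assembling this profile by hand for every user is where mistakes creep in (a CA block pasted into `<cert>`, a key file that was never exported, the wrong protocol). Below is an added example, not part of the article, that builds the .ovpn text from the files exported in Step 1 and checks the PEM blocks first. The PEM bodies in it are constructed placeholders, not real certificates; the `build_profile` and `key_is_encrypted` names are the example's own. It assumes that a key exported with export-passphrase carries either a PKCS#8 `ENCRYPTED PRIVATE KEY` header or a legacy `Proc-Type: 4,ENCRYPTED` line.

```python
"""Added example: build the client .ovpn profile from the exported CA,
client certificate and client key, validating the PEM blocks first."""
import re

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

PROFILE_TEMPLATE = """client
dev tun
proto {proto}
remote {remote} 1199
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA512
verb 3

<ca>
{ca}
</ca>

<cert>
{cert}
</cert>

<key>
{key}
</key>

auth-user-pass
"""

# Constructed placeholder PEM blocks (not real keys or certificates) so the example runs offline.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder-ovpn-ca...\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder-testuser1...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...placeholder-encrypted-key...\n"
              "-----END ENCRYPTED PRIVATE KEY-----\n")


def pem_blocks(text):
    """Return the labels of the PEM blocks found in text, e.g. ['CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(key_pem):
    """True when the key is passphrase-protected (assumed: PKCS#8 or legacy OpenSSL form)."""
    return "ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem


def build_profile(remote, proto, ca_pem, cert_pem, key_pem):
    """Build the .ovpn text, refusing inputs that are not what Step 1 exports."""
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be udp or tcp (the server listens on both)")
    if pem_blocks(ca_pem) != ["CERTIFICATE"]:
        raise ValueError("ca_pem must contain exactly one CERTIFICATE block")
    if pem_blocks(cert_pem) != ["CERTIFICATE"]:
        raise ValueError("cert_pem must contain exactly one CERTIFICATE block")
    labels = pem_blocks(key_pem)
    if len(labels) != 1 or "PRIVATE KEY" not in labels[0]:
        raise ValueError("key_pem must contain exactly one private key block")
    return PROFILE_TEMPLATE.format(proto=proto, remote=remote,
                                   ca=ca_pem.strip(), cert=cert_pem.strip(), key=key_pem.strip())


def main():
    profile = build_profile("YOUR_PUBLIC_IP", "udp", SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY)
    if key_is_encrypted(SAMPLE_KEY):
        print("note: the key is passphrase-protected; the client will ask for the export passphrase")
    print(profile)


if __name__ == "__main__":
    main()
```

Two details this makes explicit: the key exported in Step 1 is passphrase-protected, so the client will prompt for `TestExportPass2025!` (or you decrypt it once before distribution), and `remote-cert-tls server` only works because the server certificate was issued with `key-usage=...,tls-server`.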

Compatible clients:

  • OpenVPN Connect
  • Viscosity
  • Tunnelblick

Diagnostics and troubleshooting

Enabling logging

/system logging
add topics=ovpn action=memory
add topics=ovpn,debug action=memory
/log print where topics~"ovpn"

Checking connections

/interface ovpn-server print
/ppp active print

Network testing

/ping 10.222.60.XX
/tool traceroute 8.8.8.8 interface=ovpn-udp

From the client:

  • ping 10.222.60.1
  • ping 192.168.11.1

Common issues

  • No connection — firewall, port, NAT, router time (NTP).
  • Authentication error — certificate or password.
  • No access to the LAN — check push-routes and the forward rules.
  • Clients cannot see each other — the isolation rule is working as intended.

Conclusion

This configuration implements dual authentication (certificate + username/password), client segmentation and controlled access to the LAN. For maximum performance, it is recommended to use UDP.

If more modern cryptography and lower CPU load are required, it makes sense to consider WireGuard as an alternative.

Good luck with the setup and stable tunnels.
