VPN

OpenVPN is a reliable and time-tested VPN protocol that allows organizing secure remote access to a local network. MikroTik RouterOS supports OpenVPN in server mode starting from version 6.x (TCP), and from version 7+ — also UDP, but with a number of architectural limitations:

• mandatory authentication by username/password even when using certificates;
• limited list of ciphers and algorithms;
• absence of some features of “classic” OpenVPN.

Despite this, OpenVPN on MikroTik remains a popular solution — especially in scenarios where clients do not support WireGuard or compatibility with legacy systems is required.

pfSense — a tank in the world of firewalls.
Is updated less often, but runs for years without surprises.

🏢 Who pfSense is for

• Corporation with 100+ users
• Needs official support
• Has old but reliable hardware
• Value stability

📚 pfSense Features

• Multi-WAN and automatic failover
• Traffic Shaping — bandwidth management
• Captive Portal — guest authentication
• OpenVPN and IPsec — encrypted tunnels

⚙️ Installation

1. ISO → USB
2. Install → configure WAN/LAN
3. In about 10 minutes — a ready firewall

Example HAProxy config:

OPNsense — it’s like pfSense, but prettier, faster, and with an API.
Want an office firewall you wouldn’t be embarrassed to show your boss? Here it is.

💼 Who OPNsense is for

• Office of 10–50 people
• VPN for all employees
• Backup internet connection
• Modern web interface

🎨 Apple-like interface

• Dark theme
• Real-time graphs
• REST API for automation
• WireGuard out of the box

⚙️ Installation in 5 minutes

1. Download the ISO from opnsense.org
2. Write it to a USB stick (dd or Rufus)
3. Boot → assign interfaces → done!

Auto-update via API:

Imagine: an old router for 2000 ₽ blocks ads, shares a VPN, works as a Mesh system and doesn’t slow down even with 50 devices.
This is not magic — this is OpenWRT.

🏠 Who needs OpenWRT

OpenWRT turns an ordinary router into a mini-server. If you have at least one item from the list — it’s definitely time to try it:

• Want AdBlock for the whole house
• Need a VPN without a subscription
• Have an old router lying around
• Like to tinker with settings

90% of users install OpenWRT — and forget about the router forever.

This guide will show how to configure two Linux servers so that all the Internet traffic from a specific local subnet (for example, 10.100.10.0/24) is routed not via its default gateway but through an IPIP tunnel to a remote server, which will then put that traffic onto the Internet.

This is useful if you need services in one subnet to go out to the world with the IP address of another server — for example, to bypass restrictions, centralize NAT, or hide the source.

The EoIP (Ethernet over IP) protocol from MikroTik is used to create an L2 tunnel over an IP network, allowing you to combine two remote local networks into a single broadcast domain.
If your EoIP tunnel does not establish (no “R” — Running flag), follow this step-by-step checklist.

1. Check IP connectivity (L3)

Before starting, make sure the routers see each other at the IP level.

Ping the remote side:

This article is compiled as a “cheat sheet” for SOHO/SMB networks: common issues, their symptoms, causes, quick fixes, and diagnostic checklists. Suitable for both engineers and admins who maintain the MikroTik ↔ Keenetic bundle.

📑 Navigation

• EoIP “freezes” when transferring large files
• Site-to-Site VPN is up, but traffic doesn’t pass
• NAT breaks VPN/EoIP
• MTU/MSS: how to choose correctly
• Policy Routing (RouterOS 7)
• SMB from another subnet doesn’t work
• Quick diagnostics checklist
• Command cheat sheet
• Typical MTUs for tunnels
• NAT/Firewall exceptions matrix
• Common pitfalls
• Visualizations
• Resources and documentation

1) EoIP “freezes” when transferring large files

Symptoms: SMB/FTP hangs, speed fluctuates, RDP drops. Causes: incorrect MTU/MSS, fast-path with IPsec, NAT/Firewall errors.

In this guide, we’ll go through setting up an OpenVPN server on Ubuntu and connecting a Keenetic router to it. This setup is useful if you need to provide access to your home network or forward services (e.g., PBX or web server) through VPN.

1. Preparing the Ubuntu server

1.1 Installing packages

sudo apt update
sudo apt install -y openvpn easy-rsa iptables-persistent

1.2 Creating PKI (Easy-RSA v3)

make-cadir ~/easy-rsa
cd ~/easy-rsa
./easyrsa init-pki
./easyrsa build-ca nopass

Server keys

./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh

Client keys (for Keenetic)

./easyrsa gen-req keenetic nopass
./easyrsa sign-req client keenetic

TLS key (specifically tls-auth, not tls-crypt)

openvpn --genkey secret ta.key

1.3 Distribute keys

• In /etc/openvpn/server/:

  Read more

The Problem with Certificates at Scale

In previous articles, we discussed that OpenVPN uses certificates for authentication. This method is reliable but has significant drawbacks:

• Inconvenience for users: Each user must manually receive and install their own certificate.
• Complex management: When an employee leaves, their certificate must be revoked, which requires extra steps.
• Lack of centralization: Each service that requires access has its own authorization system.

The solution to this problem is using a centralized identity provider such as Keycloak.

VPN: Not Just an “On” Button

For many users, a VPN is simply an “On” button. However, when it comes to building your own secure tunnel, it’s important to understand its architecture. OpenVPN is based on two key ideas: the client-server model and Public Key Infrastructure (PKI).

The Client-Server Model

The concept is simple:

• Server — the entry point into your secure network. It constantly “listens” for incoming requests and is ready to accept connections.
• Client — your device (laptop, phone) that initiates the connection to the server.

Once the server and client “agree,” a secure tunnel is created between them, and all traffic passes through it.