Mikrotik – Configuring OpenVPN Server + Linux client

Author: gryzli

First, we must ensure the following:

– We have a working configuration on our Mikrotik router (internet access + local network)

– We have generated an SSL certificate/key pair for the OpenVPN server


Import SSL Certificates + Root CA on the router

We can use FTP to upload the following files:

cacert.pem (the Root CA certificate)

openvpn.crt (the certificate for the OpenVPN server)

openvpn_key.pem (the private key)

After we upload the files through FTP (or another preferred method), we must import them.

1.1 Log in to the Mikrotik web interface

1.2 Navigate to [System] -> [Certificates]

1.3 Choose “Import” for all of the files

Make dedicated IP pool for the VPN clients

Log in to the router and navigate to the following menu:

[IP] –> [Pool] –> [Add New] :

Name:  openvpn-pool1

Addresses: -

Next pool: none



Create OpenVPN PPP Profile

Navigate to:

[PPP] –> [Profiles] –> [Create New]:


{Name} = "OpenVPN Profile"

{Local Address}     = ""

{Remote Address} = "openvpn-pool1"

{Address List}        = ""

{DNS Server} = ""

{DNS Server} = ""


Create OpenVPN Client credentials

Navigate to:

[PPP] –> [Secrets] –> [Add New]

{Enabled} = "yes"

{user} = "some_vpn_user"

{pass} = "some_pass"

{profile} = "OpenVPN Profile"


Enable OpenVPN server

Navigate to:

[PPP] –> [OVPN Server]

{Mode} = "ip"   (ip is for TUN, ether is for TAP interface)

{Default Profile}  = "OpenVPN Profile" # This is the name of the profile we have created earlier

{Certificate} = "cert1"   # Or whatever is the name of the newly added certificate



Linux openvpn client configuration

Make sure to copy “cacert.pem” to the current directory.

If you use the client under Windows OS, you must change the “dev tun1” line to “dev tap”.

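client               # TLS client mode, pull settings from the server
ca cacert.pem
dev tun1
proto tcp-client
remote mysite.com 1194
resolv-retry infinite
auth-user-pass       # prompt for the user/pass created under [PPP] -> [Secrets]
cipher BF-CBC        # Blowfish (default)
auth SHA1
verb 4
keepalive 10 15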
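
The client configuration above pins a 64-bit block cipher and never checks that the peer's certificate is a server certificate. The following check is an added example, not part of the original post: it audits an OpenVPN client configuration for those settings. The sample input is constructed from the page's cipher, auth and remote lines; the hardened variant assumes the router offers AES-256-CBC and SHA256 and that its certificate carries the TLS-server extended key usage.

```python
import re

# Constructed sample: a client config carrying this page's cipher, auth and
# remote lines (mysite.com is the page's placeholder host).
PAGE_STYLE = """\
client
ca cacert.pem
dev tun1
proto tcp-client
remote mysite.com 1194
auth-user-pass
cipher BF-CBC
auth SHA1
"""

# Hypothetical hardened variant. Assumes the router offers AES-256-CBC and
# SHA256, and that its certificate has the TLS-server extended key usage.
HARDENED = PAGE_STYLE.replace("BF-CBC", "AES-256-CBC").replace(
    "SHA1", "SHA256") + "remote-cert-tls server\n"

BLOCK64_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
LEGACY_DIGESTS = {"MD5", "SHA1"}

def parse(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    opts = {}
    for line in text.splitlines():
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if words:
            opts[words[0].lower()] = words[1:]
    return opts

def audit(text):
    """Return (id, message) findings for an OpenVPN client configuration."""
    o, out = parse(text), []
    cipher = " ".join(o.get("cipher", [])).upper()
    digest = " ".join(o.get("auth", [])).upper()
    if cipher in BLOCK64_CIPHERS:
        out.append(("weak-cipher", f"{cipher} uses a 64-bit block"))
    if digest in LEGACY_DIGESTS:
        out.append(("legacy-auth", f"HMAC digest {digest} is legacy"))
    if o.get("remote-cert-tls") != ["server"] and "verify-x509-name" not in o:
        out.append(("no-server-cert-check",
                    "any certificate signed by the CA passes as the server"))
    if "auth-user-pass" not in o:
        out.append(("no-auth-user-pass", "PPP user/pass is never sent"))
    return out

if __name__ == "__main__":
    for finding in audit(PAGE_STYLE):
        print("%s: %s" % finding)
```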


Activate Masquerading on Mikrotik

This step is necessary for us to be able to access the internet through the VPN.

Navigate to: [IP] –> [Firewall] –> [Nat]

Add a srcnat rule for network: [] with action [masquerade]

