MikroTik CHR: How to set up OpenVPN server for your IoT devices (+ video)

This guide walks you through setting up a fully working OpenVPN server on a MikroTik Cloud Hosted Router — step by step, nothing skipped. Whether you're running RouterOS v6 or v7, you can follow along using WinBox, Webfig, or the MikroTik mobile app on Android or iOS. Throughout this tutorial we'll use 192.168.34.0/24 as our OpenVPN network range.

Here's a short video overview of the whole process before we dive in:

1. Enable NTP on the CHR (important)

OpenVPN authenticates connections using TLS certificates, and TLS certificates have validity windows defined by dates. If your CHR's clock is wrong — even by a few hours in the wrong direction — those certificates will look expired or not-yet-valid, and every connection attempt will fail. Get this right before anything else.

In WinBox, go to System > NTP Client, enable it, and add your NTP servers. We're using 0.pool.ntp.org and 1.pool.ntp.org — free, reliable public servers that work globally.

[Screenshot: RouterOS NTP Client configuration in WinBox — System > NTP Client dialog with 0.pool.ntp.org and 1.pool.ntp.org added and the Enabled checkbox checked]

RouterOS CLI:
system ntp client servers add address=0.pool.ntp.org
system ntp client servers add address=1.pool.ntp.org
system ntp client set enabled=yes

While you're in this area, set the correct timezone too. Go to System > Clock and pick your region from the dropdown. MikroTik uses the standard Linux timezone identifiers, so the format is things like Europe/Sofia, US/Central, or just UTC.

[Screenshot: RouterOS Clock settings in WinBox — System > Clock dialog showing timezone set to Europe/Sofia with Time Zone Autodetect enabled]

RouterOS CLI:
system clock set time-zone-name="Europe/Sofia"

2. Update RouterOS to the latest stable version (optional, but recommended)

If your CHR is already on a recent build, skip this. If not, it's worth a few minutes — MikroTik has made significant OpenVPN improvements with nearly every major release:

  • v7.1: UDP transport support for OpenVPN tunnels; modern encryption algorithms added
  • v7.2: Hardware acceleration for AES traffic over OpenVPN
  • v7.3: IPv6 support in OpenVPN tunnels
  • v7.9: One-click .ovpn profile export for easy client sharing
  • v7.12: TLS-AUTH support
  • v7.17: Multiple concurrent OpenVPN server instances via the new OVPN Servers tab; additional cipher options

Before updating: Always create a configuration backup first. If you're still on RouterOS v6, upgrade to v7.12 via the upgrade channel, then update once more to reach the latest version.

In WinBox, go to System > Packages and click Check for Updates. If a newer version shows up, click Download and Install — the router will reboot automatically to apply it.

[Screenshot: RouterOS Package Manager in WinBox — System > Packages window showing routeros 7.20.6 installed and the Check For Updates button highlighted]

RouterOS CLI:
system package update check-for-updates
system package update download
system reboot

3. Create a bridge interface for the OpenVPN network

Open Bridge in the sidebar and click New. Give it a clear name — OVPN-bridge works well. You can also create it from Interfaces > + > Bridge if you prefer working from there.

[Screenshot: Creating a new bridge interface named OVPN-bridge in MikroTik WinBox — Bridge > New dialog with name field filled in]

RouterOS CLI:
interface bridge add name=OVPN-bridge

4. Assign an IP address to the VPN bridge

Go to IP > Addresses and click New. Set the address to 192.168.34.1/24 and assign it to the OVPN-bridge interface you just created. This becomes the gateway address for all VPN clients.

[Screenshot: Assigning IP address 192.168.34.1/24 to the OVPN-bridge interface in RouterOS via IP > Addresses > New dialog]

RouterOS CLI:
ip address add address=192.168.34.1/24 interface=OVPN-bridge

5. Create an IP pool for OpenVPN clients

Go to IP > Pools and click New. Name it OVPN-pool and set the range to 192.168.34.100–192.168.34.200. That's room for up to 100 simultaneous VPN clients — more than enough for most setups.

[Screenshot: Creating an IP Pool named OVPN-pool in RouterOS — IP > Pool > New with address range 192.168.34.100-192.168.34.200]

RouterOS CLI:
ip pool add name=OVPN-pool ranges=192.168.34.100-192.168.34.200

6. Add a firewall rule to allow OpenVPN traffic

If your CHR has a restrictive firewall — like the setup described in our basic CHR security guide — you need an explicit accept rule for OpenVPN traffic. Without it, inbound VPN connections will be silently dropped.

Go to IP > Firewall and create a new filter rule with these settings:

  • Chain: input
  • Protocol: TCP (switch to UDP if you plan to run OpenVPN in UDP mode)
  • Dst. Port: 1194
  • Action: accept
  • Comment: OVPN pass

[Screenshot: New firewall filter rule in RouterOS WinBox — chain input, TCP protocol, destination port 1194, action accept, comment OVPN pass]

Once saved, drag the rule above any drop/reject rules in the list so it's evaluated first:

[Animation: the OpenVPN accept firewall rule being dragged above the drop-all rule in the MikroTik WinBox firewall filter list]

CLI users: print the existing rules first, identify where the drop rules start, then use place-before to insert above them:

RouterOS CLI:
ip firewall filter print
--- Firewall rules output ---
ip firewall filter add chain=input comment="OVPN pass" dst-port=1194 protocol=tcp action=accept place-before=X

Replace X with the rule number of the first drop rule from the print output.
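Picking the place-before number by hand is error-prone on a long rule list, so here is a small Python helper (added for this guide, not part of the original article) that reads the output of ip firewall filter print, finds the first enabled drop/reject rule in the input chain, and returns the add command with place-before filled in. The print output embedded in the script is a constructed sample, not taken from any real router.

```python
import re

# Constructed sample of "ip firewall filter print" output (not from a real router):
# rule 0 wraps onto two lines, rule 1 is disabled (flag X), rule 3 is in the
# forward chain, so rule 4 is the first one that would drop inbound OpenVPN.
SAMPLE_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; accept established,related
      chain=input action=accept connection-state=established,related

 1 X  chain=input action=drop in-interface=ether1 protocol=udp
      log=no log-prefix=""
 2    chain=input action=accept protocol=icmp
 3    chain=forward action=drop connection-state=invalid
 4    chain=input action=drop in-interface=ether1
"""

# A rule line starts with its number and optional flag letters; wrapped
# continuation lines are indented and carry no number.
RULE_START = re.compile(r"^\s*(\d+)\s+([XIDU]*)\s*(.*)$")
KEY_VALUE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_rules(print_output):
    """Return one {'num', 'disabled', 'props'} dict per rule, in list order."""
    rules = []
    for line in print_output.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m = RULE_START.match(line)
        if m:
            num, flags, rest = m.groups()
            rules.append({"num": int(num), "disabled": "X" in flags, "text": rest})
        elif rules:  # continuation of the previous rule
            rules[-1]["text"] += " " + line.strip()
    for rule in rules:
        rule["props"] = dict(KEY_VALUE.findall(rule["text"]))
    return rules


def first_blocking_rule(rules, chain="input"):
    """Number of the first enabled drop/reject rule in the chain, or None."""
    for rule in rules:
        props = rule["props"]
        if rule["disabled"] or props.get("chain") != chain:
            continue
        if props.get("action") in ("drop", "reject"):
            return rule["num"]
    return None


def ovpn_accept_command(print_output, port=1194, protocol="tcp"):
    """Build the accept rule; place-before is omitted when no rule would drop it."""
    cmd = ('ip firewall filter add chain=input comment="OVPN pass" '
           f"dst-port={port} protocol={protocol} action=accept")
    before = first_blocking_rule(parse_rules(print_output))
    return cmd if before is None else f"{cmd} place-before={before}"
```

Paste the real print output into SAMPLE_PRINT (or read it from a file) and run ovpn_accept_command on it; switch protocol="udp" if the server will run in UDP mode.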

7. Enable NAT masquerading for internet access

Without a masquerade NAT rule, VPN clients can only communicate with each other and with the CHR itself — they won't have outbound internet access. Go to IP > Firewall > NAT, click New, and create this rule:

  • Chain: srcnat
  • Out. Interface: ether1 (or whichever interface faces your WAN)
  • Action: masquerade

[Screenshot: NAT masquerade rule in RouterOS WinBox — IP > Firewall > NAT with chain srcnat, out-interface ether1 and action masquerade to give VPN clients internet access]

RouterOS CLI:
ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

8. Create and sign the TLS certificates

This is the step that trips people up most often, but MikroTik actually makes it quite painless. You'll create your own Certificate Authority directly on the CHR and use it to sign both the server and client certificates — no external tools, no separate CA server needed.

One of the underrated advantages of running OpenVPN on a MikroTik CHR is that you get a fully functional built-in CA. The same CA can issue certificates for SSTP VPN, other CHR instances, or really any other PKI purpose on your network.

Important: Verify that your CHR's date and time are correct before creating any certificates. If the clock is off, your certificates may appear expired or invalid the moment you create them.

Go to System > Certificates and click New to get started.

[Screenshot: System > Certificates window in MikroTik WinBox showing an empty certificate list and the New button]

8a. Create and sign the Certificate Authority (CA)

Fill in the new certificate form as follows:

  • Name: LMTCA
  • Country, State, Locality, Organization, Unit: your own details
  • Common Name: LMTCA
  • Key Size: 4096
  • Days Valid: 3650 (drop to 365 for tighter security, at the cost of annual renewals)

Switch to the Key Usage tab and check only crl sign and key cert sign.

[Screenshot: Creating the LMTCA Certificate Authority in RouterOS — General tab showing name, country and organization fields alongside the Key Usage tab with crl sign and key cert sign checked]

RouterOS CLI:
certificate add name=LMTCA country="BG" state="BG" locality="Sofia" organization="Company" unit="SysAdmin" common-name="LMTCA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign

Click Apply, then click Sign. In the signing dialog, optionally set the CRL Host to your CHR's public IP in the format http://XX.XX.XX.XX. This isn't required for basic use, but it enables proper certificate revocation if you ever use this CA across multiple MikroTik devices.

[Screenshot: Signing the LMTCA Certificate Authority in RouterOS — Sign dialog with CA-CRL Host field set to the CHR public IP address]

RouterOS CLI:
certificate sign LMTCA ca-crl-host="http://YourCHRPublicIP"

8b. Create and sign the OpenVPN server certificate

Create a second certificate with these settings:

  • Name: SERVER
  • Common Name: your CHR's public IP address
  • Key Size: 4096
  • Days Valid: 3650

On the Key Usage tab, check only digital signature, key encipherment, and tls server.

[Screenshot: Creating the OpenVPN SERVER certificate in RouterOS — Key Usage tab with digital-signature, key-encipherment and tls-server selected and 4096-bit RSA key size]

RouterOS CLI:
certificate add name=SERVER country="BG" state="BG" locality="Sofia" organization="Company" unit="SysAdmin" common-name="YourCHRPublicIP" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server

Click Apply, then sign it with the LMTCA authority you just created:

[Screenshot: Signing the OpenVPN SERVER certificate using the LMTCA Certificate Authority in RouterOS WinBox — Sign dialog with ca field set to LMTCA]

After signing, open the certificate again and tick the Trusted checkbox on the General tab:

[Screenshot: Marking the SERVER certificate as Trusted in MikroTik RouterOS WinBox — certificate General tab with the Trusted checkbox enabled]

RouterOS CLI:
certificate sign SERVER ca="LMTCA"
certificate set SERVER trusted=yes

8c. Create a client certificate template and issue client certs (optional but strongly recommended)

Client certificates add a proper second authentication factor on top of username/password. When you enable Require Client Certificate on the OpenVPN server, anyone connecting without a valid, CA-signed certificate gets rejected before they even reach the login prompt.

Start with a template to make future certificate generation faster:

  • Name: CLIENT-tpl
  • Common Name: CLIENT
  • Key Size: 4096
  • Days Valid: 3650

On the Key Usage tab, check only tls client.

[Screenshot: Creating a client certificate template named CLIENT-tpl in RouterOS — Key Usage tab with only tls-client checked and 4096-bit key size]

RouterOS CLI:
certificate add name=CLIENT-tpl country="BG" state="BG" locality="Sofia" organization="Company" unit="SysAdmin" common-name="CLIENT" key-size=4096 days-valid=3650 key-usage=tls-client

To create a client certificate, double-click the template and copy it. Change the name and common name to something like CLIENT1, CLIENT2, etc., then sign it with the CA. Give each device or user a dedicated certificate — that way, revoking access for one client doesn't affect anyone else.

[Screenshot: Creating the CLIENT1 certificate by copying the CLIENT-tpl template in RouterOS — name and common name changed to CLIENT1 before signing with LMTCA]

RouterOS CLI:
certificate add name=CLIENT1 copy-from="CLIENT-tpl" common-name="CLIENT1"
certificate sign CLIENT1 ca="LMTCA"

When everything is correctly signed and trusted, the certificates in the list should show the following flags:

  • K, L, A, T — Certificate Authority (LMTCA)
  • K, I, T — Server certificate (SERVER)
  • K, I — Client certificates (CLIENT1, CLIENT2, etc.)

[Screenshot: RouterOS certificate list showing the correct flags: K L A T for the CA, K I T for the server certificate, and K I for each client certificate]

8d. Export and download the certificates

Right-click each certificate and choose Export. Give them meaningful file names so you don't mix them up later. When exporting a client certificate, always set a passphrase — the client will need it when importing the cert file on their device.

[Screenshot: Right-clicking the LMTCA certificate in MikroTik WinBox and selecting Export from the context menu to download it]

RouterOS CLI:
certificate export-certificate LMTCA export-passphrase=""
certificate export-certificate CLIENT1 export-passphrase=12345678

The exported files land in Files on the CHR. Download them from there via WinBox (select all > drag-and-drop to your desktop), or transfer them with SFTP using a tool like WinSCP.

[Screenshot: MikroTik WinBox Files window showing exported certificate files — CA cert, server cert and client cert listed and ready to download]

9. Enable the OpenVPN server

Upgrading from pre-7.17? After updating to RouterOS 7.17 or newer, your previous OpenVPN configuration is preserved as the first entry in the OVPN Servers list. Double-click it to edit, or use the CLI: interface ovpn-server server set name="ovpn-server1" <settings> disabled=no

In WinBox, go to PPP > OVPN Servers (RouterOS 7.17+), or on older versions open Interface > OVPN Server and check Enabled. Set the default profile to default-encryption (or another profile if you run multiple OVPN servers), and select the SERVER certificate you created in step 8b. We strongly recommend enabling Require Client Certificate for extra security: it blocks any client that has no certificate, or that presents a wrong or revoked one.
After that, choose the auth and cipher algorithms and the port/protocol that suit your environment and needs. If available, use the newer and faster AES-GCM ciphers.

The following is an example configuration:

  • Port: 1194
  • Protocol: TCP
  • Default Profile: default-encryption
  • Certificate: SERVER
  • Require Client Certificate: enabled
  • Auth: sha1, md5, sha256, sha512
  • Cipher: blowfish128, aes128-cbc, aes192-cbc, aes256-cbc

RouterOS 7.17 and newer — new OVPN Servers tab:

[Screenshot: OpenVPN server configuration in RouterOS 7.17+ — PPP > OVPN Servers > New dialog with port 1194, TCP protocol, SERVER certificate, Require Client Certificate enabled and cipher selections]

RouterOS older than 7.17 — single OVPN Server dialog:

[Screenshot: OpenVPN server configuration in RouterOS pre-7.17 — PPP > Interface > OVPN Server single dialog with Enabled checkbox, port 1194, TCP protocol, SERVER certificate and auth/cipher settings]

RouterOS CLI:
(ROS v6) interface ovpn-server server set default-profile=default-encryption certificate=SERVER require-client-certificate=yes auth=sha1,md5 cipher=aes128,aes192,aes256,blowfish128 enabled=yes
(ROS <7.17) interface ovpn-server server set default-profile=default-encryption certificate=SERVER require-client-certificate=yes auth=sha1,md5 cipher=aes128-cbc,aes192-cbc,aes256-cbc,blowfish128 enabled=yes
(ROS >=7.17) interface ovpn-server server add name="ovpn-server1" default-profile=default-encryption certificate=SERVER require-client-certificate=yes auth=sha1,md5 cipher=aes128-cbc,aes192-cbc,aes256-cbc,blowfish128 disabled=no

RouterOS 7.17+ note: The CLI argument for enabling the server is disabled=no, not enabled=yes — the logic is inverted from what you might expect. Set disabled=no to turn it on, disabled=yes to turn it off.

10. Configure the default-encryption PPP profile

Go to PPP > Profiles, double-click default-encryption, and set the following:

  • Local Address: 192.168.34.1
  • Remote Address: OVPN-pool
  • DNS Servers: 1.1.1.1, 1.0.0.1 (Cloudflare — or your preferred servers)
  • Bridge: OVPN-bridge

[Screenshot: Editing the default-encryption PPP profile in RouterOS — local address 192.168.34.1, remote address OVPN-pool, bridge OVPN-bridge and DNS servers 1.1.1.1 and 1.0.0.1 configured]

RouterOS CLI:
ppp profile set default-encryption local-address=192.168.34.1 remote-address=OVPN-pool dns-server=1.1.1.1,1.0.0.1 bridge=OVPN-bridge

On the Limits tab, you can also toggle Only One to restrict each PPP secret to a single concurrent session — useful if you want to prevent shared credentials from being used from multiple places at once.

11. Create a PPP user account

Go to PPP > Secrets, click +, and add your first VPN user. Set a username and a strong password, then make sure the profile is assigned to default-encryption.

[Screenshot: Creating a new PPP Secret in RouterOS for OpenVPN — PPP > Secrets > New dialog with username BGOCloud-OVPN, password field and default-encryption profile selected]

RouterOS CLI:
ppp secret add name=BGOCloud-OVPN password=bgocloud profile=default-encryption comment="our first account"

That's the full setup. Your MikroTik CHR is now running an OpenVPN server and ready to accept connections. Time to connect some clients.

Need a MikroTik CHR to run this on? BGOCloud's MikroTik VPS plans give you full RouterOS access, SSD-backed performance, and unlimited traffic options — deployed in under a minute. Everything in this guide works out of the box on our CHR instances.

If this is more than you want to manage yourself, check out our ready-to-use OpenVPN Hosting plans (upgrade in progress). Or if you're after a faster, more modern VPN protocol, take a look at our guide for setting up WireGuard on MikroTik CHR — it's noticeably quicker than OpenVPN for most use cases and faster to set up, since it needs no certificates.
