MikroTik CHR: How to set up OpenVPN server for your IoT devices (+ video)

In this article, we will show you how to configure an OpenVPN server in your MikroTik Cloud Hosted Router using WinBox and RouterOS CLI.

IMPORTANT: The date on the router must be within the range of the installed certificates valid period. To prevent certificate verification issues, enable NTP synchronization on both the server and the client.

Here’s a small video explaining the process:

 

1. Updating RouterOS to the latest stable version

You can skip this if your router is already up to date. Make sure you have a backup of your configuration before proceeding.
To update your router, go to System>Packages and click on “Check for updates”,

If your MikroTik router is not updated, you will be presented with the new version and a changelog for it. Click on "Download and Install" or "Download", if you plan to reboot and apply the update later. After it’s downloaded, your router will reboot to apply the update.

 

In this article, we will use 192.168.34.0/24 as our OpenVPN Network.

 

2. Creating a bridge for the OpenVPN network

Go to Bridge and click on "+". Name the bridge as you like(e.g. OVPN-Bridge) and click on "OK".

Alternatively, you can create a bridge through "Interfaces". After clicking on "+" select bridge.

RouterOS CLI Command:

 

3. Setting an IP address for your VPN Network

Go to IP>Addresses and click on "+". Set 192.168.34.1/24 as the аddress and select the new bridge you’ve created(in our case OVPN-Bridge).

RouterOS CLI Command:

 

4. Creating an IP pool for your OpenVPN network

Go to IP>Pools and click on "+". Set the range to 192.168.34.100-192.168.34.200 and name the pool as you like(e.g. OVPN-pool).

RouterOS CLI Command:

 

5. Creating a firewall filter rule

Go to IP>Firewall and create a new rule with these settings:
Chain: input
Protocol: TCP
Dst. Port: 1194(or 443)
Action: accept
Comment: OVPN pass
 

Then move the rule to higher priority by dragging it above drop rules.

In RouterOS CLI you need to list all the rules, you can do that by using this command:

It should output something like this:

Enter these two commands, where X is the number of the first drop rule:

In the end, it should look like this:

 

6. Enabling the NAT for the OpenVPN

Go to the NAT tab and click on "+".
Input: srcnat
Out. Interface: ether1
Action: masquerade
 

RouterOS CLI Command:

 

7. Making and signing the certificates

In this article, we will create and use self-signed ones.
Go to System > certificates and click on "+".

7a. Creating and signing the Certificate Authority

You can name it as you like, in our example, we will name it LMTCA(Local MikroTik Certificate Authority). Enter:
Name: LMTCA
Your Location/Organization data
Common Name: LMTCA
Key size: 4096
Days valid: e.g. 3650
Then go to the Key Usage tab and select only crl sign and key cert sign
 

RouterOS CLI Command:

 

Now save the certificate and sign it with CRL host set to the public IP of your MikroTik CHR.

RouterOS CLI Command:

 

7b. Creating and signing the OpenVPN Server Certificate

Name: SERVER
Your Location/Organization data
Common Name: Your public IP of your MikroTik CHR
Key size: 4096
Days valid: e.g. 3650
Then go to the Key Usage tab and select only digital signature, key encipherment, and tls server
 

RouterOS CLI Command:

 

Now save the certificate and sign it with the newly created CA. 

After that, go to the General tab(or double-click the server certificate if you closed it) and mark "Trusted"
 

RouterOS CLI Command:

 

7c. Creating a template and making the Client certificates from it

Name: CLIENT-tpl
Your Location/Organization data
Common Name: CLIENT
Key size: 4096
Days valid: e.g. 3650
Then go to the Key Usage tab and select only tls-client
 

RouterOS CLI Command:

 

Save it. From this template, we will be making the certificates for the clients. This is done by clicking on “Copy”.
Now rename both the name and common name to CLIENT1 (for other clients you can name them CLIENT2, CLIENT3, etc.)

RouterOS CLI Command:

 

Now save it and sign it with the CA you’ve created.

RouterOS CLI Command:

 

In the end, the certificate flags should be:
K, L, A, T - for the Certificate Authority
K, I, T - for the OpenVPN Server Certificate
K, I - for the Client certificates

 

7d. Exporting and Downloading the certificates

This is done by right-clicking them and selecting export. When you export the client certificate, make sure that you export it with a password.

RouterOS CLI Command:

 

After you export them, you can easily download them using WinBox or other file transfer programs like WINSCP(via FTP/SFTP).
For WinBox, go to Files to locate your certificate files.

Then download them by dragging them into a folder on your computer.

8. Enabling the OVPN Server

Go to PPP, click on “OVPN Server”, Check "Enabled", and set:
Port: 1194(or 443)
Certificate: SERVER
Require Client Certificate: true
Auth: sha1, md5
Cipher: Blowfish 128, aes 128, aes 192, aes 256

RouterOS CLI Command:

9. Editing the default-encryption PPP profile

Go to Profiles, double-click the default-encryption profile, and set:
Local IP address: 192.168.34.1
Remote IP address: OVPN-pool
DNS servers: (e.g. Quad9) 9.9.9.9 and 149.112.112.112

RouterOS CLI Command:

10. Creating a PPP account for the OpenVPN network
Click on the "Secrets" tab and then on "+". Set with credentials of your choice and select the default-encryption profile.

RouterOS CLI Command:

 

And that's it. You've created an OpenVPN Server on your MikroTik Cloud Hosted Router, ready to accept OVPN connections.

You can now connect some devices to your OpenVPN network, using these tutorials:
Set up OpenVPN Client in Windows and Mac
Set up OpenVPN Client in Android
Set up OpenVPN Client in iPhone iOS

Take a look at our powerful MikroTik VPS servers and choose a suitable plan to get started.

If setting up this server is hard for you, you can take a look at our fast and secure OpenVPN Hosting plans. Easier and quicker to set up, more secure and it's ready in 5 minutes.