Set up OpenVPN in Windows
This guide shows you how to connect a Windows PC or Mac to an OpenVPN server running on a MikroTik Cloud Hosted Router. If you haven't set up your server yet, start with our OpenVPN server setup guide first.
There are two OpenVPN clients available for Windows and macOS. Pick whichever suits you — both work with a MikroTik CHR OpenVPN server.
- OpenVPN Connect (official, cross-platform — Windows & macOS): https://openvpn.net/client/
- OpenVPN Community client (Windows only, open-source GUI): https://openvpn.net/community/
While Connect is simpler, the Community client gives you more control. Download and install your preferred client before continuing.
Before you can connect, you need a VPN user account on the server. Log in to your MikroTik CHR via WinBox or Webfig, go to PPP > Secrets, and click + NEW. Set a username and a strong password and make sure the profile is set to default-encryption.

Keep this username and password handy — you'll enter them in the OpenVPN client when connecting.
You'll need the following files from your CHR to build or receive an OpenVPN configuration:
- The CA certificate (.crt)
- The client certificate (.crt)
- The client certificate private key (.key)
In WinBox, go to System > Certificates. Right-click each certificate and choose Export. Give them clear names. When exporting the client certificate, always set a passphrase — you'll enter it in the OpenVPN client as the private key password.

certificate export-certificate CLIENT1 export-passphrase=12345678
The exported files appear in Files on the CHR. Select them all and drag-and-drop them to a folder on your computer, or right-click and choose Download.

There are two ways to get your .ovpn config: let RouterOS generate it for you (easiest, requires v7.9+), or build it manually from a template. Both methods produce a working config — the auto-export just saves a few steps.
4a. Auto-export from RouterOS (v7.9+) — easiest method
Since RouterOS v7.9, you can generate a complete .ovpn config directly from the CHR. It picks the best encryption settings automatically and embeds all the necessary certificates.
In WinBox, go to PPP > OVPN Servers and open any server (RouterOS 7.17+), or go to PPP > Interface > OVPN Server (older versions), and click Export .ovpn. Fill in your CHR's public IP address, then select the CA certificate, the client certificate, and its key.

The generated .ovpn file will appear in Files on the CHR. Right-click it and choose Download.

One thing to be aware of: the RouterOS-generated config doesn't enable full tunnel routing or credential cache clearing by default. Open the file in any text editor and add these two lines, auth-nocache and redirect-gateway def1, just before the embedded certificate block:
reneg-sec 3600
remote-cert-tls server
auth-nocache
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
...
4b. Build the config from scratch
If you're on RouterOS older than v7.9, or want full control over the config, create a new file, give it a .ovpn extension, and open it in a text editor. Paste the template below, adjusting the IP address, port, protocol, cipher, and auth to match your server's settings. Then paste the contents of each certificate and key file into the matching section.
dev tun
proto tcp-client
remote IP_ADDRESS_OF_YOUR_CHR
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
<ca>
PASTE CONTENTS OF THE CA (LMTCA) CERTIFICATE HERE
</ca>
<cert>
PASTE CONTENTS OF THE CLIENT CERTIFICATE HERE
</cert>
<key>
PASTE CONTENTS OF THE ENCRYPTED PRIVATE KEY HERE
</key>
verb 4
mute 10
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
redirect-gateway def1
If you prefer to keep the certificates as separate files rather than embedding them, replace the <ca>, <cert>, and <key> blocks with filename references instead. In that case, keep all files in the same folder as the .ovpn config.
tls-client
remote-cert-tls server
ca LMTCA.crt
cert CLIENT1.crt
key CLIENT1.key
verb 4
mute 10
cipher AES-256-CBC
...
4c. Pre-saving VPN credentials in the config (optional, but insecure — not recommended for shared devices)
The safest approach is to enter your VPN username and password in the OpenVPN client each time, or save them in the client app itself. However, if you need to pre-embed them in the config, there are two ways to do it. The username and password must always be on separate lines.
Option A — embed directly in the config:
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth SHA1
<auth-user-pass>
Username
Password
</auth-user-pass>
auth-nocache
redirect-gateway def1
...
Option B — store credentials in a separate file and reference it. Create a plain text file named secret (no extension) with the username on the first line and password on the second:
auth SHA1
auth-user-pass secret
auth-nocache
...
The secret file itself contains:
Username
Password
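Before importing the profile, the edits from steps 4a to 4c can be checked mechanically. The script below is an added example, not part of the original guide and not code from OpenVPN or RouterOS; the function names, the REQUIRED table and the sample profile (which uses the documentation address 192.0.2.10) are constructed for illustration.

```python
import re

# Directives this guide expects in a client profile, with the risk if absent.
REQUIRED = {
    "remote-cert-tls": "server certificate is not checked for the server role",
    "auth-nocache": "username and password stay cached in client memory",
    "redirect-gateway": "default route stays outside the tunnel",
}

def parse_profile(text):
    """Split .ovpn text into {directive: args} and {inline tag: [lines]}."""
    directives, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if current:                                  # inside <tag> ... </tag>
            if line == f"</{current}>":
                current = None
            else:
                blocks[current].append(line)
        elif re.fullmatch(r"<[a-z-]+>", line):       # opening inline tag
            current = line[1:-1]
            blocks[current] = []
        elif line and line[0] not in "#;":           # skip blanks and comments
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives, blocks

def audit_profile(text):
    """Return a list of findings; an empty list means every check passed."""
    directives, blocks = parse_profile(text)
    findings = [f"missing {d}: {why}" for d, why in REQUIRED.items() if d not in directives]
    if "auth-user-pass" in blocks:
        findings.append("credentials embedded inline in <auth-user-pass>")
    elif directives.get("auth-user-pass"):
        findings.append("credentials read from file '%s'" % directives["auth-user-pass"])
    key = "\n".join(blocks.get("key", []))
    if "PRIVATE KEY" in key and "ENCRYPTED" not in key:
        findings.append("private key in <key> is not passphrase-protected")
    return findings

# Constructed sample: an auto-exported profile before the two lines are added,
# with credentials embedded as in Option A.
SAMPLE = ("dev tun\nremote 192.0.2.10 1194\nremote-cert-tls server\n"
          "<auth-user-pass>\nUsername\nPassword\n</auth-user-pass>\n")

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)) or "no findings")
```

A finding about embedded or file-based credentials is informational when pre-saving them is a deliberate choice; in that case the .ovpn or secret file should be readable only by the user who runs the client.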
Either double-click the .ovpn file or drag and drop it into the OpenVPN Connect window. A confirmation dialog will appear — click Import.
If you referenced certificate and credential (secret) files by filename rather than embedding them, make sure all files are in the same folder before importing.

Click Connect. The client will prompt for your Private Key Password (the passphrase you set when exporting the client certificate), your VPN username, and password. Enter the credentials from Step 2.
If the server doesn't have client certificate verification enabled, any warning about a missing certificate can be safely dismissed.

Once connected, you're in. To save your credentials so you don't have to re-enter them every time, open the burger menu (☰), go to My Profiles, and click the pencil icon next to your profile. Enter your credentials and click Save Changes.

On Windows, the connection can be controlled from the OpenVPN Connect icon in your system tray. Right-click it to quickly connect, disconnect, or switch profiles without opening the full app.

%USERPROFILE%\OpenVPN\config\. Find the OpenVPN GUI icon in your Windows system tray (it looks like a small monitor with a padlock). Right-click it, hover over Import, then choose Import file… and locate your .ovpn file.
Again, if you referenced certificate files and credentials (secret) by filename, keep them all in the same folder as the config.

Right-click the tray icon again and choose Connect (or go to your profile name and click Connect there if you have multiple profiles). The client will ask for your VPN username and password, and then for the private key password. Check Save password if you don't want to type them each time.

Your Windows PC or Mac is now connected to your MikroTik CHR OpenVPN network. If you run into problems getting connected, check our OpenVPN troubleshooting guide for common issues and fixes.