MikroTik OpenVPN Setup With Windows Client

April 2, 2018 | Abu Sayeed | MikroTik Router Tutorials & Guides, MikroTik VPN Configuration with Winbox

VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a public network. So, a private network user can send and receive data to any remote private network through VPN tunnel as if his/her network device was directly connected to that private network.

MikroTik OpenVPN Server provides a secure and encrypted tunnel across public network for transporting IP traffic using PPP. OpenVPN uses SSL Certificates. So, OpenVPN Tunnel is a trusted tunnel to send and receive data across public network. MikroTik OpenVPN Server can be applied in two methods.

1. Connecting remote workstation/client: In this method, OpenVPN client software installed on any operating system such as Windows can communicate with MikroTik OpenVPN server through OpenVPN tunnel whenever required and can access remote private network as if it was directly connected to the remote private network.
2. Site to Site OpenVPN: This method is also known as VPN between routers. In this method, an OpenVPN client supported router always establishes an OpenVPN tunnel with MikroTik OpenVPN Server. So, private networks of these routers can communicate with each other as if they were directly connected to the same router.

The goal of this article is to connect a remote client using OpenVPN Tunnel across public network. So, in this article I will only show how to configure MikroTik OpenVPN Server for connecting a remote workstation/client (Windows Client).

Network Diagram

To configure a MikroTik OpenVPN Tunnel for connecting a remote workstation/client, I am following a network diagram like below image.

[Image: OpenVPN Remote Office Network]

In this network, MikroTik Router (RouterOS v6.38.1) is connected to internet through ether1 interface having IP address 192.168.30.2/30. In your real network, this IP address should be replaced with public IP address. MikroTik Router's ether2 interface is connected to local network having IP network 10.10.11.0/24. We will configure OpenVPN server in this router and after OpenVPN configuration the router will create a virtual interface (OpenVPN Tunnel) across public network whose IP address will be 10.10.11.1. On the other hand, a remote laptop (workstation/client) is connected to internet and wants to connect to our OpenVPN server for accessing local network resources. We will configure OpenVPN client in this laptop and after establishing an OpenVPN Tunnel across public network, this laptop will get a MikroTik Router's local IP 10.10.11.10 and will be able to access MikroTik Router's private network.

MikroTik OpenVPN Server Configuration

We will now start OpenVPN Server configuration. Complete OpenVPN configuration can be divided into two parts.

Part 1: OpenVPN Server Configuration in MikroTik Router
Part 2: OpenVPN Client Configuration in Windows OS

Part 1: OpenVPN Server Configuration in MikroTik Router

According to our network diagram, MikroTik Router is our OpenVPN Server. So, we will setup and configure OpenVPN Server in MikroTik Router. Complete MikroTik RouterOS configuration for OpenVPN Server can be divided into five steps.

Step 1: MikroTik Router basic configuration
Step 2: Creating SSL certificate for OpenVPN server and client
Step 3: OpenVPN Server configuration
Step 4: PPP Secret creation for OpenVPN client
Step 5: Enabling Proxy ARP on LAN interface

Step 1: MikroTik Router basic configuration

In MikroTik Router basic configuration, we will assign WAN, LAN and DNS IP and perform NAT and Route configuration. The following steps will show how to do these topics in your RouterOS.

1. Login to MikroTik RouterOS using winbox and go to IP > Addresses. In Address List window, click on PLUS SIGN (+). In New Address window, put WAN IP address (192.168.30.2/30) in Address input field and choose WAN interface (ether1) from Interface dropdown menu and click on Apply and OK button. Click on PLUS SIGN again and put LAN IP (10.10.11.1/24) in Address input field and choose LAN interface (ether2) from Interface dropdown menu and click on Apply and OK button.
2. Go to IP > DNS and put DNS servers IP (8.8.8.8 or 8.8.4.4) in Servers input field and click on Apply and OK button.
3. Go to IP > Firewall and click on NAT tab and then click on PLUS SIGN (+). Under General tab, choose srcnat from Chain dropdown menu and click on Action tab and then choose masquerade from Action dropdown menu. Click on Apply and OK button.
4. Go to IP > Routes and click on PLUS SIGN (+). In New Route window, click on Gateway input field and put WAN Gateway address (192.168.30.1) in Gateway input field and click on Apply and OK button.

Basic RouterOS configuration has been completed. Now we will create SSL certificate for OpenVPN server and client.

Step 2: Creating SSL certificate for OpenVPN Server and Client

OpenVPN server and client configuration requires SSL certificate
because OpenVPN uses SSL certificate for secure communication.
MikroTik RouterOS version 6 gives ability to create, store and
manage certificates in certificate store. So, we will create required
OpenVPN certificate from our RouterOS. OpenVPN server and
client configuration requires three types of certificates:

1. CA (Certification Authority) certificate
2. Server certificate and
3. Client certificate

Creating CA certificate

The following steps will show how to create CA certificate in MikroTik RouterOS.

1. Go to System > Certificates menu item from winbox and click on Certificates tab and then click on PLUS SIGN (+). New Certificate window will appear.
2. Put your CA certificate name (for example: ca) in Name input field. Also put a certificate common name (for example: ca) in Common Name input field.
3. You will find some optional fields in General tab. You can fill them if you wish. All fields are self-defined.
4. Click on Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign.
5. Click on Apply button and then click on Sign button. Sign window will appear now.
6. Your newly created certificate template will appear in certificate dropdown menu. Select your newly created certificate template if it is not selected.
7. Put MikroTik Router's WAN IP address (192.168.30.2) in CA CRL Host input field.
8. Click on Sign button. Your signed certificate will be created within a few seconds.
9. Click on OK button to close New Certificate window.
10. If newly created CA certificate does not show T flag or Trusted property shows no value, double click on your CA certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.

CA certificate has been created successfully. Now we will create server certificate.

Creating Server Certificate

The following steps will show how to create server certificate in MikroTik RouterOS.

1. Click on PLUS SIGN (+) again. New Certificate window will appear.
2. Put your server certificate name (for example: server) in Name input field. Also put a certificate common name (for example: server) in Common Name input field.
3. If you have put any optional field for CA certificate, put them here also.
4. Click on Key Usage tab and uncheck all checkboxes except digital signature, key encipherment and tls server.
5. Click on Apply button and then click on Sign button. Sign window will appear now.
6. Your newly created server certificate template will appear in certificate dropdown menu. Select your newly created certificate template if it is not selected.
7. Also select CA certificate from CA dropdown menu.
8. Click on Sign button. Your signed certificate will be created within a few seconds.
9. Click on OK button to close New Certificate window.
10. If newly created server certificate does not show T flag or Trusted property shows no value, double click on your server certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.

Server certificate has been created successfully. Now we will create client certificate.

Creating Client Certificate

The following steps will show how to create client certificate in MikroTik RouterOS.

1. Click on PLUS SIGN (+) again. New Certificate window will appear.
2. Put your client certificate name (for example: client) in Name input field. Also put a certificate common name (for example: client) in Common Name input field.
3. If you have put any optional field for CA certificate, put them here also.
4. Click on Key Usage tab and uncheck all checkboxes except tls client.
5. Click on Apply button and then click on Sign button. Sign window will appear now.
6. Your newly created client certificate template will appear in certificate dropdown menu. Select your newly created certificate template if it is not selected.
7. Also select CA certificate from CA dropdown menu.
8. Click on Sign button. Your signed certificate will be created within a few seconds.
9. Click on OK button to close New Certificate window.
10. Client certificate does not require T flag.

Client certificate has been created successfully. Now we will export CA and Client certificates so that OpenVPN client can use these certificates.

Exporting CA and Client Certificates

OpenVPN server will use server certificate from MikroTik RouterOS certificate store. But client certificate has to be supplied to the OpenVPN client. So, we need to export client certificate as well as CA certificate from RouterOS certificate store. The following steps will show how to export CA certificate and client certificate from MikroTik certificate store.

1. Click twice on your CA certificate and then click on Export button from right button panel. Export window will appear.
2. Choose your CA certificate from Certificate dropdown menu.
3. Click on Export button now. Your CA certificate will be exported and Export window will be closed. Your exported CA certificate will be stored in File List.
4. Again, click on Export button from right button panel and choose your client certificate from Certificate dropdown menu.
5. Put a password in Export Passphrase input field. The password must be at least 8 characters and this password has to be provided when the OpenVPN client connects.
6. Click on Export button now. Your client certificate and key file will be exported in File List.
7. Now click on Files menu from winbox left menu panel. You will find two certificate files (.crt) and one key file (.key) exported here.
8. Drag and drop these three files in a folder on your Desktop. We will use these files when OpenVPN client will be configured.

Creating SSL certificate for OpenVPN server and client has been
completed. Now we will configure our OpenVPN Server in
MikroTik Router.

Step 3: OpenVPN Server Configuration in MikroTik Router

After creating SSL certificate, we are now eligible to enable OpenVPN Server in MikroTik Router. The following steps will show how to enable OpenVPN Server in your MikroTik Router with proper configuration.

1. Click on PPP menu item from winbox and then click on Interface tab.
2. Click on OVPN Server button. OVPN Server window will appear.
3. Click on Enabled checkbox.
4. From Certificate dropdown menu, choose server certificate that we created before. Also click on Require Client Certificate checkbox.
5. From Auth. panel, uncheck all checkboxes except sha1.
6. From Cipher panel, uncheck all checkboxes except aes 256.
7. Now click on Apply and OK button.

OpenVPN Server is now running in MikroTik Router. Now we will create OpenVPN user who will be connected to this server.

Step 4: PPP Secret creation for OpenVPN client

After OpenVPN Server setup, we need to create OpenVPN user who will be connected to OpenVPN Server. OpenVPN Server uses PPP user for authentication. So, we will now create PPP secret (username and password) for OpenVPN client. The following steps will show how to create PPP secret in MikroTik Router.

1. Click on PPP menu item from winbox and then click on Secrets tab.
2. Click on PLUS SIGN (+). New PPP Secret window will appear.
3. Put username (for example: sayeed) in Name input field and password in Password input field. This username and password will be required at the time of OpenVPN client configuration.
4. Choose ovpn from Service dropdown menu.
5. Put the gateway IP (10.10.11.1) in Local Address input field and put a LAN IP (10.10.11.10) that will be assigned in client workstation when this user will be connected, in Remote Address input field.
6. Click on Apply and OK button.

PPP user who will be connected from remote client machine has been created. At this point, if the user gets connected from the remote client machine and tries to ping any workstation from the remote machine, the ping will time out because the remote client is unable to get ARPs from workstations. The solution is to set up proxy-arp on the LAN interface.

Step 5: Enabling Proxy ARP on LAN Interface

The following steps will show how to enable proxy-arp on the LAN interface.

1. Click on Interfaces menu item from winbox and then click on Interface tab.
2. Click twice on your LAN interface (ether2). Interface property window will appear.
3. Under General tab, choose proxy-arp from ARP dropdown menu.
4. Click Apply and OK button.

After enabling proxy-arp, the remote client can successfully reach all workstations in the local network behind the router.

MikroTik OpenVPN Server is now completely ready to accept OpenVPN client. So, we will now configure OpenVPN client in Windows Operating System.

Part 2: OpenVPN Client configuration in Windows OS

OpenVPN.net provides OpenVPN client software for all the operating systems. You can visit the download page and download the OpenVPN client that matches your system requirement. I am using Windows 7, 64-bit operating system. So, I have downloaded Installer (64-bit), Windows Vista and later package. At the time of this article, the OpenVPN client version was 2.3.18.

After downloading, install OpenVPN client in your operating system following the instruction. Installation process is as simple as installing other software in Windows operating system.

After OpenVPN client installation, go to configuration file location (by default: C:\Program Files\OpenVPN\config or C:\Program Files (x86)\OpenVPN\config depending on your operating system) and follow my below steps to configure OpenVPN client.

Create a file having (.ovpn) extension (for example: client.ovpn) and copy and paste below property and its value in this file and then save your file.

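# Template client.ovpn
# "client" enables pull, which auth-user-pass requires
client
dev tun
proto tcp-client
remote 192.168.30.2
port 1194
nobind
persist-key
persist-tun
tls-client
# accept only a peer certificate issued for server use
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
verb 4
mute 10
# cipher and auth must match the OVPN Server settings from Step 3
cipher AES-256-CBC
auth SHA1
# "secret" is the file holding the PPP username and password
auth-user-pass secret
auth-nocache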

Here, change remote IP address according to your MikroTik WAN IP.

Now copy and paste your exported CA and Client certificate files that you saved in your Desktop by dragging and dropping from MikroTik File List, in this location and rename CA file as ca.crt, client certificate file as client.crt and key file as client.key because we have used these names in our configuration file.

Create another file named secret (because we have set the auth-user-pass file to secret) without any extension and put OpenVPN PPP username at first line and password in second line and then save this file.

Now run OpenVPN client software. You will find a new icon in your Taskbar or System tray like below image.

Right-click on this icon and then click Connect option. OpenVPN Connection window will appear and it will ask to put your client certificate password that you have entered at the time of client certificate exportation.

If you put correct password and if everything is OK, your OpenVPN client will be connected and an OpenVPN tunnel will be created between OpenVPN client and server. To check your configuration, do a ping request to any remote network workstation or server. If everything is OK, your ping request will succeed.
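
The following is an added example, not part of the original article: a small Python linter that compares a client.ovpn profile with the server settings chosen in Step 3 and flags a missing client/pull directive, which OpenVPN rejects when auth-user-pass is used. The function names and both sample profiles are constructed for illustration.

```python
# Added example (not from the article): lint a client.ovpn against Step 3's server.
SERVER_CIPHER = "AES-256-CBC"  # "aes 256" ticked in the OVPN Server window
SERVER_AUTH = "SHA1"           # "sha1" ticked in the OVPN Server window


def parse_profile(text):
    """Map each directive to a list of its argument lists, skipping comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint_profile(text):
    """Return (severity, message) findings for a client profile."""
    d, out = parse_profile(text), []
    # auth-user-pass needs pull; "client" is shorthand for pull + tls-client.
    if "auth-user-pass" in d and "client" not in d and "pull" not in d:
        out.append(("error", "auth-user-pass requires pull: add a 'client' line"))
    # The article's server is reached over TCP 1194; OpenVPN defaults to UDP.
    protos = [a[0] for a in d.get("proto", []) if a]
    if not protos or not all(p.startswith("tcp") for p in protos):
        out.append(("error", "proto must be tcp-client for this server"))
    # Without this the client does not check that the peer certificate was
    # issued for server use (the "tls server" key usage set in Step 2).
    if ["server"] not in d.get("remote-cert-tls", []):
        out.append(("warn", "remote-cert-tls server missing"))
    for name in ("ca", "cert", "key"):
        if name not in d:
            out.append(("error", name + " file not set"))
    # Explicit cipher/auth values must match what the server offers.
    for name, expected in (("cipher", SERVER_CIPHER), ("auth", SERVER_AUTH)):
        for args in d.get(name, []):
            if not args or args[0].upper() != expected:
                out.append(("error", name + " must be " + expected))
    for args in d.get("auth-user-pass", []):
        if args:  # username and password sit in this file in plaintext
            out.append(("note", "credentials in plaintext file '%s'" % args[0]))
    if "auth-user-pass" in d and "auth-nocache" not in d:
        out.append(("note", "auth-nocache missing: credentials stay cached in memory"))
    return out


# Constructed sample: the article's directives without a "client" line.
BROKEN = """\
dev tun
proto tcp-client
remote 192.168.30.2
port 1194
tls-client
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
cipher AES-256-CBC
auth SHA1
auth-user-pass secret
auth-nocache
"""
FIXED = "client\n" + BROKEN  # same profile with the directive added

if __name__ == "__main__":
    for label, profile in (("broken", BROKEN), ("fixed", FIXED)):
        for severity, message in lint_profile(profile):
            print(label, severity, message)
```

The remaining note on the fixed profile is a reminder that the secret file holds the PPP username and password in clear text, so access to the config folder should be limited to the account that runs the VPN client.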

If you face any confusion following the above steps, watch my video about MikroTik OpenVPN Server Configuration with Windows Client carefully. I hope it will reduce any confusion.

MikroTik OpenVPN Server configuration with Windows Client has been explained in this article. I hope you will be able to configure your OpenVPN Server and Client if you follow the explanation carefully. However, if you face any confusion following the above steps, feel free to discuss in comment or contact me from the Contact page. I will try my best to stay with you.

ABU SAYEED
I am a system administrator and like to share knowledge that I am learning from my daily experience. I usually work on MikroTik, Redhat/CentOS Linux, Windows Server, physical server and storage, virtual technology and other system related topics.

9 comments

Sayeed
January 13, 2019 at 11:37 am

Follow my video instruction, hope no issue will occur. If any issue occurs, please describe here.

Sayeed
January 13, 2019 at 11:43 am

Follow my video. Hope you will be successful.

Monica
March 22, 2019 at 1:04 pm

Hi Md. Abu Sayeed

I am a regular reader of your blog and always find something interesting about technology while I stuck with my college projects.

Thanks for posting this such understandable post about VPN, actually I was looking for a long time for my project.

Bonito
April 28, 2019 at 12:09 am

I would also like to ask if this is how I can access my router remotely from anywhere in the world?

Abu Sayeed
August 31, 2019 at 4:31 pm

You can access your router via Winbox.

Andrej
December 16, 2019 at 6:03 am

I had to do two changes for this to work:

1. In "client.ovpn" file I added line "client"

#Template client.ovpnclient
client
dev tun
proto tcp-client
remote xxx.xxx.xxx.xxx
port 1194

2. Add firewall rule in Mikrotik:

/ip firewall filter add action=accept chain=input comment="allow OpenVPN" disabled=no dst-port=1194 protocol=tcp

https://forum.mikrotik.com/viewtopic.php?t=138448

Deyvisson Breno Veras Meireles
January 7, 2020 at 10:46 pm

You guys can use this site to generate the .ovpn config faster:
https://ovpnconfig.com.br

Bruce
February 23, 2021 at 10:14 pm

I get the following errors:

------------------------------------------------------------
Tue Feb 23 11:10:59 2021 us=188149 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Options error: --auth-user-pass requires --pull
Use --help for more information.
------------------------------------------------------------

The --pull error breaks it. Any advice?

Thanks,

Abu Sayeed
March 12, 2021 at 4:07 pm

Follow this article for more step by step guide:
https://systemzone.net/mikrotik-openvpn-configuration-on-tcp-port-443-with-windows-os/
