OpenVPN on MikroTik routers

If you have a smart home, NAS, etc., it's a good idea to think about safe access to your network when you are not at home. Currently I recommend a commercial router such as Turris, or MikroTik routers as a cheaper option. On the other hand, a Raspberry Pi can be used as an OpenVPN server too. In this article, we will show how to set up secure access to your home network from the internet using OpenVPN on MikroTik routers.

Tip:

Today it is much easier to set up a WireGuard VPN on MikroTik routers (from RouterOS 7). WireGuard is faster and easy to set up, with high security. A WireGuard client is available for Linux, Android, iOS and Windows. You can find a tutorial in the left menu on this blog.

Connect to MikroTik via the web interface. You can use the RouterOS web interface, which the following screens come from, or the Winbox app.

The default port for OpenVPN is 1194. You can change it if you want, but do not forget to allow the port on your firewall. In the IP -> Firewall section, add a rule as below. Rules are evaluated in order, so place it above any rule that drops input traffic:

Firewall

Chain: input

Protocol: (6) tcp

Dst.Port: 1194

Action: accept

1) Certificates

First, we create the CA, server and client certificates (you can use any names). In System -> Certificates, click Add new and, after completing the fields, sign the certificate immediately using the Sign option. Put your public IP address into the CA CRL Host field, as in the picture below.

CA certificate

MikroTik - add CA certificate

Server certificate

MikroTik - add server certificate

Client certificate

MikroTik - add client certificate

The complete set of certificates should look like this:

OpenVPN MikroTik - Certificates

Next, download the certificates to your computer. You can find them in the Files section in the left menu.

MikroTik - certificate download

2) Address range

We create a separate address range for the VPN. If you have a primary "Pool" range, such as 192.168.1.1-100, you can create another one or use some part of the existing range, such as 192.168.1.201-230, etc. The settings can be made in the IP -> Pool menu.

MikroTik - range for VPN

3) Profile creation and VPN service launch

In PPP -> Profiles, create a new profile using "Add new." Fill in any name and set Local Address to an address that is not occupied and not in any range. In this example, 192.168.1.200. In the Remote address, select the range from the previous point.

MikroTik - VPN Profile

Then, in the PPP -> Interface -> OVPN server tab, check "Enabled", choose the port (default, see image), the VPN profile and the server certificate. Set the Auth and Cipher options as shown below:

MikroTik - Enable OpenVPN

4) VPN Accounts

In the PPP -> Secrets tab, use "Add new" to add a new user. This example shows what an account for Paul might look like. Be sure to choose a strong password, and select the service and the profile created earlier.

MikroTik - user account for VPN access

That's all!!!

Tip: To allow VPN users to reach your primary range, where you have your smart home, NAS, etc., you still need to make one last setting: in Interfaces, on "bridge", set the ARP option to proxy-arp.

MikroTik - Proxy ARP

5) Configuration file

To make it as easy as possible for the users you give access to, create a configuration file, such as VPN.ovpn, with the following content. Replace the placeholder text (YourPublicIPAddress and the "paste content" lines) with your external address and the contents of the certificate files generated on MikroTik.

client
remote YourPublicIPAddress 1194
auth-user-pass
cipher AES-256-CBC
dev tun
proto tcp
nobind
auth-nocache
script-security 2
persist-key
persist-tun
user nobody
group nobody

push "redirect-gateway autolocal def1"
push "redirect-gateway def1"

<ca>
-----BEGIN CERTIFICATE-----
//paste content of your CA downloaded file
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
//paste content of your Client CRT downloaded file
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
//paste content of your Client key downloaded file
-----END ENCRYPTED PRIVATE KEY-----
</key>


Send the configuration file to the user by email and share the credentials separately via mobile phone. You can also find guides on how to connect to an existing OpenVPN server from Android or iOS on this blog.
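
A check for client profiles like the one above, as an added example that is not part of the original article: it parses a .ovpn file and reports server-side push lines, a missing server-certificate check, script-security 2 with no scripts configured, and an unencrypted inline key. The finding names, the helper functions and the sample profile (dummy PEM bodies, documentation IP address) are constructed for illustration.

```python
import re

SCRIPT_HOOKS = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify"}
SERVER_CHECKS = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name", "peer-fingerprint"}
INLINE = re.compile(r"^<([\w-]+)>\n(.*?)^</\1>\n?", re.S | re.M)

def parse_profile(text):
    """Split a client profile into ({directive: [args]}, {inline_tag: body})."""
    blocks = dict(INLINE.findall(text))
    directives = {}
    for line in INLINE.sub("", text).splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0][0] not in "#;":        # skip blank lines and comments
            directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
    return directives, blocks

def audit_profile(text):
    """Return the sorted finding codes for a client profile."""
    d, blocks = parse_profile(text)
    found = set()
    if "push" in d:
        # push is a server-side directive; the client-side form is a bare redirect-gateway line
        found.add("push-in-client-profile")
    if not SERVER_CHECKS & d.keys():
        # without such a check, any certificate signed by the same CA passes as the server
        found.add("no-server-cert-check")
    level = (d.get("script-security", ["1"])[-1].split() or ["1"])[0]
    if level in ("2", "3") and not SCRIPT_HOOKS & d.keys():
        found.add("script-security-unneeded")       # scripts permitted, none configured
    if "auth-user-pass" in d and "auth-nocache" not in d:
        found.add("credentials-cached-in-memory")
    if "key" in blocks and "ENCRYPTED" not in blocks["key"]:
        found.add("plaintext-private-key")          # the file travels by email in this guide
    return sorted(found)

def pem(label):
    """Constructed dummy PEM block; carries no real certificate or key material."""
    return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"

# Constructed sample with the same directives as the profile above (203.0.113.10 is a documentation address).
PAGE_LIKE = ("client\nremote 203.0.113.10 1194\nauth-user-pass\ncipher AES-256-CBC\ndev tun\n"
             "proto tcp\nnobind\nauth-nocache\nscript-security 2\npersist-key\npersist-tun\n"
             'push "redirect-gateway def1"\n'
             f"<ca>\n{pem('CERTIFICATE')}</ca>\n<cert>\n{pem('CERTIFICATE')}</cert>\n"
             f"<key>\n{pem('ENCRYPTED PRIVATE KEY')}</key>\n")
HARDENED = (PAGE_LIKE.replace('push "redirect-gateway def1"\n', "remote-cert-tls server\n")
            .replace("script-security 2\n", ""))

if __name__ == "__main__":
    print(audit_profile(PAGE_LIKE))
    print(audit_profile(HARDENED))
```

remote-cert-tls server only works if the server certificate created on the MikroTik carries the TLS server key usage, so test the connection after adding it.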


Comments

Unfortunately you don't explain the order the certificates have to be inserted in the file. While it seems obvious to insert CA in <ca></ca>, it is totally unclear which goes in <cert> </cert> and which in <key> </key>!

Hi! Thank you for the reply. I see. I edited the article and tried to explain it more specifically. It goes from the names of the downloaded files. <ca> - ca.crt file, <cert> client.crt file and <key> .key file
