@c0m4r
Last active March 31, 2026 20:34

Mikrotik as OpenVPN client

VPS (OpenVPN Server) <=> Mikrotik (OpenVPN Client)

Mikrotik OVPN-Client configuration

https://help.mikrotik.com/docs/display/ROS/OpenVPN#OpenVPN-OVPNClient

  1. Copy the contents of each cert and key to the appropriate sections of the client.ovpn file (the PKI files breakdown below says which file goes into which block)
  2. Upload client.ovpn via FTP or WebFig -> Files
  3. Import client.ovpn using
/interface/ovpn-client/import-ovpn-configuration file-name=client.ovpn

or via WebFig -> PPP -> Import .ovpn

  4. You can ignore username / password (Mikrotik will set ovpnuser as a placeholder)
  5. Set the firewall appropriately, e.g.
/ip firewall filter add action=accept chain=input comment="openvpn client-to-client access" in-interface=openvpn-client src-address=10.0.0.0/24

Make sure in-interface matches the name of the imported OVPN interface. Because the server runs with client-to-client, this rule admits every VPN peer to the router's input chain; if only the VPS should reach the router (for example for the WIFI monitoring below), narrow src-address to the server's tunnel address, 10.0.0.1.

NAT:

/ip firewall nat add action=masquerade chain=srcnat comment="ovpn masquerade" out-interface=openvpn-client

VPS configuration

Debian 12

OpenVPN Server

apt install openvpn easy-rsa
make-cadir /etc/easyrsa
cd /etc/easyrsa
./easyrsa init-pki
./easyrsa build-ca
./easyrsa build-server-full server
./easyrsa gen-dh
./easyrsa build-client-full mikrotik nopass
openvpn --genkey secret pki/ta.key
touch /etc/openvpn/server/server.conf
systemctl enable openvpn-server@server.service

Notes:

  • build-server-full prompts for a passphrase on server.key unless you append nopass, as done for the client; a passphrase-protected server key stops the openvpn-server@server unit from starting unattended.
  • build-ca protects the CA key (pki/private/ca.key) with a passphrase by default. The CA key is only needed to sign certificates, so keep that passphrase, or move the key off the VPS once the server and client certificates are issued.
  • Populate /etc/openvpn/server/server.conf with the server.conf contents below before starting the unit.

PKI files breakdown

The server reads its material from disk by path; the Mikrotik profile embeds the same material inline.

| file                                  | server.conf       | client.ovpn                             |
| ------------------------------------- | ----------------- | --------------------------------------- |
| /etc/easyrsa/pki/issued/server.crt    | cert <path>       | -                                       |
| /etc/easyrsa/pki/private/server.key   | key <path>        | -                                       |
| /etc/easyrsa/pki/private/mikrotik.key | -                 | <key></key>                             |
| /etc/easyrsa/pki/issued/mikrotik.crt  | -                 | <cert></cert>                           |
| /etc/easyrsa/pki/ca.crt               | ca <path>         | <ca></ca>                               |
| /etc/easyrsa/pki/ta.key               | tls-auth <path> 0 | <tls-auth></tls-auth> + key-direction 1 |
| /etc/easyrsa/pki/dh.pem               | dh <path>         | -                                       |
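Step 1 of the Mikrotik procedure (pasting each file into its block) and the file mapping in the table above can be done by script. The following is an added example, not part of the gist: it inlines the EasyRSA files into a client profile exactly as the table maps them, with the ta.key direction flipped to 1, and checks the result before it is uploaded to the router. The /etc/easyrsa/pki path, the client name mikrotik and the placeholder address 192.0.2.10 are assumptions.

```shell
#!/bin/bash
# build_ovpn.sh - assemble an inline client.ovpn from the EasyRSA PKI files.
# Added example, not part of the gist. Paths assume the /etc/easyrsa layout
# used on this page (override with PKI=/other/pki).
set -eu

PKI="${PKI:-/etc/easyrsa/pki}"

# Emit one inline block, e.g. "<ca> ... </ca>", from a PEM file,
# making sure the closing tag lands on its own line.
inline_block() {
    local tag="$1" file="$2"
    printf '<%s>\n' "$tag"
    cat "$file"
    if [ -n "$(tail -c1 "$file")" ]; then
        echo
    fi
    printf '</%s>\n' "$tag"
}

# Write a complete client profile: the static directives from the page's
# client.ovpn, then the four inline blocks the PKI table maps into it.
# $1 = client name (EasyRSA common name), $2 = VPS address, $3 = output path
build_ovpn() {
    local name="$1" server="$2" out="$3"
    {
        cat <<EOF
client
dev tun
proto tcp
remote $server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
verb 3
EOF
        inline_block key      "$PKI/private/$name.key"
        inline_block cert     "$PKI/issued/$name.crt"
        inline_block ca       "$PKI/ca.crt"
        # the server loads ta.key with direction 0, so the client must use 1
        echo "key-direction 1"
        inline_block tls-auth "$PKI/ta.key"
    } > "$out"
    chmod 600 "$out"   # the profile embeds the client's private key
}

# Sanity-check a profile before uploading it: every block present and
# closed, key-direction set, and exactly one private key embedded.
check_ovpn() {
    local f="$1" tag
    for tag in key cert ca tls-auth; do
        grep -qx "<$tag>" "$f" && grep -qx "</$tag>" "$f" \
            || { echo "missing or unclosed <$tag> block" >&2; return 1; }
    done
    grep -qx 'key-direction 1' "$f" \
        || { echo "missing key-direction 1" >&2; return 1; }
    [ "$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$f")" -eq 1 ] \
        || { echo "expected exactly one private key" >&2; return 1; }
    echo "ok: $f"
}

# Usage: PKI=/etc/easyrsa/pki ./build_ovpn.sh mikrotik <VPS_SERVER_IP> client.ovpn
if [ $# -eq 3 ]; then
    build_ovpn "$1" "$2" "$3"
    check_ovpn "$3"
fi
```

Run it on the VPS as root (the private keys under pki/private are root-only), then upload the resulting file as in steps 2 and 3. Delete the profile from the router's file store after the import, since it carries the client's private key.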

Mikrotik WIFI monitoring

This runs on the VPS and polls the router's ARP table over the tunnel via SSH, so the router's VPN address (10.0.0.3 in the script) must be reachable through the input chain rule above. Create the script, fill it with wifi_monitor.sh below, make it executable, and run it from cron. The script logs in as admin; a dedicated router user in RouterOS's read group with an SSH key is enough for /ip arp print and limits what a compromised VPS can do to the router.

mkdir /root/bin
touch /root/bin/wifi_monitor.sh

Cron:

*/5 * * * * /root/bin/wifi_monitor.sh > /dev/null

Whitelist DDNS Mikrotik IP iptables

https://gist.github.com/c0m4r/204298ccf8ffdeab8de9cad0388994dc
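The linked gist is not reproduced on this page. The script below is an added example of the same idea, not the linked gist's code: it resolves the router's DDNS name and, when the address has changed, installs the new accept rule for 1194/tcp before removing the old one, so the router is never locked out between the two commands. The hostname router.example.net, the state-file path and the use of the INPUT chain are assumptions, and it presumes a later rule or chain policy already drops 1194/tcp from everywhere else.

```shell
#!/bin/bash
# ddns_whitelist.sh - admit OpenVPN (1194/tcp) only from the Mikrotik's
# current DDNS address. Added example, not the linked gist's script.
# Assumptions: the DDNS name router.example.net is hypothetical, iptables
# with the INPUT chain, and the state-file path below.
set -eu

STATE="${STATE:-/var/lib/ddns_whitelist.ip}"
PORT="${PORT:-1194}"

# Resolve a hostname to its first IPv4 address via getent (honours
# nsswitch, so /etc/hosts works for testing). Prints nothing on failure.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Print the iptables commands that move the whitelist from $1 (old address,
# may be empty) to $2 (new address). Pure: changes nothing, testable offline.
whitelist_rules() {
    local old="$1" new="$2"
    if [ "$old" = "$new" ]; then
        return 0                                  # unchanged, nothing to emit
    fi
    # Insert the new accept before deleting the old one so the router is
    # never locked out between the two commands.
    echo "iptables -I INPUT -p tcp --dport $PORT -s $new -m comment --comment ddns-mikrotik -j ACCEPT"
    if [ -n "$old" ]; then
        echo "iptables -D INPUT -p tcp --dport $PORT -s $old -m comment --comment ddns-mikrotik -j ACCEPT"
    fi
}

# Resolve, diff against the cached address, apply the delta, update the cache.
# DRY_RUN=1 prints the commands instead of executing them. The cache is only
# rewritten after every command succeeded, so a failed iptables call is retried
# on the next run.
update_whitelist() {
    local name="$1" old="" new cmd
    new=$(resolve_ipv4 "$name")
    if [ -z "$new" ]; then
        echo "could not resolve $name; leaving the current rule in place" >&2
        return 1
    fi
    if [ -f "$STATE" ]; then
        old=$(cat "$STATE")
    fi
    whitelist_rules "$old" "$new" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
    echo "$new" > "$STATE"
}

# Usage: ./ddns_whitelist.sh router.example.net   (run from cron)
if [ $# -eq 1 ]; then
    update_whitelist "$1"
fi
```

Schedule it alongside the monitoring job, e.g. every five minutes with the DDNS name as the only argument. The window between the router's address changing and the next cron run is the only time the router cannot reconnect; tls-auth on the server still keeps unsolicited connections from reaching the TLS layer during and outside that window.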


If you found this article helpful please check out my cool projects and leave a star. Thanks!

  • 🛡️ paranoya - Simple IOC and YARA scanner for Linux®
  • 🔮 kula - Lightweight, self-contained Linux® server monitoring tool
  • 🐣 kurczak - Minimal Ollama chat UI - no login, no heavy features.
client.ovpn

client
dev tun
proto tcp
remote <VPS_SERVER_IP> 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
data-ciphers AES-256-GCM
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
verb 3
<key>
-----BEGIN PRIVATE KEY-----
(...)
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
</cert>
<ca>
-----BEGIN CERTIFICATE-----
(...)
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
(...)
-----END OpenVPN Static key V1-----
</tls-auth>
server.conf

# /etc/openvpn/server/server.conf
local <VPS_SERVER_IP>
port 1194
proto tcp
dev tun
# Lets VPN clients reach each other; drop this if the router only needs to talk to the VPS
client-to-client
ca /etc/easyrsa/pki/ca.crt
cert /etc/easyrsa/pki/issued/server.crt
key /etc/easyrsa/pki/private/server.key
dh /etc/easyrsa/pki/dh.pem
topology subnet
# The server takes 10.0.0.1; clients are assigned from the rest of the /24
server 10.0.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/server/ipp.txt
keepalive 10 120
# Direction 0 here, key-direction 1 in the client profile
tls-auth /etc/easyrsa/pki/ta.key 0
# The first cipher both sides list is negotiated; the CBC entries are only there for older clients
data-ciphers AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
# Drop privileges after startup; persist-key/persist-tun let the process survive restarts without root
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
wifi_monitor.sh

#!/bin/bash
# Poll the Mikrotik ARP table over the VPN on every run and record MAC
# addresses not seen before. Needs key-based SSH access to the router;
# BatchMode stops ssh from hanging on a password prompt under cron.
cd /root/bin || exit 1
touch wifi_monitor.txt

ARP=$(ssh -o ConnectTimeout=10 -o BatchMode=yes admin@10.0.0.3 "/ip arp print")
if [ $? -ne 0 ]; then
    # Router unreachable: raise the alarm once, not on every run
    if [ ! -e wifi_monitor.lock ]; then
        # API call: mikrotik connection lost
        touch wifi_monitor.lock
    fi
    exit 1
fi

if [ -e wifi_monitor.lock ]; then
    rm wifi_monitor.lock
    # API call: mikrotik connection restored
fi

# Pick MAC addresses out by pattern rather than by column, because the
# flags column of "/ip arp print" shifts the field numbers between rows
echo "$ARP" | grep -oE '([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' | sort -u | while read -r MAC; do
    echo "$MAC"
    if ! grep -qixF -- "$MAC" wifi_monitor.txt; then
        echo "new connection from $MAC"
        # API call: new WIFI connection with MAC: $MAC
        echo "$MAC" >> wifi_monitor.txt
    fi
done
@ivanjx commented Mar 31, 2026

Is it possible to prevent ovpn from forcibly adding dynamic routes as this kills my WireGuard connections?

[image]