
Managing your Mikrotik with OpenVPN


Summary
A practical guide to using OpenVPN with MikroTik and a VPS: how OpenVPN works, server setup on Ubuntu, MikroTik client configuration, access patterns, comparisons with modern solutions, and security best practices.

Remote MikroTik Management with OpenVPN

OpenVPN remains a solid, battle-tested way to reach routers and devices remotely.

It predates WireGuard and Tailscale, but its flexibility and compatibility keep it relevant today.

This post walks you through the how and why — and gives copy-paste commands for a VPS server and a MikroTik client.

What is OpenVPN?

OpenVPN is an open-source VPN implementation (since 2001) that builds encrypted tunnels over TCP or UDP.

It relies on OpenSSL for encryption and TLS-based authentication.

Key points:

  • Strong crypto (AES-256, SHA256, TLS).
  • Works with IPv4 and IPv6.
  • Supports routed (TUN) and bridged (TAP) modes.
  • Wide OS and appliance compatibility — including RouterOS.

Note: OpenVPN’s ecosystem and tooling make it a great fit for environments that need explicit certificate control and legacy device support.

How OpenVPN works (quick overview)

OpenVPN establishes an encrypted tunnel between a server (usually a public VPS) and one or more clients (MikroTik routers, laptops, etc.).

Authentication is done with a CA, certificates and optional TLS auth (ta.key).

Common modes:

  • TUN (routed): IP routing between networks (most common).
  • TAP (bridge): Layer-2 bridging — useful for broadcast-dependent apps but heavier.

Pros and cons

Advantages

  • Proven security model (TLS + OpenSSL).
  • Extremely configurable (TCP/UDP, ports, routes, pushed options).
  • Broad compatibility — great for mixed fleets.
  • Native (though limited) support in RouterOS.

Drawbacks

  • Heavier than WireGuard on constrained hardware.
  • Setup requires PKI (CA, certs) and some manual steps.
  • MikroTik’s RouterOS supports OpenVPN only over TCP (server-side setups still usually use UDP).

Build an OpenVPN server on Ubuntu (VPS)

Below is a compact, practical setup. Adjust names, IPs and DNS to your environment.

1) Install packages

apt update && apt install -y openvpn easy-rsa

2) Create PKI and server keys

make-cadir ~/openvpn-ca        # copies the easy-rsa scripts and a vars template into ~/openvpn-ca
cd ~/openvpn-ca
source vars                    # load the KEY_* defaults (easy-rsa 2.x layout)
./clean-all                    # wipes keys/ - only run this on a fresh CA directory
./build-ca                     # create CA; its private key never leaves this host
./build-key-server server      # server cert and key, signed by the CA
./build-dh                     # Diffie-Hellman parameters (slow); output is keys/dh<KEY_SIZE>.pem
openvpn --genkey --secret keys/ta.key   # optional TLS-auth key, shared by server and clients
# Current Ubuntu ships easy-rsa 3, where the equivalents are ./easyrsa init-pki, build-ca,
# build-server-full server nopass and gen-dh.
# Copy ca.crt, server.crt, server.key, ta.key and the dh file (renamed to dh.pem) from keys/
# into /etc/openvpn so the relative paths in server.conf below resolve.

Tip: Keep the CA private and back it up. Treat CA keys like production secrets.

3) Server configuration (/etc/openvpn/server.conf)

Create the file with this minimal content:

port 1194
# UDP here; a TCP-only RouterOS client cannot reach this instance (see the note in the MikroTik section)
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# add "tls-auth ta.key 0" here if the ta.key generated above should be used
dh dh.pem
# tunnel pool: the server takes 10.8.0.1, clients get 10.8.0.x
server 10.8.0.0 255.255.255.0
# sends ALL client traffic through the VPS; drop this line if the tunnel is only for management
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# legacy CBC mode; OpenVPN 2.5+ negotiates data-ciphers (AES-256-GCM) when both sides support it
cipher AES-256-CBC
# drop root privileges after startup; persist-* keep the key and tun device usable afterwards
user nobody
group nogroup
persist-key
persist-tun
# connection table, rewritten every 60 seconds by default
status openvpn-status.log
verb 3

4) Enable and start service

systemctl enable openvpn@server
systemctl start openvpn@server

5) Firewall: allow the port

ufw allow 1194/udp

Warning: If you expose port 1194 to the whole internet, secure the server (fail2ban, strict SSH keys, firewall rules to limit source IPs where possible).

Create client certs and configs

Use the easy-rsa scripts to generate a client certificate (for example: build-key client1).

Pack these files for the client:

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key (if used)
  • client.ovpn (config file)

A minimal client.ovpn example (server IP replaced by your VPS):

client
dev tun
# must match the server's proto line
proto udp
remote YOUR.VPS.IP 1194
# keep retrying name resolution and connection instead of giving up
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# require the server EKU in the peer certificate, so another client's cert cannot pose as the VPS
remote-cert-tls server
# must match the server's cipher line
cipher AES-256-CBC
verb 3
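One way to turn the five files listed above into a single profile for software clients, with the PEM material inlined, as an added shell example that is not part of the original post (file names follow the list above; the PEM contents it writes for the demo are constructed stand-ins, not real keys):

```shell
#!/bin/sh
# Added example: pack client.ovpn and its PEM files into one inline profile.
# Assumes the page's file names (ca.crt, client1.crt, client1.key, ta.key).
set -e

# bundle_ovpn BASE_CONF DIR -> writes DIR/client1-inline.ovpn and prints its path
bundle_ovpn() {
  base="$1"; dir="$2"; out="$dir/client1-inline.ovpn"
  # keep every directive except the four that point at files on disk
  grep -Ev '^(ca|cert|key|tls-auth) ' "$base" > "$out"
  for pair in ca:ca.crt cert:client1.crt key:client1.key; do
    tag="${pair%%:*}"; file="$dir/${pair#*:}"
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    { printf '<%s>\n' "$tag"; cat "$file"; printf '</%s>\n' "$tag"; } >> "$out"
  done
  # ta.key is optional on the page; the client side of a tls-auth key is direction 1
  if [ -f "$dir/ta.key" ]; then
    { printf 'key-direction 1\n<tls-auth>\n'; cat "$dir/ta.key"; printf '</tls-auth>\n'; } >> "$out"
  fi
  echo "$out"
}

# count_inline FILE TAG -> how many <TAG> blocks the profile carries (expect 1)
count_inline() { grep -c "^<$2>\$" "$1" || true; }

# make_sample_dir -> temp dir holding the page's client.ovpn plus CONSTRUCTED
# placeholder PEM files (not real keys), so the bundler can be exercised offline
make_sample_dir() {
  d="$(mktemp -d)"
  printf '%s\n' client 'dev tun' 'proto udp' 'remote YOUR.VPS.IP 1194' 'resolv-retry infinite' \
    nobind persist-key persist-tun 'ca ca.crt' 'cert client1.crt' 'key client1.key' \
    'remote-cert-tls server' 'cipher AES-256-CBC' 'verb 3' > "$d/client.ovpn"
  for f in ca.crt client1.crt client1.key; do
    printf -- '-----BEGIN CONSTRUCTED PLACEHOLDER-----\n%s\n-----END CONSTRUCTED PLACEHOLDER-----\n' "$f" > "$d/$f"
  done
  printf -- '-----BEGIN OpenVPN Static key V1-----\nCONSTRUCTED\n-----END OpenVPN Static key V1-----\n' > "$d/ta.key"
  echo "$d"
}

# real use: bundle_ovpn /path/client.ovpn /path/with/the/pem/files ; demo on the sample dir:
sample="$(make_sample_dir)"
bundle_ovpn "$sample/client.ovpn" "$sample"
rm -rf "$sample"
```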

Configure MikroTik as an OpenVPN client

RouterOS supports OpenVPN client connections, but with a few RouterOS-specific limits.

  1. Upload the client key and cert files (ca.crt, client.crt, client.key) to the MikroTik.

  2. Create an OVPN client profile and start the connection.

# import what you uploaded in step 1 so RouterOS can reference the certificate by name
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=client.crt passphrase=""
/certificate import file-name=client.key passphrase=""
# CLIENT_CERT_NAME: the name shown by /certificate print after the import
/interface ovpn-client add name=ovpn-out1 \
    connect-to=YOUR.VPS.IP port=1194 \
    user=vpnuser password="yourpassword" \
    certificate=CLIENT_CERT_NAME \
    profile=default-encryption add-default-route=no
/interface ovpn-client print

Expected status sample:

status: connected
uptime: 00:01:03
remote-address: 10.8.0.1
local-address: 10.8.0.6

Note: RouterOS historically restricts OpenVPN to TCP in some versions — check your RouterOS release notes. If you need UDP on the router side, consider an intermediate solution (like a Linux host) or use a software client on a nearby machine.
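Because the server.conf above listens on UDP while the RouterOS client described here is TCP-only, the usual fix is a second OpenVPN instance on TCP that shares the same PKI. This added shell function derives that companion config from the UDP one; it is an added example, not part of the original post, and the server-tcp name and the 10.8.1.0/24 pool are assumptions.

```shell
#!/bin/sh
# Added example: derive /etc/openvpn/server-tcp.conf from the UDP server.conf.
# Every *.conf in /etc/openvpn is its own systemd instance (openvpn@<name>), so
# both can run side by side: the UDP one for software clients, the TCP one for
# RouterOS. The name and the 10.8.1.0/24 pool are assumptions; the sample config
# below is the page's server.conf, embedded so the script runs offline.
set -e

# make_tcp_conf SRC DST [POOL]: copy SRC to DST switching to TCP, a separate address
# pool and a separate status file; everything else (certs, dh, cipher) stays shared
make_tcp_conf() {
  src="$1"; dst="$2"; pool="${3:-10.8.1.0}"
  awk -v pool="$pool" '
    $1 == "proto"  { print "proto tcp"; next }                      # RouterOS 6 speaks TCP only
    $1 == "server" { print "server " pool " " $3; next }            # own /24, or the two instances clash
    $1 == "status" { print "status openvpn-status-tcp.log"; next }  # own connection table
    { print }                                                       # ca/cert/key/dh etc. unchanged
  ' "$src" > "$dst"
}

# directive FILE NAME -> value of the first NAME line (e.g. "udp" for proto)
directive() { awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"; }

# preflight FILE: fail when a config cannot be reached from a TCP-only RouterOS client
preflight() {
  [ "$(directive "$1" proto)" = "tcp" ] || { echo "$1: proto is not tcp" >&2; return 1; }
}

# the page's server.conf, written to a temp dir for the demo
d="$(mktemp -d)"
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca ca.crt' 'cert server.crt' 'key server.key' \
  'dh dh.pem' 'server 10.8.0.0 255.255.255.0' 'push "redirect-gateway def1 bypass-dhcp"' \
  'keepalive 10 120' 'cipher AES-256-CBC' 'status openvpn-status.log' 'verb 3' > "$d/server.conf"
make_tcp_conf "$d/server.conf" "$d/server-tcp.conf"
preflight "$d/server-tcp.conf" && cat "$d/server-tcp.conf"
rm -rf "$d"
# then on the VPS (not run here): ufw allow 1194/tcp && systemctl enable --now openvpn@server-tcp
```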

Access an internal device across the tunnel

To reach an internal device (example: IP camera 192.168.88.100), you can use NAT on the MikroTik to expose a local port over the tunnel.

  1. Add a dst-nat rule on the MikroTik:
# in-interface limits the forward to traffic that arrives over the tunnel
# (another VPN client can only reach 10.8.0.6 if server.conf also has client-to-client)
/ip firewall nat add chain=dstnat in-interface=ovpn-out1 protocol=tcp dst-port=8081 \
    action=dst-nat to-addresses=192.168.88.100 to-ports=80
  2. From the server or another client, connect to the routed address and port:
http://10.8.0.6:8081

Traffic flows through the OpenVPN tunnel and reaches the internal host.

Security and best practices

  • Use a unique certificate per client.
  • Combine TLS client certs with a user/password if you need dual-factor-like control.
  • Rotate keys and certificates on a schedule.
  • Limit source IPs in the VPS firewall where practical.
  • Prefer UDP for performance, but verify RouterOS compatibility.
  • Monitor connection health and logs (syslog, openvpn-status.log).

Tip: Automate certificate issuance for many devices with scripts, but keep the CA offline where possible.
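To act on the last two bullets, this added shell snippet (not from the original post) parses the openvpn-status.log written by the status directive in server.conf and flags clients that connected from outside the source ranges you expect. The log it reads is constructed sample data in the status-version 1 format, and the allowlist is passed as dotted prefixes.

```shell
#!/bin/sh
# Added example: read openvpn-status.log (status-version 1, the default for the
# "status" directive) and report who is connected and from where. SAMPLE_STATUS is
# CONSTRUCTED data in that format; real use: list_clients < /etc/openvpn/openvpn-status.log
set -e

SAMPLE_STATUS='OpenVPN CLIENT LIST
Updated,Mon Jan  1 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51234,12345,67890,Mon Jan  1 09:58:00 2024
client2,198.51.100.7:4411,222,333,Mon Jan  1 09:59:10 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.10:51234,Mon Jan  1 09:59:59 2024
10.8.0.10,client2,198.51.100.7:4411,Mon Jan  1 09:59:58 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# list_clients (stdin: status log) -> one "cn source_ip tunnel_ip" line per connected client
list_clients() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { sect = "cl"; next }
    /^ROUTING TABLE/       { sect = "rt"; next }
    /^GLOBAL STATS/        { sect = ""; next }
    # client rows: CN, real address (ip:port), bytes in/out, connected since
    sect == "cl" && NF == 5 && $1 != "Common Name" { split($2, a, ":"); src[$1] = a[1]; order[++n] = $1 }
    # routing rows map the tunnel IP back to the CN
    sect == "rt" && NF == 4 && $1 != "Virtual Address" { tun[$2] = $1 }
    END { for (i = 1; i <= n; i++) { cn = order[i]; print cn, src[cn], (cn in tun ? tun[cn] : "-") } }
  '
}

# unexpected_sources PREFIX... (stdin: status log) -> "cn source_ip" for each client whose
# source address starts with none of the dotted prefixes (e.g. 203.0.113.). This is a plain
# string prefix match, not CIDR math, so pass whole octets including the trailing dot.
unexpected_sources() {
  list_clients | while read -r cn ip _; do
    ok=0
    for p in "$@"; do case "$ip" in "$p"*) ok=1 ;; esac; done
    [ "$ok" -eq 1 ] || echo "$cn $ip"
  done
}

# demo on the constructed log: client2 is flagged
printf '%s\n' "$SAMPLE_STATUS" | unexpected_sources 203.0.113.
```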

Short comparison with modern alternatives

Solution           | Strengths                            | When to pick it
-------------------|--------------------------------------|------------------------------------------------------------
OpenVPN            | Compatibility, granular cert control | Mixed/legacy environments; ISP setups; corporate appliances
WireGuard          | Speed, simplicity                    | Modern devices, small-footprint routers
Tailscale/ZeroTier | Mesh, identity, easy deployment      | Laptops, servers, team collaboration

When to use OpenVPN

  • You need fine-grained certificate control.
  • Your fleet includes legacy devices or appliances without modern agents.
  • You must integrate with existing firewall rules and enterprise PKI.

If you want the lightest possible overhead and modern cryptography, WireGuard (or Tailscale for a user-friendly control plane) is an excellent choice, but OpenVPN still wins on universal compatibility.

Where MKController helps: If you want to avoid manual tunneling and certificate hassles, MKController’s remote tools (NATCloud) let you access devices behind NAT/CGNAT with centralized governance, monitoring and auto-reconnect — no per-device PKI to manage.

Conclusion

OpenVPN is no relic.

It’s a reliable tool when you need compatibility and explicit control over authentication and routing.

Pair it with a VPS and a MikroTik client and you get a robust, auditable remote access path for cameras, routers and internal services.


About MKController

Hope the insights above helped you navigate your MikroTik and Internet universe a little better! 🚀
Whether you’re fine-tuning configs or just trying to bring some order to the network madness, MKController is here to make your life simpler.

With centralized cloud management, automated security updates, and a dashboard that anyone can master, we’ve got what it takes to upgrade your operation.

👉 Start your free 7-day trial now at mkcontroller.com — and see what effortless network control really looks like.