
OpenVPN Remote MikroTik Management

Configure OpenVPN with a VPS server and a MikroTik client for remote management — PKI setup, certificate workflow, and security best practices.

Summary

OpenVPN is a battle-tested TLS-based VPN that pairs cleanly with a VPS as the hub and MikroTik routers as clients for remote management. It predates WireGuard and Tailscale but stays relevant because of its broad compatibility, granular PKI control, and flexible routing options. This guide walks through the Ubuntu VPS server setup with easy-rsa, the client certificate workflow, the MikroTik OVPN-client configuration, and the security checklist that keeps the deployment auditable over time.

How does OpenVPN enable remote MikroTik management?

OpenVPN is an open-source VPN implementation built on OpenSSL that establishes encrypted tunnels over TCP or UDP. For MikroTik remote management, the typical topology pairs an Ubuntu VPS as the always-online server with one or more MikroTik routers as clients. The router initiates the tunnel outbound, so NAT and CGNAT on the customer side don’t matter, and the VPS holds the routes and NAT rules that let you reach the router (and devices behind it) through the tunnel.

OpenVPN’s strengths are mature crypto (AES-256, SHA-256, TLS), IPv4 and IPv6 support, both TUN (routed) and TAP (bridge) modes, and broad compatibility across vendors and operating systems including RouterOS. The trade-offs are heavier CPU consumption than WireGuard on small routers, a real PKI setup step (CA, certificates, keys), and a RouterOS-specific limit you need to know about — historically the MikroTik OVPN client only supports TCP transport on some versions. For comparison patterns, see our WireGuard remote management guide, SSTP guide, and Tailscale guide.

How OpenVPN works

OpenVPN establishes an encrypted tunnel between a server (typically a public VPS) and one or more clients. Authentication uses a CA, per-client certificates, and optional TLS-auth (ta.key). Two common modes:

  • TUN (routed) — IP routing between networks. The standard choice.
  • TAP (bridged) — Layer-2 bridging, useful for broadcast-dependent applications. Heavier and rarely needed.

Step 1: Install OpenVPN on the VPS

apt update && apt install -y openvpn easy-rsa

Step 2: Build the PKI and server keys

make-cadir ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key

Keep the CA private and back it up. Treat CA keys like production secrets — anyone with the CA can forge legitimate client certificates.

Step 3: Write the server configuration

/etc/openvpn/server.conf (minimum). The ca, cert, key and dh paths are relative to /etc/openvpn, so first copy pki/ca.crt, pki/issued/server.crt, pki/private/server.key, pki/dh.pem (and ta.key, if you use it) from ~/openvpn-ca into that directory:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3

Step 4: Start the service and open the firewall

systemctl enable openvpn@server
systemctl start openvpn@server
ufw allow 1194/udp

If you expose port 1194 to the whole internet, secure the VPS — fail2ban, strict SSH keys, and source IP firewall restrictions where practical. Internet-exposed VPN endpoints are continuously probed.

Step 5: Create client certificates and config

Generate a client certificate with easy-rsa from ~/openvpn-ca (./easyrsa build-client-full client1 nopass; the output lands in pki/issued/client1.crt and pki/private/client1.key) and bundle these for the client:

  • ca.crt
  • client1.crt
  • client1.key
  • ta.key (if used)
  • client.ovpn — the client configuration file

A minimal client.ovpn:

client
dev tun
proto udp
remote YOUR.VPS.IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
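The bundling step above is easy to get wrong by hand (wrong file picked from the easy-rsa tree, key left world-readable, ta.key shipped without the matching server directive). The script below is an added example, not part of the original article or of the OpenVPN project: it packages the five files listed above for one client from an easy-rsa 3 PKI. It assumes easy-rsa's default layout under PKI_DIR (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key) with ta.key next to the pki/ directory as produced in Step 2; the demo run at the bottom builds a placeholder tree with dummy PEM bodies so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: package the five files listed
# above for one client from an easy-rsa 3 PKI. Assumes easy-rsa's default
# layout under PKI_DIR (pki/ca.crt, pki/issued/NAME.crt, pki/private/NAME.key)
# and an optional ta.key next to the pki/ directory, as produced in Step 2.

# bundle_client NAME PKI_DIR VPS_IP OUT_DIR [tls-auth]
# Copies the CA, client certificate and key into OUT_DIR/NAME, restricts the
# key to mode 600, and writes NAME.ovpn. Pass "tls-auth" as the fifth argument
# only if server.conf carries "tls-auth ta.key 0"; the client side uses
# direction 1. Prints the output directory on success.
bundle_client() {
  name=$1; pki=$2; vps=$3; out=$4/$1
  for f in "$pki/pki/ca.crt" "$pki/pki/issued/$name.crt" "$pki/pki/private/$name.key"; do
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
  done
  if [ "$5" = "tls-auth" ] && [ ! -f "$pki/ta.key" ]; then
    echo "missing $pki/ta.key" >&2; return 1
  fi
  mkdir -p "$out"
  cp "$pki/pki/ca.crt" "$out/ca.crt"
  cp "$pki/pki/issued/$name.crt" "$out/$name.crt"
  cp "$pki/pki/private/$name.key" "$out/$name.key"
  chmod 600 "$out/$name.key"   # the private key is the device's identity
  {
    cat <<EOF
client
dev tun
proto udp
remote $vps 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert $name.crt
key $name.key
remote-cert-tls server
cipher AES-256-CBC
verb 3
EOF
    if [ "$5" = "tls-auth" ]; then
      cp "$pki/ta.key" "$out/ta.key"
      echo "tls-auth ta.key 1"
    fi
  } > "$out/$name.ovpn"
  echo "$out"
}

# make_demo_pki DIR: constructed placeholder PKI tree so the example runs
# offline. The PEM bodies are dummies, not real certificates or keys.
make_demo_pki() {
  mkdir -p "$1/pki/issued" "$1/pki/private"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' > "$1/pki/ca.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CLIENT1' '-----END CERTIFICATE-----' > "$1/pki/issued/client1.crt"
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END PRIVATE KEY-----' > "$1/pki/private/client1.key"
  printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Demo against the constructed tree; for real use point PKI_DIR at ~/openvpn-ca.
demo=$(mktemp -d)
make_demo_pki "$demo/openvpn-ca"
bundle_client client1 "$demo/openvpn-ca" 203.0.113.5 "$demo/clients" tls-auth
ls -l "$demo/clients/client1"
```

For a MikroTik client you still upload the separate ca.crt, client1.crt and client1.key from the output directory; the generated .ovpn serves desktop OpenVPN clients used by administrators.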

Step 6: Configure the MikroTik as OpenVPN client

RouterOS supports OpenVPN client connections with RouterOS-specific limits — notably that older versions restrict to TCP transport.

  1. Upload ca.crt, client1.crt, and client1.key to the MikroTik via Winbox’s Files window, then import them so RouterOS can use them (the imported client certificate is named client1.crt_0 by default):
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=client1.crt passphrase=""
/certificate import file-name=client1.key passphrase=""
  2. In a terminal, create the client. Set cipher=aes256 to match the server’s AES-256-CBC (the RouterOS default is the weaker blowfish128). The user and password fields are mandatory in RouterOS but are only checked if the server is configured for username/password authentication; here authentication is by certificate.
/interface ovpn-client add name=ovpn-out1 \
connect-to=YOUR.VPS.IP port=1194 \
user=vpnuser password="yourpassword" \
certificate=client1.crt_0 cipher=aes256 auth=sha1 \
profile=default-encryption add-default-route=no
/interface ovpn-client print

Expected status:

status: connected
uptime: 00:01:03
remote-address: 10.8.0.1
local-address: 10.8.0.6

Check your RouterOS release notes if the connection fails with UDP — if your version restricts the OVPN client to TCP, switch the server proto to tcp and the firewall rule accordingly. For a UDP-friendly alternative on RouterOS, WireGuard is the modern default.

Reach an internal device across the tunnel

To reach a device behind the MikroTik (e.g., a camera at 192.168.88.100), use dst-nat on the MikroTik to expose a local port over the tunnel. Match on the OVPN interface so the rule only applies to traffic arriving through the tunnel and never to packets hitting the WAN side:

/ip firewall nat add chain=dstnat in-interface=ovpn-out1 protocol=tcp dst-port=8081 \
action=dst-nat to-addresses=192.168.88.100 to-ports=80

From the server (or from another VPN client, which additionally requires client-to-client in server.conf), connect via the routed address and port:

http://10.8.0.6:8081

Traffic flows through the OpenVPN tunnel and reaches the internal host.

Security best practices

  • Unique certificate per client. Never reuse keys across devices.
  • Combine TLS client certs with a username/password if you want dual-factor-like control.
  • Rotate keys and certificates on a schedule. Implement CRLs (certificate revocation lists) for lost devices.
  • Limit source IPs in the VPS firewall where practical.
  • Prefer UDP for performance; verify RouterOS compatibility per release.
  • Monitor connection health and logs (syslog, openvpn-status.log).
  • Automate certificate issuance for many devices with scripts, but keep the CA offline where possible — a CA on a connected server is one phishing email away from compromise.
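The CRL item above is the one most often left as a note to self. Below is an added example (not from the original article or the OpenVPN project) of the revocation workflow for a lost device: the two easy-rsa commands, then an idempotent step that publishes the CRL beside server.conf and ensures the crl-verify directive is present. It assumes easy-rsa 3 in PKI_DIR (which writes pki/crl.pem) and the server.conf from Step 3 in CONF_DIR (/etc/openvpn on the VPS); the demo at the bottom uses a constructed stand-in for both so it runs offline, and does not call easy-rsa.

```shell
#!/bin/sh
# Added example, not from the original article: revoke a lost device's
# certificate and publish the CRL so the server rejects it from the next
# handshake on. Assumes easy-rsa 3 in PKI_DIR (writes pki/crl.pem) and the
# server.conf from Step 3 in CONF_DIR (/etc/openvpn on the VPS).

# revoke_client NAME PKI_DIR: the two easy-rsa steps. They need the real CA,
# so the offline demo below does not call them.
revoke_client() {
  (cd "$2" && ./easyrsa revoke "$1" && ./easyrsa gen-crl)
}

# install_crl PKI_DIR CONF_DIR: copy the fresh CRL beside server.conf and make
# sure "crl-verify crl.pem" is present exactly once, so it is safe to rerun
# after every gen-crl. The file must stay readable by the unprivileged user
# (user nobody above) because OpenVPN re-reads it after dropping privileges.
install_crl() {
  conf=$2/server.conf
  [ -f "$1/pki/crl.pem" ] || { echo "no crl.pem under $1/pki" >&2; return 1; }
  [ -f "$conf" ] || { echo "no server.conf in $2" >&2; return 1; }
  cp "$1/pki/crl.pem" "$2/crl.pem"
  chmod 644 "$2/crl.pem"
  if ! grep -q '^crl-verify ' "$conf"; then
    echo 'crl-verify crl.pem' >> "$conf"
    echo "added crl-verify to $conf; apply with: systemctl restart openvpn@server" >&2
  fi
}

# has_crl_verify CONF_DIR: number of crl-verify directives (should be exactly 1).
has_crl_verify() {
  grep -c '^crl-verify ' "$1/server.conf"
}

# make_demo_crl_env DIR: constructed stand-in for the PKI and config directory
# (placeholder CRL body, trimmed server.conf) so the example runs offline.
make_demo_crl_env() {
  mkdir -p "$1/pki" "$1/conf"
  printf '%s\n' '-----BEGIN X509 CRL-----' 'PLACEHOLDER-CRL' '-----END X509 CRL-----' > "$1/pki/crl.pem"
  printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca ca.crt' 'cert server.crt' 'key server.key' 'user nobody' 'group nogroup' > "$1/conf/server.conf"
}

demo=$(mktemp -d)
make_demo_crl_env "$demo"
install_crl "$demo" "$demo/conf"   # first run appends the directive
install_crl "$demo" "$demo/conf"   # second run only refreshes crl.pem
echo "crl-verify lines: $(has_crl_verify "$demo/conf")"
cat "$demo/conf/server.conf"
```

Once crl-verify is active, a revoked client fails the TLS handshake with a certificate-revoked error in the server log, which is the signal to confirm in syslog after revoking a lost router. Regenerate and reinstall the CRL before its own expiry as well: an expired CRL makes the server reject every client, not just the revoked ones.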

For broader management-plane security context, see our Winbox security best practices article.
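The monitoring item in the checklist is concrete once you parse openvpn-status.log. The script below is an added example (not from the original article or the OpenVPN project) that reads the status file in its default status-version 1 layout, lists live sessions with their tunnel address, and flags two things the checklist cares about: a certificate in use that is not on your device roster, and one common name holding several sessions at once. The status file and roster it runs on are constructed sample data embedded in the script.

```shell
#!/bin/sh
# Added example, not from the original article: parse openvpn-status.log
# (status-version 1, OpenVPN's default) to list live sessions and flag
# certificates in use that are not on the device roster, and CNs with more
# than one session. The log lines and roster below are constructed samples.

# status_sessions FILE: one "CN real_address virtual_address" line per session,
# joining the CLIENT LIST and ROUTING TABLE sections on CN plus real address.
# "-" as virtual address means the session has no route entry yet.
status_sessions() {
  awk -F, '
    /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
    /^ROUTING TABLE/       { sec = "routes";  next }
    /^GLOBAL STATS/        { sec = "";        next }
    /^Updated,/ || /^Common Name,/ || /^Virtual Address,/ { next }
    sec == "clients" { order[++n] = $1 "|" $2 }
    sec == "routes"  { vaddr[$2 "|" $3] = $1 }
    END {
      for (i = 1; i <= n; i++) {
        split(order[i], p, "|")
        v = (order[i] in vaddr) ? vaddr[order[i]] : "-"
        print p[1], p[2], v
      }
    }' "$1"
}

# unexpected_clients FILE ROSTER_FILE: CNs with a live session that are absent
# from the roster (one expected CN per line). An unknown CN means either a
# certificate you did not record, or one you did not knowingly issue.
unexpected_clients() {
  status_sessions "$1" | awk -v roster="$(tr '\n' ' ' < "$2")" '
    BEGIN { n = split(roster, r, " "); for (i = 1; i <= n; i++) ok[r[i]] = 1 }
    !($1 in ok) { print $1 }'
}

# duplicate_sessions FILE: CNs holding more than one session, i.e. the same
# certificate on two devices. The server only permits this when duplicate-cn
# is set; without it a second connection kicks the first, so also watch syslog
# for a CN that keeps reconnecting from changing addresses.
duplicate_sessions() {
  status_sessions "$1" | awk '{ c[$1]++ } END { for (k in c) if (c[k] > 1) print k }'
}

# make_demo_status FILE: constructed status-version 1 file with three routers,
# one of them (client2) connected twice and one (client9) not on the roster.
make_demo_status() {
  cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Thu Jun  6 10:00:00 2024
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,203.0.113.10:51234,12345,67890,Thu Jun  6 09:55:00 2024
client2,198.51.100.7:40001,2048,4096,Thu Jun  6 09:58:00 2024
client2,192.0.2.44:55210,1024,2048,Thu Jun  6 09:59:30 2024
client9,192.0.2.99:61000,512,512,Thu Jun  6 09:59:50 2024
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,203.0.113.10:51234,Thu Jun  6 09:59:00 2024
10.8.0.10,client2,198.51.100.7:40001,Thu Jun  6 09:59:40 2024
10.8.0.14,client2,192.0.2.44:55210,Thu Jun  6 09:59:50 2024
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}

demo=$(mktemp -d)
make_demo_status "$demo/openvpn-status.log"
printf '%s\n' client1 client2 > "$demo/roster"   # constructed device roster
echo "sessions:";           status_sessions "$demo/openvpn-status.log"
echo "not on roster:";      unexpected_clients "$demo/openvpn-status.log" "$demo/roster"
echo "duplicate sessions:"; duplicate_sessions "$demo/openvpn-status.log"
```

Run it from cron against /etc/openvpn/openvpn-status.log with a roster kept alongside your certificate issuance records; any output from the last two functions is worth an alert, and the roster check doubles as an inventory of which router sits at which 10.8.0.x address.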

OpenVPN vs. modern alternatives

Solution | Strengths | When to pick it
OpenVPN | Compatibility, granular cert control | Mixed/legacy fleets; corporate appliances
WireGuard | Speed, simplicity, modern crypto | Modern devices, small-footprint routers
SSTP | TLS over port 443, firewall traversal | Networks that block UDP and other VPN ports
Tailscale / ZeroTier | Mesh, identity-based, easy deployment | Laptops, teams, cross-platform collaboration

When to use OpenVPN

Choose OpenVPN when fine-grained certificate control matters, your fleet includes legacy devices or appliances without modern VPN agents, or you need to integrate with existing firewall rules and enterprise PKI. If raw throughput and minimal CPU overhead matter more, WireGuard wins — see the WireGuard tutorial and the Tailscale guide.

Take the next step

OpenVPN is not a relic. It’s a reliable tool when you need compatibility and explicit control over authentication and routing. Pair it with a VPS and a MikroTik client and you get a robust, auditable remote-access path for cameras, routers, and internal services.

If you’d rather skip the per-device PKI ceremony, MKController’s NATCloud delivers remote access to devices behind NAT or CGNAT with centralized governance, monitoring, and auto-reconnect — no certificates to maintain per router.
