MikroTik Site To Site OpenVPN Server Setup

This document discusses setting up a site-to-site OpenVPN tunnel between two MikroTik routers to connect their private networks. It describes creating SSL certificates on the server router, configuring it as an OpenVPN server, and configuring the client router with an OpenVPN client profile to connect to the server. The goal is to allow devices on each private network to communicate securely over the public internet as if they were directly connected on the same local network.

Uploaded by

DanuLS

MikroTik Site to Site OpenVPN Server Setup (RouterOS Client)

VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a public network. So, a
private network user can send and receive data to any remote private network through VPN tunnel as if his/her
network device was directly connected to that private network.

MikroTik OpenVPN Server provides a secure and encrypted tunnel across public network for transporting IP traffic
using PPP. OpenVPN Server uses SSL Certificates. So, OpenVPN Tunnel is a trusted tunnel to send and receive data
across public network. MikroTik OpenVPN Server can be applied in two methods.

• Connecting remote workstation/client with OpenVPN: In this method, OpenVPN client software, installed on any
  operating system such as Windows, can communicate with MikroTik OpenVPN server through OpenVPN
  tunnel whenever required and can access remote private network as if it was directly connected to the remote
  private network.
• Site to Site OpenVPN: This method is also known as VPN between routers. In this method, an OpenVPN client
  supported router always establishes an OpenVPN tunnel with MikroTik OpenVPN Server. So, private
  networks of these routers can communicate with each other as if they were directly connected to the same
  router.

The goal of this article is to create a site to site OpenVPN Tunnel across public network. So, in this article I will
show how to configure OpenVPN Tunnel between two MikroTik RouterOS so that local networks of these routers
can communicate with each other as if they were directly connected to the same router.

Network Diagram

To configure a site to site OpenVPN Tunnel between two MikroTik RouterOS, I am following a network diagram
like below image.

[Figure: Site to Site OpenVPN Tunnel]

In this network, Office1 Router is connected to internet through ether1 interface having IP address 192.168.70.2/30.
In your real network, this IP address should be replaced with public IP address. Office1 Router’s ether2 interface is
connected to local network having IP network 10.10.11.0/24. We will configure OpenVPN Server in this router and
after OpenVPN configuration the router will create a virtual interface (OVPN Tunnel) across public network whose
IP address will be 172.22.22.1.

On the other hand, Office2 Router is a remote router and can access Office1 Router’s WAN IP. Office2 Router’s
ether1 interface is connected to internet having IP address 192.168.40.2/30 and ether2 has a local IP network
10.10.12.0/24. We will configure OpenVPN client in this router and after OpenVPN client configuration the router
will have a virtual interface (OVPN Tunnel) across public network whose IP address will be 172.22.22.2.

Core Devices and IP Information

To configure a site to site OpenVPN between two Routers, I am using two MikroTik RouterOS v6.38.1. The IP
information that I am using for this network configuration is given below.

• Office 1 Router WAN IP: 192.168.70.2/30, LAN IP Block 10.10.11.0/24 and Tunnel interface IP 172.22.22.1/30
• Office 2 Router WAN IP: 192.168.80.2/30, LAN IP Block 10.10.12.0/24 and Tunnel interface IP 172.22.22.2/30

This IP information is just for my R&D purposes. Change this information according to your network requirements.

Site to Site OpenVPN Configuration


We will now start Site to Site OpenVPN configuration with MikroTik Router according to the above network
diagram. Complete site to site OpenVPN configuration can be divided into two parts.

• Part 1: Office1 Router Configuration for OpenVPN Server
• Part 2: Office2 Router Configuration for OpenVPN Client

Part 1: Office1 Router Configuration for OpenVPN Server


We will configure OpenVPN Server in Office1 RouterOS. Complete RouterOS configuration for OpenVPN Server
can be divided into four steps.

• Step 1: MikroTik RouterOS basic configuration
• Step 2: Creating SSL certificate for OpenVPN server
• Step 3: OpenVPN Server configuration
• Step 4: PPP Secret creation for OpenVPN

Step 1: MikroTik RouterOS Basic Configuration

In MikroTik RouterOS basic configuration, we will assign WAN, LAN and DNS IP and perform NAT and Route
configuration. The following steps will show how to do these topics in your RouterOS.

• Login to MikroTik RouterOS using winbox and go to IP > Addresses. In Address List window, click on PLUS
  SIGN (+). In New Address window, put WAN IP address (192.168.70.2/30) in Address input field and choose
  WAN interface (ether1) from Interface dropdown menu and click on Apply and OK button. Click on PLUS
  SIGN again and put LAN IP (10.10.11.1/24) in Address input field and choose LAN interface (ether2) from
  Interface dropdown menu and click on Apply and OK button.
• Go to IP > DNS and put DNS servers IP (8.8.8.8 or 8.8.4.4) in Servers input field and click on Apply and OK
  button.
• Go to IP > Firewall and click on NAT tab and then click on PLUS SIGN (+). Under General tab,
  choose srcnat from Chain dropdown menu and click on Action tab and then choose masquerade from Action
  dropdown menu. Click on Apply and OK button.
• Go to IP > Routes and click on PLUS SIGN (+). In New Route window, click on Gateway input field and put
  WAN Gateway address (192.168.70.1) in Gateway input field and click on Apply and OK button.

Basic RouterOS configuration has been completed. Now we will create the SSL certificate for OpenVPN Server.

Step 2: Creating SSL certificate for OpenVPN Server

OpenVPN Server configuration requires SSL certificate because OpenVPN uses SSL certificate for secure
communication. MikroTik RouterOS version 6 gives ability to create, store and manage certificates in certificate
store. So, we will create required OpenVPN certificate from our RouterOS. OpenVPN Server requires the following
certificates:

1. CA (Certification Authority) certificate and
2. Server certificate

Creating CA certificate

The following steps will show how to create CA certificate in MikroTik RouterOS.

• Go to System > Certificates menu item from winbox and click on Certificates tab and then click on PLUS SIGN
  (+). New Certificate window will appear.
• Put your CA certificate name (for example: ca) in Name input field. Also put a certificate common name (for
  example: ca) in Common Name input field.
• You will find some optional fields in General tab. You can fill them in if you wish. All fields are self-defined.
• Click on Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign.
• Click on Apply button and then click on Sign button. Sign window will appear now.
• Your newly created certificate template will appear in certificate dropdown menu. Select your newly created
  certificate template if it is not selected.
• Put MikroTik Router’s WAN IP address (192.168.70.2) in CA CRL Host input field.
• Click on Sign button. Your signed certificate will be created within a few seconds.
• Click on OK button to close New Certificate window.
• If newly created CA certificate does not show T flag or Trusted property shows no value, double click on your
  CA certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and
  OK button.

CA certificate has been created successfully. Now we will create server certificate.

Creating Server Certificate

The following steps will show how to create server certificate in MikroTik RouterOS.

• Click on PLUS SIGN (+) again. New Certificate window will appear.
• Put your server certificate name (for example: server) in Name input field. Also put a certificate common
  name (for example: server) in Common Name input field.
• If you have put any optional field for CA certificate, put them here also.
• Click on Key Usage tab and uncheck all checkboxes.
• Click on Apply button and then click on Sign button. Sign window will appear now.
• Your newly created server certificate template will appear in certificate dropdown menu. Select your newly
  created certificate template if it is not selected.
• Also select CA certificate from CA dropdown menu.
• Click on Sign button. Your signed certificate will be created within a few seconds.
• Click on OK button to close New Certificate window.
• If newly created server certificate does not show T flag or Trusted property shows no value, double click on
  your server certificate and click on Trusted checkbox located at the bottom of General tab and then click on
  Apply and OK button.

Server certificate has been created successfully. Now we will enable and configure OpenVPN Server in MikroTik
RouterOS.

Step 3: OpenVPN Server Configuration in MikroTik Router

After creating SSL certificate, we are now eligible to enable OpenVPN Server in MikroTik Router. The following
steps will show how to enable OpenVPN Server in your MikroTik Router with proper configuration.

• Click on PPP menu item from winbox and then click on Interface tab.
• Click on OVPN Server button. OVPN Server window will appear.
• Click on Enabled checkbox.
• From Certificate dropdown menu, choose server certificate that we created before.
• From Auth. panel, uncheck all checkboxes except sha1.
• From Cipher panel, uncheck all checkboxes except aes 256.
• Now click on Apply and OK button.

OpenVPN Server is now running in MikroTik Router. Now we will create OpenVPN user who will be connected to
this server.

Step 4: PPP Secret creation for OpenVPN

After OpenVPN Server setup, we need to create OpenVPN user who will be connected to OpenVPN Server.
OpenVPN Server uses PPP user for authentication. So, we will now create PPP secret (username and password) for
OpenVPN client. The following steps will show how to create PPP secret in MikroTik Router.

• Click on PPP menu item from winbox and then click on Secrets tab.
• Click on PLUS SIGN (+). New PPP Secret window will appear.
• Put username (For example: sayeed) in Name input and password in Password input field. This username and
  password will be required at the time of OpenVPN client configuration.
• Choose ovpn from Service dropdown menu.
• Put Office 1 Router’s virtual interface IP (172.22.22.1) in Local Address input field and put Office 2 Router’s
  virtual interface IP (172.22.22.2) in Remote Address input field.
• Put static routes to reach Office2 Router’s local network in Routes input field. This route will be added in
  Office1 Router’s routing table when OpenVPN user will be connected from Office2 Router. The route format
  is: dst-address gateway metric (example for this configuration: 10.10.12.0/24 172.22.22.2 1). Several routes may
  be specified separated with commas.
• Click on Apply and OK button.

PPP user who will be connected from remote client machine has been created. Whenever your created user will be
connected from OpenVPN client router (Office2 Router), the Remote Address IP will be assigned for its virtual
interface and the routes will be created in Office1 Router’s routing table so that Office1 Router’s local network can
reach remote router’s (Office2 Router) local network.

Office1 Router configuration for OpenVPN Server has been completed. Now Office1 Router is ready to create
OpenVPN Tunnel for its OpenVPN user. In the next part, we will configure our Office2 Router so that it can connect
to Office1 Router through OVPN Tunnel to reach Office1 Router’s local network.
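
The Part 1 Winbox steps expressed as RouterOS terminal commands, followed by checks to run before moving on. This is an added example, not part of the original document; the password is a placeholder, and the server certificate is created with the CLI default key usage instead of the cleared Key Usage boxes from Step 2 (an assumption of this example).

```routeros
# Added example (not from the original document): Part 1 on Office1 Router via the terminal.

# Step 1: WAN/LAN addresses, DNS, NAT and default route
/ip address add address=192.168.70.2/30 interface=ether1
/ip address add address=10.10.11.1/24 interface=ether2
/ip dns set servers=8.8.8.8
# As in Step 1, no out-interface is set, so this rule also masquerades
# traffic that leaves through the OVPN tunnel.
/ip firewall nat add chain=srcnat action=masquerade
/ip route add gateway=192.168.70.1

# Step 2: CA certificate limited to certificate and CRL signing
/certificate add name=ca common-name=ca key-usage=key-cert-sign,crl-sign
/certificate sign ca ca-crl-host=192.168.70.2
/certificate set ca trusted=yes

# Step 2: server certificate signed by the CA
# Assumption: key-usage is left at the CLI default here; Step 2 clears it in Winbox.
/certificate add name=server common-name=server
/certificate sign server ca=ca
/certificate set server trusted=yes

# Check: both certificates should be listed with the K (private key) and T (trusted) flags
/certificate print

# Step 3: enable the OVPN server with the values chosen in the Auth. and Cipher panels
/interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes256

# Step 4: PPP secret for Office2 Router; CHANGE-ME is a placeholder password
/ppp secret add name=sayeed password="CHANGE-ME" service=ovpn \
    local-address=172.22.22.1 remote-address=172.22.22.2 \
    routes="10.10.12.0/24 172.22.22.2 1"

# Checks: server settings now, session and pushed route once Office2 has connected
/interface ovpn-server server print
/ppp active print
/ip route print where dst-address=10.10.12.0/24
```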

Part 2: Office2 Router Configuration for OpenVPN Client


According to our network diagram, Office2 Router is working as an OpenVPN client router. So, we will configure
OpenVPN client in Office2 Router. Complete RouterOS configuration can be divided into three steps.

• Basic RouterOS Configuration
• OpenVPN client configuration
• Static route configuration

Step 1: Basic RouterOS Configuration

Basic RouterOS configuration includes assigning WAN, LAN and DNS IP as well as NAT and Route configuration.
The following steps will guide you about basic RouterOS configuration.

• Login to Office2 RouterOS using winbox and go to IP > Addresses. In Address List window, click on PLUS
  SIGN (+). In New Address window, put WAN IP address (192.168.80.2/30) in Address input field and choose
  WAN interface (ether1) from Interface dropdown menu and click on Apply and OK button. Click on PLUS
  SIGN again and put LAN IP (10.10.12.1/24) in Address input field and choose LAN interface (ether2) from
  Interface dropdown menu and click on Apply and OK button.
• Go to IP > DNS and put DNS servers IP (8.8.8.8 or 8.8.4.4) in Servers input field and click on Apply and OK
  button.
• Go to IP > Firewall and click on NAT tab and then click on PLUS SIGN (+). Under General tab, choose srcnat
  from Chain dropdown menu and click on Action tab and then choose masquerade from Action dropdown
  menu. Click on Apply and OK button.
• Go to IP > Routes and click on PLUS SIGN (+). In New Route window, click on Gateway input field and put
  WAN Gateway address (192.168.80.1) in Gateway input field and click on Apply and OK button.

Basic RouterOS configuration in Office2 Router has been completed. Now it is time to create OpenVPN Client in
our MikroTik Router.

Step 2: OpenVPN Client Configuration

After completing RouterOS basic configuration, we will now configure OpenVPN client in Office2 Router. The
following steps will show you how to create OVPN client in your MikroTik Router.

• Click on Interfaces menu item from winbox and then click on Interface tab. Click on PLUS SIGN (+)
  dropdown menu and then choose OVPN Client option. New Interface window will appear.
• Click on General tab and put OpenVPN interface name (openvpn-server) in Name input field.
• Click on Dial Out tab and put Office1 Router’s WAN IP (192.168.70.2) in Connect To input field. This IP must
  be reachable from Office2 Router.
• Put username (sayeed) and password that you have provided in Office1 Router’s PPP user configuration, in
  User and Password input field respectively.
• From Auth. dropdown menu, choose sha1.
• From Cipher dropdown menu, choose aes 256.
• Click on Apply and OK button.

As soon as you provide the above information, an OVPN Tunnel will be created between Office1 and Office2 Router
and provided local and remote IP address will be assigned in Office1 and Office2 Router’s virtual interface
respectively. At this stage, Office1 Router as well as its local network will be able to reach Office2 Router and its
local network but Office2 Router and its local network will only be able to reach Office1 Router but not its local
network. To reach Office1 Router’s local network, a static route must be added in Office2 Router’s routing table.

Step 3: Static Route Configuration

After configuring OVPN Client in Office2 Router, Office 2 Router can only access Office 1 Router but not its local
network. To solve this issue, a route is required in Office2 Router’s routing table. The following steps will show how
to add a route in Office2 Router’s routing table statically.

• Go to IP > Routes and then click on PLUS SIGN (+).
• In New Route window, provide Office1 Router’s local network (10.10.11.0/24) where you want to reach, in Dst.
  Address input field.
• Click on Gateway input field and then choose OpenVPN client interface (openvpn-server) that you have
  created at the time of OVPN client configuration, from Gateway dropdown menu.
• Click on Apply and OK button.

Now Office 2 Router and its local network will be able to access Office 1 Router’s local network.

Office1 Router and Office2 Router configuration for establishing an OVPN Tunnel between them has been
completed. Now both routers’ local networks are able to access each other. To check your configuration, send a
ping request from any local network machine to a machine on the other local network. If everything is OK, your
ping request will succeed.
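
The Part 2 Winbox steps expressed as RouterOS terminal commands, with checks that the tunnel is up and that LAN-to-LAN traffic passes. This is an added example, not part of the original document; the password is a placeholder that must match the PPP secret on Office1 Router, and `disabled=no` is included because an interface added from the terminal is otherwise created disabled.

```routeros
# Added example (not from the original document): Part 2 on Office2 Router via the terminal.

# Step 1: WAN/LAN addresses, DNS, NAT and default route
/ip address add address=192.168.80.2/30 interface=ether1
/ip address add address=10.10.12.1/24 interface=ether2
/ip dns set servers=8.8.8.8
/ip firewall nat add chain=srcnat action=masquerade
/ip route add gateway=192.168.80.1

# Step 2: OVPN client towards Office1 Router's WAN IP
# CHANGE-ME is a placeholder; use the password set in Office1 Router's PPP secret.
# auth and cipher must match the values selected on the OVPN server.
/interface ovpn-client add name=openvpn-server connect-to=192.168.70.2 \
    user=sayeed password="CHANGE-ME" auth=sha1 cipher=aes256 disabled=no

# Step 3: static route to Office1 Router's local network through the tunnel interface
/ip route add dst-address=10.10.11.0/24 gateway=openvpn-server

# Check: the client interface should show the R (running) flag
/interface ovpn-client print

# Check: the tunnel interface should hold 172.22.22.2 once connected
/ip address print where interface=openvpn-server

# Check: the route to 10.10.11.0/24 should be active via openvpn-server
/ip route print where dst-address=10.10.11.0/24

# Check: ping Office1 Router's LAN address, sourced from Office2 Router's LAN address
/ping 10.10.11.1 src-address=10.10.12.1 count=4
```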
