Setup Mikrotik OpenVPN Server using CAcert with Linux Client

Creating Mikrotik OpenVPN Server Certificates

OpenVPN works with SSL certificates. You can either use http://cacert.org to issue these or use the easy-rsa scripts that come with most OpenVPN distributions. On RouterOS, all you have to do is upload them via FTP (CA certificate, router certificate and private key) and import them with /certificate import.

Creating Certificates with CAcert.org

Make sure you have created an account at CAcert.org. Log in to your CAcert.org account and define your domain (Domains > Add). Note: you will need access to a root, postmaster, webmaster or other authoritative e-mail account at that domain to do this.
In RouterOS, open a New Terminal window and create a certificate request with the following command:

/certificate create-certificate-request

You will be asked a number of questions:

select name for certificate request file. it will be created after you finish
entering all required information. 

certificate request file name: certificate-request.pem
select name of private key file. if such file does not exist, it will be
created later. 

file name: private-key.pem
private key file already exists and will be overwritten if you continue.
please enter passphrase that will be used to encrypt generated private key
file. you must enter it twice to be sure you have not made any typing errors. 

passphrase: ****  [IMPORTANT]
verify passphrase: ****   [IMPORTANT]
enter number of bits for RSA key. longer keys take more time to generate. 

rsa key bits: 1024  [Default]
now you will be asked to enter values that make up distnguished name of your
certificate. you can leave some of them empty. CA may reject your certificate
request if some of these values are incorrect or missing, so please check what
are the requirements of your CA. 

enter two character coutry code. 

country name: [NOT IMPORTANT]
enter full name of state or province. 

state or province name: [NOT IMPORTANT]
enter locality (e.g. city) name 

locality name: [NOT IMPORTANT]

enter name of the organization 

organization name: [NOT IMPORTANT]
enter organizational unit name 

organization unit name: [NOT IMPORTANT]

enter common name. for ssl web servers this must be the fully qualified domain
name (FQDN) of the server that will use this certificate (like
www.someverysecuresitename.com) . this is checked by browsers. 

common name: ovpnserver.mydomain.com  [IMPORTANT]
enter email address 

email address: [NOT IMPORTANT]

now you can enter challenge password. it's use depends on your CA. it may be
used to revoke this certificate. 

challenge password: [NOT IMPORTANT]

you can enter unstructured address, if your CA accepts or requires it. 

unstructured address: [NOT IMPORTANT]

now private rsa key will be generated. no other certificate operations are
possible while generating key. 4096 bit key takes about 30 seconds on Celeron
800 system to generate. you will receive log message when it is done. download
by ftp from this router both private key and certificate request files. after
you receive your certificate from CA, upload it and the private key that will
be made now to a router and use "/certificate import" command to install it.

As you can see, the only important fields are the Passphrase and Common Name fields; everything else can be left empty or at its default. This howto assumes you used “server” as common name. If not, you will have to replace it in the command for the VPN server as well! After a few seconds you will receive a notification that the certificate request file was created:

echo: system,info,critical certificate request file certificate-request.pem and private key file private-key.pem created

Copy the certificate-request.pem file to your desktop and open it with Wordpad, Textpad, or any other text editor (except Notepad). Now go back to your CAcert.org account, and create a new Server Certificate (Server Certificates > New). Copy the entire contents of the certificate-request.pem file and Paste them into the “Paste Your CSR(Certificate Signing Request) below…” box on the CAcert.org site. Submit the form and if all goes well, you should be presented with a “Below is your Server Certificate” page with a bunch of text. Copy/Paste this text into a text file using Wordpad/Textpad (or anything except Notepad), and save it as certificate-response.pem. Upload this file to the router, and import it.

Now this is the tricky part… without this next part you will get the dreaded “Couldn’t change OVPN Server – no certificate found (6)” error as soon as you choose the certificate in OVPN Server!

Once you have successfully imported the certificate-response.pem file and can see it listed in the certificate list, you have to import the private-key.pem you generated earlier. Import the private key file in the same way and your certificate should get “KR” written next to it (K: decrypted private key, R: RSA). Now you will be able to use this certificate for OVPN.


Server configuration

Separate segment for VPN and destination network

The network configuration of your box:
/ip address add address=10.15.30.31/24 interface=ether1 comment=Lan
/ip address add address=189.64.0.2/24 interface=ether2 comment=Internet
/ip route add dst-address=10.0.0.0/8 gateway=10.15.30.5 comment=Wan
/ip route add gateway=189.64.0.1 comment=Internet

Lan and Wan are the internal networks; Internet is obviously the Internet.
Although it was explained here, I still was confused since I didn’t expect Internet on ether2. If your router is already working and online, all you need is the first line ( /ip address add address=10.15.30.31/24 interface=ether1 comment=Lan ), replacing interface=ether1 with your Lan interface. If NAT/masquerading is needed, this will do the job:

/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade

Define an IP pool:
/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

This pool is used for the OpenVPN clients.

Define a profile:
/ppp profile
add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
Add a vpn user:
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any

Some might want to set service=ovpn instead of service=any, so that this username can only connect to the OpenVPN server and not to PPPoE or PPTP.

OpenVPN server configuration:
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no

Firewall

If you have a firewall defined, that denies access, you would want to allow access to OpenVPN:

/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp

Default Route

I haven’t figured out how to redistribute the default route from the OpenVPN server, so you’ll have to add it yourself on the client by specifying the add-default-route option (if you have a RouterOS client).
If you have a Linux or a Windows client, you can use the route-up directive instead. Put it in your client OpenVPN configuration file followed by the command to run, and OpenVPN will execute that command once the tunnel and its routes are up.
For example, to add a static route for 192.168.0.0 (netmask 255.255.255.0; obviously this network is on the remote side) through your OpenVPN gateway (IP 10.15.30.31), add this on Linux:
route-up "route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.30.31"
or, on Windows:
route-up "route add 192.168.0.0 mask 255.255.255.0 10.15.30.31"

Now it’s time for the client

  • get root.crt into the client’s config directory, or create it later from your certificate store (see below)
  • create and verify the e-mail address openvpnuser@mylinuxbox.dyndns.org at CAcert
  • create a client certificate with 1024 bit and store the cert in your browser’s certificate store
  • export the cert from your browser to the file ‘client-cacert.p12’ (PKCS#12 format), setting an export password (needed later!)
  • extract the client certificate and client key into one file ‘client-cacert.pem’ (this should even work on a Windows box):
 openssl pkcs12 -in client-cacert.p12 -clcerts -out client-cacert.pem -nodes
  • the pkcs12 export asks first for your import password (the export password set before) and then for a ‘PEM pass phrase’ (with confirmation). It protects your private key and has to be entered again (‘private key password’) to start your OpenVPN tunnel!
  • if you didn’t fetch root.crt from the CAcert website, you can extract it from your export file with:
 openssl pkcs12 -in client-cacert.p12 -nokeys -cacerts -out root.crt
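Before importing on the router or starting the client, it pays to check that the PEM files actually belong together: a certificate whose private key was never matched is one way to end up with the “no certificate found (6)” error described above, and a client cert that does not chain to root.crt will be rejected by OpenVPN. The POSIX shell helpers below are an added example, not part of the original howto; they assume the openssl CLI and the file names used on this page (certificate-response.pem / private-key.pem on the router side, client-cacert.pem / root.crt on the client side).

```shell
#!/bin/sh
# Added example (not from the original howto): sanity-check PEM files before
# importing them into RouterOS or starting the OpenVPN client.
# Assumes the openssl CLI; file names are the ones used in this howto.

# Does the certificate's public key match the private key?  A mismatch means
# RouterOS never gets to attach the key ("K" flag) to the certificate.
# Optional third argument: an openssl -passin spec (e.g. "pass:secret") for a
# passphrase-protected key such as the router's private-key.pem.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(
        if [ -n "$3" ]; then openssl pkey -in "$2" -pubout -passin "$3"
        else openssl pkey -in "$2" -pubout; fi
    ) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Does the certificate chain to the CA bundle (root.crt from CAcert)?
# This is the same check OpenVPN does for the "ca root.crt" directive.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the certificate's Common Name, the one field marked IMPORTANT above.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_pems CERT KEY CA [PASSIN]: run all checks, report, fail on any problem.
check_pems() {
    rc=0
    if cert_key_match "$1" "$2" "$4"; then echo "OK: key matches $1"
    else echo "FAIL: $2 does not belong to $1"; rc=1; fi
    if cert_chains_to "$1" "$3"; then echo "OK: $1 chains to $3"
    else echo "FAIL: $1 is not signed by $3"; rc=1; fi
    echo "CN=$(cert_cn "$1")"
    return $rc
}

# Router side (passphrase-protected key created by create-certificate-request):
#   check_pems certificate-response.pem private-key.pem root.crt pass:YOURPASSPHRASE
# Linux client (cert and key live in the same file after the pkcs12 export):
#   check_pems client-cacert.pem client-cacert.pem root.crt
```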

client of a routed server (tun)

dev tun
proto tcp-client

remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address

ca   root.crt
cert client-cacert.pem
key  client-cacert.pem

tls-client
port 1194 

user nobody
group nogroup

#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.

username
password

client of a bridged server (tap)

Please replace dev tun with dev tap. Otherwise the configuration on the bridged client is exactly the same as the routed client.

Sample OpenWRT Config useful for adapting


config openvpn nettraptor
        option enable 1
        option client 1
        option dev tun1
        option proto tcp
        list remote "10.10.10.10 1194"
        option resolv_retry infinite
        option nobind 1
        option persist_key 1
        option persist_tun 1
        option pkcs12 /etc/openvpn/keys/nettraptor.p12
#       option ns_cert_type server
        option comp_lzo 1
        option verb 3
        option keepalive "10 120"
        option auth SHA1
        option auth_user_pass /etc/openvpn/auth.cfg
