Goal:

- Create an OpenVPN server using MikroTik

- Generate self-signed certificates for the OpenVPN server and clients in MikroTik

- Connect a client PC and an Android device to the MikroTik OpenVPN server


/ip address

add address=xxx.xxx.x64.10 interface=ether5 network=xxx.xxx.x64.0

add address= interface=bridge1 network=


/ip pool

add name=OpenVPN_Pool ranges=


/ppp secret

add name=user1 password=secret1 profile=default-encryption service=ovpn

add name=user2 password=secret2 profile=default-encryption service=ovpn


/ppp profile

 set *FFFFFFFE local-address= remote-address=OpenVPN_Pool


Create & Sign CA


/certificate add name=CA-tpl country="ID" state="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="openv-at.id" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign

/certificate sign CA-tpl ca-crl-host= name="CA"


Create & Sign Cert Server


/certificate add name=server-tpl country="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="xxx.xxx.x64.10" key-size=4096 days-valid=700 key-usage=digital-signature,key-encipherment,tls-server

/certificate sign server-tpl ca="CA" name="SERVER"


Create Client Template Cert -> This is the template for creating user certificates.


/certificate add name=client-tpl country="ID" locality="Jakarta" organization="myComp" unit="RND" common-name="CLIENT" key-size=4096 days-valid=700 key-usage=tls-client


Create & Sign Client1 Cert -> Next time you want to create access for another user, just change CLIENT1 to the appropriate client certificate name.


/certificate add name=CLIENT1 copy-from="client-tpl" common-name="CLIENT1"


/certificate sign CLIENT1 ca="CA" name="CLIENT1"



Export to Mikrotik File


/certificate export-certificate CA export-passphrase=""

/certificate export-certificate CLIENT1 export-passphrase=securepassphrase


- Download the certificate files from MikroTik Files.


- Enable OVPN Server

/interface ovpn-server server

set auth=sha1 certificate=SERVER cipher=aes256 default-profile=default-encryption enabled=yes require-client-certificate=yes


- For PC (Windows 7), download the OpenVPN client (for this lab, I used OpenVPN Community Edition).

- Create an .ovpn profile; for a sample please see here. (Make sure the CA, cert, key and .ovpn profile are in the same directory.)

- Copy the CA, cert and key from MikroTik and the .ovpn profile to C:\Program Files\OpenVPN\config

- Open a command prompt and 'cd' to C:\Program Files\OpenVPN\config

- Type this at the command prompt (change CLIENT4 to the appropriate name). It rewrites the key file without its passphrase:

"c:\Program Files\OpenVPN\bin\openssl.exe" rsa -in cert_export_CLIENT4.key -out cert_export_CLIENT4.key

- If you are asked for a passphrase, it is the export-passphrase you set in the MikroTik terminal earlier.

- Then open the OpenVPN GUI and connect! (Windows system tray)

OpenVPN Client Windows 7


- For Android, download the client from the Play Store.

- Create an .ovpn profile (there is actually no difference from the PC profile, except the secret key).

- Copy the CA, cert and key from MikroTik and the .ovpn profile to the SD card

- Choose menu Import > Import Profile from SD Card

- The application automatically reads the profile on the SD card; then connect!

OpenVPN Client Android



Note: the CA, cert and key can be converted to a unified form (XML-like syntax) by pasting the contents of each file into a single .ovpn profile; for reference you can see here.
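
The unified form from the note above, as an added example (not part of the original post): a small Python helper that inlines the three exported files into one .ovpn profile, checks that each file holds the right kind of PEM block, and reports whether the key still carries its export passphrase. The profile directives are assumed to mirror the server settings above (TCP, auth=sha1, cipher=aes256, user/password login); port 1194, the host name vpn.example.test and all function names are assumptions.

```python
import re

# Matches one armored PEM block and captures its label (e.g. "CERTIFICATE").
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block(text, kind):
    """Return the first PEM block whose label ends with `kind`."""
    for m in PEM_RE.finditer(text):
        if m.group(1).endswith(kind):
            return m.group(0)
    raise ValueError("no PEM block of type " + kind)

def key_is_encrypted(key_pem):
    """True for both the legacy and the PKCS#8 encrypted key encodings."""
    block = pem_block(key_pem, "PRIVATE KEY")
    return block.startswith("-----BEGIN ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in block

def build_unified_profile(remote, ca_pem, cert_pem, key_pem, port=1194):
    """Build a single-file client profile with CA, cert and key inlined."""
    # Assumed to mirror the server above: TCP, auth=sha1, cipher=aes256,
    # plus a /ppp secret login (auth-user-pass). Port 1194 is an assumption.
    lines = [
        "client", "dev tun", "proto tcp-client",
        "remote %s %d" % (remote, port),
        "remote-cert-tls server",  # reject peers without a tls-server cert
        "auth SHA1", "cipher AES-256-CBC", "auth-user-pass",
        "nobind", "persist-key", "persist-tun", "verb 3",
    ]
    # Type-check each file so a swapped cert/key fails here, not at connect.
    for tag, text, kind in (("ca", ca_pem, "CERTIFICATE"),
                            ("cert", cert_pem, "CERTIFICATE"),
                            ("key", key_pem, "PRIVATE KEY")):
        lines += ["<%s>" % tag, pem_block(text, kind), "</%s>" % tag]
    return "\n".join(lines) + "\n"

# Constructed sample data: the bodies are placeholders, not real key material.
def _fake(label, extra=""):
    return "-----BEGIN %s-----\n%sQ09OU1RSVUNURUQ=\n-----END %s-----\n" % (label, extra, label)

SAMPLE_CA = _fake("CERTIFICATE")
SAMPLE_CERT = _fake("CERTIFICATE")
SAMPLE_KEY = _fake("RSA PRIVATE KEY")
SAMPLE_KEY_ENC = _fake("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\n")

if __name__ == "__main__":
    print("key still encrypted:", key_is_encrypted(SAMPLE_KEY_ENC))
    print(build_unified_profile("vpn.example.test", SAMPLE_CA, SAMPLE_CERT, SAMPLE_KEY))
```

A unified profile contains the client's private key, so the single file needs the same handling as the separate .key file.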