Mikrotik Router

Hey kids!

So, I have a Mikrotik rb2011 router, which I flippin’ love.

  • It performs quite well at gigabit speeds
  • It’s much easier to configure than the Juniper router it replaced
  • Uses far less power than the Juniper
  • Is quieter than the Juniper (and sucks in less dust)
  • Has all of the features a home or small office user would ever need
  • Is pretty cheap for what you get!

It’s not as prosumer-slick as a Ubiquiti/Unifi setup. The web interface is far from perfect, but it’s certainly good enough for most things. If you need to do something the web interface won’t do, you’re probably getting advanced enough to learn the command line interface, anyway.

Anyway, enough of that.

Why are you doing this?

I have a bunch of networked things in my house, and I want to access some of them “on the go”. Most of them are things I don’t want anyone else to have access to though, so I don’t want to just forward ports and expose them. I don’t even want to expose my SSH server, because after doing that and looking at the logs, there are bots trying all day every day to hack into that. I find it irritating to look at the logs and see 50,000 failed login attempts from every variation of “admin” you can think of.

So, instead, I’d like to keep the attack surface as small as possible: One web server and one VPN server. Everything else must be accessed from the “trusted” side of the firewall. If I’m not at home, plugged into the LAN, I’ll have to connect to the VPN to get “inside”.


I’m going to give you instructions to do this completely from the web interface. There are a lot of command-line instructions out there, including the ones in the router manual. Let’s do something different.

Setting up the OpenVPN server

Create certificates


Create CA certificate template

  • Go to System -> Certificates -> Certificates Tab
  • Click Add New

Name: my.ca

Common Name: my.ca

(Fill in Country / Locality / Unit / Etc. if you want…)

Key Size: 4096

Days Valid: 3650

Key Usage: crl sign, key cert. sign

  • Click OK

CA certificate template is created!

Create server certificate template

  • Use the same steps to add another new certificate, identical except for these options:

Name: server-template

Common Name: server

Key Usage: {uncheck everything}

Create client certificate template

  • Then do it again, exactly the same way but with a different name:

Name: client-template

Common Name: client

Server and Client templates are created!

Sign the templates to create certificate files

Why do I need to do this?

This step is essentially encrypting the information in the templates and creating certificate files out of them, along with ‘keys’. The public key can be used later to decrypt the client and server certificate files to ‘prove’ the certificate hasn’t been tampered with. Then, the information in each certificate file has a sort of pointer that says ‘you can trust me, because my.ca says I’m trustworthy’.

Then the key -> decryption process happens again to decrypt the my.ca file.

Now, normally my.ca would point to another ‘more trustworthy’ certificate and this process would continue on up the chain until we reach a ‘root’ certificate that’s hosted and maintained by one of the Internet’s “Trusted Certificate Authorities”. There are copies of these certificates on your phone or computer, and your OS vendor has marked them “super trustworthy”. You could pay to get certificates signed by one of these root CAs, which would make your VPN more plug-and-play for users.

That’s silly for our little home VPN.

Instead, what we’re going to do is set our my.ca certificate as “trusted” and then manually distribute it to clients, and tell our clients and server to trust it as if it were a root CA.

All of this will allow the client to identify itself to the server, the server to identify itself to the client, and both to know the identification presented is trustworthy according to the humans.

(By the way, I’m not an expert on encryption. If what I’m saying above is incorrect, please let me know!)

How to sign the templates

  • Go to System -> Certificates -> Certificates Tab

  • Click server-template to open it

  • Click Sign and choose these options:

Certificate: server-template

CA: my.ca

  • Click Start
  • When Progress says “done”, change the Certificate option:

Certificate: client-template

  • Click Start
  • When Progress says “done”, click Close
  • Check Trusted
  • Click OK
  • Click my.ca to open it
  • Check Trusted
  • Click OK

Export certificates

This is easy, so I won’t belabor it.

  • Open the server-template certificate and click Export.
  • Choose Type PKCS12
  • Add a password (required!)
  • Give the file a name like “ovpn-server”.

Do the same thing for the client-template and my.ca certs with appropriate names.

Download server and client certificates

Go to Files

Click Download to the right of ovpn-client.p12

Do the same thing for ovpn-server.p12 and my.ca.p12.

Hang onto these files; you’re going to put them on your iPhone (the client) later.

Create IP Address pool for VPN

You’ll need at least two IP addresses: one for the VPN interface, and one for each client that will be connecting simultaneously. I’m just going to set up a small block, since private IPs are free. I’m using a 192.168.1.x network on my LAN. You will have to adjust these if you’re doing something different. They must be valid IP addresses on your LAN subnet, but not overlapping with any range you’re using for DHCP.

  • Go to IP -> Pool
  • Click Add New

Name: pool-ovpn


  • Click OK

Set up a PPP profile

  • Go to PPP -> Profiles Tab
  • Click Add New

Name: profile-ovpn

Local Address:

Remote Address: pool-ovpn

Interface List: LAN

DNS Server: (the IP address of the DNS server on your LAN if you have one)

  • Click OK

Set up account(s) for client(s) to use

  • Go to PPP -> Secrets Tab
  • Click Add New
  • Create a username
  • Create a password

Profile: profile-ovpn

  • Click OK

Enable OVPN Server

  • Go to PPP -> Interface Tab -> OVPN Server

Enabled: Checked

Protocol: udp

Default Profile: profile-ovpn

Certificate: server-template

Auth: sha256, sha512

Cipher: blowfish 128, aes 128 cbc, aes 192 cbc, aes 256 cbc

  • Click OK

Create interface for OVPN

You don’t need to create an OVPN interface. The PPP service will do this automatically.

Open firewall ports

You do have your firewall locked down, right? You’ll need to open port 1194 to reach the VPN server from the internet.

  • Go to IP -> Firewall
  • Click Add New

Chain: Input

Protocol: 17 (udp)

Dst. Port: 1194

In. Interface List: WAN

Action: accept
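The same server-side setup as the WebFig steps from “Create certificates” through “Open firewall ports”, written as a RouterOS CLI script. This is an added example, not from the original post: the pool range, the profile’s local address, the export passphrases and the account name are assumed values to replace with your own, and the script self-signs my.ca before using it, which the CLI requires before a certificate can act as a CA.

```routeros
# Added example (not from the post): OpenVPN server setup on RouterOS from the terminal.
# Anything marked CHANGE-ME is an assumed value; pick your own before pasting.
/certificate
add name=my.ca common-name=my.ca key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
# key-usage="" mirrors "uncheck everything" in the WebFig template dialog
add name=server-template common-name=server key-size=4096 days-valid=3650 key-usage=""
add name=client-template common-name=client key-size=4096 days-valid=3650 key-usage=""
# The CA needs its own (self-)signature before it can sign the other two templates
sign my.ca
sign server-template ca=my.ca
sign client-template ca=my.ca
set my.ca trusted=yes
set client-template trusted=yes
# PKCS12 export requires a passphrase; the files land in Files as <file-name>.p12
export-certificate server-template type=pkcs12 file-name=ovpn-server export-passphrase="CHANGE-ME-passphrase"
export-certificate client-template type=pkcs12 file-name=ovpn-client export-passphrase="CHANGE-ME-passphrase"
export-certificate my.ca type=pkcs12 file-name=my.ca export-passphrase="CHANGE-ME-passphrase"

# Address pool: a block inside the LAN subnet that DHCP does not hand out (assumed range)
/ip pool add name=pool-ovpn ranges=192.168.1.200-192.168.1.209

# PPP profile: local-address is the router's own LAN address (192.168.1.1 is assumed here)
/ppp profile add name=profile-ovpn local-address=192.168.1.1 remote-address=pool-ovpn interface-list=LAN dns-server=192.168.1.1
# One account per client, tied to the profile above (assumed credentials)
/ppp secret add name=CHANGE-ME-user password=CHANGE-ME-password profile=profile-ovpn service=ovpn

# OVPN server with the same protocol, profile, certificate, auth and cipher choices as the WebFig steps
/interface ovpn-server server set enabled=yes protocol=udp port=1194 default-profile=profile-ovpn certificate=server-template auth=sha256,sha512 cipher=blowfish128,aes128-cbc,aes192-cbc,aes256-cbc
# Optional and not in the post: require-client-certificate=yes makes the server reject
# clients that do not present a certificate signed by my.ca, so the distributed client cert is actually checked

# Firewall: place-before=0 puts the accept at the top of the input chain. A rule appended at the
# bottom would sit below the usual final drop rule and never be reached.
/ip firewall filter add chain=input protocol=udp dst-port=1194 in-interface-list=WAN action=accept comment="OpenVPN from WAN" place-before=0
```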

Creating an OpenVPN profile for clients

OpenVPN Connect requires a special ‘profile’ file with all of the setup information in it. The client apps are designed to allow you to type in a URL and download the profile automatically, but I don’t think the Mikrotik supports that.

There’s an example of the file format here:


After trimming that down as much as I can, this is what works for me:

; [client.ovpn]
; Routed (tun) tunnel, the OVPN server's default mode
dev tun
; Must match the Protocol set on the OVPN server
proto udp
; Your router's public host name or IP, and the port opened in the firewall
remote vpn.mydomain.com 1194
; Keep retrying name resolution instead of giving up when the network drops
resolv-retry infinite
; Only accept a server certificate from the far end, so another client's cert cannot impersonate the server
remote-cert-tls server
; Must be one of the ciphers enabled on the OVPN server
cipher AES-256-CBC
; Log verbosity and suppression of repeated messages
verb 3
mute 20

Put that in your favorite text editor, update the remote line with your own host + domain name or IP address, and save it as client.ovpn

Copying the profile to your iPhone

  • Install OpenVPN Client on your iPhone and open it.
  • Connect your iPhone to your PC with an appropriate data cable.
  • Tap “Trust” or whatever it prompts you to do.
  • Your iPhone will show up in Finder under the Devices list. Select it. Click “Trust”.
  • You may have to disconnect and reconnect to make it work properly
  • In the “Files” category, find OpenVPN
  • Drag the *.p12 certificate files we created earlier and drop them onto OpenVPN
  • Click Sync

On your iPhone

  • Open OpenVPN Client
  • Tap the “FILE” tab
  • Tap Add on a certificate
  • Type in the password you used earlier when you exported the certs from the Mikrotik
  • Do that for both certs.
  • Tap Add on the .ovpn profile
  • Enter the Username and Password you used on the Mikrotik when creating the user (under PPP -> Secrets)
  • Tap OK

Now, if you tap the little switch on the new entry on the Profile screen, that should be enough to get connected.