{"id":16731644,"url":"https://github.com/missinglink/mikrotik-openvpn-client","last_synced_at":"2025-03-17T01:31:39.716Z","repository":{"id":140480018,"uuid":"60474200","full_name":"missinglink/mikrotik-openvpn-client","owner":"missinglink","description":"configure your mikrotik routerboard as an openvpn client","archived":false,"fork":false,"pushed_at":"2019-11-06T10:31:22.000Z","size":14,"stargazers_count":191,"open_issues_count":3,"forks_count":41,"subscribers_count":19,"default_branch":"master","last_synced_at":"2025-03-16T07:11:25.516Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://missinglink.github.io/mikrotik-openvpn-client/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/missinglink.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["missinglink"]}},"created_at":"2016-06-05T18:19:06.000Z","updated_at":"2025-03-14T07:51:40.000Z","dependencies_parsed_at":null,"dependency_job_id":"1657c97a-ae22-4834-a8b2-7e79dbf87c5a","html_url":"https://github.com/missinglink/mikrotik-openvpn-client","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/missinglink%2Fmikrotik-openvpn-client","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/missinglink%2Fmikrotik-openvpn-client/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/missinglink%2Fmikrotik-openvpn-client/releases","manifests_url":"https://repos.ecosyste.ms/
api/v1/hosts/GitHub/repositories/missinglink%2Fmikrotik-openvpn-client/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/missinglink","download_url":"https://codeload.github.com/missinglink/mikrotik-openvpn-client/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243958317,"owners_count":20374839,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-12T23:38:17.363Z","updated_at":"2025-03-17T01:31:39.710Z","avatar_url":"https://github.com/missinglink.png","language":"Shell","funding_links":["https://github.com/sponsors/missinglink"],"categories":[],"sub_categories":[],"readme":"# Mikrotik router as OpenVPN Client\n\nThere are a bunch of tutorials online about how to set up a Mikrotik routerboard as an OpenVPN *server*; this is not one of them, this repository contains information and code samples for configuring a Mikrotik router as a *client* to connect to your own OpenVPN server hosted elsewhere.\n\nAs of Jun '16 this is confirmed working on a Mikrotik 951Ui-2HnD routerboard, all traffic destined for the internet is routed via the VPN connection and I'm able to watch region-locked video streaming services while connected through this wifi network.\n\n## Gotchas!\n\nSourced from: http://wiki.mikrotik.com/wiki/OpenVPN\n\n- TCP is supported **UDP is not supported** (ie. 
the default setup is not supported)\n- username/passwords **are not mandatory**\n- certificates are supported\n- LZO compression **is not supported**\n\n## Setting up the server\n\nThis info applies to you if you are setting up the server for yourself, otherwise you best check with your server admin that they have configured the server for a Mikrotik client.\n\nFor the most part I followed [this tutorial](https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04) for installing OpenVPN server on Ubuntu 14.04.\n\n\u003e Be careful with this tutorial, if you are using any services other than OpenVPN and SSH; or if you use non-standard ports, make sure you add the corresponding firewall rules!\n\nI only made a couple changes to my `server.conf`:\n\n##### Change protocols from UDP to TCP\n\n```\n# TCP or UDP server?\nproto tcp\n;proto udp\n```\n\nadd the corresponding firewall rule:\n\n```bash\nsudo ufw allow 1194/tcp\n```\n\n##### Disable compression (optional)\n\nThis step is optional, if you're streaming video you can disable compression by commenting it out:\n\n```\n# comp-lzo\n```\n\n## Setting up the client\n\nThis section covers the steps required to set up your Mikrotik routerboard as an OpenVPN client.\n\n##### Copy files from server\n\nYou'll need some files from your OpenVPN server or VPN provider, only 3 files are required:\n\n```\n$ ls cert/\nca.crt  client.crt  client.key\n```\n\n\u003e If you're using the scripts in this repo then you'll need to create a directory called `cert` and put those files inside. 
You'll also need to rename your client keys to match the file names above.\n\n##### Establish a SSH session\n\nAll the commands are executed by SSH so you'll need SSH access to your routerboard before continuing, otherwise I guess you could read the commands and enter them in the GUI, up to you.\n\n```bash\nssh admin@192.168.88.1\n```\n\n```bash\n\nMMM      MMM       KKK                          TTTTTTTTTTT      KKK\nMMMM    MMMM       KKK                          TTTTTTTTTTT      KKK\nMMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK\nMMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK\nMMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK\nMMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK\n\nMikroTik RouterOS 6.35.2 (c) 1999-2016       http://www.mikrotik.com/\n\n[?]             Gives the list of available commands\ncommand [?]     Gives help on the command and list of arguments\n\n[Tab]           Completes the command/word. If the input is ambiguous,\n              a second [Tab] gives possible options\n\n/               Move up to base level\n..              Move up one level\n/command        Use command at the base level\n\n[admin@MikroTik] \u003e\n```\n\n\u003e Great you connected! the interface is a bit weird, all commands start with a ``/`` and you use `?` for help within each section. If you didn't manage to connect you're going to need to sort that out before continuing or give up and use a GUI.\n\nType `/quit` in to the console to exit.\n\n##### Check your OS version\n\nAll the code in this repo is hard-coded for version `6.35.2` (which was current at time of writing). 
If yours is older than that go ahead and upgrade first.\n\n```bash\nssh admin@192.168.88.1 system package update download\n```\n\n##### Upload your certificates\n\nYou'll need to upload those certificates that we downloaded earlier on to your Mikrotik.\n\n\u003e you'll need to do this for all 3 files, see ./task/cert.install.sh for more info.\n\n```bash\nscp ca.crt admin@192.168.88.1:/\nscp client.crt admin@192.168.88.1:/\nscp client.key admin@192.168.88.1:/\n```\n\n```bash\nssh admin@192.168.88.1 certificate import file-name=ca.crt passphrase=\\\"\\\"\nssh admin@192.168.88.1 certificate import file-name=client.crt passphrase=\\\"\\\"\nssh admin@192.168.88.1 certificate import file-name=client.key passphrase=\\\"\\\"\n```\n\nWe can confirm that worked:\n\n```bash\nssh admin@192.168.88.1 certificate print\n```\n\n```bash\nFlags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted\n #          NAME                        COMMON-NAME                     SUBJECT-ALT-NAME                                                  FINGERPRINT                    \n 0        T ca.crt_0                    Fort-Funston CA                                                                                   12911f9e101be5b3e15cd44e52cc...\n 1 K      T client.crt_0                missinglink1                    DNS:missinglink1                                                  8bd36e8431eef6c52151c8400ef0...\n```\n\n##### Rename your certificates\n\nThis is optional; if this is your first time, best do this so you can follow the rest of the steps:\n\n```bash\nssh admin@192.168.88.1 certificate set ca.crt_0 name=CA\n```\n\n```bash\nssh admin@192.168.88.1 certificate set client.crt_0 name=client\n```\n\nWe can confirm that worked:\n\n```bash\nssh admin@192.168.88.1 certificate print\n```\n\n##### Create a PPP profile\n\nThis section contains all the details of *how* you will connect to the server, the following worked for me, 
you may need to change some settings for your specific server configuration:\n\n```bash\nssh admin@192.168.88.1 ppp profile add name=OVPN-client change-tcp-mss=yes only-one=yes use-encryption=required use-mpls=no\n```\n\nWe can confirm that worked:\n\n```bash\nssh admin@192.168.88.1 ppp profile print\n```\n\n```bash\nFlags: * - default\n 0 * name=\"default\" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=default\n     use-compression=default use-encryption=default only-one=default\n     change-tcp-mss=yes use-upnp=default address-list=\"\" on-up=\"\" on-down=\"\"\n\n 1   name=\"OVPN-client\" remote-ipv6-prefix-pool=none use-ipv6=yes use-mpls=no\n     use-compression=default use-encryption=required only-one=yes\n     change-tcp-mss=yes use-upnp=default address-list=\"\" on-up=\"\" on-down=\"\"\n\n 2 * name=\"default-encryption\" remote-ipv6-prefix-pool=none use-ipv6=yes\n     use-mpls=default use-compression=default use-encryption=yes\n     only-one=default change-tcp-mss=yes use-upnp=default address-list=\"\"\n     on-up=\"\" on-down=\"\"\n```\n\n##### Create an OpenVPN interface\n\nHere we actually create an interface for the VPN connection:\n\n\u003e IMPORTANT!! 
Change xxx.xxx.xxx.xxx to your own server address (ip address or domain name).\n\n```bash\nssh admin@192.168.88.1 interface ovpn-client add connect-to=xxx.xxx.xxx.xxx add-default-route=no auth=sha1 certificate=client disabled=no user=vpnuser password=vpnpass name=myvpn profile=OVPN-client\n```\n\nUser/password properties seem to be mandatory on the client even if the server doesn't have `auth-user-pass-verify` enabled.\n\n\n##### Test the VPN connection\n\nIf everything went according to plan you should now be connected:\n\n```bash\nssh admin@192.168.88.1 interface ovpn-client print\n```\n\nNote the `'R'` which shows the connection has been established (give it a few seconds):\n\n```bash\nFlags: X - disabled, R - running\n 0  R name=\"myvpn\" mac-address=FE:EE:75:8F:14:3D max-mtu=1500\n      connect-to=xxx.xxx.xxx.xxx port=1194 mode=ip user=\"vpnuser\" password=\"vpnpass\"\n      profile=OVPN-client certificate=client auth=sha1 cipher=blowfish128\n      add-default-route=no\n```\n\n```bash\nssh admin@192.168.88.1 interface ovpn-client monitor 0\n```\n\n```bash\nstatus: connected\nuptime: 1h35m45s\nencoding: BF-128-CBC/SHA1\n   mtu: 1500\n\nstatus: connected\nuptime: 1h35m46s\nencoding: BF-128-CBC/SHA1\n   mtu: 1500\n```\n\n##### Configure the firewall\n\nThis is explained [in this post](http://wiki.mikrotik.com/wiki/Policy_Base_Routing), basically we define some routes in our local network that **won't** go through the VPN (things in the 10.0.0.0, 172.16.0.0 \u0026 192.168.0.0 ranges) and we add them to a list called `local_traffic`:\n\n```bash\nssh admin@192.168.88.1 ip firewall address-list add address=10.0.0.0/8 disabled=no list=local_traffic\n```\n\n```bash\nssh admin@192.168.88.1 ip firewall address-list add address=172.16.0.0/12 disabled=no list=local_traffic\n```\n\n```bash\nssh admin@192.168.88.1 ip firewall address-list add address=192.168.0.0/16 disabled=no list=local_traffic\n```\n\nThen we set up a `'mangle'` rule which marks packets coming from the 
local network and destined for the internet with a mark named `vpn_traffic`:\n\n```bash\nssh admin@192.168.88.1 ip firewall mangle add disabled=no action=mark-routing chain=prerouting dst-address-list=\\!local_traffic new-routing-mark=vpn_traffic passthrough=yes src-address=192.168.88.2-192.168.88.254\n```\n\n##### Configure routing\n\nNext we tell the router that all traffic with the `vpn_traffic` mark should go through the VPN interface:\n\n```bash\nssh admin@192.168.88.1 ip route add disabled=no dst-address=0.0.0.0/0 type=unicast gateway=myvpn routing-mark=vpn_traffic scope=30 target-scope=10\n```\n\n##### Configure masquerade\n\nAnd finally we add a masquerade NAT rule:\n\n```bash\nssh admin@192.168.88.1 ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=myvpn action=masquerade\n```\n\n## Finished!\n\nThat's it! your external traffic should now be routed through the VPN.\n\nIf this readme helped you out please star the repo; github stars are like crack cocaine to software developers :)\n\n## Credits / Resources\n\nBig thanks to all these people who wrote about this in the past.\n\n- https://lukas.dzunko.sk/index.php/MikrotTik:_OpenVPN\n- https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04\n\n## License\n\n```\nThis work ‘as-is’ we provide.\nNo warranty express or implied.\n  We’ve done our best,\n  to debug and test.\nLiability for damages denied.\n\nPermission is granted hereby,\nto copy, share, and modify.\n  Use as is fit,\n  free or for profit.\nThese rights, on this notice, rely.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmissinglink%2Fmikrotik-openvpn-client","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmissinglink%2Fmikrotik-openvpn-client","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmissinglink%2Fmikrotik-openvpn-client/lists"}