
Mikrotik OpenVPN setup

Create certificates

  mkdir mikrotik_certs
  cd mikrotik_certs
  openssl genrsa -des3 -out mikrotik_ca.key 4096

Use a different Common Name (CN) for the CA certificate (mikrotik_ca.crt) here than for server.crt below:

  openssl req -new -x509 -days 3650 -key mikrotik_ca.key -out mikrotik_ca.crt -config openssl.cnf

Generate server.key and server.crt, and sign the certificate with mikrotik_ca.crt:

  openssl genrsa -des3 -out server.key 4096
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -days 3650 -in server.csr -CA mikrotik_ca.crt -CAkey mikrotik_ca.key -set_serial 01 -out server.crt

Then upload server.crt and server.key to Mikrotik.

In the Mikrotik terminal, execute:

  /ip pool add name=openvpn-pool range=10.21.21.2-10.21.21.254
  /ppp profile add name=openvpn local-address=10.21.21.1 remote-address=openvpn-pool

Add desired users and passwords:

  /ppp secret add name=user1 password=pwd1234 profile=openvpn
  /ppp secret add name=user2 password=pwd5678 profile=openvpn
  ...

Import cert and key:

  /certificate import file-name=server.crt
  /certificate import file-name=server.key
  /interface ovpn-server server set enabled=yes certificate=server.crt_0
  /ip firewall filter add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp

Import ovpn config file to client

For a Linux client config (i.e. the .ovpn file), copy the contents of mikrotik_ca.crt to the end of the file, between the <ca> and </ca> tags. Also change the “remote” and “route” lines to match the configuration created above.

Mikrotik does not support LZO compression or UDP connection. :-(
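
An added example, not part of the original wiki page: a shell function that writes a client profile with the CA certificate inlined, and refuses a file that contains a private key so that mikrotik_ca.key or server.key cannot end up in a client config by mistake. The function name make_ovpn, its arguments and the host vpn.example.net are assumptions; the port, subnet and TCP-only transport follow the router commands above, and the rest are standard OpenVPN client directives.

```shell
#!/bin/sh
# Added example: build a client .ovpn with the CA certificate inlined.
# Port and subnet are taken from the router commands on this page.
VPN_NET=10.21.21.0
VPN_MASK=255.255.255.0
PORT=1194

# make_ovpn <ca_file> <remote_host> <out_file>   (hypothetical helper)
make_ovpn() {
    ca_file=$1 remote_host=$2 out_file=$3

    [ -r "$ca_file" ] || { echo "cannot read $ca_file" >&2; return 1; }
    # Only the public CA certificate belongs in a client profile.
    if grep -q 'PRIVATE KEY' "$ca_file"; then
        echo "$ca_file contains a private key; refusing" >&2
        return 2
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "$ca_file has no PEM certificate" >&2; return 3; }

    (
        umask 077                   # the profile is readable by its owner only
        {
            echo "client"
            echo "dev tun"
            echo "proto tcp-client" # TCP only; no comp-lzo line either
            echo "remote $remote_host $PORT"
            echo "auth-user-pass"   # prompts for the /ppp secret name and password
            echo "nobind"
            echo "persist-key"
            echo "persist-tun"
            echo "route $VPN_NET $VPN_MASK"
            echo "<ca>"
            # Keep only the PEM block, dropping any text around it.
            sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca_file"
            echo "</ca>"
        } > "$out_file"
    )
}

# Usage (host name is a placeholder):
#   make_ovpn mikrotik_ca.crt vpn.example.net client.ovpn
```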


wiki/mikrotik_openvpn_setup.txt · Last modified: 2021/06/02 12:11 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal