I try to add cyberghost vpn client for my hAP lite. I want to use it as my portable router for connecting to it when I need to be behind VPN. I tried to find a proper configuration but no luck so far. I found old topic http://forum.mikrotik.com/t/vpn-cyberghostvpn/136724/1 but coun’t solve my problem. When I try to import open VPN config file:
[admin@MikroTik] > /interface/ovpn-client/import-ovpn-configuration file-name=ope
nvpn.ovpn
progress: non-inline certificate/key 'ca' is not supported
my firmware version is smips / hAP lite / 7.18.1 (stable) but seems open vpn is not supported? (I removed inline certs but then I’m getting progress: configuration error - missing ca certificate)
Therefore, I created it manually
1 name="ovpn-cyberghost2" mac-address=*** max-mtu=1500
connect-to=***-dialup.net port=443 mode=ip protocol=udp
user="***" password="***" profile=default
certificate=client.crt_0 verify-server-certificate=yes tls-version=any
auth=sha256 cipher=aes256-cbc use-peer-dns=no add-default-route=no
route-nopull=no disconnect-notify=yes
getting
ovpn-cyberghost: disconnected <TLS error: no key for certificate found (6)>
Looks like configuration issue? I think I’ll need to import client.key and client.crt but not sure where I should add that or if my configuration is even correct?
I think it’s something on my side. I set certificates to none and connection is working. No idea yet why certificates don’t work but I’ll dig into that.
One more thing is I’m trying to implement “kill switch” that will block any trafic if VPN is unreachable. My solution seems to be working but can someone take a look if it’s correct or how it can be improved:
/ip firewall mangle add chain=forward out-interface=ovpn-cyberghost action=mark-connection new-connection-mark=vpn-connection
/ip firewall mangle add chain=prerouting in-interface=!ovpn-cyberghost action=mark-connection new-connection-mark=vpn-required
/ip firewall filter add chain=forward connection-mark=vpn-required connection-mark=!vpn-connection action=drop comment="Kill Switch - Block when VPN is down"
//edit
The certificates issue was related to domain case sensitivity in connect-to argument. Silly but it works now 
Hi Tomasz, I have been struggling with this exact problem last couple of days on a Mikrotik router.
I had it working with ovpn before, but this time something is not working. The trick with small letters in the hostname didn’t do the trick ether.
I am running firmware 7.18.1 / tilegx
Can you please post your config’s related to the ovpn client and cert, minus the user/pass of course 
Ps. are you the Tomasz I worked with in Denmark some years back?
Cheers,
Frank
No unfortunatelly it wasn’t me
Actually in my case it was capital country letters, here is the config:
/interface bridge
add admin-mac=** auto-mac=no comment=defconf name=bridge
/interface ovpn-client
add auth=sha256 certificate=client.crt_0 cipher=aes256-cbc connect-to=\
**.dialup.net mac-address=** name=ovpn-cyberghost \
port=443 protocol=udp user=** verify-server-certificate=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment=defconf \
disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=\
dynamic-keys name=profile1 supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto mode=ap-bridge \
security-profile=profile1 ssid="ssid" wireless-protocol=802.11
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=\
none
/ip pool
add name=default-dhcp ranges=192.168.20.10-192.168.20.20
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
...
Let me know if you need anything more and if that worked for you?
If it worked before that suggests some issues with cert file or something on VPN server side? Are you sure that cert is still valid and not expired?