OpenVPN Client with NordVPN

Hello,

I have trouble configuring an OpenVPN Client on my Mikrotik Router. I want it to connect to my NordVPN account, so I can use it as a VPN gateway.

All the instructions I found online advised to just import the .ovpn file and add masquerading in the firewall. But that does not work for me. I also disabled all block rules in the firewall, just to make it work once.

I can't ping 8.8.8.8 and have no internet connection. The upstream router does not capture any packets either.

Here is my configuration:

[admin@MikroTik] > /export

2026-05-27 20:29:26 by RouterOS 7.22.3

model = RB962UiGS-5HacT2HnT

/interface bridge
add admin-mac=6C:3B:6B:19:C4:99 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface ovpn-client
add auth=sha512 cipher=aes256-cbc connect-to= mac-address= name=ovpn-import1779901690 protocol=udp user= verify-server-certificate=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-19C49F wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=germany distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-19C49E wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=192.168.98.0
/ip dhcp-client
add comment=defconf default-route-tables=main interface=ether1 name=ether1
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.98.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ovpn-import1779901690
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Here is the dynamic route table:

[admin@MikroTik] > /ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAd 0.0.0.0/0 192.168.88.1 main 1
DAv 0.0.0.0/1 10.100.0.1 main 0
DAc 10.100.0.0/20 ovpn-import1779901690 main 0
DAv <ip/32> 192.168.88.1 main 0
DAv 128.0.0.0/1 10.100.0.1 main 0
DAc 192.168.88.0/24 ether1 main 0
DAc 192.168.98.0/24 bridge main 0

Here is the OVPN config:

client
dev tun
proto udp
remote 1194
resolv-retry infinite
nobind
tun-mtu 1500
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem

remote-cert-tls server

auth-user-pass
verb 3
pull
cipher AES-256-CBC
auth SHA512

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

key-direction 1

2048 bit OpenVPN static key

-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----

I read that Mikrotik is not very good with OpenVPN and you should use Wireguard. But sometimes OpenVPN just works better for my use case. Also I like learning new stuff and would like to know if I made some stupid mistake. If it's just a bug in Mikrotik ROS, that's fine for me.

Any help is appreciated and best regards
Andy

It is correct that RouterOS OpenVPN is not very good. It is a re-implementation of a subset of the original protocol, which is being extended in the opensource version all the time. So when you connect between RouterOS and some existing OpenVPN server, there always is some option that isn't working...

Thanks for the reply. Well, I think I made some errors while testing, because now all the packets leave my router and upstream routers. The strange part: sometimes I get a response from the OVPN server, sometimes not. But I get 100% timeouts on ping. I guess my routing from the LAN interface to the ovpn interface is still wrong. But your point is valid. It could still not be compatible for usage.

I need to do some troubleshooting first.

The OpenVPN server can "push routes" but that is the first thing that is going to fail. It is tricky anyway to have a VPN that has the default route set to it, because the VPN packets themselves must not go into the VPN. Often tricks are used like setting a /32 route to the VPN server, but in theory route marks could be used as well.

Anyway, impossible to debug from the forum, you will need to fiddle with it yourself. First try the provided OVPN file on a computer, and see what happens. Look in the route table as well.
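To make the point about the /32 route concrete, here is an added Python example (not from the thread or from RouterOS) that replays a longest-prefix lookup over the route table from the first post. The server address 203.0.113.10 and the gateway name "ovpn-client" are constructed stand-ins for the redacted <ip/32> and the interface name.

```python
import ipaddress

# Constructed stand-in for the /ip/route/print output in the first post.
# The server address is redacted as <ip/32> on the page; 203.0.113.10 is a
# documentation placeholder, not a real VPN endpoint.
VPN_SERVER = "203.0.113.10"
ROUTES = [
    # (dst-address, gateway, distance)
    ("0.0.0.0/0",        "192.168.88.1", 1),  # default route learned via DHCP on ether1
    ("0.0.0.0/1",        "10.100.0.1",   0),  # pushed by the OpenVPN server
    ("128.0.0.0/1",      "10.100.0.1",   0),  # pushed by the OpenVPN server
    ("10.100.0.0/20",    "ovpn-client",  0),  # connected tunnel network
    (VPN_SERVER + "/32", "192.168.88.1", 0),  # pushed host route to the server
    ("192.168.88.0/24",  "ether1",       0),
    ("192.168.98.0/24",  "bridge",       0),
]

def lookup(dst, routes=ROUTES):
    """Pick the gateway the way a FIB does: longest prefix wins, then lowest distance."""
    addr = ipaddress.ip_address(dst)
    best_key, best_gw = None, None
    for prefix, gw, distance in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            key = (net.prefixlen, -distance)
            if best_key is None or key > best_key:
                best_key, best_gw = key, gw
    return best_gw

def tunnel_would_loop(routes, server=VPN_SERVER, tunnel_gw="10.100.0.1"):
    """True if the encrypted packets to the VPN server would be routed into the tunnel itself."""
    return lookup(server, routes) == tunnel_gw

if __name__ == "__main__":
    print("8.8.8.8 ->", lookup("8.8.8.8"))        # 10.100.0.1: the /1 routes beat the /0 default
    print("server  ->", lookup(VPN_SERVER))       # 192.168.88.1: the /32 host route keeps it outside
    without_host_route = [r for r in ROUTES if not r[0].endswith("/32")]
    print("loop without /32:", tunnel_would_loop(without_host_route))  # True
```

Removing the /32 entry shows why the tunnel breaks: the server address then matches 128.0.0.0/1 and the encrypted traffic is sent back into the tunnel.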

Yeah, that took me some time to understand how the routing works in theory for a configured OVPN client. The configured routes are indeed pushed routes, including the /32 route I have. So maybe it's better to do it manually.
Of course I will debug it myself, but your hints are really helpful. Trying the OVPN file on a computer - alternatively I could also test it on my upstream router, which is another brand and working there - is a great suggestion. Hopefully I find some time for deep debugging on the weekend.

One last question for now: the 10.100.0.1 remote IP in the /20 subnet can't be changed, right? It isn't stated in the OVPN config, nor did I add it manually. I guess it came with the pushed routes. So that is the interface of the tunnel endpoint in OVPN and set by the server?

The configured network on the server is normally also added as a route, yes. That is not one of the pushed routes.

There is configuration on the server side that determines if this happens, but of course that isn't under your control.

Did some more debugging yesterday. There is no chance to get it to work, I guess. To sum it up:

  • When importing the .ovpn configuration file, the router warns that some of the parameters are unsupported
  • If you delete these parameters from .ovpn file, the import is successful.
  • In either case the interface constantly disconnects and reconnects. Could be because of no traffic, but still a little bit odd.
  • Traffic was definitely going out of my router and was sent towards the internet by my upstream router. But I only got very rare response packets (maybe 1 in 30-50 pings), which also went through my ovpn interface. Of course that's not enough for a reliable connection.
  • I can only guess that the OVPN implementation in ROS is sending the packets in a way which is incompatible with NordVPN, hence the missing responses.
  • There is a reason why NordVPN only has documentation for IPsec with Mikrotik, I guess.
  • Another user in this forum had a similar post and they also gave up because of the missing rx packets. He also saw all the tx, but no rx.

Thx for the help anyway, pe1chl

Does the OVPN file work when you use it with a Windows or Linux computer, or on an Android phone with the "Arne Schwabe" OpenVPN app? (not the "official" one)

I did not try on a PC or phone yet, but it is still worth a try. I have a GL iNet router, though. It can read the .ovpn file without an issue and the VPN is working. Will try an IPsec configuration on MT now and the OVPN over Android later.

New findings... Tried a basic IPsec config with NordVPN and it just did not work. Thankfully someone stated a problem with MTU:

After mangling the MSS with:
/ip firewall mangle add action=change-mss chain=forward new-mss=1300 out-interface=sfp1 protocol=tcp tcp-flags=syn tcp-mss=1301-65535
the IPsec is working.
I guess it has something to do with my 5G internet connection.

Now I will also test OVPN with different MTU settings. Maybe I'm lucky and it affects OVPN, too.

That could be, but it is not very likely because OpenVPN supports fragmentation. Usually it would work with wrong MTU, only a bit less efficient. Only when other mistakes are made (like blocking all ICMP traffic in the firewall) it could cause an issue.

Unfortunately you are right. OVPN just does not work, all traffic goes out, nearly nothing comes in.
I also tested the .ovpn config on my phone with the app from Arne. Works just fine. Connected immediately and was very fast. Even the "limited" config, where I removed some parameters for ROS, worked perfectly.
I'm out of ideas for OVPN. If you have some things I could test, I'll gladly try them. If not, I'm focusing on the IPsec config. It kind of works, but the connection is very slow and unreliable. I need to research a bit first, because in terms of IPsec I'm a complete novice.