OpenVPN Import in ROSv7

I’m following instructions on page OpenVPN. I have a client.ovpn file which I can import successfully by executing

/interface/ovpn-client/import-ovpn-configuration file-name=client.ovpn ovpn-user=<user> ovpn-password=<pw> skip-cert-import=no

Then, via WinBox, I select the newly created interface and on the Dial Out tab I select Add Default Route, click Apply and Enable.

Everything seems to be running fine:

/interface/ovpn-client/print detail
Flags: X - disabled; R - running; H - hw-crypto; Ta - tls-auth; Tc - tls-crypt
 0  R Ta   name="ovpn-import1763121518" mac-address=<mac-address> max-mtu=1500
           connect-to=italy-cosenza-ca-version-2.expressnetw.com port=1195 mode=ip protocol=udp
           user=<user> password=<pw> profile=default
           certificate=cert_ovpn-import1763121518 verify-server-certificate=yes tls-version=only-1.2 auth=sha512
           cipher=aes256-cbc use-peer-dns=yes add-default-route=yes route-nopull=no disconnect-notify=yes

However now I’m unable to access any internet page. What am I missing?

Check the routing if is correct...

Check that the automatic route is correct and that it doesn't interfere with the normal route...


In other words, post the output of:
/ip route print


Before enabling I have

/ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
    DST-ADDRESS      GATEWAY      ROUTING-TABLE  DISTANCE
DAd 0.0.0.0/0        192.168.1.1  main                  1
DAc 192.168.1.0/24   ether1       main                  0
DAc 192.168.88.0/24  bridge       main                  0

After enabling ovpn-import1763121518 I’m seeing

/ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN; + - ECMP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
     DST-ADDRESS      GATEWAY                ROUTING-TABLE  DISTANCE
DAd+ 0.0.0.0/0        192.168.1.1            main                  1
DAv+ 0.0.0.0/0        10.20.0.1              main                  1
DAv  0.0.0.0/1        10.20.0.1              main                  0
DAc  10.20.0.0/16     ovpn-import1763121518  main                  0
DAv  128.0.0.0/1      10.20.0.1              main                  0
DAc  192.168.1.0/24   ether1                 main                  0
DAc  192.168.88.0/24  bridge                 main                  0

Does this look right? I'm not sure.

What does the VPN provider say?

Do they have some documentation how to use their VPN on a computer and/or router?

It is a bit strange that they send both a 0.0.0.0/0 route and a 0.0.0.0/1 + 128.0.0.0/1 but maybe they do that because lots of environments could not handle an extra default route correctly. In your case you should have increased the distance of your default route, e.g. in DHCP client.

Try (on the router) a traceroute to some public IP, e.g. 1.1.1.1, and see how that flows.

The reason you cannot visit a webpage could be as simple as a wrong NAT rule in the firewall config.

The DAv routes with distance 0 (and the DAc routes that always have distance 0) will take precedence over any other route of same width.
But there is also the duplicated 0.0.0.0/0 one, one DAv and one DAd (with the + sign meaning that they are automatically ECMP).

What happens if you set the "add-default-route=no"?

As pe1chl suggested, a traceroute to 1.1.1.1 should tell you if you are going through 192.168.1.1 or 10.20.0.1.

I have not reached out to the VPN provider yet.

Are you saying that entries

DAv  0.0.0.0/1        10.20.0.1              main                  0
DAc  10.20.0.0/16     ovpn-import1763121518  main                  0
DAv  128.0.0.0/1      10.20.0.1              main                  0

are getting created based on some negotiating between the OVPN client and the VPN provider?

I noticed that entry

DAv+ 0.0.0.0/0 10.20.0.1 main 1

gets only added when Add Default Route has been selected.

And yes, I haven't done any specific NAT configuration yet.

This route:

DAd+ 0.0.0.0/0 192.168.1.1 main 1
means essentially access all the world (0.0.0.0/0) via 192.168.1.1 unless there is another route to 0.0.0.0/0 with the same or lower distance.

This route:

DAv+ 0.0.0.0/0 10.20.0.1 main 1

is exactly the same but going through a different gateway.

Since they are the same, they are “assembled” in ECMP, i.e. a form of load balancing.

The router through some calculations determines whether every single packet will take the one or the other route, and very likely you don’t want that.

So, you should NOT select “add default route”.

About NAT, you probably have a default one, but that needs to be seen in the whole context, as you may also have mis-categorized as LAN or WAN (or not categorized at all) this or that interface.

Once you have set the NAT for the VPN also, post your full configuration, instructions here:


Result of export file=myconfig hide-sensitive:

# 2025-11-14 19:26:39 by RouterOS 7.20.2
# software id = <software id>
#
# model = L009UiGS-2HaxD
# serial number = <serial number>
/interface bridge
add admin-mac=<admin-mac> auto-mac=no comment=defconf name=bridge
/interface ovpn-client
add add-default-route=yes auth=sha512 certificate=cert_ovpn-import1763121518 \
    cipher=aes256-cbc connect-to=italy-cosenza-ca-version-2.expressnetw.com \
    mac-address=<mac-address> name=ovpn-import1763121518 port=1195 \
    protocol=udp tls-version=only-1.2 user=<user> \
    verify-server-certificate=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=<ssid> disabled=\
    no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=\
    yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=vpn_traffic
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.0.0.0/8 disabled=yes list=local_traffic
add address=172.16.0.0/12 disabled=yes list=local_traffic
add address=192.168.0.0/16 disabled=yes list=local_traffic
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="ovpn masquerade" out-interface=\
    ovpn-import1763121518
/ip service
set ssh port=10022
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=<name>
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

OK, no add-default-route then.

So let's say I want to route all traffic to 1.1.1.1 via interface ovpn-import1763121518, shouldn't it be sufficient to add route and nat like

/ip route add dst-address=1.1.1.1 gateway=ovpn-import1763121518
/ip firewall nat add chain=srcnat out-interface=ovpn-import1763121518 action=masquerade

resulting in

/ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#     DST-ADDRESS       GATEWAY                ROUTING-TABLE  DISTANCE
  DAd 0.0.0.0/0         192.168.1.1            main                  1
  DAv 0.0.0.0/1         10.35.0.1              main                  0
0  As 1.1.1.1/32        ovpn-import1763121518  main                  1
  DAc 10.35.0.0/16      ovpn-import1763121518  main                  0
  DAv 128.0.0.0/1       10.35.0.1              main                  0
  DAc 192.168.1.0/24    ether1                 main                  0
  DAc 192.168.88.0/24   bridge                 main                  0
  DAv 213.21.226.43/32  192.168.1.1            main                  0

/ip/firewall/nat/print
Flags: X - disabled, I - invalid; D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 1    ;;; ovpn masquerade
      chain=srcnat action=masquerade out-interface=ovpn-import1763121518

/tool/traceroute 1.1.1.1
ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
                                 100%    1 timeout
                                 100%    1 timeout
                                 100%    1 timeout
                                 100%    1 timeout
                                 100%    1 timeout
                                   0%    1     0ms

?

Did you try that before adding that route? It should work when 10.35.0.1 is a valid router.

Does the OpenVPN connection remain up or is it bouncing all the time?

A common problem with this kind of setup is that you (presumably) want to route all outgoing traffic to your VPN, but that should NOT include the VPN traffic (to the VPN server) itself. So usually a /32 route to that VPN server has to be added separately.

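The route-selection rules argued over earlier in the thread (longest prefix first, then lowest distance, with equal prefix and equal distance yielding the ECMP "+" pair) and pe1chl's point just above about keeping the VPN server's own address out of the tunnel can both be checked on the tables that were posted. What follows is an added worked example, not part of the original thread and not RouterOS code: a small Python model that replays the first table (add-default-route=yes) and the later table (add-default-route=no plus the static 1.1.1.1/32) and asks, for a given destination, which route is active and which interface the packet finally leaves on. The names Route, select, egress_interfaces, ecmp_groups, server_pinned_outside_tunnel and reprioritise, the recursive gateway resolution, and the choice of 213.21.226.43 (the /32 shown in the second table) as the server address are the example's own assumptions; the real RouterOS FIB also applies routing marks and scope/target-scope, which this model ignores.

```python
"""Model of RouterOS-style IPv4 route selection, replaying the tables from this thread.

Assumption (example's own, not RouterOS code): a route is chosen by longest prefix,
then lowest distance; several routes left with the same prefix and distance are all
active at once, which is the ECMP '+' flag in the posted output.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str        # destination prefix as printed, e.g. "0.0.0.0/1"
    gateway: str    # next-hop IP, or an interface name for connected routes
    distance: int   # administrative distance
    flags: str      # flags as printed in the thread, informational only

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dst)


TUNNEL = "ovpn-import1763121518"
VPN_SERVER = "213.21.226.43"   # the /32 that appeared in the later table (assumed endpoint)

# /ip/route/print with add-default-route=yes (first table posted in the thread)
WITH_DEFAULT = [
    Route("0.0.0.0/0",       "192.168.1.1", 1, "DAd+"),
    Route("0.0.0.0/0",       "10.20.0.1",   1, "DAv+"),
    Route("0.0.0.0/1",       "10.20.0.1",   0, "DAv"),
    Route("10.20.0.0/16",    TUNNEL,        0, "DAc"),
    Route("128.0.0.0/1",     "10.20.0.1",   0, "DAv"),
    Route("192.168.1.0/24",  "ether1",      0, "DAc"),
    Route("192.168.88.0/24", "bridge",      0, "DAc"),
]

# /ip/route/print with add-default-route=no plus the static 1.1.1.1/32 (later table)
WITHOUT_DEFAULT = [
    Route("0.0.0.0/0",        "192.168.1.1", 1, "DAd"),
    Route("0.0.0.0/1",        "10.35.0.1",   0, "DAv"),
    Route("1.1.1.1/32",       TUNNEL,        1, "As"),
    Route("10.35.0.0/16",     TUNNEL,        0, "DAc"),
    Route("128.0.0.0/1",      "10.35.0.1",   0, "DAv"),
    Route("192.168.1.0/24",   "ether1",      0, "DAc"),
    Route("192.168.88.0/24",  "bridge",      0, "DAc"),
    Route(VPN_SERVER + "/32", "192.168.1.1", 0, "DAv"),
]


def select(table, dst_ip):
    """Every route that would be active for dst_ip; more than one means ECMP."""
    ip = ipaddress.ip_address(dst_ip)
    matching = [r for r in table if ip in r.network]
    if not matching:
        return []
    longest = max(r.network.prefixlen for r in matching)
    same_len = [r for r in matching if r.network.prefixlen == longest]
    best = min(r.distance for r in same_len)
    return [r for r in same_len if r.distance == best]


def egress_interfaces(table, dst_ip, _hops=0):
    """Resolve next-hop gateways recursively until an interface name is reached."""
    if _hops > 8:
        raise RuntimeError("gateway recursion too deep (unresolvable next hop)")
    out = set()
    for r in select(table, dst_ip):
        try:
            ipaddress.ip_address(r.gateway)
        except ValueError:
            out.add(r.gateway)             # connected route: gateway is an interface
            continue
        out |= egress_interfaces(table, r.gateway, _hops + 1)
    return out


def ecmp_groups(table):
    """Routes sharing prefix and distance: these carry the '+' flag together."""
    groups = {}
    for r in table:
        groups.setdefault((r.dst, r.distance), []).append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


def server_pinned_outside_tunnel(table, server_ip=VPN_SERVER, tunnel=TUNNEL):
    """True when packets to the VPN server would NOT be sent into the tunnel itself."""
    return tunnel not in egress_interfaces(table, server_ip)


def reprioritise(table, gateway, distance):
    """Copy of the table with every route via `gateway` moved to a new distance
    (what raising the DHCP client's default-route distance achieves)."""
    return [Route(r.dst, r.gateway, distance, r.flags) if r.gateway == gateway else r
            for r in table]


if __name__ == "__main__":
    for name, table in (("with default", WITH_DEFAULT), ("without default", WITHOUT_DEFAULT)):
        print(f"[{name}] 1.1.1.1 ->", [f"{r.dst} via {r.gateway}" for r in select(table, "1.1.1.1")],
              "egress", sorted(egress_interfaces(table, "1.1.1.1")))
        print(f"[{name}] ECMP groups:", {k: [r.gateway for r in v] for k, v in ecmp_groups(table).items()})
        print(f"[{name}] VPN server pinned outside tunnel:", server_pinned_outside_tunnel(table))
    print("after raising DHCP default to distance 2:",
          ecmp_groups(reprioritise(WITH_DEFAULT, "192.168.1.1", 2)))
```

Two things the model makes visible that the printed tables alone do not. First, in the add-default-route=yes table the two 0.0.0.0/0 entries are indeed the only ECMP group, but 0.0.0.0/1 and 128.0.0.0/1 at distance 0 are longer prefixes that between them cover every IPv4 destination, so 1.1.1.1 is carried by the /1 route toward 10.20.0.1 rather than by the ECMP pair; raising the DHCP default route's distance (reprioritise) removes the tie in any case. Second, in that same table 213.21.226.43 also falls under 128.0.0.0/1 and resolves to the tunnel interface, which is the situation pe1chl warns about, whereas the dynamically added /32 in the later table resolves it to ether1.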

Did you try that before adding that route? It should work when 10.35.0.1 is a valid router.

I’m not sure what you mean. I assume that 10.35.0.1 has been assigned during OpenVPN negotiations.

Does the OpenVPN connection remain up or is it bouncing all the time?

It is mostly stable, although initially I got some TLS errors:

 2025-11-15 09:58:31 ovpn,info ovpn-import1763121518: disconnected <nothing received for a while>
 2025-11-15 09:58:31 ovpn,info ovpn-import1763121518: terminating... - nothing received for a while
 2025-11-15 09:58:31 ovpn,info ovpn-import1763121518: disconnected
 2025-11-15 09:58:31 ovpn,info ovpn-import1763121518: initializing...
 2025-11-15 09:58:31 ovpn,info ovpn-import1763121518: connecting...
 2025-11-15 09:59:01 ovpn,info ovpn-import1763121518: disconnected <TLS error: handshake timed out (6)>
 2025-11-15 09:59:01 ovpn,info ovpn-import1763121518: terminating... - TLS error: handshake timed out (6)
 2025-11-15 09:59:01 ovpn,info ovpn-import1763121518: disconnected
 2025-11-15 09:59:01 ovpn,info ovpn-import1763121518: initializing...
 2025-11-15 09:59:01 ovpn,info ovpn-import1763121518: connecting...
 2025-11-15 09:59:31 ovpn,info ovpn-import1763121518: disconnected <TLS error: handshake timed out (6)>
 2025-11-15 09:59:31 ovpn,info ovpn-import1763121518: terminating... - TLS error: handshake timed out (6)
 2025-11-15 09:59:31 ovpn,info ovpn-import1763121518: disconnected
 2025-11-15 09:59:31 ovpn,info ovpn-import1763121518: initializing...
 2025-11-15 09:59:31 ovpn,info ovpn-import1763121518: connecting...
 2025-11-15 10:00:01 ovpn,info ovpn-import1763121518: disconnected <TLS error: handshake timed out (6)>
 2025-11-15 10:00:01 ovpn,info ovpn-import1763121518: terminating... - TLS error: handshake timed out (6)
 2025-11-15 10:00:01 ovpn,info ovpn-import1763121518: disconnected
 2025-11-15 10:00:02 ovpn,info ovpn-import1763121518: initializing...
 2025-11-15 10:00:02 ovpn,info ovpn-import1763121518: connecting...
 2025-11-15 10:00:32 ovpn,info ovpn-import1763121518: disconnected <TLS error: handshake timed out (6)>
 2025-11-15 10:00:32 ovpn,info ovpn-import1763121518: terminating... - TLS error: handshake timed out (6)
 2025-11-15 10:00:32 ovpn,info ovpn-import1763121518: disconnected
 2025-11-15 10:00:34 ovpn,info ovpn-import1763121518: initializing...
 2025-11-15 10:00:34 ovpn,info ovpn-import1763121518: connecting...
 2025-11-15 10:01:04 ovpn,info ovpn-import1763121518: disconnected <TLS error: handshake timed out (6)>
 2025-11-15 10:01:04 ovpn,info ovpn-import1763121518: terminating... - TLS error: handshake timed out (6)
 2025-11-15 10:01:04 ovpn,info ovpn-import1763121518: disconnected
 2025-11-15 10:01:07 ovpn,info ovpn-import1763121518: initializing...
 2025-11-15 10:01:07 ovpn,info ovpn-import1763121518: connecting...
 2025-11-15 10:01:07 ovpn,info ovpn-import1763121518: using encoding - AES-256-CBC/SHA512
 2025-11-15 10:01:07 ovpn,info ovpn-import1763121518: connected

A common problem with this kind of setup is that you (presumably) want to route all outgoing traffic to your VPN, but that should NOT include the VPN traffic (to the VPN server) itself. So usually a /32 route to that VPN server has to be added separately.

That’s exactly what I’m trying to do. So what changes should I make to the routing then?

Try to add a route to 213.21.226.0/26 via 192.168.1.1

Tried that. Same behavior:

/ip/route/print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
#     DST-ADDRESS       GATEWAY                ROUTING-TABLE  DISTANCE
  DAd 0.0.0.0/0         192.168.1.1            main                  1
  DAv 0.0.0.0/1         10.51.0.1              main                  0
0  As 1.1.1.1/32        ovpn-import1763121518  main                  1
  DAc 10.51.0.0/16      ovpn-import1763121518  main                  0
  DAv 128.0.0.0/1       10.51.0.1              main                  0
  DAc 192.168.1.0/24    ether1                 main                  0
  DAc 192.168.88.0/24   bridge                 main                  0
1  As 213.21.226.0/26   192.168.1.1            main                  1
  DAv 213.21.226.49/32  192.168.1.1            main                  0

/tool/traceroute 1.1.1.1
ADDRESS                          LOSS SENT    LAST     AVG    BEST   WORST STD-DEV STATUS
                                 100%    1 timeout
                                 100%    1 timeout
                                 100%    1 timeout
                                   0%    1     0ms

I had not seen that the route was already there (as a /32) in a later post, at first it was missing. It seems that it does that only when you do not have the “add default route” setting, which seems exactly reverse to what one would expect.

Anyway, too difficult to debug this kind of thing remotely.

You added the ovpn interface as name=ovpn-import1763121518.

Shouldn't the ovpn interface be set as either LAN or WAN (I presume WAN) in:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
?

Without an appropriate categorization the default firewall would not allow the packets, I believe.

Tried that too:

/interface list member print
Columns: LIST, INTERFACE
# LIST  INTERFACE
;;; defconf
0 LAN   bridge
;;; defconf
1 WAN   ether1
;;; ovpn-client
2 WAN   ovpn-import1763121518

Didn’t make a difference.

Or maybe as LAN?

Neither setting seems to make a difference.