2 Linux clients can connect simultaneously using same user/pw as in /ppp secrets but with different client certificates.
The problem occurs with windows clients. The connection aborts with:
[...]
Wed Nov 25 15:30:04 2009 [RB450_1B5C01E0965C] Peer Connection Initiated with 213.135.21.86:1196
Wed Nov 25 15:30:06 2009 SENT CONTROL [RB450_1B5C01E0965C]: 'PUSH_REQUEST' (status=1)
Wed Nov 25 15:30:06 2009 PUSH: Received control message: 'PUSH_REPLY,route 10.10.10.0 255.255.255.224,ifconfig 10.10.10.29 10.10.10.1'
Wed Nov 25 15:30:06 2009 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov 25 15:30:06 2009 OPTIONS IMPORT: route options modified
Wed Nov 25 15:30:06 2009 ROUTE: default_gateway=UNDEF
Wed Nov 25 15:30:06 2009 There is a problem in your selection of --ifconfig endpoints [local=10.10.10.29, remote=10.10.10.1]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
Wed Nov 25 15:30:06 2009 Exiting
I don’t understand that. Does it only work with an ip pool ranges=10.10.10.2?
But then only one client works at one time. Is there any solution except using mode=ethernet?
I think that I have to use the “route up..”-command in the client.ovpn because the “push route..”-command from the server doesn't work with the windows clients.
The problem is that due to the “IP pool”-trick a static route in the client.ovpn doesn't work anymore, because the server IP (gateway for the static route) could change for every connection.
I can’t find a way to set the “push route..”-command in the RouterOS OpenVPN server, anyway. Is there a way to?
I think I found a solution to the route-up problem mentioned by Volans.
Don’t do the multiple pool setup mentioned earlier in the post; it’s not part of this solution. Make each Windows user log in using a secrets listing unique to them, not a generic VPN user for use with many clients (e.g. make a PPP secret called paul just for Windows user Paul). You may do that already. Also, in this unique secrets listing for the Windows user, hard code a local address and remote address from those in the 255.255.255.252 range (a convenient list is given when you run openvpn --show-valid-subnets at the command line on the Windows OpenVPN client machine).
For the hard-coded addresses in the Windows user’s secrets profile, use an address pair outside of whatever existing VPN pool you might have (e.g. if your existing pool is 10.10.10.10-10.10.10.30, use a pair of numbers higher such as 10.10.10.53 and 10.10.10.54). Specify a unique address pair for each unique Windows user secret listing (I’m sure you could also use address pairs outside of your /24 generic pool as well). The other settings can stay the same as those used in a generic user’s secret (if you have one); this includes the same PPP profile. The local and remote address hard-coded in the Windows user’s secret listing will override the remote address setting from the profile you specify, but the client will still get the DNS servers from the profile.
On the Windows client side, you still have to set a route in the client.ovpn file because Mikrotik OpenVPN server can’t push a route (thanks patrickmkt for simpler method). If the server-side LAN uses 192.168.76.0 for a subnet, use this line in the client.ovpn file.
route 192.168.76.0 255.255.255.0
This configuration is no more complex than the multi-pool setup mentioned earlier, and the routes can be made to work using the route command in the client.ovpn file. Plus, you can still have a generic user, larger VPN-specific address pool, and profile to use with Linux and Mikrotik ip/tun clients.
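As an added example (not code from anyone in this thread, nor from MikroTik or OpenVPN), the script below checks the 255.255.255.252 rule that the Windows client's log enforces, hands each Windows user its own /30 pair above the generic pool as the post suggests, and prints the matching /ppp secret lines. The pool boundary, user names and the CHANGE-ME password are constructed; local-address is assumed to be the router side and remote-address the client side, as in RouterOS /ppp secrets.

```python
import ipaddress

# OpenVPN --dev tun on the TAP-WIN32 driver requires the client's local and remote
# endpoints to be the two usable hosts of one 255.255.255.252 (/30) subnet.
TAP_WIN32_PREFIX = 30

def valid_tap_pair(local: str, remote: str) -> bool:
    """True if local/remote are exactly the two usable hosts of the same /30."""
    l, r = ipaddress.IPv4Address(local), ipaddress.IPv4Address(remote)
    block = ipaddress.IPv4Network(f"{l}/{TAP_WIN32_PREFIX}", strict=False)
    # hosts() of a /30 yields the two middle addresses (network/broadcast excluded)
    return {l, r} == set(block.hosts())

def assign_pairs(users, vpn_network: str, pool_end: str) -> dict:
    """Give each Windows user its own /30 pair, taken from above the existing pool
    (constructed policy following the post: pick numbers higher than the pool)."""
    ceiling = ipaddress.IPv4Address(pool_end)
    free = (b for b in ipaddress.IPv4Network(vpn_network).subnets(new_prefix=TAP_WIN32_PREFIX)
            if b.network_address > ceiling)
    assigned = {}
    for user in users:
        block = next(free, None)
        if block is None:
            raise ValueError(f"no free /30 left in {vpn_network} for {user}")
        router_side, client_side = block.hosts()
        assigned[user] = (str(router_side), str(client_side))
    return assigned

def ppp_secret_commands(assigned, profile="default"):
    """RouterOS CLI lines for the per-user secrets; CHANGE-ME is a placeholder password."""
    lines = []
    for user, (local, remote) in assigned.items():
        assert valid_tap_pair(local, remote)   # never emit a pair the Windows client rejects
        lines.append(f"/ppp secret add name={user} password=CHANGE-ME service=ovpn "
                     f"profile={profile} local-address={local} remote-address={remote}")
    return lines

if __name__ == "__main__":
    # Constructed sample: generic pool 10.10.10.10-10.10.10.30, two Windows users.
    print(valid_tap_pair("10.10.10.29", "10.10.10.1"))   # the pair from the log above: False
    pairs = assign_pairs(["paul", "anna"], "10.10.10.0/24", "10.10.10.30")
    print("\n".join(ppp_secret_commands(pairs)))
```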
That works. Thanks. Now the .bat file is not needed, and the client.ovpn can be generic instead of client-specific. I’ll adjust my post. I wonder why so many references show the route set up through route-up instead?