RB as OpenVPN client - some questions

Hello,

I am running an OpenVPN server on a Linux machine.
Now I want my RB to connect to the OpenVPN server as a client.

Does this work?

Why does the RB need a username and password for dial-out?

Where can I put the certificate data [ca, cert, key, tls-auth] (under DD-WRT it was easy to paste the content from the files)?

Does the field Connect To not support an entry from the address list?

How can I select tun or tap (ah ip, or ether)?

How can I set the outgoing port (normally lport x)?

Thanks.

It works if you configure server to use only features available in RouterOS OpenVPN client. Which means not using many standard ones, most notably UDP transport. I don’t usually use RouterOS as OpenVPN client, so I may not be completely correct, but about specific questions:

  • You need to enter username, but when I tested it some time ago, I think server just ignored it, if it was configured for certificate-only authentication.
  • Certificates go to System->Certificates.
  • I don’t understand what you want with address list.
  • tun = ip, tap = ether
  • I don’t think you can set local port. You could probably do something with srcnat, if you need it.

Thanks for hints.

lport parameter will be ignored. :frowning:
@Mikrotik: Please implement this - then the firewall rules can be more restrictive.

Username and password are for local certificates (although when they are not password protected it seems to be ignored - I just entered anything).

OpenVPN supports more targets. If one server fails, the connection to the second server will be established.

remote IP port
remote IP_Backup port

Connection can be established, but no ping at the moment. :frowning: Maybe some little config problem. :frowning:

Wed Jan 4 10:17:06 2017 client/IP:38610 IP packet with unknown IP version=0 seen
Wed Jan 4 10:17:13 2017 client/IP:38610 IP packet with unknown IP version=0 seen

Compression is disabled on the server - it seems that ROS OpenVPN is not compatible with OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015

WTF: If the parameter no-replay is activated on the server, this problem occurs and no pings are possible. When I removed no-replay from the server config it works without problems.

It doesn’t seem that lport would help you much. Definitely not on client, all you need is to allow established connections, which you most likely do anyway. On server, you need to open incoming port, and even though you could do additional filtering based on source port, anyone can set source port (if they don’t use RouterOS :wink:). But yeah, if you required all your clients to use specific source port(s), you could make your firewall more restrictive. Not a real security measure, but it can’t hurt.

More targets don’t seem to be supported. Maybe if you used hostname that resolves to multiple addresses (different servers), it might work as fallback mechanism. It should work (= it’s desired behaviour), but I didn’t test if it really does. But it wouldn’t help you with different ports. Other way may be doing some magic with scripting, which I guess is probably doable, but not admin-friendly.

All together, it’s a known fact (and you’re finding it now yourself) that OpenVPN in RouterOS is a little behind. There are improvements promised for RouterOS v7, but it’s not yet clear how many of them and when exactly it will be.
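The thread above narrows the server side down to three settings that the RouterOS OpenVPN client does not cope with: UDP transport, compression, and no-replay. The following small checker is an added example (not code from either poster) that reads an OpenVPN server config and flags those directives before a client is pointed at it; the directive names are standard OpenVPN 2.x ones, the sample config is constructed, and the incompatibility list is taken only from what this thread reports.

```python
"""Flag OpenVPN server directives that this thread found to break the
RouterOS OpenVPN client (added example; the list comes from the thread)."""

# Directive -> reason, as reported in the thread.
INCOMPATIBLE = {
    "no-replay": "server no-replay breaks traffic (client connects, no ping)",
    "comp-lzo": "compression must be disabled on the server",
    "compress": "compression must be disabled on the server",
}


def parse_config(text):
    """Return (directive, [args]) for each non-comment, non-empty line.
    OpenVPN treats lines starting with '#' or ';' as comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def check_routeros_compat(text):
    """Return a list of (directive, reason) for settings the thread says
    the RouterOS client cannot use; an empty list means nothing was found."""
    problems = []
    for directive, args in parse_config(text):
        if directive == "proto" and args and args[0].lower().startswith("udp"):
            problems.append((directive, "RouterOS client supports only TCP transport"))
        elif directive in INCOMPATIBLE:
            problems.append((directive, INCOMPATIBLE[directive]))
    return problems


# Constructed sample: a typical Linux server.conf carrying all three settings.
SAMPLE_SERVER_CONF = """
port 1194
# UDP is the OpenVPN default, but the RouterOS client needs TCP
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
comp-lzo
no-replay
keepalive 10 120
"""

if __name__ == "__main__":
    for directive, reason in check_routeros_compat(SAMPLE_SERVER_CONF):
        print(f"{directive}: {reason}")
```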