Hi, colleagues. I'd like to connect my Mikrotik RB915Ui-HnD to some VPN provider (haven chosen yet which one, but definitely with OpenVPN protocol) therefore all my traffic passing to internet provider including DNS requests and BitTorrent will be encrypted.

My RB connected to the internet via PPPoE and my problem is I can't figure out how to start. I need some generalized approach like "Create bridge with that" and "Add route here" (some schemes may be).

Could you give me directions?

I'm not experienced much with OpenWRT OpenVPN configuration, but with Mikrotik you should start from:
1. Upload OpenWRT image
2. Create a new metarouter and assign uploaded image
3. Create a virtual ethernet interface and assign it to your new metarouter instance
4. Change your default PPPoE route 0.0.0.0/0 with new distance (2 or more)
5. IMPORTANT Add a static route to your OpenVPN server through the gateway of your ISP PPPoE with distance 1.
5. Add your new virtual ethernet interface to your LAN bridge
6. On your OpenWRT set up eth0 to get ip/gw by dhcp. It will take an IP from your Tik LAN dhcp (while it is bridged to LAN)
7. Set up OpenWRT with OpenVPN, you shall have a tun0 interface.
8. Add a new route to 0.0.0.0/0 network with a gateway ip address of your OpenWRT's eth0 interface. Distance set to 1 .

How it works:
Now metarouter will use static route to allow nested metarouter to connect to OpenVPN and start tunnel.
Than Tik will use new route thru virtual eth0 as default.
OpenWRT internally routes traffic from it's eth0 to tun0 (looping back the traffic inside metarouter's virtual interface and routing it to meta openvpn, that is really returns back to Tik's LAN towards your PPPoE GW)

A little bit complicated, but it should work in theory. I'll try to make it myself within few days to proove the concept!

Thanks for the reply. As far as I understand when tunnel doesn't exist (connection isn't established yet or broken already) all my traffic will be sent unencrypted. If so — can I prevent this?

Forgive me my curiosity, but are you sure that running another OS in Metarouter is really necessary ?
You should be also aware of that: https://wiki.openwrt.org/inbox/doc/mikr ... er_openwrt

Until Tik natively will support UDP and LZO — yes, it's necessary.

Thanks for the reply. As far as I understand when tunnel doesn't exist (connection isn't established yet or broken already) all my traffic will be sent unencrypted. If so — can I prevent this?

If you don't want your traffic to be sent unencrypted through you PPPoE interface, you should switch off your 0.0.0.0/0 route to PPPoE interface, but leave one static route to your OpenVPN host. Don't forget about DNS traffic to resolve OpenVPN's hostname or just use IP address instead.

Until Tik natively will support UDP and LZO — yes, it's necessary.

Some time ago that topic was really important to me, that's the reason of my question.
What down/up speed you want to get? From my personal experience: router isn't allways best place for VPN client.

Until Tik natively will support UDP and LZO — yes, it's necessary.

Some time ago that topic was really important to me, that's the reason of my question.
What down/up speed you want to get? From my personal experience: router isn't allways best place for VPN client.

I hope I'll manage that and will post a how-to. Now I have 30 Mbps symmetrical channel and I'd like to keep the same speed with VPN if possible. If not — I can sacrifice speed down to maximum possible. The goal is to stay away from new anti-people surveillance law.

I bought Tik because it has enough memory to do the job. I don't want yet another device. What do you propose?

Simplest solutions are often the best. If you're using Windows, try OpenVPN Windows client with that options in conf: ... and try to determine best tun-mtu and mssfix for your link https://www.sonassi.com/help/magestack/ ... or-openvpn
After that I would compare performance with pfSense or VyOS closed in some kind of virtualization solution (VirtualBox, vmware Player)

Hardware embedded routers/firewalls in price range of RB915Ui rather not offers good VPN performance, we must deal with it

Until Tik natively will support UDP and LZO — yes, it's necessary.

Some time ago that topic was really important to me, that's the reason of my question.
What down/up speed you want to get? From my personal experience: router isn't allways best place for VPN client.

I hope I'll manage that and will post a how-to. Now I have 30 Mbps symmetrical channel and I'd like to keep the same speed with VPN if possible. If not — I can sacrifice speed down to maximum possible. The goal is to stay away from new anti-people surveillance law.

I bought Tik because it has enough memory to do the job. I don't want yet another device. What do you propose?

I'd suggest RB850gx2. It costs ~150$ and is able to encrypt OpenVPN at least at 150Mbit+ due to it's AES hardware encryption feature. I'g gonna take this device soon and share results.

If it will be possible, could you please test Metarouter performance with ovpn (client) in udp mode for us?

150$ and is able to encrypt OpenVPN at least at 150Mbit+ due to it's AES hardware encryption feature. I'g gonna take this device soon and share results.

Multicore Mikrotiks do not support metarouter. This includes the 850gx2

One more question:

Will I be able to connect to my Tik? AS far as I understand, incoming packet will go through ISP and outgoing — through VPN, like satellite/GSM scheme?

150$ and is able to encrypt OpenVPN at least at 150Mbit+ due to it's AES hardware encryption feature. I'g gonna take this device soon and share results.

Multicore Mikrotiks do not support metarouter. This includes the 850gx2

That's bad.. The only solution is to l2tp/ipsec.

I've made a sample scheme:
I don't understand how LAN and WiFi clients should be connected. If you do — please draw some lines (may be in Paint).

I've made a sample scheme:

VPN-Mikrotik.png

I don't understand how LAN and WiFi clients should be connected. If you do — please draw some lines (may be in Paint).

PPPoE adds some extra complexity to the schema..

Got the same question and found solution yesterday:
Add second virtual interface to metarouter -> bridge to WAN (in my case **) interface -> add eth1 to WAN inside OpenWRT. Don't forget remove default gateway from eth0, add default gateway to your eth1 and tun0 with different distances.

** PPPoE is bridged with BCP, but i dont exactly know how to do it. If you don't want to overload your with extreme complicity, you'd better put any cheap and dummy router like dir-100 to perform as PPPoE -> Ethernet box.
.. or just add one more meta %)

Tests have shown about 1 MBit/s and ping ~120 ms what is REALLY slow.

I've installed VPN server and client by default. May be there are few options to increase speed?

Tests have shown about 1 MBit/s and ping ~120 ms what is REALLY slow.

I've installed VPN server and client by default. May be there are few options to increase speed?

Do not expect good performance on soho boards using metarouter. I'd better take a separate device for OpenWRT or take something stronger like PowerPC single** core (RB450).
smips devices are weak in encryption, so you shouldn't expect it better with meta
I've just taken RB850gx2 (~150usd with case) for heavy vpn encryption tasks.
This board rocks in encryption:
I got l2tp/ipsec 195mbit/s, but i should perform much better after some tunings.
In OpenVPN you may gain more than 100mbit/s due to current OpenVPN utilizes only one core... Waiting for ROS v7

** Metarouter doesnt work on multi core devices (Waiting for ROS v7, it will be KVM)