Enot
just joined
Topic Author
Posts: 8
Joined: Wed Feb 22, 2012 9:29 am
Location: World

[TUTORIAL] Mikrotik OVPN Client as Gateway Interface

Tue Dec 03, 2013 6:01 pm

This is a complete tutorial, tested and working. You can just copy and paste the commands. It would be good if admins could copy it to the WIKI pages.

Goal: Use Mikrotik OVPN client connection as gateway interface to encrypt your internet activity from prying eyes.

What we have:
1. Mikrotik Router (in my case - RB951G-2HnD v6.6)
2. OpenVZ VPS service (in my case - BuyVM with Ubuntu 12.04 LTS Server x64)
3. Working internet connection (via Mikrotik Router)

TUTORIAL:

1. Install Ubuntu 12.04 LTS on your VPS service and start it

2. Connect via SSH to the installed server (with PuTTY, for example)

3. Login as root

4. Use command line:
apt-get update

apt-get dist-upgrade -y

apt-get install openvpn openssl udev

cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
nano /etc/openvpn/easy-rsa/2.0/whichopensslcnf
change
else
cnf="$1/openssl.cnf"
fi
to
else
cnf="$1/openssl-1.0.0.cnf"
fi
save and exit
nano /etc/openvpn/easy-rsa/2.0/vars
change
export EASY_RSA="`pwd`"
to
export EASY_RSA="/etc/openvpn/easy-rsa/2.0"
and
export KEY_SIZE=1024
to
export KEY_SIZE=2048
save and exit

Initialize the certificate authority and the public key infrastructure (PKI) by issuing the following commands in sequence:
cd /etc/openvpn/easy-rsa/2.0/

. /etc/openvpn/easy-rsa/2.0/vars

. /etc/openvpn/easy-rsa/2.0/clean-all

. /etc/openvpn/easy-rsa/2.0/build-ca
(After issuing the last command (above), you'll be prompted to enter some values.)
. /etc/openvpn/easy-rsa/2.0/build-key-server server

. /etc/openvpn/easy-rsa/2.0/build-key client

. /etc/openvpn/easy-rsa/2.0/build-dh
cd /etc/openvpn/easy-rsa/2.0/keys

cp ca.crt ca.key dh2048.pem server.crt server.key /etc/openvpn

cd /etc/openvpn/
nano openvpn.conf
type in:
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.10.0.0 255.255.255.0
cipher AES-256-CBC
user nobody
group nogroup
status /var/log/openvpn-status.log
log-append /var/log/openvpn
verb 3
mute 0
max-clients 100
keepalive 10 120
persist-key
persist-tun
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
save and exit
nano /etc/rc.local
type in:
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.10.0.0/24 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source YOUR_VPS_IP
YOUR_VPS_IP is the external IP of your VPS
save and exit
nano /etc/sysctl.conf
remove the # from the line:
net.ipv4.ip_forward=1
save and exit
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/init.d/openvpn restart
cd /etc/openvpn/easy-rsa/2.0/keys
openssl rsa -in /etc/openvpn/easy-rsa/2.0/keys/client.key -out /etc/openvpn/easy-rsa/2.0/keys/client.pem
Connect to your server using SFTP (FileZilla for example) and copy /etc/openvpn/easy-rsa/2.0/keys folder to your local PC.

Reboot your installed Ubuntu server.

5. Start WinBox application on local PC

Open "Files"

Drag and drop ca.crt, client.crt and client.pem from the LOCAL PC to the Mikrotik File List window

Open "System -> Certificates"

Import ca.crt client.crt and client.pem

The CA will now be flagged "T" and the Client "KT"

Close "Certificates" and open it again, or you will get an error on the next step.

Rename your CA and Client certificates to names you will remember.

Open "PPP"

Click "+" and "OVPN Client" there

Connect to: YOUR_VPS_IP

Port: 443

Mode: ip

User: client

Password:

Profile: default

Certificate: choose your client certificate (not CA)

Auth: sha1

Cipher: aes 256

Click "OK"

Now your OVPN connection should be up and running. If not, you made a mistake somewhere in the earlier steps.

Now you need to add a Mangle rule for the IP addresses you want to give access to the VPN through the Mikrotik:

Go to IP -> "Firewall" -> "Mangle" tab, select "Add new".
In "Chain", select "prerouting".
In "Src. Address", enter the IP or IP range you want to have routed through the VPN connection.
In "Action", select "mark routing".
In "New Routing Mark", here enter any name for the routing mark, e.g. "OVPN"
Tick Passthrough
Click "OK".

Next, you need to add routes for the new VPN connection:

Go to "IP" and then to "Routes" and "Add New".
Dst. Address: has to be "0.0.0.0/0".
Gateway: Here enter the name of the VPN connection you created, e.g. "OVPN"
Routing Mark: select the routing mark you created before. (OVPN)
Click "OK".

Add Masquerade for this OpenVPN connection:

Now please go to "IP" tab and select "Firewall" and "NAT".
In "Chain", select "srcnat", and check the "Enabled" checkbox.
In "Out. Interface", select the name of the OpenVPN connection you just created and check the box.
In "Action", select "Masquerade".
Click "OK".

If you have a firewall, you will need to accept TCP port 443 on the OVPN out interface in chain "Output" and all ports on the OVPN out interface in chain "Forward".

That's all. If you did all the steps, all devices with the IPs or IP ranges you entered in the Mangle rule will go to the internet via your OVPN tunnel. The external IP will be the same as YOUR_VPS_IP.

Hope you like it. If you have any suggestions, corrections or questions - please write in this topic. :)

(c) Enot
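The WinBox steps from step 5 onward (certificate import, OVPN client, mangle, route, masquerade and the firewall note), written as the equivalent RouterOS v6 terminal commands; this is an added example, not part of Enot's post or MikroTik documentation. It assumes the three files are already uploaded to Files, that the client certificate's common name is "client" (easy-rsa's default for "build-key client"), that the interface is named "OVPN", that 192.168.88.0/24 is the LAN range to send through the tunnel (a constructed value), and YOUR_VPS_IP stays a placeholder as in the post.

```routeros
# Added example: RouterOS v6 equivalent of the WinBox steps in the post.
# Assumed: ca.crt, client.crt, client.pem already in Files; LAN range
# 192.168.88.0/24 is constructed for illustration; YOUR_VPS_IP is a placeholder.

# 1. Import CA, client certificate and the unencrypted client key (client.pem
#    was produced with "openssl rsa" on the server, so the passphrase is empty).
/certificate import file-name=ca.crt passphrase=""
/certificate import file-name=client.crt passphrase=""
/certificate import file-name=client.pem passphrase=""
# Rename the imported client entry (assumes its common name is "client").
/certificate set [find common-name="client"] name=client

# 2. OVPN client interface with the same values as the GUI dialog: TCP only,
#    port 443, SHA1 auth, AES-256. add-default-route=no because the default
#    route is added per routing mark below, so only marked traffic uses the tunnel.
/interface ovpn-client add name=OVPN connect-to=YOUR_VPS_IP port=443 mode=ip \
    user=client password="" profile=default certificate=client \
    auth=sha1 cipher=aes256 add-default-route=no

# 3. Mangle: mark traffic from the chosen LAN hosts so it gets its own route.
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 \
    action=mark-routing new-routing-mark=OVPN passthrough=yes

# 4. Default route for marked traffic only, via the tunnel interface.
/ip route add dst-address=0.0.0.0/0 gateway=OVPN routing-mark=OVPN

# 5. Masquerade what leaves through the tunnel so the VPS sees a 10.10.0.x source.
/ip firewall nat add chain=srcnat out-interface=OVPN action=masquerade

# 6. Only if a filter firewall is in place: allow the control connection to the
#    VPS (it leaves via the WAN interface, toward YOUR_VPS_IP:443) and allow
#    forwarded LAN traffic out through the tunnel. Insert these before any
#    drop rules (e.g. with place-before=) or they never match.
/ip firewall filter add chain=output protocol=tcp dst-address=YOUR_VPS_IP \
    dst-port=443 action=accept
/ip firewall filter add chain=forward out-interface=OVPN action=accept
```

Check the result with "/interface ovpn-client monitor OVPN once" (status should read "connected") and "/ip route print where routing-mark=OVPN".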
 
nerdtron
Member Candidate
Posts: 123
Joined: Sat Nov 30, 2013 7:49 am

Re: [TUTORIAL] Mikrotik OVPN Client as Gateway Interface

Wed Dec 04, 2013 5:36 am

I followed them all. We even have the same tutorial for the openvpn server. I'm sure it is working as I can connect a Linux computer or another router as a client to the vpn server. The server is working fine.

However, when I try to connect the Mikrotik RB951Ui-2HnD, I can't connect to the server. There were not even any logs on the server that a connection was initiated. In simple terms, the routerboard can't even reach the server.
I have a fresh routerboard on which I wiped the default config. How do I start troubleshooting?
 
Enot
just joined
Topic Author
Posts: 8
Joined: Wed Feb 22, 2012 9:29 am
Location: World

Re: [TUTORIAL] Mikrotik OVPN Client as Gateway Interface

Wed Dec 04, 2013 4:55 pm

How do I start troubleshooting?
Turn on OVPN logging in the Mikrotik router (System->Logging) and post here what it says when you try to connect...

What internet connection does your router have? Is it connected directly or via another router?
 
mrz
MikroTik Support
Posts: 7056
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: [TUTORIAL] Mikrotik OVPN Client as Gateway Interface

Wed Dec 04, 2013 5:25 pm

If you are using the default configuration, then in the input chain all traffic is blocked except ICMP. Add firewall rules to accept OVPN.
 
nerdtron
Member Candidate
Posts: 123
Joined: Sat Nov 30, 2013 7:49 am

Re: [TUTORIAL] Mikrotik OVPN Client as Gateway Interface

Thu Dec 05, 2013 9:25 am

Thanks for your replies. I read the config again. It seems the default was to use UDP and Mikrotik doesn't support it. I changed the server config to TCP and it's working now.

Now I can begin writing scripts for failover.
 
Enot
just joined
Topic Author
Posts: 8
Joined: Wed Feb 22, 2012 9:29 am
Location: World

Re: [TUTORIAL] Mikrotik OVPN Client as Gateway Interface

Thu Dec 05, 2013 3:02 pm

Thanks for your replies. I read the config again. It seems the default was to use UDP and Mikrotik doesn't support it. I changed the server config to TCP and it's working now.

Now I can begin writing scripts for failover.
Nice to see that everything working now! :)
 
Steanly
just joined
Posts: 3
Joined: Sat Dec 21, 2013 1:48 pm

Re: [TUTORIAL] Mikrotik OVPN Client as Gateway Interface

Mon Nov 03, 2014 12:46 pm

Hi, I used this guide and everything works

I would like to ask how to NAT ports on the server's public IP to the internal IP?

I tried:

iptables -A FORWARD -p tcp -i eth0 -d VPSIP --dport 3389 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d VPSIP --dport 3389 -j DNAT --to-destination CLIENTIP:3389

does not work, please help...
