+# OpenVPN Server and certificate management on MikroTik
+- [Setup OpenVPN server and generate certificates](#setup-openvpn-server-and-generate-certificates)
+- [Add a new user](#add-a-new-user)
+- [Setup OpenVPN client](#setup-openvpn-client)
+- [Decrypt private key to avoid password asking (optional)](#decrypt-private-key-to-avoid-password-asking-optional)
+- [Delete a user and revoke his certificate](#delete-a-user-and-revoke-his-certificate)
+- [Revert OpenVPN server configuration on MikroTik](#revert-openvpn-server-configuration-on-mikrotik)
+## Setup OpenVPN server and generate certificates
+# Setup OpenVPN Server and generate certs
+# Change variables below if needed then copy the whole script
+# and paste into MikroTik terminal window.
+:global CN [/system identity get name]
+## generate a CA certificate
+add name=ca-template common-name="$CN" days-valid=3650 \
+ key-usage=crl-sign,key-cert-sign
+sign ca-template ca-crl-host=127.0.0.1 name="$CN"
+## generate a server certificate
+add name=server-template common-name="server@$CN" days-valid=3650 \
+ key-usage=digital-signature,key-encipherment,tls-server
+sign server-template ca="$CN" name="server@$CN"
+## create a client template
+add name=client-template common-name="client" days-valid=3650 \
+add name=VPN-POOL ranges=192.168.252.128-192.168.252.224
+add dns-server=192.168.252.1 local-address=192.168.252.1 name=VPN-PROFILE \
+ remote-address=VPN-POOL use-encryption=yes
+/interface ovpn-server server
+set auth=sha1 certificate="server@$CN" cipher=aes128,aes192,aes256 \
+ default-profile=VPN-PROFILE mode=ip netmask=24 port="$PORT" \
+ enabled=yes require-client-certificate=yes
+add chain=input action=accept dst-port="$PORT" protocol=tcp \
+ comment="Allow OpenVPN"
+add chain=input action=accept dst-port=53 protocol=udp \
+ src-address=192.168.252.0/24 \
+ comment="Accept DNS requests from VPN clients"
+move [find comment="Allow OpenVPN"] 0
+move [find comment="Accept DNS requests from VPN clients"] 1
+## Setup completed. Do not forget to create a user.
+**NOTE:** To allow clients to surf the Internet, make sure that there are permissive rules, such as:
+add chain=forward action=accept src-address=192.168.252.0/24 \
+ out-interface-list=WAN place-before=0
+add chain=forward action=accept in-interface-list=WAN \
+ dst-address=192.168.252.0/24 place-before=1
+add chain=srcnat src-address=192.168.252.0/24 out-interface-list=WAN \
+# Add a new user and generate/export certs
+# Change variables below if needed then copy the whole script
+# and paste into MikroTik terminal window.
+:global CN [/system identity get name]
+:global PASSWORD "password"
+add name=$USERNAME password=$PASSWORD profile=VPN-PROFILE service=ovpn
+## generate a client certificate
+add name=client-template-to-issue copy-from=client-template \
+ common-name="$USERNAME@$CN"
+sign client-template-to-issue ca="$CN" name="$USERNAME@$CN"
+## export the CA, client certificate, and private key
+export-certificate "$CN" export-passphrase=""
+export-certificate "$USERNAME@$CN" export-passphrase="$PASSWORD"
+## Done. You will find the created certificates in Files.
+1. Copy the exported certificates from the MikroTik
+ sftp admin@MikroTik_IP:cert_export_\*
+ Also, you can download the certificates from the web interface or Winbox.
+ Open Winbox/WebFig → <kbd>Files</kbd> for this.
+2. Create `user.auth` file
+ The file auth.auth holds your username/password combination. On the first
+ line must be the username and on the second line your password.
+3. Create OpenVPN config that named like `USERNAME.ovpn`:
+ remote MikroTik_IP 1194
+ # Create a file 'user.auth' with a username and a password
+ # cat << EOF > user.auth
+ auth-user-pass user.auth
+ # Copy the certificates from MikroTik and change
+ # the filenames below if needed
+ ca cert_export_MikroTik.crt
+ cert cert_export_user@MikroTik.crt
+ key cert_export_user@MikroTik.key
+ # Uncomment the following line if Internet access is needed
+ # Add routes to networks behind MikroTik
+ #route 192.168.88.0 255.255.255.0
+ sudo openvpn USERNAME.ovpn
+## Decrypt private key to avoid password asking (optional)
+openssl rsa -passin pass:password -in cert_export_user@MikroTik.key -out cert_export_user@MikroTik.key
+## Delete a user and revoke his certificate
+# Delete a user and revoke his certificate
+# Change variables below and paste the script
+# into MikroTik terminal window.
+:global CN [/system identity get name]
+remove [find name=$USERNAME profile=VPN-PROFILE]
+## revoke a client certificate
+issued-revoke [find name="$USERNAME@$CN"]
+## Revert OpenVPN server configuration on MikroTik
+## Revert OpenVPN configuration
+/interface ovpn-server server
+set enabled=no default-profile=default port=1194
+remove [find name=VPN-POOL]
+remove [find profile=VPN-PROFILE]
+remove [find name=VPN-PROFILE]
+remove [find comment="Allow OpenVPN"]
+remove [find comment="Accept DNS requests from VPN clients"]
+## delete the certificates manually