Introduction
Do you want to mask your home or office IP address to protect your digital identity? While paid VPN services are common, building your own DIY VPN gives you total control, better privacy, and significant cost savings.
In this comprehensive guide, I will show you how to set up a high-performance, low-cost VPN solution using MikroTik Cloud Hosted Router (CHR). We will use a VPS from a provider like IONOS (starting at just $2/month) as our Central VPN Server and connect your local MikroTik router as a client. By the end, you’ll be able to route specific local devices through the VPN while others use your standard ISP.
Prerequisites
- A VPS (Virtual Private Server): Recommended: IONOS Cloud.
- MikroTik CHR Image: This guide uses RouterOS v7.x.
- Winbox: The essential management tool for MikroTik.
Click here to learn how to convert your Ubuntu VPS to MikroTik CHR
Part 1: Server-Side Configuration (Cloud VPS)
First, we must prepare the Cloud VPS. Ensure your VPS provider’s external firewall is set to “Open” or allows traffic on your custom VPN port (51194).
Step 1: Initial Security
Login to Winbox using your VPS Public IP (User: admin, Password: blank). Immediately set a strong password under System > Password.
Step 2: Generate SSL Certificates
To secure the OVPN tunnel, we use SSL certificates. Open the Terminal and run:
/certificate
add name=vpn-ca common-name=vpn.local days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
sign vpn-ca
set vpn-ca trusted=yes
add name=vpnserver common-name=vpnserver.local days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign vpnserver ca=vpn-ca
set vpnserver trusted=yes
add name=vpnclient common-name=vpnclient.local days-valid=3650 key-size=2048 key-usage=tls-client
sign vpnclient ca=vpn-ca
set vpnclient trusted=yes
Export for Client MikroTik Use:
/certificate
export-certificate vpn-ca export-passphrase=""
export-certificate vpnclient export-passphrase=YOUR_PASSPHRASE
Go to Files in Winbox and download the CA Cert, Client Cert, and Private Key to your computer.
Step 3: Define IP Pool & PPP Profile
/ip pool add name="vpn-pool" ranges=172.16.0.2-172.16.3.254
/ppp profile add name="vpn-profile" local-address=172.16.0.1 remote-address=vpn-pool dns-server=1.1.1.1,8.8.8.8 use-encryption=yes
Step 4: Create VPN Users (Secrets)
/ppp secret add name=homemikrotik password=STRONG_PASSWORD profile=vpn-profile remote-address=172.16.0.2
If you have more branch offices, you can add more users by incrementing the IP (e.g., 172.16.0.3).
Step 5: Enable OpenVPN Server
Navigate to PPP > Interface > OVPN Server and apply these settings:
- Port: 51194
- Mode: ip
- Certificate: vpnserver
- Auth: sha1, md5, sha256, sha512
- Cipher: aes 128 cbc, aes 256 cbc, aes 128 gcm
- Default Profile: vpn-profile
Step 6: Server Firewall, NAT & MSS Clamping
To secure your Cloud Router and manage VPN traffic flow, apply these rules.
Remember to place “Accept” rules above “Drop” rules.
Firewall Filter Rules:
/ip firewall filter
add chain=input protocol=tcp dst-port=51194 action=accept comment="Allow OVPN connections"
add chain=input src-address=172.16.0.0/22 in-interface=all-ppp action=accept comment="Allow OVPN users input"
# Established,Related input connections default rule should be placed here
add chain=input protocol=tcp dst-port=58291 action=accept comment="Allow Winbox/MikroTik Access"
# Note: Winbox > IP > Firewall > Service Ports: disable all except winbox, and change the winbox port to the custom port 58291
# Invalid input drop rule should be placed here
# All other input drop rule should be placed here
add chain=forward src-address=172.16.0.0/22 action=fasttrack-connection comment="Fasttrack for OVPN users"
add chain=forward src-address=172.16.0.0/22 dst-address=!172.16.0.0/22 out-interface=ether1 action=accept comment="Allow OVPN internet browsing"
add chain=forward src-address=172.16.0.0/22 in-interface=all-ppp action=accept comment="Forward from OVPN users"
add chain=forward dst-address=172.16.0.0/22 out-interface=all-ppp action=accept comment="Forward to OVPN users"
# Established,Related forward connections default rule should be placed here
# Invalid forward drop rule should be placed here
# Not dst-NAT'ed forward drop rule should be placed here
# All other forward drop rule should be placed here
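Rule order is easy to get wrong when the accept and drop rules are pasted in separately, so here is an added check written for this guide (not MikroTik code): a Python script that parses filter rules in the export form used above, flags any rule sitting after its chain's catch-all drop (it can never match), and flags the management-port accept when nothing limits its source. The sample rules are constructed from the ones above, with the "placed here" lines filled in and one deliberately misplaced accept appended.

```python
import re

# Constructed sample: this guide's filter rules with the "placed here" lines
# filled in as plain rules, plus one deliberately misplaced accept at the end.
SAMPLE_FILTER = """
add chain=input protocol=tcp dst-port=51194 action=accept comment="Allow OVPN connections"
add chain=input src-address=172.16.0.0/22 in-interface=all-ppp action=accept comment="Allow OVPN users input"
add chain=input connection-state=established,related action=accept
add chain=input protocol=tcp dst-port=58291 action=accept comment="Allow Winbox/MikroTik Access"
add chain=input connection-state=invalid action=drop
add chain=input action=drop comment="All other input"
add chain=forward src-address=172.16.0.0/22 action=fasttrack-connection comment="Fasttrack for OVPN users"
add chain=forward connection-state=established,related action=accept
add chain=forward action=drop comment="All other forward"
add chain=forward src-address=172.16.0.0/22 in-interface=all-ppp action=accept comment="Misplaced accept"
"""

# Keys that do not narrow which packets a rule matches.
NON_MATCHERS = {"chain", "action", "comment", "disabled", "log", "log-prefix", "place-before"}
SOURCE_LIMITS = {"src-address", "src-address-list", "in-interface", "in-interface-list"}
MGMT_PORT = "58291"  # custom Winbox port from this guide

def parse_rules(text: str) -> list[dict[str, str]]:
    """Turn 'add key=value ...' lines into dicts; quoted values keep their spaces."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def audit(rules: list[dict[str, str]]) -> list[str]:
    """Findings: rules shadowed by a catch-all drop, and an unrestricted management accept."""
    findings, catch_all = [], {}  # chain -> index of its first unconditional drop
    for i, r in enumerate(rules):
        chain, matchers = r.get("chain"), {k for k in r if k not in NON_MATCHERS}
        if chain in catch_all:
            findings.append(f"rule {i} ({r.get('comment', '')}) is unreachable: "
                            f"shadowed by catch-all drop at rule {catch_all[chain]} in chain {chain}")
        if r.get("action") == "drop" and not matchers:
            catch_all.setdefault(chain, i)
        if (chain == "input" and r.get("action") == "accept"
                and r.get("dst-port") == MGMT_PORT and not matchers & SOURCE_LIMITS):
            findings.append(f"rule {i} accepts management port {MGMT_PORT} from any source; "
                            "add src-address or in-interface-list to limit who can reach it")
    return findings

print("\n".join(audit(parse_rules(SAMPLE_FILTER))))
```

Paste the output of `/ip firewall filter export` into SAMPLE_FILTER to audit a real router; the parser ignores everything except `add` lines.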
To allow browsing and fix MTU issues, apply the following:
NAT:
/ip firewall nat
add chain=srcnat src-address=172.16.0.0/22 dst-address=!172.16.0.0/22 out-interface=ether1 action=masquerade comment="VPN Internet Access"
add chain=srcnat dst-address=172.16.0.0/22 out-interface=all-ppp action=masquerade comment="Hairpin NAT"
Mangle (MSS Fix):
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp out-interface=all-ppp comment="Fix MSS for all OVPN Clients"
Part 2: Client-Side Configuration (Home/Office)
Step 7: Import Certificates
- Drag and drop the exported certificate files from your computer into the Files section of your local/client MikroTik.
- Go to System > Certificates > Import and import them one by one (enter the passphrase for the private key).
Step 8: Create OVPN Client
(Client Side)
Go to PPP > Interface > “+” > OVPN Client:
- Connect To: [Your VPS IP]
- Port: 51194
- User/Password: [Created in Step 4]
- Profile: default-encryption
- Certificate: vpnclient.crt
- Verify Server Certificate: no
- Auth: sha1
- Cipher: aes 128
- Use Peer DNS: yes
- Add Default Route: No (Important: We will use Policy Routing).
Step 9: Client Routing & MSS Clamping
On your local home/office router, you need to allow traffic from the OVPN tunnel.
Remember to place “Accept” rules above “Drop” rules.
Firewall Filter Rules (Client Side):
/ip firewall filter
add chain=input in-interface=ovpn-out1 action=accept comment="Allow Input from OVPN"
add chain=forward in-interface=ovpn-out1 action=accept comment="Allow Forward from OVPN"
add chain=forward dst-address=172.16.0.0/22 out-interface=ovpn-out1 action=accept comment="Allow Forward to OVPN Network"
NAT Rules (Client Side):
/ip firewall nat
add chain=srcnat src-address=192.168.88.0/24 out-interface=ovpn-out1 action=masquerade place-before=2 comment="Browse via CHR"
add chain=srcnat dst-address=172.16.0.0/22 out-interface=ovpn-out1 action=masquerade comment="Reach other VPN branches"
Mangle (MSS Fix) (Client Side):
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp out-interface=ovpn-out1 comment="Fix MSS for OVPN"
Routes (Client Side):
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.0.1%ovpn-out1 check-gateway=ping distance=12 comment="OVPN Route"
add dst-address=0.0.0.0/0 gateway=172.16.0.1%ovpn-out1 distance=22 routing-table=Browsing_via_CHR
(Note: In RouterOS v7, ensure you create the Routing Table Browsing_via_CHR under Winbox > Routing > Tables first).
Part 3: Policy Based Routing (The Magic)
Suppose you want only one specific device (192.168.88.156) to browse via the VPN while everyone else uses the local ISP.
(Client Side)
- Go to Local Winbox > IP > Routes > Rules.
- Add a new Rule:
- Src. Address: 192.168.88.156
- Action: lookup
- Table: Browsing_via_CHR
(Note: In RouterOS v7, go to Winbox > Routing > Rules to create the rule).
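To see what the rule and the two routes from Step 9 do together, including what happens to the 192.168.88.156 device when the tunnel drops, here is an added Python model of RouterOS route selection written for this guide (not MikroTik code). It assumes an ISP default route via ether1 (placeholder gateway 203.0.113.1), treats a route as inactive when its gateway interface is down, and models the two RouterOS v7 rule actions: lookup falls back to the main table when the named table has no usable route, lookup-only-in-table does not.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    dst: str        # destination prefix
    gateway: str    # "address%interface", as in this guide's routes
    distance: int
    table: str = "main"

    def interface(self) -> str:
        return self.gateway.split("%")[-1]

@dataclass
class Rule:
    src: str
    table: str
    action: str = "lookup"  # "lookup" falls back to main; "lookup-only-in-table" does not

# Constructed model of the client router. The ISP default route via ether1 is
# assumed (203.0.113.1 is a placeholder); the two OVPN routes are the guide's.
ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1%ether1", 1),
    Route("0.0.0.0/0", "172.16.0.1%ovpn-out1", 12),
    Route("0.0.0.0/0", "172.16.0.1%ovpn-out1", 22, "Browsing_via_CHR"),
]
RULES = [Rule("192.168.88.156", "Browsing_via_CHR")]

def lookup(routes, table, dst, links_up):
    """Best active route in a table: longest prefix, then lowest distance.
    A route whose gateway interface is down (tunnel not connected) is inactive."""
    ip = ipaddress.ip_address(dst)
    cands = [r for r in routes if r.table == table and r.interface() in links_up
             and ip in ipaddress.ip_network(r.dst)]
    return min(cands, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.distance), default=None)

def egress(src, dst, links_up, rules=RULES, routes=ROUTES):
    """Interface a packet leaves through after routing rules, or None if it has no route."""
    for rule in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(rule.src):
            route = lookup(routes, rule.table, dst, links_up)
            if route:
                return route.interface()
            if rule.action == "lookup-only-in-table":
                return None  # no fallback: traffic stops instead of leaving via the ISP
            break
    route = lookup(routes, "main", dst, links_up)
    return route.interface() if route else None
```

With the guide's lookup action the device falls back to the ISP path while ovpn-out1 is down; lookup-only-in-table keeps it off the Internet until the tunnel returns, which is the behaviour to pick if the device must never be seen from the home IP.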
Verification
Visit whatismyipaddress.com from the target device. It should now show the IONOS VPS IP.
Key Takeaways
- Privacy: No third-party VPN provider logs your data.
- Customization: Use MSS Clamping and Policy Routing for a lag-free experience.
- Scalability: Connect multiple branch offices to the same CHR hub.
Bandwidth Note: The free MikroTik CHR license is limited to 1 Mbps. For production environments, I recommend the “P1” perpetual license for unlimited speed.
If you found this guide helpful, please share it with the networking community! Have questions? Drop a comment below.
