Last updated: 2020-050-07


  1. Set NTP Client
  2. Create CA & Certificate

Software & Hardware

/system resource print

                   uptime: 1w1d21h7m13s
                  version: 6.44.4 (stable)
               build-time: May/09/2019 12:14:50
         factory-software: 6.43.2
              free-memory: 38.7MiB
             total-memory: 64.0MiB
                      cpu: MIPS 74Kc V4.12
                cpu-count: 1
            cpu-frequency: 600MHz
                 cpu-load: 0%
           free-hdd-space: 110.1MiB
          total-hdd-space: 128.0MiB
  write-sect-since-reboot: 9559
         write-sect-total: 9559
               bad-blocks: 0%
        architecture-name: mipsbe
               board-name: RB2011iL
                 platform: MikroTik


Set NTP Client


/system ntp client set enabled=yes

/system clock print


Create CA & Certificate


 * If CA certificate is removed then all issued certificates in chain are also removed

 * Check the router's current time before creating the CA and certificates, otherwise you will create a CA and certificates that are already expired.


  1. Make certificate templates
  2. Sign certificates
  3. Trust CA (Set "T" flag)
  4. Export CA Cert.
  5. Check




add name=ca-template common-name=myCa days-valid=3650 key-size=4096 key-usage=key-cert-sign,crl-sign

add name=server-template common-name=myServer

key-usage (RFC 5280)

  1. name: Name of the certificate. Name can be edited.
  2. subject-alt-name: contact email address


sign ca-template name=myCa

sign server-template ca=myCa name=myServer

* Certificate templates are deleted right after certificate issue or certificate request command is executed

* templates without Flags

ca-crl-host - CRL host if issuing CA certificate

ca - which CA to use if signing issued certificates


  • T - trusted
  • A - authority


set myCa trusted=yes         # Default trusted


export-certificate myCa

Remark: exporting the private key

# Adding 'export-passphrase=xxxx' exports both the crt and the key

export-certificate myCa export-passphrase=xxxx

/file print



/certificate print

# shows the expiry time (invalid-after)

/certificate print detail


Client Cert.

add name=client1-template common-name=myClient1


/certificate> import file-name=xxxx passphrase=xxxx
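The certificate steps above as one RouterOS script, added here as an example and not taken from the original page: it refuses to sign while the clock is still at the factory default (the expired-CA problem noted at the top of this section), then creates, signs, trusts and exports the CA, server and client certificates. The template names and myCa/myServer/myClient1 are the page's; the key-usage values, validity periods and the year threshold are assumptions, and xxxx is a placeholder passphrase.

```routeros
# Added example; names myCa/myServer/myClient1 follow the page, the
# key-usage values, days-valid and the 2019 threshold are assumptions.
# RouterOS 6 prints the date as "may/09/2019"; characters 7..10 are the year.
:local year [:tonum [:pick [/system clock get date] 7 11]]
:if ($year < 2019) do={
  :error "router clock not set ($year): fix NTP before signing certificates"
}
/certificate
# Templates are deleted as soon as they are signed, so they are recreated here.
add name=ca-template common-name=myCa days-valid=3650 key-size=4096 \
    key-usage=key-cert-sign,crl-sign
add name=server-template common-name=myServer days-valid=365 key-size=2048 \
    key-usage=digital-signature,key-encipherment,tls-server
add name=client1-template common-name=myClient1 days-valid=365 key-size=2048 \
    key-usage=digital-signature,tls-client
# sign blocks until the key is generated; 4096-bit on a MIPS board takes a while.
sign ca-template name=myCa
sign server-template ca=myCa name=myServer
sign client1-template ca=myCa name=myClient1
# Trust the CA so certificates chaining to it verify on this router.
set myCa trusted=yes
# Export the CA without its key (public part only) and the client
# certificate together with its key (export-passphrase=xxxx is a placeholder).
export-certificate myCa
export-certificate myClient1 export-passphrase=xxxx
# Check: every certificate should show K, the CA should also show A and T,
# and no invalid-after date may lie in the past.
:foreach c in=[find] do={
  :put ([get $c name] . " expires " . [get $c invalid-after] . \
        " trusted=" . [get $c trusted])
}
```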

OVPN Server


Sub-menu: /interface ovpn-server

Server configuration

/interface ovpn-server server print


  • ether1 - Internet
  • ether2 - Local control
  • ether3 - Vpn bridge

Config 1: FW Rule

/ip firewall filter
add action=accept chain=input dst-port=1194 protocol=tcp \
comment="OpenVPN" disabled=no

Config 2: Add bridge & Config Port

/interface bridge add name=vpn-bridge

/interface bridge port> set [find interface=ether3] bridge=vpn-bridge


/interface bridge port> add interface=ether3 bridge=vpn-bridge


Interface Name: ovpn-USERNAME


  • /interface bridge print
  • /interface bridge port print

Config 3: Add a vpn user

# local-address and remote-address must be set, otherwise the client fails with this error:

<ovpn-client1>: terminating... - could not add address: local address cannot be (6)

/ppp secret add name=client1 password=123 local-address= remote-address=

# without detail, local-address is not shown

/ppp secret print detail

Config 4: Add a PPP profile bound to the bridge

/ppp profile add name=ovpn bridge=vpn-bridge

Config 5: Enable the OVPN server

/interface ovpn-server server

set auth=sha1,md5 \
cipher=blowfish128,aes128,aes192,aes256 \
default-profile=ovpn \
certificate=myServer require-client-certificate=no \
mode=ethernet enabled=yes


/interface ovpn-server server print

                     enabled: yes
                        port: 1194
                        mode: ethernet
                     netmask: 32
                 mac-address: FE:5D:C9:??:??:??
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: default
                 certificate: myServer
  require-client-certificate: no
                        auth: sha1,md5
                      cipher: blowfish128,aes128,aes192,aes256

/interface ovpn-server monitor 0

no such item

/interface ovpn-server monitor <ovpn-client1>

     status: connected
     uptime: 1w19h8m5s
       user: client1
   encoding: AES-256-CBC/SHA1
        mtu: 1500

/ip address print

 2 D        <ovpn-client1>

/ppp active print

Flags: R - radius
 0   client1      ovpn        2m7s     AES-256-CBC/SHA1

/ppp active remove 0


OVPN Client


Sub-menu: /interface ovpn-client


  • ether1 - Internet
  • ether2 - Local control
  • ether3 - Vpn bridge

Config Client

/interface ovpn-client

# connect-to takes the server address; ovpn-client uses profile=, not default-profile=
add name="ovpn-out1" connect-to= port=1194 \
profile=ovpn \
mode=ethernet \
user="client1" password="123" \
cipher=aes256 auth=sha1


/interface ovpn-client print

/interface ovpn-client monitor 0



More Security


1. Upload cert_export_myCa.crt to the client router with WinBox

2. Import CA Cert.


import file-name=cert_export_myCa.crt

     certificates-imported: 1
     private-keys-imported: 0
            files-imported: 1
       decryption-failures: 0
  keys-with-no-certificate: 0

/certificate print

Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #         NAME                 COMMON-NAME    SUBJECT-ALT-NAME      FINGERPRINT
 0    A  T cert_export_myCa.... myCa                                 c6cca0b76f301055860fc...

3. Config client

/interface ovpn-client

set 0 verify-server-certificate=yes

/interface ovpn-client disable ovpn-out1

/interface ovpn-client enable ovpn-out1

/interface ovpn-client monitor ovpn-out1
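As an added example (not from the original page), the server settings from Config 5 and the client settings from this section tightened to mutual certificate authentication, using the myClient1 certificate the Client Cert. section imports: md5 and blowfish128 are dropped from the offered lists and the server requires a client certificate, so the PPP password alone is no longer enough. Names myServer, myClient1, ovpn and ovpn-out1 are the page's; vpn.example.net is an assumed server address.

```routeros
# Added example; vpn.example.net is an assumed hostname, the rest follows the page.
# --- server side ---
/interface ovpn-server server
# Offer only aes256/sha1 and require a client certificate issued by myCa.
set enabled=yes port=1194 mode=ethernet default-profile=ovpn \
    certificate=myServer require-client-certificate=yes \
    auth=sha1 cipher=aes256
# --- client side (cert_export_myCa.crt imported and trusted, myClient1
#     imported with its key via "import file-name=... passphrase=...") ---
/interface ovpn-client
add name=ovpn-out1 connect-to=vpn.example.net port=1194 mode=ethernet \
    profile=ovpn user=client1 password=123 certificate=myClient1 \
    verify-server-certificate=yes auth=sha1 cipher=aes256 \
    add-default-route=no
# Check: status must be "connected" and encoding AES-256-CBC/SHA1. With
# verify-server-certificate=yes a server whose certificate does not chain to
# the trusted myCa never reaches "connected", which is the point of the import.
/interface ovpn-client monitor ovpn-out1 once
```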