There are three authentication modes for OpenVPN on MikroTik:
| Mode | Server Setting | Client Needs | Security Level |
|---|---|---|---|
| User/pass only | require-client-certificate=no | CA + username/password | Basic |
| Cert only | require-client-certificate=yes | CA + client cert/key | Good |
| Combo (both) | require-client-certificate=yes | CA + client cert/key + username/password | Best |
CA certificate:

- What it is: The server's Certificate Authority certificate
- Purpose: Verifies the server is legitimate (prevents man-in-the-middle attacks)
- Required: Always (for a secure TLS connection)
- Does NOT authenticate the client

Client certificate:

- What it is: A certificate issued to a specific client, signed by the CA
- Purpose: Proves the client's identity to the server
- Required: Only when require-client-certificate=yes
- Authenticates the client
User/pass only:

Server:

```
/interface ovpn-server server set require-client-certificate=no
/ppp secret add name=username password=password service=ovpn profile=YourProfile
```

Client config:

```
client
dev tun
proto tcp
remote YOUR_SERVER_IP PORT
auth SHA1
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(CA certificate here)
-----END CERTIFICATE-----
</ca>
```

- CA cert verifies server identity only
- User authenticates with username/password
- Easiest to manage and distribute
Cert only:

Server:

```
/interface ovpn-server server set require-client-certificate=yes
# Create client certificate
/certificate add name=client1 common-name=client1 key-usage=tls-client
/certificate sign client1 ca=ca
# Export the client certificate together with its private key.
# RouterOS writes the private key only when export-passphrase is set
# (an empty passphrase exports the certificate alone); the key file is
# encrypted with that passphrase, so decrypt it or use askpass on the client.
/certificate export-certificate client1 export-passphrase=YourExportPassphrase
```

Client config:

```
client
dev tun
proto tcp
remote YOUR_SERVER_IP PORT
auth SHA1
cipher AES-256-CBC
data-ciphers AES-256-CBC
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(CA certificate here)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Client certificate here)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Client private key here)
-----END PRIVATE KEY-----
</key>
```

- No username/password required
- Each client needs a unique cert/key pair
- Revoke access by revoking the certificate
- MikroTik doesn't cleanly support this mode alone (usually combined with user/pass)
Combo (both):

Server:

```
/interface ovpn-server server set require-client-certificate=yes
/ppp secret add name=username password=password service=ovpn profile=YourProfile
# Create client certificate
/certificate add name=client1 common-name=client1 key-usage=tls-client
/certificate sign client1 ca=ca
# Export client1 as in the cert-only mode above
```

Client config:

```
client
dev tun
proto tcp
remote YOUR_SERVER_IP PORT
auth SHA1
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(CA certificate here)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(Client certificate here)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(Client private key here)
-----END PRIVATE KEY-----
</key>
```

- Two-factor: something you have (cert) + something you know (password)
- Most secure option
- Can revoke access by either removing the ppp secret OR revoking the certificate
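The three client profiles above differ only in which directives and inline blocks they carry, which makes it easy to hand out a profile that does not match the server's require-client-certificate setting. The following linter, added here as an example and not code from MikroTik or the OpenVPN project, parses a .ovpn profile (directives plus inline `<ca>`, `<cert>` and `<key>` blocks) and checks it against the "Client Needs" column of the table for a chosen mode. It also reports a passphrase-protected key, which is what a RouterOS export with export-passphrase produces. The mode names, the sample profiles and their placeholder PEM bodies are constructed for the example; nothing in it is a real certificate or key.

```python
"""Lint an OpenVPN client profile (.ovpn) against the three MikroTik
authentication modes described above (user/pass only, cert only, combo).

Added example for this page; it is not MikroTik or OpenVPN project code.
Standard library only. The two profiles at the bottom are constructed
samples with placeholder PEM bodies, not real certificates or keys."""
import re

# Client-side directives each mode needs, taken from the "Client Needs" column.
MODE_REQUIREMENTS = {
    "userpass": {"auth-user-pass"},
    "cert": {"cert", "key"},
    "combo": {"auth-user-pass", "cert", "key"},
}
# Needed in every mode: the CA to verify the server, and remote-cert-tls so a
# client certificate signed by the same CA cannot impersonate the server.
ALWAYS_REQUIRED = {"ca", "remote-cert-tls"}

# Inline <ca>...</ca>, <cert>...</cert>, <key>...</key> blocks.
INLINE_RE = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>\n(.*?)\n</\1>", re.S)


def parse_profile(text):
    """Split a profile into (directives, inline_blocks).

    directives: name -> list of argument lists, one per occurrence
    inline_blocks: block name -> PEM body with surrounding whitespace removed
    """
    inline = {m.group(1): m.group(2).strip() for m in INLINE_RE.finditer(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        # OpenVPN treats '#' and ';' as comment introducers.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def check_profile(text, mode):
    """Return a list of findings; an empty list means the profile fits the mode."""
    directives, inline = parse_profile(text)
    present = set(directives) | set(inline)
    findings = []
    for needed in sorted(ALWAYS_REQUIRED | MODE_REQUIREMENTS[mode]):
        if needed not in present:
            findings.append(f"missing '{needed}' (required for mode {mode})")
    if mode == "userpass":
        # With require-client-certificate=no the server never checks these,
        # so a key in the profile only widens what a leaked file exposes.
        for extra in ("cert", "key"):
            if extra in present:
                findings.append(f"'{extra}' present but not checked in mode userpass")
    if "remote-cert-tls" in directives and directives["remote-cert-tls"][0] != ["server"]:
        findings.append("remote-cert-tls must be 'server' to pin the server-side key usage")
    if inline.get("key", "").startswith("-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        # RouterOS encrypts the exported key with the export passphrase;
        # OpenVPN prompts for it unless an 'askpass' file is configured.
        findings.append("private key is passphrase-protected; OpenVPN will prompt or needs askpass")
    return findings


# Constructed sample: user/pass only profile (placeholder PEM, not a real CA).
USERPASS_PROFILE = """\
client
dev tun
proto tcp
remote 203.0.113.10 1194
auth SHA1
cipher AES-256-CBC
data-ciphers AES-256-CBC
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: combo profile whose key came from a passphrase export.
COMBO_PROFILE = USERPASS_PROFILE + """\
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed placeholder, not a real key)
-----END ENCRYPTED PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    for mode in MODE_REQUIREMENTS:
        print(mode, check_profile(COMBO_PROFILE, mode) or "ok")
```

Run it against a profile before handing it to a user: a clean result for the mode the server is configured for means the profile carries exactly what that mode needs; findings about an unchecked cert/key or a passphrase-protected key point at the export step above.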
Management commands:

```
# Show server settings
/interface ovpn-server server print
# List users
/ppp secret print
# Add user
/ppp secret add name=user1 password=pass123 service=ovpn profile=YourProfile
# Remove user
/ppp secret remove [find name=user1]
# List certificates
/certificate print
# Create and sign client cert
/certificate add name=client1 common-name=client1 key-usage=tls-client
/certificate sign client1 ca=ca
# Export certificates: the CA with an empty passphrase (certificate only,
# the CA private key stays on the router); the client with a passphrase,
# since RouterOS includes the private key only when one is set (the key
# file is encrypted with it)
/certificate export-certificate ca export-passphrase=""
/certificate export-certificate client1 export-passphrase=YourExportPassphrase
# List active connections
/ppp active print
# Enforce single connection per user
/ppp profile set YourProfile only-one=yes
```