I live in a underdeveloped country of South Asia, when I visit the Internet, my network identity appearing as from a poor country. But, I want to make my home network to a rich country like USA or UK.

So, I subscribed a low cost VPS ($2/month) from an UK data-center, and I’m going to use the London based ISP as my home country’s home network.

I installed MikroTik CHR (Cloud Hosted Router) image on my UK VPS as server side router. So both side (server side & client side) will be MikroTik RouterOS.

Server/Cloud Side MikroTik/CHR Configuration:

If the VPS provider has external firewall configuration panel, then open the necessary 3 ports to configure our expected setup. TCP ports 1194, 8291, & 443

external firewall panel

Login to Winbox by your VPS real IP with username admin and password blank.

After first login, change the admin password. Then start the setup by following:

Create and Sign Certificates:

add name=ca common-name=cloudrouter.example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
sign ca
add name=cloudrouter common-name=cloudrouter.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign cloudrouter ca=ca
add name=clientrouter common-name=clientrouter.example.com days-valid=3650 key-size=2048 key-usage=tls-client
sign clientrouter ca=ca

All certs should be trusted marked, if not then go to Winbox > System > Certificates ; double-click to open the certificate window and enable tick-mark “Trusted” then apply and ok.

Export Cert:

export-certificate ca export-passphrase=""
export-certificate clientrouter export-passphrase=12345678

After exported you will find the certificate files in MikroTik’s File List. (Login to MikroTik > Files)

Download the certs from file list and save in your local computer. (Use drag and drop to download)


We will decide IP addresses range for server side VPN IP allocation to give to client router.
( Example: )


Add VPN IP address Pool:

pool add name="ovpn-pool" ranges=


Create a VPN User authentication profile.

profile add name="ovpn-profile" use-encryption=yes local-address= dns-server=, remote-address=ovpn-pool

The DNS server in the PPP profile line above you can use the two nameserver provided by your VPS company/provider.


Create a VPN User.

secret add name=clientrouter password=ySw4eVnet profile=ovpn-profile remote-address=

If you have more home/office router available then create more users as needed. Just remember that the remote IP address remote-address= will increment by 1 to each user.

eg. secret add name=officerouter password=dQk8vTx5j profile=ovpn-profile remote-address=

Or, for your third branch office: secret add name=thirdbranch password=eJb7dWh3pk profile=ovpn-profile remote-address=


Create OpenVPN Server.

Important ! Please create “OVPN Server” from the Winbox GUI, not by command line input. the below command is for reference only.

/interface ovpn-server server
set keepalive-timeout=86400 default-profile=ovpn-profile certificate=cloudrouter require-client-certificate=yes auth=sha1 cipher=aes128,aes256 enabled=yes

mikrotik ovpn server

It’s time to configure the firewall, do the commands:

/ip firewall filter

add chain=forward connection-state=established,related,untracked action=accept comment="Accept Forward for Established and Related Connections"
add chain=forward src-address= action=accept comment="Allow Forwarding by OVPN Clients"
add chain=input connection-state=established,related,untracked action=accept comment="Accept Input for Established and Related Connections"
add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN Connection"
add chain=input in-interface=all-ppp action=accept comment="Allow Input by OVPN Clients"
add chain=input protocol=tcp dst-port=8291 action=accept comment="Allow Winbox Input"
add chain=input protocol=tcp dst-port=443 action=accept comment="Allow HTTPS Input"
add chain=input action=drop comment="Input drop for all other connection"
add chain=forward action=drop comment="Forward drop for all other connection"
add chain=forward connection-state=invalid action=drop comment="Invalid drop for all other connection"

/ip firewall nat

add chain=srcnat src-address= action=masquerade comment="Allow OVPN Clients to Browse the Internet via Cloud/Server Network"

Well, our server side configuration is completed. Now, additionally we will create an SSL certificate to access our cloud router via HTTPS.

add name=ssl-ca common-name=CloudRouterSSL days-valid=3650 key-usage=key-cert-sign,crl-sign
sign ssl-ca
add name=ssl-cert common-name=CloudRouterSSL days-valid=3650
sign ssl-cert ca=ssl-ca

All certs should be trusted marked, if not then go to > System > Certificates ; double-click to open the certificate window and enable tick-mark “Trusted” then apply and ok.

Then enable HTTPS (www-ssl): Login to Winbox > IP > Services > www-ssl enable

And, disable HTTP (www): Login to Winbox > IP > Services > www disable


Done, you can access your Cloud router by visiting the real IP in a browser. https://xx.xx.xx.xx



Client Side (Home/Office  Router) MikroTik Configuration:

Disable peer DNS on PPPoE ISP connection interface.

Change default route distance to 2 on your PPPoE connection interface. So that we can set OVPN/PPP route distance to 1

In each home/office router, upload and import the certificate files. (Use password 12345678 when required)

To upload: Login to Winbox > Files > Drag & Drop Cert Files

To import: Login to Winbox > System > Certificates > Import (GUI Button)

Create a OpenVPN client connection interface.

ovpn client setup

ovpn dial out

Configure with username clientrouter and password ySw4eVnet and other settings …

Enable “Add Default Route” on OVPN-Client connection interface.

openvpn client setup

Then, configure client router firewall rules:

/ip firewall filter

add chain=output out-interface=ovpn-out1 action=accept comment="Allow Traffic Routing Through OVPN"
add chain=forward out-interface=ovpn-out1 action=accept comment="Allow Traffic Forwarding Through OVPN"
add chain=input src-address= in-interface=ovpn-out1 action=accept comment="Allow Input from OVPN Clients"
add chain=input protocol=tcp dst-port=8291 action=accept comment="Allow Winbox Access"

Change the masquerade firewall rule to enable Internet access via OpenVPN server internet, and also access other client router.

/ip firewall nat
add chain=srcnat out-interface=ovpn-out1 action=masquerade comment="Allow Internet Browsing via CHR Network"
add chain=srcnat dst-address= out-interface=ovpn-out1 action=masquerade comment="Remote/Other Winbox/MikroTik access via OVPN"

Done !


!!! Most Important !!!

Without license, your internet browsing speed will be up to 1 Mbps. Upgrade the MikroTik license to get internet speed.

Please license the cloud router. https://wiki.mikrotik.com/wiki/Manual:CHR#Getting_the_License