I live in a poor country of South Asia, when I visit Internet my network identity appearing as from a poor country. But, I want to make my home network to a rich country like USA or UK.

So, I subscribed a low cost VPS ($2/month) from an UK data-center, and I’m going to use the London based ISP as my home country’s home network.

I installed MikroTik CHR (Cloud Hosted Router) image on my UK VPS as server side router. So both side (server side & client side) will be MikroTik RouterOS.

Server Side MikroTik Configuration:

If the VPS provider has external firewall configuration panel, then open the necessary 3 ports to configure our expected setup. TCP ports 1194, 8291, & 443

Login to Winbox by your VPS real IP with username admin and password blank.

After first login, change the admin password. Then start the setup by following:

Create Cert:

add name=ca common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server common-name=*.example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=homerouter common-name=homerouter.example.com days-valid=3650 key-size=2048 key-usage=tls-client

Sign Cert:

sign ca name=ca
sign server name=server ca=ca
sign homerouter name=homerouter ca=ca

All certs should be trusted marked, if not then double-click to open the certificate window and enable tick-mark “Trusted” then apply and ok.

Export Cert:

export-certificate ca export-passphrase=""
export-certificate homerouter export-passphrase=12345678

After exported you will find the certificate files in MikroTik’s File List. (Login to MikroTik > Files)

Download the certs from file list and save in your local computer.

We will decide an IP series for server side VPN IP allocation.

Add VPN IP address Pool:

pool add name="ovpn-pool" ranges=

Create a VPN User authentication profile.

profile add name="ovpn-profile" use-encryption=yes local-address= dns-server=, remote-address=ovpn-pool

Create a VPN User.

secret add name=homerouter profile=ovpn-profile password=ySw4eVnet

Create OpenVPN Server.

/interface ovpn-server server
set keepalive-timeout=86400 default-profile=ovpn-profile certificate=server require-client-certificate=yes auth=sha1 cipher=aes128,aes256 enabled=yes

Allow OpenVPN in Firewall.

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN"

Enable Client’s Internet access via Server VPN.

/ip firewall nat
add chain=srcnat src-address= action=masquerade


Client Side (Home Router) MikroTik Configuration:

Disable peer DNS on PPPoE ISP connection interface.

Change default route distance to 5 on your PPPoE connection interface.

Upload and import the certificate files. (Use password 12345678 when required)

Create a OpenVPN client connection interface.

Configure with username homerouter and password ySw4eVnet and other settings …

Enable “Add Default Route” on OVPN-Client connection interface.

Change the masquerade firewall rule to enable Internet access via OpenVPN server internet.

/ip firewall nat
add chain=srcnat out-interface=ovpn-out1 action=masquerade

Done !