Mikrotik router as OpenVPN Client
configure your Mikrotik router board as an OpenVPN client

It is easy to configure a Mikrotik router as either an OpenVPN server or an OpenVPN client. However, more configuration is required to route traffic from your clients through the OVPN server. In other words, you have to configure RouterOS to send a client's traffic out through the OVPN server.

This post contains all the details of how to connect to the server; you may need to change some settings for your specific server configuration.

Add a PPP Profile in RouterOS

A profile shortens Mikrotik commands by letting you inherit configurations and change them centrally, something like global variables in programming languages.

> ppp profile add \
        name=OVPN-client \
        change-tcp-mss=yes \
        only-one=yes \
        use-encryption=required \
        use-mpls=no

This command adds a new PPP profile to RouterOS, named OVPN-client, with the settings shown. To confirm that the profile was added, use the following command.

 ppp profile print

This command lists all profiles configured on the Mikrotik.

Create an OpenVPN interface

Mikrotik/RouterOS treats an interface as an input-output resource, so it is very easy to manage routing based on interfaces. An OVPN client is just another interface and can be used to send or receive packets.

> interface ovpn-client add \
    connect-to=xxx.xxx.xxx.xxx \
    add-default-route=no \
    auth=sha1 \
    certificate=client \
    disabled=no \
    user=vpnuser \
    password=vpnpass \
    name=myvpn \
    profile=OVPN-client

This command creates a new OVPN client interface on the Mikrotik router. User/password properties seem to be mandatory on the client even if the server doesn’t have auth-user-pass-verify enabled. If everything went according to plan you should now be connected. To test that the OVPN client is connected, use the following command:

interface ovpn-client monitor myvpn

This will print the status of the VPN.

Then we set up a 'mangle' rule which marks packets coming from the local network and destined for the internet with a routing mark named vpn_traffic:

ip firewall mangle add \
    disabled=no \
    action=mark-routing \
    chain=prerouting \
    dst-address-list=!local_traffic \
    new-routing-mark=vpn_traffic \
    passthrough=yes \
    src-address=192.168.88.2-192.168.88.254
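
The mangle rule references an address list (local_traffic) and a routing mark (vpn_traffic) that only take effect once the list has entries and a route exists for the mark. One way to supply them, as an added example that is not part of the original post; it assumes RouterOS v6 syntax, a LAN of 192.168.88.0/24, a server that has no route back to that LAN, and that marked traffic should be dropped rather than leave through the WAN when the tunnel is down:

```routeros
# Added example, not from the original post.
# Assumptions: RouterOS v6, LAN is 192.168.88.0/24, interface/profile names as above.

# Destinations that must stay off the VPN: here only the LAN itself.
/ip firewall address-list add list=local_traffic address=192.168.88.0/24

# Send everything carrying the vpn_traffic routing mark into the tunnel.
/ip route add dst-address=0.0.0.0/0 gateway=myvpn routing-mark=vpn_traffic distance=1

# Fallback for the same mark. When myvpn is down the route above goes inactive,
# and without this blackhole the marked packets would fall through to the main
# table and leave unencrypted through the WAN.
/ip route add dst-address=0.0.0.0/0 type=blackhole routing-mark=vpn_traffic distance=2

# Source-NAT LAN clients to the tunnel address so the server can return replies.
/ip firewall nat add chain=srcnat out-interface=myvpn action=masquerade

# Checks: the tunnel route should be active, and the mangle counters should
# increase while a LAN client browses.
/ip route print where routing-mark=vpn_traffic
/ip firewall mangle print stats
```

To test the fallback, disable myvpn and confirm that a LAN client loses internet access instead of reaching it through the WAN.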

ویراوب ۱۲۳, مصطفی برمشوری 16 November, 2021