dokuwiki

https://systemzone.net/mikrotik-openvpn-setup-with-windows-client/

#Creating CA
Click on + New Certificate
name: ca
Commin Name: ca
on Key Usage tab check: crl sign, key cert. sign


Click on Apply
click on Sign then Select your newly created certificate 

CA CRL Host: 87.238.211.250
Click on Start

Be sure Flag status shows Trusted Yes (if not, do it manualy)
-------------------------------------------------------------------
#Creating Server
Click on + New Certificate
Name: server
Commin Name: server
on Key Usage tab check: digital signature, key encipherment, tls server
Click on Apply
click on Sign then Select your newly created certificate
select CA certificate
Click on Start
Be sure Flag status shows Trusted Yes (if not, do it manualy)
-------------------------------------------------------------------

#Creating Client
Click on + New Certificate
Name: client
Commin Name: client
on Key Usage tab check: tls client
Click on Apply
click on Sign then Select your newly created certificate 
select CA certificate
Click on Start
Click OK 
Client certificate does not require T flag
-------------------------------------------------------------------
#Exporting CA and Client
export CA (PEM, no pass)
export client (PEM, put password) uYhmG@aa&8

Drag and Drop cert files in a folder openvpn path C:\Users\xxx\OpenVPN\config
-------------------------------------------------------------------

#OpenVPN Server Config in MikroTik

on PPP menu/click on Secrets  create user
Name: user
Password:***
Service: ovpn
Profile: ovpn-profile
Local Address: GW IP (IP for router)
Remote Address: LAN IP (IP qe e merr useri)

Enabling Proxy ARP on LAN Interface
After enabling proxy-arp, the remote client can successfully reach all workstations in the local network behind the router.

Enable OPENVPN
PPP/Interfaces/OVPN server
enable checkbox
port chhange (recomanded)
Certificate: Server
enable checkbox Require client sertificate
sha1 and aes256
-------------------------------------------------------------------