
OpenVPN UDP Tunnels

RouterOS supports OpenVPN over both TCP and UDP. UDP is the preferred transport for most deployments: it eliminates the TCP-over-TCP meltdown problem, reduces latency under packet loss, and improves throughput on congested or high-latency links. When inner application traffic (TCP streams) is carried inside a TCP-based tunnel, both the inner and outer TCP stacks perform independent retransmissions and congestion control, creating cascading delays. UDP encapsulation avoids this by leaving reliability to the applications.

UDP server support was added in RouterOS v7.4. RouterOS can also act as an OpenVPN UDP client. Third-party OpenVPN clients (Linux, Windows, macOS) can connect to a RouterOS UDP server on any RouterOS version that provides it.

Prerequisites

  • RouterOS v7.4 or later for the OpenVPN server with UDP transport
  • RouterOS v7.15.3 or later if RouterOS itself is the OpenVPN client using UDP
  • A PKI with a CA certificate, server certificate, and one client certificate per client
  • PPP profile and IP pool configured for address assignment
  • Firewall input rule allowing UDP on the configured port

How UDP Transport Works

OpenVPN encapsulates TLS-authenticated data frames inside UDP datagrams. Control messages (the TLS handshake and key exchange) are delivered reliably by the tunnel itself; data channel packets are sent best-effort. This avoids the retransmit amplification of TCP-in-TCP, at the cost of requiring MTU discipline: the OpenVPN layer does not fragment, so an oversized packet is dropped rather than split. Proper max-mtu and MSS-clamp configuration is mandatory.

UDP sessions require periodic keepalive traffic to maintain NAT bindings on intermediate devices. RouterOS uses the keepalive-timeout parameter to control this interval.

Step 1 — Certificates

Each RouterOS OpenVPN deployment requires a CA, a server certificate, and a client certificate. Generate these in RouterOS or import from an external PKI.

Generate a CA and certificates on RouterOS:

/certificate
add name=ovpn-ca common-name=OVPN-CA key-usage=key-cert-sign,crl-sign
sign ovpn-ca name=ovpn-ca
set ovpn-ca trusted=yes
add name=ovpn-server common-name=ovpn-server \
key-usage=digital-signature,key-encipherment,tls-server
sign ovpn-server ca=ovpn-ca name=ovpn-server
add name=ovpn-client1 common-name=ovpn-client1 \
key-usage=digital-signature,key-encipherment,tls-client
sign ovpn-client1 ca=ovpn-ca name=ovpn-client1

Export the CA and client certificate for distribution:

/certificate export-certificate ovpn-ca
/certificate export-certificate ovpn-client1 export-passphrase=StrongPassphrase

This writes cert_export_ovpn-ca.crt, cert_export_ovpn-client1.crt, and cert_export_ovpn-client1.key to the router’s file system. Transfer them to the client device using SFTP or Winbox Files.

Step 2 — PPP Profile and IP Pool

OpenVPN clients receive addresses from a PPP profile. Create a dedicated pool and profile:

/ip pool add name=ovpn-pool ranges=10.8.0.2-10.8.0.254
/ppp profile add name=ovpn \
local-address=10.8.0.1 \
remote-address=ovpn-pool \
use-encryption=required \
change-tcp-mss=yes \
dns-server=10.8.0.1
/ppp secret add name=vpnuser password=StrongPassword service=ovpn profile=ovpn

change-tcp-mss=yes in the PPP profile enables automatic MSS adjustment for PPP-negotiated sessions. Add explicit mangle rules (Step 4) as well for forwarded traffic.

Step 3 — OpenVPN Server

Enable the OpenVPN server with protocol=udp. The default port is 1194; change it if needed.

/interface ovpn-server server set \
enabled=yes \
port=1194 \
protocol=udp \
mode=ip \
certificate=ovpn-server \
require-client-certificate=yes \
auth=sha256 \
cipher=aes256-cbc \
default-profile=ovpn \
keepalive-timeout=30 \
max-mtu=1420

| Property | Recommended value | Notes |
| --- | --- | --- |
| protocol | udp | Use tcp as fallback for restrictive networks |
| port | 1194 | Standard OpenVPN port; adjustable |
| max-mtu | 1420 | Leaves room for IP+UDP+OpenVPN headers on a 1500-byte path |
| keepalive-timeout | 30 | Keeps NAT state alive; 60 (default) may be too long |
| auth | sha256 | Minimum; avoid md5 and sha1 on new deployments |
| cipher | aes256-cbc | CBC required for RouterOS <7.17beta5; GCM available in ≥7.17beta5 with cipher=null |
| require-client-certificate | yes | Enforces mutual TLS; set no for username/password-only auth |

Step 4 — Firewall, NAT, and MSS Clamping

Allow inbound OpenVPN UDP on the server:

/ip firewall filter
add chain=input protocol=udp dst-port=1194 action=accept \
comment="OpenVPN UDP"

Permit forwarded tunnel traffic (use an interface list):

/interface list add name=ovpn-interfaces
/ip firewall filter
add chain=forward in-interface-list=ovpn-interfaces action=accept \
comment="Forward from OVPN clients"
add chain=forward out-interface-list=ovpn-interfaces action=accept \
comment="Forward to OVPN clients"

After clients connect, dynamic interfaces named <ovpn-clientN> appear. Add them to the list:

/interface list member add interface=<ovpn-client1> list=ovpn-interfaces

NAT masquerade for internet access from VPN clients:

/ip firewall nat add chain=srcnat \
src-address=10.8.0.0/24 \
out-interface=ether1 \
action=masquerade \
comment="Masquerade OVPN UDP clients"

MSS clamping to prevent fragmentation over UDP paths:

UDP encapsulation adds approximately 50–60 bytes of overhead (IP + UDP + OpenVPN headers). With max-mtu=1420 the effective TCP MSS through the tunnel should be 1380 or lower. Clamp it explicitly:

/ip firewall mangle
add chain=forward action=change-mss new-mss=1380 protocol=tcp tcp-flags=syn \
out-interface-list=ovpn-interfaces tcp-mss=1381-65535 \
comment="Clamp MSS for OVPN UDP outbound"
add chain=forward action=change-mss new-mss=1380 protocol=tcp tcp-flags=syn \
in-interface-list=ovpn-interfaces tcp-mss=1381-65535 \
comment="Clamp MSS for OVPN UDP inbound"

Start with max-mtu=1420 and reduce by 20-byte increments if fragmentation symptoms persist. Test with:

/ping 8.8.8.8 size=1400 do-not-fragment count=5

Step 5 — RouterOS OpenVPN Client

When the client is a RouterOS device, configure an ovpn-client interface with protocol=udp. Import the CA and client certificate first:

/certificate import file-name=cert_export_ovpn-ca.crt
/certificate import file-name=cert_export_ovpn-client1.crt
/certificate import file-name=cert_export_ovpn-client1.key passphrase=StrongPassphrase
/certificate set [find where name~"ovpn-ca"] trusted=yes

Create the client interface:

/interface ovpn-client add \
name=ovpn-udp \
connect-to=vpn.example.com \
port=1194 \
protocol=udp \
mode=ip \
user=vpnuser \
password=StrongPassword \
certificate=ovpn-client1 \
verify-server-certificate=yes \
auth=sha256 \
cipher=aes256-cbc \
add-default-route=no \
disabled=no

Set add-default-route=yes to route all traffic through the tunnel (road-warrior mode). Add static routes for split-tunnel deployments instead.


Step 6 — Third-Party Client (OpenVPN App)

For Linux, Windows, or macOS clients connecting to the RouterOS UDP server, create an .ovpn profile. RouterOS does not support LZO compression or NCP cipher negotiation; third-party clients using OpenVPN 2.4+ defaults require explicit directives to disable these.

Minimal working .ovpn for RouterOS UDP server:

client
proto udp
remote vpn.example.com 1194
dev tun
# Disable NCP (cipher negotiation) — RouterOS does not support it
ncp-disable
cipher AES-256-CBC
auth SHA256
# Disable LZO compression — RouterOS does not support it
comp-lzo no
# Certificates (inline or referenced by path)
ca ca.crt
cert client1.crt
key client1.key
verify-x509-name ovpn-server name
persist-key
persist-tun
verb 3

Alternatively, import an .ovpn file directly on RouterOS (v7.17rc3+):

/interface ovpn-client import-ovpn-configuration \
file-name=client.ovpn \
ovpn-user=vpnuser \
ovpn-password=StrongPassword

The import-ovpn-configuration command requires RouterOS v7.17rc3 or later. On earlier versions (including 7.15.x stable) the command exists but fails with an unhelpful error; on those versions configure the ovpn-client interface manually with the settings shown above.

After import, verify that protocol=udp is set (the importer reads the proto udp directive) and confirm that auth and cipher match the server.


Verification

Server — active sessions:

/interface ovpn-server print

Connected client interfaces:

/interface print where type=ovpn-in

PPP active sessions:

/ppp active print

Client — connection status:

/interface ovpn-client print detail

Routes installed by tunnel:

/ip route print where gateway~"ovpn"

Logs:

/log print where topics~"ovpn"
/log print where topics~"ppp"

Connectivity test from server to VPN client:

/ping 10.8.0.2

Troubleshooting

UDP mode not available on client: protocol=udp on /interface ovpn-client has been verified on RouterOS v7.15.3 and later v7 releases. If the option is absent, check the installed version with /system resource print and upgrade to a current RouterOS v7 release.

UDP tunnel drops after idle period: Intermediate NAT devices time out idle UDP flows. Reduce keepalive-timeout from 60 to 30 seconds on the server: /interface ovpn-server server set keepalive-timeout=30. RouterOS v7 ovpn-client interfaces do not expose a client-side keepalive-timeout; the server setting controls both directions.

Fragmentation or packet loss in tunnel: Lower max-mtu by 20-byte steps and retest. Verify MSS clamping is active: /ip firewall mangle print. Packets larger than the tunnel MTU are silently dropped on UDP paths because there is no fragmentation at the OpenVPN layer.

Third-party client connects but passes no traffic: The most common cause is NCP cipher mismatch. Add ncp-disable and cipher AES-256-CBC (or the cipher configured on the RouterOS server) to the client .ovpn file. Remove comp-lzo or replace with comp-lzo no.

Certificate verification failed: Ensure the CA used to sign the server certificate is imported on the client and marked trusted. Check certificate validity with /certificate print detail. Re-export and re-import if in doubt.

PPP authentication fails: Verify the PPP secret has service=ovpn (or service=any). service=ppp does not match OpenVPN. Confirm the username and password in the secret match the client configuration.

auth or cipher mismatch: The server auth and cipher settings must overlap with the client’s configured values. Check /interface ovpn-server server print detail and compare to the client config. RouterOS <7.17beta5 only supports CBC ciphers; GCM is available in ≥7.17beta5 when cipher=null.
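The Step 6 profile requirements and the "connects but passes no traffic" and "auth or cipher mismatch" items above can be checked mechanically before a profile is handed to a client. The following Python script is an added example, not RouterOS or OpenVPN project code: it parses an .ovpn client profile and reports directives that conflict with the server settings from Step 3 (protocol=udp, port 1194, mode=ip, cipher=aes256-cbc, auth=sha256). The mapping between RouterOS cipher/auth values and OpenVPN directive values, and the acceptance of a single-entry data-ciphers list as the OpenVPN 2.6 equivalent of ncp-disable (2.6 removed that option), are assumptions of the example; both sample profiles are constructed.

```python
from __future__ import annotations

# Assumed mapping from RouterOS cipher/auth values to OpenVPN directive values.
ROUTEROS_CIPHER = {
    "aes128-cbc": "AES-128-CBC", "aes192-cbc": "AES-192-CBC", "aes256-cbc": "AES-256-CBC",
    "aes128-gcm": "AES-128-GCM", "aes192-gcm": "AES-192-GCM", "aes256-gcm": "AES-256-GCM",
}
ROUTEROS_AUTH = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256", "sha512": "SHA512"}


def parse_ovpn(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to its argument lists (a directive may repeat).
    Inline <ca>/<cert>/<key> blocks are recorded under their tag name with a
    single ["<inline>"] argument list; the block contents are not parsed."""
    cfg: dict[str, list[list[str]]] = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                       # skip inline block body
            if line == f"</{block}>":
                block = None
            continue
        if not line or line[0] in "#;":             # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            block = line[1:-1]
            cfg.setdefault(block, []).append(["<inline>"])
            continue
        name, *args = line.split()
        cfg.setdefault(name, []).append(args)
    return cfg


def check_profile(cfg, server_port=1194, server_cipher="aes256-cbc", server_auth="sha256"):
    """Return (code, message) findings for directives that conflict with the
    RouterOS server settings; an empty list means the profile is compatible."""
    findings = []
    first = lambda name: cfg[name][0] if name in cfg else None
    want_cipher, want_auth = ROUTEROS_CIPHER[server_cipher], ROUTEROS_AUTH[server_auth]
    proto = first("proto")
    if proto is None or not proto[0].lower().startswith("udp"):
        findings.append(("proto", "server runs protocol=udp; profile needs proto udp"))
    remote = first("remote")                        # remote <host> [port] [proto]
    if remote is None:
        findings.append(("remote", "no remote directive"))
    elif len(remote) > 1 and remote[1].isdigit() and int(remote[1]) != server_port:
        findings.append(("port", f"remote port {remote[1]} differs from server port {server_port}"))
    dev = first("dev")
    if dev is None or not dev[0].startswith("tun"):
        findings.append(("dev", "server mode=ip requires dev tun"))
    # RouterOS does not negotiate ciphers (no NCP), so the client must pin one:
    # ncp-disable on OpenVPN 2.4/2.5, or on 2.6 (which removed ncp-disable)
    # a data-ciphers list holding only the server cipher.
    data_ciphers = first("data-ciphers")
    pinned = "ncp-disable" in cfg or (
        data_ciphers is not None
        and [c.upper() for c in ":".join(data_ciphers).split(":")] == [want_cipher])
    if not pinned:
        findings.append(("ncp", f"add ncp-disable (or data-ciphers {want_cipher})"))
    cipher = first("cipher")
    if cipher is None or cipher[0].upper() != want_cipher:
        findings.append(("cipher", f"server cipher={server_cipher}; profile needs cipher {want_cipher}"))
    auth = first("auth")
    if auth is None or auth[0].upper() != want_auth:
        findings.append(("auth", f"server auth={server_auth}; profile needs auth {want_auth}"))
    comp = first("comp-lzo")                        # a bare comp-lzo enables compression
    if (comp is not None and (not comp or comp[0].lower() != "no")) or "compress" in cfg:
        findings.append(("compression", "RouterOS has no LZO support; use comp-lzo no and drop compress"))
    for item in ("ca", "cert", "key"):
        if item not in cfg:
            findings.append((item, f"missing {item} (file path or inline <{item}> block)"))
    return findings


# Constructed sample: the minimal profile from Step 6, certificates by path.
GOOD_PROFILE = """\
client
proto udp
remote vpn.example.com 1194
dev tun
ncp-disable
cipher AES-256-CBC
auth SHA256
comp-lzo no
ca ca.crt
cert client1.crt
key client1.key
verify-x509-name ovpn-server name
"""

# Constructed sample: an OpenVPN 2.4+ profile left at its defaults (TCP,
# negotiated GCM cipher, compression on) with only an inline CA block.
DEFAULTS_PROFILE = """\
client
proto tcp
remote vpn.example.com 1194
dev tun
cipher AES-256-GCM
auth SHA256
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_PROFILE), ("defaults", DEFAULTS_PROFILE)):
        print(label, check_profile(parse_ovpn(text)) or "compatible")
```

Run it against a profile exported from any OpenVPN GUI before shipping the profile; every finding maps directly to one of the troubleshooting items above, so a clean result rules those causes out and leaves certificate trust, PPP secrets and the firewall as the remaining suspects.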


Related

  • OpenVPN — Full OpenVPN reference including TCP mode, bridged mode, PKI setup, and properties
  • IPsec — Kernel-level VPN with IKE negotiation; higher throughput for router-to-router tunnels
  • WireGuard VPN — Modern UDP-only VPN with simpler configuration and better performance
  • L2TP — L2TP/IPsec for road-warrior clients requiring broad OS compatibility