Execute os comandos abaixo no terminal do MikroTik (ou via SSH), primeiro no roteador servidor e depois no roteador da filial (cliente).
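# --- PKI on the server router -------------------------------------------
# Only straight ASCII quotes are used here: the original lines carried
# typographic quotes (”), which the RouterOS CLI does not parse as quoting.
# Quoted values are placeholders to be replaced.
# CA: key usage limited to signing certificates and CRLs; self-signed below.
/certificate add name=ca country="br" state="sao_paulo" locality="cidade" organization="organizacao" unit="setor|departamento" common-name="ca" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign ca ca-crl-host=127.0.0.1 name="ca"
# Server certificate: common-name should be the public IP/hostname the branch
# routers use in connect-to; trusted=yes lets this router use it as a TLS server.
/certificate add name=server country="br" state="sao_paulo" locality="cidade" organization="organizacao" unit="setor|departamento" common-name="ip-publico-servidor" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server trusted=yes
/certificate sign server ca="ca" name="server"
# Client template: never signed itself. Each branch is copied from it, so a new
# branch only needs its own name and common-name before being signed by the CA.
/certificate add name=client country="br" state="sao_paulo" locality="cidade" organization="organizacao" unit="setor|departamento" common-name="client" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate add name="filial-01" copy-from=client common-name="filial-01"
/certificate sign filial-01 ca="ca" name="filial-01"
# Export. An empty export-passphrase exports the certificate only (no private
# key), which is all the branch needs from the CA. The branch certificate is
# exported with a passphrase so its private key is included (encrypted); the
# same passphrase is required again at /certificate import on the branch router.
/certificate export-certificate ca export-passphrase=""
/certificate export-certificate filial-01 export-passphrase=crie-senha-cliente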
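# PPP profile for the tunnel: 10.10.10.1 is this (server) router's tunnel
# address, 10.10.10.2 is handed to the connecting branch. Encryption is
# mandatory; compression is disabled.
/ppp profile add name=vpn local-address=10.10.10.1 remote-address=10.10.10.2 change-tcp-mss=yes use-compression=no use-encryption=required use-upnp=default
# One secret per branch. name/password are the credentials the branch router
# must supply in /interface ovpn-client (user= / password=). The password is
# quoted so that its special characters are passed literally to the CLI.
/ppp secret add name=filial-01 service=ovpn password="#123!321#" profile=vpn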
name = nome do cliente (usuário informado pela filial ao conectar)
password = senha do cliente (senha informada pela filial ao conectar)
# OpenVPN server (single global instance, hence "server set"). Clients must
# present a certificate signed by the CA above (require-client-certificate=yes)
# and log in with a /ppp secret. cipher and auth have to match what the branch
# router configures on its ovpn-client (cipher=aes256 in this guide; auth is
# left at its default there). mode=ip with netmask=24 carries routed traffic.
/interface ovpn-server server set certificate=server require-client-certificate=yes default-profile=vpn enabled=yes port=1194 mode=ip netmask=24 max-mtu=1500 keepalive-timeout=60 cipher=aes256 auth=sha1
port = porta da vpn (padrão 1194)
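# Route to the branch LAN (172.16.2.0/24) over the tunnel. The next hop is the
# branch's tunnel address 10.10.10.2 (remote-address in the ppp profile); the
# original pointed at 10.10.10.1, which is this router's own tunnel address.
/ip route add dst-address=172.16.2.0/24 gateway=10.10.10.2
# Allow inbound OpenVPN. action=accept is the RouterOS default and is spelled
# out here; the rule must be ordered before any drop rule on the input chain.
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept
# Presumably meant to exempt site-to-site traffic from masquerading (accept in
# a NAT chain means "do not NAT"); it only has that effect if it is ordered
# before the masquerade rule.
/ip firewall nat add chain=srcnat src-address=172.16.0.0/24 dst-address=172.16.2.0/24 action=accept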
cert_export_ca.crt
cert_export_filial-01.crt
cert_export_filial-01.key
cert_export_ca.crt
cert_export_filial-01.crt
cert_export_filial-01.key
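# --- Branch (client) router ---------------------------------------------
# Import the files exported on the server. The CA was exported without a
# passphrase; the branch .crt/.key need the export-passphrase chosen on the
# server (crie-senha-cliente in the server steps; the placeholder below reads
# senha-cliente — use the same value on both sides).
/certificate import file-name="cert_export_ca.crt" passphrase=""
/certificate import file-name="cert_export_filial-01.crt" passphrase=senha-cliente
/certificate import file-name="cert_export_filial-01.key" passphrase=senha-cliente
# certificate= must be the name the imported branch certificate received
# (check with /certificate print; RouterOS derives it from the file name, as the
# original's cert_export_R2.crt_0 pattern shows). user/password are the /ppp
# secret credentials created on the server, not the certificate passphrase.
# cipher must match the server (aes256); auth is left at its default on both.
/interface ovpn-client add name=ovpn-filial connect-to=ip_wan_mikrotik_server user=filial-01 password="#123!321#" certificate=cert_export_filial-01.crt_0 cipher=aes256
# Route to the head-office LAN via the server's tunnel address.
/ip route add dst-address=172.16.0.0/24 gateway=10.10.10.1
# Original line had protocol=1194 (a port, not a protocol). On the branch this
# input rule is only needed if this router also accepts inbound OpenVPN.
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept
# Presumably exempts site-to-site traffic from masquerading; must be ordered
# before the masquerade rule to take effect.
/ip firewall nat add chain=srcnat src-address=172.16.2.0/24 dst-address=172.16.0.0/24 action=accept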