Connecting your Mikrotik router to the pfSense OpenVPN on the cloud server

Robert Canare
7 min read · May 15, 2020

Sometimes you need to reach your HOME internal network from outside, but for a home user it is a struggle to terminate a VPN tunnel on the HOME network because the ISP uses CGNAT.

In this exercise, you can simulate everything in your virtual environment.

Our goal is to allow public users to access the customer internal network.


The problem in this scenario is that our CPE is not directly reachable from the Internet, so no VPN tunnel can be initiated from the Internet towards the home network.

CGNAT (Carrier Grade NAT) lets an ISP serve many customers from a limited pool of public IP addresses by giving every CPE a private IP address instead.


Our solution: deploy a pfSense firewall on very cheap Vultr cloud hosting and have the customer's Mikrotik (or any router that supports OpenVPN) connect out to it.


Deploying the pfSense firewall on the cloud

Create an account on Vultr cloud hosting, fill in the necessary information, then select the subscription that fits your current infrastructure.

Vultr versus other cloud hosting: I don’t want to argue about it if you are using another cloud hosting provider; you can use an AWS OpenVPN instance, but I found it not so reliable for this setup.

Once your account is successfully created, go to Products and click the + sign button.


Choose the closest country to your location.


Click the ISO Library.


At the bottom, select pfSense CE.


And select the server resources you prepared.


Input your server hostname and click Deploy now.


Then click Manage to install pfSense.

Click the console.

Press enter.

Press enter.

Press enter.

Press enter.

It will then install pfSense.

Press enter.

Press enter.

And it will finish installing pfSense.

Remove the ISO file in the settings.

Go to Custom ISO and remove the ISO.

Click remove ISO.

Then open the console again to continue the initial configurations.

Select the WAN interface, then answer yes to proceed.

It will update the initial configuration.

Once you land on this screen, just close the console.

Then open the public IP in a browser; the default credentials are admin/pfsense.

It will continue with the initial configuration; just click Next.

Input your hostname and click next.

Just select your time zone and click next.

In this section, leave everything at the default and click Next.

Set the new admin password and click next.

Just click Reload.

And click finish.

pfSense is now successfully installed on Vultr cloud hosting.

Checking the OpenVPN compatibility of your HOME router

Implementing OpenVPN as a site-to-site tunnel is a little challenging because you have to pay attention to the client router's OVPN compatibility: the server configuration must match what the client supports. Based on research, Mikrotik does not support OVPN over UDP, so we need to run the server on TCP.

Mikrotik does not support the TLS authentication (tls-auth) option either.

In this example I’m using a Mikrotik router with at least license level 3.

In Winbox, go to PPP, then OVPN Client, to check the supported OVPN authentication methods and cipher types.

You need to pay attention to this part.

Our Mikrotik router supports sha1 and aes128; take note of these, because we will configure the same on the server.

Installing OpenVPN on pfSense

Install the OpenVPN client export feature.

Go to Available Packages.

Install the openvpn-client-export package.

Go to Wizards to start the initial configurations.

Just click Next, selecting LDAP or RADIUS only if you use one of them for authentication.

Input all the necessary information.

Create a certificate; we won’t actually use it.

Then the server certificate.

This is very important: leave everything at the default except the box highlighted in red.

Input your desired IP address range for the VPN clients. As you can see, we allow all clients to route traffic to the HOME network, and we will use only one account to connect to the VPN, but that is up to you.

Input your desired DNS servers.

Just tick the box to automatically create a firewall rule.

Then click Finish.

Please check your configuration first before connecting the customer router.
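One way to do that check is to run the client profile exported by the openvpn-client-export package through a small script that flags anything the Mikrotik OVPN client cannot use (UDP transport, TLS authentication, a cipher or auth other than the ones the router offered, no username/password login). This Python script is an added example, not code from the original post or from pfSense; the two profiles inside it are constructed, 203.0.113.10 is a documentation address, and the allowed cipher/auth sets assume the sha1 and aes128 values the post's router offered.

```python
# Added example (not from the post or pfSense): check a client profile exported by
# the openvpn-client-export package against the Mikrotik OVPN client limits the
# post lists. Profiles below are constructed; 203.0.113.10 is a documentation address.
ALLOWED = {"cipher": {"AES-128-CBC"}, "auth": {"SHA1"}}   # what the post's router offered
TLS_AUTH_DIRECTIVES = {"tls-auth", "tls-crypt"}            # Mikrotik cannot use either

SAMPLE_BAD_PROFILE = """\
cipher AES-256-CBC
auth SHA256
remote 203.0.113.10 1194 udp
tls-auth pfsense-udp-tls.key 1
"""

SAMPLE_GOOD_PROFILE = """\
cipher AES-128-CBC
auth SHA1
proto tcp-client
remote 203.0.113.10 1194
auth-user-pass
"""

def parse_profile(text):
    # Map each directive to its argument lists; inline <ca>...</ca> blobs are skipped.
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif line and not in_block:
            head, *args = line.split()
            directives.setdefault(head.lower(), []).append(args)
    return directives

def check_mikrotik_compat(text):
    d, findings = parse_profile(text), []
    for args in d.get("remote", []):
        # transport: from the remote line, else the proto line, else OpenVPN's UDP default
        proto = (args[2] if len(args) > 2 else d.get("proto", [["udp"]])[0][0]).lower()
        if not proto.startswith("tcp"):
            findings.append(f"remote {args[0]} uses {proto}; the Mikrotik OVPN client needs TCP")
    for name in sorted(TLS_AUTH_DIRECTIVES & set(d)):
        findings.append(f"{name} present; the Mikrotik OVPN client has no TLS authentication")
    for key, default in (("cipher", "(none)"), ("auth", "SHA1")):   # OpenVPN's auth default
        value = d[key][0][0].upper() if d.get(key) else default
        if value not in ALLOWED[key]:
            findings.append(f"{key} {value} not offered by the router; use {sorted(ALLOWED[key])}")
    if "auth-user-pass" not in d:
        findings.append("auth-user-pass missing; the post logs in with a username and password")
    return findings
```

An empty list from check_mikrotik_compat means the server side matches what the router can negotiate; each finding names the directive to change in the pfSense server settings before exporting again.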

On customer Mikrotik router

Let’s assume that your Mikrotik router is working and connected to the internet.

Go to PPP and create an OVPN client.

Just put the name of the connection.

The very important settings here are the Auth and Cipher type, and also the default route.

Once you click OK it will connect to the VPN server.

Then just add a route to the network you want to access.
