Introduction

The company that I work for has a private network that can only be accessed through VPN. The VPN server is using OpenVPN. I have a MikroTik router at home and I want to setup OpenVPN client on it, so I can access the private network from home. The problem is, the private network has a private DNS server that is not accessible from outside the network. So I need to setup the MikroTik router to use the private DNS server when accessing the private network.

Import OpenVPN client as PPP interface

First, we need to setup OpenVPN client as PPP interface. Upload your .ovpn file to the router. You can use Winbox or FTP to upload the file. Then go to PPP > Interface, Click on Import .ovpn button and select the .ovpn file that you got from the VPN server.

Now you should select the .ovpn in File Name dropdown. Then fill the Private key passphrase with the passphrase that you got from the VPN server and also OVPN Client User, OVPN Client Password with the username and password that you got from the VPN server. Then click Start button.

Note: My VPN server is using tls-auth which is not supported by "stable" versions of RouterOS. So I need to use "testing" version of RouterOS to be able to connect to the VPN server. From RouterOS 7.12beta2, tls-auth is supported. So if you got the same problem, you can try to upgrade your RouterOS to the latest testing version.

After successful import you will have a new PPP interface named ovpn-import1699042054 or something like that (I recommend to rename it to something more meaningful). Also, VPN certificate will be added to the router's certificate list. You can check imported certificates in System > Certificates (rename the certificate to something more meaningful as well).

Enable the interface and check if it's connected. You can check the connection status in PPP > Interface > ovpn-import1699042054 > Status tab.

Make sure you selected Use Peer DNS in PPP > Interface > ovpn-import1699042054 > General tab. This will add the DNS server that you got from the VPN server to the router's DNS list. You can check the DNS list in IP > DNS > Servers tab as dynamic entries.

Moreover, you will have a new route in IP > Routes list. This route will route all traffic to the VPN server. You can check the route in IP > Routes list.

Setup DNS

Now we need to setup DNS to use the private DNS server when accessing the private network. Go to IP > DNS > Static tab and add a new static DNS entry. Fill the Name with the domain name that you want to resolve using the private DNS server. For example arr.lan. Then select Type to FWD and check Match Subdomains. Then fill the Forward to with the IP address of the private DNS server that you got from the VPN server, and you checked from IP > DNS > tab. Then click OK button. Do this for all domain names and DNS IP addresses that you got from the VPN server.

Don't forget to check Allow Remote Requests in IP > DNS > Settings tab. This will allow the router to resolve DNS requests from the private network.

Consider that FWD will not work when you are using DoH (DNS over HTTPS). Read more

Test DNS resolution

If you are using Windows, you can use nslookup command to test DNS resolution. Open cmd and run nslookup command. Then type the domain name that you want to resolve.

nslookup git.arr.lan

If you are using Linux, or MacOS, you can use dig command to test DNS resolution. Open terminal and run dig command. Then type the domain name that you want to resolve.

dig git.arr.lan

If everything is ok, you should get the IP address of the domain name that you want to resolve.