I have spent a lot of time on this
OpenVPN will work, however all of the phones will show the single remote mikrotik address, which makes it so you can’t easily do a tunnel back thru to the phone since the Vital server is also the Openvpn server and the mikrotik is only client
A better solution for me was to use and IPsec point to point
Install OpenSwan VPN to your server
yum install openswan lsof
Setup firewall rules
4500 UDP/TCP
500 UDP
Setup your IPsec config files are here /etc/
ipsec.secrets
0.0.0.0 %any: PSK “YourIPSecPassword” (change 0.0.0.0 to the mikrotik ip for security)
ipsec.conf
config setup
# nat_traversal=yes
protostack=netkey
fragicmp=no
conn mikrotik
# This is where you define your connection to the router NAME.
left=XXX.XXX.XXX.XXX #your Vital Wan address
leftsourceip=10.5.0.1 #Vital pbx local, you may need to add this as an interface
leftsubnet=10.5.0.0/24
leftid=XXX.XXX.XXX.XXX #your Vital Wan Address
right=XXX.XXX.XXX.XXX ##mikrotikwanip or %any if the server is dynamic
rightid=XXX.XXX.XXX.XXX ##mikrotikwanip
rightsubnet=192.168.0.0/24 ##mikrotik local ips or multiple ranges using a coma “,”
keyingtries=0
pfs=yes
aggrmode=no
ike=3des-sha1;modp1024 ## Or what you want just so it matches the other router
esp=3des-sha1;modp1024
authby=secret
keyexchange=ike
# This allows the VPN to come up automatically when openswan starts
auto=start
ikelifetime=86400s
keylife=3600s
Enable and start the service Like this
systemctl enable ipsec.service
systemctl status ipsec.service
Mikrotik special settings if the wan is dhcp
Policy behind a NAT
Change SA Scr Address to 0.0.0.0
I have also used this with pfsense ipsec vpns or other
The advantage is each phone will have a unique ip address of 1.05.0.X
