Select Page
This entry has been published on 2017-08-07 and may be out of date.

Last Updated on 2017-08-07.


In a previous post, I explained how to set up Mikrotik Routerboards as a VPN gateway.

This post is about how to remotely switch the VPN on and off via Smart Home visualization OpenHAB 2, so it affects your whole LAN. You can even switch to other VPN servers, conveniently via phone or browser interface.

Basic procedure: User starts a command via OpenHAB interface -> SSH commands are executed via shell -> RouterOS accepts the commands.

SSH preparation

First we need to establish a simple and secure connection between your server (e.g. Ubuntu, running OpenHAB) and your routerboard, which can be used in scripts without passwords.

On your OH server, execute:

su - openhab -s /bin/bash #the Linux user which is running the OpenHAB process
mkdir /ssh-mikrotik
cd /ssh-mikrotik
ssh-keygen -t rsa #as location, choose /ssh-mikrotik/id_rsa

Copy the file /ssh-mikrotik/ to your Mikrotik device, e.g. via WinSCP and RouterOS WinBox (or FTP / terminal).

Then open WinBox -> System -> Users and create a user “openhab” with full permissions. If you want, restrict it to a certain IP address.

In “SSH keys” tab, import the file you copied before, and assign it to Mikrotik user “openhab”.

Test the SSH connection on your OH server:

ssh -l openhab -i /ssh-mikrotik/id_rsa "echo asdf" # assuming is your RouterOS device



You need some scripts on your OH server to get the VPN state and be able to control it.


if [ "$1" = "ON" ]
        echo "enabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa "/interface pptp-client enable myvpn" #assuming your VPN runs via PPTP and is called "myvpn"

if [ "$1" = "OFF" ]
        echo "disabling vpn"
        ssh -l openhab -i /ssh-mikrotik/id_rsa "/interface pptp-client disable myvpn"



$result = `ssh -l openhab -i /ssh-mikrotik/id_rsa "/interface pptp-client print where name=myvpn"`;

#echo $result;

$lines = explode("\n", $result);

if (count($lines) < 5)
        echo "error";

$line = $lines[1];

$expl = explode(" ",$line);


if ($expl[3] == "R")
        echo "ON";
        echo "OFF";


Make both scripts executable by the openhab user:

chmod a+x openhab /ssh-mikrotik/vpn-*

You can later extend these scripts e.g. to be able to switch to another VPN host. Use the commands like in WinBox terminal, e.g. “/interface pptp-client set myvpn”.

Execute the scripts in your OH server’s shell manually to see if they work (they must be able to run under user openhab).

OpenHAB2 configuration

The last step is to configure OH visualization.

We use the Exec binding for OH2, so make sure it is enabled in runtime.cfg (or in your preferred OH admin interface).

Thing exec:command:Vpn-Control [command="/ssh-mikrotik/ %2$s", interval=0, autorun=true] 
Thing exec:command:Vpn-Status [command="/usr/bin/php /ssh-mikrotik/vpn-status.php", interval=3600, timeout=15]
String VPN "VPN" <network> (All) { channel="exec:command:Vpn-Control:input", channel="exec:command:Vpn-Status:output", autoupdate="true"}
Switch item=VPN

You should now be able to control your VPN interface via OpenHAB: