MikroTik OpenVPN: Sound Alert When VPN Tunnel Fails

Sound Alert When VPN Tunnel Fails

OpenVPN is a popular solution for establishing secure tunnels between remote devices. MikroTik supports OpenVPN as a client, allowing your router to connect securely to a remote VPN server. However, MikroTik lacks built-in notifications when the VPN tunnel goes down. You won’t hear or see anything if the connection fails—until services stop working. That’s a problem.

This article explains how to set up a sound notification using two custom scripts:

check_vpn_music_alert — to detect and alert when the VPN tunnel drops
check_vpn_music_alert_startup — to alert you if the VPN did not connect on startup

Problem Overview: No Notification When VPN Tunnel Fails

When your OpenVPN tunnel drops, MikroTik doesn’t notify you in any way. This is dangerous in production setups or remote access environments.

You might not notice the failure until it’s too late. To fix this, I created a solution that uses MikroTik scripting and a music alert. The router will play a sound alert using the built-in beeper and optionally send logs or alerts.

Key Requirements

Ensure that both music_siren and music_all_good scripts are defined on the router.
These scripts contain the actual :beep sequences to produce audio alerts.
- You can find sample implementations and creative beeper music ideas in the MikroTik forums, specifically the “Some Music” topic MikroTik community forum.

music_siren – Alert Sound (When VPN Fails)

:for i from=1 to=3 do={
  /beep frequency=800 length=300ms;
  :delay 300ms;
  /beep frequency=600 length=300ms;
  :delay 300ms;
}

music_all_good – Confirmation Sound (When VPN is Restored)

/beep frequency=1000 length=200ms
:delay 100ms
/beep frequency=1200 length=200ms
:delay 100ms
/beep frequency=1400 length=300ms

Solution 1: Sound Alert When VPN Tunnel Drops

This MikroTik script checks if any of the defined OpenVPN tunnels is active. If all tunnels are down, it runs a sound alert script (music_siren). When the connection comes back, it resets the alert state.

Global Variable Declaration mikrotik:global vpnSirenPlayed
- A global variable is used to track whether the siren alert has already been triggered. This prevents the alert from repeating continuously every time the script runs.
Define VPN Tunnel Names :local openvpn_client_1 "openvpn_client_1" :local openvpn_client_2 "openvpn_client_2" :local openvpn_client_3 "openvpn_client_3"
- These are placeholders for your OpenVPN client interface names. Replace them with actual names used on your router.
Check if Any Tunnel is Running :local isAnyRunning false :foreach tunnel in=(...) do={ ... }
- The script loops through all three tunnels. If at least one is active (running = true), it sets isAnyRunning to true.
Trigger Siren if All Tunnels Are Down :if ($isAnyRunning = false) do={ :if ($vpnSirenPlayed != true) do={ ... } }
- If none of the tunnels are running, and the siren has not already been played, the script:
  - Logs a warning message
  - Runs the script music_siren (for sound alert)
  - Sets the global flag vpnSirenPlayed to true so the siren doesn’t repeat
Reset Alert When Tunnel Comes Back Up mikrotikCopyEdit:if ($vpnSirenPlayed = true) do={ ... } If a tunnel is now active, and the siren flag was previously set, the script:
- Logs an info message
- Resets the vpnSirenPlayed flag to false

Result:

First VPN failure: you get a one-time alert via music_siren.
If the script keeps running (e.g. via scheduler), it won’t repeat the sound unless the tunnel recovers and fails again.
When any tunnel is restored, the alert system resets and will notify again if the connection drops later.

Step 1: Create a Script `check_vpn_music_alert`

This script checks the VPN interface status. If the OpenVPN tunnel is not running, it plays a sound and logs the failure.

:global vpnSirenPlayed

:local openvpn_client_1 "openvpn_client_1"
:local openvpn_client_2 "openvpn_client_2"
:local openvpn_client_3 "openvpn_client_3"

:local isAnyRunning false

:foreach tunnel in=($openvpn_client_1, $openvpn_client_2, $openvpn_client_3) do={
    :if ([/interface ovpn-client get [find name=$tunnel] running]) do={
        :set isAnyRunning true
    }
}

:if ($isAnyRunning = false) do={
    :if ($vpnSirenPlayed != true) do={
        :log warning "No VPN tunnel is active – running music_siren"
/system script run music_siren
        :set vpnSirenPlayed true
    }
} else={
    :if ($vpnSirenPlayed = true) do={
        :log info "VPN tunnel is active again – resetting siren"
        :set vpnSirenPlayed false
    }
}

Replace openvpn_client_1, openvpn_client_2, and openvpn_client_3 with your actual OpenVPN interface names from:

Step 2: Schedule It to Run Periodically

To run the script after 90 seconds on startup:

/system scheduler
add name=vpn_check_on_startup start-time=startup on-event=":delay 90000ms; /system script run vpn_check_and_alarm"

This runs the script every 1 minute. Adjust as needed.

Solution 2: Alert on Startup If VPN Fails to Connect

When the MikroTik router boots up, it tries to connect to the OpenVPN server. But again—if the VPN fails—you won’t know.

Step 1: Create a Script `check_vpn_music_alert_startup`

:local openvpn_client_1 "openvpn_client_1"
:local openvpn_client_2 "openvpn_client_2"
:local openvpn_client_3 "openvpn_client_3"

:local isAnyRunning false

:foreach tunnel in=($openvpn_client_1, $openvpn_client_2, $openvpn_client_3) do={
    :if ([/interface ovpn-client get [find name=$tunnel] running]) do={
        :set isAnyRunning true
    }
}

:if ($isAnyRunning = true) do={
    :log info "VPN tunnel is active, running alert script"
/system script run music_all_good
} else={
    :log warning "No VPN tunnel is active, running alert script"
/system script run music_siren
}

This script checks the VPN status during boot and plays a sound if the tunnel didn’t connect.

Replace openvpn_client_1, openvpn_client_2, and openvpn_client_3 in the script with your actual OpenVPN client interface names. You can find these names on your MikroTik router by running:

/interface ovpn-client print

Step 2: Run Script at Startup

To make the script run automatically when the router boots, add it to the system scheduler with a short delay. Here’s an example that waits 60 seconds after startup, then runs the VPN check script:

/system scheduler
add name=vpn_check_on_startup start-time=startup on-event=":delay 60000ms; /system script run check_vpn_music_alert_startup"

This ensures the router has time to initialize network interfaces before checking the VPN tunnel status.

Conclusion

A failed VPN tunnel can cause serious problems if it goes unnoticed. MikroTik doesn’t offer built-in alerts, but with these two scripts:

You get notified immediately when the VPN tunnel drops
You know right after reboot whether the router connected successfully

For broader use cases, including seamless OpenVPN failover when a primary tunnel drops, see the “MikroTik: OpenVPN Client Failover Script” . It monitors multiple tunnels, implements a priority-based failover mechanism, and ensures you receive prompt alerts—perfect for business, branch offices, and IoT setups.