VPN configuration on MikroTik router

Regardless of which MikroTik router you have, its operating system (RouterOS) and its management interface are always the same. This wiki page describes how to set up and activate a VPN on a MikroTik router so that every device connected to the network through this router benefits from the VPN.

What is VPN and What is it Used For?

VPN (Virtual Private Network) is a technology that enables the creation of secure and encrypted connections between two (or more) points over a public network like the internet. It serves to protect your privacy, secure data, and provide anonymity during communication and internet browsing.

The main benefits of using VPN are:

  • Data Security: VPN encrypts your data transmissions, meaning that even if someone intercepts your internet activities, they won't be able to decrypt and read them.
  • Anonymity and Privacy: VPN hides your IP address (your device's identification number on the internet), concealing your geographical location and identity. This is useful, for example, in bypassing content restrictions based on geographic location.
  • Access to Restricted Content: VPN can allow you to access content that is otherwise available only in specific countries. Just choose a server in that country, and it appears as if you're connecting to the internet from that location.
  • Public Wi-Fi Security: VPN can be useful when connecting to public Wi-Fi networks (e.g., in cafes, airports). It helps prevent potential threats, such as hacker attacks.
  • Firewall Protection: VPN can also function as an additional layer of protection against malicious traffic, as many VPN services come with built-in firewall features.

Why Have VPN at the Router Level (Router-Level VPN)?

  • Protection for All Devices: When you have VPN set up directly on your router, all devices connected to this router automatically use VPN without needing separate VPN configuration on each individual device. This includes devices like TVs, gaming consoles, smart home devices, and more.
  • Simplified Management: You don't need to worry about configuring and maintaining VPN on each device separately. Just set up VPN on the router, and you're done.
  • Network-Wide Protection: Router-level VPN provides protection for your entire home network, which is particularly useful in environments with multiple connected devices.
  • Security for Devices without VPN Capabilities: Some devices, like certain smart TVs or devices with limited settings, might not have the option to set up VPN. Router-level VPN allows these devices to enjoy VPN protection regardless of their capabilities.

However, it's important to note that router-level VPN might not be suitable for everyone and can impact your network's speed and performance. Additionally, if you don't want all your device communications to go through VPN, configuration could be more complex.

VPN and Its Impact on Internet Speed

The following tests were conducted via the website https://rychlost.cz/. Tests were performed on a MacBook Air connected to the internet over 5G Wi-Fi from a MikroTik router. The MikroTik router was connected to a 100 MBit network through an optical cable. With the VPN active, the nearest VPN server was used in both setups (VPN client on the router and VPN client on the test computer), although each setup connected to a different VPN server in the same city.

Connection Mode               Ping [ms]   Download [Mbit/s]   Upload [Mbit/s]   IP Address
No VPN                              7          104               18.9           PC
VPN on PC (Mullvad Client)         27           70.74            14.82          VPN server (PC config)
VPN on Router (WireGuard)           7          101.0             19.35          VPN server (router config)
VPN on Router and PC               28           57.04            14.55          VPN server (PC config)

Configuration and Activation of VPN on MikroTik Router

  1. RouterOS Update

    The WireGuard VPN feature is available in MikroTik RouterOS from version 7. So, log in to the MikroTik administration interface (URL http://192.168.88.1/) and in the System section → Packages (http://192.168.88.1/webfig/#System:Packages.Check_For_Updates), verify that you have RouterOS version 7 or higher. If the interface shows version 6 and you are already on the latest available version, choose “Upgrade” in the Channel field to upgrade RouterOS from version 6 to version 7.

    In RouterOS 7, the WebFig interface contains a WireGuard section (http://192.168.88.1/webfig/#WireGuard). We will use this section in the following steps to configure the connection to the VPN server, and then configure the router so that it uses this connection during its operation (communicating with the internet through the designated VPN server).

  2. Safe Mode

    Since we will be making changes to the router configuration, and there's a possibility of "breaking" something and losing access to the router or the internet, we will activate the so-called Safe mode.

    Safe mode is a working mode in which all our changes take effect on the router immediately. However, if something goes wrong and we disconnect from the router (or lose access to it) without properly ending Safe mode, the router's configuration automatically reverts to the state it was in when Safe mode was started.

    We activate Safe mode by clicking the Safe mode button in the toolbar.

    If we break something without being in Safe mode, the typical easiest fix is to reset the MikroTik router to its factory settings.

  3. VPN Function Activation in Configuration

    In connection with setting up a VPN, the first step is to configure the VPN service in the Webfig/QuickSet interface (http://192.168.88.1/webfig/#Quick_Set). This is done by checking the VPN access field and setting the password in the VPN password field.

  4. WireGuard Configuration

    WireGuard is a modern and highly efficient protocol for creating virtual private networks (VPNs). It is designed to provide fast and secure connections between devices over public networks like the internet. In our case, we will use the WireGuard protocol to connect our router to a VPN server.

    Configuration Details for Connecting to the VPN Server

    The easiest way to use a VPN is through a public VPN service provider, such as Mullvad VPN. With Mullvad, for 4.5 euros per month, you can connect up to 5 devices to the VPN server simultaneously—this includes all your household devices through your MikroTik router (counted as one device) and 4 additional devices.

    Which VPN service provider you choose is up to you, but what matters is obtaining the WireGuard configuration details for connecting to the VPN server. In the case of Mullvad VPN, you can obtain these in the Downloads → WireGuard configuration section. Choose the Linux platform, click the Generate Key button, and then select which Mullvad VPN server locations you want to generate configuration files for. For example, choose Czech Republic → Prague → cz-prg-wg-101. You can skip the Advanced settings and Configure Content Blocking sections. Once you've made your selections, click the Download zip archive button.

    After extracting the downloaded .zip file and opening cz-prg-wg-101.conf in a text editor, you'll find similar configuration details:

    [Interface]
    # Device: Awesome Device
    PrivateKey = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (44 characters)
    Address = bb.bb.bbb.bbb/bb,cccc:cccc:cccc:cccc::c:cccc/ccc
    DNS = dd.dd.d.d
    
    [Peer]
    PublicKey = eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee (44 characters)
    AllowedIPs = 0.0.0.0/0,::0/0
    Endpoint = fff.ff.fff.ff:51820

    I deliberately modified the values for easier reference (the "(44 characters)" notes are not part of the file). The port 51820 in the [Peer] Endpoint is the default port; it could have been changed in the Advanced settings section when choosing the configuration file preferences in the Mullvad VPN service.

  5. WireGuard Section Settings - WireGuard Tab

    In the MikroTik router interface, navigate to the WebFig section → WireGuard (http://192.168.88.1/webfig/#WireGuard). Here, choose the Add New option to open the window for adding a new WireGuard interface.

    Fill in the following:

    • Comment - Enter information that this rule was created by us, when, and for what purpose. For example, Today'sDate-WireguardVPN
    • Name - Enter the server name (matching the name of the downloaded configuration file). Following the example, use cz-prg-wg-101
    • Private Key - After expanding the arrow, insert the 44-character PrivateKey value from the [Interface] section of the downloaded configuration file (in the example file, this value is represented by the letter a)

    Click the Apply button, which will automatically perform the following:

    • Fill in the Actual MTU and Public Key fields
    • Start the interface (it appears as running in both the WireGuard and Interfaces sections)

  6. WireGuard Section Settings - Peers Tab

    In the WebFig section → WireGuard, switch to the Peers tab. By clicking the Add New button, you'll open the window to add a new peer.

    Fill in the following:

    • Comment - Enter information that this rule was created by us, when, and for what purpose. For example, Today'sDate-WireguardVPN
    • Interface - Assign the interface created in the WireGuard tab, for example, cz-prg-wg-101
    • Public Key - Enter the 44-character PublicKey value from the [Peer] section of the downloaded configuration file (value marked with the letter e in the example configuration file)
    • Endpoint - Enter the Endpoint value (the part before the colon) from the configuration file - in the example file, it's fff.ff.fff.ff
    • Endpoint Port - Enter the Endpoint port value (the part after the colon) from the configuration file - in the example file, it's 51820
    • Allowed Address - Enter the AllowedIPs value from the configuration file - in the example file, it's 0.0.0.0/0

    Click Apply.

  7. Adding the WireGuard Interface IP Address to the Router

    Navigate to the WebFig section → IP → Addresses (http://192.168.88.1/webfig/#IP:Addresses) and click the Add New button.

    Fill in the following:

    • Comment - Enter information that this rule was created by us, when, and for what purpose. For example, Today'sDate-WireguardVPN
    • Address - Enter the Address value from the [Interface] section of the configuration file. In the example file, it's bb.bb.bbb.bbb/bb
    • Interface - Assign the interface created in the WireGuard tab, for example, cz-prg-wg-101

    Click Apply.

  8. Assigning DNS Server

    Navigate to the WebFig section → IP → DNS (http://192.168.88.1/webfig/#IP:DNS).

    Here, expand the Servers field and add the DNS value from the [Interface] section of the configuration file. In the example file, it's dd.dd.d.d. Also, ensure that the Allow Remote Requests option is checked so that devices on your LAN can use the router as their resolver. Then click Apply.

  9. Routing

    Navigate to the WebFig section → IP → Routes (http://192.168.88.1/webfig/#IP:Routes).

    Here, click the Add New button to open the new routing configuration window.

    1. Routing Dst. Address → VPN server Gateway

      After clicking the Add new button, fill in the following:

      • Comment - Enter information that this rule was created by us, when, and for what purpose. For example, Today'sDate-WireguardVPN
      • Dst Address - Enter the value 0.0.0.0/0
      • Gateway - Enter the WireGuard gateway value. Typically this is the interface name prefixed with %, in the example case %cz-prg-wg-101. This value can be found in multiple places in the RouterOS interface (for example, in the existing routes in the currently opened routing section). Simply locate and copy it.

      Click Apply.

      Default Route

      In the route list, note that we now have two default routes with Dst. Address 0.0.0.0/0. Ideally, we would disable the original route and keep only our newly added route pointing to the WireGuard interface. Unfortunately, the original route cannot be disabled through the UI, only deleted.

      For now, leave it in place and delete it only if needed, see step 11 - Test Your IP. If we do decide to delete it, we first manually create an identical route and immediately set it to Disabled. This way, after deleting the original default route, we can later deactivate the VPN route and enable our copy at any time to restore internet connectivity.

      If you have deleted the default route and need it later, you can create it at any time: it is a route with Dst. Address 0.0.0.0/0 whose Gateway is the ISP gateway address shown as the Immediate Gateway of the deleted route (displayed with the "%ether1" suffix).

    2. Routing Peer VPN endpoint → Router Dst Address (optional)

      After clicking the Add new button, fill in the following:

      • Comment - Enter information that this rule was created by us, when, and for what purpose. For example, Today'sDate-WireguardVPN
      • Dst Address - Enter the Endpoint value without the port from the [Peer] section of the configuration file. In the example file, it's fff.ff.fff.ff.
      • Gateway - Enter the Gateway value shown in the list of existing routes (http://192.168.88.1/webfig/#IP:Routes) on the row with Dst Address equal to 0.0.0.0/0 (the original ISP default route, not the WireGuard one)

      Click Apply.

  10. NAT Rule Configuration in Firewall

    Navigate to the WebFig section → IP → Firewall and switch to the NAT tab (http://192.168.88.1/webfig/#IP:Firewall.NAT). Here, click the Add new button and fill in the following:

    • Chain = srcnat
    • Out. Interface = the WireGuard interface, for example, cz-prg-wg-101 in the example configuration
    • Action = masquerade

    Click Apply.

  11. Test Your IP

    Using a website like https://www.mojeip.cz/, determine your current public IP address (it should be the VPN server's address). If the public IP address assigned by your ISP is still displayed, the VPN is not configured correctly.

    • If you still see your original IP address, it is likely necessary to remove the original default route, see the Default Route note in step 9 - Routing. Note, however, that if you later want to deactivate the VPN, you will need to restore the removed route.
    • If you're having trouble with the connection, you can try adding a new rule in WebFig → IP → Firewall → Filter Rules allowing the router's own traffic to the WireGuard peer. Follow these steps:

      1. In Firewall/Filter Rules (http://192.168.88.1/webfig/#IP:Firewall), click the Add new button
      2. Choose Chain as Output
      3. Use Dst. Address as the address of the Peer Endpoint from the configuration file. In the example file, it's "fff.ff.fff.ff".
      4. Choose Protocol as udp
      5. Use Dst. Port as the port from the Peer Endpoint in the configuration file. In the example file, it's 51820.
      6. Choose Action as Accept
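
    The same configuration as steps 5 to 11 above, entered through the RouterOS 7 terminal (WinBox/WebFig Terminal or SSH) instead of WebFig. This is an added example, not part of the original wiki page; it uses the placeholder values from the example configuration file above, the dates in the comments are constructed, and 192.0.2.1 is a constructed stand-in for the ISP gateway shown on your existing 0.0.0.0/0 route.

```routeros
# Step 2: in the terminal, Safe mode is toggled with Ctrl-X, not a command.

# Step 5: WireGuard interface; private-key is the 44-character [Interface] PrivateKey
# (the letter-a placeholder below stands for a real base64 key).
/interface/wireguard add name=cz-prg-wg-101 comment="2024-01-01-WireguardVPN" \
    private-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

# Step 6: the VPN server as a peer; public-key is the [Peer] PublicKey, the Endpoint
# host:port is split into endpoint-address and endpoint-port, AllowedIPs -> allowed-address.
/interface/wireguard/peers add interface=cz-prg-wg-101 comment="2024-01-01-WireguardVPN" \
    public-key="eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" \
    endpoint-address=fff.ff.fff.ff endpoint-port=51820 allowed-address=0.0.0.0/0

# Step 7: the tunnel address from the [Interface] Address line.
/ip/address add address=bb.bb.bbb.bbb/bb interface=cz-prg-wg-101 \
    comment="2024-01-01-WireguardVPN"

# Step 8: the provider's resolver from the [Interface] DNS line, also serving LAN clients.
/ip/dns set servers=dd.dd.d.d allow-remote-requests=yes

# Step 9.1: default route into the tunnel; disabling/enabling this route toggles the VPN.
/ip/route add dst-address=0.0.0.0/0 gateway=cz-prg-wg-101 comment="2024-01-01-WireguardVPN"

# Step 9.2 (optional): reach the peer endpoint through the ISP, never through the tunnel
# itself. 192.0.2.1 is a placeholder for the Gateway of your original 0.0.0.0/0 route.
/ip/route add dst-address=fff.ff.fff.ff/32 gateway=192.0.2.1 comment="2024-01-01-WireguardVPN"

# Step 10: masquerade LAN traffic leaving through the tunnel.
/ip/firewall/nat add chain=srcnat out-interface=cz-prg-wg-101 action=masquerade

# Step 11 (only if the handshake never completes): allow the router's own UDP to the peer.
/ip/firewall/filter add chain=output dst-address=fff.ff.fff.ff protocol=udp \
    dst-port=51820 action=accept

# Checks: a recent last-handshake means the peer answered and rx/tx should grow
# while browsing; the route list shows which 0.0.0.0/0 route is currently active.
/interface/wireguard/peers print detail
/ip/route print where dst-address=0.0.0.0/0
```

    The original ISP default route added by the DHCP client still has to be handled as described in the Default Route note of step 9; the commands above do not remove it.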

  12. Deactivating the VPN

    Activating and deactivating the VPN on the router can be done with a single click by enabling or disabling the route leading to the WireGuard interface (WebFig → IP → Routes - http://192.168.88.1/webfig/#IP:Routes), using the D (Disable) or E (Enable) button.

  13. Deactivating Safe Mode

    If everything is working as expected, deactivate Safe Mode to finalize the current router configuration.

    Of course, whenever the VPN route is disabled, the default route must be enabled at the same time, otherwise the router has no route to the internet.

If you are looking for how to enable Mullvad VPN on an Ubuntu server or PC, see the wiki page Installing Mullvad VPN on Ubuntu in 10 steps.