How to configure Mikrotik to connect to iVPN
iVPN is a VPN service that I’ve been using to protect my privacy online. I have it configured on my laptop and phone and it’s pretty handy, especially when I’m on public wifi.
But if I want to protect my entire home network? Is it possible to configure a Mikrotik router to use iVPN? Yes, it is!
I will quickly go over the steps you need to take to configure your Mikrotik to use iVPN Wireguard servers.
I’ll assume you already have a Mikrotik router with a working internet connection, a basic understanding of Mikrotik and RouterOS, and an iVPN account.
One extra note: most of this how-to applies to any VPN service that offers Wireguard connections, not only iVPN.
Create a new Wireguard configuration on iVPN
Log into your iVPN account and go to the Wireguard configuration generator. Select “Configuration file generator” and at the end you will have a configuration file that looks like this:
[Interface]
PrivateKey = <your private key>
Address = <local ip address to use>
[Peer]
PublicKey = <iVPN public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <iVPN server ip>:<iVPN server port>
So far so good. Now we need to configure our Mikrotik router to use this configuration.
Mikrotik address list
Personally, I like to control which devices or subnets on my network use the VPN. I can also use a script to enable or disable the VPN for certain devices. To do this, I use an address list.
/ip firewall address-list add list=to-iVPN address=<some-ip-addr-or-subnet>
I also don’t want my internal traffic redirected to the VPN, so I keep a second address list with the RFC 1918 private ranges: only traffic whose destination is not in this list is sent through the VPN. If you want to use iVPN's DNS servers, your list must be a little different, since the VPN-side addresses (the iVPN gateway is 172.16.0.1) fall inside the 172.16.0.0/12 range that this list excludes. Here, like everything on Mikrotik, your creativity is the limit.
/ip firewall address-list
add address=10.0.0.0/8 list=rfc-1918
add address=172.16.0.0/12 list=rfc-1918
add address=192.168.0.0/16 list=rfc-1918
Wireguard interface
Now let’s create the Wireguard interface and the peer. Replace the placeholder values with the ones from the configuration file you got from iVPN.
/interface wireguard add name=iVPN private-key=<your-private-key>
Set the IP address of the interface to the one you got from iVPN.
/ip address add interface=iVPN address=<local-ip-address-to-use>
Now we need to add the peer. Again, don’t forget to replace the placeholders with the values from the iVPN configuration file.
/interface wireguard peers
add interface=iVPN public-key=<iVPN-public-key> endpoint-address=<iVPN-server-ip> endpoint-port=<iVPN-server-port> allowed-address=0.0.0.0/0
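To show how the fields of the iVPN configuration file shown earlier map onto the three RouterOS commands in this section, here is a small Python script added as an example (it is not part of iVPN's or MikroTik's own tooling). It parses the [Interface]/[Peer] file, validates that the keys are real 32-byte base64 WireGuard keys and that the address and endpoint are well formed, and prints the commands with the values filled in. The sample configuration, its keys and the endpoint 198.51.100.10:51820 are constructed test data, not real key material or a real iVPN server.

```python
"""Turn an iVPN-style WireGuard client configuration into the RouterOS
commands used in this how-to (added example, not iVPN or MikroTik code)."""
import base64
import binascii
import configparser
import ipaddress

# Constructed sample keys: 32 fixed bytes, base64-encoded. Not real key material.
SAMPLE_PRIVATE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_PUBLIC_KEY = base64.b64encode(bytes(range(32, 64))).decode()

# Constructed sample in the shape of the iVPN generator output.
SAMPLE_CONF = f"""\
[Interface]
PrivateKey = {SAMPLE_PRIVATE_KEY}
Address = 172.16.1.2/32

[Peer]
PublicKey = {SAMPLE_PUBLIC_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.10:51820
"""


def is_wireguard_key(value: str) -> bool:
    """A WireGuard key is 32 bytes, base64-encoded (44 characters, '=' padded)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def parse_wireguard_conf(text: str) -> dict:
    """Parse the [Interface]/[Peer] file into the fields the RouterOS commands need.

    Raises ValueError for anything that would produce a broken router config,
    so a bad file fails here instead of on the router. A file with a second
    [Peer] section is rejected by configparser (DuplicateSectionError).
    """
    # Only '=' is a delimiter, so 'Endpoint = host:port' keeps its colon.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep WireGuard's CamelCase key names
    parser.read_string(text)
    if "Interface" not in parser or "Peer" not in parser:
        raise ValueError("expected both an [Interface] and a [Peer] section")
    iface, peer = parser["Interface"], parser["Peer"]

    private_key = iface.get("PrivateKey", "").strip()
    public_key = peer.get("PublicKey", "").strip()
    for label, key in (("PrivateKey", private_key), ("PublicKey", public_key)):
        if not is_wireguard_key(key):
            raise ValueError(f"{label} is not a valid base64 WireGuard key")

    # Address may be a comma-separated list; keep the IPv4 entries, which are
    # what the /ip address command in this how-to takes.
    addresses = []
    for item in iface.get("Address", "").split(","):
        item = item.strip()
        if item and ipaddress.ip_interface(item).version == 4:
            addresses.append(str(ipaddress.ip_interface(item)))
    if not addresses:
        raise ValueError("Address must contain at least one IPv4 address")

    host, sep, port = peer.get("Endpoint", "").strip().rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("Endpoint must be host:port")
    host = host.strip("[]")  # an IPv6 literal arrives as [addr]:port

    allowed = [a.strip() for a in peer.get("AllowedIPs", "0.0.0.0/0").split(",") if a.strip()]
    for entry in allowed:
        ipaddress.ip_network(entry, strict=False)  # raises ValueError if malformed

    return {
        "private_key": private_key,
        "addresses": addresses,
        "public_key": public_key,
        "endpoint_host": host,
        "endpoint_port": int(port),
        "allowed_ips": allowed,
    }


def routeros_commands(cfg: dict, interface: str = "iVPN") -> list:
    """Emit the interface, address and peer commands from this how-to.
    Keys are double-quoted so the CLI takes the whole base64 string as one value."""
    cmds = [f'/interface wireguard add name={interface} private-key="{cfg["private_key"]}"']
    for addr in cfg["addresses"]:
        cmds.append(f"/ip address add interface={interface} address={addr}")
    cmds.append(
        f"/interface wireguard peers add interface={interface} "
        f'public-key="{cfg["public_key"]}" '
        f"endpoint-address={cfg['endpoint_host']} endpoint-port={cfg['endpoint_port']} "
        f"allowed-address={','.join(cfg['allowed_ips'])}"
    )
    return cmds


if __name__ == "__main__":
    for command in routeros_commands(parse_wireguard_conf(SAMPLE_CONF)):
        print(command)
```

Feed it the real file from the iVPN generator instead of SAMPLE_CONF and paste the printed lines into the RouterOS terminal; the validation step is there so a truncated key or a typo in the endpoint is caught before it reaches the router.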
Routing
Let’s create the routing table that we will use to redirect traffic to the VPN.
/routing table add name=iVPN fib
We also need a default route in that table pointing at the VPN interface.
/ip route add dst-address=0.0.0.0/0 gateway=iVPN routing-table=iVPN
Firewall
Here we have a few steps to cover. We need mangle rules to mark the packets we want to redirect to the VPN, and a NAT rule so the marked traffic leaves the VPN interface with the tunnel's address, so let’s get it done.
First, let’s mark the packets and also lower the TCP MSS to avoid fragmentation inside the tunnel. Note that the routing mark must be the name of the routing table created above (iVPN), otherwise the marked packets never reach the route to the VPN interface.
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=!rfc-1918 new-connection-mark=ivpn passthrough=yes src-address-list=to-iVPN
add action=mark-routing chain=prerouting dst-address-list=!rfc-1918 new-routing-mark=iVPN passthrough=yes src-address-list=to-iVPN
add action=change-mss chain=forward connection-mark=ivpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375
Now we need to create the NAT rule to redirect the marked packets to the VPN interface.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=iVPN src-address-list=to-iVPN
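To make the decision encoded by the two address lists and the mangle rules explicit, here is a Python model added as an example (not MikroTik code) that applies the same source-list and destination-list logic to a handful of constructed flows on a hypothetical 192.168.88.0/24 home LAN. It reports which sources would still reach the internet outside the tunnel, and shows that a listed device talking to the iVPN gateway 172.16.0.1 is excluded by the rfc-1918 list, which is why the DNS case needs a different list. The to-iVPN entries and the 203.0.113.5 destination are constructed sample values.

```python
"""Model of the address-list + mangle decision from this how-to (added example,
not MikroTik code). It does not model Fasttrack, which bypasses mangle entirely."""
import ipaddress

# The rfc-1918 list exactly as in the how-to.
RFC_1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed to-iVPN entries for a hypothetical 192.168.88.0/24 LAN: one host and one /26.
TO_IVPN = [ipaddress.ip_network(n) for n in ("192.168.88.10/32", "192.168.88.64/26")]

# Constructed flows (src, dst). 203.0.113.5 stands in for any public address.
SAMPLE_FLOWS = [
    ("192.168.88.10", "203.0.113.5"),   # listed host to the internet
    ("192.168.88.70", "203.0.113.5"),   # host inside the listed /26 to the internet
    ("192.168.88.20", "203.0.113.5"),   # unlisted host to the internet
    ("192.168.88.10", "192.168.88.1"),  # listed host to the LAN router
    ("192.168.88.10", "172.16.0.1"),    # listed host to the iVPN gateway / DNS
]


def in_address_list(addr: str, entries) -> bool:
    """Equivalent of src-address-list / dst-address-list matching."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in entries)


def routing_table_for(src: str, dst: str, to_ivpn=TO_IVPN, rfc1918=RFC_1918) -> str:
    """Mirror the mark-routing rule: src in to-iVPN AND dst NOT in rfc-1918 -> iVPN table.
    Every other packet is left unmarked and uses the main table."""
    if in_address_list(src, to_ivpn) and not in_address_list(dst, rfc1918):
        return "iVPN"
    return "main"


def classify(src: str, dst: str, to_ivpn=TO_IVPN, rfc1918=RFC_1918) -> str:
    """'vpn': tunnelled; 'private': destination excluded by rfc-1918 (LAN, and also
    the VPN-side 172.16.x addresses); 'internet-unprotected': public destination
    reached from a source that is not in to-iVPN."""
    if routing_table_for(src, dst, to_ivpn, rfc1918) == "iVPN":
        return "vpn"
    if in_address_list(dst, rfc1918):
        return "private"
    return "internet-unprotected"


def unprotected_sources(flows, to_ivpn=TO_IVPN, rfc1918=RFC_1918) -> list:
    """Sources that would reach the internet outside the tunnel, for review."""
    leaks = {src for src, dst in flows if classify(src, dst, to_ivpn, rfc1918) == "internet-unprotected"}
    return sorted(leaks, key=ipaddress.ip_address)


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>15} -> {dst:<15} table={routing_table_for(src, dst):5} {classify(src, dst)}")
    print("unprotected sources:", unprotected_sources(SAMPLE_FLOWS))
```

Run it after editing the lists to match your own LAN: every source it prints as unprotected is a device whose internet traffic will go out the normal WAN, which is either what you intended or an entry missing from to-iVPN.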
Check your configuration
Now you should see the Wireguard peer connected to the iVPN server; the peer's last handshake time tells you whether the tunnel is actually up. If it is not, check the keys, the endpoint address and port and the allowed addresses, and try again.
From your Mikrotik, you must be able to ping the iVPN gateway (172.16.0.1), but make sure to specify the Wireguard interface as the source interface, otherwise the ping is routed through the main table, which has no route to the VPN.
It is also important to make sure the Fasttrack rules are not applied to these connections: fasttracked connections bypass the mangle chains, so they never receive the routing mark and leave through the regular WAN instead of the VPN. Either disable Fasttrack or exclude connections carrying the ivpn connection mark from it.
That’s it! I hope this helps you to protect your home network.