How to configure Mikrotik to connect to iVPN

iVPN is a VPN service that I’ve been using to protect my privacy online. I have it configured on my laptop and phone and it’s pretty handy, especially when I’m on public wifi.

But what if I want to protect my entire home network? Is it possible to configure a Mikrotik router to use iVPN? Yes, it is!

I will quickly go over the steps you need to take to configure your Mikrotik to use iVPN Wireguard servers.

I’ll assume you already have a Mikrotik router with a working internet connection, a basic understanding of Mikrotik and RouterOS, and an iVPN account.

One extra note: most of this how-to applies to any VPN service that offers Wireguard connections, not just iVPN.


Create a new Wireguard configuration on iVPN

Log into your iVPN account and go to the Wireguard configuration generator. Select “Configuration file generator” and at the end you will have a configuration file that looks like this:

[Interface]
PrivateKey = <your private key>
Address = <local ip address to use>

[Peer]
PublicKey = <iVPN public key>
AllowedIPs = 0.0.0.0/0
Endpoint = <iVPN server ip>:<iVPN server port>

So far so good. Now we need to configure our Mikrotik router to use this configuration.


Mikrotik address list

Personally, I like to control which devices or subnets on my network use the VPN. I can also have a script enable or disable the VPN for certain devices. To do this, I use an address list.

/ip firewall address-list add list=to-iVPN address=<some-ip-addr-or-subnet>
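The enable/disable script mentioned above, as an added example that is not part of the original post: it toggles a single device in or out of the VPN by flipping the `disabled` flag of its to-iVPN entry (disabled address-list entries are not matched by the firewall). The entry is looked up by comment; the label "laptop" and the interface name iVPN used here are assumptions.

```routeros
# Added example, not from the original post: toggle one device's membership
# in the to-iVPN list. The entry is matched by its comment; "laptop" is a
# hypothetical label you assign when you add the address.
:local target "laptop"

:local ids [/ip firewall address-list find where list="to-iVPN" and comment=$target]
:if ([:len $ids] = 0) do={
    :log warning "to-iVPN: no entry with comment '$target'"
} else={
    :foreach id in=$ids do={
        :if ([/ip firewall address-list get $id disabled]) do={
            # Before routing the device into the tunnel, check that the tunnel
            # answers. 172.16.0.1 is inside the rfc-1918 list, so the ping must
            # name the Wireguard interface to leave through it.
            :local replies [/ping 172.16.0.1 interface=iVPN count=3]
            :if ($replies = 0) do={
                :log warning "to-iVPN: tunnel not answering; '$target' will have no connectivity until it recovers"
            }
            /ip firewall address-list set $id disabled=no
            :log info "to-iVPN: '$target' now routed through iVPN"
        } else={
            /ip firewall address-list set $id disabled=yes
            :log info "to-iVPN: '$target' now uses the normal gateway"
        }
    }
}
```

Run it from /system script or bind it to a scheduler entry; because the mangle rules match src-address-list=to-iVPN, a disabled entry immediately drops the device back to the normal gateway for new connections.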

I also don’t want to redirect my internal traffic to the VPN, so I keep a list of RFC1918 addresses and only redirect traffic whose destination is not in that list. If you want to use iVPN’s DNS servers, your list must look a little different; here, like everywhere on Mikrotik, your creativity is the limit.

/ip firewall address-list
  add address=10.0.0.0/8 list=rfc-1918
  add address=172.16.0.0/12 list=rfc-1918
  add address=192.168.0.0/16 list=rfc-1918

Wireguard interface

Now let’s create the Wireguard interface and the peer configuration, replacing the placeholder values with the ones from the configuration file you got from iVPN.

/interface wireguard add name=iVPN private-key=<your-private-key>

Set the IP address of the interface to the one you got from iVPN.

/ip address add interface=iVPN address=<local-ip-address-to-use>

Now we need to add the peer configuration. Again, don’t forget to replace the values in the configuration file you got from iVPN.

/interface wireguard peers
  add interface=iVPN public-key=<iVPN-public-key> endpoint-address=<iVPN-server-ip> endpoint-port=<iVPN-server-port> allowed-address=0.0.0.0/0

Routing

Let’s create the routing table that we will use to redirect traffic to the VPN.

/routing table add name=iVPN fib

Also, we need to add a default route to the VPN interface.

/ip route add dst-address=0.0.0.0/0 gateway=iVPN routing-table=iVPN

Firewall

Here we have a few steps to cover. We need Mangle rules to mark the packets that we want to redirect to the VPN, and we need a NAT rule so that the redirected traffic leaves the VPN interface with the tunnel’s own address, so let’s get it done.

First, let’s mark the packets and also clamp the MSS to avoid fragmentation inside the tunnel. The routing mark must use the same name as the routing table we created above (iVPN), otherwise the marked packets are never looked up in that table.

/ip firewall mangle
  add action=mark-connection chain=prerouting dst-address-list=!rfc-1918 new-connection-mark=ivpn passthrough=yes src-address-list=to-iVPN

  add action=mark-routing chain=prerouting dst-address-list=!rfc-1918 new-routing-mark=iVPN passthrough=yes src-address-list=to-iVPN

  add action=change-mss chain=forward connection-mark=ivpn new-mss=1360 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1375

Now we need the NAT rule that masquerades the traffic leaving through the VPN interface.

/ip firewall nat
  add action=masquerade chain=srcnat out-interface=iVPN src-address-list=to-iVPN

Check your configuration

Now you should be able to see the Wireguard interface connected to the iVPN server. If you don’t see it connected, check your configuration and try again.

From your Mikrotik, you should be able to ping the iVPN gateway (172.16.0.1), but make sure to specify the source interface: 172.16.0.1 falls inside the rfc-1918 list, so a plain ping would not be routed through the tunnel.

It is also important to make sure you don’t have Fasttrack rules enabled, because fasttracked connections bypass the mangle chain and would never receive the routing mark.

That’s it! I hope this helps you to protect your home network.