When MikroTik released RouterOS v7, they implemented a Peer-to-Peer VPN protocol called WireGuard, allowing users to take advantage of truly secure tunneling with top-notch security and performance. It was a welcome step forward for seasoned MikroTik users but has never been truly intuitive for inexperienced users looking to securely access resources remotely.
In this video, we introduce MikroTik's Back to Home feature, the quickest and easiest way for anyone to implement a basic WireGuard tunnel with almost no setup.
You can watch our video on the topic, or read about it below.
Prerequisites
Before getting started, ensure your router is based on ARM, ARM64, or Tilera architecture. Most modern home routers are based on ARM, but you can verify this in the System Resources if you have direct access to your router. Next, ensure you are running RouterOS v7.12 or higher and finally install the MikroTik Back to Home app on your mobile device.
Configuration via Back to Home app
MikroTik's Back to Home app allows you to create all the required configuration as long as you have direct local connectivity to your router. After launching the app, it's as easy as selecting "Add Tunnel," inputting your local IP followed by username and password. Now you can create a name for the tunnel with some optional settings which allow you to use custom DNS and allowed IPs. The app will show you a brief list of changes that will be created on your router, and once you select "Create Tunnel," everything is configured. It's now just a matter of switching it on in the app, and you have a secure WireGuard tunnel which can be used from anywhere.
Manual configuration via Winbox or CLI
The advantage of manual configuration is that it allows you to deploy the Back to Home service without the client having to be on-site or exposing the router's IP address or username and password.
In order for any remote device to communicate back to the router, you will need to know its public IP address. In a home user scenario, it's rare that you will have a static IP and will likely have to rely on Dynamic DNS to ensure connectivity in case the IP address changes. MikroTik users get free built-in DDNS which is linked to the router's serial number. To use it, simply navigate to the IP > Cloud menu and enable it.
Next up, we need to configure the VPN by going over to the BTH VPN tab and enabling the feature. This automatically generates the WireGuard tunnel as well as dynamically adds the necessary configuration for the IP address and firewall entries for end-to-end connectivity. When we switch to the BTH VPN Wireguard tab, you will be able to view the client configuration and generated QR code to easily onboard your mobile device.
When we launch the app and add a new tunnel, this time we select "Scan QR Code." Once we scan the available code from the router, we can create a name for this connection and start using the newly created service.
Why Use Back To Home?
Besides the ease of configuration, Back to Home is far more secure than port forwarding and also doesn't suffer from potential technical issues related to NAT. Creating a tunnel gives you direct peer connectivity to network resources with more throughput and less latency than other types of VPN available in RouterOS. WireGuard uses cutting-edge encryption and is robust for mobile devices roaming to various networks. So whether you use it for basic remote access or for more intricate scenarios like VoIP clients, it is an excellent all-round mobile solution.
Conclusion
MikroTik’s back to home is still in early development and they hint at adding more features to enhance its adoption. It's great to see that MikroTik are making some things simple and adding appeal to a wider audience for their products. Whether you are considering rolling out MikroTik as a product or already have a bunch of supported routers in production we hope you will find some good use for this feature.
To download this app please click on the relevent icon below:
