Managing your Mikrotik with VPS
Summary
Use a public VPS as a secure tunnel hub to reach MikroTik and internal devices behind CGNAT. This guide covers VPS creation, OpenVPN setup, MikroTik client config, port forwarding, and hardening tips.
Remote MikroTik Management via VPS
Accessing devices behind a MikroTik without a public IP is a classic problem.
A public VPS makes a reliable bridge.
The router opens an outbound tunnel to the VPS, and you reach the router or any LAN device through that tunnel.
This recipe uses a VPS (example: DigitalOcean) and OpenVPN, but the pattern works with WireGuard, SSH reverse tunnels or other VPNs.
Architecture overview
Flow:
Administrator ⇄ Public VPS ⇄ MikroTik (behind NAT) ⇄ Internal device
The MikroTik initiates the tunnel to the VPS. The VPS is the stable rendezvous with a public IP.
Once the tunnel is up, the VPS can forward ports or route traffic into the MikroTik LAN.
Step 1 — Create a VPS (DigitalOcean example)
- Create an account on your chosen provider.
- Create a Droplet / VPS with Ubuntu 22.04 LTS.
- A small plan is fine for management workloads (1 vCPU, 1 GB RAM).
- Add your SSH public key for secure root access.
Example (result):
- VPS IP: 138.197.120.24
- User: root
Step 2 — Prepare the VPS (OpenVPN server)
SSH into the VPS:
ssh root@138.197.120.24
apt update && apt upgrade -y
apt install -y openvpn easy-rsa iptables
Create the PKI and server certs (easy-rsa):
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
openvpn --genkey --secret ta.key
Enable IP forwarding:
sysctl -w net.ipv4.ip_forward=1
# persist in /etc/sysctl.conf if desired
Add a NAT rule so tunnel clients can egress via the VPS public interface (eth0):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
Create a minimal server config /etc/openvpn/server.conf and start the service.
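As an added example (not part of the original guide), a shell function that writes a minimal /etc/openvpn/server.conf matching the client.ovpn from Step 3 (UDP 1194, tun, 10.8.0.0/24, AES-256-CBC). It assumes the easy-rsa outputs (pki/ca.crt, pki/issued/server.crt, pki/private/server.key) have been copied into /etc/openvpn, omits ta.key because the client config in this guide has no tls-auth line, and uses subnet topology so the addresses match the 10.8.0.1/10.8.0.2 pair shown in Step 4.

```bash
# Added example, not the guide's own file: writes the minimal OpenVPN
# server config that pairs with the client.ovpn in Step 3.
# Assumes ca.crt, server.crt and server.key already sit next to the config.
write_server_conf() {
    conf="$1"   # destination path, e.g. /etc/openvpn/server.conf
    cat > "$conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# "dh none" selects ECDH only (OpenVPN 2.4+), so no dh.pem has to be generated
dh none
# subnet topology: server is 10.8.0.1, first client gets 10.8.0.2
topology subnet
server 10.8.0.0 255.255.255.0
# keep the tunnel alive through NAT and notice a dead peer quickly
keepalive 10 60
cipher AES-256-CBC
persist-key
persist-tun
# drop root privileges once the tunnel is up
user nobody
group nogroup
# connection log useful for the "log connections" advice in Step 7
status /var/log/openvpn/status.log
verb 3
EOF
}

# Sanity check that the generated file carries the settings this guide relies on.
check_server_conf() {
    conf="$1"
    grep -q '^server 10.8.0.0 255.255.255.0$' "$conf" &&
    grep -q '^proto udp$' "$conf" &&
    grep -q '^port 1194$' "$conf"
}

# Usage on the VPS:
#   write_server_conf /etc/openvpn/server.conf
#   check_server_conf /etc/openvpn/server.conf && systemctl enable --now openvpn@server
```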
Tip: Lock down SSH (keys only), enable UFW/iptables rules and consider fail2ban for extra protection.
Step 3 — Build client credentials and config
On the VPS, generate a client cert (client1) and collect these files for the MikroTik:
- ca.crt
- client1.crt
- client1.key
- ta.key (if used)
- client.ovpn (client config)
A minimal client.ovpn:
client
dev tun
proto udp
remote 138.197.120.24 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
cipher AES-256-CBC
verb 3
Step 4 — Configure MikroTik as OpenVPN client
Upload the client certs and client.ovpn to the MikroTik (Files list), then create an OVPN client interface:
/interface ovpn-client add name=vpn-to-vps connect-to=138.197.120.24 port=1194 \
    user=vpnuser password="senha123" profile=default-encryption add-default-route=no
/interface ovpn-client monitor vpn-to-vps once
Expect status like:
status: connected
uptime: 00:00:45
remote-address: 10.8.0.1
local-address: 10.8.0.2
Note: adjust add-default-route to control whether the router sends all traffic through the tunnel.
Step 5 — Access the MikroTik via the VPS
Use DNAT on the VPS to forward a public port to the router’s WebFig or other service.
On the VPS:
iptables -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to-destination 10.8.0.2:80
iptables -t nat -A POSTROUTING -p tcp -d 10.8.0.2 --dport 80 -j MASQUERADE
Now http://138.197.120.24:8081 will reach the router’s WebFig through the tunnel.
Step 6 — Access internal LAN devices
To reach a device behind the MikroTik (example: a camera at 192.168.88.100), add a DNAT rule on the VPS and, if necessary, a dst-nat rule on the MikroTik.
On the VPS (map public port 8082 to the tunnel peer):
iptables -t nat -A PREROUTING -p tcp --dport 8082 -j DNAT --to-destination 10.8.0.2:8082
On the MikroTik, forward the incoming port from the tunnel to the internal host:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8082 action=dst-nat to-addresses=192.168.88.100 to-ports=80
Access the camera:
http://138.197.120.24:8082
Traffic traverses: public IP → VPS DNAT → OpenVPN tunnel → MikroTik dst-nat → internal device.
Step 7 — Automation and hardening
Small practical tips:
- Use SSH keys for VPS access and strong passwords on MikroTik.
- Monitor and auto-restart the tunnel with a MikroTik script that checks the OVPN interface.
- Use static IPs or DDNS for the VPS if you change providers.
- Expose only the ports you need. Keep the rest firewalled.
- Log connections and set alerts for unexpected access.
Example MikroTik watchdog script (restart OVPN if down):
:if ([/interface ovpn-client get vpn-to-vps running] = false) do={
    /interface ovpn-client disable vpn-to-vps
    :delay 3s
    /interface ovpn-client enable vpn-to-vps
}
Security checklist
- Keep the VPS OS and OpenVPN patched.
- Use unique certs per MikroTik and revoke compromised keys.
- Limit VPS firewall rules to management IPs where possible.
- Use HTTPS and authentication on forwarded services.
- Consider running the VPN on a non-standard UDP port and rate-limit connections.
Where MKController helps: If manual tunnel setup is too much overhead, MKController’s NATCloud offers centralized remote access and secure connectivity without per-device tunnel management.
Conclusion
A public VPS is a simple, controlled way to reach MikroTik devices and internal hosts behind NAT.
OpenVPN is a common choice, but the pattern works with WireGuard, SSH tunnels and other VPNs.
Use certificates, strict firewall rules and automation to keep the setup reliable and secure.
About MKController
Hope the insights above helped you navigate your MikroTik and Internet universe a little better! 🚀
Whether you’re fine-tuning configs or just trying to bring some order to the network madness, MKController is here to make your life simpler.
With centralized cloud management, automated security updates, and a dashboard that anyone can master, we’ve got what it takes to upgrade your operation.
👉 Start your free 7-day trial now at mkcontroller.com — and see what effortless network control reall