MikroTik RouterOS Config Templates
Summary: The MKController adoption script installs 8 components on your MikroTik device: an OpenVPN certificate, a VPN profile, an OpenVPN tunnel to MKController servers, a firewall rule allowing VPN gateway access, a monitoring scheduler, a managed user account, a firewall priority rule, and enabled service ports restricted to the VPN tunnel. This page explains each component and what breaks if it is removed.
What Does the MKController Adoption Script Install on MikroTik?
The MKController adoption script is a short RouterOS program that establishes a secure, encrypted connection between your MikroTik device and the MKController cloud infrastructure. When you run it, it creates exactly 8 components on the device — no more. Understanding each component helps you maintain the connection, troubleshoot issues, and make informed decisions about your RouterOS configuration.
Requirements
RouterOS version 6.39 or higher is required. For the full supported version list, see Supported RouterOS Versions.
Component 1: OpenVPN Certificate
An OpenVPN certificate is downloaded and saved to the MikroTik file system, then imported into the device’s certificate store.
You can verify it in: System → Certificates
/certificate import file-name="[CERTIFICATE_ID]" passphrase=""
This certificate authenticates the device to the MKController VPN server. Without it, the VPN connection cannot be established.
Component 2: VPN Profile
A PPP profile is created with encryption enabled. This profile is used by the VPN tunnel created in Component 3.
/ppp profile add name="[PROFILE_ID]" use-encryption=yes comment="MKController"
Component 3: OpenVPN Client Tunnel
Using the certificate from Component 1 and the profile from Component 2, an OpenVPN client interface is created. It connects outbound to ovpn.mkcontroller.com on port 443 using AES-256 cipher and SHA-1 authentication.
/interface ovpn-client add connect-to="ovpn.mkcontroller.com" user="[USER_ID]" auth=sha1 cipher=aes256 certificate="[CERTIFICATE_ID]" port=443 profile="[PROFILE_ID]" name="MKController" comment="MKController"
This tunnel is what enables all cloud features: remote access, backups, monitoring, and API calls — without requiring any open inbound ports on your router.
Component 4: Firewall Input Rule
A single firewall rule is created that allows the VPN gateway address (10.8.0.1) to access the MikroTik through the tunnel.
/ip firewall filter add chain=input action=accept src-address="10.8.0.1" priority=0 comment="MKController"
Only this IP address — the MKController VPN server — gains access. No other external IP is whitelisted.
Component 5: Monitoring Scheduler
A RouterOS scheduler script runs every 90 seconds and sends device health data to MKController: CPU usage, RAM consumption, disk space, and temperature (on supported models).
/system scheduler add name="resources-[ID]" interval="90" on-event="[EVENT]" comment="MKController"
This data populates the real-time device cards and availability reports on the MKController dashboard.
Component 6: MKController User Account
A full-access user is created on the MikroTik. This account is used for all API communication between MKController and the device. Its password rotates automatically and frequently to prevent brute-force attacks.
/user add name="[USER_ID]" group=full password="[TEMPORARY_PASSWORD]"
You can see this user in: System → Users (it appears as a UUID-style name).
Component 7: Firewall Rule Priority
The firewall rule from Component 4 is moved to the top of the input chain, ensuring MKController access is not blocked by other rules added later.
:do { :local n [/ip firewall filter find where comment="MKController"]; /ip firewall filter move numbers=$n destination=0 } on-error={}
Component 8: Service Port Activation
Five RouterOS service ports are enabled and their access is restricted to the VPN gateway address 10.8.0.1 — meaning only MKController (via the VPN tunnel) can reach them. If a port was already open, 10.8.0.1 is added to its allowed-address list without removing existing entries.
/ip service enable www; /ip service set www address="10.8.0.1"
/ip service enable winbox; /ip service set winbox address="10.8.0.1"
/ip service enable ssh; /ip service set ssh address="10.8.0.1"
/ip service enable api; /ip service set api address="10.8.0.1"
/ip service enable ftp; /ip service set ftp address="10.8.0.1"
You can verify service states in: IP → Services
What Breaks if a Service Is Disabled?
| Service | If disabled, this breaks |
|---|---|
| www (WebFig) | Remote WebFig access in MKController web and mobile app |
| winbox | Remote Winbox access in MKController desktop app |
| ssh | Backup creation, file upload/download, script execution |
| api | All API features including Walled Garden, Voucher, and the Public API |
| ftp | File system operations: FTP integration, file listing, batch file upload |
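To audit a device against Component 8 and the table above, the following added example (not MKController's code) parses the `/ip service` section of a RouterOS export and classifies each of the five services. The `set <name> key=value` line format in `SAMPLE`, the function name and the status labels are assumptions for illustration; a service with no `set` line is reported as not listed rather than guessed.

```python
import ipaddress
import re
GATEWAY = ipaddress.ip_address("10.8.0.1")  # VPN gateway address given on the page
# service -> what breaks if it is unreachable (paraphrased from the page's table)
BREAKS = {"www": "remote WebFig access", "winbox": "remote Winbox access",
          "ssh": "backups, file transfer, script execution",
          "api": "all API features", "ftp": "file system operations"}

def audit_services(export_text):
    """Classify the five services from the '/ip service' section of an export."""
    seen, in_section = {}, False
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ip service"
            continue
        m = re.match(r"set (\S+)\s*(.*)", line)
        if in_section and m:
            seen[m.group(1)] = dict(re.findall(r'([\w-]+)="?([^"\s]*)"?', m.group(2)))
    report = {}
    for name, impact in BREAKS.items():
        props = seen.get(name)
        if props is None:
            report[name] = ("not-listed", "no set line in export; check IP -> Services")
        elif props.get("disabled") == "yes":
            report[name] = ("disabled", "breaks " + impact)
        else:
            nets = [ipaddress.ip_network(a, strict=False)
                    for a in props.get("address", "").split(",") if a]
            if not nets:
                report[name] = ("unrestricted", "reachable from any source address")
            elif not any(GATEWAY in n for n in nets):
                report[name] = ("gateway-blocked", "breaks " + impact)
            elif len(nets) > 1 or nets[0].num_addresses > 1:
                report[name] = ("extra-sources", "allowed beyond 10.8.0.1")
            else:
                report[name] = ("ok", "restricted to 10.8.0.1")
    return report

# Constructed sample in the style of a RouterOS export; not taken from a real device.
SAMPLE = """\
/ip service
set ftp address=10.8.0.1/32 disabled=yes
set www address=192.168.88.0/24,10.8.0.1/32
set ssh address=10.8.0.1/32
set api address=192.168.88.0/24
"""
if __name__ == "__main__":
    for svc, (status, detail) in audit_services(SAMPLE).items():
        print(f"{svc:7} {status:16} {detail}")
```

An `extra-sources` result is expected where a port was already open before adoption, since the page says existing allowed-address entries are kept; it marks the services worth reviewing for exposure beyond the tunnel.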
Questions about the adoption script or component behavior? Contact MKController support on WhatsApp.