These instructions are based on a tutorial written by MikroTik. You can find the original article here.
MikroTik routers with RouterOS version 6.45 and later allow to establish an IKEv2 EAP VPN tunnel to a NordVPN server. This tutorial explains how you can create an IKEv2 EAP VPN tunnel from a MikroTik router to a NordVPN server.
- Open the terminal in your RouterOS settings.
- Install the NordVPN root CA certificate by running the following commands:
/tool fetch url="https://downloads.nordcdn.com/certificates/root.der"
/certificate import file-name=root.der
- Go to https://nordvpn.com/servers/tools/ to find out the hostname of the server recommended for you. In our case, it is nl125.nordvpn.com.
- Now you have to set up the IPsec tunnel. It is advised to create a separate Phase 1 profile and Phase 2 proposal configurations to avoid interfering with any existing or future IPsec configuration:
/ip ipsec profile
/ip ipsec proposal
add name=NordVPN pfs-group=none
While it is possible to use the default policy template for policy generation, it is better to create a new policy group and template to separate this configuration from any other IPsec configuration.
/ip ipsec policy group add name=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
- Create a new mode config entry with responder=no that will request configuration parameters from the server:
/ip ipsec mode-config
add name=NordVPN responder=no
- Create peer and identity configurations. Specify your NordVPN credentials in the username and password parameters:
/ip ipsec peer
add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=YourNordVPNServiceUsername password=YourNordVPNServicePassword
You can find your NordVPN service credentials in the Nord Account dashboard. Copy the credentials using “Copy” the buttons on the right.
- Now choose what to send over the VPN tunnel. In this example, we have a local network 192.168.88.0/24 behind the router and we want all traffic from this network to be sent over the tunnel. First of all, we have to make a new IP/Firewall/Address list which consists of our local network.
/ip firewall address-list
add address=192.168.88.0/24 list=local
Assign the newly created IP/Firewall/Address list to the mode-config configuration:
/ip ipsec mode-config
set [ find name=NordVPN ] src-address-list=local
- Verify that the correct source NAT rule is dynamically generated when the tunnel is established.
/ip firewall nat print