MikroTik IKEv2 setup with NordVPN

These instructions are based on a tutorial written by MikroTik. You can find the original article here.

MikroTik routers support many VPN services, including NordVPN. In particular, MikroTik routers with RouterOS version 6.45 and later let you establish an IKEv2 EAP VPN tunnel to a NordVPN server. This tutorial explains how you can connect to a VPN on your MikroTik router.

  1. Open the terminal in your RouterOS settings.
  2. Install the NordVPN root certificate by running the following commands:

    /tool fetch url="https://downloads.nordcdn.com/certificates/root.der"

    /certificate import file-name=root.der

     
  3. Go to NordVPN’s recommended server utility to find out the hostname of the most suitable NordVPN server for you. In our example, it is "nl125.nordvpn.com".

  4. Now you have to set up the IPsec tunnel. We recommend creating a separate profile and proposal configuration to avoid interfering with existing or future IPsec configuration:

    /ip ipsec profile
    add name=NordVPN


    /ip ipsec proposal
    add name=NordVPN pfs-group=none


    While it is possible to use the default policy template, it is better to create a new policy group and template to separate this configuration from other IPsec configurations.

    /ip ipsec policy group add name=NordVPN
    /ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
  5. Create a new “mode config” entry with “responder=no” (no quotation marks) that will request configuration parameters from the server:

    /ip ipsec mode-config
    add name=NordVPN responder=no
  6. Create peer and identity configurations. Enter your NordVPN credentials in the username and password parameters:

    /ip ipsec peer
    add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN


    /ip ipsec identity
    add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=YourNordVPNServiceUsername password=YourNordVPNServicePassword


    You can find your NordVPN service credentials through the Nord Account dashboard. Copy the credentials using the “Copy” buttons on the right.

  7. Now choose what to send over the VPN tunnel. In this example, we have the local network “192.168.88.0/24” behind the router, and we want all traffic from this network to be sent through the tunnel. First, we have to make a new “IP/Firewall/Address” list that consists of our local network.

    /ip firewall address-list
    add address=192.168.88.0/24 list=local


    Assign the newly created "IP/Firewall/Address" list to the "mode-config" configuration:

    /ip ipsec mode-config
    set [ find name=NordVPN ] src-address-list=local
  8. Verify that the correct source NAT rule is dynamically generated when the tunnel is established.

    /ip firewall nat print
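
An added example, not part of the original tutorial or of RouterOS: a Python pre-check that parses the commands from steps 4 to 7 and reports any entry that refers to a name the script never creates, including a mode-config left without the src-address-list from step 7. The names `parse`, `audit`, `REFS` and `TUTORIAL` are hypothetical, the credentials are placeholders, and built-in RouterOS entries such as `default` are not known to it.

```python
import shlex

# Constructed sample: the commands from steps 4-7 with placeholder credentials.
TUTORIAL = """
/ip ipsec profile add name=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec policy group add name=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add name=NordVPN responder=no
/ip ipsec peer add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec identity add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=USER password=PASS
/ip firewall address-list add address=192.168.88.0/24 list=local
/ip ipsec mode-config
set [ find name=NordVPN ] src-address-list=local
"""

REFS = [  # (menu, key, menu that must define the value, key that defines it)
    ("/ip ipsec identity", "peer", "/ip ipsec peer", "name"),
    ("/ip ipsec identity", "mode-config", "/ip ipsec mode-config", "name"),
    ("/ip ipsec identity", "policy-template-group", "/ip ipsec policy group", "name"),
    ("/ip ipsec peer", "profile", "/ip ipsec profile", "name"),
    ("/ip ipsec policy", "proposal", "/ip ipsec proposal", "name"),
    ("/ip ipsec mode-config", "src-address-list", "/ip firewall address-list", "list"),
]

def parse(script):
    """Collect one dict per entry, grouped by menu, from add and set lines."""
    cfg, menu = {}, None
    for line in script.splitlines():
        tok = shlex.split(line)
        verb = next((i for i, t in enumerate(tok) if t in ("add", "set")), len(tok))
        if tok and tok[0].startswith("/"):
            menu = " ".join(tok[:verb])  # path alone, or path before the verb
        if verb == len(tok):
            continue
        kv = dict(t.split("=", 1) for t in tok[verb:] if "=" in t)
        rows = cfg.setdefault(menu, [])
        if tok[verb] == "add":
            rows.append(kv)
        else:  # set [ find name=X ] k=v: merge into the entry named X
            for row in (r for r in rows if r.get("name") == kv.get("name")):
                row.update(kv)
    return cfg

def audit(cfg):
    """List references to entries the script never creates (built-ins not known)."""
    return [f"{menu}: {key}={row.get(key)!r} is not defined under {target}"
            for menu, key, target, tkey in REFS for row in cfg.get(menu, [])
            if row.get(key) not in {r.get(tkey) for r in cfg.get(target, [])}]
```

`audit(parse(TUTORIAL))` returns an empty list; removing the `set ... src-address-list=local` line makes it report the mode-config entry.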