MikroTik IKEv2 setup with NordVPN

These instructions are based on a tutorial written by MikroTik. You can find the original article here.

MikroTik routers support many VPN services, including NordVPN. In particular, MikroTik routers with RouterOS version 6.45 and later let you establish an IKEv2 EAP VPN tunnel to a NordVPN server. This tutorial explains how you can connect to a VPN on your MikroTik router.

  1. Open the terminal in your RouterOS settings.
  2. Install the NordVPN root certificate by running the following commands:

    /tool fetch url="https://downloads.nordcdn.com/certificates/root.der"

    /certificate import file-name=root.der

     
  3. Connect to the NordVPN server to find out the hostname of the recommended server. For our example, we used "nl125.nordvpn.com".

Follow the steps below to find the best server for your connection:

  1. Log into your Nord Account, and click NordVPN.


     
  2. Scroll down to Advanced Settings and click Set up NordVPN manually.


     
  3. Select the Server recommendation tab. According to your location, the best server will be recommended.


     
  4. By pressing Advanced filters you can further customize the recommended servers by selecting the Server type and the Security protocol.




     

 

  1. Now you have to set up the IPsec tunnel. We recommend creating a separate profile and proposal configuration to avoid interfering with existing or future IPsec configuration:

    /ip ipsec profile
    add name=NordVPN


    /ip ipsec proposal
    add name=NordVPN pfs-group=none


    While it is possible to use the default policy template, it is better to create a new policy group and template to separate this configuration from other IPsec configurations.

    /ip ipsec policy group add name=NordVPN
    /ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes

  2. Create a new “mode config” entry with “responder=no” (no quotation marks) that will request configuration parameters from the server:

    /ip ipsec mode-config
    add name=NordVPN responder=no

  3. Create peer and identity configurations. Enter your NordVPN credentials in the username and password parameters:

    /ip ipsec peer
    add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN


    /ip ipsec identity
    add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=YourNordVPNServiceUsername password=YourNordVPNServicePassword

    You can find your NordVPN service credentials (service username and service password) in the Nord Account dashboard.

Follow the steps below to find the service credentials for manual connection setup:

  1. Log into your Nord Account, and click NordVPN.


     
  2. Scroll down to Advanced Settings and click Set up NordVPN manually.


     
  3. Select the Service credentials tab, where you'll find the Username and Password needed to connect manually.

 

  1. Now choose what to send over the VPN tunnel. In this example, we have the local network “192.168.88.0/24” behind the router, and we want all traffic from this network to be sent through the tunnel. First, we have to make a new “IP/Firewall/Address” list that consists of our local network.

    /ip firewall address-list
    add address=192.168.88.0/24 list=local


    Assign the newly created "IP/Firewall/Address" list to the "mode-config" configuration:

    /ip ipsec mode-config
    set [ find name=NordVPN ] src-address-list=local

  2. Verify that the correct source NAT rule is dynamically generated when the tunnel is established.

    /ip firewall nat print
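
The steps above tie several objects together by name (profile, proposal, policy group, mode-config, peer, identity, address list), and a mistyped name or a missing `src-address-list` leaves the tunnel down or leaves LAN traffic outside it. The following pre-flight check is an added example, not part of the original tutorial or of MikroTik's or NordVPN's code. It assumes the commands are supplied as typed (a real `/export` omits default values), and `parse`, `audit`, `REFS` and `EXPECT` are hypothetical names:

```python
import re
# Constructed input: this tutorial's commands, with placeholder credentials USER/PASS.
SAMPLE = """\
/ip ipsec profile add name=NordVPN
/ip ipsec proposal add name=NordVPN pfs-group=none
/ip ipsec policy group add name=NordVPN
/ip ipsec policy add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 template=yes
/ip ipsec mode-config add name=NordVPN responder=no
/ip ipsec peer add address=nl125.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN username=USER password=PASS
/ip firewall address-list add address=192.168.88.0/24 list=local
/ip ipsec mode-config
set [ find name=NordVPN ] src-address-list=local
"""
P = "/ip ipsec "
LINE = re.compile(r"^[ \t]*(/.*?)?[ \t]*(?:\b(add|set)[ \t]+(.*))?$", re.M)
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
# (menu, field, menu whose items must define the value that field names)
REFS = [(P + "peer", "profile", P + "profile"), (P + "identity", "peer", P + "peer"),
        (P + "identity", "mode-config", P + "mode-config"),
        (P + "identity", "policy-template-group", P + "policy group"),
        (P + "policy", "group", P + "policy group"), (P + "policy", "proposal", P + "proposal"),
        (P + "mode-config", "src-address-list", "/ip firewall address-list")]
EXPECT = [(P + "peer", "exchange-mode", "ike2"), (P + "identity", "auth-method", "eap"),
          (P + "mode-config", "responder", "no")]

def parse(text):
    """Map each menu path to its items (dicts of key=value pairs)."""
    menus, menu = {}, ""
    for path, verb, rest in LINE.findall(text):
        menu = path or menu  # a bare 'add'/'set' line applies to the last menu seen
        kv = {k: v.strip('"') for k, v in KV.findall(rest)}
        if verb == "add":
            menus.setdefault(menu, []).append(kv)
        elif verb == "set":  # 'set [ find name=X ] k=v' updates item X
            for item in (i for i in menus.get(menu, []) if i.get("name") == kv.get("name")):
                item.update(kv)
    return menus

def audit(text):
    """Return a list of problems; an empty list means the configuration is consistent."""
    menus = parse(text)
    defined = lambda tgt: {d.get("name", d.get("list")) for d in menus.get(tgt, [])}
    out = [f"{menu}: {f}={i.get(f)} is not defined under {tgt}"
           for menu, f, tgt in REFS for i in menus.get(menu, []) if i.get(f) not in defined(tgt)]
    out += [f"{menu}: expected {f}={want}, found {i.get(f)}"
            for menu, f, want in EXPECT for i in menus.get(menu, []) if i.get(f) != want]
    return out
```

Calling `audit(SAMPLE)` returns an empty list; removing the final `set` line makes it report that `src-address-list` is not defined, which is the case where no LAN traffic is selected for the tunnel.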