So Mikrotik released new feature called back to home (WG VPN) and @normis asked for us to do a little testing, so they can see how they relay handles the load. I'm opening new topic so we don't spam topic about ROS beta releases.

My results:

Without VPN, 5G network (rural area):



With VPN enabled:


Home internet speed is 170/140 Mbps so there are no bottlenecks on that side

If your router is behind NAT (no public IP), the connection is going through our Relay server in Latvia (for now our servers are only in one country). This is why the speed is different.

Good enough for me, will try it on laptop too.

Enabled on AX3, NOT using mobile app (it's not needed, you see ...)
Got print from terminal (zoomed WAY OUT), QR code scanned in Wireguard app on Android Samsung S20.

Home network: 500/30

Tested using mobile
baseline 66.6 / 3.86 ( )
BTH: 23.7 / 3.85

Tested using wifi (home network, observed counters on freevpn-wg were moving as well)
Baseline: 480/28.76
BTH: 21.9/12.6

But I must say, app looks pretty good

I presume speeds and ping will get better once Mikrotik deploys more relay servers.

We have now widened supported device list, ARM/ARM64/TILE are now supported in 7.11beta6. Please test

Tested on RB4011iGS+, no problems, same performance as on ax3, will try to test later with ac3, unfortunately i don't have any TILE based device...

Any ideas when this will be available on the Hex S / MMIPS?

Clarification, currently the early beta is enabled only for these models:

"L41G-2axD"
"L41G-2axD&FG621-EA"
"C52iG-5HaxD2HaxD-TC"
"C53UiG+5HPaxD2HPaxD"
"S53UG+5HaxD2HaxD-TC&FG621-EA"
"S53UG+5HaxD2HaxD-TC&EG18-EA"
"S53UG+M-5HaxD2HaxD-TC&RG502Q-EA"
"L009UiGS-2HaxD-IN";

7.11 stable will unlock it for all ARM64 and possibly more devices in future. This is a gradual rollout, to see what our relays are capable of.

And for now with 7.11beta6 we have ARM/ARM64/TILE devices

Little testing this weekend, my wife's phone and my were connected to VPN all the time, streaming videos, netflix etc no problems at all.

Hi,
I tried the new Back to Home feature. Downloaded the android Back to Home app on a Samsung A53. It connected succesfully with my RB5009 v7.11beta7 at home, on my local WiFi. I left the DNS Server (optional) empty. So I then switch off the WiFi on my phone, to try to see if I could connect via the gsm 4G network. It then also `connects, and I can open my MicroTik android app.

However, as soon as the VPN is connected, I'm losing all other acces to internet. So I also can't check the bandwitch speed via Speedtest, I can't even reach this forum then.
Any idea what I should change in the config?

Kind regards

You should set the DNS when you configure it. Next versions will handle this better and will not even ask for it.

Hi Normis,
What should I be entering in the DNS field in the android Back to Home app?
f.e: 1.1.1.1, or just set it to 192.168.88.1 ?

as you wish, both will work
either router, the ISP of the router, or any public DNS

Tested with Chateau LTE18 ax today, but with Wireguard app for Windows, works like a charm.

Oefff it got worse for me
I keep getting "Connection Refused" error messages when trying to open the MicroTik android app, even if the new BTH vpn is connected. I even did a reset of the RB5009 --> System --> Reset Configuration to start fresh. And then created a new tunnel in the BTH android app. That part goes fine, the vpn connection is getting established. But then, i lose my internet and now also the connection refused messages from both the android MicroTik Pro app and also the MicroTik Home app.
Any suggestions...?

Edit: not sure if it matters, but in Winbox: WireGuard --> tab WireGuard --> select the back-to-home entry, then go to tab Traffic. I see a lot of Tx/Rx Errors.

What are allowed IPs ? You should have 0.0.0.0/0 to be able to access internet through your RB5009 when connecting with a client.

I can connect with Mikrotik app normally to the router. One thing that you can check is that WG interface is in interface list and it's assigned to LAN list. That could be the reason your connection gets refused.

Also check if firewall rule is created, it should be first rule in chain, back-to-home-vpn.

Can you post your config here ? Minus sensitive data as public and private keys etc. Maybe WG guru @anav see post

Thanks for the tips!
-I tried to disable all firewall rules, just to see if one of these rules where the issue, but that did not help. So I could rule out the firewall.
-The WG interface is connected to LAN, I double checked. So that's fine I guess.

-the suggestion regarding 0.0.0.0/0 was the winning tip!! So, in WinBox, WireGuard --> Peers menu, there are two peers here. I'm seeing one with comments regarding my Samsung phone, so that's clear. The other one is called 'back-to-home-vpn'...so I'm guessing that's some sort of default peer that was automaticly created by the new BTH functionallity?
In the Samsung phone peer, strangley there was only one row with Allowed adress: 192.168.216.2/32. I have added a second entry here: 0.0.0.0/0 I'm asuming that's whtat you ment...
That did the trick! After connecting with the BTH app on my phone, i can open the MicroTik Pro app now succesfully! Thanks!

So my next question is, how do I reach all other network devices behind the RB5009 in the house? F.e, I can't reach my network audio players or NAS. So I'm guessing I have to do something extra to also reach these devices behind the router?

Your client should have 0.0.0.0/0 in allowed addresses, you need to check that.

I don't have 0.0.0.0/0 anywhere in router settings as far as i can see, only in client config so you should leave it as is.

You can always try with wireguard app, scan qr code and that's it

I tested a little bit right now and i can access my devices without a problem.

You should export your configuration, remove sensitive data like public keys etc and post it here so someone more experienced may help you, but as i said, i didn't make any additional changes, it worked out of the box.

You should have something like this:

Here some of the configs:





Are any other configs handy?
Again, it seems to work now I have added the extra 0.0.0.0/0 into the Allowed Address under the Peer. Only issue now is, what should I do to also be able to find other devices on the local network behind the RB5009?

Update: not sure what happend, but I can reach the devices behind the router now. So maybe it was just a mather of patience ...
Can someone confirm that the above added 'Allowed address' 0.0.0.0/0 in the Peer (it's the client peer, my Samsung phone) is oke/secure..? Since it seems that others are not adding it there.... so that's interesting.

Also, I would like to also add the Windows WireGuard client on my laptop, to also create a wiregueard tunnel between the laptop and the RB5009. Can I 'reuse' the 'back-to-home' Wireguard entry for that? If so, than al I would have to do I think is just create a new (client) Peer.... or shoud I create a compete new WireGuard entry, so I would then end up with a 'back-to-home' WireGuard entry and a 'Laptop-wireguard' entry under the WireGuard menu? Thanks for the help!

You need to create new peer for your laptop. I created one today for my laptop and wireguard client and it's working like a charm.

I don't have 0.0.0.0/0 entry on peers in router, only one address, and that address is IP address of your phone and what its mean ia that only that ip address can access your VPN, and 0.0.0.0/0 means that all addresses can access VPN. Not good...

You need to create new peer for your laptop. I created one today for my laptop and wireguard client and it's working like a charm.

I don't have 0.0.0.0/0 entry on peers in router, only one address, and that address is IP address of your phone and what its mean ia that only that ip address can access your VPN, and 0.0.0.0/0 means that all addresses can access VPN. Not good...

Hmmmm allright, I had a bad feeling about how secure it was indeeed....thanks for your feedback!! I removed the 0.0.0.0/0... and to my suprise it still works... magic!
I'll play around with WireGuard client on my laptop next week. Just one more question; do you expect that WOL still works when connected via BTH Wireguard, f.e to wake up a NAS?

Not over wireguard.
But if you have access to your home Tik, you can always send a command from there ?

Just one more question; do you expect that WOL still works when connected via BTH Wireguard, f.e to wake up a NAS?

Not over wireguard.
But if you have access to your home Tik, you can always send a command from there ?

True, WOL is layer-2, so not directly via WG.

But you can use /tool/netwatch to monitor the BTH peer allowed-address (e.g. 192.168.216.2), and in "on-up" script use "/tool/wol mac=XX:DD:CC:XX:XX:XX" as the script (replacing the MAC with your NAS's MAC address). Now perhaps with Windows, this might not work (since it normally blocks ping).

Just one more question; do you expect that WOL still works when connected via BTH Wireguard, f.e to wake up a NAS?

True, WOL is layer-2, so not directly via WG.

But you can use /tool/netwatch to monitor the BTH peer allowed-address (e.g. 192.168.216.2), and in "on-up" script use "/tool/wol mac=XX:DD:CC:XX:XX:XX" as the script (replacing the MAC with your NAS's MAC address). Now perhaps with Windows, this might not work (since it normally blocks ping).

Nice!! I tried it (via WinBox), and it works! Thanks!!

Hey there i just thought of testing the Back to Home Feature i only have few RB750gr2 and one RB2011 iL-rm. Architecture MIPSBE.
It looks like currently it only works on Hardware requirements: ARM/ARM64/TILE architecture devices
Do you know if it will be available for the old devices or MIPSBE based

(Fairly new user. I use Mikrotik on and off)

BTH won't be available until 7.12beta for now, so maybe Mikrotik add support for other devices in 7.12 stable

Do you know if it will be available for the old devices or MIPSBE based

There are no reason that it should not com on mipsbe devices, since it uses Wireguard that mipsbe do support today.

As far as I understand it, the limitation to certain devices was done only to deploy the new feature to a limited number of users so they could evaluate it before wider deployment. Not because of limitations of the architecture.

For CCR2004-16G-2S+PC it says not supported, but it's an arm device...

What version of ROS are you using ?
Did you enable it before on any of the 7.11 testing versions (beta or RC) ?
If not, it will not show in 7.11 stable if that was the first time 7.11 was loaded on your device.

Move to 7.12beta or first apply test version of 7.11, enable BTH and then it should remain working after upgrade to 7.11 stable.
At least that's how I understood it should work...

7.11 stable.
Where should I enable it ?

Again... was that the first 7.11 version on your device ?
If so, it will not work.

First move back to one of the 7.11 rc version, or move to 7.12 beta.
It will appear then in IP / Cloud.

I had the impression based on the forum thread that it will automatically configure it, not manually configuring wireguard.

Again... was that the first 7.11 version on your device ?
If so, it will not work.

First move back to one of the 7.11 rc version, or move to 7.12 beta.
It will appear then in IP / Cloud.

No, I've used previous 7.xx versions as well. I just updated today to 7.11

7.11 stable.
Where should I enable it ?

The BTH VPN has been removed from 7.11 stable! It was only available in 7.11 beta

Oh, I see
Then I will stick to openvpn that I have used previously.

Again... was that the first 7.11 version on your device ?
If so, it will not work.

First move back to one of the 7.11 rc version, or move to 7.12 beta.
It will appear then in IP / Cloud.

No, I've used previous 7.xx versions as well. I just updated today to 7.11

You're not really answering the question, are you ?

The BTH VPN has been removed from 7.11 stable! It was only available in 7.11 beta

...and 7.11rc, pulled from 7.11 stable and back again in 7.12 beta.

In addition to having RouterOS as the vpn server, could we all use Mikrotiks as the vpn clients?

Is there a limitation to how many clients one could setup with this?

Having a public IP on the server isn't an issue for us, but I like the simplicity of Zerotier for setup and management. I would love to have the same simplicity for Wireguard. (Having all my Zerotier clients mesh to each other over cell is not desirable.)

Will there be an option to self-host our own relays? Will there be a subscription option for those that want multiple clients?

Will there be an option to self-host our own relays?

You can already do that ? What's holding you back ?
All you need is a public accessible ip address.

Oh, I see
Then I will stick to openvpn that I have used previously.

You can install 7.12beta1 and use BTH, it's working without a problem.

In addition to having RouterOS as the vpn server, could we all use Mikrotiks as the vpn clients?

Is there a limitation to how many clients one could setup with this?

Having a public IP on the server isn't an issue for us, but I like the simplicity of Zerotier for setup and management. I would love to have the same simplicity for Wireguard. (Having all my Zerotier clients mesh to each other over cell is not desirable.)

Will there be an option to self-host our own relays? Will there be a subscription option for those that want multiple clients?

This is what the RouterOS device is for. You could do this for many years. There is no limit. Host VPN server with as many clients as you want. MikroTik can be client, server, whatver you need. If you have a public IP, you have all the possibilities already.

No updates here since August... is there a specific web page we can have a link to that will show the lastest updates on BTH, i.e. which Mikrotik devices are supported, which firmware is available that supports it, etc? Thanks,

There are many updates. The BTH app is in the app store, make sure you check for updates. Changelog is shown there.