MikroTik

Posted: **Mon Jul 31, 2023 11:39 am**

BTH provides easy VPN to your router, even if you are behind NAT. Main use - take the phone app and enable the new feature, then connect to your home network, while abroad or anywhere.

In the background it takes care of all the configuration in the router, makes a Wireguard setup, configures the firewall, communicates with our cloud.
Then use the same phone app to go "back to home" when you are away. Use internet through your home network, to have pihole block ads, or just to change your IP and watch content only available "back home".

In case your router is behind NAT, somewhere inside a private network, the connection will be made though our relay servers.

Feature is in BETA (Gradual rollout to see what our relays are capable of, to slowly test load) and is currently available on ARM/ARM64/TILE.

Apple iPhone: https://apps.apple.com/lv/app/mikrotik- ... 6450679198
Android: https://play.google.com/store/apps/deta ... id.freevpn

Manual with more info:
https://help.mikrotik.com/docs/display/ROS/Back+To+Home

Available from 7.11 (currently in RC)

Please test it and report any issues.

Posted: **Mon Jul 31, 2023 11:40 am**

DNS should be your home ISP DNS or any public DNS like 1.1.1.1

Posted: **Mon Jul 31, 2023 11:44 am**

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data
3) It secures your router with firewall, it does not open up full access to your router in any way
4) It is not a feature for anonymity, it is a home user feature for maximum ease of use.
5) If you wish, after you have enabled it with our BTH app, you can also connect using Wireguard on your computer. You can use the QR code in Winbox IP CLOUD menu to get the needed config to your computer

Posted: **Mon Jul 31, 2023 12:43 pm**

Hi,

Could you perhaps consider making a NAT helper for routerOS, that would make a router act as a relay like your BTH relay.
That can be applied to a small number of UDP ports.

Some maybe simplifications.

Server connects via one port clients connect via another port. (does this make it simpler?)
Only on devices with good amount of flash.

Posted: **Mon Jul 31, 2023 12:46 pm**

What would be the use case, sorry I don't get it

Posted: **Mon Jul 31, 2023 1:05 pm**

Silly question, but is it safe to just use the wireguard app with the QR code as I already installed that on the other-halves phone which seems to work ok but took ages to connect? Android by the way.

Posted: **Mon Jul 31, 2023 1:24 pm**

Of course you can just keep using Wireguard. This new feature is also using Wireguard, but it has one advantage, it can work even if your router has no public IP

Posted: **Mon Jul 31, 2023 1:31 pm**

Of course you can just keep using Wireguard. This new feature is also using Wireguard, but it has one advantage, it can work even if your router has no public IP

Thanks for the further info. Great feature by the way!

Posted: **Mon Jul 31, 2023 1:45 pm**

will ever be support for mipsbe devices?

Posted: **Mon Jul 31, 2023 1:56 pm**

As always mipsbe and mmips are forgotten. :(

For now my only alternative is using Raspberry Pi and/or x86 machines with some Linux.

Posted: **Mon Jul 31, 2023 3:23 pm**

Will Back to Home also come on Mipsle devices? Wireguard does work fine on mipsel router, so it should not be a big change to make it work.

However, if the router is not directly reachable from the internet, the connection will be made through the MikroTik relay server

Any information on the relay server? Capacity? Where are they located? Will there be server on other countries?

Posted: **Mon Jul 31, 2023 4:10 pm**

Apple iPhone version released (but some updates coming soon): https://apps.apple.com/lv/app/mikrotik- ... 6450679198

Posted: **Mon Jul 31, 2023 5:03 pm**

If the router has no public ip (4G connection) all traffic goes through MikroTik servers, am I right?
If yes, are there any speed or traffic limits?
Or does it work as a ZeroTier relay?

Thanks

Posted: **Mon Jul 31, 2023 5:15 pm**

Yes that's true. Currently there are no limits. It might change in the future, but there is no plan for that at the moment.
If we run into traffic problems, we will just add more relays around the world.

Posted: **Mon Jul 31, 2023 5:45 pm**

Did quick test if iOS app. Seems to work, at least against two different router, using LTE/CGNAT on device with BTH iOS app.

Was able to connect to a BTH-enabled router with public IP. And was also able to connect using relay with a host behind a CGNAT address e.g. remote end also uses LTE, so BOTH ends behind a CGNAT – this later case isn't possible with WG alone without the BTH relay (or using ZeroTier).

Although latency is pretty bad if relayed, things do route/connect. I see ping times in the 600-800ms range using BTH with relay from phone to router. This router also has ZeroTier, so if disconnect from BTH and use ZT as VPN instead, latency is about 150-250ms in same ping test. I'd imagine difference is ZT roots are closer than Latvia...not that ZeroTier is inherently faster, just way closer in proximity to California.

Posted: **Mon Jul 31, 2023 5:49 pm**

Can we get answer on the xMIPSx situation with BTH?

That really is where BTH be more useful. e.g. I used ZeroTier to enable BTH to test it – so really didn't need BTH since I already had ZeroTier. On xMIPSx, there are no options for a VPN from a CGNAT to a CGNAT, without building your own VPN hub.

Posted: **Mon Jul 31, 2023 6:25 pm**

Nice feature specially for the ones that are stuck with CGNAT!!!. I like to see as a feature virtual stacking for CRS switches (CRS3xx and CRS5xx) for HA core Switches!

Keep it going!

Posted: **Mon Jul 31, 2023 7:19 pm**

@normis - great feature!

Two questions:

Is it possible to open source/release the server side of the BTH relay? I'd love the ability to roll my own relay - which would remove the traffic from going through Mikrotik's server (would save Mikrotik cost as well)

Where are the relays currently located?

thank you!

Posted: **Mon Jul 31, 2023 7:30 pm**

While in Beta, we have a relay in the MikroTik data center in Latvia. Depending on demand, we will expand to other regions and will lauch relays in other countries. If somebody here works in a well connected data center with high speed connectivity, you are welcome to drop us an email

Posted: **Mon Jul 31, 2023 7:31 pm**

Is it possible to open source/release the server side of the BTH relay? I'd love the ability to roll my own relay - which would remove the traffic from going through Mikrotik's server (would save Mikrotik cost as well)

Why? Instead of a relay you could just run a Wireguard server with public IP address. The point of the relay is that Mikrotik is not able to decrypt your traffic - you do not need traffic for yourself, do you? 😜

Posted: **Mon Jul 31, 2023 7:36 pm**

Exactly. If you can run a relay, you basically don't need a relay.

Posted: **Mon Jul 31, 2023 7:56 pm**

Why use a full relay and not STUN? Wireguard runs over UDP so hole punching should work fine with a short enough keepalive.

Posted: **Mon Jul 31, 2023 8:18 pm**

If somebody here works in a well connected data center with high speed connectivity, you are welcome to drop us an email

Our own TomJonesNorthIdaho comes to mind...

Posted: **Mon Jul 31, 2023 8:32 pm**

Is it possible to open source/release the server side of the BTH relay? I'd love the ability to roll my own relay [...]
Why? Instead of a relay you could just run a Wireguard server with public IP address. [...]

That's actually nice part. Any peer will directly connect to the router's WG from BTH app (or any WG client) if you have a public IP on router, automatically.

If there is not a public IP (e.g. some dual WAN that failover to LTE, or other routing change, etc.) ... the nifty part is nothing in the client configuration changes, except then it traffic be proxied if the router with BTN does NOT have public IP detected.

Only requirement is using Mikrotik DDNS...since that's critical to how this work: if you resolve the <sn>.vpn.mynetname.com address shown in winbox/CLI, you'll can see that's it's your own public IP (if direct) OR a Mikrotik IP (if proxied)... Also means if your WAN IP changes, it take DNS TTL and /ip/cloud DDNS update interval for it to "switch" between proxy and direct...

So if you have public IP and BTH... the only dependency is on Mikrotik DDNS but otherwise it's normal WG peer connection.

Posted: **Mon Jul 31, 2023 10:08 pm**

When using the standard Wireguard Iphone App I am able to connect.At the moment I can not find the Mikrotik BTH Iphone app in the app store (I'm living in the Netherlands)

Posted: **Mon Jul 31, 2023 10:30 pm**

Can we get answer on the xMIPSx situation with BTH?

That really is where BTH be more useful. e.g. I used ZeroTier to enable BTH to test it – so really didn't need BTH since I already had ZeroTier. On xMIPSx, there are no options for a VPN from a CGNAT to a CGNAT, without building your own VPN hub.

Probably never will be supported, so, Wireguard apparently not supports MIPS architecture. Probably I'm wrong.

On past I used ZeroTier and Tailscale on Windows and Linux machines but sometimes some machines randomly lost the connection or never connects at machine's startup. So I decided to implement Twingate on my Raspberry Pi 4 under Debian Minimal and worked really well.

A bit detail yesterday I decided to upgrade all system and stupidly reboot and now I can't access to my devices, and now I'm not at home until this Wednesday.

I think that ends to a kernel panic probably or another boot problem, so on my windows server I will create a VM with some Linux minimal (probably CentOS Stream) to create a "copy" that can works as backup.

You know another VPN solutions? I'm also using on both sides LTE with CGNAT on both sides of course. My home core is LtAP (mmips).

Regards.

Posted: **Mon Jul 31, 2023 10:47 pm**

Wireguard apparently not supports MIPS architecture. Probably I'm wrong.

There you are wrong. Wireguard works fine on the RB750g3 Mipsel.
.

WireGuard.png

Posted: **Mon Jul 31, 2023 10:52 pm**

Wireguard works fine on the RB750g3 Mipsel.

Quite true.
Hex (MMIPS) was my first Tik and the very first I used Wireguard on, already with first beta of ROS7.
Also on Map and mAP Lite (MIPSBE, 2nd and 3th Tik

) it works just fine.

Posted: **Mon Jul 31, 2023 10:56 pm**

Oh, thanks for clarification Jotne and holvoetn, so, only waiting for BTH compatible with MIPS.

Regards.

Posted: **Mon Jul 31, 2023 11:16 pm**

You know another VPN solutions? I'm also using on both sides LTE with CGNAT on both sides of course. My home core is LtAP (mmips).

Not really. I have to use LTE with public IPs, but that's not always possible & expensive. So use SSTP as backup, but that takes another router to act as the relay (at some point could use normal WG, but still some lingering V6 devices)...

[...] only waiting for BTH compatible with MIPS.

Yup, as BTH be fine a solution (in my initial testing on a remote wAPacR) for the CGNAT problem on LtAP (and KNOTs) without ZT... e.g. there are 0 devices with 2 modems in the ARM lineup... Why do you think I've resorted to begging here?

Since BTH is really just some UI/CLI around WG client config & another DDNS update, at least on the RouterOS side.... I don't see how BTH be an intensive feature on [CPU limited] xMIPSx platforms — at least no more so than standard WG [which is supported, as noted above].

I can see xMIPSx may not be the first platform for a beta. Just some clarity here is all I'm asking... Since I just need remote access to routers behind a CGNAT, I really don't care if ZT or BTH+WG – different but either work behind CGNAT...

Posted: **Mon Jul 31, 2023 11:36 pm**

Thanks for response.

We wait...

Regards.

Posted: **Tue Aug 01, 2023 1:34 am**

What would be the use case, sorry I don't get it

Similar use case to using your Relay Except closer to home.

I have a CHR in a nearby data centre, and currently use a wireguard in wireguard tunnel to get back to home (CGNAT) with e2e encryption.
It is not ideal on a number of points, but still brisk, and quite low latency.

Posted: **Tue Aug 01, 2023 8:38 am**

You can already make a Wireguard connection to your CHR from the home router, and then make a Wireguard VPN from your phone to the same CHR. This way you can achieve the same result without custom "relay".

Posted: **Tue Aug 01, 2023 8:41 am**

When using the standard Wireguard Iphone App I am able to connect.At the moment I can not find the Mikrotik BTH Iphone app in the app store (I'm living in the Netherlands)

did you try the direct link? https://apps.apple.com/lv/app/mikrotik- ... 6450679198

Posted: **Tue Aug 01, 2023 8:56 am**

did you try the direct link? https://apps.apple.com/lv/app/mikrotik- ... 6450679198

That did the trick.

Posted: **Tue Aug 01, 2023 10:25 am**

A huge request to you, please make a video on this topic.

Posted: **Tue Aug 01, 2023 1:15 pm**

nice work!

Posted: **Tue Aug 01, 2023 2:18 pm**

You can already make a Wireguard connection to your CHR from the home router, and then make a Wireguard VPN from your phone to the same CHR. This way you can achieve the same result without custom "relay".

I can't open any port on my home router and always I get 10.x.x.x IP segment from my ISP. Anyway I can do that?

Regards.

Posted: **Tue Aug 01, 2023 3:05 pm**

not to your home. FROM your home. that's the idea

Phone ------> [CHR server] <------- Home behind NAT

Posted: **Tue Aug 01, 2023 3:24 pm**

Thanks, but we need xMIPSx devices support :'(

Posted: **Tue Aug 01, 2023 5:26 pm**

not to your home. FROM your home. that's the idea

Phone ------> [CHR server] <------- Home behind NAT

And there are some free service to alocate CHR on cloud that can recommend?

Thanks and regards.

Posted: **Tue Aug 01, 2023 6:52 pm**

not to your home. FROM your home. that's the idea

Phone ------> [CHR server] <------- Home behind NAT
And there are some free service to alocate CHR on cloud that can recommend?

Another workaround for lack of BTH on MIPS... is using VPN (WG or whatever) on IPv6. This depends on the LTE provider with CGNAT, but good chance they support IPv6. No middle CHR need if both sides have IPv6.

Posted: **Tue Aug 01, 2023 8:53 pm**

True, but in my case none of ISP's of my country provides IPv6 address for LTE. Anyway for people that applies this, it can helps. Good point.

Regards.

Posted: **Tue Aug 01, 2023 9:49 pm**

Can you fix the hexagons background image in the Android app? It looks stretched compared to the iOS version.

Posted: **Tue Aug 01, 2023 10:47 pm**

well, if we're going to be picky... on iOS BTH app
- it should start with the username/password scene if there no/0 tunnels setup (e.g. fresh install) - the "add" step is unneeded in most basic use case
- if you have the Mikrotik app with saved passwords, it be nice if the BTH used/access those (or y'all just used the keychain)
- if you click the name of the tunnel, that's what should expend the selector shown at bottom
- ... similarly perhaps a gear icon or something at bottom, so to the tunnel selector tab at bottom isn't always shown (e.g. make UI look more complex if there is only simple "single router home" case).

Posted: **Wed Aug 02, 2023 8:20 am**

I take the silence from MT about "Back to Home" on mips some like this:
* We can get it to work, but we like to phase out the mips series, so it will not be supporter.
* We have problem to get it to work, so we wait to inform about status for mips until we have a good answer to give.
Should not be hard to implement since Wireguard works fine today on mips devices.

Posted: **Fri Aug 04, 2023 9:22 am**

Excellent idea, but... QR code is huge and unreadable...
I have managed to read the QR code only after importing hashes from screen dump to excel, and replacing them with black or white squares..
can you make it smaller to fit the screen or exportable somehow?

Posted: **Fri Aug 04, 2023 10:50 am**

@satman1w, Are you sure you're using the latest version of Winbox(3.39)?

Posted: **Fri Aug 04, 2023 2:12 pm**

Hello everyone,

@Normis, the application is still not available in France on IOS, searching for it gives no results, and using the direct link says « this application is not available in your country ». I don’t think it’s wished.

Regards,

Posted: **Fri Aug 04, 2023 9:58 pm**

Did anybody tried to play with site to site configuration ?

Posted: **Mon Aug 07, 2023 5:55 am**

there was an application called Tailscale.

Posted: **Mon Aug 07, 2023 8:53 am**

Hello everyone,

@Normis, the application is still not available in France on IOS, searching for it gives no results, and using the direct link says « this application is not available in your country ». I don’t think it’s wished.

Regards,

It does find it for me, if you search for MikroTik, but it's below some other results. So use the link
https://apps.apple.com/lv/app/mikrotik- ... 6450679198

Posted: **Mon Aug 07, 2023 9:22 am**

Maybe Apple has additional requirements for France App Store? Between Apple and France... easy to imagine might be some additional paperwork... ;)

Posted: **Mon Aug 07, 2023 9:26 am**

Sorry, update about France. It looks like France is banning encryption apps, so this is why we could not release it there. They require special approval from the government to release app that encrypts data. https://www.ssi.gouv.fr/en/regulation/c ... pplication

Posted: **Mon Aug 07, 2023 10:10 am**

Sorry, update about France. It looks like France is banning encryption apps, so this is why we could not release it there. They require special approval from the government to release app that encrypts data. https://www.ssi.gouv.fr/en/regulation/c ... pplication

Are we kidding?
They are ridiculous.

If they do it for terrorism, imagine if blocking the app in the store prevents criminals from installing it anyway, or evidently using even safer alternative means...

Posted: **Mon Aug 07, 2023 11:05 am**

@Normis, I think you miss interpreted this rule, because It apply to cryptography solution(new systems, new cyphers….), and even more it seems only to apply when you are selling something, I.posting or exporting goods…. Otherwise even selling routers, switches with vpn technology should also require it.

Other example, wireguard, openvpn and so on also have their own apps present in the AppStore… so there I don’t see any valuable reason

IMG_0013.jpeg

Posted: **Mon Aug 07, 2023 11:35 am**

It was request from Apple to submit that paper

Posted: **Mon Aug 07, 2023 11:40 am**

@Normis, so here it’s just a miss understanding from their side…

I will try to use my US account to get it

Posted: **Mon Aug 07, 2023 11:47 am**

I tried to submit appeal. Try again in a moment.

Posted: **Mon Aug 07, 2023 1:02 pm**

@Normis, ok just tell me when to try ;-) But I know that it could take a while to make Apple change their mind.

Anyway thank you for your answer and great work.

Posted: **Mon Aug 07, 2023 2:04 pm**

try now

Posted: **Mon Aug 07, 2023 2:38 pm**

@Normis it is available now… thank you

Posted: **Mon Aug 07, 2023 3:23 pm**

I've been holding my breath waiting for BTH to be available on mmips and I'm about to pass out.

Posted: **Mon Aug 07, 2023 4:38 pm**

I take the silence from MT about "Back to Home" on mips some like this:
* We can get it to work, but we like to phase out the mips series, so it will not be supporter.
* We have problem to get it to work, so we wait to inform about status for mips until we have a good answer to give.

Well, can't blame Apple or French regulations on the MIPS topic...

Posted: **Mon Aug 07, 2023 9:53 pm**

So, why you made great devices like LtAP or LtAP mini with MIPS architecture instead of ARM? There is a plan to launch something like it with ARM architecture?

Posted: **Mon Aug 07, 2023 11:03 pm**

Does it work when admin nazis block all udp ports?
I was trying to connect to home LAN using Wireguard once on public wifi in Bratislava, everything was blocked.
I was able to connect using Wireguard from a plane flying over USA, its a great vpn with fast speeds.

Posted: **Tue Aug 08, 2023 2:51 am**

Does it work when admin nazis block all udp ports?

I don't think so... it's still WG under-the-covers. But ZeroTier should support TCP fallback if a NAT-punching VPN is needed as an alternative when faced with a "ZeroUDP" network .

Posted: **Tue Aug 08, 2023 6:15 am**

i wish if i can do that with laptop

Posted: **Tue Aug 08, 2023 8:05 am**

i wish if i can do that with laptop

You can. Configure it as regular wireguard on PC.

Posted: **Tue Aug 08, 2023 9:04 am**

@satman1w, Are you sure you're using the latest version of Winbox(3.39)?

Now, I do..

:-D

and it looks much better

:-D

Posted: **Tue Aug 08, 2023 9:45 am**

You can. Configure it as regular wireguard on PC.

i was thinking to use the fancy way of back-to-home, but still i can use your CHR server without opening port on my Main Router, which is great

Thanks @antonsb!

Posted: **Tue Aug 08, 2023 9:46 am**

You can. Winbox BTH menu shows the code to copy into your Wireguard app on your PC (also a QR code). It will use the fancy BTH when you do, so it will work behind NAT too, even if you don't use BTH app in your phone.

Posted: **Tue Aug 08, 2023 2:42 pm**

Okay, so what we have here is a way to connect back to the router using any device remotely, via the Mikrotik provided cloud ( third party substitute inbound ).
Assuming this is for access to the config but could be used to access subnets? Will play today.
Assuming this makes it easier than what I have already done EONS ago which is setup a wireguard connection on my iphone to the router directly and then using the wireguard APP to access my router etc......... ( Assuming the new app blends the two into one process ? )

The main difference is the MT Cloud removes anyone from not being able to access their router due to CGNAT, non-public IP, no access to port forward on upstream router!!!

IF so, a BIG THANKS to MT, for making themselves a relay server.
Almost as generous as zerotrust cloudflare tunnel for hosting servers without exposing public IP, coming to all mikrotik devices, from a smarter MT, in a parallel universe. :-)

Posted: **Tue Aug 08, 2023 2:43 pm**

It is the same wireguard, just smarter - because if your home router is on private IP, it still works.
MikroTik relay is only involved in this case. IF you have public IP, it's just a direct wireguard, no relay.

Posted: **Tue Aug 08, 2023 5:55 pm**

IF so, a BIG THANKS to MT, for making themselves a relay server.
Almost as generous as zerotrust cloudflare tunnel for hosting servers without exposing public IP, coming to all mikrotik devices, from a smarter MT, in a parallel universe. :-)

There room for more tabs in IP>Cloud for other future proxies ;) ... just not for poor LtAP and KNOT owners that would really benefit from BTH...

Posted: **Tue Aug 08, 2023 8:29 pm**

Dreaming of an easy solution for our xx.xxx students:

- Back To Home
- Shibboleth login
- Full IPv4 + IPv6 dual stack tunnel after connect

Posted: **Tue Aug 08, 2023 9:00 pm**

MikroTik relay is only involved in this case. IF you have public IP, it's just a direct wireguard, no relay.

I have a valid dynamic IP which is obtained via PPPOE. However, BTH didn't have a direct IPv4 connection.

2023-08-08_02-26-21.jpg

Posted: **Tue Aug 08, 2023 9:27 pm**

Dreaming of an easy solution for our xx.xxx students:

- Back To Home
- Shibboleth login
- Full IPv4 + IPv6 dual stack tunnel after connect

Interesting idea...

Yeah Mikrotik BTH app uses the local router to authenticate someone, which then gets the peer's WG config using some RouterOS API. So not far off. [ Maybe sooner than xMIPSx ]

Getting WG creds — without some manual key exchange process — is something BTH app does that's seems really helpful if you wanted to use WG at scale. It may not be fully appeciated here that BTH app does not need QR code, or providing someone keys. Only the standard WG app need(/likes) the QR. Instead, the BTH app essential turns a RouterOS username/password into a configured WG peer (*if port allowed to Mikrotik & user creds valid). e.g. none of the problems with how to get WG peer's key to someone...

The issue I suspect is BTH require at least "write" policy on the router (e.g. "BTH" is NOT a policy AFAIK). I'd imagine BTH authentication goes though RADIUS since BTH seemingly uses winbox login (but dunno, didn't test). But some policy to allow control BTH peer creation via RADIUS get you pretty close to SAML/SibbolethSSO since WG supports IPv6 already. Ideal being the BTH app could be used by your student's to create the WG to your network... indirectly, using BTH auth->RouterOS->RADIUS->SAML = WG-peer on phone.

Posted: **Wed Aug 09, 2023 7:51 am**

MikroTik relay is only involved in this case. IF you have public IP, it's just a direct wireguard, no relay.
I have a valid dynamic IP which is obtained via PPPOE. However, BTH didn't have a direct IPv4 connection.
2023-08-08_02-26-21.jpg

Apparently it was not possible to connect to it, maybe ISP blocking something

Posted: **Wed Aug 09, 2023 2:53 pm**

I have a valid dynamic IP which is obtained via PPPOE. However, BTH didn't have a direct IPv4 connection.
2023-08-08_02-26-21.jpg
Apparently it was not possible to connect to it, maybe ISP blocking something

Well, I use the main WG tunnel daily. Does the BTH check the tunnel connectivity from your server? Because Wireguard to/from outside my region is blocked.

Posted: **Tue Aug 15, 2023 3:53 pm**

"Available from 7.11 (currently in RC)"

Mikrotik RB4011iGS+5HacQ2HnD-IN stable ROS 7.11 he didn't get an option Back to Home VPN.

??

Posted: **Tue Aug 15, 2023 3:57 pm**

"Available from 7.11 (currently in RC)"

Mikrotik RB4011iGS+5HacQ2HnD-IN stable ROS 7.11 he didn't get an option Back to Home VPN.

??

They had a change of heart!
viewtopic.php?t=198228#p1018758

Posted: **Tue Aug 15, 2023 4:34 pm**

"Available from 7.11 (currently in RC)" ....
They had a change of heart!
viewtopic.php?t=198228#p1018758

I think if you had the configuration from the 7.11rc...and upgrade to 7.11stable, it keeps the configuration at least. Or at least that's what I see.
So I don't think it breaks for previous beta users — since it really just create the config needed for WG, the peers remain after upgrade.
Now since UI is not stable build, you cannot enable it, or setup a new BTH peers – until 7.12beta comes out (if my reading MT's post right).

Posted: **Tue Aug 15, 2023 4:39 pm**

I moved straight to 7.12alpha...
Sorry if I gave bad info.

Posted: **Fri Aug 18, 2023 10:05 am**

Pretty cool.

I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses

Posted: **Fri Aug 18, 2023 10:14 am**

Will this solution allow VPN via 443 only and to accept custom Root CA?
That would allow to reach the router out of cooperate networks.

Thx

Posted: **Fri Aug 18, 2023 10:20 am**

Pretty cool.

I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses

Maybe something like hAP ac2, it has USB, arm CPU, 5×1Gig eth ports, wifi but you can disable that if you don't need it. Or maybe new L009 ?

Posted: **Fri Aug 18, 2023 11:06 am**

Pretty cool.

I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses
Maybe something like hAP ac2, it has USB, arm CPU, 5×1Gig eth ports, wifi but you can disable that if you don't need it. Or maybe new L009 ?

Yes it's close. It's just the USB feels fragile and temporary. Although, I haven't really been using the SD. It's just that I think I should, and might use it, for capsman firmware updates.
Also, using a wireless router for the non-wireless role just looks confusing. Like, someone might think "is this thing working?" or something.
The rb750gr3 has been my go-to mini main-router & capsman controller.

Posted: **Fri Aug 18, 2023 12:24 pm**

You can disable WiFi, or you can use L009 version without wifi

Posted: **Tue Aug 22, 2023 8:14 am**

Hi, new feature is really awesome. App for android and iPhone/iPad/MacBook already tested and they are great.
Will be there also app for windows ?

Posted: **Tue Aug 22, 2023 9:13 am**

For windows you can use Wireguard app https://www.wireguard.com/install/
You will need to copy the config from your router, that is provided in menu "IP > Cloud > BTH wireguard"

Posted: **Fri Aug 25, 2023 2:36 am**

What does "use local address" mean?

Posted: **Fri Aug 25, 2023 12:33 pm**

use-local-address is not for Back to Home. It is for Cloud DNS.

Posted: **Fri Aug 25, 2023 5:44 pm**

use-local-address is not for Back to Home. It is for Cloud DNS.

So what will happen if I enable use-local-address ? The Cloud DNS will be set to my local public ipv4 address?

Posted: **Fri Aug 25, 2023 6:11 pm**

use-local-address is not for Back to Home. It is for Cloud DNS.
So what will happen if I enable use-local-address ? The Cloud DNS will be set to my local public ipv4 address?

it appears to be that way:
https://help.mikrotik.com/docs/display/ ... d-Advanced

Posted: **Wed Aug 30, 2023 10:25 pm**

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data

any chance that connection to the relay server goes via port 443?
So that I can use BTH from within restricted networks.

Posted: **Thu Aug 31, 2023 3:34 pm**

So what will happen if I enable use-local-address ? The Cloud DNS will be set to my local public ipv4 address?
it appears to be that way:
https://help.mikrotik.com/docs/display/ ... d-Advanced

yes, but it does not matter for BTH. That is for Cloud DNS feature, unrelated to this topic. BTH does not care if you have public or private IP.

Posted: **Fri Sep 01, 2023 1:55 am**

it appears to be that way:
https://help.mikrotik.com/docs/display/ ... d-Advanced
yes, but it does not matter for BTH. That is for Cloud DNS feature, unrelated to this topic. BTH does not care if you have public or private IP.

thanks for the clarification

Posted: **Mon Sep 04, 2023 8:38 pm**

I'd like to know what will be the consumption of ВТН traffic in idle mode?
(device behind a NAT; а metered Internet connection; per day;)
Is there a possibility of optimization?

Posted: **Wed Sep 06, 2023 9:40 pm**

Hi, I have a problem with the correct connection between Wireguard BTH and AdGuard Home, namely - AdGuard Home placed on the container, VETH interface in the main bridge, AdGuard address set as DNS in the DHCP server, Wireguard works properly as it should, I have access via a connection VPN with internal network, etc. - generally works, with one exception - in the Wireguard Client on Android, DNS set as the AdGuard address, it also works, but in the AdGuard admin panel in the logs this connection is shown at the Router's gateway address, not as the address assigned in Wireguard - the question is what to do that it works with Wireguard address in AdGuard admin panel? Thank you in advance for your help.

Posted: **Wed Sep 06, 2023 10:06 pm**

[...] AdGuard Home placed on the container, VETH interface in the main bridge, AdGuard address set as DNS in the DHCP server, Wireguard works properly as it should [...] AdGuard admin panel in the logs this connection is shown at the Router's gateway address, not as the address assigned in Wireguard - the question is what to do that it works with Wireguard address in AdGuard admin panel? [...]

I suppose you can create a /ip/firewall/nat action=src-nat rule so the VETH's IP be masqueraded to router's WG address, when going out wireguard. Issue is the LAN subnet (including VETH) is likely already allowed addresses, so VETH is just another bridge member, so it use the router's IP and thus using normal WAN NAT rule.

Posted: **Wed Sep 06, 2023 10:48 pm**

[...] AdGuard Home placed on the container, VETH interface in the main bridge, AdGuard address set as DNS in the DHCP server, Wireguard works properly as it should [...] AdGuard admin panel in the logs this connection is shown at the Router's gateway address, not as the address assigned in Wireguard - the question is what to do that it works with Wireguard address in AdGuard admin panel? [...]
I suppose you can create a /ip/firewall/nat action=src-nat rule so the VETH's IP be masqueraded to router's WG address, when going out wireguard. Issue is the LAN subnet (including VETH) is likely already allowed addresses, so VETH is just another bridge member, so it use the router's IP and thus using normal WAN NAT rule.

But I used Zerotier and in this case in AdGuard admin panel I saw ip address from Zerotier.

Posted: **Wed Sep 06, 2023 11:06 pm**

What does "use local address" mean?

If your router is behind another router, enabling this checkbox will update the ddns entry with its local address (e.g. 192.168.1.x).

Posted: **Wed Sep 06, 2023 11:26 pm**

[...] Issue is the LAN subnet (including VETH) is likely already allowed addresses, so VETH is just another bridge member, so it use the router's IP and thus using normal WAN NAT rule.
But I used Zerotier and in this case in AdGuard admin panel I saw ip address from Zerotier.

It was just one suggestion. BTH I believe NAT's everything via dynamically added NAT masquerade rule and that's what you're running into. Hard to visualize without config... but maybe better to use an accept rule for the dst-address of your AdGuard container, and place before the BTH NAT rule.

In other words — It the the default BTH NAT rule's behavior you need work-around since you can't disable BTH's NAT rule that's added automatically by RouterOS.

If ZeroTier is working, one less thing to worry about— it's just different than BTH. ;)

Posted: **Thu Sep 07, 2023 5:57 pm**

But I used Zerotier and in this case in AdGuard admin panel I saw ip address from Zerotier.

It was just one suggestion. BTH I believe NAT's everything via dynamically added NAT masquerade rule and that's what you're running into. Hard to visualize without config... but maybe better to use an accept rule for the dst-address of your AdGuard container, and place before the BTH NAT rule.

In other words — It the the default BTH NAT rule's behavior you need work-around since you can't disable BTH's NAT rule that's added automatically by RouterOS.

If ZeroTier is working, one less thing to worry about— it's just different than BTH. ;)

I'm rather beginer with Mikrotik, so can You write me, how should look NAT rule, which I need to place before this dynamic BTH NAT rule?

Posted: **Thu Sep 07, 2023 7:40 pm**

In other words — It's the the default BTH NAT rule's behavior you need work-around since you can't disable BTH's NAT rule that's added automatically by RouterOS.
I'm rather beginer with Mikrotik, so can You write me, how should look NAT rule, which I need to place before this dynamic BTH NAT rule?

Hard to do this blind without config. And there may be other solutions and/or other firewall may effect solution... but something like this:

/ip/firewall/nat add action=accept protocol=udp port=53 src-address=192.168.216.2 place-before=0 chain=src-nat
/ip/firewall/nat add action=accept protocol=tcp port=53 src-address=192.168.216.2 place-before=0 chain=src-nat

The action=accept say to not NAT traffic from WG BTH peer's IP to UDP or TCP to the DNS port 53, since the BTH NAT rule (e.g. with the "D" in left most column) is first by default, these need to be before that rule, which is what the place-before=0 does. You can do same in winbox creating IP > Firewall > NAT, setting protocol, port, etc. and dragging the new rules to the first in the list.

What I don't know myself is how aggressive BTH's dynamic NAT rule is... e.g. will BTH NAT rule will move itself first in list via some reboot/background process/config changes.

Posted: **Thu Sep 07, 2023 10:00 pm**

I'm rather beginer with Mikrotik, so can You write me, how should look NAT rule, which I need to place before this dynamic BTH NAT rule?
Hard to do this blind without config. And there may be other solutions and/or other firewall may effect solution... but something like this:
Code: Select all
/ip/firewall/nat add action=accept protocol=udp port=53 src-address=192.168.216.2 place-before=0 chain=src-nat
/ip/firewall/nat add action=accept protocol=tcp port=53 src-address=192.168.216.2 place-before=0 chain=src-nat
The action=accept say to not NAT traffic from WG BTH peer's IP to UDP or TCP to the DNS port 53, since the BTH NAT rule (e.g. with the "D" in left most column) is first by default, these need to be before that rule, which is what the place-before=0 does. You can do same in winbox creating IP > Firewall > NAT, setting protocol, port, etc. and dragging the new rules to the first in the list.

What I don't know myself is how aggressive BTH's dynamic NAT rule is... e.g. will BTH NAT rule will move itself first in list via some reboot/background process/config changes.

Thank You very much for help - it works! 👍🙂

Posted: **Fri Sep 08, 2023 9:51 am**

i'm using the iPhobe BTH app.
Yesterday I encounterd the app was not able to connect anymore. Reason unknown sofar.

But when I added a new tunnel to the same router everything worked again but........
I then wanted to remove the old tunnel from the app. I could not find a delete option so I had to remove the app and reinstall it again after which I again had to add a new tunnel.

Two questions:

It would be nice to have an delete option for tunnels in the app and
A number somewhere in the configuration to see which router BTH config belongs to which tunnel in the app so it's easy to remove the old router BTH config's

Posted: **Fri Sep 08, 2023 11:20 am**

The BTH config name matches the system VPN tunnel name already.
We plan to add "delete tunnel" feature in the app.

If you see such a situation that tunnel is not working, make a supout.rif file and email us, maybe support can see what happened.

Posted: **Fri Sep 08, 2023 1:58 pm**

The BTH config name matches the system VPN tunnel name already.
We plan to add "delete tunnel" feature in the app.

If you see such a situation that tunnel is not working, make a supout.rif file and email us, maybe support can see what happened.

For the new tunnel I configured the same tunnel name so .....

And I'm still running ROS 7.11 beta7 and the iPhone app was updated een week ago or so. My thought was that it could have impact. So I did not open a ticket. Next time I will not think to much myself and leave it to you :)

Posted: **Sat Sep 16, 2023 7:52 am**

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data
any chance that connection to the relay server goes via port 443?
So that I can use BTH from within restricted networks.

Get into the same issue at least twice and was not able to use VPN. Is there a way to set 443 port?

Posted: **Mon Sep 18, 2023 8:28 am**

In your country is there like a whole range of blocked ports, or how does that work?

Posted: **Mon Sep 18, 2023 3:52 pm**

In your country is there like a whole range of blocked ports, or how does that work?

The last time it happened when I was at Nova Poshta office in Ukraine and tried to connect to my home router to make a call to local Nova Poshta office. I didn't check ports, but my voice app didn't work and probably because of the blocked ports, this is why I've tried to use BTH. By the end I've switched to Skype Out.

I had similar issue in the Romanian Airport.

Posted: **Sun Sep 24, 2023 9:17 pm**

Dear all concern,
Unexpected behavior of BTH. Sometimes BTH on the Windows wireguard client is connected and works smoothly. After some time it's not connected and I have tried many times to disable and enable BTH in IP Cloud. but no result still not connecting.
it is not a permanent solution.
I tried many times on many sites on different ISPs but still have the same problem.
I thought the Mikrotik BTH relay server was down???? or maybe there bug in the ROS

Posted: **Sun Sep 24, 2023 9:24 pm**

Tested right now, relay is working without a problem. Maybe problem is on windows machine ?

Did you try to connect with mobile app ?

Posted: **Sun Sep 24, 2023 10:01 pm**

Working fine for me as well.

miankamran7100 - could it be a problem with your laptop's WiFi?
Intel released a new Windows driver these days which finally resolves those random disconnect issues (22.250.1).
Mentioned here: https://www.neowin.net/news/intel-relea ... ss-issues/
and here: https://downloadmirror.intel.com/788770 ... .250.1.pdf

Posted: **Sun Sep 24, 2023 10:48 pm**

Tested right now, relay is working without a problem. Maybe problem is on windows machine ?

Did you try to connect with mobile app ?

I have tried to reconnect now it's working.
I don't know why it's happening.

Posted: **Mon Sep 25, 2023 6:49 am**

is ther any issue with Back_To_home?

i'm no longer able to ping = 78.28.208.100

Posted: **Mon Sep 25, 2023 7:07 am**

actually , my issues is when i'm using LTE im not able to establish back to home

Posted: **Mon Sep 25, 2023 8:15 am**

Back to home works like it should, at least for me, just test it, I'm connecting to my home router via app, speeds and ping as usual. Also can't ping 78.28.208.100

Posted: **Mon Sep 25, 2023 9:10 am**

Correction: Apparently now you need to run 7.12. I just tested with my RB5009 on 7.11.2 and it complains that the device isn't compatible. :(

Posted: **Mon Sep 25, 2023 9:15 am**

Just update to latest beta, it's stable.

Posted: **Mon Sep 25, 2023 9:32 am**

yeah it does work, but transferring from one to another it takes too long.

That is my job to find out why

Posted: **Mon Sep 25, 2023 5:40 pm**

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?

Posted: **Mon Sep 25, 2023 5:42 pm**

I think that is a phone OS limitation. If I remember correctly, you can't use any VPN through mobile hotspot. Each connected device needs to connect on their own.

Posted: **Mon Sep 25, 2023 7:05 pm**

Apparently there's a workaround, by using a proxy, I've seen that something like superpoxy or everyproxy which do not require Android root permissions, can be used to share a VPN connection. I suppose then it would be possible to integrate such functionality within a VPN app.

Posted: **Mon Sep 25, 2023 11:05 pm**

Just update to latest beta, it's stable.

Oh, I'm sure that'll work, but the starting post in this thread mentions ROS 7.11 as a requirement, and that is no longer accurate.

Posted: **Mon Sep 25, 2023 11:30 pm**

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?

I think there is a double-NAT going on when you use a mobile hotspot... That might be solvable.
- You might able to set the Mikrotik as the "DMZ host" if your hotspot has admin page/screen.
- The other way, perhaps, is involving https://help.mikrotik.com/docs/display/ ... pendentNAT but you need to look at the traffic flows to know if that work/help.

Posted: **Tue Sep 26, 2023 8:00 am**

Oh, I'm sure that'll work, but the starting post in this thread mentions ROS 7.11 as a requirement, and that is no longer accurate.

That should be changed now because Mikrotik stated that BTH won't be available in ROS 7.11 but can be used from 7.12beta and up.

Posted: **Tue Sep 26, 2023 12:11 pm**

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?
I think there is a double-NAT going on when you use a mobile hotspot... That might be solvable.
- You might able to set the Mikrotik as the "DMZ host" if your hotspot has admin page/screen.
- The other way, perhaps, is involving https://help.mikrotik.com/docs/display/ ... pendentNAT but you need to look at the traffic flows to know if that work/help.

I'm a bit confused by your answer, I think you might be talking about a different kind of hotspot?
What I'm talking about is the 'Mobile Hotspot' functionality in Android. It's for sharing your phones mobile data with other devices as a wifi network. The issue with this is, that if you enable a VPN on your phone, the traffic originating from the phone is routed through the VPN, but (relevant to my 'Feature request') the phone does not route traffic from the other tethered devices connected to the phone's 'Mobile Hotspot' over the VPN tunnel, it goes directly out to the internet. Since this is the case, clearly your second suggestion does not apply, since the tethered traffic would never hit the Mikrotik device. I'm guessing your first suggestion also isn't talking about the Android 'Mobile Hotspot' feature
But seeing as there are workarounds to this using proxies like superproxy or everyproxy I wonder if this functionality could be included within the VPN app, so no additional workaround is needed.

Posted: **Tue Sep 26, 2023 12:13 pm**

Can you name a commercial VPN solution that has such functionality? We can't make a solution based on workarounds, especially if it's not supported in all OS.

Posted: **Tue Sep 26, 2023 12:34 pm**

No, I'm not aware of any (I haven't looked for such). But I would be interested to have my computer appear to be at home while using my phones mobile data without having to do additional setup on the computer itself. I suppose this kind of functionality would have to be an optional feature, as at least the mentioned proxies are protocol specific (e.g. http/https) and not general purpose for all traffic?

Posted: **Tue Sep 26, 2023 12:39 pm**

If I'm not mistaken this

But seeing as there are workarounds to this using proxies like superproxy or everyproxy I wonder if this functionality could be included within the VPN app, so no additional workaround is needed.

could solve this

any chance that connection to the relay server goes via port 443?
So that I can use BTH from within restricted networks.
Get into the same issue at least twice and was not able to use VPN. Is there a way to set 443 port?

?

Can you name a commercial VPN solution that has such functionality? We can't make a solution based on workarounds, especially if it's not supported in all OS.

would rather have a unique selling point instead of copying another provider.
Don't you think that is worth providing such a feature?

Posted: **Tue Sep 26, 2023 12:57 pm**

If you have these requirements you should think about using a Mikrotik device with LTE modem. You can set up routing to your needs there.

Posted: **Tue Sep 26, 2023 5:40 pm**

Re "mobile hotspot" — my bad, iPhone user here — I though you mean an external device, not the "tethering" with Android. But it's a double-NAT and the CGNAT may not be able to map the needed BTH port.

Can you name a commercial VPN solution that has such functionality? We can't make a solution based on workarounds, especially if it's not supported in all OS.

If you consider WebRTC's DataChannels/SCTP as a VPN, they use ICE (plus STUN/TURN) "things" to help with figure out NAT situation to transport data through NAT/firewall.

But BTH could do the ICE/STUN/TURN standard dance (outside of WebRTC/SIP) on /ip/cloud's backend, to augment port selection for BTH/WG. That be useful even without BTH to do "NAT type detection" inside RouterOS.

Posted: **Mon Oct 02, 2023 7:35 am**

qr code doesn't work any more.
was working fine before upgrading

Posted: **Wed Oct 04, 2023 4:46 pm**

BTH doesn't support mips cpu.
At most of our premises we have hEX as the main router - which is not supported yet.
Is is a good idea to use hAP ax lite instead of hEX? Does it have the same throughput?

Posted: **Wed Oct 04, 2023 5:39 pm**

Don't make a mistake about the name 'lite'.
AX Lite is performance wise not that much worse then Hex.

Posted: **Wed Oct 04, 2023 8:04 pm**

Thanks for reply.
So, not that worse means worse? - I didn't find any info regarding this.
If worse, in which parameter worse?
My use case is simple wired router / firewall / Wireguard VPN.
If hAP ax lite is not worse for that use case I'll buy that instead of hEX in the future - hence cheaper and BTH compatible.
(WIFI will be switched off)

Posted: **Wed Oct 04, 2023 8:13 pm**

Check test results of both devices but keep in mind results from Hex are ROS6 based, AX Lite are ROS7 based.

I did some rudimentary testing with AX Lite using 3 VPN protocols: wireguard, zerotier and ipsec.
See here:
viewtopic.php?t=193126

Posted: **Wed Oct 04, 2023 9:07 pm**

I didn't find any hEX results in that thread

Posted: **Wed Oct 04, 2023 9:13 pm**

Logical.
I didn't say I tested that one (I do have it, was my very first MT device).
Do your own testing

I was also referring to test results on product pages for both devices.

Posted: **Wed Oct 04, 2023 9:56 pm**

https://1drv.ms/i/s!Aukw5KCzXdEthpw4MTL ... Q?e=L6hcwG
Rother mixed picture, dependency from pocket size.
What do you think?

Additional thoughts:
As I just noticed, hAP AC2 is not much more expensive and outperforms both hEX and hAP AX Lite.
I just don't like it because it's warming issue.
However with wireless off hopefully no warming issue exists.

Posted: **Mon Oct 09, 2023 11:38 pm**

not able to SCAN wireguard QR Codes on mobile phones?
How to Scan QR Code.
It is not shown fully in Mikrotik Windows.
It shows half.

Help...

Posted: **Tue Oct 10, 2023 1:15 am**

photo_2023-10-10_01-15-11.jpg

AX3 is ARM64!! (7.12rc1)

and for AC3 too!!

Screenshot_5.png

Posted: **Tue Oct 10, 2023 5:39 am**

BTH is only available in beta versions of ROS for now. You need to install beta version of ROS if you want to use BTH.

Posted: **Tue Oct 10, 2023 10:39 am**

I tried it with a hAP AC2, upgrading from 7.11.2 and got a boot-loop. Slow: boot, crash, reboot. Fortunately I was able to downgrade (fast SSH through several boot-crash-reboot cycles) and regained control. So I will wait for a while to install 7.12

Posted: **Tue Oct 10, 2023 12:14 pm**

BTH is only available in beta versions of ROS for now. You need to install beta version of ROS if you want to use BTH.

It was in RC1 changelog.

==================================

Where I can find beta with BTH with changes in RC1?

Posted: **Tue Oct 10, 2023 12:38 pm**

As @holvoetn said:

Use URL for rc package and modify as needed.

It worked for me just fine.

Posted: **Tue Oct 10, 2023 2:06 pm**

new BTH will come in 7.13beta1

Posted: **Tue Oct 10, 2023 2:09 pm**

@NetHorror Until then:

https://download.mikrotik.com/routeros/ ... -arm64.npk
https://download.mikrotik.com/routeros/ ... 2beta9.zip

Posted: **Tue Oct 10, 2023 2:26 pm**

new BTH will come in 7.13beta1

What is the difference?

Posted: **Tue Oct 10, 2023 2:41 pm**

You will see when it comes out

Posted: **Wed Oct 11, 2023 8:10 pm**

While in Beta, we have a relay in the MikroTik data center in Latvia. Depending on demand, we will expand to other regions and will lauch relays in other countries. If somebody here works in a well connected data center with high speed connectivity, you are welcome to drop us an email :D

Hello, greetings, my name is Hector Prado, I live in the United States. What do you need to participate in this project?
my email is hlp937@gmail.com

Posted: **Wed Oct 11, 2023 8:27 pm**

Just download 7.12beta to an Arm router.

Posted: **Wed Oct 11, 2023 8:38 pm**

I think that mr.Hector here is talking about what is needed for another relay station for BTH.

I think that best option is to contact Mikrotik support directly.

Posted: **Sun Oct 15, 2023 6:33 pm**

don`t working on my hap ac3 with 7.12rc1

Posted: **Sun Oct 15, 2023 7:38 pm**

Normal.
Wait for 7.13 beta or use 7.12 beta 9.

Feature has been disabled in rc and stable.

Posted: **Sun Oct 15, 2023 9:01 pm**

Screenshot_5.png

ROS 7.12beta9 + WinBox 3.40

Posted: **Mon Oct 16, 2023 1:05 pm**

It looks like many need to read the thread before post.
1. Back to Home are moved to v7.13 but can be found in 7.12beta releases.
2. QR code will be fixed

Posted: **Mon Oct 16, 2023 1:39 pm**

Would this BTH work from my cap ax setup in caps mode. Thought process off-load to the cap. I do intend to buy a 5009 but that wont be till I get better speed from an ISP some time next year. Modem>>hAP ax2>>cAP ax<<BTH setup

Posted: **Mon Oct 16, 2023 1:57 pm**

If the correct version is on that device, it should work.
But why not on AX2 ?

Posted: **Mon Oct 16, 2023 2:09 pm**

you can run it on any of the devices in your network, but I personally would put it on the hAP ax2, yes

Posted: **Mon Oct 16, 2023 2:17 pm**

@holvoetn's question is a good one.

But why not on AX2 ?

While BTH should work* on a cAP downstream of ISP, it will be proxied via Latvia. Assuming the hAPax2 has a public IP, if BTH runs there it will NOT be proxied, and direct connection from remote BTH/WG client will be used. Proxying is slower and avoidable if BTH does run on a device with public IP. In theory, you can forward the BTH port from hAPax2 to the cAP which avoid the proxy. But all easier if BTH was on the edge AX2 router.

* in a beta release

Posted: **Mon Oct 16, 2023 4:52 pm**

Thanks for the Input all, I'll keep it on the AX2 as that makes it better from a proxy stand point alone.
I was just wanting to off-load whatever I could to save on the AX2 resources, but as recommended that isn't the best option.

Posted: **Mon Oct 23, 2023 5:46 pm**

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?

Anyway, irrespective of this comment, I want to say a big thanks to Mikrotik as the feature in any case solves an issue for me. I have a router behind CGNAT at one of my places which I want to access remotely and was planning to solve it with a free setup of a container with Cloudflare Quick tunnel + custom container that would update the randomly generated tunnelname to a git repo I have access to for cases I wanted to access the network.

Nice work, thanks! 😃

Posted: **Wed Nov 08, 2023 6:35 pm**

It's a great feature, but there is one issue. When I connect to the VPN on my iPhone running iOS 17.1, I'm unable to access the router via SSH. I've been using iPhone shortcuts to enable or disable firewall rules, and it works perfectly through the web or the MikroTik app.

I have granted permission for the network 192.168.261.0/24 to access SSH through the firewall and in the services configuration.

Has anyone else encountered this issue and managed to find a solution?

Thanks

Posted: **Thu Nov 09, 2023 4:14 pm**

It's a great feature, but there is one issue. When I connect to the VPN on my iPhone running iOS 17.1, I'm unable to access the router via SSH. I've been using iPhone shortcuts to enable or disable firewall rules, and it works perfectly through the web or the MikroTik app.

I have granted permission for the network 192.168.261.0/24 to access SSH through the firewall and in the services configuration.

Has anyone else encountered this issue and managed to find a solution?

Thanks

Solve it, forgot to add the network to user!

Posted: **Fri Nov 10, 2023 5:13 pm**

Any chance that in the app you can insert an option to manually disable relay server? My case is that I have local address on mikrotik but all traffic is redirected from modem. No, I can not setup modem in bridge mode. So for me any connection goes to my public ip will arrive on mikrotik. I think I am not the only one in this situation so for many this feature will be usefull

Posted: **Sun Nov 12, 2023 9:57 am**

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data
3) It secures your router with firewall, it does not open up full access to your router in any way
4) It is not a feature for anonymity, it is a home user feature for maximum ease of use.
5) If you wish, after you have enabled it with our BTH app, you can also connect using Wireguard on your computer. You can use the QR code in Winbox IP CLOUD menu to get the needed config to your computer

Hello, have you thought about integrating User Manager as a WireGuard administrator?

Greetings from CUBA.

Posted: **Sun Nov 12, 2023 6:42 pm**

@normis, Do you plan to make BTH available for MT7621A?
Thanks

Posted: **Sun Nov 12, 2023 7:10 pm**

BTH is good, but the problem is in the ddns of IP cloud.

The ddns detects the IP and IPv6 address automatically, but in my scenario, since use WireGuard VPN to access any site out of China, the ddns will get the address of my VPS, not my real one, so BTH forward will fail.

So you’d better add an option to make ddns use the address of local interface , for instance the pppoe-out1 , ranther than remote auto detect.

Posted: **Mon Nov 27, 2023 6:13 pm**

I have a Hap ac^2 and a Hap ax^2. For both devices the IOS BTH app and Wireguard app works great.

But BTH doesn't work with a windows client for the hAP ac^2. Same config for hAP ax^2 works. I tried it on different windows devices and different clients. I can connect to the Hap ac^2 with winbox, but all menu items are empty. With ios app i see all the data.

What can be the problem?

I created the BTH function on the mikrotik devices with the BTH mikrotik app.

Posted: **Tue Nov 28, 2023 12:28 am**

it does perfectly fine, i've added everything manually.
show us here how u do

Posted: **Tue Nov 28, 2023 11:16 am**

I added the config with the BTH app, it created the right config. And as i say it works with ios, but not with the windows client. Only problems with 1 Mikrotik router, the others works great

My VPN Wireguard client config:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.216.2/32,fc00:0:0:216::2/128
DNS = 8.8.8.8

[Peer]
PublicKey = //////////////////////////////////////////8=
AllowedIPs = 0.0.0.0/32
Endpoint = hcf07r99zar.sn.mynetname.net:12657
PersistentKeepalive = 15

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = hcf07r99zar.vpn.mynetname.net:12657
PersistentKeepalive = 15

Backup config:

# 2023-11-28 10:08:18 by RouterOS 7.12.1
# software id = 93RL-JAG9
#
# model = RBD52G-5HacD2HnD
# serial number = HCF07R99ZAR
/interface bridge
add admin-mac=DC:2C:6E:F5:66:60 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=wan name="ether1 wan"
set [ find default-name=ether2 ] comment=lan
/interface wireguard
add comment=back-to-home-vpn listen-port=12657 mtu=1420 name=back-to-home-vpn
/interface wireless manual-tx-power-table
set wlan2 comment=wifi
/interface wireless nstreme
set wlan2 comment=wifi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=\
"profile gast" supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/interface bridge filter
add action=drop chain=forward in-interface="wlan5 gast"
add action=drop chain=forward out-interface="wlan5 gast"
add action=drop chain=forward in-interface="wlan2 gast"
add action=drop chain=forward out-interface="wlan2 gast"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment=defconf interface=wlan5
add bridge=bridge interface="wlan5 gast"
add bridge=bridge interface="wlan2 gast"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 wan" list=WAN
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
192.168.8.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface="ether1 wan"
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf dns-server=192.168.8.1 gateway=\
192.168.8.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="accept router management from VPN" \
dst-address=192.168.8.1 dst-port=80,8291 in-interface-list=VPN protocol=\
tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="accept from VPN" dst-address=\
192.168.8.2 dst-port=80 in-interface-list=VPN protocol=tcp
add action=drop chain=forward comment="drop all from VPN" in-interface-list=\
VPN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=\
"ovpn client" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="xxxxxxxx"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Posted: **Wed Nov 29, 2023 5:45 pm**

We have released new Back To Home apps for both iPhone and Android. Some exciting new features have been added - sharing of tunnels. Normally you only could use one device to connect to the router (as seen above, using multiple devices causes problems).

Now you can invite others to use your router, by sending them time limited invites to your VPN. Share using a link, using a QR code, or even the Wireguard config file for using in your PC.

Try it out and let us know, how to improve the flow and user experience of the app!
Make sure you upgrade to at least RouterOS 7.12 and install the newest phone app relesed today

Posted: **Wed Nov 29, 2023 6:07 pm**

how to remove existing BTH functionality and start from the beginning with the new app?

Posted: **Thu Nov 30, 2023 9:28 am**

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of Audience is necessary every day for it to work. Audience is connected to the internet but without reboot BTH from Iphone app no longer connects.
I don't understand what's blocking it. Disable/ Enable of the WireGuard interface is not sufficient.DNS cache ? Do you have any ideas ?

Posted: **Thu Nov 30, 2023 9:55 am**

how to remove existing BTH functionality and start from the beginning with the new app?

IP -> Cloud -> BTH -> Revoke and Disable

Posted: **Thu Nov 30, 2023 9:55 am**

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of Audience is necessary every day for it to work. Audience is connected to the internet but without reboot BTH from Iphone app no longer connects.
I don't understand what's blocking it. Disable/ Enable of the WireGuard interface is not sufficient.DNS cache ? Do you have any ideas ?

How do you mean "no longer connects". Is there an error somewhere? In the BTH app?

Posted: **Thu Nov 30, 2023 10:01 am**

how to remove existing BTH functionality and start from the beginning with the new app?
IP -> Cloud -> BTH -> Revoke and Disable

And how to remove existing connections from the app?

Posted: **Thu Nov 30, 2023 10:02 am**

in the phone settings go to VPN configuation and delete there

Posted: **Thu Nov 30, 2023 10:05 am**

in the phone settings go to VPN configuation and delete there

Thanx

Posted: **Thu Nov 30, 2023 10:05 am**

in the phone settings go to VPN configuation and delete there

Thanx

Posted: **Thu Nov 30, 2023 12:43 pm**

how to remove existing BTH functionality and start from the beginning with the new app?
IP -> Cloud -> BTH -> Revoke and Disable

Ok, nothing changed in the firmware for BTH. So revoke and disable and after that enabled doesn't change anything for my problem?

Posted: **Thu Nov 30, 2023 12:48 pm**

Like I said above, you can't use multiple devices with the same settings. You must use the new Share feature in the phone app, to make a separate tunnel for each new device.

Posted: **Thu Nov 30, 2023 2:29 pm**

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of Audience is necessary every day for it to work. Audience is connected to the internet but without reboot BTH from Iphone app no longer connects.
I don't understand what's blocking it. Disable/ Enable of the WireGuard interface is not sufficient.DNS cache ? Do you have any ideas ?
How do you mean "no longer connects". Is there an error somewhere? In the BTH app?

The application remains in the connecting state. Seen from the iPhone VPN menus, a tunnel exists but it does not work. After rebooting the router, the application switches to connected and the traffic passes through the tunnel. Do you kill unused tunnels at night?

Posted: **Thu Nov 30, 2023 2:49 pm**

please make a supout.rif file in the router at the time, when the tunnel is not working. and if you can - one more file, when it starts to work after reboot. send both files to support@mikrotik.com, it could be an issue with RouterOS

Posted: **Thu Nov 30, 2023 3:04 pm**

please make a supout.rif file in the router at the time, when the tunnel is not working. and if you can - one more file, when it starts to work after reboot. send both files to support@mikrotik.com, it could be an issue with RouterOS

Thanks ! I will do that

Posted: **Thu Nov 30, 2023 3:32 pm**

Like I said above, you can't use multiple devices with the same settings. You must use the new Share feature in the phone app, to make a separate tunnel for each new device.

i don't use multiple devices at the same time.

and using a seperate tunnel with the sharing option doesn't change it.

and why al other mikrotiks i have works great and why this one not?

Posted: **Thu Nov 30, 2023 3:40 pm**

In that case I don't understand what is not working. Please send an email to mikrotik support and include a supout,rif file and error message from the windows computer

Posted: **Fri Dec 01, 2023 10:41 am**

Hello Normis! Please tell me when do you plan to release app update to android google playstore?

I see it's already available for iOS.

Posted: **Fri Dec 01, 2023 10:55 am**

The same changes and sharing is already in Android app. It was simply released before iPhone

Posted: **Fri Dec 01, 2023 8:29 pm**

Oh, I didn't see it.

It's here but the app has some bugs with the layout on the settings screen. I've just sent a bug report.

Thank you.

Posted: **Sat Dec 02, 2023 11:22 am**

@normis, I have just installed the BTH app on andorid and tried to connect to my device but it shows:
VPN Connection failed.

Do I open a ticket for that? I am using latest 7.12.1.

Posted: **Sat Dec 02, 2023 10:49 pm**

How can I connect two mikrotik arm routers in different locations using B2H?

I would like to have my local network (PCs, phones) connect to my local mikrotik hap ac2 and connect to my other arm mikrotik router in another countries and surf the web with an IP address from the other country when I use any of my local devices.

What exactly would I need to do?

Thanks for your help. :)

Posted: **Mon Dec 04, 2023 11:18 am**

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of Audience is necessary every day for it to work. Audience is connected to the internet but without reboot BTH from Iphone app no longer connects.
I don't understand what's blocking it. Disable/ Enable of the WireGuard interface is not sufficient.DNS cache ? Do you have any ideas ?
How do you mean "no longer connects". Is there an error somewhere? In the BTH app?

Hello, I think I found the problem. The BTH application enables DDNS, but it forgets the ddns-update-interval. As soon as the public IP address changes the DDNS may remain false and the tunnel may become inoperable. I don't know the 1m value is too low but it works.

/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes "I added" ddns-update-interval=1m

I think you need to correct the application setup

Posted: **Wed Dec 06, 2023 8:25 am**

Are there any further settings required for the Android App? I configured a connection to my router and can successfully connect, but none of my traffic is actually routed over the VPN.

The router's DNS does not seem to be used at all and I can't reach any local device including the router itself. And internet traffic is also not routed over the tunnel.

Edit: I think the fault is on my smartphones side. Some apps seem to use the VPN just fine and some ignore it.

Edit2: The WireGuard-App is working fine however, maybe this is an app issue.

Posted: **Wed Dec 06, 2023 8:30 am**

About DDNS update time, it is a known issue and will be fixed in the next release.

Mfrey about your Android app - no other config should be needed. BTH works best with default config on home AP type devices. Maybe there is some more complex configuration on your device that is conflicting with BTH, or maybe you used an older version of BTH before? Send a supout.rif file to support@Mikrotik.com and we will look at the situation. Maybe there is something we can do to improve the experience for future users.

Posted: **Wed Dec 06, 2023 8:52 am**

@normis I don't think this is related to the router config. I get the same behaviour with multiple routers and using the WireGuard-App is working just fine. I also already deleted and re-created the connections.

Somehow, the Mikrotik Home App is not even trying to forwarding the traffic of almost all apps. The only exception that I've found so far is the Play Store, whose traffic is tunneled.

MikroTik

NEW FEATURE: Back to Home VPN

NEW FEATURE: Back to Home VPN

Re: Back to Home VPN

Re: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN

Re: NEW FEATURE: Back to Home VPN