Back to home supported router

Folks:

New guy here.

I’ve got a RB750Gr3 and it’s working great for my work from home office. I’m primarily using it to keep my work and home networks isolated from each other.

The back to home vpn offering is very intriguing, but my current router doesn’t support it.

Can anyone recommend a router comparable to the RB750Gr3 that supports BTH?

Thanks,

David

What’s wrong with using WireGuard in the normal way?
In essence, bth is the same.

If you REALLY want to change devices, AX Lite is the lowest budget alternative.
But 1 port less.

Sure, the 750 supports WireGuard. What seems to be the issue?

Back to Home (BTH) is only on ARM, ARM64, and TILE. Just because a device supports WG doesn’t mean it supports BTH (e.g. all the MIPS things, like the '750).

BTH is not the only way to apply WireGuard parameters, silly ammo!

Well, true enough. Unless the router is behind CGNAT…

@fallingrock does your ISP provide you with public IP on the router?

Don’t forget the other question:
a. Do you have a public IP?
b. IF NOT, can you forward a port from your ISP modem/router to your ROUTER?

Why not?
You only go out then towards a device with a public IP (dynamic or static), but it will still work.
Same with ZeroTier, BTW, when it’s behind CGNAT.

BTH is nice if both devices are behind NAT.

True, but what’s the rationale to limit it to ARM/ARM64/TILE only?

Dear Sir Holvoe, I have written many times of MT’s unwritten agenda to move all users to newer ARM products. It’s called the ‘obsolescence - death by 1000 cuts product strategy’.

Just so I can get this straight: the difference then between BTH and normal WireGuard, and the power/allure of BTH, is that MikroTik is providing a FREE CHR in the cloud for this service??? I don’t mean anything the user can see/touch, but a virtual server in the cloud is used/provided by MT to connect two ends of a WG tunnel where neither has a public IP and neither can port forward from their upstream router/modem to their MT device? IPSO FACTOR cloudflare type of service? And thus reliance on a third party?

You don’t seem to get the BTH idea at all, sorry about that.

  • BTH is free of charge if you have one of the supported devices (all new / currently manufactured MikroTik devices)
  • There is no middleman with access to your data, as opposed to traditional VPN providers
  • Data goes directly between mobile device and home router, Relay only helps to establish connection (with holepunching method)
  • Setting up BTH takes only a few steps in a mobile app, you do not have to open winbox or computer
  • Giving friend or family access to your VPN service is a one click operation, no need to even see RouterOS
  • If the ISP set up your device, or maybe you just use the default config and don’t want to learn RouterOS, it sets up a modern and very secure VPN with 2-3 taps of your phone
  • Of course, many other nice features are planned for the app

Much thanks Normis, it’s slowly getting clearer.
Basically the process is:

a. At the home or office router, set up BTH.
b. Then any user can connect to this VPN.
c. If the BTH is using a public IP, no relay service is used.
d. If the BTH is used behind a CGNAT or non port forwarding capable ISP, then relay service is used.

It is not clear how this relay service works?
What is the throughput of this relay service?

Clearly the BTH goes out on a specific port from the home or office router and talks to something on a server somewhere…
How transparent is this? Is it based on RouterID??

From the user APP perspective, how does the app differentiate between going directly to the public IP or to the Relay Server?
(assuming admin gives credentials/setup to user and that determines the above)

There is all kinds of smart technology involved, I can’t share details.
MikroTik knows nothing about the connections. Like I said, relay helps to establish hole-punched connections, but from then on, the connection goes direct between users, not over relay.

About use cases, one example I like is this:

  1. I go to my parents’ house, they have a MikroTik router. They need some help with it. I don’t want to waste time there, so I open the BTH app on the phone, connect to the router with it, make a BTH tunnel. It takes 5 seconds to do this. Then I go home, and when I have time, connect to my parents’ router. Now I can even make another shared tunnel, send a pure WireGuard config file to my computer, and continue work there. So you can use it to make very quick management access for yourself.

  2. Of course all the basic stuff too. I can connect to my home device where my DNS is a PiHole. Now my phone no longer has ads. Or I can watch Netflix via a friend’s router, who is in another country, etc.

  1. get arrested because someone who you give access to BTH VPN has done some illegal activities on the internet over your connection (this doesn’t need to be directly by someone who you give access to if the client device is compromised)

share responsibly :smiley:

P.S: how is this specific aspect different from VPN options any router has had for 30 years?

Usually it was not so easy to share a VPN connection for reckless/technically non-skilled people who usually don’t know how to set up a VPN manually.

I personally think this is more an imaginary problem, than reality. Maybe I just don’t know as many digital criminals :smiley:

It’s digital criminals’ heaven when they can compromise someone’s VPN connection.

Hi Normis,

  1. As an admin or helper admin, I can go to the local site and quickly set up a VPN connection which I can use later when remote.
  2. What about the opposite, I want to send my brother the ability to connect to my MT WireGuard router
    a. from his device directly (no MT router), be it Windows laptop or Android/iPhone
    b. from his MT router, where he may not be config savvy… (and assuming I don’t have connectivity to it yet, but I suppose the quick answer is TeamViewer or AnyDesk).