NEW FEATURE: Back to Home VPN

BTH provides easy VPN to your router, even if you are behind NAT. Main use - take the phone app and enable the new feature, then connect to your home network, while abroad or anywhere.

In the background it takes care of all the configuration in the router, makes a Wireguard setup, configures the firewall, communicates with our cloud.
Then use the same phone app to go “back to home” when you are away. Use internet through your home network, to have pihole block ads, or just to change your IP and watch content only available “back home”.

In case your router is behind NAT, somewhere inside a private network, the connection will be made through our relay servers.

Feature is in BETA (Gradual rollout to see what our relays are capable of, to slowly test load) and is currently available on ARM/ARM64/TILE.

Apple iPhone: https://apps.apple.com/lv/app/mikrotik-back-to-home/id6450679198
Android: https://play.google.com/store/apps/details?id=com.mikrotik.android.freevpn

Manual with more info:
https://help.mikrotik.com/docs/display/ROS/Back+To+Home

Available from 7.11 (currently in RC)

Please test it and report any issues.

DNS should be your home ISP DNS or any public DNS like 1.1.1.1

Answers to common questions:

  1. It uses Wireguard and is a secure VPN
  2. (If used) Relay does not decrypt your tunnel and has no access to your data
  3. It secures your router with firewall, it does not open up full access to your router in any way
  4. It is not a feature for anonymity, it is a home user feature for maximum ease of use.
  5. If you wish, after you have enabled it with our BTH app, you can also connect using Wireguard on your computer. You can use the QR code in Winbox IP CLOUD menu to get the needed config to your computer
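An added example, not MikroTik's code: a review of a WireGuard client config like the one item 5 says the QR code provides, assuming it is in the standard wg-quick text form. It reports whether the file holds a private key, whether all traffic is sent through the home tunnel, and whether a DNS server is set; the sample config, its address, endpoint and key placeholders are constructed.

```python
import ipaddress

# Constructed sample in wg-quick format; keys, address and endpoint are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <router-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = router.example.net:51820
"""

def parse_wg(text):
    """Return (interface dict, list of peer dicts) from wg-quick style text."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            cur = iface
        elif line.lower() == "[peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)      # base64 padding stays in value
            cur[key.strip().lower()] = value.strip()
    return iface, peers

def review(text):
    """List findings a user should know before storing or using the config."""
    iface, peers = parse_wg(text)
    findings = []
    if "privatekey" in iface:
        findings.append("contains-private-key")  # treat the file/QR as a secret
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for p in peers for n in p.get("allowedips", "").split(",") if n.strip()]
    full_v4 = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    full_v6 = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    if full_v4 and not full_v6:
        findings.append("ipv6-not-tunnelled")    # IPv6 is not routed via home
    if not full_v4:
        findings.append("split-tunnel")          # internet does not go via home
    if full_v4 and not iface.get("dns"):
        findings.append("no-dns-set")            # DNS choice left to the client
    return findings
```
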

Hi,

Could you perhaps consider making a NAT helper for routerOS, that would make a router act as a relay like your BTH relay.
That can be applied to a small number of UDP ports.

Some maybe simplifications.

Server connects via one port, clients connect via another port. (Does this make it simpler?)
Only on devices with good amount of flash.

What would be the use case, sorry I don’t get it

Silly question, but is it safe to just use the wireguard app with the QR code as I already installed that on the other half's phone which seems to work ok but took ages to connect? Android by the way.

Of course you can just keep using Wireguard. This new feature is also using Wireguard, but it has one advantage, it can work even if your router has no public IP

Thanks for the further info. Great feature by the way!

Will there ever be support for mipsbe devices?

As always mipsbe and mmips are forgotten. :frowning:

For now my only alternative is using Raspberry Pi and/or x86 machines with some Linux.

Will Back to Home also come on Mipsle devices? Wireguard does work fine on mipsel router, so it should not be a big change to make it work.

However, if the router is not directly reachable from the internet, the connection will be made through the MikroTik relay server

Any information on the relay server? Capacity? Where are they located? Will there be server on other countries?

Apple iPhone version released (but some updates coming soon): https://apps.apple.com/lv/app/mikrotik-back-to-home/id6450679198

If the router has no public ip (4G connection) all traffic goes through MikroTik servers, am I right?
If yes, are there any speed or traffic limits?
Or does it work as a ZeroTier relay?

Thanks

Yes that’s true. Currently there are no limits. It might change in the future, but there is no plan for that at the moment.
If we run into traffic problems, we will just add more relays around the world.

Did quick test of iOS app. Seems to work, at least against two different routers, using LTE/CGNAT on device with BTH iOS app.

Was able to connect to a BTH-enabled router with public IP. And was also able to connect using relay with a host behind a CGNAT address e.g. remote end also uses LTE, so BOTH ends behind a CGNAT – this latter case isn’t possible with WG alone without the BTH relay (or using ZeroTier).

Although latency is pretty bad if relayed, things do route/connect. I see ping times in the 600-800ms range using BTH with relay from phone to router. This router also has ZeroTier, so if disconnect from BTH and use ZT as VPN instead, latency is about 150-250ms in same ping test. I’d imagine difference is ZT roots are closer than Latvia…not that ZeroTier is inherently faster, just way closer in proximity to California.

Can we get answer on the xMIPSx situation with BTH?

That really is where BTH would be more useful. e.g. I used ZeroTier to enable BTH to test it – so really didn’t need BTH since I already had ZeroTier. On xMIPSx, there are no options for a VPN from a CGNAT to a CGNAT, without building your own VPN hub.

Nice feature, especially for the ones that are stuck with CGNAT!!! I like to see as a feature virtual stacking for CRS switches (CRS3xx and CRS5xx) for HA core Switches!

Keep it going!

@normis - great feature!

Two questions:

Is it possible to open source/release the server side of the BTH relay? I’d love the ability to roll my own relay - which would remove the traffic from going through Mikrotik’s server (would save Mikrotik cost as well)

Where are the relays currently located?

thank you!

While in Beta, we have a relay in the MikroTik data center in Latvia. Depending on demand, we will expand to other regions and will launch relays in other countries. If somebody here works in a well connected data center with high speed connectivity, you are welcome to drop us an email :smiley:

Why? Instead of a relay you could just run a Wireguard server with public IP address. The point of the relay is that Mikrotik is not able to decrypt your traffic - you do not need traffic for yourself, do you? :winking_face_with_tongue: