Port forwarding for selected devices

Hello,
please, is it possible on Mikrotik to enable port forwarding from the internet only for selected mobile devices?
e.g. by certificate?

It depends.

Maybe you need to clarify in a lot more detail what you are planning to do?
A logical workaround would be to use VPN on only those devices, then you control what comes via that VPN and what not.

A Kerio Connect mail server is running inside the internal network, and it expects communication on port 443. I need to access it with an email client from mobile devices on the Internet.
The mail server has only the default security settings of name and password. It is possible to enable 2FA, but that will make it hell to log in on the internal network.
I was considering a VPN, but if I put OpenVPN on a mobile device, I would have to turn it on before each login to email or leave it running all the time. That doesn’t seem reasonable for a phone. Or am I seeing it wrong?

At least using Wireguard I know you can selectively specify which subnet should go over VPN and which not.
I suppose OpenVPN can do the same?

Personal preference is WG, though :sunglasses:
It’s more resource friendly and faster and less chatter to keep the connection.

The last thing you want to do is open up your router for a mail server; it will be hackapalooza time.
How many mobile devices are you talking about that need to connect? Are they trusted persons?
You can set up wireguard such that some users only access the mail server while you yourself as admin can reach any LAN subnet or the router for config purposes (wireguard is flexible).

I’ll try this option and let you know if it works. Thanks.

Therefore, I am looking for a solution to secure this port, or to avoid opening this port. I need to connect up to 15 mobile phones to this server. The people who should use this connection are trustworthy.

Then wireguard will work just fine. Since it's that many and manual setup can be a PITA, I suggest using the BTH method.
You put the first account on your phone and then create the 14 others using a qr code etc, which you can send to their phone.
Rough concept here:
Preparing the Mikrotik Router
• On the main menu select IP, and then navigate to the sub-menu Cloud
• Select and enter the BTH VPN tab.
• Ensure the Back To Home VPN entry (first line) has the button selection of “Enabled”
• On the main menu select WireGuard
• Verify that the router has automatically created both BTH associated WireGuard and Peers settings.

Note: When generating the BTH (Back To Home VPN) configuration, the associated new BTH WireGuard and Peers entries, in the main WireGuard tab, are required in order for the router to interact with the Mikrotik relay servers. These additional BTH generated entries are used by the BTH wireguard configuration, if there is no direct connection between client device and router ( no local access to a public IP ).

Activating the BTH using the app and Primary smartphone
To set up Back to Home, you must have a smartphone with the BTH app and should be inside your home, with access to your router's Wi-Fi network.
• Connect to router’s Wi-Fi using your phone;
• Open the Back to Home application (Android, iPhone);
• Tap “Create new”;
• Enter your local router IP address (most likely 192.168.88.1), username, and password of your router, tap “Connect”;
• Give tunnel a name, then tap “Create tunnel”;
• Your phone will ask for permission to add new VPN settings, approve it with your phone pin;
• Setup is done. You can now disconnect from router’s Wi-Fi and connect to any other network, like LTE/5G or simply leave your house now;
• Tap the “Connect” button to toggle connection of the selected tunnel.

Adding Remote Phone Users to the BTH Wireguard Network
Adding additional phone users to the BTH configuration is done via the BTH app on the primary smartphone. Added users will be able to access the Router’s internet and Router subnets (optional). Once a user tunnel is created you can share the tunnel by the created URL Link or QR Code, using standard communication methods ( whatsapp, discord etc..). The user will have to install the BTH app to activate the link.
• On the primary smartphone, connect to the BTH tunnel via the BTH app;
• Click the “…” icon next to your tunnel and click “Manage shares”;
• Enter the administrator’s router password, as this process will modify the router config;
• Tap “Create” in the Shares manager;
• Enter a unique identifying name for the device/user in the “TUNNEL NAME” entry area;
• Specify the expiry date of this new user tunnel;
• Turn on Home network access only if the user requires access to your LAN subnets. Otherwise, the user will only have router internet access.
• Review the advanced settings and then select “Create tunnel”
• Once created, select the new tunnel (by clicking on the adjacent three vertical dots) to view the Share Menu.
• Choose either Share URL invite or View QR invite to send to the user;
• After selecting the invite type, the smartphone OS will automatically present the standard share link/file menu prompts. Select the communication method to transfer the invite.
• After selecting the View QR invite, manually select the communication method to transfer the QR code.
• The user receiving the link must click on it; if the BTH app is installed, it will open up and allow tunnel creation. If not, the link first prompts the user to install the BTH app.

Note: The smartphone user may elect to use the regular Wireguard App, applicable for the user device, to import the QR code. The BTH VPN functionality and configuration are transparent to the type of App used at the remote end.
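For readers who prefer to configure the WireGuard side by hand rather than through BTH, here is an added RouterOS CLI example of the design the thread converges on: no public port forward for 443, one WireGuard peer per phone, and firewall rules that let the tunnel reach only the mail server on 443. This is not code from the thread or from MikroTik; the mail server address 192.168.88.10, the tunnel subnet 10.99.0.0/24, the interface name wg-mail, the listen port 13231 and the peer public keys are all placeholders, and the place-before lookup assumes the default RouterOS firewall with its single drop rule in the input chain.

```routeros
# Added example (not from the thread or MikroTik): restrict the mail server's
# port 443 to WireGuard peers instead of opening it to the internet.
# Assumed values: mail server 192.168.88.10 (LAN), tunnel 10.99.0.0/24 with
# the router at 10.99.0.1, interface wg-mail, listen port 13231.
# If BTH already created a WireGuard interface, use that interface name below.

# --- What the thread advises against: a dst-nat reachable by anyone ---
# /ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp \
#     dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443

# --- WireGuard interface and one peer per phone ---
/interface wireguard add name=wg-mail listen-port=13231
/ip address add address=10.99.0.1/24 interface=wg-mail

# Each phone gets its own key pair and a single /32. A lost or retired phone is
# revoked by disabling or removing its peer entry; nothing else has to change.
/interface wireguard peers add interface=wg-mail comment="phone-01" \
    public-key="<PHONE-01-PUBLIC-KEY-PLACEHOLDER>" allowed-address=10.99.0.2/32
/interface wireguard peers add interface=wg-mail comment="phone-02" \
    public-key="<PHONE-02-PUBLIC-KEY-PLACEHOLDER>" allowed-address=10.99.0.3/32

# --- Firewall: only the tunnel may reach 443 on the mail server ---
# Accept the WireGuard handshake from the internet (UDP only; no TCP port is
# exposed). Placed above the default "drop all not coming from LAN" rule.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp \
    dst-port=13231 action=accept comment="WireGuard handshake" \
    place-before=[/ip firewall filter find chain=input action=drop]

# Peers may talk to the mail server on TCP 443 and to nothing else on the LAN.
# Replies ride on the default "accept established,related" forward rule.
/ip firewall filter add chain=forward in-interface=wg-mail \
    dst-address=192.168.88.10 protocol=tcp dst-port=443 action=accept \
    comment="phones -> Kerio 443"
/ip firewall filter add chain=forward in-interface=wg-mail action=drop \
    comment="drop everything else arriving from the tunnel"
```

On the phone side, set the peer's AllowedIPs to 192.168.88.10/32 rather than 0.0.0.0/0, which is the selective routing mentioned earlier in the thread: only traffic to the mail server enters the tunnel, the rest of the phone's traffic is untouched, and the tunnel can stay up permanently without the drawbacks the original poster worried about. An admin device gets the same treatment with a wider allowed-address and a forward rule of its own instead of the drop rule.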