VPN with relay on a VPS - working around the CGNAT

Hey.
I’m setting up a small network for my parents’ new house. The hardware is all Mikrotik - a switch, a router, and several access points. I’ve configured VLAN switching on a single bridge on the router so I can split my network into multiple VLANs. One of those VLANs (99) is used for management and all the Mikrotik devices get an IP on this VLAN.
What I want to do, as I’m sure problems will arise when I’m not around, is to configure VPN access into this management VLAN to be able to Winbox into the Mikrotiks and sort stuff out.
One other important thing to note is that the ISP at my parents’ does not provide a public IP - everything is behind a CGNAT.

Now, for the questions:

1. I understand that the best way to achieve what I need would be to have a VPS configured as the VPN server and connecting to it from the Mikrotik Router and my laptop when I’m away. This way, the CGNAT wouldn’t be a problem. Is this a good idea?
2. I’d like to use OpenVPN, mainly because of the possibility of using TCP 443 for my device. A mixed setup with Wireguard between my VPS and the Mikrotik Router and then OpenVPN between my laptop and the VPS would be ideal, I think, but it would probably add complexity to an already complicated situation. What would be the best choice here?
3. Are there any tutorials on the web describing a situation similar to mine? I’m currently in the process of searching and reading, but haven’t found any good resources as of yet.
4. What I think I’d like would be for my laptop connecting to the VPN to automatically get an IP address from the DHCP server taking care of the Management VLAN. Is this possible and is it even a good idea?

Well the VPS aka a CHR in a cloud is about $6 a month to rent plus the CHR license and use Wireguard VPN, and is a great way to do what you want to do without third party servers. Preferred option 4

You could do it right now with VPN WIREGUARD BTH depending upon what router you bought your parents and uses a microtik relay server. Preferred Option2
You could do it right away with regular wireguard VPN if your router is an MT router. Preferred Option 1

Another alternative is to use zerotier which connects routers at layer2, but uses cloudflare secure servers. This is available right away as well. Preferred option 3

Hi Anav, thanks for your reply.
I like the simplicity of BTH. After configuring it, I can see a new interface called “back-to-home-vpn”. I tried adding it to the bridge as an access port but it seems that it’s not possible. I suppose that’s because WireGuard is L3 and bridges are a L2 concept.
How do I allow the clients connected to WireGuard to access the MGMT_VLAN?

Well the way it works is you enable BTH on the router.
Take the first created user and install that on your smart phone, any other users have to be created on the smartphone as well.
You will need to go to the router at your parents place allows the subnet of wireguard access on the input chain

add chain=input action=accept comment=“admin access” in-interface=wireguardBTH ( or whatever its name is).

OR
add chain=input action=accept comment=“admin access” src-address=subnetof BTH wireguard tunnel.

There is no need to pay such expensive VPS and licenses. I have a VPS for 2€ per month (unlimited traffic, 100 Mbps connectivity and public IPv4 address + IPv6 prefix) and Debian on it. Currently the VPS act as L2TP server and MikroTik routers have L2TP clients… but I only use it for remote site management where there is no IPv6 or public IPv4.

If you want to run an L2 tunnel through the BTH, it should be possible by running an EoIP tunnel through the Wireguard and it will (somehow, idk how reliable) work.

I think you’re missing the VLAN part. Allowing the WireGuard interface on the input chain gives me access to the router only, not the switch or any other device on the MGMT_VLAN.

Then add access to the management vlan.
add action=accept chain=forward comment=“remote admin to trusted vlan” in-interface=BTHWireguard out-interface=vlan-mgmt

I’ve added the rule you suggested. Now the situation is as follows:

• I can ping both 10.99.0.1 and 10.99.0.2
• I can connect with Winbox to 10.99.0.2
• I cannot connect with Winbox to 10.99.0.1 - Probably because there is no rule on the input chain for BTH, but why is it needed if I already allow MGMT_VLAN access to 10.99.0.1?
• Neighbor discovery does not work on my laptop when connected through the VPN - I can’t see any device in Mikrotik

How do I fix those last two issues?

Here is my config. I’ll be very thankful if you take a look at it and maybe point out some other misconfigurations, especially regarding my firewall rules and VLAN setup.

# 2025-03-30 15:06:00 by RouterOS 7.18.2
#
# model = RB5009UG+S+
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface wireguard
add comment=back-to-home-vpn listen-port=3218 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=bridge name=GUEST_VLAN vlan-id=20
add interface=bridge name=IOT_VLAN vlan-id=30
add interface=bridge name=MGMT_VLAN vlan-id=99
add interface=bridge name=PRIVATE_VLAN vlan-id=10
add interface=bridge name=SECURITY_VLAN vlan-id=50
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/interface wifi datapath
add bridge=bridge name=WiFi_PRIVATE vlan-id=10
add bridge=bridge name=WiFi_GUEST vlan-id=20
add bridge=bridge name=WiFi_IoT vlan-id=30
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=\
    WiFi_PRIVATE
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=\
    WiFi_GUEST
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=\
    WiFi_IoT
/interface wifi configuration
add datapath=WiFi_PRIVATE name=WiFi_PRIVATE security=WiFi_PRIVATE ssid=\
    SUPER_INTERNET
add datapath=WiFi_GUEST name=WiFi_GUEST security=WiFi_GUEST ssid=SUPER_GUEST
add datapath=WiFi_IoT name=WiFi_IoT security=WiFi_IoT ssid=SUPER_IoT
/ip pool
add name=PRIVATE_POOL ranges=10.0.10.2-10.0.10.254
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
add name=IOT_POOL ranges=10.0.30.2-10.0.30.254
add name=SECURITY_POOL ranges=10.0.50.2-10.0.50.254
add name=MGMT_POOL ranges=10.99.0.2-10.99.0.254
/ip dhcp-server
add address-pool=PRIVATE_POOL interface=PRIVATE_VLAN name=PRIVATE_DHCP
add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=IOT_POOL interface=IOT_VLAN name=IOT_DHCP
add address-pool=SECURITY_POOL interface=SECURITY_VLAN name=SECURITY_DHCP
add address-pool=MGMT_POOL interface=MGMT_VLAN name=MGMT_DHCP
/dude
set enabled=yes
/interface bridge port
add bridge=bridge interface=ether8 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=30
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6 \
    vlan-ids=50
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6 \
    untagged=ether8 vlan-ids=99
/interface list member
add interface=ether7 list=WAN
add interface=PRIVATE_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=SECURITY_VLAN list=VLAN
add interface=MGMT_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
/interface ovpn-server server
add mac-address=FE:8F:AF:29:63:8B name=ovpn-server1
/interface wifi capsman
set enabled=yes interfaces=MGMT_VLAN
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=WiFi_PRIVATE \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled master-configuration=WiFi_PRIVATE \
    slave-configurations=WiFi_GUEST,WiFi_IoT supported-bands=2ghz-ax
/ip address
add address=10.99.0.1/16 interface=MGMT_VLAN network=10.99.0.0
add address=10.0.10.1/24 interface=PRIVATE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
add address=10.0.30.1/24 interface=IOT_VLAN network=10.0.30.0
add address=10.0.50.1/24 interface=SECURITY_VLAN network=10.0.50.0
add address=192.168.88.201/24 interface=ether7 network=192.168.88.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip cloud back-to-home-user
add allow-lan=yes file-access=full name=smigol private-key=\
    "wOVKygOk90s1LpmZjYl6R762JNDypzgyyPlbVqKcmFo=" public-key=\
    "r4HZ9rPfCCCYlVj9SzB1XT+geA0zvByWBj3Tlvqvazw="
/ip dhcp-server lease
add address=10.0.50.2 client-id=\
    ff:9a:cd:72:c2:0:2:0:0:ab:11:9e:13:50:9:3f:a:80:14 mac-address=\
    0C:EA:14:3D:83:1D server=SECURITY_DHCP
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.99.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.99.0.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.99.0.1 gateway=10.0.30.1
add address=10.0.50.0/24 dns-server=10.99.0.1 gateway=10.0.50.1
add address=10.99.0.0/16 dns-server=10.99.0.1 gateway=10.99.0.1
/ip dns
set allow-remote-requests=yes use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN to access DNS (TCP)" \
    dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow VLAN to access DNS (UDP)" \
    dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow MGMT_VLAN full access" \
    in-interface-list=MGMT
add action=accept chain=input comment="Allow ICMP" icmp-options=8:0-255 \
    protocol=icmp
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="BTH Internet Access" \
    connection-state=new in-interface=back-to-home-vpn out-interface-list=WAN
add action=accept chain=forward comment="BTH allow MGMT_VLAN" in-interface=\
    back-to-home-vpn out-interface-list=MGMT
add action=accept chain=forward comment=\
    "Allow MGMT_VLAN to access UI CloudKey+ in SECURITY_VLAN" dst-address=\
    10.0.50.2 in-interface-list=MGMT
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.88.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MainRouter
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=none

Easy Peasy now that I have facts to work with!

/interface list member
add interface=ether7 list=WAN
add interface=PRIVATE_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=SECURITY_VLAN list=VLAN
add interface=MGMT_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
add interface=back-to-home-vpn list=VLAN
add interface=back-to-home-vpn list=MGMT

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=“Allow VLAN to access DNS (TCP)”
dst-port=53 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment=“Allow VLAN to access DNS (UDP)”
dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="admin access" in-interface-list=MGMT
add action=drop chain=input comment=Drop
+++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=“internet traffic” in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=“admin to vlans” in-interface=MGMT
out-interface-list=VLAN
add action=drop chain=forward comment=Drop

Almost there
Now I can Winbox into both 10.99.0.1 and 10.99.0.2 but Neighbor Discovery still doesn’t show any of the devices.
Besides that, does my config look correct? Am I achieving separation between the VLANs and is it a secure firewall config when it comes to WAN?

EDIT: I don’t think Winbox discovery is ever going to work using Wireguard, am I correct? Well, it’s not that big of a deal.

Current state of my firewall:

    /interface list add name=WAN
    /interface list add name=VLAN
    /interface list add name=MGMT

    /interface list member
    add interface=ether7 list=WAN

    add interface=PRIVATE_VLAN list=VLAN
    add interface=GUEST_VLAN list=VLAN
    add interface=IOT_VLAN list=VLAN
    add interface=SECURITY_VLAN list=VLAN
    add interface=MGMT_VLAN list=VLAN
    add interface=back-to-home-vpn list=VLAN

    add interface=MGMT_VLAN list=MGMT
    add interface=back-to-home-vpn list=MGMT
  
  
    /ip firewall filter

    # Input chain
    add chain=input action=accept connection-state=established,related,untracked comment="Allow Estab & Related"
    add chain=input action=drop  connection-state=invalid comment="Drop invalid"

    add chain=input action=accept protocol=icmp comment="Accept ICMP"
    add chain=input action=accept in-interface-list=VLAN protocol=tcp dst-port=53 comment="Allow VLAN to access DNS (TCP)"
    add chain=input action=accept in-interface-list=VLAN protocol=udp dst-port=53 comment="Allow VLAN to access DNS (UDP)"

    add chain=input action=accept in-interface-list=MGMT comment="Allow admin access"

    add chain=input action=drop comment="Drop"

    # Forward chain
    add chain=forward action=fasttrack-connection connection-state=established,related
    add chain=forward action=accept connection-state=established,related,untracked comment="Allow Estab & Related"
    add chain=forward action=drop  connection-state=invalid comment="Drop invalid"

    add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="Internet Access"
    add chain=forward action=accept in-interface-list=MGMT out-interface-list=VLAN comment="Allow MGMT to VLANs"

    add chain=forward action=drop comment="Drop"

Also, a little off topic: could you also take a look at the config of my switch? Just to check if everything is in order.

# 2025-03-30 18:29:23 by RouterOS 7.18.2
#
# model = CRS328-24P-4S+
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT_VLAN vlan-id=99
/interface list
add name=MGMT
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether8 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether9 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether11 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether12 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether13 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether14 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether15 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether16 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether17 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether18 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether19 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether20 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether21 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether22 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether23 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether24 pvid=30
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface bridge vlan
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=10
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=20
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=30
add bridge=bridge tagged=ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=50
add bridge=bridge tagged=bridge,ether1,ether2,ether3,ether4,ether5,ether6 vlan-ids=99
/interface list member
add interface=MGMT_VLAN list=MGMT
/ip address
add address=10.99.0.2/16 interface=MGMT_VLAN network=10.99.0.0
/ip dns
set servers=10.99.0.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add distance=1 gateway=10.99.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MainSwitch
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=none

Not sure what you mean…
You have this on the config, which is a good start.
/ip neighbor discovery-settings
set discover-interface-list=MGMT

BUT THE ERROR comes later.
You reversed the settings
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=none

Should be:
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list**=MGMT**

As for your switch which port on the 5009 goes to the switch…

SAME ISSUE for discover,… WRONG
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac**-winbox**
set allowed-interface-list=MGMT

I have changed the settings as you said but I still cannot see devices in Winbox Neighbors.
As for the ports, ether1 from the 5009 is connected to ether1 of the switch.

If you mean the Neighbors tab on the login page of WinBox, the listing requires broadcast and will not work over WireGuard. And of course, MAC WinBox also does not work over WireGuard.

I use winbox all the time from PC behind my router to reach distant devices.
If you need to connect to devices behind the router, then type in their applicable IP address, in this case its management IP address.

Once connected to the 5009 over wireguard try this ( critical first step )
For example the switch…
Open winbox on your PC behind your router (assuming your PC has admin rights)

10.99.0.2:winboxport of switch

That’s what I thought. Thanks.

I think that’s all, guys. If my configs for both the router and switch are okay, then I think I’m done. I appreciate your help!