normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 11:39 am

BTH provides easy VPN to your router, even if you are behind NAT. Main use - take the phone app and enable the new feature, then connect to your home network, while abroad or anywhere.

In the background it takes care of all the configuration in the router, makes a Wireguard setup, configures the firewall, communicates with our cloud.
Then use the same phone app to go "back to home" when you are away. Use internet through your home network, to have pihole block ads, or just to change your IP and watch content only available "back home".

In case your router is behind NAT, somewhere inside a private network, the connection will be made through our relay servers.

Feature is in BETA (Gradual rollout to see what our relays are capable of, to slowly test load) and is currently available on ARM/ARM64/TILE.

Apple iPhone: https://apps.apple.com/lv/app/mikrotik- ... 6450679198
Android: https://play.google.com/store/apps/deta ... id.freevpn

Manual with more info:
https://help.mikrotik.com/docs/display/ROS/Back+To+Home

Available from 7.11 (currently in RC)

Please test it and report any issues.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Back to Home VPN

Mon Jul 31, 2023 11:40 am

DNS should be your home ISP DNS or any public DNS like 1.1.1.1
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Back to Home VPN

Mon Jul 31, 2023 11:44 am

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data
3) It secures your router with firewall, it does not open up full access to your router in any way
4) It is not a feature for anonymity, it is a home user feature for maximum ease of use.
5) If you wish, after you have enabled it with our BTH app, you can also connect using Wireguard on your computer. You can use the QR code in Winbox IP CLOUD menu to get the needed config to your computer
 
rplant
Member
Posts: 463
Joined: Fri Sep 29, 2017 11:42 am

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 12:43 pm

Hi,

Could you perhaps consider making a NAT helper for routerOS, that would make a router act as a relay like your BTH relay.
That can be applied to a small number of UDP ports.

Some maybe simplifications.

Server connects via one port clients connect via another port. (does this make it simpler?)
Only on devices with good amount of flash.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 12:46 pm

What would be the use case, sorry I don't get it
 
ToTheFull
Member
Posts: 367
Joined: Fri Mar 24, 2023 3:24 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 1:05 pm

Silly question, but is it safe to just use the wireguard app with the QR code as I already installed that on the other half's phone, which seems to work ok but took ages to connect? Android by the way.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 1:24 pm

Of course you can just keep using Wireguard. This new feature is also using Wireguard, but it has one advantage, it can work even if your router has no public IP
 
ToTheFull
Member
Posts: 367
Joined: Fri Mar 24, 2023 3:24 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 1:31 pm

> Of course you can just keep using Wireguard. This new feature is also using Wireguard, but it has one advantage, it can work even if your router has no public IP
Thanks for the further info. Great feature by the way!
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 1:45 pm

Will there ever be support for mipsbe devices?
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 1:56 pm

As always mipsbe and mmips are forgotten. :(

For now my only alternative is using Raspberry Pi and/or x86 machines with some Linux.
 
Jotne
Forum Guru
Posts: 3333
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 3:23 pm

Will Back to Home also come on Mipsle devices? Wireguard does work fine on mipsel router, so it should not be a big change to make it work.
However, if the router is not directly reachable from the internet, the connection will be made through the MikroTik relay server
Any information on the relay server? Capacity? Where are they located? Will there be servers in other countries?
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 4:10 pm

Apple iPhone version released (but some updates coming soon): https://apps.apple.com/lv/app/mikrotik- ... 6450679198
 
massinia
Member Candidate
Posts: 171
Joined: Thu Jun 09, 2022 7:20 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 5:03 pm

If the router has no public ip (4G connection) all traffic goes through MikroTik servers, am I right?
If yes, are there any speed or traffic limits?
Or does it work as a ZeroTier relay?

Thanks
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 5:15 pm

Yes that's true. Currently there are no limits. It might change in the future, but there is no plan for that at the moment.
If we run into traffic problems, we will just add more relays around the world.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 5:45 pm

Did a quick test of the iOS app. Seems to work, at least against two different routers, using LTE/CGNAT on device with BTH iOS app.

Was able to connect to a BTH-enabled router with public IP. And was also able to connect using relay with a host behind a CGNAT address e.g. remote end also uses LTE, so BOTH ends behind a CGNAT – this latter case isn't possible with WG alone without the BTH relay (or using ZeroTier).

Although latency is pretty bad if relayed, things do route/connect. I see ping times in the 600-800ms range using BTH with relay from phone to router. This router also has ZeroTier, so if disconnect from BTH and use ZT as VPN instead, latency is about 150-250ms in same ping test. I'd imagine difference is ZT roots are closer than Latvia...not that ZeroTier is inherently faster, just way closer in proximity to California.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 5:49 pm

Can we get answer on the xMIPSx situation with BTH?

That really is where BTH be more useful. e.g. I used ZeroTier to enable BTH to test it – so really didn't need BTH since I already had ZeroTier. On xMIPSx, there are no options for a VPN from a CGNAT to a CGNAT, without building your own VPN hub.
 
ksteink
Frequent Visitor
Posts: 84
Joined: Thu Mar 31, 2016 6:54 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 6:25 pm

Nice feature, especially for the ones that are stuck with CGNAT!!! I like to see as a feature virtual stacking for CRS switches (CRS3xx and CRS5xx) for HA core Switches!

Keep it going!
 
JoshDi
newbie
Posts: 37
Joined: Fri May 21, 2021 4:49 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 7:19 pm

@normis - great feature!

Two questions:

Is it possible to open source/release the server side of the BTH relay? I'd love the ability to roll my own relay - which would remove the traffic from going through Mikrotik's server (would save Mikrotik cost as well)

Where are the relays currently located?

thank you!
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 7:30 pm

While in Beta, we have a relay in the MikroTik data center in Latvia. Depending on demand, we will expand to other regions and will launch relays in other countries. If somebody here works in a well connected data center with high speed connectivity, you are welcome to drop us an email :D
 
eworm
Forum Guru
Posts: 1082
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 7:31 pm

> Is it possible to open source/release the server side of the BTH relay? I'd love the ability to roll my own relay - which would remove the traffic from going through Mikrotik's server (would save Mikrotik cost as well)
Why? Instead of a relay you could just run a Wireguard server with public IP address. The point of the relay is that Mikrotik is not able to decrypt your traffic - you do not need traffic for yourself, do you? 😜
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 7:36 pm

Exactly. If you can run a relay, you basically don't need a relay.
 
R1CH
Forum Guru
Posts: 1108
Joined: Sun Oct 01, 2006 11:44 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 7:56 pm

Why use a full relay and not STUN? Wireguard runs over UDP so hole punching should work fine with a short enough keepalive.
 
holvoetn
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 8:18 pm

> If somebody here works in a well connected data center with high speed connectivity, you are welcome to drop us an email :D
Our own TomJonesNorthIdaho comes to mind...
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 8:32 pm

>> Is it possible to open source/release the server side of the BTH relay? I'd love the ability to roll my own relay [...]
> Why? Instead of a relay you could just run a Wireguard server with public IP address. [...]
That's actually nice part. Any peer will directly connect to the router's WG from BTH app (or any WG client) if you have a public IP on router, automatically.

If there is not a public IP (e.g. some dual WAN that failover to LTE, or other routing change, etc.) ... the nifty part is nothing in the client configuration changes, except then traffic will be proxied if the router with BTH does NOT have public IP detected.

Only requirement is using Mikrotik DDNS...since that's critical to how this works: if you resolve the <sn>.vpn.mynetname.com address shown in winbox/CLI, you can see that it's your own public IP (if direct) OR a Mikrotik IP (if proxied)... Also means if your WAN IP changes, it takes DNS TTL and /ip/cloud DDNS update interval for it to "switch" between proxy and direct...

So if you have public IP and BTH... the only dependency is on Mikrotik DDNS but otherwise it's normal WG peer connection.
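
A way to check which path a BTH client config will take, based on the DDNS behaviour described in the post above (an added example, not code from MikroTik or from the poster). The sample config, the hostname, port and IP addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import socket

# RFC 1918 private ranges plus the RFC 6598 CGNAT range. A router whose WAN
# address falls in one of these cannot be reached directly from the internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample client config; keys, hostname, port and addresses are
# placeholders, not values from a real router.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.99.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <router-public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = sn0000example.vpn.mynetname.com:51820
"""


def peer_endpoints(conf_text):
    """Return (host, port) for every Endpoint line inside a [Peer] section."""
    endpoints, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "peer" and sep and key.strip().lower() == "endpoint":
            host, _, port = value.strip().rpartition(":")
            endpoints.append((host.strip("[]"), int(port)))  # [v6]:port form
    return endpoints


def is_public(ip):
    """True when ip is outside the private and CGNAT ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def system_resolve(host):
    """Resolve host to a set of address strings with the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def classify_path(conf_text, router_wan_ip, resolve=system_resolve):
    """Classify each peer endpoint as 'direct', 'relayed' or 'mismatch'.

    direct   : the DDNS name resolves to the router's own WAN address
    relayed  : the WAN address is private/CGNAT and the name points elsewhere
    mismatch : the WAN address is public but the name points elsewhere
               (stale DDNS record, or the relay is in use anyway)
    """
    wan = ipaddress.ip_address(router_wan_ip)
    results = []
    for host, port in peer_endpoints(conf_text):
        resolved = {ipaddress.ip_address(a) for a in resolve(host)}
        if wan in resolved:
            path = "direct"
        elif not is_public(router_wan_ip):
            path = "relayed"
        else:
            path = "mismatch"
        results.append({
            "endpoint": f"{host}:{port}",
            "resolved": sorted(str(a) for a in resolved),
            "path": path,
        })
    return results


if __name__ == "__main__":
    # Offline demo: a constructed lookup table stands in for DNS. 198.51.100.7
    # plays the address the name resolves to, 100.64.12.34 a CGNAT WAN address.
    fake_dns = {"sn0000example.vpn.mynetname.com": {"198.51.100.7"}}
    for wan in ("100.64.12.34", "198.51.100.7", "203.0.113.10"):
        print(wan, classify_path(SAMPLE_CONF, wan, resolve=fake_dns.__getitem__))
```

A "mismatch" result is worth rechecking after the DNS TTL and the DDNS update interval have passed, since the post notes the record lags behind WAN address changes.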
 
zandhaas
Frequent Visitor
Posts: 74
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 10:08 pm

When using the standard Wireguard iPhone app I am able to connect. At the moment I can not find the Mikrotik BTH iPhone app in the app store (I'm living in the Netherlands)
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 10:30 pm

> Can we get answer on the xMIPSx situation with BTH?
>
> That really is where BTH be more useful. e.g. I used ZeroTier to enable BTH to test it – so really didn't need BTH since I already had ZeroTier. On xMIPSx, there are no options for a VPN from a CGNAT to a CGNAT, without building your own VPN hub.
Probably never will be supported, so, Wireguard apparently not supports MIPS architecture. Probably I'm wrong.

In the past I used ZeroTier and Tailscale on Windows and Linux machines but sometimes some machines randomly lost the connection or never connects at machine's startup. So I decided to implement Twingate on my Raspberry Pi 4 under Debian Minimal and worked really well.

A bit detail yesterday I decided to upgrade all system and stupidly reboot and now I can't access to my devices, and now I'm not at home until this Wednesday.

I think that ends to a kernel panic probably or another boot problem, so on my Windows server I will create a VM with some Linux minimal (probably CentOS Stream) to create a "copy" that can work as backup.

You know another VPN solutions? I'm also using on both sides LTE with CGNAT on both sides of course. My home core is LtAP (mmips).

Regards.
 
Jotne
Forum Guru
Posts: 3333
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 10:47 pm

> Wireguard apparently not supports MIPS architecture. Probably I'm wrong.
There you are wrong. Wireguard works fine on the RB750g3 Mipsel.
 
holvoetn
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 10:52 pm

> Wireguard works fine on the RB750g3 Mipsel.
Quite true.
Hex (MMIPS) was my first Tik and the very first I used Wireguard on, already with first beta of ROS7.
Also on Map and mAP Lite (MIPSBE, 2nd and 3rd Tik :lol: ) it works just fine.
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 10:56 pm

Oh, thanks for clarification Jotne and holvoetn, so, only waiting for BTH compatible with MIPS.

Regards.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 11:16 pm

> You know another VPN solutions? I'm also using on both sides LTE with CGNAT on both sides of course. My home core is LtAP (mmips).
Not really. I have to use LTE with public IPs, but that's not always possible & expensive. So use SSTP as backup, but that takes another router to act as the relay (at some point could use normal WG, but still some lingering V6 devices)...

> [...] only waiting for BTH compatible with MIPS.
Yup, as BTH be a fine solution (in my initial testing on a remote wAPacR) for the CGNAT problem on LtAP (and KNOTs) without ZT... e.g. there are 0 devices with 2 modems in the ARM lineup... Why do you think I've resorted to begging here?

Since BTH is really just some UI/CLI around WG client config & another DDNS update, at least on the RouterOS side.... I don't see how BTH be an intensive feature on [CPU limited] xMIPSx platforms — at least no more so than standard WG [which is supported, as noted above].

I can see xMIPSx may not be the first platform for a beta. Just some clarity here is all I'm asking... Since I just need remote access to routers behind a CGNAT, I really don't care if ZT or BTH+WG – different but either work behind CGNAT...
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Mon Jul 31, 2023 11:36 pm

Thanks for response.

We wait...

Regards.
 
rplant
Member
Posts: 463
Joined: Fri Sep 29, 2017 11:42 am

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 1:34 am

> What would be the use case, sorry I don't get it
Similar use case to using your Relay except closer to home.

I have a CHR in a nearby data centre, and currently use a wireguard in wireguard tunnel to get back to home (CGNAT) with e2e encryption.
It is not ideal on a number of points, but still brisk, and quite low latency.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 8:38 am

You can already make a Wireguard connection to your CHR from the home router, and then make a Wireguard VPN from your phone to the same CHR. This way you can achieve the same result without custom "relay".
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 8:41 am

> When using the standard Wireguard Iphone App I am able to connect.At the moment I can not find the Mikrotik BTH Iphone app in the app store (I'm living in the Netherlands)
Did you try the direct link? https://apps.apple.com/lv/app/mikrotik- ... 6450679198
 
zandhaas
Frequent Visitor
Posts: 74
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 8:56 am

That did the trick.
 
Gennadiy51
newbie
Posts: 30
Joined: Fri Nov 06, 2009 4:33 pm
Location: Moldova, Chisinau

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 10:25 am

A huge request to you, please make a video on this topic.
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 1:15 pm

nice work!
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 2:18 pm

> You can already make a Wireguard connection to your CHR from the home router, and then make a Wireguard VPN from your phone to the same CHR. This way you can achieve the same result without custom "relay".
I can't open any port on my home router and always I get 10.x.x.x IP segment from my ISP. Anyway I can do that?

Regards.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 3:05 pm

not to your home. FROM your home. that's the idea

Phone ------> [CHR server] <------- Home behind NAT
 
baragoon
Member
Posts: 357
Joined: Thu Jan 05, 2017 10:38 am
Location: Kyiv, UA

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 3:24 pm

Thanks, but we need xMIPSx devices support :'(
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 5:26 pm

> not to your home. FROM your home. that's the idea
>
> Phone ------> [CHR server] <------- Home behind NAT
And there are some free service to allocate CHR on cloud that can recommend?

Thanks and regards.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 6:52 pm

>> not to your home. FROM your home. that's the idea
>>
>> Phone ------> [CHR server] <------- Home behind NAT
> And there are some free service to allocate CHR on cloud that can recommend?
Another workaround for lack of BTH on MIPS... is using VPN (WG or whatever) on IPv6. This depends on the LTE provider with CGNAT, but good chance they support IPv6. No middle CHR needed if both sides have IPv6.
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 8:53 pm

True, but in my case none of the ISPs of my country provides IPv6 address for LTE. Anyway for people that applies this, it can help. Good point.

Regards.
 
templeos
just joined
Posts: 19
Joined: Mon Aug 26, 2019 3:58 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 9:49 pm

Can you fix the hexagons background image in the Android app? It looks stretched compared to the iOS version.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Aug 01, 2023 10:47 pm

well, if we're going to be picky... on iOS BTH app
- it should start with the username/password scene if there no/0 tunnels setup (e.g. fresh install) - the "add" step is unneeded in most basic use case
- if you have the Mikrotik app with saved passwords, it be nice if the BTH used/access those (or y'all just used the keychain)
- if you click the name of the tunnel, that's what should expand the selector shown at bottom
- ... similarly perhaps a gear icon or something at bottom, so to the tunnel selector tab at bottom isn't always shown (e.g. make UI look more complex if there is only simple "single router home" case).
 
Jotne
Forum Guru
Posts: 3333
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: NEW FEATURE: Back to Home VPN

Wed Aug 02, 2023 8:20 am

I take the silence from MT about "Back to Home" on mips some like this:
* We can get it to work, but we like to phase out the mips series, so it will not be supported.
* We have problem to get it to work, so we wait to inform about status for mips until we have a good answer to give.
Should not be hard to implement since Wireguard works fine today on mips devices.
 
satman1w
Member Candidate
Posts: 287
Joined: Mon Oct 02, 2006 11:47 am

Re: NEW FEATURE: Back to Home VPN

Fri Aug 04, 2023 9:22 am

Excellent idea, but... QR code is huge and unreadable...
I have managed to read the QR code only after importing hashes from screen dump to Excel, and replacing them with black or white squares.
Can you make it smaller to fit the screen or exportable somehow?
 
Kanzler
Member Candidate
Posts: 133
Joined: Wed Oct 05, 2022 6:55 pm
Location: Ukraine

Re: NEW FEATURE: Back to Home VPN

Fri Aug 04, 2023 10:50 am

@satman1w, Are you sure you're using the latest version of Winbox(3.39)?
 
nonolk
just joined
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: NEW FEATURE: Back to Home VPN

Fri Aug 04, 2023 2:12 pm

Hello everyone,

@Normis, the application is still not available in France on iOS, searching for it gives no results, and using the direct link says « this application is not available in your country ». I don’t think it’s wished.

Regards,
 
gigabyte091
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Fri Aug 04, 2023 9:58 pm

Did anybody try to play with site-to-site configuration?
 
fqx
newbie
Posts: 27
Joined: Tue Dec 20, 2016 2:24 pm

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 5:55 am

there was an application called Tailscale.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 8:53 am

> Hello everyone,
>
> @Normis, the application is still not available in France on iOS, searching for it gives no results, and using the direct link says « this application is not available in your country ». I don’t think it’s wished.
>
> Regards,
It does find it for me, if you search for MikroTik, but it's below some other results. So use the link
https://apps.apple.com/lv/app/mikrotik- ... 6450679198
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 9:22 am

Maybe Apple has additional requirements for France App Store? Between Apple and France... easy to imagine might be some additional paperwork... ;)
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 9:26 am

Sorry, update about France. It looks like France is banning encryption apps, so this is why we could not release it there. They require special approval from the government to release app that encrypts data. https://www.ssi.gouv.fr/en/regulation/c ... pplication
 
rextended
Forum Guru
Posts: 12379
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 10:10 am

> Sorry, update about France. It looks like France is banning encryption apps, so this is why we could not release it there. They require special approval from the government to release app that encrypts data. https://www.ssi.gouv.fr/en/regulation/c ... pplication
Are we kidding?
They are ridiculous.

If they do it for terrorism, imagine if blocking the app in the store prevents criminals from installing it anyway, or evidently using even safer alternative means...
 
nonolk
just joined
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 11:05 am

@Normis, I think you misinterpreted this rule, because it applies to cryptography solutions (new systems, new cyphers….), and even more it seems only to apply when you are selling something, importing or exporting goods…. Otherwise even selling routers, switches with vpn technology should also require it.

Other example, wireguard, openvpn and so on also have their own apps present in the AppStore… so there I don’t see any valuable reason
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 11:35 am

It was a request from Apple to submit that paper
 
nonolk
just joined
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 11:40 am

@Normis, so here it’s just a misunderstanding from their side…

I will try to use my US account to get it
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 11:47 am

I tried to submit an appeal. Try again in a moment.
 
nonolk
just joined
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 1:02 pm

@Normis, ok just tell me when to try ;-) But I know that it could take a while to make Apple change their mind.

Anyway thank you for your answer and great work.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 2:04 pm

try now
 
nonolk
just joined
Posts: 23
Joined: Fri Jun 11, 2021 4:56 pm

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 2:38 pm

@Normis it is available now… thank you
 
Josephny
Long time Member
Posts: 597
Joined: Tue Sep 20, 2022 12:11 am

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 3:23 pm

I've been holding my breath waiting for BTH to be available on mmips and I'm about to pass out.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 4:38 pm

> I take the silence from MT about "Back to Home" on mips some like this:
> * We can get it to work, but we like to phase out the mips series, so it will not be supported.
> * We have problem to get it to work, so we wait to inform about status for mips until we have a good answer to give.
Well, can't blame Apple or French regulations on the MIPS topic...
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 9:53 pm

So, why did you make great devices like LtAP or LtAP mini with MIPS architecture instead of ARM? Is there a plan to launch something like it with ARM architecture?
 
HACKFRAUD
newbie
Posts: 26
Joined: Sat Apr 01, 2023 6:22 pm

Re: NEW FEATURE: Back to Home VPN

Mon Aug 07, 2023 11:03 pm

Does it work when admin nazis block all udp ports?
I was trying to connect to home LAN using Wireguard once on public wifi in Bratislava, everything was blocked.
I was able to connect using Wireguard from a plane flying over USA, it's a great VPN with fast speeds.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 2:51 am

> Does it work when admin nazis block all udp ports?
I don't think so... it's still WG under-the-covers. But ZeroTier should support TCP fallback if a NAT-punching VPN is needed as an alternative when faced with a "ZeroUDP" network.
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 6:15 am

i wish if i can do that with laptop
 
antonsb
MikroTik Support
Posts: 397
Joined: Sun Jul 24, 2016 3:12 pm
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 8:05 am

> i wish if i can do that with laptop
You can. Configure it as regular wireguard on PC.
 
satman1w
Member Candidate
Posts: 287
Joined: Mon Oct 02, 2006 11:47 am

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 9:04 am

> @satman1w, Are you sure you're using the latest version of Winbox(3.39)?
Now, I do..

:-D

and it looks much better

:-D
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 9:45 am

> You can. Configure it as regular wireguard on PC.

I was thinking to use the fancy way of back-to-home, but still I can use your CHR server without opening port on my Main Router, which is great

Thanks @antonsb!
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 9:46 am

You can. Winbox BTH menu shows the code to copy into your Wireguard app on your PC (also a QR code). It will use the fancy BTH when you do, so it will work behind NAT too, even if you don't use BTH app in your phone.
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 2:42 pm

Okay, so what we have here is a way to connect back to the router using any device remotely, via the Mikrotik provided cloud ( third party substitute inbound ).
Assuming this is for access to the config but could be used to access subnets? Will play today.
Assuming this makes it easier than what I have already done EONS ago which is setup a wireguard connection on my iphone to the router directly and then using the wireguard APP to access my router etc......... ( Assuming the new app blends the two into one process ? )

The main difference is the MT Cloud removes anyone from not being able to access their router due to CGNAT, non-public IP, no access to port forward on upstream router!!!

IF so, a BIG THANKS to MT, for making themselves a relay server.
Almost as generous as zerotrust cloudflare tunnel for hosting servers without exposing public IP, coming to all mikrotik devices, from a smarter MT, in a parallel universe. :-)
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 2:43 pm

It is the same wireguard, just smarter - because if your home router is on private IP, it still works.
MikroTik relay is only involved in this case. IF you have public IP, it's just a direct wireguard, no relay.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 5:55 pm

IF so, a BIG THANKS to MT, for making themselves a relay server.
Almost as generous as zerotrust cloudflare tunnel for hosting servers without exposing public IP, coming to all mikrotik devices, from a smarter MT, in a parallel universe. :-)
There's room for more tabs in IP>Cloud for other future proxies ;) ... just not for poor LtAP and KNOT owners that would really benefit from BTH...
 
anuser
Long time Member
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 8:29 pm

Dreaming of an easy solution for our xx.xxx students:

- Back To Home
- Shibboleth login
- Full IPv4 + IPv6 dual stack tunnel after connect
 
User avatar
own3r1138
Forum Veteran
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 9:00 pm

MikroTik relay is only involved in this case. IF you have public IP, it's just a direct wireguard, no relay.
I have a valid dynamic IP which is obtained via PPPOE. However, BTH didn't have a direct IPv4 connection.
2023-08-08_02-26-21.jpg
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Aug 08, 2023 9:27 pm

Dreaming of an easy solution for our xx.xxx students:

- Back To Home
- Shibboleth login
- Full IPv4 + IPv6 dual stack tunnel after connect
Interesting idea...

Yeah Mikrotik BTH app uses the local router to authenticate someone, which then gets the peer's WG config using some RouterOS API. So not far off. [ Maybe sooner than xMIPSx ]

Getting WG creds — without some manual key exchange process — is something the BTH app does that seems really helpful if you wanted to use WG at scale. It may not be fully appreciated here that the BTH app does not need a QR code, or providing someone keys. Only the standard WG app needs(/likes) the QR. Instead, the BTH app essentially turns a RouterOS username/password into a configured WG peer (*if port allowed to Mikrotik & user creds valid). e.g. none of the problems with how to get WG peer's key to someone...

The issue I suspect is BTH requires at least "write" policy on the router (e.g. "BTH" is NOT a policy AFAIK). I'd imagine BTH authentication goes through RADIUS since BTH seemingly uses winbox login (but dunno, didn't test). But some policy to allow control of BTH peer creation via RADIUS gets you pretty close to SAML/Shibboleth SSO since WG supports IPv6 already. Ideal being the BTH app could be used by your students to create the WG to your network... indirectly, using BTH auth->RouterOS->RADIUS->SAML = WG-peer on phone.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Aug 09, 2023 7:51 am

MikroTik relay is only involved in this case. IF you have public IP, it's just a direct wireguard, no relay.
I have a valid dynamic IP which is obtained via PPPOE. However, BTH didn't have a direct IPv4 connection.
2023-08-08_02-26-21.jpg
Apparently it was not possible to connect to it, maybe ISP blocking something
 
User avatar
own3r1138
Forum Veteran
Forum Veteran
Posts: 727
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Aug 09, 2023 2:53 pm



I have a valid dynamic IP which is obtained via PPPOE. However, BTH didn't have a direct IPv4 connection.
2023-08-08_02-26-21.jpg
Apparently it was not possible to connect to it, maybe ISP blocking something
Well, I use the main WG tunnel daily. Does the BTH check the tunnel connectivity from your server? Because Wireguard to/from outside my region is blocked.
 
User avatar
mtiksense
just joined
Posts: 4
Joined: Sat Mar 19, 2016 6:57 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 15, 2023 3:53 pm

"Available from 7.11 (currently in RC)"


Mikrotik RB4011iGS+5HacQ2HnD-IN on stable ROS 7.11 didn't get a Back to Home VPN option.

??
 
ToTheFull
Member
Member
Posts: 367
Joined: Fri Mar 24, 2023 3:24 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 15, 2023 3:57 pm

"Available from 7.11 (currently in RC)"


Mikrotik RB4011iGS+5HacQ2HnD-IN on stable ROS 7.11 didn't get a Back to Home VPN option.

??
They had a change of heart!
viewtopic.php?t=198228#p1018758
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Aug 15, 2023 4:34 pm

"Available from 7.11 (currently in RC)" ....
They had a change of heart!
viewtopic.php?t=198228#p1018758
I think if you had the configuration from the 7.11rc...and upgrade to 7.11stable, it keeps the configuration at least. Or at least that's what I see.
So I don't think it breaks for previous beta users — since it really just creates the config needed for WG, the peers remain after upgrade.
Now since the UI is not in the stable build, you cannot enable it, or set up new BTH peers – until 7.12beta comes out (if I'm reading MT's post right).
 
ToTheFull
Member
Member
Posts: 367
Joined: Fri Mar 24, 2023 3:24 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 15, 2023 4:39 pm

I moved straight to 7.12alpha...
Sorry if I gave bad info.
 
User avatar
carl0s
Member Candidate
Member Candidate
Posts: 193
Joined: Thu Jun 25, 2009 7:18 pm

Re: NEW FEATURE: Back to Home VPN

Fri Aug 18, 2023 10:05 am

Pretty cool.

I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses
 
PackElend
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: NEW FEATURE: Back to Home VPN

Fri Aug 18, 2023 10:14 am

Will this solution allow VPN via 443 only and to accept custom Root CA?
That would allow reaching the router out of corporate networks.

Thx
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Fri Aug 18, 2023 10:20 am

Pretty cool.

I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses
Maybe something like hAP ac2, it has USB, arm CPU, 5×1Gig eth ports, wifi but you can disable that if you don't need it. Or maybe new L009 ?
 
User avatar
carl0s
Member Candidate
Member Candidate
Posts: 193
Joined: Thu Jun 25, 2009 7:18 pm

Re: NEW FEATURE: Back to Home VPN

Fri Aug 18, 2023 11:06 am

Pretty cool.

I do still buy Hex (RB 750gr3) though. They're good spec, dual core, SD slot, IPsec acceleration, so feels like they should not be left behind. I'm not sure there is a direct replacement for that model? Maybe hap ax2 is close but they have different uses
Maybe something like hAP ac2, it has USB, arm CPU, 5×1Gig eth ports, wifi but you can disable that if you don't need it. Or maybe new L009 ?
Yes it's close. It's just the USB feels fragile and temporary. Although, I haven't really been using the SD. It's just that I think I should, and might use it, for capsman firmware updates.
Also, using a wireless router for the non-wireless role just looks confusing. Like, someone might think "is this thing working?" or something.
The rb750gr3 has been my go-to mini main-router & capsman controller.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Fri Aug 18, 2023 12:24 pm

You can disable WiFi, or you can use L009 version without wifi
 
User avatar
rushlife
Member Candidate
Member Candidate
Posts: 250
Joined: Thu Nov 05, 2015 12:30 pm

Re: NEW FEATURE: Back to Home VPN

Tue Aug 22, 2023 8:14 am

Hi, new feature is really awesome. App for android and iPhone/iPad/MacBook already tested and they are great.
Will there also be an app for Windows?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Aug 22, 2023 9:13 am

For windows you can use Wireguard app https://www.wireguard.com/install/
You will need to copy the config from your router, that is provided in menu "IP > Cloud > BTH wireguard"
 
unizhu
just joined
Posts: 7
Joined: Sat May 21, 2016 11:41 am

Re: NEW FEATURE: Back to Home VPN

Fri Aug 25, 2023 2:36 am

What does "use local address" mean?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Fri Aug 25, 2023 12:33 pm

use-local-address is not for Back to Home. It is for Cloud DNS.
 
unizhu
just joined
Posts: 7
Joined: Sat May 21, 2016 11:41 am

Re: NEW FEATURE: Back to Home VPN

Fri Aug 25, 2023 5:44 pm

use-local-address is not for Back to Home. It is for Cloud DNS.
So what will happen if I enable use-local-address ? The Cloud DNS will be set to my local public ipv4 address?
 
User avatar
spippan
Member
Member
Posts: 429
Joined: Wed Nov 12, 2014 1:00 pm

Re: NEW FEATURE: Back to Home VPN

Fri Aug 25, 2023 6:11 pm

use-local-address is not for Back to Home. It is for Cloud DNS.
So what will happen if I enable use-local-address ? The Cloud DNS will be set to my local public ipv4 address?
it appears to be that way:
https://help.mikrotik.com/docs/display/ ... d-Advanced
 
PackElend
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: Back to Home VPN

Wed Aug 30, 2023 10:25 pm

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data
any chance that connection to the relay server goes via port 443?
So that I can use BTH from within restricted networks.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Aug 31, 2023 3:34 pm



So what will happen if I enable use-local-address ? The Cloud DNS will be set to my local public ipv4 address?
it appears to be that way:
https://help.mikrotik.com/docs/display/ ... d-Advanced
yes, but it does not matter for BTH. That is for Cloud DNS feature, unrelated to this topic. BTH does not care if you have public or private IP.
 
User avatar
spippan
Member
Member
Posts: 429
Joined: Wed Nov 12, 2014 1:00 pm

Re: NEW FEATURE: Back to Home VPN

Fri Sep 01, 2023 1:55 am

yes, but it does not matter for BTH. That is for Cloud DNS feature, unrelated to this topic. BTH does not care if you have public or private IP.
thanks for the clarification
 
Milecus
just joined
Posts: 2
Joined: Thu Oct 17, 2019 9:14 am

Re: NEW FEATURE: Back to Home VPN

Mon Sep 04, 2023 8:38 pm

I'd like to know what will be the consumption of BTH traffic in idle mode?
(device behind a NAT; a metered Internet connection; per day;)
Is there a possibility of optimization?
 
Jarek9008
just joined
Posts: 21
Joined: Sun Dec 05, 2021 12:38 pm

Re: NEW FEATURE: Back to Home VPN

Wed Sep 06, 2023 9:40 pm

Hi, I have a problem with the correct connection between Wireguard BTH and AdGuard Home, namely - AdGuard Home placed on the container, VETH interface in the main bridge, AdGuard address set as DNS in the DHCP server, Wireguard works properly as it should, I have access via a connection VPN with internal network, etc. - generally works, with one exception - in the Wireguard Client on Android, DNS set as the AdGuard address, it also works, but in the AdGuard admin panel in the logs this connection is shown at the Router's gateway address, not as the address assigned in Wireguard - the question is what to do that it works with Wireguard address in AdGuard admin panel? Thank you in advance for your help.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Sep 06, 2023 10:06 pm

[...] AdGuard Home placed on the container, VETH interface in the main bridge, AdGuard address set as DNS in the DHCP server, Wireguard works properly as it should [...] AdGuard admin panel in the logs this connection is shown at the Router's gateway address, not as the address assigned in Wireguard - the question is what to do that it works with Wireguard address in AdGuard admin panel? [...]
I suppose you can create a /ip/firewall/nat action=src-nat rule so the VETH's IP is masqueraded to router's WG address, when going out wireguard. Issue is the LAN subnet (including VETH) is likely already allowed addresses, so VETH is just another bridge member, so it uses the router's IP and thus using normal WAN NAT rule.
 
Jarek9008
just joined
Posts: 21
Joined: Sun Dec 05, 2021 12:38 pm

Re: NEW FEATURE: Back to Home VPN

Wed Sep 06, 2023 10:48 pm

[...] AdGuard Home placed on the container, VETH interface in the main bridge, AdGuard address set as DNS in the DHCP server, Wireguard works properly as it should [...] AdGuard admin panel in the logs this connection is shown at the Router's gateway address, not as the address assigned in Wireguard - the question is what to do that it works with Wireguard address in AdGuard admin panel? [...]
I suppose you can create a /ip/firewall/nat action=src-nat rule so the VETH's IP is masqueraded to router's WG address, when going out wireguard. Issue is the LAN subnet (including VETH) is likely already allowed addresses, so VETH is just another bridge member, so it uses the router's IP and thus using normal WAN NAT rule.
But I used Zerotier and in this case in AdGuard admin panel I saw ip address from Zerotier.
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Wed Sep 06, 2023 11:06 pm

What does "use local address" mean?
If your router is behind another router, enabling this checkbox will update the ddns entry with its local address (e.g. 192.168.1.x).
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Sep 06, 2023 11:26 pm

[...] Issue is the LAN subnet (including VETH) is likely already allowed addresses, so VETH is just another bridge member, so it uses the router's IP and thus using normal WAN NAT rule.
But I used Zerotier and in this case in AdGuard admin panel I saw ip address from Zerotier.

It was just one suggestion. BTH I believe NAT's everything via dynamically added NAT masquerade rule and that's what you're running into. Hard to visualize without config... but maybe better to use an accept rule for the dst-address of your AdGuard container, and place before the BTH NAT rule.

In other words — It's the default BTH NAT rule's behavior you need to work around since you can't disable BTH's NAT rule that's added automatically by RouterOS.

If ZeroTier is working, one less thing to worry about— it's just different than BTH. ;)
 
Jarek9008
just joined
Posts: 21
Joined: Sun Dec 05, 2021 12:38 pm

Re: NEW FEATURE: Back to Home VPN

Thu Sep 07, 2023 5:57 pm


But I used Zerotier and in this case in AdGuard admin panel I saw ip address from Zerotier.

It was just one suggestion. BTH I believe NAT's everything via dynamically added NAT masquerade rule and that's what you're running into. Hard to visualize without config... but maybe better to use an accept rule for the dst-address of your AdGuard container, and place before the BTH NAT rule.

In other words — It's the default BTH NAT rule's behavior you need to work around since you can't disable BTH's NAT rule that's added automatically by RouterOS.

If ZeroTier is working, one less thing to worry about— it's just different than BTH. ;)
I'm rather a beginner with Mikrotik, so can you write me how the NAT rule should look, which I need to place before this dynamic BTH NAT rule?
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Sep 07, 2023 7:40 pm

In other words — It's the default BTH NAT rule's behavior you need to work around since you can't disable BTH's NAT rule that's added automatically by RouterOS.
I'm rather a beginner with Mikrotik, so can you write me how the NAT rule should look, which I need to place before this dynamic BTH NAT rule?
Hard to do this blind without config. And there may be other solutions and/or other firewall may affect the solution... but something like this:
/ip/firewall/nat add action=accept protocol=udp port=53 src-address=192.168.216.2 place-before=0 chain=srcnat
/ip/firewall/nat add action=accept protocol=tcp port=53 src-address=192.168.216.2 place-before=0 chain=srcnat
The action=accept says to not NAT traffic from the WG BTH peer's IP to UDP or TCP to the DNS port 53. Since the BTH NAT rule (e.g. with the "D" in the leftmost column) is first by default, these need to be before that rule, which is what the place-before=0 does. You can do the same in winbox by creating the rules in IP > Firewall > NAT, setting protocol, port, etc. and dragging the new rules to the first in the list.

What I don't know myself is how aggressive BTH's dynamic NAT rule is... e.g. will the BTH NAT rule move itself first in the list via some reboot/background process/config changes.
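
Why the rule order in the post above matters, as an added example that is not part of the original post: a simplified Python model of first-match source-NAT evaluation, run against both orderings. Only 192.168.216.2 and port 53 come from the thread; the AdGuard and router addresses, and what the dynamic BTH rule matches, are assumptions.

```python
"""Simplified model of a srcnat chain: rules are tried in order, first match decides.

All addresses and rules below are constructed sample data, not a router export.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class NatRule:
    action: str                     # "accept" = leave the packet un-NATed
    src: Optional[str] = None       # address or CIDR; None matches any source
    proto: Optional[str] = None
    port: Optional[int] = None      # like port=: source OR destination port
    dynamic: bool = False
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.src and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        return True


def evaluate(chain: List[NatRule], pkt: Packet,
             router_addr: str) -> Tuple[str, Optional[int]]:
    """Return (source address the destination will log, index of deciding rule)."""
    for index, rule in enumerate(chain):
        if rule.matches(pkt):
            seen = pkt.src if rule.action == "accept" else router_addr
            return seen, index
    return pkt.src, None            # no rule matched: packet leaves untouched


def exemptions_after_dynamic(chain: List[NatRule]) -> List[str]:
    """Accept rules that sit below a dynamic rule and may never be reached."""
    seen_dynamic, shadowed = False, []
    for rule in chain:
        if rule.dynamic:
            seen_dynamic = True
        elif seen_dynamic and rule.action == "accept":
            shadowed.append(rule.comment)
    return shadowed


PEER = "192.168.216.2"      # BTH peer address used in the post's rules
ADGUARD = "192.168.88.53"   # assumed container (VETH) address
ROUTER = "192.168.88.1"     # assumed router address on the bridge

EXEMPT_UDP = NatRule("accept", src=PEER, proto="udp", port=53, comment="dns-udp")
EXEMPT_TCP = NatRule("accept", src=PEER, proto="tcp", port=53, comment="dns-tcp")
# Assumption: the dynamic BTH rule masquerades everything from the peer subnet.
BTH_DYNAMIC = NatRule("masquerade", src="192.168.216.0/24", dynamic=True,
                      comment="bth-dynamic")

GOOD_ORDER = [EXEMPT_UDP, EXEMPT_TCP, BTH_DYNAMIC]   # exemptions placed first
BAD_ORDER = [BTH_DYNAMIC, EXEMPT_UDP, EXEMPT_TCP]    # dynamic rule back on top

DNS_UDP = Packet(PEER, ADGUARD, "udp", 51000, 53)
DNS_TCP = Packet(PEER, ADGUARD, "tcp", 51002, 53)
WEB = Packet(PEER, "192.168.88.10", "tcp", 51001, 443)
LAN_DNS = Packet("192.168.88.20", ADGUARD, "udp", 40000, 53)

if __name__ == "__main__":
    for name, chain in (("exemptions first", GOOD_ORDER),
                        ("dynamic rule first", BAD_ORDER)):
        seen, idx = evaluate(chain, DNS_UDP, ROUTER)
        print(f"{name}: AdGuard logs {seen} (decided by rule {idx}); "
              f"shadowed exemptions: {exemptions_after_dynamic(chain)}")
```

With the exemptions first, DNS queries reach AdGuard with the peer's own address while all other peer traffic is still masqueraded; if the dynamic rule ends up above them, every query is logged under the router's address again.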
 
Jarek9008
just joined
Posts: 21
Joined: Sun Dec 05, 2021 12:38 pm

Re: NEW FEATURE: Back to Home VPN

Thu Sep 07, 2023 10:00 pm


I'm rather a beginner with Mikrotik, so can you write me how the NAT rule should look, which I need to place before this dynamic BTH NAT rule?
Hard to do this blind without config. And there may be other solutions and/or other firewall may affect the solution... but something like this:
/ip/firewall/nat add action=accept protocol=udp port=53 src-address=192.168.216.2 place-before=0 chain=srcnat
/ip/firewall/nat add action=accept protocol=tcp port=53 src-address=192.168.216.2 place-before=0 chain=srcnat
The action=accept says to not NAT traffic from the WG BTH peer's IP to UDP or TCP to the DNS port 53. Since the BTH NAT rule (e.g. with the "D" in the leftmost column) is first by default, these need to be before that rule, which is what the place-before=0 does. You can do the same in winbox by creating the rules in IP > Firewall > NAT, setting protocol, port, etc. and dragging the new rules to the first in the list.

What I don't know myself is how aggressive BTH's dynamic NAT rule is... e.g. will the BTH NAT rule move itself first in the list via some reboot/background process/config changes.
Thank You very much for help - it works! 👍🙂
 
zandhaas
Frequent Visitor
Frequent Visitor
Posts: 74
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: NEW FEATURE: Back to Home VPN

Fri Sep 08, 2023 9:51 am

I'm using the iPhone BTH app.
Yesterday I encountered the app was not able to connect anymore. Reason unknown so far.

But when I added a new tunnel to the same router everything worked again but........
I then wanted to remove the old tunnel from the app. I could not find a delete option so I had to remove the app and reinstall it again after which I again had to add a new tunnel.

Two questions:

It would be nice to have a delete option for tunnels in the app and
A number somewhere in the configuration to see which router BTH config belongs to which tunnel in the app so it's easy to remove the old router BTH configs
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Fri Sep 08, 2023 11:20 am

The BTH config name matches the system VPN tunnel name already.
We plan to add "delete tunnel" feature in the app.

If you see such a situation that tunnel is not working, make a supout.rif file and email us, maybe support can see what happened.
 
zandhaas
Frequent Visitor
Frequent Visitor
Posts: 74
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: NEW FEATURE: Back to Home VPN

Fri Sep 08, 2023 1:58 pm

The BTH config name matches the system VPN tunnel name already.
We plan to add "delete tunnel" feature in the app.

If you see such a situation that tunnel is not working, make a supout.rif file and email us, maybe support can see what happened.
For the new tunnel I configured the same tunnel name so .....

And I'm still running ROS 7.11 beta7 and the iPhone app was updated a week ago or so. My thought was that it could have impact. So I did not open a ticket. Next time I will not think too much myself and leave it to you :)
 
User avatar
stmx38
Long time Member
Long time Member
Posts: 646
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: Back to Home VPN

Sat Sep 16, 2023 7:52 am

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data
any chance that connection to the relay server goes via port 443?
So that I can use BTH from within restricted networks.
Get into the same issue at least twice and was not able to use VPN. Is there a way to set 443 port?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Sep 18, 2023 8:28 am

In your country is there like a whole range of blocked ports, or how does that work?
 
User avatar
stmx38
Long time Member
Long time Member
Posts: 646
Joined: Thu Feb 14, 2008 4:03 pm
Location: Moldova, Chisinau

Re: NEW FEATURE: Back to Home VPN

Mon Sep 18, 2023 3:52 pm

In your country is there like a whole range of blocked ports, or how does that work?
The last time it happened when I was at Nova Poshta office in Ukraine and tried to connect to my home router to make a call to local Nova Poshta office. I didn't check ports, but my voice app didn't work and probably because of the blocked ports, this is why I've tried to use BTH. By the end I've switched to Skype Out.

I had similar issue in the Romanian Airport.
 
miankamran7100
Member Candidate
Member Candidate
Posts: 281
Joined: Tue Sep 17, 2019 9:28 am

Re: NEW FEATURE: Back to Home VPN

Sun Sep 24, 2023 9:17 pm

Dear all concerned,
Unexpected behavior of BTH. Sometimes BTH on the Windows wireguard client is connected and works smoothly. After some time it's not connected and I have tried many times to disable and enable BTH in IP Cloud, but no result, still not connecting.
It is not a permanent solution.
I tried many times on many sites on different ISPs but still have the same problem.
I thought the Mikrotik BTH relay server was down???? or maybe there is a bug in the ROS
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Sun Sep 24, 2023 9:24 pm

Tested right now, relay is working without a problem. Maybe problem is on windows machine ?

Did you try to connect with mobile app ?
 
User avatar
TeWe
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: NEW FEATURE: Back to Home VPN

Sun Sep 24, 2023 10:01 pm

Working fine for me as well.

miankamran7100 - could it be a problem with your laptop's WiFi?
Intel released a new Windows driver these days which finally resolves those random disconnect issues (22.250.1).
Mentioned here: https://www.neowin.net/news/intel-relea ... ss-issues/
and here: https://downloadmirror.intel.com/788770 ... .250.1.pdf
 
miankamran7100
Member Candidate
Member Candidate
Posts: 281
Joined: Tue Sep 17, 2019 9:28 am

Re: NEW FEATURE: Back to Home VPN

Sun Sep 24, 2023 10:48 pm

Tested right now, relay is working without a problem. Maybe problem is on windows machine ?

Did you try to connect with mobile app ?
I have tried to reconnect now it's working.
I don't know why it's happening.
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 6:49 am

Is there any issue with Back_To_home?

I'm no longer able to ping = 78.28.208.100
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 7:07 am

Actually, my issue is when I'm using LTE I'm not able to establish back to home
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 8:15 am

Back to home works like it should, at least for me, just test it, I'm connecting to my home router via app, speeds and ping as usual. Also can't ping 78.28.208.100
 
User avatar
Smoerrebroed
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Mon Feb 12, 2018 10:21 am

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 9:10 am

Correction: Apparently now you need to run 7.12. I just tested with my RB5009 on 7.11.2 and it complains that the device isn't compatible. :(
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 9:15 am

Just update to latest beta, it's stable.
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 9:32 am

yeah it does work, but transferring from one to another it takes too long.

That is my job to find out why
 
axe3
just joined
Posts: 6
Joined: Wed Mar 08, 2023 1:54 pm

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 5:40 pm

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 5:42 pm

I think that is a phone OS limitation. If I remember correctly, you can't use any VPN through mobile hotspot. Each connected device needs to connect on their own.
 
axe3
just joined
Posts: 6
Joined: Wed Mar 08, 2023 1:54 pm

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 7:05 pm

Apparently there's a workaround, by using a proxy. I've seen that something like superproxy or everyproxy, which do not require Android root permissions, can be used to share a VPN connection. I suppose then it would be possible to integrate such functionality within a VPN app.
 
User avatar
Smoerrebroed
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Mon Feb 12, 2018 10:21 am

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 11:05 pm

Just update to latest beta, it's stable.
Oh, I'm sure that'll work, but the starting post in this thread mentions ROS 7.11 as a requirement, and that is no longer accurate.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Sep 25, 2023 11:30 pm

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?
I think there is a double-NAT going on when you use a mobile hotspot... That might be solvable.
- You might be able to set the Mikrotik as the "DMZ host" if your hotspot has admin page/screen.
- The other way, perhaps, is involving https://help.mikrotik.com/docs/display/ ... pendentNAT but you need to look at the traffic flows to know if that would work/help.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Tue Sep 26, 2023 8:00 am

Oh, I'm sure that'll work, but the starting post in this thread mentions ROS 7.11 as a requirement, and that is no longer accurate.
That should be changed now because Mikrotik stated that BTH won't be available in ROS 7.11 but can be used from 7.12beta and up.
 
axe3
just joined
Posts: 6
Joined: Wed Mar 08, 2023 1:54 pm

Re: NEW FEATURE: Back to Home VPN

Tue Sep 26, 2023 12:11 pm

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?
I think there is a double-NAT going on when you use a mobile hotspot... That might be solvable.
- You might be able to set the Mikrotik as the "DMZ host" if your hotspot has admin page/screen.
- The other way, perhaps, is involving https://help.mikrotik.com/docs/display/ ... pendentNAT but you need to look at the traffic flows to know if that would work/help.
I'm a bit confused by your answer, I think you might be talking about a different kind of hotspot?
What I'm talking about is the 'Mobile Hotspot' functionality in Android. It's for sharing your phone's mobile data with other devices as a wifi network. The issue with this is that if you enable a VPN on your phone, the traffic originating from the phone is routed through the VPN, but (relevant to my 'Feature request') the phone does not route traffic from the other tethered devices connected to the phone's 'Mobile Hotspot' over the VPN tunnel; it goes directly out to the internet. Since this is the case, clearly your second suggestion does not apply, since the tethered traffic would never hit the Mikrotik device. I'm guessing your first suggestion also isn't talking about the Android 'Mobile Hotspot' feature.
But seeing as there are workarounds to this using proxies like superproxy or everyproxy I wonder if this functionality could be included within the VPN app, so no additional workaround is needed.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Sep 26, 2023 12:13 pm

Can you name a commercial VPN solution that has such functionality? We can't make a solution based on workarounds, especially if it's not supported in all OS.
 
axe3
just joined
Posts: 6
Joined: Wed Mar 08, 2023 1:54 pm

Re: NEW FEATURE: Back to Home VPN

Tue Sep 26, 2023 12:34 pm

No, I'm not aware of any (I haven't looked for such). But I would be interested to have my computer appear to be at home while using my phone's mobile data without having to do additional setup on the computer itself. I suppose this kind of functionality would have to be an optional feature, as at least the mentioned proxies are protocol specific (e.g. http/https) and not general purpose for all traffic?
 
PackElend
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: NEW FEATURE: Back to Home VPN

Tue Sep 26, 2023 12:39 pm

If I'm not mistaken this
But seeing as there are workarounds to this using proxies like superproxy or everyproxy I wonder if this functionality could be included within the VPN app, so no additional workaround is needed.
could solve this

any chance that connection to the relay server goes via port 443?
So that I can use BTH from within restricted networks.
Get into the same issue at least twice and was not able to use VPN. Is there a way to set 443 port?
?

Can you name a commercial VPN solution that has such functionality? We can't make a solution based on workarounds, especially if it's not supported in all OS.
would rather have a unique selling point instead of copying another provider.
Don't you think that is worth providing such a feature?
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1082
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Sep 26, 2023 12:57 pm

If you have these requirements you should think about using a Mikrotik device with LTE modem. You can set up routing to your needs there.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Sep 26, 2023 5:40 pm

Re "mobile hotspot" — my bad, iPhone user here — I thought you meant an external device, not the "tethering" with Android. But it's a double-NAT and the CGNAT may not be able to map the needed BTH port.

Can you name a commercial VPN solution that has such functionality? We can't make a solution based on workarounds, especially if it's not supported in all OS.
If you consider WebRTC's DataChannels/SCTP as a VPN, they use ICE (plus STUN/TURN) "things" to help figure out the NAT situation to transport data through NAT/firewall.

But BTH could do the ICE/STUN/TURN standard dance (outside of WebRTC/SIP) on /ip/cloud's backend, to augment port selection for BTH/WG. That would be useful even without BTH to do "NAT type detection" inside RouterOS.
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Mon Oct 02, 2023 7:35 am

qr code doesn't work any more.
was working fine before upgrading
 
User avatar
petardo
newbie
Posts: 30
Joined: Fri Sep 25, 2015 4:06 pm

Re: NEW FEATURE: Back to Home VPN

Wed Oct 04, 2023 4:46 pm

BTH doesn't support mips cpu.
At most of our premises we have hEX as the main router - which is not supported yet.
Is it a good idea to use hAP ax lite instead of hEX? Does it have the same throughput?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Wed Oct 04, 2023 5:39 pm

Don't make a mistake about the name 'lite'.
AX Lite is performance-wise not that much worse than hEX.
 
User avatar
petardo
newbie
Posts: 30
Joined: Fri Sep 25, 2015 4:06 pm

Re: NEW FEATURE: Back to Home VPN

Wed Oct 04, 2023 8:04 pm

Thanks for reply.
So, not that worse means worse? - I didn't find any info regarding this.
If worse, in which parameter worse?
My use case is simple wired router / firewall / Wireguard VPN.
If hAP ax lite is not worse for that use case I'll buy that instead of hEX in the future - hence cheaper and BTH compatible.
(WIFI will be switched off)
 
holvoetn
Forum Guru
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Wed Oct 04, 2023 8:13 pm

Check test results of both devices but keep in mind results from Hex are ROS6 based, AX Lite are ROS7 based.

I did some rudimentary testing with AX Lite using 3 VPN protocols: wireguard, zerotier and ipsec.
See here:
viewtopic.php?t=193126
 
User avatar
petardo
newbie
Posts: 30
Joined: Fri Sep 25, 2015 4:06 pm

Re: NEW FEATURE: Back to Home VPN

Wed Oct 04, 2023 9:07 pm

I didn't find any hEX results in that thread
 
holvoetn
Forum Guru
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Wed Oct 04, 2023 9:13 pm

Logical.
I didn't say I tested that one (I do have it, was my very first MT device).
Do your own testing :lol:

I was also referring to test results on product pages for both devices.
 
User avatar
petardo
newbie
Posts: 30
Joined: Fri Sep 25, 2015 4:06 pm

Re: NEW FEATURE: Back to Home VPN

Wed Oct 04, 2023 9:56 pm

https://1drv.ms/i/s!Aukw5KCzXdEthpw4MTL ... Q?e=L6hcwG
Rather mixed picture, dependent on packet size.
What do you think?

Additional thoughts:
As I just noticed, hAP AC2 is not much more expensive and outperforms both hEX and hAP AX Lite.
I just don't like it because of its warming issue.
However with wireless off hopefully no warming issue exists.
 
miankamran7100
Member Candidate
Member Candidate
Posts: 281
Joined: Tue Sep 17, 2019 9:28 am

Re: NEW FEATURE: Back to Home VPN

Mon Oct 09, 2023 11:38 pm

not able to SCAN wireguard QR Codes on mobile phones?
How to Scan QR Code.
It is not shown fully in Mikrotik Windows.
It shows half.

Help...
 
User avatar
NetHorror
just joined
Posts: 22
Joined: Fri Dec 06, 2013 8:12 am

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 1:15 am

AX3 is ARM64!! (7.12rc1)

and for AC3 too!!
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 5:39 am

BTH is only available in beta versions of ROS for now. You need to install beta version of ROS if you want to use BTH.
 
nostromog
Member Candidate
Member Candidate
Posts: 226
Joined: Wed Jul 18, 2018 3:39 pm

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 10:39 am

I tried it with a hAP AC2, upgrading from 7.11.2 and got a boot-loop. Slow: boot, crash, reboot. Fortunately I was able to downgrade (fast SSH through several boot-crash-reboot cycles) and regained control. So I will wait for a while to install 7.12
 
User avatar
NetHorror
just joined
Posts: 22
Joined: Fri Dec 06, 2013 8:12 am

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 12:14 pm

BTH is only available in beta versions of ROS for now. You need to install beta version of ROS if you want to use BTH.
It was in RC1 changelog.

==================================

Where I can find beta with BTH with changes in RC1?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 12:38 pm

As @holvoetn said:
Use URL for rc package and modify as needed.
It worked for me just fine.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 2:06 pm

new BTH will come in 7.13beta1
 
User avatar
TeWe
Frequent Visitor
Frequent Visitor
Posts: 56
Joined: Tue Sep 12, 2023 1:27 pm

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 2:09 pm

 
PackElend
Member Candidate
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 2:26 pm

new BTH will come in 7.13beta1
What is the difference?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Oct 10, 2023 2:41 pm

You will see when it comes out :D
 
hlp937
just joined
Posts: 1
Joined: Fri Dec 30, 2016 4:17 am
Location: USA

Re: NEW FEATURE: Back to Home VPN

Wed Oct 11, 2023 8:10 pm

While in Beta, we have a relay in the MikroTik data center in Latvia. Depending on demand, we will expand to other regions and will launch relays in other countries. If somebody here works in a well connected data center with high speed connectivity, you are welcome to drop us an email :D
Hello, greetings, my name is Hector Prado, I live in the United States. What do you need to participate in this project?
my email is hlp937@gmail.com
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3333
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: NEW FEATURE: Back to Home VPN

Wed Oct 11, 2023 8:27 pm

Just download 7.12beta to an Arm router.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Wed Oct 11, 2023 8:38 pm

I think that Mr. Hector here is talking about what is needed for another relay station for BTH.

I think that best option is to contact Mikrotik support directly.
 
piotrek2555
just joined
Posts: 2
Joined: Fri Oct 13, 2023 11:36 pm

Re: NEW FEATURE: Back to Home VPN

Sun Oct 15, 2023 6:33 pm

Doesn't work on my hAP ac3 with 7.12rc1
 
holvoetn
Forum Guru
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Sun Oct 15, 2023 7:38 pm

Normal.
Wait for 7.13 beta or use 7.12 beta 9.

Feature has been disabled in rc and stable.
 
User avatar
NetHorror
just joined
Posts: 22
Joined: Fri Dec 06, 2013 8:12 am

Re: NEW FEATURE: Back to Home VPN

Sun Oct 15, 2023 9:01 pm

ROS 7.12beta9 + WinBox 3.40
 
User avatar
Jotne
Forum Guru
Forum Guru
Posts: 3333
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: NEW FEATURE: Back to Home VPN

Mon Oct 16, 2023 1:05 pm

It looks like many need to read the thread before posting.
1. Back to Home has been moved to v7.13 but can be found in 7.12beta releases.
2. QR code will be fixed
 
ToTheFull
Member
Member
Posts: 367
Joined: Fri Mar 24, 2023 3:24 pm

Re: NEW FEATURE: Back to Home VPN

Mon Oct 16, 2023 1:39 pm

Would this BTH work from my cap ax setup in caps mode? Thought process: off-load to the cap. I do intend to buy a 5009 but that won't be till I get better speed from an ISP some time next year. Modem>>hAP ax2>>cAP ax<<BTH setup
 
holvoetn
Forum Guru
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Mon Oct 16, 2023 1:57 pm

If the correct version is on that device, it should work.
But why not on AX2 ?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Oct 16, 2023 2:09 pm

you can run it on any of the devices in your network, but I personally would put it on the hAP ax2, yes
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Oct 16, 2023 2:17 pm

@holvoetn's question is a good one.
But why not on AX2 ?
While BTH should work* on a cAP downstream of ISP, it will be proxied via Latvia. Assuming the hAPax2 has a public IP, if BTH runs there it will NOT be proxied, and direct connection from remote BTH/WG client will be used. Proxying is slower and avoidable if BTH does run on a device with public IP. In theory, you can forward the BTH port from hAPax2 to the cAP, which avoids the proxy. But it's all easier if BTH is on the edge AX2 router.

* in a beta release
 
ToTheFull
Member
Member
Posts: 367
Joined: Fri Mar 24, 2023 3:24 pm

Re: NEW FEATURE: Back to Home VPN

Mon Oct 16, 2023 4:52 pm

Thanks for the Input all, I'll keep it on the AX2 as that makes it better from a proxy stand point alone.
I was just wanting to off-load whatever I could to save on the AX2 resources, but as recommended that isn't the best option.
 
axe3
just joined
Posts: 6
Joined: Wed Mar 08, 2023 1:54 pm

Re: NEW FEATURE: Back to Home VPN

Mon Oct 23, 2023 5:46 pm

Feature request: could you add the ability for this VPN to be used by devices connected to the Mobile Hotspot?
Anyway, irrespective of this comment, I want to say a big thanks to Mikrotik as the feature in any case solves an issue for me. I have a router behind CGNAT at one of my places which I want to access remotely and was planning to solve it with a free setup of a container with Cloudflare Quick tunnel + custom container that would update the randomly generated tunnelname to a git repo I have access to for cases I wanted to access the network.

Nice work, thanks! 😃
 
balves
just joined
Posts: 12
Joined: Fri Jan 13, 2017 8:00 pm

Re: NEW FEATURE: Back to Home VPN

Wed Nov 08, 2023 6:35 pm

It's a great feature, but there is one issue. When I connect to the VPN on my iPhone running iOS 17.1, I'm unable to access the router via SSH. I've been using iPhone shortcuts to enable or disable firewall rules, and it works perfectly through the web or the MikroTik app.

I have granted permission for the network 192.168.261.0/24 to access SSH through the firewall and in the services configuration.

Has anyone else encountered this issue and managed to find a solution?

Thanks
 
balves
just joined
Posts: 12
Joined: Fri Jan 13, 2017 8:00 pm

Re: NEW FEATURE: Back to Home VPN

Thu Nov 09, 2023 4:14 pm

It's a great feature, but there is one issue. When I connect to the VPN on my iPhone running iOS 17.1, I'm unable to access the router via SSH. I've been using iPhone shortcuts to enable or disable firewall rules, and it works perfectly through the web or the MikroTik app.

I have granted permission for the network 192.168.261.0/24 to access SSH through the firewall and in the services configuration.

Has anyone else encountered this issue and managed to find a solution?

Thanks
Solved it, forgot to add the network to the user!
 
kiaunel
Member Candidate
Member Candidate
Posts: 219
Joined: Mon Jul 21, 2014 7:59 pm
Location: Germany

Re: NEW FEATURE: Back to Home VPN

Fri Nov 10, 2023 5:13 pm

Any chance that in the app you can insert an option to manually disable the relay server? My case is that I have a local address on the MikroTik but all traffic is redirected from the modem. No, I cannot set up the modem in bridge mode. So for me any connection that goes to my public IP will arrive on the MikroTik. I think I am not the only one in this situation, so for many this feature will be useful.
 
User avatar
ROCCAT
just joined
Posts: 6
Joined: Fri Sep 15, 2023 11:11 pm
Location: Havana

Re: Back to Home VPN

Sun Nov 12, 2023 9:57 am

Answers to common questions:

1) It uses Wireguard and is a secure VPN
2) (If used) Relay does not decrypt your tunnel and has no access to your data
3) It secures your router with firewall, it does not open up full access to your router in any way
4) It is not a feature for anonymity, it is a home user feature for maximum ease of use.
5) If you wish, after you have enabled it with our BTH app, you can also connect using Wireguard on your computer. You can use the QR code in Winbox IP CLOUD menu to get the needed config to your computer
Hello, have you thought about integrating User Manager as a WireGuard administrator?

Greetings from CUBA.
 
sas2k
Frequent Visitor
Frequent Visitor
Posts: 89
Joined: Tue Jan 18, 2022 8:17 am

Re: NEW FEATURE: Back to Home VPN

Sun Nov 12, 2023 6:42 pm

@normis, Do you plan to make BTH available for MT7621A?
Thanks
 
User avatar
mantouboji
newbie
Posts: 47
Joined: Mon Aug 01, 2022 2:21 pm
Location: Shanghai

Re: NEW FEATURE: Back to Home VPN

Sun Nov 12, 2023 7:10 pm

BTH is good, but the problem is in the ddns of IP cloud.

The ddns detects the IP and IPv6 address automatically, but in my scenario, since I use WireGuard VPN to access any site out of China, the ddns will get the address of my VPS, not my real one, so BTH forward will fail.

So you'd better add an option to make ddns use the address of a local interface, for instance the pppoe-out1, rather than remote auto detect.
 
gjniewenhuijse
just joined
Posts: 20
Joined: Tue Jan 17, 2017 9:36 am

Re: NEW FEATURE: Back to Home VPN

Mon Nov 27, 2023 6:13 pm

I have a Hap ac^2 and a Hap ax^2. For both devices the IOS BTH app and Wireguard app works great.

But BTH doesn't work with a windows client for the hAP ac^2. Same config for hAP ax^2 works. I tried it on different windows devices and different clients. I can connect to the Hap ac^2 with winbox, but all menu items are empty. With ios app i see all the data.

What can be the problem?

I created the BTH function on the mikrotik devices with the BTH mikrotik app.
 
User avatar
nichky
Forum Guru
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Tue Nov 28, 2023 12:28 am

it does perfectly fine, i've added everything manually.
show us here how u do
 
gjniewenhuijse
just joined
Posts: 20
Joined: Tue Jan 17, 2017 9:36 am

Re: NEW FEATURE: Back to Home VPN

Tue Nov 28, 2023 11:16 am

I added the config with the BTH app, it created the right config. And as i say it works with ios, but not with the windows client. Only problems with 1 Mikrotik router, the others works great

My VPN Wireguard client config:

[Interface]
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.216.2/32,fc00:0:0:216::2/128
DNS = 8.8.8.8

[Peer]
PublicKey = //////////////////////////////////////////8=
AllowedIPs = 0.0.0.0/32
Endpoint = hcf07r99zar.sn.mynetname.net:12657
PersistentKeepalive = 15

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = hcf07r99zar.vpn.mynetname.net:12657
PersistentKeepalive = 15

Backup config:

# 2023-11-28 10:08:18 by RouterOS 7.12.1
# software id = 93RL-JAG9
#
# model = RBD52G-5HacD2HnD
# serial number = HCF07R99ZAR
/interface bridge
add admin-mac=DC:2C:6E:F5:66:60 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=wan name="ether1 wan"
set [ find default-name=ether2 ] comment=lan
/interface wireguard
add comment=back-to-home-vpn listen-port=12657 mtu=1420 name=back-to-home-vpn
/interface wireless manual-tx-power-table
set wlan2 comment=wifi
/interface wireless nstreme
set wlan2 comment=wifi
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=\
"profile gast" supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.8.10-192.168.8.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
/interface bridge filter
add action=drop chain=forward in-interface="wlan5 gast"
add action=drop chain=forward out-interface="wlan5 gast"
add action=drop chain=forward in-interface="wlan2 gast"
add action=drop chain=forward out-interface="wlan2 gast"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment=defconf interface=wlan5
add bridge=bridge interface="wlan5 gast"
add bridge=bridge interface="wlan2 gast"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 wan" list=WAN
/ip address
add address=192.168.8.1/24 comment=defconf interface=bridge network=\
192.168.8.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface="ether1 wan"
/ip dhcp-server network
add address=192.168.8.0/24 comment=defconf dns-server=192.168.8.1 gateway=\
192.168.8.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.8.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="accept router management from VPN" \
dst-address=192.168.8.1 dst-port=80,8291 in-interface-list=VPN protocol=\
tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="accept from VPN" dst-address=\
192.168.8.2 dst-port=80 in-interface-list=VPN protocol=tcp
add action=drop chain=forward comment="drop all from VPN" in-interface-list=\
VPN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=\
"ovpn client" pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="xxxxxxxx"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
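Added example, not part of the post above and not MikroTik tooling: a small Python reader for the `/export` text as posted, which rejoins the backslash-wrapped lines and reports firewall rules that reference an interface list with no static members, plus WireGuard interfaces that sit in no list. The excerpt is copied from the post, the function names are made up for this example, and it assumes that entries added dynamically at run time do not appear in an export, so a finding is a reason to check `/interface list member print` on the router rather than proof of a fault.

```python
import shlex
from collections import defaultdict

# Excerpt copied from the export in the post above (line wrapping as posted).
EXPORT = r'''
/interface wireguard
add comment=back-to-home-vpn listen-port=12657 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="ether1 wan" list=WAN
/ip firewall filter
add action=accept chain=input comment="accept router management from VPN" \
dst-address=192.168.8.1 dst-port=80,8291 in-interface-list=VPN protocol=\
tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="accept from VPN" dst-address=\
192.168.8.2 dst-port=80 in-interface-list=VPN protocol=tcp
add action=drop chain=forward comment="drop all from VPN" in-interface-list=\
VPN
'''

# Interface lists RouterOS provides itself; never reported as undefined.
BUILTIN_LISTS = {"all", "none", "dynamic", "static"}


def join_continuations(text):
    """Rejoin commands that the export wrapped with a trailing backslash."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (line.startswith("#") and not buf):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # keep any space that preceded the backslash
            continue
        logical.append(buf + line)
        buf = ""
    if buf:
        logical.append(buf)
    return logical


def parse_export(text):
    """Return [(menu_path, verb, params)] for every command in the export."""
    entries, path = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            path = line
            continue
        tokens = shlex.split(line)    # handles quoted values such as comments
        params = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:                   # skip positional tokens like "[ find ... ]"
                params[key] = value
        entries.append((path, tokens[0], params))
    return entries


def audit(entries):
    """Find filter rules whose interface list is undefined or has no static members."""
    defined, members, wg_ifaces = set(BUILTIN_LISTS), defaultdict(list), []
    for path, verb, p in entries:
        if verb != "add":
            continue
        if path == "/interface list":
            defined.add(p["name"])
        elif path == "/interface list member":
            members[p["list"]].append(p["interface"])
        elif path == "/interface wireguard":
            wg_ifaces.append(p["name"])

    findings = []
    for path, verb, p in entries:
        if verb != "add" or not path.endswith("firewall filter"):
            continue
        for key in ("in-interface-list", "out-interface-list"):
            name = p.get(key, "").lstrip("!")   # "!LAN" means "not in LAN"
            if not name or name in BUILTIN_LISTS:
                continue
            if name not in defined:
                problem = "undefined list"
            elif not members[name]:
                problem = "no static members"
            else:
                continue
            findings.append((p.get("chain"), p.get("action"), name, problem,
                             p.get("comment", "")))

    listed = {iface for ifaces in members.values() for iface in ifaces}
    unlisted_wg = [i for i in wg_ifaces if i not in listed]
    return findings, unlisted_wg


if __name__ == "__main__":
    findings, unlisted = audit(parse_export(EXPORT))
    for chain, action, name, problem, comment in findings:
        print(f"{chain:8} {action:7} list={name}: {problem}  ({comment})")
    for iface in unlisted:
        print(f"wireguard interface {iface} is in no interface list")
```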
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Nov 29, 2023 5:45 pm

We have released new Back To Home apps for both iPhone and Android. Some exciting new features have been added - sharing of tunnels. Normally you only could use one device to connect to the router (as seen above, using multiple devices causes problems).

Now you can invite others to use your router, by sending them time limited invites to your VPN. Share using a link, using a QR code, or even the Wireguard config file for using in your PC.

Try it out and let us know, how to improve the flow and user experience of the app!
Make sure you upgrade to at least RouterOS 7.12 and install the newest phone app released today
 
gjniewenhuijse
just joined
Posts: 20
Joined: Tue Jan 17, 2017 9:36 am

Re: NEW FEATURE: Back to Home VPN

Wed Nov 29, 2023 6:07 pm

how to remove existing BTH functionality and start from the beginning with the new app?
 
Juan58
just joined
Posts: 1
Joined: Fri May 07, 2021 7:34 pm

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 9:28 am

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of Audience is necessary every day for it to work. Audience is connected to the internet but without reboot BTH from the iPhone app no longer connects.
I don't understand what's blocking it. Disable/Enable of the WireGuard interface is not sufficient. DNS cache? Do you have any ideas?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 9:55 am

how to remove existing BTH functionality and start from the beginning with the new app?
IP -> Cloud -> BTH -> Revoke and Disable
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 9:55 am

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of Audience is necessary every day for it to work. Audience is connected to the internet but without reboot BTH from the iPhone app no longer connects.
I don't understand what's blocking it. Disable/Enable of the WireGuard interface is not sufficient. DNS cache? Do you have any ideas?
How do you mean "no longer connects". Is there an error somewhere? In the BTH app?
 
zandhaas
Frequent Visitor
Frequent Visitor
Posts: 74
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 10:01 am

how to remove existing BTH functionality and start from the beginning with the new app?
IP -> Cloud -> BTH -> Revoke and Disable
And how to remove existing connections from the app?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 10:02 am

in the phone settings go to VPN configuration and delete there
 
zandhaas
Frequent Visitor
Frequent Visitor
Posts: 74
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 10:05 am

in the phone settings go to VPN configuration and delete there
Thanx
 
gjniewenhuijse
just joined
Posts: 20
Joined: Tue Jan 17, 2017 9:36 am

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 12:43 pm

how to remove existing BTH functionality and start from the beginning with the new app?
IP -> Cloud -> BTH -> Revoke and Disable
Ok, nothing changed in the firmware for BTH. So revoke and disable and after that enabled doesn't change anything for my problem?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 12:48 pm

Like I said above, you can't use multiple devices with the same settings. You must use the new Share feature in the phone app, to make a separate tunnel for each new device.
 
Juan58
just joined
Posts: 1
Joined: Fri May 07, 2021 7:34 pm

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 2:29 pm

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of Audience is necessary every day for it to work. Audience is connected to the internet but without reboot BTH from the iPhone app no longer connects.
I don't understand what's blocking it. Disable/Enable of the WireGuard interface is not sufficient. DNS cache? Do you have any ideas?
How do you mean "no longer connects". Is there an error somewhere? In the BTH app?
The application remains in the connecting state. Seen from the iPhone VPN menus, a tunnel exists but it does not work. After rebooting the router, the application switches to connected and the traffic passes through the tunnel. Do you kill unused tunnels at night?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 2:49 pm

please make a supout.rif file in the router at the time, when the tunnel is not working. and if you can - one more file, when it starts to work after reboot. send both files to support@mikrotik.com, it could be an issue with RouterOS
 
Juan58
just joined
Posts: 1
Joined: Fri May 07, 2021 7:34 pm

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 3:04 pm

please make a supout.rif file in the router at the time, when the tunnel is not working. and if you can - one more file, when it starts to work after reboot. send both files to support@mikrotik.com, it could be an issue with RouterOS
Thanks ! I will do that
 
gjniewenhuijse
just joined
Posts: 20
Joined: Tue Jan 17, 2017 9:36 am

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 3:32 pm

Like I said above, you can't use multiple devices with the same settings. You must use the new Share feature in the phone app, to make a separate tunnel for each new device.
I don't use multiple devices at the same time.

And using a separate tunnel with the sharing option doesn't change it.

And why do all the other MikroTiks I have work great and this one not?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Nov 30, 2023 3:40 pm

In that case I don't understand what is not working. Please send an email to MikroTik support and include a supout.rif file and the error message from the Windows computer
 
cuky
just joined
Posts: 1
Joined: Mon Feb 04, 2019 11:48 pm

Re: NEW FEATURE: Back to Home VPN

Fri Dec 01, 2023 10:41 am

Hello Normis! Please tell me when do you plan to release app update to android google playstore?

I see it's already available for iOS.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Fri Dec 01, 2023 10:55 am

The same changes and sharing is already in Android app. It was simply released before iPhone
 
cuky
just joined
Posts: 1
Joined: Mon Feb 04, 2019 11:48 pm

Re: NEW FEATURE: Back to Home VPN

Fri Dec 01, 2023 8:29 pm

Oh, I didn't see it.

It's here but the app has some bugs with the layout on the settings screen. I've just sent a bug report.

Thank you.
 
elico
Member Candidate
Member Candidate
Posts: 157
Joined: Mon Nov 07, 2016 3:23 am

Re: NEW FEATURE: Back to Home VPN

Sat Dec 02, 2023 11:22 am

@normis, I have just installed the BTH app on Android and tried to connect to my device but it shows:
VPN Connection failed.

Do I open a ticket for that? I am using latest 7.12.1.
 
Binser
newbie
Posts: 48
Joined: Fri Dec 28, 2018 7:50 pm

Re: NEW FEATURE: Back to Home VPN

Sat Dec 02, 2023 10:49 pm

How can I connect two mikrotik arm routers in different locations using B2H?

I would like to have my local network (PCs, phones) connect to my local mikrotik hap ac2 and connect to my other arm mikrotik router in another country and surf the web with an IP address from the other country when I use any of my local devices.

What exactly would I need to do?

Thanks for your help. :)
 
Juan58
just joined
Posts: 1
Joined: Fri May 07, 2021 7:34 pm

Re: NEW FEATURE: Back to Home VPN

Mon Dec 04, 2023 11:18 am

Hello,
I use BTH between an iPhone and an Audience. The Audience is behind a CGNAT (LTE) network. A reboot of the Audience is necessary every day for it to work. The Audience is connected to the internet, but without a reboot BTH from the iPhone app no longer connects.
I don't understand what's blocking it. Disabling/enabling the WireGuard interface is not sufficient. DNS cache? Do you have any ideas?
How do you mean "no longer connects". Is there an error somewhere? In the BTH app?
Hello, I think I found the problem. The BTH application enables DDNS, but it forgets the ddns-update-interval. As soon as the public IP address changes, the DDNS may remain false and the tunnel may become inoperable. I don't know if the 1m value is too low, but it works.

/ip cloud
# ddns-update-interval=1m is what I added
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=1m

I think you need to correct the application setup
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 8:25 am

Are there any further settings required for the Android App? I configured a connection to my router and can successfully connect, but none of my traffic is actually routed over the VPN.

The router's DNS does not seem to be used at all and I can't reach any local device including the router itself. And internet traffic is also not routed over the tunnel.

Edit: I think the fault is on my smartphones side. Some apps seem to use the VPN just fine and some ignore it.

Edit2: The WireGuard-App is working fine however, maybe this is an app issue.
Last edited by mfrey on Wed Dec 06, 2023 8:39 am, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 8:30 am

About DDNS update time, it is a known issue and will be fixed in the next release.

Mfrey about your Android app - no other config should be needed. BTH works best with default config on home AP type devices. Maybe there is some more complex configuration on your device that is conflicting with BTH, or maybe you used an older version of BTH before? Send a supout.rif file to support@Mikrotik.com and we will look at the situation. Maybe there is something we can do to improve the experience for future users.
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 8:52 am

@normis I don't think this is related to the router config. I get the same behaviour with multiple routers and using the WireGuard-App is working just fine. I also already deleted and re-created the connections.

Somehow, the Mikrotik Home App is not even trying to forward the traffic of almost all apps. The only exception that I've found so far is the Play Store, whose traffic is tunneled.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 8:58 am

The App simply creates a system standard VPN profile, the app itself does not do any VPN tunneling.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 9:13 am

Check in the Settings - Show Advanced Connection Info, it will show how the connection was made - Direct, Relay, Relay hole-punched.
Also in the settings you can try to disable holepunching and see if it makes a difference.

Another thing: check what you have in the app tunnel settings under allowed IPs.
It must be 0.0.0.0/0,::/0
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 10:07 am

The connection is done using IPv4-Relay. Disabling hole punching unfortunately didn't help. Also the tunnel settings are as you described.

I've tried the app on my iPhone now and tunneling is working fine with it. Maybe it has something to do with my phone being rooted and running LineageOS. But as described, the WireGuard app is working perfectly fine on the same device.

What I'm really wondering about is how Play Store traffic is tunneled, but none of any other app I tried.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1082
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 11:24 am

I think Android has a "security feature" to make play store traffic bypass VPN connections. Possibly that's the issue.

IIRC the wireguard app can force all traffic through its tunnels anyway.
 
mfrey
newbie
Posts: 36
Joined: Wed Jan 06, 2021 12:31 am

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 12:37 pm

@eworm That's interesting. But in my case it's the exact opposite and only Play Store traffic is routed through the VPN.
 
User avatar
eworm
Forum Guru
Forum Guru
Posts: 1082
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany
Contact:

Re: NEW FEATURE: Back to Home VPN

Wed Dec 06, 2023 1:11 pm

Oh, ok... I misread then.
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Sat Dec 16, 2023 4:18 pm

Do hole punching and the relay server work if you use the ordinary WireGuard app? Every time I try to connect with WireGuard to a device behind NAT, there is no incoming traffic. If I use BTH it works perfectly.

Also, somehow i don't get any updates to the app, what is the last version?
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Sat Dec 16, 2023 6:37 pm

In the iOS app, how do you remove an existing tunnel?
I can share them, but there is no "Delete" option/tab/swipe/etc. that I can find.
If I remove the app from the iPhone and reinstall it...the tunnels are still there even after removing the app (and even rebooting the phone).
I have tested BTH on a few devices previously, none are still configured for BTH... so I wanted to start fresh. But I have a bunch of peers in the BTH app that I cannot remove.
Ideas?
(using iOS BTH v0.7 + RouterOS 7.13)
 
zandhaas
Frequent Visitor
Frequent Visitor
Posts: 74
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Re: NEW FEATURE: Back to Home VPN

Sat Dec 16, 2023 8:22 pm

In the iOS app, how do you remove an existing tunnel?
In the phone settings go to VPN configuration and delete it there.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Sat Dec 16, 2023 11:05 pm

In the iOS app, how do you remove an existing tunnel?
In the phone settings go to VPN configuration and delete it there.
Geez, I should have figured that out. That works. Thanks!
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Sun Dec 17, 2023 12:04 pm

What is the last Android app version?
 
Voklav
just joined
Posts: 4
Joined: Mon Jan 07, 2019 12:32 am
Location: Bulgaria

Re: NEW FEATURE: Back to Home VPN

Tue Dec 19, 2023 1:15 am

I'm at this point where I have too many devices in different locations and I was wondering about a centralized method to set up the routers if something needed to happen.
And I accidentally found this thread.

is there a reason for the ARM/ARM64/TILE hardware limitation?
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Dec 19, 2023 9:46 am

We would like to concentrate all newest and most exciting features on the currently manufactured devices first.
 
brankor
just joined
Posts: 1
Joined: Sun Jun 24, 2018 12:20 am

Re: NEW FEATURE: Back to Home VPN

Tue Dec 19, 2023 2:49 pm

Why is Back to Home VPN missing from 7.13 RoS version?
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Tue Dec 19, 2023 3:38 pm

It's not on MIPS devices.
 
templeos
just joined
Posts: 19
Joined: Mon Aug 26, 2019 3:58 pm

Re: NEW FEATURE: Back to Home VPN

Tue Dec 19, 2023 4:12 pm

What is the last Android app version?
0.22 at the time of writing. There's an update waiting for you on the Play Store.

Changelog:
- Added LAN/Internet accessibility icons
- Added Allow/Block LAN option (ros 7.14+)
- Added support for new user manager (ros 7.14+)
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Tue Dec 19, 2023 6:14 pm

Ok, i see it now, it just appeared. Thank you.
 
jimint
just joined
Posts: 18
Joined: Fri Aug 11, 2017 12:58 am

Re: NEW FEATURE: Back to Home VPN

Wed Dec 20, 2023 11:41 pm

I downloaded the new version of BTH.
I have an RB4011 (ROS version 7.12.1) and the BTH app did not connect (with the QR code).
I tried to add the config file manually, but when logging in to my router with the BTH app, the app crashed and closed.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Dec 21, 2023 1:52 am

Hi Normis, Two requests:

(1) Can you please explain the steps for an admin, behind a router without public IP and cannot forward a port to his MT router to create a BTH and send out a configuration to
a. an IOS iphone user
b. another MT router also without public IP.

It is not clear at least to me..... happy if you do this in a video instead ..........

(2) The configs I am starting to see people post are confusing the hell out of me........
they have
allowed IPs=xxxxx followed by client address=????

What the heck is client address or anything doing on the allowed IP config line?? I tell people to get rid of it.........
If you want to do a Teams, Zoom, Skype or Discord chat, let me know.
 
miankamran7100
Member Candidate
Member Candidate
Posts: 281
Joined: Tue Sep 17, 2019 9:28 am

Re: NEW FEATURE: Back to Home VPN

Mon Dec 25, 2023 6:22 pm

Is it possible to connect multiple Wireguard peers with Mikrotik at the same time? And use it for VPN service in an Organization instead of L2TP or SSTP?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Mon Dec 25, 2023 8:51 pm

Did somebody else notice a ping increase and a drop in speed?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Jan 01, 2024 6:21 pm

Did somebody else notice a ping increase and a drop in speed?
Your post has no context. Do you mean if you are drinking a cup of coffee while running on the treadmill??
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Jan 01, 2024 6:29 pm

Is it possible to connect multiple Wireguard peers with Mikrotik at the same time? And use it for VPN service in an Organization instead of L2TP or SSTP?
Have you used WireGuard? It's not an enterprise solution where 1000s of employees need to VPN into work............
However yes, one can have many WireGuard users attached to one MikroTik device (for the handshake); after that you have to understand each connection is a peer-to-peer connection between the client device and the MikroTik. Having each device on the same subnet makes it very easy for the MikroTik to relay traffic among its associated devices, and they can be on the same WireGuard interface or you can create multiple WireGuard interfaces. Firewall rules, routes and allowed IPs allow very flexible approaches to connecting users and other routers.

For example I could have 5 clients, 3 of which are other routers and 2 are remote users.
They could be on one WireGuard interface or five separate WireGuard interfaces.
For simplicity and load, it's easy to run only one WireGuard interface; however, if firewall rules were not enough separation in that you wanted IP separation, you could assign 5 different IP addresses to the single WireGuard interface on the MAIN server router. In this case, all the clients would not be on the same WireGuard subnet structure, which may be a requirement, but for the admin they would all be on the same WireGuard interface.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Mon Jan 01, 2024 7:10 pm

Did somebody else notice a ping increase and a drop in speed?
Your post has no context. Do you mean if you are drinking a cup of coffee while running on the treadmill??
Yea i know, it was quickly written. I noticed that speed was cut in half and ping was about 250-300 ms instead of the regular 120 ms.

This is right now. Usually speeds were about 40 Mbps DL and 20 Mbps UL
Screenshot_2024-01-01-18-06-20-683_org.zwanoo.android.speedtest-edit.jpg
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Mon Jan 01, 2024 8:51 pm

when?? using back to home wireguard, regular wireguard, something else......... again no context, we are not inside your head nor have any inkling of what network we are looking at etc...
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Tue Jan 02, 2024 7:15 am

Well... Back to home feature of course, otherwise i wouldn't post here. Phone is connecting to home router (ax3) via Mikrotik BTH app. Setup is mikrotik default when enabling BTH and config on the phone is imported by scanning qr code, nothing special.

Speeds on both home internet connection and phone are normal (home 180/120 with ping of 6 ms and 5G network with about 450/116 Mbps and 23 ms ping)
 
rviteri
Frequent Visitor
Frequent Visitor
Posts: 85
Joined: Fri Nov 18, 2011 5:53 pm

Re: NEW FEATURE: Back to Home VPN

Wed Jan 03, 2024 5:17 am

Hello, have you seen this from cloudflare https://developers.cloudflare.com/cloud ... connector/ ? Maybe a warp connector can be implemented in ROS? This seems like it would save MK the need to setup relays around the world.
 
t0mm13b
just joined
Posts: 18
Joined: Sat Mar 04, 2023 5:11 pm

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 10:58 am

What is the difference with this BTTH vs Zerotier?

Which would be the right one to use?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 11:57 am

Conceptually:
BTH uses wireguard = L3
Zerotier operates on L2 level.

So it depends on your requirements ... as usual with such questions.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 11:59 am

What is the difference with this BTTH vs Zerotier?

Which would be the right one to use?
Biggest difference is ease of use. To use BTH you only need a phone and the router's password. You don't even need to ever see Winbox or any other router config. Just connect and click enable.
 
User avatar
grusu
Member Candidate
Member Candidate
Posts: 135
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 12:02 pm

It would be very useful if there was something similar when you have to set up a laptop.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 12:05 pm

It is almost same, but you need to download the Wireguard app in your computer.

1) set up BTH via phone, just like normal
2) in BTH app click the Share button
3) Choose Wireguard config file option and send the file to your computer (iPhone to Macbook is the easiest, just AirDrop the file)
4) Open the file with Wireguard app and it's done
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 1:25 pm

It is almost same, but you need to download the Wireguard app in your computer.

1) set up BTH via phone, just like normal
2) in BTH app click the Share button
3) Choose Wireguard config file option and send the file to your computer (iPhone to Macbook is the easiest, just AirDrop the file)
4) Open the file with Wireguard app and it's done
Where is this share button? I have version 0.22 on Android and i cannot find this Share button anywhere.
 
oskarsk
MikroTik Support
MikroTik Support
Posts: 63
Joined: Mon May 13, 2019 9:41 am

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 1:30 pm

Pull up the create / tunnel bar; on your selected tunnel, right on the side, is the button for sharing.
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 1:36 pm

Pull up the create / tunnel bar; on your selected tunnel, right on the side, is the button for sharing.
On the side of the tunnel selection bar i only have three dots, and if i press them it opens up tunnel settings. I don't see anything else.

https://www.dropbox.com/scl/fi/ip5l8w57 ... tdst6&dl=0

EDIT:
OK, i had to delete current configuration and create a new one. Then Manage Shares button appeared but it doesn't work. I'm guessing that's because i use different port than default for Winbox.

Ok, i checked. If i use default port, then it works ok.
 
t0mm13b
just joined
Posts: 18
Joined: Sat Mar 04, 2023 5:11 pm

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 4:09 pm

Conceptually:
BTH uses wireguard = L3
Zerotier operates on L2 level.

So it depends on your requirements ... as usual with such questions.
Cheers for that
 
t0mm13b
just joined
Posts: 18
Joined: Sat Mar 04, 2023 5:11 pm

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 4:10 pm

What is the difference with this BTTH vs Zerotier?

Which would be the right one to use?
Biggest difference is ease of use. To use BTH you only need a phone and the router's password. You don't even need to ever see Winbox or any other router config. Just connect and click enable.
Cheers for that. Did not realise it needs DDNS service to be enabled for that to work.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 4:41 pm

dcavni you seem to have a very customised device. BTH is for people that don't want to configure their devices manually at all. So BTH works best with default config. If you are able to change ports and such things, you can create BTH setup manually too :D
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 5:22 pm

Yes, Normands, most interested in the manual setup.
My question is regarding how to set up the MikroTik manually, when using your, for want of a better word, cloud touch relay point. It's not a full-blown WG server, but a connection point that allows users to reach the MT regardless (no public IP and ISP modem router unable to forward port etc.).

Should the MT still be setup as though its a server for the handshake, lets cover the points.
a. input chain rule accept dst-port=xxxxx protocol=udp ??
b. typical forward chain rules ( accept wg interface to LANsubnet )
c. typical input chain rules ( accept wg interface - to allow admin to config router remotely )
d. if connection is coming from another MT router ( acting as a client with subnet X ( need ip route dst-address=subnetX gateway=wireguard interface )

AND THE BIGGIE - ALLOWED IPS.
e. Typically MT as a server has all its peers like so. ( assuming IP address on MT 10.10.10.1/24 )
peer1 allowed IP = 10.10.10.2/32 admin remote 1 ( to laptop)
peer2 allowed IP = 10.10.10.3/32 admin remote 2 (to iphone )
peer 3 allowed IP = 10.10.10.4/32,192.168.2.0/24,192.168.4.0/24 ( to remote MT client router )

I think you get the drift, for a manual setup, what is the delta between a standard mt router server (for handshake setup) and a BTH setup for same??
Are there limitations............ ??
Next post intimates that it doesnt work with different Winbox Ports??
Last edited by anav on Thu Jan 04, 2024 6:17 pm, edited 1 time in total.
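
The peer layout listed in the post above (router WireGuard address 10.10.10.1/24, three peers), run through the checks a manual setup has to pass. This is an added example, not part of the post and not MikroTik code; the peer names are hypothetical, and the last-assignment-wins handling of a duplicated prefix models how WireGuard's allowed-IPs table behaves.

```python
import ipaddress

# Layout from the post above: router WireGuard address and per-peer allowed IPs.
# Peer names are hypothetical labels for the three peers described there.
IFACE = ipaddress.ip_interface("10.10.10.1/24")
PEERS = {
    "peer1-laptop": ["10.10.10.2/32"],
    "peer2-iphone": ["10.10.10.3/32"],
    "peer3-router": ["10.10.10.4/32", "192.168.2.0/24", "192.168.4.0/24"],
}


def build_table(peers):
    """Map each prefix to its owning peer, the way an allowed-IPs table does."""
    owner, duplicates = {}, []
    for name, prefixes in peers.items():
        for text in prefixes:
            # strict=False masks host bits: 10.10.10.3/24 becomes 10.10.10.0/24
            net = ipaddress.ip_network(text, strict=False)
            if net in owner and owner[net] != name:
                duplicates.append((str(net), owner[net], name))
            owner[net] = name  # a prefix has one owner; the last assignment wins
    return owner, duplicates


def select_peer(owner, address):
    """Outbound: the longest matching prefix decides which peer gets the packet."""
    addr = ipaddress.ip_address(address)
    hits = [n for n in owner if n.version == addr.version and addr in n]
    return owner[max(hits, key=lambda n: n.prefixlen)] if hits else None


def accepts_from(owner, peer, source):
    """Inbound: a decrypted packet is kept only if its source maps to that peer."""
    return select_peer(owner, source) == peer


def audit(iface, peers):
    """Return (kind, detail) findings for a router-side peer list."""
    owner, duplicates = build_table(peers)
    findings = [("duplicate", f"{net}: {old} loses it to {new}")
                for net, old, new in duplicates]
    nets = list(owner)
    for i, a in enumerate(nets):
        if a.prefixlen == 0:
            findings.append(("default-route", f"{owner[a]} may source any address"))
        for b in nets[i + 1:]:
            if owner[a] != owner[b] and a.version == b.version and a.overlaps(b):
                findings.append(("overlap", f"{a} ({owner[a]}) and {b} ({owner[b]})"))
    for name, prefixes in peers.items():
        parsed = [ipaddress.ip_network(p, strict=False) for p in prefixes]
        has_host = any(n.version == iface.version
                       and n.prefixlen == n.max_prefixlen
                       and n.network_address in iface.network for n in parsed)
        if not has_host:
            findings.append(("no-tunnel-address", name))
    return findings


if __name__ == "__main__":
    print("as posted:", audit(IFACE, PEERS))
    # Constructed mistake: the phone's address entered with the interface mask.
    wrong = dict(PEERS)
    wrong["peer2-iphone"] = ["10.10.10.3/24"]
    for finding in audit(IFACE, wrong):
        print("with /24 on peer2:", finding)
```

With the /24 mistake the phone peer owns the whole tunnel subnet, so the router would accept packets from it carrying any 10.10.10.x source that no other peer claims with a /32, including the router's own 10.10.10.1.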
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Thu Jan 04, 2024 6:12 pm

dcavni you seem to have a very customised device. BTH is for people that don't want to configure their devices manually at all. So BTH works best with default config. If you are able to change ports and such things, you can create BTH setup manually too :D
Not really so much for customisation as for security reasons I changed the Winbox port, but BTH doesn't know how to work with that, so I changed it back to default. For me BTH is the most convenient way to reach a device behind cg-nat. And also to connect from my phone, to use Pihole on my home network.

When i tried to connect with Wireguard app from my phone by scanning QR code in /ip cloud to HapAX Lite LTE6 behind cg-nat it doesn't work. But it works with BTH app, so i just use that, it's easier.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Fri Jan 05, 2024 10:10 am

> Next post intimates that it doesnt work with different Winbox Ports??

only the BTH app (!) needs the default port. To set it up. We might fix that, but then again, if you have custom ports and whatnot, might as well just use winbox

> how to setup the Mikrotik manually, when using your relay point

IP > CLOUD and enable BTH. QR code and config file will be shown. When using a Wireguard app with this QR config, it will use our relay
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Fri Jan 05, 2024 5:11 pm

> Next post intimates that it doesnt work with different Winbox Ports??

only the BTH app (!) needs the default port. To set it up. We might fix that, but then again, if you have custom ports and whatnot, might as well just use winbox

> how to setup the Mikrotik manually, when using your relay point

IP > CLOUD and enable BTH. QR code and config file will be shown. When using a Wireguard app with this QR config, it will use our relay
...

Normands, a very disappointing answer. Please provide sufficient detail and information to compose a thorough response that answers more questions than it provokes!! Pretend you are Viktors and say more not less. ;-)..

Point 1. I am assuming you mean a remote user, once the connection has been made with the BTH app, can use the MikroTik app on iPhone or winbox on laptop to connect to the router for configuration purposes?

Point 2.
Yes, if BTH also allows access to the router for config purposes. I didn't know it includes the functionality of the current MT apps, but if it does, it appears that the BTH app assumes the default port for winbox. If so, it needs to be modified so that the BTH generated by the admin contains the correct winbox port.

Point 3. You totally missed the direction of my question. It wasn't how to set up the BTH, it was how to set up the corresponding wireguard interface.
You have NOT
1. made it clear if the MT router is still considered the Server (for handshake); consider the relay point as the public IP or port forward HELPER......... and thus it's transparent and the admin should configure the rest of the config as per normal as though it was Server for handshake!!

The only requirement I see NOT needed would be the input chain rule for the wireguard port as the the Router sends out a connection to the relay device (outbound) for this part, but one would still need to manually. ( RIGHT? WRONG?) In other words WHERE AND HOW does the handshake take place??

other things I think still need to be done manually to setup the wireguard tunnel........
a. ensure IP address on router
b. allowed IPs setup on router ( typically just wg IP of remote user but if to another router, also subnets coming in or being visited)
c. extra routes for remote subnet.
d. input chain rule for remote access to config router if required
e. forward chain rule for remote access to local subnets if required
f. forward chain rule for local access to remote subnets if required.
Last edited by anav on Tue Jan 09, 2024 1:03 pm, edited 1 time in total.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Fri Jan 05, 2024 5:54 pm

> Next post intimates that it doesnt work with different Winbox Ports??
only the BTH app (!) needs the default port. To set it up. We might fix that, but then again, if you have custom ports and whatnot, might as well just use winbox
Fair enough re non-standard winbox port. But if the BTH app added MDP/LLDP/etc discovery, that would solve the port problem... but more importantly potentially be "more friendly" (e.g. during on-boarding the app could start with "Router found at 192.168.xx.1. Setup now?") instead of the end-user having to know the router's IP.
 
User avatar
normis
MikroTik Support
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 1:09 pm

anav, before I answer. Have you used the BTH app and understand what its purpose is? It enables Wireguard in router. That is all.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 1:43 pm

anav, before I answer. Have you used the BTH app and understand what its purpose is? It enables Wireguard in router. That is all.
No, I have not set it up yet because I don't understand how it works and likely not to unless I understand the role of the router
is it a server for handshake - seems like no, and thus no input chain rule required??
is it a server in terms of how one views allowed IPs.... (lets say 3 peers, are they client devices identified by /32 or not )............
(Confusion recently added by statements of winbox ports or maybe it was wireguard ports having to be the default port, and further it auto selects wans to use??)

Think 3 clients attached to one router over BTH connections
Think 3 clients and another router attaching to one router over BTH connections.
Think 3 client and another router attached to one router over BTH connections and that single router (which 4 other sites connect to) is itself now connected to a third router as a client as the remote 3rd router has a public IP (non BTH connection).

I should be able to visualize all three scenarios and I will configure, firewall rules, allowed IPs and routes.
 
dcavni
Member Candidate
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 2:03 pm

Winbox port is only needed for the BTH application, so that it can access the router and configure everything. Just like the Winbox Android app does, but there you can specify the port to connect to. All other traffic has nothing to do with this port afterwards.
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 7:08 pm

anav, before I answer. Have you used the BTH app and understand what its purpose is? It enables Wireguard in router. That is all.
BTH's main "trick" is using /ip/cloud DDNS to use a new "<sn>.vpn.mynetname.net" in the WG generated configuration (instead of an actual IP address). If your router is behind a CGNAT/non-public, the x.vpn.mynetname.net address resolves to a Mikrotik server. If you have a public IP, BTH's DDNS name is still used, but /ip/cloud will resolve the x.vpn.mynetname.net to YOUR IP address, so Mikrotik isn't involved. So it's the DDNS service that allows the proxy / non-proxy mode to change WITHOUT reconfiguring your remote WG peers, since they use the DNS name, not an IP.

BTH 2nd trick is adding "dynamic" firewall rules for WG + BTH:
/ip/firewall/filter/print
0 D ;;; back-to-home-vpn
chain=forward action=drop src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN
1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=19966
/ip/firewall/nat/print
0 D ;;; back-to-home-vpn
chain=srcnat action=masquerade src-address=192.168.216.0/24

Lastly, the apps simply connect via winbox, and check the "enable" box on BTH. Which you can also do directly in winbox, except in winbox you'd be responsible for cut-and-pasting the peer configuration code to a normal WG client.

But to @anav's point, if WG is working and you always have a public IP...there is no need to start using BTH. That BTH allows the router to change mode between a public and non-public IP WITHOUT requiring changes to the WG remote peers is the key advantage. Other than ease-of-use... download app, router user/passwd, and a few taps.
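
The dynamic rules quoted in the post above, parsed and checked for what they leave open on the router. This is an added example, not part of the post and not MikroTik code; the rule text is taken from the post, while the finding names and the address-list mapping passed to `audit_bth` are assumptions (the mapping stands in for an export of `/ip/firewall/address-list` and is constructed as empty here).

```python
import re

# Output quoted in the post above (rule text from the page, whitespace as posted).
PRINTED = """\
/ip/firewall/filter/print
0 D ;;; back-to-home-vpn
chain=forward action=drop src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN
1 D ;;; back-to-home-vpn
chain=input action=accept protocol=udp dst-port=19966
/ip/firewall/nat/print
0 D ;;; back-to-home-vpn
chain=srcnat action=masquerade src-address=192.168.216.0/24
"""

BTH_COMMENT = "back-to-home-vpn"
RULE_START = re.compile(r"^(\d+)\s+((?:[A-Z]\b\s*)*)(.*)$")
PROP = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
SRC_SCOPE = ("src-address", "src-address-list", "in-interface", "in-interface-list")
OUT_SCOPE = ("out-interface", "out-interface-list")


def parse_print(text):
    """Turn RouterOS 'print' output into a list of rule dicts."""
    rules, table, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        if line.startswith("/"):
            # "/ip/firewall/filter/print" -> table "filter"
            words = [w for w in re.split(r"[/\s]+", line) if w and w != "print"]
            table, cur = words[-1], None
            continue
        m = RULE_START.match(line)
        if m:
            cur = {"table": table, "index": int(m.group(1)),
                   "flags": m.group(2).split(), "comment": "", "props": {}}
            rules.append(cur)
            line = m.group(3)
            if line.startswith(";;;"):
                cur["comment"] = line[3:].strip()
                continue
        if cur is not None:
            for key, value in PROP.findall(line):
                cur["props"][key] = value.strip('"')
    return rules


def audit_bth(rules, address_lists):
    """Report what the dynamic (D) back-to-home-vpn rules permit or fail to block."""
    findings = []
    for r in rules:
        if r["comment"] != BTH_COMMENT or "D" not in r["flags"]:
            continue
        p, where = r["props"], f'{r["table"]} #{r["index"]}'
        if p.get("chain") == "input" and p.get("action") == "accept":
            if not any(k in p for k in SRC_SCOPE):
                findings.append(("open-listener", where,
                                 f'{p.get("protocol")}/{p.get("dst-port")} is accepted '
                                 "from any source on any interface"))
        if p.get("action") == "drop" and "src-address-list" in p:
            name = p["src-address-list"]
            if not address_lists.get(name):
                findings.append(("inert-drop", where,
                                 f"address list {name} is empty, so no peer is blocked"))
        if p.get("action") == "masquerade" and not any(k in p for k in OUT_SCOPE):
            findings.append(("unscoped-masquerade", where,
                             f'traffic from {p.get("src-address")} is NATed on every egress, '
                             "so LAN hosts log the router's address, not the peer's"))
    return findings


if __name__ == "__main__":
    for kind, where, detail in audit_bth(parse_print(PRINTED), {}):
        print(f"{kind:20} {where:10} {detail}")
```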
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 7:28 pm

Now someone is finally providing useful information with which to discuss further.
a. Why does the BTH config on the MT create a firewall rule blocking remote client to local LAN interface?
b. Why does the BTH config on the MT create an input chain rule - because the router is still responsible for sending the handshake accepted back to the user via the MT Relay???
c. Does the BTH automatically select the new listening port and is that changeable by the admin?
d. I don't get the BTH automatically creating a source-nat rule on the router and an incomplete rule at that??
 
User avatar
Amm0
Forum Guru
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California
Contact:

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 8:24 pm

a. Why does the BTH config on the MT create a firewall rule blocking remote client to local LAN interface?
Mine is empty. Not sure how the "back-to-home-lan-restricted-peers" address-list in firewall gets populated actually. So rule does nothing in my case.

b. Why does the BTH config on the MT create an input chain rule - because the router is still responsible for sending the handshake accepted back to the user via the MT Relay???
I'm not sure it's needed if proxied, but if you have default firewall and public IP, then the WG port does have to be allowed on "input". AFAIK it wouldn't be needed if proxied... But BTH does NOT seem to vary the dynamic firewall rules, so may just be superfluous if proxied.

c. Does the BTH automatically select the new listening port and is that changeable by the admin?
The port is calculated and NOT changeable. I'd imagine the port may be different than mine if proxied — Mikrotik's BTH proxy server does not have unlimited IP, but a lot of ports.

d. I don't get the BTH automatically creating a source-nat rule on the router and an incomplete rule at that??
The masquerade means you do NOT need routes back to any of your LANs, since they'd get NAT'ed to the router's IP by the BTH NAT masquerade rule. It could check the interface, but the IP restriction alone works.
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 9:18 pm

a. Why does the BTH config on the MT create a firewall rule blocking remote client to local LAN interface?
Mine is empty. Not sure how the "back-to-home-lan-restricted-peers" address-list in firewall gets populated actually. So rule does nothing in my case.

b. Why does the BTH config on the MT create an input chain rule - because the router is still responsible for sending the handshake accepted back to the user via the MT Relay???
I'm not sure it's needed if proxied, but if you have default firewall and public IP, then the WG port does have to be allowed on "input". AFAIK it wouldn't be needed if proxied... But BTH does NOT seem to vary the dynamic firewall rules, so may just be superfluous if proxied.

c. Does the BTH automatically select the new listening port and is that changeable by the admin?
The port is calculated and NOT changeable. I'd imagine the port may be different than mine if proxied — Mikrotik's BTH proxy server does not have unlimited IP, but a lot of ports.

d. I don't get the BTH automatically creating a source-nat rule on the router and an incomplete rule at that??
The masquerade means you do NOT need routes back to any of your LANs, since they'd get NAT'ed to the router's IP by the BTH NAT masquerade rule. It could check the interface, but the IP restriction alone works.
SMALL PROGRESS.
a. The firewall rule is not automatically created on the non public IP MT ROUTER or is it, since yours is empty??
b. So you're intimating that it's the MT proxy WG server that returns the handshake back to client and not the non-public IP and thus input chain rule is NOT required.
c. Masquerade rule is ON THE ROUTER or on the PROXY server???? STILL MAKES ZERO SENSE.
Which out interface is noted?? I see none, what is the significance of the address, there which address is it..........
Which direction aka from which device are we source natting.................


d. Understand it makes sense that the MT proxy wireguard server chooses the port or at least the IP DNS CLOUD enabling does or some combo thereof, just good enough to know it's not the admin that selects the listening port.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Tue Jan 09, 2024 10:53 pm

SMALL PROGRESS.
a. The firewall rule is not automatically created on the non public IP MT ROUTER or is it, since yours is empty??
The IP firewall filter is there regardless (7.14beta4) – it's the address-list that is empty. No address, "forward" rule doesn't hit.

b. So you're intimating that it's the MT proxy WG server that returns the handshake back to client and not the non-public IP and thus input chain rule is NOT required.
Correct, in the proxy case, should not be needed. But you can't remove, so dunno for sure. In the direct connection method, the port is still random I believe, so dynamic input filter rule makes sense.

c. Masquerade rule is ON THE ROUTER or on the PROXY server???? STILL MAKES ZERO SENSE.
On your router is where masquerade happens. It essentially hides the BTH IP address from the rest of the network, which allows everything to be reachable via your router to the BTH client app. It's a dirty/easy trick to use the router IP for BTH/WG peer traffic. But...in the "always VLAN" model, with firewall protections...this approach would be sacrilegious.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 8:29 am

Instead of trying it yourself, you want somebody to do all the work and show you each step. That is lazy
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 8:32 am

Not sure how the "back-to-home-lan-restricted-peers" address-list in firewall gets populated actually.
This is a new feature, when you have your own BTH connection, you can make a shared connection for your friend. For this friend you can add a checkbox in the app, that only allows the friend to go to internet, but not see your LAN.
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 8:53 am

That is a nice possibility.
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 11:56 am

back-to-home-lan-restricted-peers -is that existing?
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 12:21 pm

It is an address list, that is by default empty / not existing. If you add a shared user and specify "block LAN", then his tunnel IP will be added into that address list and LAN access will be blocked.
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 12:37 pm

OK, it looks interesting and useful, we are waiting for that.
 
mszru
Frequent Visitor
Posts: 83
Joined: Wed Aug 10, 2016 10:42 am

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 4:14 pm

For this friend you can add a checkbox in the app, that only allows the friend to go to internet, but not see your LAN.
If the intention is to provide access to the Internet only, then I would name this option accordingly. Changing LAN to !WAN in that firewall rule will make it more generic and applicable to configurations slightly different from standard like mine.

I extended standard config with GUEST and IOT interface lists and the current rule won't block forwards to guests or IoT devices.

I realize that BTH's target audience is mostly home users with standard configuration, but changing LAN to !WAN won't make any difference for them.
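
The point made in the post above, checked mechanically (an added example, not part of the original post and not MikroTik's code): a small evaluator for the rule line printed by /ip/firewall/filter/print, run against a constructed topology. The interface names, the GUEST/IOT list members and the peer address 192.168.216.3 are assumptions, and only this one rule is evaluated, not the rest of the firewall.

```python
import ipaddress

# Rule line as printed earlier in this thread, and the variant proposed above.
BTH_RULE = ("chain=forward action=drop "
            "src-address-list=back-to-home-lan-restricted-peers "
            "out-interface-list=LAN")
NOT_WAN_RULE = BTH_RULE.replace("out-interface-list=LAN",
                                "out-interface-list=!WAN")

# Constructed topology (assumption): default lists plus GUEST and IOT.
IFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"bridge"},
    "GUEST": {"vlan-guest"},
    "IOT": {"vlan-iot"},
}
# Constructed address list: one shared peer created with LAN access blocked.
ADDR_LISTS = {"back-to-home-lan-restricted-peers": {"192.168.216.3"}}


def parse_rule(text):
    """Turn 'key=value key=value' into a dict."""
    return dict(token.split("=", 1) for token in text.split())


def _list_match(spec, is_member):
    """Apply the '!' negation prefix to a list membership test."""
    negate = spec.startswith("!")
    return is_member(spec.lstrip("!")) != negate


def rule_matches(rule, packet):
    """True if every matcher present in the rule matches the packet."""
    if rule["chain"] != packet["chain"]:
        return False
    spec = rule.get("src-address-list")
    if spec is not None:
        src = ipaddress.ip_address(packet["src"])
        member = lambda name: any(
            src in ipaddress.ip_network(entry)
            for entry in ADDR_LISTS.get(name, ()))
        if not _list_match(spec, member):
            return False
    spec = rule.get("out-interface-list")
    if spec is not None:
        member = lambda name: packet["out"] in IFACE_LISTS.get(name, ())
        if not _list_match(spec, member):
            return False
    return True


def reachable(rule_text, src):
    """Map each interface list to True if this rule alone lets src reach it."""
    rule = parse_rule(rule_text)
    result = {}
    for list_name, ifaces in IFACE_LISTS.items():
        dropped = any(
            rule["action"] == "drop"
            and rule_matches(rule, {"chain": "forward", "src": src, "out": iface})
            for iface in ifaces)
        result[list_name] = not dropped
    return result


if __name__ == "__main__":
    for label, rule in (("LAN", BTH_RULE), ("!WAN", NOT_WAN_RULE)):
        print(label, reachable(rule, "192.168.216.3"))
```

With the constructed lists, the restricted peer still reaches GUEST and IOT under the LAN form of the rule and only WAN under the !WAN form; a peer that is not in the address list is unaffected by either.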
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Wed Jan 10, 2024 6:48 pm

Being of the drop all ilk at end of chains, I would prefer
/ip firewall filter
add chain=forward action=accept src-address-list=xxx out-interface-list=WAN disabled=yes
add chain=forward action=accept src-address-list=xxx out-interface-list=LAN disabled=yes

and let the admin decide if the users need one or the other or both.
one could argue EQUALLY that purpose of the partial attempt by MT is to ensure:

either admins can let folks access to internet
OR
admins can let folks access to servers

Blocking either one and permitting the other is hit and miss and makes TOO much of an assumption either way!

The proper security approach is to disable both and have the admin enable manually when back at the router config aka to match what is required.......
OR add the choices to the app setup somehow, as oh user Johnny needs X, will choose ........

Anything more probably too complex, anything less misses the boat and fails to capture the majority of needs.
 
makoloved
just joined
Posts: 4
Joined: Fri Sep 29, 2023 8:38 am

Re: NEW FEATURE: Back to Home VPN

Wed Jan 17, 2024 8:15 pm

I need to ask!
If I need to apply the new VPN "back to home"
and I don't have a public IP address, does that mean I can set up BTH and access my router remotely?
 
holvoetn
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Wed Jan 17, 2024 8:25 pm

Short answer: yes.

Long answer: see short answer.
:lol:
 
gigabyte091
Forum Guru
Posts: 1430
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: NEW FEATURE: Back to Home VPN

Wed Jan 17, 2024 8:34 pm

If I'm not wrong, if you have a public IP then BTH will not use the MikroTik relay server but your public IP instead.

Of course you need to have a router that supports BTH (arm, arm64, tile if I'm not wrong).
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 1:48 am

If I'm not wrong, if you have a public IP then BTH will not use the MikroTik relay server but your public IP instead.
Correct. If you have a public IP and thus NOT using the relay, under /ip/cloud "BTH VPN", it will show "reachable directly (region: ... ip:... rtt: 59.581ms)" next to "VPN Relay IPv4 Status".

If it is using the relay/proxy via Mikrotik's servers, the same setting will show: "reachable via relay" instead.

I don't know how often it checks, but it will switch modes if your config changes from having reachable port for WG (e.g. if the default route changes from a public IP to a CGNAT/etc.). I haven't extensively tested it, but this automatic selection could be handy if you have a "normal" internet connection with public IP and say an LTE backup (which likely does not have a public IP). The WG clients don't care since they use DNS name, and depending on the mode, the DNS resolves to your public IP or Mikrotik's proxy depending on the BTH status.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 9:46 am

The BTH is not only helpful because of the relay server*, but also because it makes setting up a strong and secure VPN a simple task for beginners. We have seen people who simply disable firewall rules, to allow Winbox access from their workplace, for example. For beginners - just use BTH :)

* - fun fact for technical people, in latest versions BTH actually has three modes of operation. 1) Direct 2) via the relay server 3) using hole punching. this means relay only helps to find both ends, but traffic will go direct.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 3:07 pm

3) using hole punching. this means relay only helps to find both ends, but traffic will go direct.
I guess now I have questions...
Under what conditions does it use hole punching?
Does that require the BTH app, or can a normal WG use "hole punched" BTH too?

Basically I cannot picture how hole punching would work with WG (and not in the docs)
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 3:49 pm

3) using hole punching. this means relay only helps to find both ends, but traffic will go direct.
I guess now I have questions...
Under what conditions does it use hole punching?
Does that require the BTH app, or can a normal WG use "hole punched" BTH too?

Basically I cannot picture how hole punching would work with WG (and not in the docs)
Concur with questions AMMO. A technical paper would be highly appreciated. MT is doing some neat sheite with wireguard but it's tantalizingly out of my grasp of comprehending to the degree to what I would like. It's funny it took them so long to fix the lost comms with WG server issue but at least they didn't stop there and have really made an effort to give us more functionality.

The HEX is not a discontinued product and will be around for a while, heck it's my favorite managed switch! And giving it BTH would actually be responding to the many basic users' needs (the ones with less knowledge, and on a budget using MT). Hopefully Mips BTH will be forthcoming.
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 3:54 pm

Basically I cannot picture how hole punching would work with WG (and not in the docs)
This especially. How would the cloud instance create a hole to two entities that have no public IP aka CGNAT, then facilitate a direct connection without relay???
Perhaps MT has discovered true magic. :-)
 
mszru
Frequent Visitor
Posts: 83
Joined: Wed Aug 10, 2016 10:42 am

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 9:00 pm

Basically I cannot picture how hole punching would work with WG (and not in the docs)
How would the cloud instance create a hole to two entities that have no public IP...???

The hole is punched by the router itself when making an outgoing UDP connection to the MikroTik Cloud. The "connection" object will be kept alive until the UDP timeout is reached. And while it's alive the UDP packets can be received to the opened "hole" in the ISP's firewall and NATed back to BTH client at the router.

When such outgoing connections are made by the router's BTH client and the iOS/Android BTH client, some unique identifier (e.g. router's serial no) must be passed to the MikroTik cloud. This identifier will help the BTH service in the cloud to logically link these 2 connections.

Then the BTH service tells both clients to use their ISP public addresses for establishing direct WireGuard connection using the "holes" on both ends.

I hope my understanding is not far from the truth.
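
The sequence described in the post above, as a toy model added here (not part of the original post and not MikroTik's actual protocol): two NATs, a rendezvous service that pairs registrations by an identifier, then sends from both sides. All addresses, the identifier and the NAT behaviours are constructed assumptions; the fallback order (direct, hole punching, relay) follows normis's description in this thread.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """NAT in front of one host, filtering inbound packets by remote endpoint.

    endpoint_independent=True reuses one public port for every destination;
    False allocates a fresh public port per destination (symmetric NAT).
    """
    public_ip: str
    endpoint_independent: bool = True
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # mapping key -> public port
    allowed: dict = field(default_factory=dict)   # public port -> remote endpoints

    def outbound(self, dst):
        """Send a UDP packet to dst; return the public source endpoint used."""
        key = "any" if self.endpoint_independent else dst
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        # The outgoing packet opens the "hole": replies from dst are let in.
        self.allowed.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src, public_port):
        """True if a packet from src to public_port passes the NAT."""
        return src in self.allowed.get(public_port, set())


class Rendezvous:
    """Stand-in for the cloud service: records the endpoint each side came from."""
    ADDR = ("203.0.113.10", 443)  # documentation-range address, constructed

    def __init__(self):
        self.seen = {}

    def register(self, ident, role, nat):
        self.seen.setdefault(ident, {})[role] = nat.outbound(self.ADDR)

    def peers(self, ident):
        return self.seen[ident]


def punch(router_nat, phone_nat, ident="ROUTER-SERIAL-PLACEHOLDER"):
    """Return True if both directions work after the rendezvous exchange."""
    service = Rendezvous()
    service.register(ident, "router", router_nat)
    service.register(ident, "phone", phone_nat)
    endpoint = service.peers(ident)
    # Each side now sends to the endpoint the service reported for the other.
    router_src = router_nat.outbound(endpoint["phone"])
    phone_src = phone_nat.outbound(endpoint["router"])
    # A packet arrives only if it targets the port the receiver opened and
    # comes from an endpoint the receiver has already sent to.
    phone_to_router = router_nat.inbound(phone_src, endpoint["router"][1])
    router_to_phone = phone_nat.inbound(router_src, endpoint["phone"][1])
    return phone_to_router and router_to_phone


def choose_mode(router_has_public_ip, router_nat, phone_nat):
    """Direct first, then hole punching, then relay."""
    if router_has_public_ip:
        return "direct"
    if punch(router_nat, phone_nat):
        return "hole-punch"
    return "relay"


if __name__ == "__main__":
    print(choose_mode(False, Nat("198.51.100.7"), Nat("192.0.2.33")))
    print(choose_mode(False, Nat("198.51.100.7"), Nat("192.0.2.33", False)))
```

In the second call the phone's NAT hands out a new public port for the new destination, so the endpoint the service learned is no longer the one the phone sends from, and the model falls back to the relay.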
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 11:08 pm

Not a bad improvisation! I am still curious as there has not really been a handshake at all, just two clients somehow connected and maintaining a connection. I wonder what the underlying virtual structure laid down looks like. Also what happens when one end loses communications? In a typical lost comms scenario, the client peer will continue to attempt to connect with keep alive.
 
Amm0
Forum Guru
Posts: 4011
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: NEW FEATURE: Back to Home VPN

Thu Jan 18, 2024 11:16 pm

When such outgoing connections are made by the router's BTH client and the iOS/Android BTH client, some unique identifier (e.g. router's serial no) must be passed to the MikroTik cloud. This identifier will help the BTH service in the cloud to logically link these 2 connections.
I can see how the BTH iOS/Android app could do this, since port might need changing. But I'm not sure it'd be possible when using a standard WG client. But dunno.
 
foraster
newbie
Posts: 29
Joined: Tue Oct 01, 2019 5:31 pm

Re: NEW FEATURE: Back to Home VPN

Fri Jan 19, 2024 5:35 pm

I've been using Wireguard on my main router, an hEX (mmips) for some time, running great. To the point of being sure to shut down my openvpn server.

Sometimes the main connection is down and the backup is behind a CGNAT, so I needed a solution for these punctual cases.

I read the BTH uses wireguard, so what's the point of not supporting other architectures like mmips, taking into account the huge number of devices out there?
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Sat Jan 20, 2024 7:00 pm

so what's the point of not supporting other architectures like mmips, taking into account the huge number of devices out there?
Business Decisions:
LIST OF POTENTIAL ACTION ITEMS
BUDGET AVAILABLE THIS YEAR
PRIORITIZED LISTS
weighting factors
- which devices can gain functionality without hardware changes ( memory/cpu capacity throughput )
- development cost - lab resources
- personnel costs - coders
- testing costs - regress test, independent testers

SCHEDULE:
- time available this budget year AFTER all new product development on-going
- time available this budget year AFTER current RoS Beta work
- time available this budget year AFTER any other RoS work ( eg. waiting for long-term stable vers7)

HARDWARE ROADMAP:
- time left before EOL
- new products being released or on horizon to replace EOL hardware or address now areas.

OPERATING EXPENSES:
- raises for personnel except Normands until he gets on board with better First Posting Process.

COMPANY PLANNING
- privately owned by two people, not public, so they decide how much profit they desire ( thus determines spending on hardware, software etc. )
- future projections ( market assessments etc), play a large role in the directions a company takes.

+++++++++++++++++++++
What does not come into play.
Individual posters miffed about missing functionality including myself :-)
How to rectify.
Convince a billionaire business person to request 6 figure worth of product if it has X functionality, may gain some traction.
 
JimKusz
just joined
Posts: 24
Joined: Sat Apr 23, 2022 6:41 pm

Re: NEW FEATURE: Back to Home VPN

Tue Jan 30, 2024 1:15 am

Although latency is pretty bad if relayed, things do route/connect. I see ping times in the 600-800ms range using BTH with relay from phone to router. This router also has ZeroTier, so if disconnect from BTH and use ZT as VPN instead, latency is about 150-250ms in same ping test. I'd imagine difference is ZT roots are closer than Latvia...not that ZeroTier is inherently faster, just way closer in proximity to California.
Zerotier generally tries to NOT directly relay through their servers; instead, they use the servers to "punch holes" through nat so that a direct connection can be established, and ZT is not in the data plane of the feed. Relays are an absolute last resort with ZT. Normally your latency and throughput drops notably if you have to relay through ZT. The NAT hole-punching is really quite amazing on ZT...
 
MTL7
just joined
Posts: 5
Joined: Fri Nov 26, 2021 9:04 am

Re: NEW FEATURE: Back to Home VPN

Tue Jan 30, 2024 6:53 am

I’ve read the BTH manual but cannot find any information regarding the required rights for the user account that you would login with at the BTH iOS mobile app. Pls share information on this. I suppose we should not use the router’s admin account to login from the BTH iOS app. Thx.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Jan 30, 2024 9:32 am

Depending on the type of actions you want to perform.

When BTH creates a new tunnel - BTH app creates and deletes all kinds of configuration in the router, so yes, it needs full admin rights to do that.
When sharing the already created tunnel (as admin) to another person, that only needs to use the VPN, there is no need for a router user at all. Only the created tunnel is used, the app does not connect to router administration facilities in this case.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Tue Jan 30, 2024 9:34 am

Although latency is pretty bad if relayed, things do route/connect. I see ping times in the 600-800ms range using BTH with relay from phone to router. This router also has ZeroTier, so if disconnect from BTH and use ZT as VPN instead, latency is about 150-250ms in same ping test. I'd imagine difference is ZT roots are closer than Latvia...not that ZeroTier is inherently faster, just way closer in proximity to California.
Zerotier generally tries to NOT directly relay through their servers; instead, they use the servers to "punch holes" through nat so that a direct connection can be established, and ZT is not in the data plane of the feed. Relays are an absolute last resort with ZT. Normally your latency and throughput drops notably if you have to relay through ZT. The NAT hole-punching is really quite amazing on ZT...
BTH basically does all the same things. Direct connection first, if that does not work, it tries hole punching (on android currently), if that does not work, only then it goes through our relays. Currently we only have relays in EU and US, but more are coming.
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:07 pm

Not sure how the "back-to-home-lan-restricted-peers" address-list in firewall gets populated actually.
This is a new feature, when you have your own BTH connection, you can make a shared connection for your friend. For this friend you can add a checkbox in the app, that only allows the friend to go to internet, but not see your LAN.
How can someone find this checkbox? I select new share and below it just says "access to home network" "access to internet" and in new share settings I can only select when it expires, use router DNS and Allowed IPs.

Version 0.24
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:15 pm

"access to home network" "access to internet"
you just described it yourself.
what is the question?
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:43 pm

There is no option to add a checkmark.

Last edited by dcavni on Wed Feb 07, 2024 1:49 pm, edited 2 times in total.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:46 pm

You are looking at status icons for existing users.
When you make a NEW share for your wife or friend, this selector will be available
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:52 pm

Where? Maybe I should try to delete this BTH profile for device again and start over. It helped last time, when options were missing.

Edit: Nope, I tried and I still don't see this option. 5009 is on 7.13.2

Last edited by dcavni on Wed Feb 07, 2024 1:56 pm, edited 1 time in total.
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:56 pm

Looks like your RouterOS is not running the latest version. Make sure you are up to date.
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:57 pm

It's 7.13.2. Is this only available in beta?
 
normis
MikroTik Support
Topic Author
Posts: 26807
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:58 pm

Yes, since 7.14
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Wed Feb 07, 2024 1:59 pm

Ok, thanks for clarification Normis. I thought that I simply became extremely stupid in the meantime because I couldn't find this option anywhere.
 
krafg
Forum Guru
Posts: 1041
Joined: Sun Jun 28, 2015 7:36 pm

Re: NEW FEATURE: Back to Home VPN

Fri Feb 09, 2024 4:51 pm

Quick question: BTH will be compatible with LtAP + LTE connection behind NAT?

Thanks and regards.
 
zax
just joined
Posts: 17
Joined: Wed Jan 24, 2024 1:35 am

Re: NEW FEATURE: Back to Home VPN

Fri Mar 01, 2024 1:28 pm

I've been using Wireguard on my main router, an hEX (mmips) for some time, running great. (...)
(...) so what's the point of not supporting other architectures like mmips, taking into account the huge number of devices out there?
It's unbelievable, they have Wireguard already implemented on mmips. mmips devices, such as hEX are probably their most sold devices ever...
then they randomly decided not to support mmips, for reasons.
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Sat Mar 09, 2024 5:23 pm

In latest version on 5009 log is full of this messages: back-to-home-vpn: QXJZkH4qn5A***************************=: Handshake for peer did not complete after 5 seconds, retrying (try 2)
and after some time Handshake for peer did not complete after 20 attempts, giving up, but it keeps on populating the log with these messages.

When i'm connected with Android phone (BTH app) there are no log messages.

Already i tried with disabling BTH, deleting configuration from phone, but issue keeps repeating.

Is this normal behaviour?
Last edited by dcavni on Sat Mar 09, 2024 5:37 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 6115
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: NEW FEATURE: Back to Home VPN

Sat Mar 09, 2024 5:33 pm

Supposedly fixed in 7.15beta6.
There is also a workaround if you modify the logging rules to numb down those messages but in my book these shouldn't even be displayed (it's debug, not info)
 
dcavni
Member Candidate
Posts: 132
Joined: Sun Mar 31, 2013 6:02 pm

Re: NEW FEATURE: Back to Home VPN

Sat Mar 09, 2024 5:40 pm

Supposedly fixed in 7.15beta6.
There is also a workaround if you modify the logging rules to numb down those messages but in my book these shouldn't even be displayed (it's debug, not info)
I was thinking the same, this does not even need to be in the log. I disabled Wireguard logging with !wireguard for now. I rather wait for a more stable 7.15 version. Thank you for temporary solution.
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Sun Mar 10, 2024 4:00 am

Why can't I see the following rule on my firewall?
I got BTH enabled on v7.14
ip/firewall/filter/print
0 D ;;; back-to-home-vpn
chain=forward action=drop src-address-list=back-to-home-lan-restricted-peers out-interface-list=LAN
 
sflores
just joined
Posts: 2
Joined: Mon Dec 25, 2023 12:17 pm

Re: NEW FEATURE: Back to Home VPN

Mon Mar 11, 2024 1:19 pm

Supposedly fixed in 7.15beta6.
There is also a workaround if you modify the logging rules to numb down those messages but in my book these shouldn't even be displayed (it's debug, not info)
I was thinking the same, this does not even need to be in the log. I disabled Wireguard logging with !wireguard for now. I rather wait for a more stable 7.15 version. Thank you for temporary solution.
Version 7.14.1 is supposed to fix this problem:
*) wireguard - do not attempt to connect to peer without specified endpoint-address;
Something has been fixed. With version 7.14, "ghost" TX packets appeared in the BTH interface:
Captura de pantalla 2024-03-03 a las 12.45.53.png
And now that TX traffic has disappeared:
Captura de pantalla 2024-03-11 a las 11.57.19.png
But, unfortunately, those annoying logs are still shown in the BTH interface:
Captura de pantalla 2024-03-11 a las 11.58.29.png
 
diamuxin
Member
Posts: 323
Joined: Thu Sep 09, 2021 5:46 pm

Re: NEW FEATURE: Back to Home VPN

Mon Mar 11, 2024 8:14 pm

Idem...

With the latest update 7.14.1 the logging problems with the handshake have NOT been solved, both in the wireguard road-warrior links and with BTH.


BR.
 
MrBonding
just joined
Posts: 15
Joined: Mon Jul 05, 2021 1:32 pm

Re: NEW FEATURE: Back to Home VPN

Sun Mar 31, 2024 8:07 pm

Idem...

With the latest update 7.14.1 the logging problems with the handshake have NOT been solved, both in the wireguard road-warrior links and with BTH.


BR.
Still same bug on 7.14.2
 
aaronk6
just joined
Posts: 5
Joined: Tue Mar 14, 2023 11:06 am
Location: Germany

Re: NEW FEATURE: Back to Home VPN

Mon Apr 08, 2024 11:49 pm

Is anyone using BTH with the WireGuard app on iOS, specifically with the on-demand setting enabled? I aim to have the VPN connection establish automatically when I'm away from my home WiFi (for which I've configured the SSID in the WireGuard profile). It seems the BTH app doesn't support this, so I imported the BTH WireGuard configuration from my router into the WireGuard app on my iPhone and made the following adjustments:

  • Set DNS to my local DNS server at 192.168.88.1 to resolve local domain names.
  • Replaced 0.0.0.0/0,::/0 with 192.168.88.0/24 to ensure only connections to my home network are tunneled.

This setup mostly works, but the connection doesn’t establish or disconnect on-demand as expected.

However, if I remove the *.sn.mynetname.net peer from the config (which has AllowedIPs set to 0.0.0.0/32 and a weird public key of //////////////////////////////////////////8=), it works as intended.

It works whether my home router has a public address or is on LTE behind CGNAT.

Could someone shed light on the purpose of the *.sn.mynetname.net peer and the 0.0.0.0/32, and what I might be losing by removing it?
 
diamuxin
Member
Posts: 323
Joined: Thu Sep 09, 2021 5:46 pm

Re: NEW FEATURE: Back to Home VPN

Tue Apr 09, 2024 8:59 pm

With the latest beta (7.15beta9), I now get this new message all the time when disconnecting (peer with resolver checked)
back-to-home-vpn: [peer19] CHWCHPuLuweWVZkq3r2HynUP59yxk3GsMX4i9XamAQw=: Handshake for peer did not complete after 20 attempts, giving up
 
anav
Forum Guru
Posts: 20903
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: NEW FEATURE: Back to Home VPN

Thu Apr 11, 2024 12:15 am

Is BTH programming, interfering with normal wireguard use? BUG?
Unable to successfully mangle traffic coming in on WAN2, back out WAN2 for wireguard handshake, when WAN1 is a primary WAN.
Return traffic appears to be sent out WAN1 instead, iaw connection-tracking and inability to access config from remote user.
All other traffic to the router (directed at WAN2) is captured by mangles and routed out WAN2 as expected (via table, and additional IP route)
(keep alive deselected to rule out that functionality).
 
Techknow
just joined
Posts: 8
Joined: Wed Feb 02, 2022 7:33 am

Re: NEW FEATURE: Back to Home VPN

Thu Apr 18, 2024 1:33 am

I have been using Zerotier as recommendation from Mikrotik and I find it very easy to setup and use.

https://help.mikrotik.com/docs/display/ROS/ZeroTier

https://docs.zerotier.com/mikrotik/

https://www.zerotier.com/download/

Cheers
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: NEW FEATURE: Back to Home VPN

Thu Apr 18, 2024 6:07 am

pretty sure that you added this on wrong topic
 
petardo
newbie
Posts: 30
Joined: Fri Sep 25, 2015 4:06 pm

Re: NEW FEATURE: Back to Home VPN

Sun Apr 21, 2024 7:18 pm

Hi,
I noticed that all of our MTs get 192.168.216.1 wg address.
Is it always the same? Can we count on it?
