Sub-menu: /ip cloud
Packages required: routeros
RouterOS version required: v7.12
Hardware requirements: ARM/ARM64/TILE architecture devices

Back To Home is a convenience feature, that configures your device for secure VPN access from anywhere in the world to your router and your network, even if your router does not have a public IP address, is behind NAT or Firewall.

Configuration can be done manually, or with our MikroTik VPN companion app (Android, iPhone).


Back to Home is a feature still in active development. Many features are yet to come!

If the VPN server (your home router) has a public IP address, the VPN app will create a direct VPN connection between the phone and the router. However, if the router is not directly reachable from the internet, the connection will be made through the MikroTik relay server. The connection is always end-to-end encrypted, the relay server or any other device does not have access to the encryption keys, in essence, the relay only helps your device to reach the router. The connection will appear as going out from your router, not from the relay. In case of going through relay, speed could be limited.

This feature is a convenient option to access your home network or view content available in your home country, from locations, where some content is not available. It is not meant for anonymity, it is for simple one click access to your home network. For more granular security controls, we recommend to manually configure and secure a VPN connection using the advanced RouterOS options.


You can also use a standard Wireguard application to connect to your BTH enabled devices. The configuration that is required for your laptop or phone Wireguard application is available in the IP CLOUD menu, once BTH is configured.

Using the companion app

- Connect to router's Wi-Fi;
- Open MikroTik VPN application;
- Open bottom sheet;
- Tap "Add Tunnel";
- Enter your local router IP address (most likely, username, and password, tap "Connect";
- Give tunnel a name, optionally enter DNS server address (this can also be or a public DNS like, tap "Create tunnel";
- You can disconnect from router's Wi-Fi and connect to other network;
- Tap power button to toggle connection of selected tunnel.

Tap "Add tunnel"

Provide your router info

Connection established

If device is not supported, error is shown

Configuring manually in RouterOS

  1. Connect to router  
  2. Enable DDNS Cloud service: `/ip/cloud/set ddns-enabled=yes`
  3. Enable Back To Home: `/ip/cloud/set back-to-home-vpn=enabled`
  4. Print tunnel configuration: `/ip/cloud/print`
  5. Scan QR Code (`vpn-wireguard-client-config-qrcode`) or Copy config (`vpn-wireguard-client-config`) and enter in preferred WireGuard® client. Only one client at a time will be available to use this config. To create more clients, you will need to manually create more peers: `/interface/wireguard/peers/add interface=freevpn-wg public-key=<public_key> allowed-address=192.168.216.x/32`

Removing and disabling

In the smartphone app, the VPN configuration is added to the System VPN settings. In this regard, the Back to Home app only acts as a wizard. It supplies needed config to the operating system (this is why iPhone will warn you about altering system configuration).

To remove the created connection, go into the smartphone settings app and remove the VPN connections from there. 

In the MikroTik router side, you should manually delete the added Peers in the Wireguard menu. Note that "revoke-and-disable" button can't be used to "Pause" the use of the Back to Home feature. Once you revoke-and-disable in RouterOS, all Peers will be disassociated from the Cloud / Relay servers and you will have to re-create the connection from the Smartphone app. Therefore once you have used the option "revoke-and-disable" in RouterOS IP Cloud menu, you need to also delete the Peers from the Wireguard menu, as they can't be re-used.