
Summary

Sub-menu: /ip cloud
Packages required: routeros
RouterOS version required: v7.11
Hardware requirements: ARM/ARM64/TILE architecture devices

Back To Home is a convenience feature that configures your device for secure VPN access from anywhere in the world to your router and your network, even if your router does not have a public IP address or is behind NAT or a firewall.

Configuration can be done manually, or with our MikroTik VPN companion app (Android, iPhone).

If the VPN server (your home router) has a public IP address, the VPN app will create a direct VPN connection between the phone and the router. However, if the router is not directly reachable from the internet, the connection will be made through the MikroTik relay server. The connection is always end-to-end encrypted: neither the relay server nor any other device has access to the encryption keys. In essence, the relay only helps your device reach the router. The connection will appear as going out from your router, not from the relay. When the connection goes through the relay, speed could be limited.

This feature is a convenient way to access your home network, or to view content available in your home country from locations where that content is not available. It is not meant for anonymity; it is for simple one-click access to your home network. For more granular security controls, we recommend manually configuring and securing a VPN connection using the advanced RouterOS options.

Optional

You can also use a standard WireGuard application to connect to your BTH-enabled devices. The configuration required for the WireGuard application on your laptop or phone is available in the IP Cloud menu once BTH is configured.


Using the companion app

- Connect to the router's Wi-Fi;
- Open the MikroTik VPN application;
- Open the bottom sheet;
- Tap "Add Tunnel";
- Enter your local router IP address (most likely 192.168.88.1), username, and password, then tap "Connect";
- Give the tunnel a name, optionally enter a DNS server address (this can also be 192.168.88.1 or a public DNS like 1.1.1.1), then tap "Create tunnel";
- You can now disconnect from the router's Wi-Fi and connect to another network;
- Tap the power button to toggle the connection of the selected tunnel.


Tap "Add tunnel"

Provide your router info

Connection established

If device is not supported, error is shown

Configuring manually in RouterOS

  1. Connect to the router
  2. Enable DDNS Cloud service: `/ip/cloud/set ddns-enabled=yes`
  3. Enable Back To Home: `/ip/cloud/set back-to-home-vpn=enabled`
  4. Print tunnel configuration: `/ip/cloud/print`
  5. Scan the QR code (`vpn-wireguard-client-config-qrcode`) or copy the config (`vpn-wireguard-client-config`) and enter it in your preferred WireGuard® client. Only one client at a time can use this config. To create more clients, you need to manually create more peers: `/interface/wireguard/peers/add interface=freevpn-wg public-key=<public_key> allowed-address=192.168.216.x/32`
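
An added example, not part of the MikroTik documentation: a Python helper for step 5 that builds the `/interface/wireguard/peers/add` command for one extra client, rejecting malformed public keys and choosing a /32 that no existing peer uses. The 192.168.216.0/24 range, the helper names and the sample data are assumptions; the list of addresses in use must include the router's own address.

```python
import base64
import binascii
import ipaddress

# Assumption: BTH peers live in 192.168.216.0/24 (the page only shows 192.168.216.x/32).
BTH_NET = ipaddress.ip_network("192.168.216.0/24")
BTH_INTERFACE = "freevpn-wg"  # interface name as given in step 5


def check_public_key(key):
    """Return the key if it is a well-formed WireGuard public key (32 bytes, base64)."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("public key is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError("public key must decode to 32 bytes")
    return key


def next_free_address(in_use):
    """Pick the lowest host address in BTH_NET not listed in in_use."""
    taken = {ipaddress.ip_interface(a).ip for a in in_use}
    for host in BTH_NET.hosts():
        if host not in taken:
            return host
    raise RuntimeError("no free address left in " + str(BTH_NET))


def peer_add_command(public_key, in_use):
    """Build the RouterOS command from step 5 for one additional client."""
    key = check_public_key(public_key)
    addr = next_free_address(in_use)
    return (f"/interface/wireguard/peers/add interface={BTH_INTERFACE} "
            f'public-key="{key}" allowed-address={addr}/32')


if __name__ == "__main__":
    # Constructed sample data: addresses already assigned and a dummy 32-byte key.
    used = ["192.168.216.1/24", "192.168.216.2/32", "192.168.216.3/32"]
    dummy_key = base64.b64encode(bytes(range(32))).decode()
    print(peer_add_command(dummy_key, used))
```

Only the client's public key is passed in; the matching private key is generated on the client and stays there.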

Removing and disabling

On the smartphone, the app adds the VPN configuration to the system VPN settings. In this regard, the Back to Home app only acts as a wizard: it supplies the needed config to the operating system (this is why an iPhone will warn you about altering the system configuration).

To remove the created connection, go into the smartphone settings app and remove the VPN connections from there. 

On the MikroTik router side, you should manually delete the added peers in the WireGuard menu. Note that the "remove-and-disable" button can't be used to "pause" the use of the Back to Home feature. Once you disable-and-remove in RouterOS, all peers will be disassociated from the Cloud / Relay servers and you will have to re-create the connection from the smartphone app. Therefore, once you have used the "disable-and-remove" option in the RouterOS IP Cloud menu, you also need to delete the peers from the WireGuard menu, as they can't be reused.
