Hey everyone!
I’m Emmanuel Corels, your friendly admin from Emmanuel Corels Creatives, and welcome to our third article in this ongoing MikroTik series. So far, we’ve covered the basics of MikroTik & WinBox, along with firewall setup, NAT, and port forwarding. Now, it’s time to explore MikroTik’s Cloud Hosted Router (CHR) and dive into VPN configurations—two powerful topics that go hand in hand in modern network environments.
1. What Is MikroTik CHR?
CHR (Cloud Hosted Router) is a virtualized version of RouterOS designed to run in environments like VMware, VirtualBox, Hyper-V, or on cloud services like AWS and Azure. It gives you all the features of a physical MikroTik router—routing, firewall, VPN, QoS, etc.—without needing dedicated hardware.
Key Benefits
- Scalability: Spin up more instances as your network grows.
- Cost-Effective: Pay for only what you need, whether in the cloud or your own virtual infrastructure.
- Familiar Interface: Same RouterOS environment as physical MikroTik devices.
2. Getting Started with CHR
Let’s walk through setting up CHR on a local hypervisor (e.g., VMware Workstation). The steps are similar for other platforms.
2.1 Downloading CHR
- Head over to https://mikrotik.com/download.
- Look for “Cloud Hosted Router” under the “RouterOS” section.
- Choose a disk image compatible with your hypervisor (e.g., .ova for VMware, .vhdx for Hyper-V, .vmdk for VirtualBox).
- Download the image.
2.2 Importing into VMware Workstation
- Open VMware Workstation.
- File -> Open and select the downloaded CHR .ova file.
- Follow the on-screen prompts—VMware will ask you for a name and storage location.
- Once imported, power on the virtual machine.
Tip: If using VirtualBox, you’d go to File -> Import Appliance, then select the .ova file.
2.3 Initial CHR Setup
When you start the CHR VM, it might not have any default IP addresses. You can connect via console or WinBox (using MAC connectivity) to configure it.
- Console Method: Open the VMware console, log in with the default username admin (no password).
- WinBox (MAC): If you’re on the same Layer 2 network, open WinBox, go to the Neighbors tab, and look for the CHR’s MAC address. Double-click to connect via MAC.
- Set an IP on the CHR’s interface that’s connected to your LAN or management network:
  /ip address add address=192.168.88.1/24 interface=ether1
- Add a default route (if needed) to access the internet:
  /ip route add dst-address=0.0.0.0/0 gateway=192.168.88.254
  (Replace 192.168.88.254 with your actual gateway.)
- Once the IP is set, you can use WinBox by IP address instead of MAC.
Licensing Note: CHR offers a 60-day free trial with full functionality. You can then choose a license level based on the throughput you need.
3. Setting Up a Basic VPN on Your CHR
VPNs let you securely connect remote users or sites to your network. Let’s start with an easy example: PPTP (Point-to-Point Tunneling Protocol). Although PPTP isn’t the most secure option nowadays (L2TP/IPsec or OpenVPN is recommended for stronger encryption), it’s a good starting point to grasp the fundamentals.
3.1 PPTP Server Configuration
- Enable PPTP Server:
  - In WinBox, go to PPP.
  - Click the “PPTP Server” button.
  - Check the box for “Enabled”.
- Create a PPP Profile:
  - In PPP -> Profiles, click “+”.
  - Set Name: pptp_profile (or anything you like).
  - In Local Address, type a local IP from your CHR’s subnet (e.g., 192.168.88.1).
  - In Remote Address, specify an IP pool or a single IP (e.g., 192.168.88.200-192.168.88.210).
  - Click OK.
- Add a PPP Secret (User Account):
  - Still in PPP, go to the Secrets tab.
  - Click “+”.
  - Name: testuser.
  - Password: strongpassword.
  - Service: pptp.
  - Profile: Select the profile you created (pptp_profile).
  - Click OK.
That’s it for the PPTP server side. Your CHR is now ready to accept PPTP connections.
Command Line Equivalent:
/interface pptp-server server set enabled=yes
/ppp profile add name=pptp_profile local-address=192.168.88.1 remote-address=192.168.88.200-192.168.88.210
/ppp secret add name=testuser password=strongpassword service=pptp profile=pptp_profile
3.2 Firewall Rules for PPTP
PPTP uses TCP port 1723 for the control connection and the GRE protocol (IP protocol 47) for the tunnel itself. If you have a “drop all” rule on your input chain (to protect the router itself), you need to accept both of these above that drop rule:
- Go to IP -> Firewall -> Filter Rules.
- Add a rule to accept traffic on TCP 1723 (destination port).
- Add another rule to allow the GRE protocol (protocol number 47).
Example:
- Rule 1: Allow TCP 1723
  - Chain: input
  - Protocol: tcp
  - Dst. Port: 1723
  - Action: accept
  - Comment: “Allow PPTP control connection”
- Rule 2: Allow GRE
  - Chain: input
  - Protocol: gre
  - Action: accept
  - Comment: “Allow GRE for PPTP”
If you’re setting up PPTP for remote access to internal networks (and not just to the router itself), you’d place corresponding rules in the forward chain. For a quick test, you can keep it open, or more securely, allow only PPTP traffic from specific IP ranges.
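The same two input rules on the RouterOS command line, plus the source restriction and forward-chain rule mentioned above. This is an added example, not part of the original article; the address-list name pptp_allowed, the placeholder range 203.0.113.0/24, and the assumption that exactly one chain=input action=drop rule already exists are mine.

```routeros
# Added example (not from the original article): section 3.2 rules on the CLI.
# 203.0.113.0/24 is a placeholder for the networks your remote users come from;
# 192.168.88.0/24 is the LAN used earlier in the article.

# Optional: only these source networks may open PPTP sessions to the router
/ip firewall address-list add list=pptp_allowed address=203.0.113.0/24 comment="Remote users (placeholder range)"

# Rule 1: PPTP control connection, TCP 1723.
# place-before assumes a single chain=input action=drop rule already exists;
# the accept rules must sit above it or they never match.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 src-address-list=pptp_allowed action=accept comment="Allow PPTP control connection" place-before=[find chain=input action=drop]

# Rule 2: GRE (IP protocol 47) carries the tunnelled traffic itself
/ip firewall filter add chain=input protocol=gre src-address-list=pptp_allowed action=accept comment="Allow GRE for PPTP" place-before=[find chain=input action=drop]

# Forward chain: connected VPN clients may reach the LAN only. all-ppp matches
# every PPP-type interface, so this rule also covers L2TP clients later on.
/ip firewall filter add chain=forward in-interface=all-ppp dst-address=192.168.88.0/24 action=accept comment="VPN clients to LAN"

# Check the order: both accept rules should print above the drop rule
/ip firewall filter print where chain=input
```

Drop the src-address-list= matcher from the two input rules if your users connect from arbitrary addresses, but keep the rules above the drop.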
3.3 Client-Side Setup (Windows Example)
- Go to Control Panel -> Network and Sharing Center -> Set up a new connection or network.
- Choose Connect to a workplace -> Use my Internet connection (VPN).
- Internet address: The public IP of your CHR (or domain name).
- Destination name: Something like “MyPPTP”.
- User name: testuser (from our secret).
- Password: strongpassword.
- After creating the connection, go into its Properties, and under Security, choose PPTP as the VPN type (or set it to “Automatic” if you want it to try PPTP first).
- Connect and check if you get an IP from 192.168.88.200-192.168.88.210.
Troubleshooting Tip: If you can’t connect, make sure your ISP or network environment isn’t blocking GRE protocol. Some NAT devices can break PPTP connections.
4. Moving Beyond PPTP: L2TP/IPsec or OpenVPN
PPTP is quick to set up but not the most secure. If you need stronger encryption, consider:
- L2TP/IPsec: Combines Layer 2 Tunneling Protocol with IPsec for encryption.
- OpenVPN: Uses SSL/TLS, can be configured for TCP or UDP, widely supported.
4.1 L2TP/IPsec (High-Level Steps)
- Enable L2TP Server under PPP -> L2TP Server.
- Create a profile with the local/remote addresses.
- Create a secret (username/password) for the L2TP service.
- Go to IP -> IPsec -> Peer and IP -> IPsec -> Policy to configure Phase 1 & Phase 2.
- Make sure your firewall allows UDP ports 500 (ISAKMP), 4500 (NAT-T), and ESP (protocol 50).
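The high-level steps above in CLI form, with the firewall rules and the checks from section 5. This is an added example rather than the article’s own configuration; the pool range, the user l2tpuser, the CHANGE_ME_* secrets, and the single chain=input action=drop rule are assumptions.

```routeros
# Added example (not from the original article): CLI form of the L2TP/IPsec steps
# in 4.1. Pool range, user name and both secrets are constructed placeholders;
# replace the CHANGE_ME_* values before use.

# 1. Address pool and PPP profile for L2TP clients
/ip pool add name=l2tp_pool ranges=192.168.88.220-192.168.88.230
/ppp profile add name=l2tp_profile local-address=192.168.88.1 remote-address=l2tp_pool

# 2. User account bound to the l2tp service
/ppp secret add name=l2tpuser password=CHANGE_ME_PASSWORD service=l2tp profile=l2tp_profile

# 3. Enable the server. use-ipsec=required refuses plain (unencrypted) L2TP and
#    makes RouterOS create the IPsec peer and policy dynamically from the
#    pre-shared key, so the manual IP -> IPsec -> Peer/Policy step is only
#    needed when you want custom Phase 1 / Phase 2 proposals.
/interface l2tp-server server set enabled=yes default-profile=l2tp_profile authentication=mschap2 use-ipsec=required ipsec-secret=CHANGE_ME_PSK

# 4. Firewall: IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) on input.
#    place-before assumes a single chain=input action=drop rule exists.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 action=accept comment="Allow IKE and NAT-T" place-before=[find chain=input action=drop]
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="Allow ESP" place-before=[find chain=input action=drop]
#    L2TP itself is UDP 1701; accept it only when the packet arrived inside IPsec
/ip firewall filter add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="Allow L2TP only inside IPsec" place-before=[find chain=input action=drop]

# 5. Verification: active tunnels, IPsec peers, and a log topic for both
/ppp active print
/ip ipsec active-peers print
/system logging add topics=l2tp,ipsec,!debug action=memory
```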
5. Testing and Monitoring
Once your CHR is up and VPN is configured, you can monitor connections in PPP or IPsec (depending on which VPN type you’re using). Some useful WinBox sections and tools:
- PPP -> Active Connections: See who’s connected via PPTP, L2TP, etc.
- IP -> IPsec -> Active Peers: Monitor IPsec peers and policies.
- Logs: Go to System -> Logging and add a topic like ipsec or ppp for detailed information.
6. Real-World Use Cases
- Remote Workforce: Employees can connect to the company LAN securely from home.
- Site-to-Site: Connect multiple branch offices to a main office using CHR in the cloud.
- Lab Environments: Spin up a CHR instance to test new features without buying hardware.
- Secure Internet Access: Use a CHR VPN server to encrypt traffic on untrusted networks.
7. Wrapping Up and Next Steps
You’ve now seen how to deploy CHR on a virtual platform and set up a basic PPTP VPN. While PPTP isn’t the most secure, it’s a perfect stepping stone to L2TP/IPsec or OpenVPN. Feel free to experiment with different protocols and advanced routing scenarios.
In our next article, we’ll take a deeper dive into L2TP/IPsec—covering both the server and client-side configurations, plus advanced tips like split tunneling and certificate-based authentication.
Until then, keep exploring, stay curious, and let me know if you have any questions. I’m here to help you master MikroTik—physical or virtual—from a friendly, down-to-earth viewpoint.
Written by:
Emmanuel Corels, Admin
Emmanuel Corels Creatives