Configuring a Mikrotik router to speak to AdGuard VPN is quite straightforward once it has all been figured out. It provides an alternative to the AdGuard VPN client: the router builds an IKEv2/IPsec tunnel to AdGuard, and only the LAN hosts you choose are sent through it.
Adguard.com Configuration
After logging into the AdGuard account, navigate to the AdGuard VPN page and click the “+ Add Router” button. Give the connection a name under Device Name (or stick with the default of Router), select the protocol as IPSec and choose the location you wish your VPN to break out to the internet from, then click Add.
The pop-up box will refresh and display some important information: username, password, IP address, remote server ID. Take a note of all of these. Next download the certificate file comodo.crt to your device.
Mikrotik Configuration
Upload the certificate file to the root storage of the Mikrotik device, this can be completed via FTP, SFTP or via Winbox.
Next, SSH, telnet, or open a terminal window in Winbox to the Mikrotik device.
Importing the certificate
Navigate to /certificate and import the file from Mikrotik storage into the device's certificate store:
/certificate
import file-name=comodo.crt
Press enter to complete the import. Run print afterwards to see the name the certificate was given in the store; this is the name referenced later in the IPsec identity.
Firewall Configuration
Address List
Navigate to /ip/firewall/address-list
Create a new list that will specify the addresses to be routed over the new AdGuard VPN. In this example 192.168.1.55 will utilise the AdGuard VPN:
add address=192.168.1.55 list=vpn_include
Mangle Rules
Navigate to /ip/firewall/mangle
Create two rules: one to mark any connections from the address list created earlier, so they can be routed over the VPN tunnel, and another to clamp the TCP MSS on those marked connections to avoid MTU issues (the ESP and UDP encapsulation reduces the usable payload on a 1500-byte link), which otherwise show up as websites and services not loading properly.
add action=mark-connection chain=forward new-connection-mark=adguard_ipsec passthrough=yes src-address-list=vpn_include
add action=change-mss chain=forward connection-mark=adguard_ipsec new-mss=1350 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=!0-1350
Firewall Rules
Navigate to /ip/firewall/filter
As every Mikrotik will likely have different firewall rules, there can't be a foolproof guide on adding the required rules.
As a general rule, UDP ports 500 (IKE) and 4500 (NAT-T) will need to be permitted through the firewall. Because the router itself initiates the tunnel, that means the output chain for traffic towards the AdGuard address and the input chain for the replies. Decrypted traffic returning to the LAN host passes through the forward chain and can be matched with ipsec-policy=in,ipsec if it needs its own rule.
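The following is an added example of a minimal rule set for this tunnel; it is not from the original post. It assumes an interface list named WAN that contains the internet-facing interface, a new address list adguard_server holding the AdGuard server address from the "+ Add Router" pop-up, and the vpn_include list from the address-list step. It also adds a kill-switch rule, which the post does not cover: without it, if the tunnel drops, traffic from 192.168.1.55 is simply masqueraded out of the WAN in the clear.

```routeros
# Added example, not part of the original post.
# Assumed names: interface list "WAN", address list "adguard_server".
/ip/firewall/address-list
add address=<adguard-ip-address> list=adguard_server comment="AdGuard IPsec server"

/ip/firewall/filter
# IKEv2 (UDP/500) and NAT-T (UDP/4500) are initiated by the router itself,
# so they leave via the output chain and the replies arrive on the input chain.
add chain=output action=accept protocol=udp dst-port=500,4500 \
    dst-address-list=adguard_server comment="IKEv2/NAT-T to AdGuard"
add chain=input action=accept protocol=udp src-port=500,4500 \
    src-address-list=adguard_server comment="IKEv2/NAT-T from AdGuard"
# Raw ESP is only used when there is no NAT between the router and AdGuard;
# when NAT-T is negotiated everything travels inside UDP/4500 and this rule
# simply never matches.
add chain=input action=accept protocol=ipsec-esp \
    src-address-list=adguard_server comment="ESP from AdGuard"
# Kill switch: packets from vpn_include hosts that are about to leave the WAN
# without an IPsec policy applied (ipsec-policy=out,none) would be leaving in
# the clear, which only happens when the tunnel is down. Drop them instead.
add chain=forward action=drop src-address-list=vpn_include \
    out-interface-list=WAN ipsec-policy=out,none comment="AdGuard kill switch"
```

Rules added with add are appended to the end of the chain, so on a router that already ends each chain with a drop rule, use place-before= (or move) to position the accept rules above that drop. The kill-switch rule should sit below any generic established/related accept so that decrypted return traffic is not affected; its counters in /ip/firewall/filter/print stats are a useful indicator of how often the tunnel has been down.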
IPSec Configuration
Mode Configuration
Navigate to /ip/ipsec/mode-config
add connection-mark=adguard_ipsec name=mode-adguard responder=no src-address-list=vpn_include use-responder-dns=no
With responder=no and a src-address-list set, RouterOS generates a dynamic source NAT rule for that list so that the hosts in it are translated to the address AdGuard hands out over mode config; the connection-mark is what ties that dynamic rule to the connections marked in mangle, which is why the mangle step is required. use-responder-dns=no keeps the router's existing DNS servers, so lookups the router performs on behalf of 192.168.1.55 go out via the normal WAN path rather than through the tunnel.
IPSec Profile (Phase 1)
Navigate to /ip/ipsec/profile
add dh-group=ecp256 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 name=profile-adguard proposal-check=strict
IPSec Peer
Navigate to /ip/ipsec/peer
Values to substitute are the IP address obtained from the AdGuard side (address) and the router's own WAN IP (local-address).
add address=<adguard-ip-address> exchange-mode=ike2 local-address=<routers-wan-address> name=adguard profile=profile-adguard
IPSec Proposal (Phase 2)
Navigate to /ip/ipsec/proposal
add enc-algorithms=aes-128-cbc name=proposal-adguard pfs-group=none
IPSec Policy Group
Navigate to /ip/ipsec/policy/group
add name=adguard_group_policy
IPSec Identity
Navigate to /ip/ipsec/identity
Values to substitute are the remote server ID, the certificate, the username, and the password. The certificate value must match the name shown by /certificate print after the import (an imported file is often stored under a name derived from the file name rather than the bare word comodo), and the remote ID is prefixed with fqdn: because AdGuard presents a host name as its IKE identity.
add auth-method=eap certificate=comodo eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=mode-adguard password=<adguard_password> peer=adguard policy-template-group=adguard_group_policy remote-id=fqdn:<adguard_remote_server_id> username=<adguard_username>
IPSec Policy
Navigate to /ip/ipsec/policy
add dst-address=0.0.0.0/0 group=adguard_group_policy proposal=proposal-adguard src-address=0.0.0.0/0 template=yes
Verifying Mikrotik Configuration
Inside of /ip/ipsec/active-peers
it is possible to check the status of the VPN connection. State should be 'established' if the connection was successful.
It is important to note that AdGuard appears to block ICMP, including pings, so this is one of the rare cases where a ping packet cannot be used to confirm that the tunnel is passing traffic. Instead, test browsing from a device that was included in the address list earlier, ideally against a site that reports your public IP address, which should now show the AdGuard exit location rather than the router's WAN address.
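Since ping is unavailable, the tunnel is best verified from the router itself. The following checks are an added example and are not from the original post; they assume the names used throughout this guide (peer adguard, connection mark adguard_ipsec, address list vpn_include) and the client 192.168.1.55 from the address-list step.

```routeros
# Added example, not part of the original post.
# 1. Phase 1: the IKEv2 SA to AdGuard. state should read "established";
#    the remote address and uptime columns confirm which peer and for how long.
/ip/ipsec/active-peers/print

# 2. Phase 2: the policy generated from the 0.0.0.0/0 template. It is marked
#    dynamic, carries the address AdGuard assigned via mode config as its
#    src-address, and ph2-state should be "established".
/ip/ipsec/policy/print where dynamic=yes

# 3. The child SAs actually installed in the kernel: expect one in each
#    direction; the byte counters should grow when the client browses.
/ip/ipsec/installed-sa/print

# 4. The dynamic srcnat rule RouterOS created for the mode-config address list.
#    If it is missing, traffic from vpn_include will never be translated into
#    the tunnel, and the client will still break out via the ordinary WAN.
/ip/firewall/nat/print where dynamic=yes

# 5. Generate some traffic from 192.168.1.55 and confirm its connections carry
#    the mark that selects them for the tunnel.
/ip/firewall/connection/print where src-address~"^192.168.1.55" connection-mark=adguard_ipsec

# 6. If state never reaches "established", enable IPsec logging (without the
#    noisy per-packet topic) and look at the negotiation messages.
/system/logging/add topics=ipsec,!packet action=memory
/log/print where topics~"ipsec"
```

Step 6 leaves a logging rule behind; remove it with /system/logging/remove once the tunnel is up, as the IPsec topic is verbose. An EAP failure in the log usually means the username or password from the AdGuard pop-up was copied incorrectly, while a certificate error points at the certificate= name in the identity not matching what /certificate print shows.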