CyberGhost: MikroTik Router Configuration for VPN

This guide details how to configure a MikroTik router to connect to CyberGhost VPN, ensuring all traffic is routed through the VPN. We will focus on WireGuard, offering better performance compared to OpenVPN.

WireGuard Configuration

1. Import CyberGhost WireGuard Configuration:

   • Download the WireGuard configuration file (.conf) for your desired server location from the CyberGhost website.

   • Open Winbox and navigate to Interfaces > WireGuard.

   • Click the "+" button and import the downloaded .conf file.

   • Rename the interface (e.g., wg-cyberghost).

2. Configure WireGuard Interface:

   • Set the listen-port to a random unused port (e.g., 51820).

   • Endpoint Address: This is the server's IP from the .conf file.

   • Endpoint Port: This is the server's port from the .conf file (usually 51820).

   • Allowed Address: 0.0.0.0/0 (allows all traffic through the tunnel).

   • Persistent Keepalive: Set to 25 seconds to maintain the connection.

   • PrivateKey: This is from the .conf file.

   • PublicKey: This is from the .conf file under [Peer].

3. Add a Peer:

   • Go to the Peers tab within the WireGuard interface.

   • Click the "+" button to add a new peer.

   • Public Key: This is from the .conf file under [Interface].

   • Allowed Address: 0.0.0.0/0.

4. Configure IP Addresses:

   • Navigate to IP > Addresses.

   • Add a new address for the WireGuard interface. The IP address is specified in the .conf file under [Interface] (e.g., 10.14.0.2/32).

Routing Configuration

1. Create a New Routing Mark:

   • Navigate to Mangle under IP > Firewall.

   • Create a new rule with the following settings:

     • Chain: prerouting

     • Src. Address: Your LAN network (e.g., 192.168.88.0/24)

     • Action: mark routing

     • New Routing Mark: cyberghost_route

     • Passthrough: Unchecked

2. Configure Route:

   • Navigate to IP > Routes.

   • Add a new route with the following settings:

     • Dst. Address: 0.0.0.0/0

     • Gateway: The WireGuard interface (wg-cyberghost).

     • Routing Mark: cyberghost_route

3. Masquerade Traffic:

   • Navigate to IP > Firewall > NAT.

   • Add a new rule with the following settings:

     • Chain: srcnat

     • Out. Interface: Your WireGuard interface (wg-cyberghost)

     • Action: masquerade

DNS Configuration

• Set DNS Servers:

  • Navigate to IP > DNS.

  • Set Servers to CyberGhost's DNS servers, or use a privacy-focused alternative like Cloudflare (1.1.1.1, 1.0.0.1) or Google (8.8.8.8, 8.8.4.4).

  • Check Allow Remote Requests.

Quick Checks and Pitfalls

• Firewall Rules: Ensure your firewall rules allow traffic through the WireGuard interface.

• Routing Order: Verify that the routing rule for the VPN has higher priority than the default gateway.

• Connection Stability: Use Persistent Keepalive to maintain a stable connection.

• DNS Leaks: Test for DNS leaks after configuration using a third-party online tool.

• MTU Issues: If experiencing connection problems, adjust the MTU size of the WireGuard interface (try 1420).

Checklist

• Download WireGuard configuration file from CyberGhost.

• Import and configure WireGuard interface in MikroTik.

• Add WireGuard peer.

• Configure IP addresses for the WireGuard interface.

• Create routing mark and routing rule.

• Set DNS servers.

• Test for DNS leaks.

• Verify connection.