NordVPN on Mikrotik

NordVPN on Mikrotik

Every internet user should be aware of privacy and security. Internet providers, browsers and applications can all keep track of what you do online. We have several options to keep our privacy on a higher level. In my opinion, the best solution and a kind of “must have” is VPN. I cannot imagine surfing the internet without using VPN, especially in hotels, restaurants, on holiday, and remember do not trust any free WiFi spot and start using NordVPN on Mikrotik.

Ever wondered how Google knows which ads to show you? Your every move is being watched, but we can hide behind VPN. Normally we have to install a VPN application on every device in the network, but with Mikrotik’s router and RouterOS this is not necessary. The RouterOS system on Mikrotik’s device gives almost infinite configuration possibilities, we can turn the whole router into a VPN client. All connected devices will automatically work “behind the VPN”. The available NordVPN configuration variants can be found at this address. In addition, the minimum RouterOS version supporting IKEv2 is 6.45 and when using SHA-384 it is at least 6.48..


Im using NordVPN from many years, and i can safely recommended it. First of all, we have to choose what server we want connect to. Go to then choose country and server. Go back to user panel and save username and password. Write it down, we will use it later.

Mikrotik NordVPN

In the next step we have to download and install root CA from NordVPN. Using drag&drop copy certificate to Files on Mikrotik. On the left menu click System->Cetificates and Import new CA.

Mikrotik NordVPN IKEv2
Mikrotik NordVPN IKEv2

IPSec Profile

IPSec connection we will start by adding new IPSec Profile. Go to IP->IPSec and add new entry:

  • Name: set NordVPN
  • Hash Algo.: SHA384(support from RouterOS 6.48)
  • PRF Algo.: leave auto
  • Encryption Algo.: aes-256
  • DH Group: modp3072

You can use the default setting, it also will work, but i would recommend higher security options. Remember to check the hardware acceleration page. You can check what encryption you can use.

Mikrotik NordVPN IKEv2

IPSec Proposals -NordVPN on Mikrotik

In the next step we will prepare IPSec Phase 2 by clicking on Proposals tab.

  • Name: NordVPN
  • Auth Alog.: sha256
  • Encr. Algo.: aes-256 cbc
  • Lifetime: change to 00:30
  • PFS Group: change to none
Mikrotik NordVPN IKEv2

IPSec Policy i Policy Group

  • Src. Address: put to pass all traffic thru ipsec tunnel
  • Dst. Address:
  • Group: NordVPN
  • Action: encrypt
  • IPsec Protocols: esp
  • Proposal: NordVPN
Mikrotik NordVPN IKEv2
Mikrotik NordVPN IKEv2
Mikrotik NordVPN IKEv2

IPSec Modeconfig

We can override IPSec Policy(Src. Address by using Modeconfig and Connection Mark. In modeconfig we can choose what IP address we want to passthought to vpn tunnel.

Mikrotik NordVPN IKEv2

IPSec Peer

  • Name: NordVPN
  • Address: address from
  • Profile: NordVPN
  • Exchange Mode: IKE2
Mikrotik NordVPN IKEv2

IPSec Identity

Login to NordVPN panel account and copy credentials.

Mikrotik NordVPN IKEv2

Add a Comment

Your email address will not be published. Required fields are marked *