NordVPN with Mikrotik

Why use VPN?!

Every Internet user should be familiar with privacy and security. Internet providers, browsers, applications can all keep track of what you are doing online. We have serval options to keep our privacy on higher level. In my opinion the best solutions, and some kind of “must have” is VPN. I cannot imagine surffing the Internet without using VPN, especially on hotels, restaurants, vacation, dont trust any Free WiFi spot. Have you ever wondered how google knows what ads to show you? Your every move is monitored, but we can hide behind VPN. Normally we have to install vpn application on all devices in network, but it is not necessary when using Mikrotik router with RouterOS. The RouterOS system on Mikrotik’s device gives almost infinite configuration possibilities, we can convert the entire router into a VPN client. All connected devices will automatically work “behind the VPN”. You can find the available variants of NordVPN configuration at this address. Additionally, the minimum RouterOS version supporting IKEv2 is 6.45 and when using SHA-384 it is min. 6.48.


Im using NordVPN from many years, and i can safely recommended it. First of all, we have to choose what server we want connect to. Go to and choose country and server. Go back to user panel and save username and password. Write it down, we will use it later.

Mikrotik NordVPN

In the next step we have to download and install root CA from NordVPN. Using drag&drop copy certificate to Files on Mikrotik. On the left menu click System->Cetificates and Import new CA.

Mikrotik NordVPN IKEv2
Mikrotik NordVPN IKEv2

IPSec Profile

IPSec connection we will start by adding new IPSec Profile. Go to IP->IPSec and add new entry:

  • Name: set NordVPN
  • Hash Algo.: SHA384(support from RouterOS 6.48)
  • PRF Algo.: leave auto
  • Encryption Algo.: aes-256
  • DH Group: modp3072

You can use default setting, it also will work, but i would recommend higher security options. Remember to check hardware acceleration site. You can check what encryption you can use.

Mikrotik NordVPN IKEv2

IPSec Proposals

In the next step we will prepare IPSec Phase 2 by clicking on Proposals tab.

  • Name: NordVPN
  • Auth Alog.: sha256
  • Encr. Algo.: aes-256 cbc
  • Lifetime: change to 00:30
  • PFS Group: change to none
Mikrotik NordVPN IKEv2

IPSec Policy i Policy Group

  • Src. Address: put to pass all traffic thru ipsec tunnel
  • Dst. Address:
  • Group: NordVPN
  • Action: encrypt
  • IPsec Protocols: esp
  • Proposal: NordVPN
Mikrotik NordVPN IKEv2
Mikrotik NordVPN IKEv2
Mikrotik NordVPN IKEv2

IPSec Modeconfig

We can override IPSec Policy(Src. Address by using Modeconfig and Connection Mark. In modeconfig we can choose what IP address we want to passthought to vpn tunnel.

Mikrotik NordVPN IKEv2

IPSec Peer

  • Name: NordVPN
  • Address: address from
  • Profile: NordVPN
  • Exchange Mode: IKE2
Mikrotik NordVPN IKEv2

IPSec Identity

Login to NordVPN panel account and copy credentials.

Mikrotik NordVPN IKEv2

Add a Comment

Your email address will not be published. Required fields are marked *