This guide was created by a community member and reviewed by us. Firmware and router interfaces may change over time, so some steps may differ depending on your device or version.
Prerequisites
- Ensure that you have RouterOS Version 7.23.1 or newer.
- Winbox Version 4 or newer.
- Connect to your router using Winbox.
This guide assumes your WAN interface is configured via DHCP. If not, pre-configure your internet connection as instructed by your ISP.
The commands in this guide assume that your local network is on the "192.168.88.0/24" subnet, and the bridge for LAN interfaces is named "bridge". If this is not the case, replace the values in the commands with those relevant to your network.
In the video, I will show you how to set up via the WinBox GUI. The terminal commands are an alternative way to configure the router.
Setup
Plug the WAN cable into port 1, and the cable from your PC into port 2 of the router.
Set your PC's network adapter to obtain an IP address automatically via DHCP.
Launch WinBox and find your router in the list on the right. Default login: admin, password is empty.
Upon first login, accept the default configuration (click OK in the pop-up window).
The system will prompt you to change the administrator password. Enter a new password and confirm it.
Change the DNS servers that will be issued to clients via DHCP.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=8.8.8.8,1.1.1.1
Assign an IP address to the device(s) that will route traffic through the VPN. Go to IP -> DHCP Server -> Leases tab, find your device, and click Make Static. Remember its IP address (in the following steps, we will use 192.168.88.254 as an example).
Disable FastTrack:
/ip firewall filter disable [find action=fasttrack-connection]
After this, be sure to reboot the router. Reconnect via WinBox; you will need to enter the password you created.
Create an address list for devices that should use the VPN.
/ip firewall address-list add address=192.168.88.254 list=xeovo_vpn_list
Download the OpenVPN configuration from the Xeovo website.
To do this, log in to your Xeovo account and open the OpenVPN generator. Set Platform to Linux and Select Country to All countries. Select an existing key or generate a new one. Navigate to Advanced settings.
Choosing the connection protocol. Xeovo offers two options: UDP and TCP. The UDP protocol is faster, while TCP is slower. However, TCP has two advantages: it implements delivery confirmation, making the connection more reliable, and it connects through port 443, which can help bypass basic port-based blocking.
Select the protocol that works for you (I'll use TCP) and download the configuration files by clicking the "Download" button.
In WinBox, open the Files menu, create a folder named flash/xeovo_ovpn_configs, and upload the downloaded .conf file for your desired location into it.
Import the configuration.
Navigate to PPP → click the "Import .ovpn" button, select your .conf file, and enter your Xeovo login and password in the OVPN Client User and OVPN Client Password fields.
On the Interfaces tab, double-click the created interface and change the automatically generated name in the Name field to xeovo-ovpn. Click the OK button to confirm the changes.
Enable the created interface by clicking the Enable button.
If you have done everything correctly, the interface status will change to R (Running).
Our goal is to route devices included in a specific list to the internet via VPN. We will create a separate routing table and a set of rules for these devices, thereby directing devices from our VPN list into this table. Devices not included in this list should access the internet the standard way, through the ISP's network.
Create a new routing table.
/routing/table/add disabled=no fib name=xeovo_route_table
Add routes to the new table.
/ip/route/add dst-address=0.0.0.0/0 gateway=xeovo-ovpn routing-table=xeovo_route_table
/ip/route/add dst-address=192.168.88.0/24 gateway=bridge routing-table=xeovo_route_table
Add the device that should access the internet via VPN to the xeovo_vpn_list. I'm adding my PC, the one I'm using for this setup.
/ip/firewall/address-list/add address=192.168.88.254 list=xeovo_vpn_list
Add a rule to allow traffic within the local network.
/ip/firewall/mangle/add chain=prerouting action=accept dst-address=192.168.88.0/24
Add a rule for connection marking.
/ip/firewall/mangle/add chain=prerouting action=mark-connection \
    src-address-list=xeovo_vpn_list \
    new-connection-mark=xeovo_vpn passthrough=yes
Add a rule for routing marking.
/ip/firewall/mangle/add chain=prerouting action=mark-routing \
    connection-mark=xeovo_vpn new-routing-mark=xeovo_route_table passthrough=yes
Configure NAT for the VPN interface.
/ip firewall nat add action=masquerade chain=srcnat out-interface=xeovo-ovpn
Configure a Kill Switch to block internet access for devices in the list if the VPN connection suddenly drops or if the marking rules stop working for some reason.
/ip firewall filter add action=drop chain=forward out-interface=!xeovo-ovpn \
    dst-address=!192.168.88.0/24 src-address-list=xeovo_vpn_list place-before=0
You are done. Now, devices that you have added to xeovo_vpn_list will access the internet through the Xeovo network. Other devices on the local network will remain accessible to them. Devices not included in xeovo_vpn_list will access the internet as usual, through the ISP's network.
To verify the connection, visit DoesMyVPN.work from a device added to the xeovo_vpn_list.
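The Python model below is an added example, not part of the original guide or of Xeovo's tooling. It walks one forwarded packet through the guide's mangle rules, route lookup and Kill Switch rule to show what the drop rule prevents when the tunnel is down. The WAN interface name ether1, the sample addresses, and the fall-back to the main routing table when the VPN route is inactive are assumptions of the model.

```python
import ipaddress

# Values taken from the guide's commands; WAN_IF is an assumed interface name.
LAN = ipaddress.ip_network("192.168.88.0/24")
VPN_LIST = {ipaddress.ip_address("192.168.88.254")}   # xeovo_vpn_list
VPN_IF, LAN_IF, WAN_IF = "xeovo-ovpn", "bridge", "ether1"


def mangle_prerouting(src, dst):
    """Return the routing mark the three mangle rules leave on a packet."""
    if dst in LAN:                      # rule 1: accept, later rules are skipped
        return None
    if src in VPN_LIST:                 # rules 2 and 3: mark-connection, mark-routing
        return "xeovo_route_table"
    return None


def route_lookup(mark, dst, vpn_up):
    """Pick the outgoing interface.

    Modelling assumption: a route whose gateway interface is down is
    inactive, and a marked packet with no active route in its own table
    is resolved in the main table instead.
    """
    if mark == "xeovo_route_table":
        if dst in LAN:
            return LAN_IF
        if vpn_up:
            return VPN_IF
    return LAN_IF if dst in LAN else WAN_IF   # main table


def forward_filter(src, dst, out_if, kill_switch):
    """Apply the guide's drop rule, which sits first in the forward chain."""
    if kill_switch and src in VPN_LIST and out_if != VPN_IF and dst not in LAN:
        return "drop"
    return "accept"


def decide(src, dst, vpn_up=True, kill_switch=True):
    """Return (out_interface, verdict) for one forwarded packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out_if = route_lookup(mangle_prerouting(src, dst), dst, vpn_up)
    return out_if, forward_filter(src, dst, out_if, kill_switch)


if __name__ == "__main__":
    pc, web = "192.168.88.254", "203.0.113.7"   # constructed sample addresses
    for up, ks in ((True, True), (False, True), (False, False)):
        print(f"vpn_up={up} kill_switch={ks} ->", decide(pc, web, up, ks))
```

With the tunnel down and no Kill Switch rule, the model sends the listed PC out through ether1 with verdict accept, which is the leak the drop rule exists to stop.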