I recently bought some Mikrotik devices for my home network, including a Mikrotik HexS.
I have a fibre connection coming to my house, which goes directly into the SFP port of the HexS and I connect to the internet using pppoe.
The initial setup was actually quite easy, since it was all possible using QuickSet but still I managed to shut down my connection (twice) because I accidentaly checked the (pretty prominent) “Bridge all LAN ports” checkbox. My connection was shut down by my ISP (“storm_control”) and has been reenabled after a call with an operator.
The fact that it was just that easy to completely shut down my connection makes me a little afraid to change anything. I mean, it’s okay, if I destroy my local network as I can simply restore the backup of the current (working) state, but I don’t want to call my ISP every other day to reenable my connection.
So thats why I am here, asking for an advice to enable VPN on MikroTik.
My goal is to be able to securely access my home network from the internet mainly using an Android phone. I don’t have a static ip but I have enabled MiktroTiks DDNS service.
I have seen that MikroTik has a VPN checkbox in the QuickSet but the address there always shows 0.0.0.0 to me, while all tutorials show the public domain *.sn.mynetname.com there.
I also checked other tutorials but there seem to be too many options for me to know which one to choose here. Also some tutorials show how to create a site-to-site VPN connection, which is, as much as I understand, not what I need.
So if anyone could guide me in the right direction, I would be very happy.
Thanks in advance and regards 
You may consider setting up a Wireguard tunnel to accomplish your goal. Check out this guide or Mikrotik’s official roadwarrior Wireguard setup docs
Side note: avoid QuickSet! Get your hands dirty, it’ll be way more fun and give you more confidence for any future configurations you may want to add. Plus, it’ll be way harder to screw up (QuickSet hides several operations, many of which you may not really need or want at all, behind innocent-looking checkboxes - not ideal)
I just wanted to let you know, that I just configured WireGuard successfully using the tutorial on the official MikroTik Youtube Channel (https://www.youtube.com/watch?v=vn9ky7p5ESM).
It was actually quite simple as soon, I just had to overcome my fear of messing up everything.
The configuration of the clients on both sides is a little tricky as you need to copy around the keys but fortunately there are some tools to generate config files and even QR-Codes.
Thank you again for your help!
Before I had fibre connection, I set up everything by hand (following a tutorial of course) to use my smartphones hotspot.
Now since I shit down my connection I am afraid to just “play around”. I already had to call my ISP twice in one day and thats really not what I want to do daily 
I agree that you usually should do many things manually and I guess playing around with VPN won’t cause any big problems.
Regarding Wireguard: For this I have to use an app on android. Is that correct? What are the advantages agains L2TP/IPSec as that would be included natively on Android (at least on my phone).
Thank you for yor response, I really appreciate it!
cool, glad you got it working have a nice day!
Yes, there’s the official app for Android. You may very well go for L2TP/IPSec, but I’ve had Wireguard perform better for me. Furthermore it’s a more modern, stronger (cryptography-wise) alternative. I also think it’s more straightforward to configure, but it really boils down to your personal preference. Use whichever you think suits your needs best.
In the guide you linked, there is another router between the MikroTik and the internet. Does the guide still work for the direct fibre connection I use?
Also the official MikroTik guide creates an IP for the Wireguard but it never states how to choose it. I am using a 192.168.1.1/24 local network. Should the Wireguard IP be part of that network or does it need to be outside of it?
Sorry for this probably stupid questions but I am pretty new to all of this networking stuff.
Thanks
Outside of 1.0/24. Use for example 192.168.100.0/24 for wireguard addresses for clinents.
Thank you for your answer! I’ll give it a try
