Setting up various types of MikroTik tunnels to MikroTik or Ubuntu — features, security and speed
This article examines setting up various MikroTik and Ubuntu tunnels and compares different methods with respect to security and speed.

This article provides a complete guide to setting up MikroTik-to-MikroTik and MikroTik-to-Ubuntu tunnels. It reviews the types of tunnels, compares their security and performance, and gives practical tips for optimizing speed and security. It is aimed at network administrators, traders and gamers.

 

How do I set up a secure, fast, and stable tunnel between MikroTik and Ubuntu?

Setting up tunnels between MikroTik routers, or between MikroTik and Ubuntu, is a common need for network administrators, DevOps teams, traders, gamers and AI teams. This guide covers the options used in practice: WireGuard, IPsec (IKEv2), OpenVPN and the Layer 2 tunnels EoIP, GRE and VXLAN. For each it gives configuration examples for MikroTik RouterOS and Ubuntu, security tips, and optimizations that reduce latency and increase bandwidth.

 

Types of Tunnels and Choosing the Right One — Setting Up Different Types of MikroTik Tunnels to MikroTik or Ubuntu

The choice of tunnel type depends on your purpose and needs. Here is a summary of the options and use cases:

  • Need for L2: EoIP (MikroTik-proprietary), VXLAN, or GRE with an Ethernet payload (Linux gretap), suitable for VLAN transport and L2 bridging. Plain GRE carries IP packets, not Ethernet frames.
  • Need for secure, low-latency L3: WireGuard or IPsec (IKEv2), suitable for trading, gaming, and connecting cloud services.
  • Firewall/port 443 bypass or road-warrior clients: OpenVPN (TCP or UDP), SSTP.
  • Route exchange between sites (iBGP/eBGP): run BGP over a WireGuard or IPsec tunnel, or over an L2 tunnel.

 

1) WireGuard — Fast, Simple, and Secure

WireGuard is a lightweight VPN with modern fixed cryptography (Curve25519 key exchange, ChaCha20-Poly1305, BLAKE2s), designed for low latency and simple configuration, which makes it a good fit for trading, gaming, and connecting cloud services. There is no cipher negotiation and nothing weak to disable; what you configure is key distribution, the allowed addresses of each peer, and the firewall.

MikroTik configuration example (RouterOS 7+)

# RouterOS generates the private key when none is given; read the public key with /interface/wireguard print
/interface/wireguard add name=wg-site listen-port=51820 mtu=1420
/interface/wireguard/peers add interface=wg-site public-key="UBUNTU_PUBLIC_KEY" allowed-address=10.10.10.2/32 endpoint-address=203.0.113.20 endpoint-port=51820 persistent-keepalive=25s
/ip/address add address=10.10.10.1/24 interface=wg-site
# accept the WireGuard port only from the known peer
/ip/firewall/filter add chain=input protocol=udp dst-port=51820 src-address=203.0.113.20 action=accept place-before=0

allowed-address is cryptokey routing: any subnet that lives behind the Ubuntu host (for example 10.30.0.0/24) must be listed here as well, otherwise RouterOS drops packets from it even though they decrypt correctly.

Ubuntu configuration example (wg-quick)

apt update && apt install wireguard -y
# generate the key pair; the public key is what goes into the MikroTik peer entry
umask 077 && wg genkey | tee /etc/wireguard/wg0.key | wg pubkey > /etc/wireguard/wg0.pub
# /etc/wireguard/wg0.conf
[Interface]
PrivateKey = YOUR_PRIVATE_KEY        # contents of /etc/wireguard/wg0.key
Address = 10.10.10.2/24
ListenPort = 51820
MTU = 1420

[Peer]
PublicKey = MIKROTIK_PUBLIC_KEY
AllowedIPs = 10.10.10.1/32           # add 10.20.0.0/24 etc. for networks behind the MikroTik
Endpoint = 198.51.100.10:51820
PersistentKeepalive = 25
# sysctl -w is lost at reboot; persist forwarding instead
echo 'net.ipv4.ip_forward=1' > /etc/sysctl.d/99-forward.conf && sysctl --system
systemctl enable --now wg-quick@wg0

Optimization tips:

  • Set the tunnel MTU to 1420, or a lower value such as 1380 when the underlay itself has a reduced MTU (PPPoE, a nested tunnel), and clamp TCP MSS to MTU minus 40 so packets are never fragmented inside the tunnel.
  • For TCP throughput on the server, enable BBR. It only affects TCP connections that terminate on the Ubuntu host (an iperf3 server, a database), not traffic the host merely forwards:
sysctl -w net.core.default_qdisc=fq
sysctl -w net.ipv4.tcp_congestion_control=bbr
# persist: printf 'net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n' > /etc/sysctl.d/90-bbr.conf
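As an added example (not part of the original article), the following POSIX shell script derives the WireGuard MTU and TCP MSS from the underlay MTU and renders both sides of the tunnel above from one set of variables, so keys, endpoints, allowed addresses and MSS cannot drift apart between the router and the host. The addresses, the wg-site/wg0 names, the 10.20.0.0/24 and 10.30.0.0/24 LANs and the placeholder keys are assumptions; run it as `sh wg-pair.sh mikrotik` or `sh wg-pair.sh ubuntu`.

```shell
#!/bin/sh
# Added example: derive WireGuard MTU/MSS from the underlay and render both
# sides of a site-to-site tunnel from one set of variables. Addresses and
# keys below are constructed placeholders, not values from the article.

# WireGuard encapsulation per packet: IP header + UDP (8) + WG transport
# header (32 = type 4, receiver index 4, counter 8, Poly1305 tag 16).
wg_mtu() {  # wg_mtu UNDERLAY_MTU IPVERSION -> tunnel MTU
    case "$2" in
        6) echo $(( $1 - 40 - 8 - 32 )) ;;
        *) echo $(( $1 - 20 - 8 - 32 )) ;;
    esac
}
# TCP MSS for IPv4 inside the tunnel: MTU minus IPv4 (20) and TCP (20) headers
tcp_mss() { echo $(( $1 - 40 )); }

# The single source of truth for the link (constructed values)
MT_PUB_IP=198.51.100.10;  MT_TUN_IP=10.10.10.1;  MT_LAN=10.20.0.0/24;  MT_PUBKEY=${MT_PUBKEY:-MIKROTIK_PUBLIC_KEY}
UB_PUB_IP=203.0.113.20;   UB_TUN_IP=10.10.10.2;  UB_LAN=10.30.0.0/24;  UB_PUBKEY=${UB_PUBKEY:-UBUNTU_PUBLIC_KEY}
PORT=51820
MTU=$(wg_mtu 1500 4)     # 1440 on a clean 1500-byte IPv4 underlay
MSS=$(tcp_mss "$MTU")    # 1400

# RouterOS 7 commands: interface, peer, tunnel address, route to the far LAN,
# firewall allow from the known peer only, MSS clamp for SYNs entering the tunnel
render_mikrotik() {
    cat <<EOF
/interface/wireguard add name=wg-site listen-port=$PORT mtu=$MTU
/interface/wireguard/peers add interface=wg-site public-key="$UB_PUBKEY" allowed-address=$UB_TUN_IP/32,$UB_LAN endpoint-address=$UB_PUB_IP endpoint-port=$PORT persistent-keepalive=25s
/ip/address add address=$MT_TUN_IP/24 interface=wg-site
/ip/route add dst-address=$UB_LAN gateway=wg-site
/ip/firewall/filter add chain=input protocol=udp dst-port=$PORT src-address=$UB_PUB_IP action=accept place-before=0
/ip/firewall/mangle add chain=forward protocol=tcp tcp-flags=syn out-interface=wg-site tcp-mss=$(( MSS + 1 ))-65535 action=change-mss new-mss=$MSS passthrough=yes
EOF
}

# Contents of /etc/wireguard/wg0.conf. wg-quick installs routes for AllowedIPs
# itself; %i is expanded by wg-quick to the interface name.
render_ubuntu() {
    cat <<EOF
[Interface]
PrivateKey = ${UB_PRIVKEY:-UBUNTU_PRIVATE_KEY}
Address = $UB_TUN_IP/24
ListenPort = $PORT
MTU = $MTU
# TCPMSS only ever lowers an MSS, so a fixed value is safe here
PostUp = iptables -t mangle -A FORWARD -o %i -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS
PostDown = iptables -t mangle -D FORWARD -o %i -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $MSS

[Peer]
PublicKey = $MT_PUBKEY
AllowedIPs = $MT_TUN_IP/32, $MT_LAN
Endpoint = $MT_PUB_IP:$PORT
PersistentKeepalive = 25
EOF
}

case "${1:-}" in
    mikrotik) render_mikrotik ;;
    ubuntu)   render_ubuntu ;;
esac
```

Feed the real public keys in through MT_PUBKEY and UB_PUBKEY, and change the first argument of wg_mtu if the underlay is not a plain 1500-byte link; everything downstream, including the MSS clamp on both sides, follows from that one number.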

 

2) IPsec (IKEv2) — Industry standard for Site-to-Site and Mobile

IPsec with IKEv2 is a standardized, reliable option supported by hardware appliances and by every major mobile operating system. With AES-GCM as the ESP cipher it gives good performance and security, and on MikroTik models with IPsec hardware acceleration it is the fastest encrypted option available.

MikroTik configuration example (site-to-site with IPsec)

# IKE (phase 1): algorithms live in a profile, authentication in an identity (RouterOS 6.43+/7 syntax)
/ip ipsec profile add name=ike2-aes256 enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048
/ip ipsec peer add name=ubuntu-site address=198.51.100.20/32 exchange-mode=ike2 profile=ike2-aes256
/ip ipsec identity add peer=ubuntu-site auth-method=pre-shared-key secret="PRESHARED_SECRET"
# ESP (phase 2) proposal and traffic selector; for AES-GCM use enc-algorithms=aes-256-gcm auth-algorithms=null
/ip ipsec proposal add name=esp-aes256-sha256 auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy add peer=ubuntu-site src-address=10.20.0.0/24 dst-address=10.30.0.0/24 tunnel=yes proposal=esp-aes256-sha256
/ip firewall nat add chain=srcnat src-address=10.20.0.0/24 dst-address=10.30.0.0/24 action=accept place-before=0

The last rule matters whenever the router masquerades: without it the LAN traffic is NATed to the public address before policy lookup and never matches the IPsec policy. Also allow UDP 500, UDP 4500 and protocol ipsec-esp from 198.51.100.20 in the input chain.

Example Ubuntu configuration with strongSwan

apt update && apt install strongswan -y
# /etc/ipsec.conf
config setup
  uniqueids=never

conn site-to-site
  left=198.51.100.20
  leftsubnet=10.30.0.0/24
  right=198.51.100.10
  rightsubnet=10.20.0.0/24
  ike=aes256-sha256-modp2048!
  esp=aes256-sha256!
  keyexchange=ikev2
  authby=psk
  dpdaction=restart
  dpddelay=30s
  auto=start

# /etc/ipsec.secrets (mode 600)
198.51.100.20 198.51.100.10 : PSK "PRESHARED_SECRET"
# apply and check that the CHILD_SA is installed
ipsec restart && ipsec statusall

The trailing "!" makes the proposals strict so charon cannot negotiate down to a weaker algorithm, and auto=start (rather than auto=add) brings the tunnel up at boot. For AES-GCM set esp=aes256gcm16! here and the matching GCM proposal on the MikroTik. Forwarding must be enabled on the host (net.ipv4.ip_forward=1) for the LAN-to-LAN traffic to pass.

 

3) OpenVPN — High compatibility but higher latency

OpenVPN supports the widest range of clients, but its user-space TLS design gives it higher latency and CPU overhead than WireGuard. Where strict firewalls block UDP, it can run over TCP/443 so that it looks like HTTPS.

apt install openvpn easy-rsa -y
make-cadir ~/openvpn-ca   # build the CA, server cert/key and DH params with easy-rsa, then copy them to /etc/openvpn/server/
openvpn --genkey secret /etc/openvpn/server/ta.key
# /etc/openvpn/server/server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dh.pem
tls-crypt /etc/openvpn/server/ta.key
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
data-ciphers AES-256-GCM:CHACHA20-POLY1305   # replaces the deprecated "cipher" directive in OpenVPN 2.5+
auth SHA256
keepalive 10 120
user nobody
group nogroup

Tips:

  • Use UDP for best performance and fall back to TCP only where UDP is blocked. RouterOS 6 supports OpenVPN over TCP only; UDP support arrived in RouterOS 7.
  • Use tls-crypt (or the older tls-auth) so that packets without the shared key are dropped before any TLS processing; this hides the port from scanners and blunts handshake floods.
  • TCP/443 adds the risk of TCP-over-TCP meltdown: retransmissions at both layers compound, so latency and overhead rise under loss.

 

4) EoIP/GRE/VXLAN — Layer 2 Tunnels and Use Cases

These tunnels carry Ethernet frames between sites or data centers. EoIP is a MikroTik-proprietary GRE variant and is unencrypted, so it must be wrapped in IPsec (RouterOS does this automatically when ipsec-secret is set on the interface). Ubuntu has no native EoIP driver, so when one end is Ubuntu use VXLAN or gretap instead. Keep the tunnel MTU below the underlay MTU (EoIP adds 42 bytes of IP, GRE and Ethernet headers before IPsec) or every full-size frame will be fragmented.

# ipsec-secret makes RouterOS create the IPsec peer and policy for this tunnel automatically
/interface eoip add name=eoip-tun local-address=198.51.100.10 remote-address=198.51.100.20 tunnel-id=10 ipsec-secret="EOIP_IPSEC_PSK"
/ip address add address=10.40.0.1/24 interface=eoip-tun
# or bridge it instead of addressing it, to extend a LAN segment across the tunnel
/interface bridge port add bridge=bridge-lan interface=eoip-tun

VXLAN, used in data-center and container environments, has no encryption or authentication of its own, so it is run inside IPsec or WireGuard. Its encapsulation adds another 50 bytes (Ethernet 14, IPv4 20, UDP 8, VXLAN 8) on top of the outer tunnel overhead, and the bridge MTU must account for both.
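The following script is an added example, not code from the article, showing the Ubuntu side of an L2 segment carried as unicast VXLAN inside the WireGuard tunnel from the WireGuard section, with the bridge MTU derived from the WireGuard MTU. The interface names, VNI and addresses are assumptions; the printed RouterOS 7 commands are the matching router side (verify the parameter names against your RouterOS release). DRY_RUN=1 prints the ip commands instead of executing them, which is also how the script is tested below.

```shell
#!/bin/sh
# Added example: VXLAN over WireGuard between Ubuntu and a MikroTik router.
# Interface names, VNI and addresses are constructed assumptions.
#
# MTU budget: VXLAN adds 14 (Ethernet) + 20 (IPv4) + 8 (UDP) + 8 (VXLAN) = 50
# bytes, so the bridge MTU must be the WireGuard MTU minus 50.
VXLAN_OVERHEAD=50

WG_IF=${WG_IF:-wg0}                      # WireGuard interface carrying the VXLAN packets
WG_MTU=${WG_MTU:-1420}
LOCAL_VTEP=${LOCAL_VTEP:-10.10.10.2}     # Ubuntu's WireGuard address
REMOTE_VTEP=${REMOTE_VTEP:-10.10.10.1}   # MikroTik's WireGuard address
VNI=${VNI:-10}
BRIDGE=${BRIDGE:-br-l2}
LAN_IF=${LAN_IF:-eth1}                   # local port whose L2 segment is extended

# DRY_RUN=1 prints commands instead of running them (running them needs root)
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

inner_mtu() { echo $(( $1 - VXLAN_OVERHEAD )); }

vxlan_up() {
    mtu=$(inner_mtu "$WG_MTU")
    # unicast VXLAN: one static remote VTEP, no multicast needed inside the tunnel;
    # "dev wg0" pins the VXLAN packets to the WireGuard interface so they never leak in clear
    run ip link add "vxlan$VNI" type vxlan id "$VNI" local "$LOCAL_VTEP" remote "$REMOTE_VTEP" dstport 4789 dev "$WG_IF"
    run ip link set "vxlan$VNI" mtu "$mtu"
    run ip link add "$BRIDGE" type bridge
    run ip link set "$BRIDGE" mtu "$mtu"
    run ip link set "vxlan$VNI" master "$BRIDGE"
    run ip link set "$LAN_IF" master "$BRIDGE"
    run ip link set "vxlan$VNI" up
    run ip link set "$BRIDGE" up
}

# The matching RouterOS 7 side, printed for pasting into the router terminal.
mikrotik_side() {
    cat <<EOF
/interface/vxlan add name=vxlan$VNI vni=$VNI port=4789 local-address=$REMOTE_VTEP mtu=$(inner_mtu "$WG_MTU")
/interface/vxlan/vteps add interface=vxlan$VNI remote-ip=$LOCAL_VTEP
/interface/bridge/port add bridge=bridge-lan interface=vxlan$VNI
EOF
}

case "${1:-}" in
    up)       vxlan_up ;;
    mikrotik) mikrotik_side ;;
esac
```

Because the VTEP addresses are the WireGuard tunnel addresses, the VXLAN traffic can only ever be sent encrypted; if wg0 is down the kernel has no route to the remote VTEP and the frames are dropped rather than sent in clear over the underlay.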

 

Comparing security and performance — which one should I choose?

  • Speed / lowest latency: WireGuard > IPsec (AES-GCM) > OpenVPN (UDP) > OpenVPN (TCP). With IPsec hardware acceleration the first two swap places on the affected MikroTik models.
  • Stability behind NAT and firewalls: WireGuard with PersistentKeepalive keeps the NAT mapping alive; OpenVPN over TCP/443 passes where only HTTPS is allowed.
  • Layer 2 requirements: use EoIP, GRE or VXLAN, always inside IPsec or WireGuard.
  • Hardware acceleration: some MikroTik models accelerate IPsec (AES) in hardware; WireGuard runs in software on every model, so size the CPU for the expected throughput.

 

Practical tips for increasing security and speed

  • MTU and MSS clamping are essential to prevent fragmentation: set the tunnel MTU first, then clamp the MSS of TCP SYNs entering the tunnel in both directions (one rule matching out-interface, one matching in-interface).
  • Disable weak ciphers and use AES-GCM or ChaCha20-Poly1305. WireGuard uses ChaCha20-Poly1305 only; IPsec and OpenVPN must be configured for it explicitly.
  • Restrict the tunnel ports (UDP 51820; UDP 500/4500 and ESP; UDP or TCP 1194) to the peer's source address in the firewall.
  • Monitor latency and packet loss with SNMP, Prometheus or NetFlow and alert on them.
  • Build HA and failover with VRRP/Keepalived or with BGP over redundant tunnels.
  • Use Anti-DDoS services to protect the public endpoints.
# MikroTik: clamp the MSS of SYNs forwarded into the tunnel (WireGuard MTU 1420 - 40 = 1380)
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn out-interface=wg-site tcp-mss=1381-65535 action=change-mss new-mss=1380 passthrough=yes
# Ubuntu: persist BBR instead of a one-off sysctl -w
printf 'net.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n' > /etc/sysctl.d/90-bbr.conf && sysctl --system

 

BGP and Multi-Location Implementation — Design for Stability and Low Latency

For large enterprises or multihoming, run BGP over WireGuard or IPsec to advertise routes between sites and data centers instead of maintaining static routes; when a tunnel fails, its routes are withdrawn and traffic moves to the surviving path.

  • Running BGP over WireGuard/IPsec to advertise routes between locations.
  • Leverage a wide network of locations for content delivery or CDN.
  • For traders and gamers, choosing a location close to the destination server and using a VPS with anti-DDoS is crucial.

 

Practical tips for specific applications

For traders

  • Use WireGuard or IPsec with a server in a location close to Exchange.
  • A trading VPS with dedicated resources, low ping, and Anti-DDoS is recommended.
  • Setting up latency and jitter monitoring.

For gamers

  • WireGuard over UDP for the lowest latency; SSTP (TCP/443) only where the firewall blocks UDP, accepting the extra latency of TCP.
  • Gaming VPS with BGP network and location close to the game server is useful.
  • If supported, use MTU Jumbo frames on internal data center networks.

For AI and rendering (GPU)

  • Use a graphics server (GPU) and secure tunnel to transfer data or connect to clusters.
  • Use configurations that support high throughput and low latency, such as WireGuard or IPsec with AES-GCM and hardware acceleration.

 

Practical checklist before launching

  • Determine goals: L2 or L3, number of partners, amount of bandwidth and SLA required.
  • Choose the type of tunnel based on your needs and compare security/speed.
  • Measure the path MTU through the tunnel and set the tunnel MTU and MSS clamp from the result.
  • Enable ip_forward and set the appropriate sysctl.
  • Configure the firewall (open only the necessary ports).
  • Strong encryption and key rotation: WireGuard keys and IPsec pre-shared keys never expire by themselves, so schedule their rotation.
  • Monitoring, logging and alerting.
  • Testing with iperf3, ping, and tracepath to measure throughput and latency.
iperf3 -s                              # on the far end of the tunnel
iperf3 -c 10.10.10.2 -p 5201 -R        # through the tunnel, download direction; omit -R for upload. Run the same against 198.51.100.20 to see the encryption overhead
iperf3 -c 10.10.10.2 -u -b 50M         # UDP run: reports jitter and loss, which matter more than raw throughput for gaming and trading
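As an added example (not from the article), this POSIX shell script performs the two checks from the list above in a repeatable way: it binary-searches the largest DF-marked ICMP payload that crosses the tunnel, converts it to the usable path MTU, and parses ping's summary line into average RTT, jitter (mdev) and loss. The probe and the ping output are passed in as a function and a string, so the logic can be tested offline against constructed output; the tunnel address, the `ping -M do` / `-W` flags (Linux iputils) and the 1200..1500 search range are assumptions.

```shell
#!/bin/sh
# Added example: verify a tunnel before putting traffic on it.
# TARGET is the far end's tunnel address (constructed assumption).
TARGET=${TARGET:-10.10.10.1}

# real probe: exit 0 when a DF-marked ping with $1 payload bytes gets through
icmp_probe() { ping -c 1 -W 2 -M do -s "$1" "$TARGET" >/dev/null 2>&1; }

# find_pmtu PROBE LOW HIGH -> largest payload size for which PROBE succeeds
# (binary search: a failing size means "too big", a passing size means "try larger")
find_pmtu() {
    probe=$1; lo=$2; hi=$3; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid"; then best=$mid; lo=$(( mid + 1 )); else hi=$(( mid - 1 )); fi
    done
    echo "$best"
}

# ICMP payload -> link MTU: add ICMP (8) + IPv4 (20) headers
payload_to_mtu() { echo $(( $1 + 28 )); }

# ping_summary "<ping output>" -> "avg=<ms> jitter=<mdev ms> loss=<percent>"
# Parses the "N% packet loss" and "rtt min/avg/max/mdev = a/b/c/d ms" lines.
ping_summary() {
    printf '%s\n' "$1" | awk '
        /packet loss/ { for (i = 1; i <= NF; i++) if ($i ~ /%/) loss = $i }
        /^rtt|^round-trip/ { split($4, f, "/"); avg = f[2]; mdev = f[4] }
        END { printf "avg=%s jitter=%s loss=%s\n", avg, mdev, loss }'
}

check_tunnel() {
    payload=$(find_pmtu icmp_probe 1200 1500)
    echo "path MTU through tunnel: $(payload_to_mtu "$payload")"
    ping_summary "$(ping -c 20 -i 0.2 "$TARGET" 2>&1)"
}

if [ "${1:-}" = "run" ]; then check_tunnel; fi
```

A WireGuard interface with MTU 1420 should report a path MTU of exactly 1420 (payload 1392); a smaller value means the underlay is already squeezing the tunnel and the interface MTU and MSS clamp need to come down to match. A jitter figure that jumps under the iperf3 load is the symptom to look for when a gaming or trading link feels fine idle but stalls under traffic.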

 

Implementation Tips on MikroTik and Ubuntu — Technical Summary

  • MikroTik: use RouterOS 7+ for WireGuard; on models with IPsec hardware acceleration, IPsec with AES is the fastest encrypted option, while WireGuard is software-only on every model; run EoIP only when L2 is needed and always with ipsec-secret set.
  • Ubuntu: use wg-quick for WireGuard and strongSwan for IPsec; persist the sysctl changes (ip_forward, BBR) under /etc/sysctl.d so they survive a reboot.
  • Put sensitive traffic (database, rendering, transactions) inside encrypted tunnels and expose public services only through NAT and a reverse proxy.

 

Company services and related offers

Our company provides services related to the implementation of secure and low-latency tunnels. Services include the following:

  • Over 85 global locations to choose the center closest to your Exchanges, game server, or users.
  • High-performance cloud servers with the option to choose BGP and CDN networks.
  • VPS for trading with low ping and Anti-DDoS protection.
  • Graphics server (GPU) for AI and rendering.
  • Anti-DDoS servers and network solutions to ensure connection stability.
  • Support in WireGuard/IPsec/OpenVPN implementation and BGP and HA network design.

To view plans or for more information, you can visit the relevant section: Contact/View Plans

 
