Follow this tutorial to configure your Mikrotik router with IKEv2 tunnel to Surfshark servers.
Please note, that you will need to have the Router OS 6.45 version at least because older versions do not have some required functions.
At first, you will need to collect some details to set up the VPN client.
Log in to the Surfshark website, click VPN -> Manual setup -> Router.
Under the Files tab, you will see the full list of Surfshark servers. You will need one server's hostname that you will find under its name (for example, al-tia.prod.surfshark.com, which is a hostname of Albania - Tirana).
Scroll down and you will find Other configuration files. Download the IKEv2 certificate.
Click the Credentials tab on top of the page and you will find credentials that you will need to use for this connection method. Write it down or keep in a quickly reachable place.
Once you collect these details, we can start with the router.
- Open your router settings. You can open it by entering the IP of your router to the URL bar of your browser (or using a WinBox).
- Click Files then click Upload
- Go to the folder in which you have saved the IKEv2 certificate you have downloaded previously. Choose the IKEv2 certificate and upload it.
- Go to System -> Certificates
- Click the Import button. Open the drop-down menu on the new pop-up window and choose the uploaded IKEv2 certificate. Click Import.
You will see the imported profile listed there. - Now open a new terminal.
- Enter commands to create a new profile:
/ip ipsec profile
add name=FRBD
We will name this new profile FRBD, because it stands for France Bordeaux, but you can choose your preferred name. - Enter commands to create a new proposal:
/ip ipsec proposal
add name=FRBD pfs-group=none - Enter commands to add the policy group:
/ip ipsec policy group
add name=FRBD - Enter commands to create a new policy:
/ip ipsec policy
add dst-address=0.0.0.0/0 group=FRBD proposal=FRBD src-address=0.0.0.0/0 template=yes
- Enter commands to create a new config mode:
/ip ipsec mode-config
add name=FRBD responder=no - Enter commands to add peer:
/ip ipsec peer
add address=fr-bod.prod.surfshark.com exchange-mode=ike2 name=FRBD profile=FRBD
You will need to enter the name of your chosen server to the command above (fr-bod.prod.surfshark.com in this case). - Now you will need to create a new identity. It is easier to do that manually than via terminal, so close the terminal and go to IP - > IPsec
- Open the Identity tab, click on a blue plus icon and fill the Identity windows as in the picture below.
Here you will need to use the Surfshark service credentials that you have found on our website at the beginning of this tutorial.
Perr: FRBD
Auth. Method: eap
EAP Methods: MS-CHAPv2
Certificate: choose the imported IKEv2 certificate
Remote Certificate: none
Username: Surfshark service username
Password: Surfshark service password
Policy Template Group: FRBD
Notrack Chain: -
My ID Type: auto
Remote ID Type: auto
Match By: remote id
Mode Configuration: FRBD
Generate Policy: port strict
Click Apply and OK. Close the window. - Now you will need to decide what to send via VPN. You can choose to route a specific device via VPN, or all devices connected to this network.
In order to make all devices go via VPN you will need to set the firewall for the IP range on this network. In our case, the IP range is 192.168.10.0/24, so if we wish all devices connected to the Mikrotik router go via the VPN tunnel, you can use this command:
/ip firewall address-list
add address=192.168.10.0/24 list=local
Please note that the range of IP addresses will be different on your network.
For example, let's use the internal IP address of the computer connected to this router. The IP address of this PC is 192.168.10.254
Open the new terminal and use commands:
/ip firewall address-list
add address=192.168.10.254 list=local - Now you will need to assign the Firewall address list to the mode config.
Usee commands:
/ip ipsec mode-config
set [ find name=FRBD ] src-address-list=local
Great, you have connected your PC to the Surfshark VPN server in Bordeaux, France. - To make sure the connection was successful, open the ipleak.net website and check if it shows the IP and DNS addresses of the Surfshark server.
The connection was successful!
If something is not going according to the tutorial, feel free to contact our Customer Success Sharks and they will help you out!