Configure a MikroTik CHR Router with a Virtual Private Cloud (VPC)

Updated on October 21, 2022
Configure a MikroTik CHR Router with a Virtual Private Cloud (VPC) header image

MikroTik Cloud Hosted Router (CHR) is a RouterOS version designed for cloud servers. CHR has full RouterOS features enabled by default but has a different licensing model. The free license has a speed limit of 1 Mbit. For higher speeds, you can activate a 30-day trial or pay for a full license.

Mikrotik CHR is useful as a VPN server or client. It can also perform bandwidth shaping, bridging, and act as a firewall. Mikrotik CHR is ideal for use as an IPsec gateway device in a multi-cloud network. This article explains how to install Mikrotik CHR and configure it with a Vultr Virtual Private Cloud (VPC).

Initial Installation

Mikrotik distributes CHR as a RAW disk image, which you'll download and write to a Vultr instance with the dd command.

Deploy a New Server

  1. Deploy a new Cloud Compute instance.
  2. Choose a server location best for your purposes.
  3. Select the ISO Library tab in the Server Image section.
  4. Choose the SystemRescue x64 version.
  5. Choose a server size. MikroTik CHR has low disk and RAM requirements that any Vultr instance meets, so you should choose a size based on your expected bandwidth requirements.
  6. Give the server a hostname and label, then click Deploy Now.

Optional: The new server will have a blank password after writing the RAW image in the next step. If you are cautious, consider protecting the server with a Vultr Firewall during the installation until you set a strong password.

Download and Install MikroTik CHR

Wait for the server to deploy, then:

  1. In another browser window, navigate to the MikroTik download page.

  2. Locate the RAW version of the latest 7.x Stable version in the Cloud Hosted Router section.

    Download CHR

  3. Right-click the floppy disk image and copy the URL to your clipboard.

  4. On the server's overview page, click View Console to connect to the web console.

  5. If SystemRescue hasn't finished booting, select the first option to boot with default options.

    System Rescue

  6. At the root prompt, type wget, then use the web console Send Clipboard feature to paste the Mikrotik download URL. Type Enter to start the download.


  7. Unzip the downloaded file. Yours may be a different 7.x Stable version than the one shown here.

     # unzip
  8. Write the disk image to the Vultr instance with dd. This image is small and only takes a few seconds to write to the disk.

     # dd if=chr-7.2.3.img of=/dev/vda
  9. Verify that the disk image was written successfully with lsblk. You should see two partitions: vda1 and vda2.

    The full session looks like this:


  10. Close the web console window.

  11. Navigate to the Settings section of the customer portal for your cloud server.

  12. Choose the Custom ISO menu, then click Remove ISO. The server will reboot.

  13. Open the web console again.

  14. At the MikroTik Login, type admin and Enter.

  15. The password is blank. Type Enter to continue.

  16. View the software license if desired when prompted.

  17. Choose a new strong password when prompted.

  18. Close the web console.

The basic installation is complete. Next, you'll connect to the server over SSH to finish the configuration.

Configure MikroTik CHR

Create a new administrator account on the server.

  1. Open a terminal on your local computer.

  2. SSH to the server's public IP address as admin.

     $ ssh admin@
  3. Enter the strong password you set earlier when deploying the server.

  4. Create a new administrative user different than the well-known "admin". Suppose you wanted to name it steve. At the prompt, type:

     /user add name=steve password=your-strong-password group=full
  5. Remove the default user "admin".

     /user remove admin

Disable down all services except SSH, and change the SSH port.

  1. Check the service list with /ip service print.

     [admin@MikroTik] > /ip service print
     Flags: X, I - INVALID
     0   telnet     23               main
     1   ftp        21
     2   www        80               main
     3   ssh        22               main
     4 X www-ssl   443  none         main
     5   api      8728               main
     6   winbox   8291               main
     7   api-ssl  8729  none         main
  2. Disable all services except SSH. (service number 3 from the list above).

     /ip service set 0,1,2,4,5,6,7 disabled=yes
  3. Change SSH to a port of your choice. For example, you could change it to 2299.

     /ip service set 3 port=2299
  4. Verify all services are disabled except SSH and that the port number is changed.

     [admin@MikroTik] > /ip service print
     Flags: X, I - INVALID
     0 X telnet     23               main
     1 X ftp        21
     2 X www        80               main
     3   ssh      2299               main
     4 X www-ssl   443  none         main
     5 X api      8728               main
     6 X winbox   8291               main
     7 X api-ssl  8729  none         main
  5. Use quit to log out of the SSH session.

     [admin@MikroTik] > quit
  6. Reconnect to the server on the new port, as steve, with the new password.

     $ ssh -p2299 steve@ -p2299
     steve@'s password:
     MikroTik RouterOS 7.2.3 (c) 1999-2022
     Press F1 for help
     [steve@MikroTik] >

Secure MikroTik CHR

The steps above are the bare minimum required to secure your MikroTik server. Please consult Securing Your Router in the MikroTik documentation to prepare your server for production use.

Configure the VPC Interface

One common use for MikroTik is to deploy it with a Virtual Private Cloud (VPC) as an IPsec VPN endpoint for multi-cloud connectivity. If you're using a VPC, you'll need to configure the server to use the VPC's IP address. If you didn't add a VPC when you first deployed the server, add one now before proceeding with these instructions.

  1. In the Vultr customer portal, navigate to the server's information page and select the Settings tab.

  2. Choose the IPv4 menu.

  3. Make a note of the server's VPC Network address, Netmask, and MAC address.

    In this example, the VPC network settings are:

    • MAC address: 00:00:5E:00:53:FF
    • Address:
    • Netmask:
  4. Connect to your MikroTik server via SSH.

  5. View the interfaces with /interface print.

     [steve@MikroTik] > /interface print
     Flags: R - RUNNING
     0 R ether1  ether        1500  00:00:5E:00:53:00
     1 R ether2  ether        1500  00:00:5E:00:53:FF

    The ether2 interface matches the MAC address of the VPC interface.

  6. Configure the IP address for the ether2 interface.

     [steve@MikroTik] > /ip address add address= interface=ether2
  7. Verify the IP address is configured.

     [steve@MikroTik] > /ip address print
     Flags: D - DYNAMIC
     #   ADDRESS            NETWORK        INTERFACE
     0 D  ether1
     1      ether2

Assume that you have an Ubuntu server on the same VPC with address You should now be able to ping each server from the other.

  • From the MikroTik server to Ubuntu:

      [steve@MikroTik] > ping count 4
        SEQ HOST                                     SIZE TTL TIME       STATUS
          0                                  56  64 935us
          1                                  56  64 950us
          2                                  56  64 801us
          3                                  56  64 822us
          sent=4 received=4 packet-loss=0% min-rtt=801us avg-rtt=877us max-rtt=950us
  • From the Ubuntu server to MikroTik:

      root@Ubuntu:~# ping -c 4
      PING ( 56(84) bytes of data.
      64 bytes from icmp_seq=1 ttl=64 time=1.62 ms
      64 bytes from icmp_seq=2 ttl=64 time=1.11 ms
      64 bytes from icmp_seq=3 ttl=64 time=1.39 ms
      64 bytes from icmp_seq=4 ttl=64 time=1.88 ms
      --- ping statistics ---
      4 packets transmitted, 4 received, 0% packet loss, time 3004ms
      rtt min/avg/max/mdev = 1.114/1.498/1.877/0.281 ms

More Information

To learn more about MikroTik and Vultr VPCs, see the following resources: