How To Create A Site To Site VPN Connection Between A On-Premise Mikrotik Router And An AWS Cloud Hosted Mikrotik Router (CHR).

Coming up with a reliable VPN solution should not be something that is difficult, time consuming and costly when  creating a connection to a remote site, connecting multi branch offices in different locations, towns , cities or even counties! together or extending and bridging on-premises networks to the cloud. In just about ten minutes or less,  this tutorial will show you how to create a simple site to site VPN solution between an on-premise Mikrotik router and an AWS cloud hosted Mikrotik Router that can link an on-premise network to the cloud and even link multiple branch offices together. Click on the button below to watch the video tutorial.


In order to complete this tutorial successfully the following items are required. Please ensure to have these items available before taking implementation action on this tutorial:
1) A desktop, laptop or virtual machine with Windows 7, 8 or Windows 10
2) The Winbox mikrotik router configuration utility.
3) A Mikrotik router on you on-premise network.
4) An Amazon AWS IAM user account with access rights to provision and manage AWS instances
5) An Amazon AWS Elastic IP Address.


1) Login to your Amazon AWS account and create a new Mikrotik Cloud Hosted Router Instance.
2) Connect to the Mikrotik Cloud Hosted Router Using Winbox, Download and install RouterOS updates and configure brute force login prevention
3) Set a static Elastic IP address on the Mikrotik cloud router and set the instance to permit incoming connections on port 443
4) Configure the Mikrotik Cloud Hosted Router to work as an SSTP VPN server.
5) Connect to the on-premise mikrotik router using Winbox and create an SSTP client interface
6) Create an IP >ROUTE to the AWS virtual private cloud network and test connectivity
7) Create SSTP VPN Connections to connect branch offices using the Mikrotik Cloud Hosted Router.

Network Diagram.

The diagram on the rights shows three components which are the Main office mikrotik router, The AWS Cloud and Branch offices. These three components are linked together through an SSTP Site to Site / Site To Multi site VPN whereby the Mikrotik Cloud Hosted router runs as the VPN server whilst the Main Office Mikrotik router and Mikrotik routers at branch offices run as SSTP VPN Clients. In this setup allo office locations are able to access resources on the AWS CLOUD and are also able to communicate directly with each other via the same SSTP VPN.

Cloud computing services such as AWS are highly reliable and using the Mikrotik Cloud Hosted router as the SSTP server means that a reliable VPN solution is archieved. Secondly the Mikrotik Cloud Hosted router is assigned with a static IP address and this means that client routers can have almost any type of WAN connection type (STATIC / DHCP / PPPOE)

Step 1: Sign into The AWS Management Console And Create A New Mikrotik CHR Instance.

1) Go to and sign in using your AWS IAM credetials.Click on SERVICES then click on EC2.

Click on the orange LAUNCH INSTANCE button and click on the AWS MARKETPLACE tab. Search for MIKROTIK on the “Choose an Amazon Machine Image (AMI)” search bar.

Click on the blue select button next to the CLOUD HOSTED ROUTER search result then click on CONTINUE.

2) On STEP 2: CHOOSE AN INSTANCE TYPE, select the t3.micro instance type that has the green FREE TIER eligible  flag and click on REVIEW AND LAUNCH.


On Step 7: Review Instance Launch click on the blue LAUNCH button.

3) An AWS key pair is a set of a private and public key and together they ensure secure communications each time an SSH  connection to an EC2 instance is made. A popup message will be displayed prompting you to select an existing key pair or to create a new key pair.

Select the CREATE A NEW KEY PAIR option, type in any name for the keypair on the KEY PAIR NAME text input box and click on the DOWNLOAD KEY PAIR button.

Click on the LAUNCH INSTANCES button to proceed.

Step 2: Set An Elastic IP, Connect To The Mikrotik Router Using Winbox, Set A Password For The Router, Download Updates And Set Brute Force Login Prevention.

4) The next step is to set a FREE static IP address for the newly created AWS CLOUD HOSTED ROUTER. To do this click on the ELASTIC IPs option just below NETWORK & SECURITY and click on the ALLOCATE ELASTIC IP ADDRESS button.

On the ALLOCATE ELASTIC IP ADDRESS page, simply click on the ALLOCATE button.

5) The next step is to ASSOCIATE the newly allocated public IP address to the CLOUD HOSTED ROUTER. Go back to the ELASTIC IPs page then click on ACTIONS >ASSOCIATE ELASTIC IP ADDRESS.

On the ASSOCIATE ELASTIC IP ADDRESS page, set the resource type to INSTANCE and choose the CLOUD HOSTED ROUTER on the INSTANCE search box. Click on the ASSOCIATE button to proceed.

6) Next, set the CLOUD HOSTED ROUTER. to accept inbound connections on https port 443 and the WINBOX tcp port 8291.

Click on the SECURITY GROUPS option just below NETWORK & SECURITY and click on. the CLOUD HOSTED ROUTER security group ID.

Click on the EDIT INBOUND RULES button and click on ADD RULE and make the following selections:

To permit inbound https port 443 traffic, create a second rule and set the PORT RANGE to 443.

7) Open WINBOX and on the CONNECT TO field enter the ELASTIC IP ADDRESS that was associated to the CLOUD HOSTED ROUTER, type in the word “admin” on the USERNAME field, leave the password field blank and click on CONNECT.

Start by setting a password for the cloud hosted router admin account by clicking on SYSTEM > PASSWORD. Do not type anything on the OLD PASSWORD FIELD. Type in a password on the NEW PASSWORD and CONFIRM PASSWORD fields and click on CHANGE.

8) The next step is to install RouterOS updates so as to get all the latest bug fixes, improvements and new features. Click on SYSTEM > PACKAGES > CHECK FOR UPDATES.

RouterOS will automatically check for any new updates and if there are any updates available click on the DOWNLOAD & INSTALL button.

The next step is to configure brute force login prevention so as to protect the router from unauthorised or forcefull access.Click HERE to go to the official billysoft web page will a full list of bruteforce login prevention commands and how to run them.

Step 3: Configure The SSTP Server On The Cloud Hosted Router

9) SSTP is a VPN technology that was developed by Microsoft. The concept behind SSTP is similar to the Point To Point tunneling protocol however SSTP transmissions happen over a secure SSL/TLS connection.

To set the Mikrotik Cloud Hosted Router to work as an SSTP Server, click on PPP > INTERFACE > SSTP SERVER.

Click on the ENABLE check box, set the DEFAULT PROFILE to DEFAULT-ENCRYPTION then click on APPLY and OK. 

10) Create the login credentials that the SSTP client router will use when connecting to the SSTP server by click on PPP > SECRETS. Click on the blue “+” button to open the NEW PPP SECRETE window

Type in a NAME and PASSWORD then set the SERVICE option to SSTP. When setting the password, w recommend using a password generator such as the AVAST ONLINE PASSWORD GENERATOR. On the LOCAL ADDRESS input box type in the IP Address and on the REMOTE ADDRESS input box type in the IP Address

On the ROUTE text input box type the network address of your LAN network and the IP ADDRESS of Click on APPLY then click on OK.

Step 4: Add An SSTP Client Interface On The On-Premise Mikrotik Router.

11) The final step is to create an SSTP INTERFACE on the on-premise router that will connect to the AWS CLOUD HOSTED router. This will essentially create a bridge such that devices , apps and IT services can communicate with resources on the AWS CLOUD.

Connect to the on-premise Mikrotik Router and click on INTERFACES.