V2ray Mikrotik |verified| May 2026


Using V2Ray on MikroTik devices is a powerful way to bypass network restrictions like DPI (Deep Packet Inspection), which often blocks standard VPNs like OpenVPN or WireGuard. Since MikroTik's RouterOS does not support V2Ray natively, the primary method for implementation is using Docker Containers, a feature introduced in RouterOS 7.5.

1. Implementation Strategy: RouterOS Containers

To run V2Ray, you must deploy it as a container within RouterOS. This requires a MikroTik device with an ARM, ARM64, or x86 processor and enough RAM (typically 512MB+).

Prerequisites:

RouterOS 7.5+: Earlier versions do not support containers.

Container Package: Download the container extra package from the MikroTik Software page and install it by uploading the .npk file and rebooting.

Device Mode: You must explicitly enable container mode via terminal: /system/device-mode/update container=yes

2. Technical Setup Workflow

Setting up a V2Ray client on MikroTik typically involves two containers to handle the proxying and the routing.

Step A: Virtual Networking: Create a veth (virtual ethernet) interface and a bridge to connect the container to the router's internal network.

Step B: Deployment: Use an image like teddysun/v2ray or xray.

Step C: Routing (The "Transparent Proxy" Challenge):

RouterOS's kernel lacks certain modules (like TProxy) needed for a standard transparent proxy directly from a container.

Solution: Use a second container (like Hev-Tun) to create a TUN device that converts SOCKS5 traffic from the V2Ray container into a routable interface.

Mangle Rules: Use firewall mangle rules to mark specific traffic (e.g., based on a destination address list) and route it through the TUN container's interface.

3. Key Advantages & Limitations


Running V2Ray (or the more modern Xray-core) on MikroTik hardware is a game-changer for users in regions with heavy internet censorship. While MikroTik doesn't offer native support for these protocols yet, the introduction of Docker containers in RouterOS v7 has made it a viable, high-performance solution for power users.

The "Why": Why use V2Ray on MikroTik?

Censorship Bypassing: V2Ray is significantly more effective than traditional VPNs (like WireGuard or OpenVPN) at defeating Deep Packet Inspection (DPI) used in countries like China, Iran, or Russia.

Centralized Control: Instead of configuring a VPN on every phone and laptop, you handle it once at the router level for your entire home or office.

Powerful Routing: You can use MikroTik’s advanced firewall and address lists to route only specific traffic (like YouTube or Google) through the tunnel while keeping local traffic direct.

Implementation Methods

There are two primary ways to get this working:

Option 2, without a container, will suit any home router that can work at least to some degree with the equivalents of MikroTik's address-

"Router reboots randomly"

ARM devices with limited RAM (256MB) may OOM-kill the container. Add swap on USB:

/system/swap/add file=/disk1/swap size=512MB

Option B: SOCKS Proxy via MikroTik Firewall (Using dst-nat)

This is easier but less elegant. You redirect specific ports (80, 443) to the container’s SOCKS port. However, SOCKS requires protocol-aware clients (doesn’t work for UDP games).

Better approach: Use a local HTTP proxy on MikroTik

Set MikroTik’s web proxy to forward upstream to the container:

/ip proxy set enabled=yes parent-proxy=172.17.0.2 parent-proxy-port=8080
/ip proxy set cache-administrator="admin" cache-on-disk=no

Then redirect HTTP traffic to the proxy:

/ip firewall nat add chain=dstnat protocol=tcp dst-port=80,443 action=redirect to-ports=8080

Drawback: Only works for HTTP/HTTPS. No UDP, no non-web traffic.

Option C: Policy-Based Routing (The Professional Method)

Route specific IPs or countries through the V2Ray container's gateway.

First, give the container a static IP and enable IP forwarding inside the container. Then, on MikroTik:

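  1. Create a routing table and add a route that uses the container as its gateway (RouterOS 7 replaces routing-mark on routes with routing-table, and the table must exist first):
    /routing table add name=v2ray-tunnel fib
    /ip route add dst-address=0.0.0.0/0 gateway=172.17.0.2 routing-table=v2ray-tunnel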
    
  2. Mark connections from LAN to go to that table:
    /ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 dst-address-list=!local_nets action=mark-routing new-routing-mark=v2ray-tunnel
    

This way, only traffic destined to blocked IPs goes through V2Ray.
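
The container workflow (Steps A to C above) and Option C's policy routing combined into one RouterOS 7 configuration, as an added example that is not from the original page. The interface names, the 172.17.0.0/24 subnet, the disk1 paths, the LAN interface list, the /etc/v2ray mount point and the address-list entry are assumptions; adjust them to the device.

```routeros
# Added example; names, subnets and paths are assumptions, not from the page.

# Step A: veth + bridge so the container has its own routed subnet
/interface/veth/add name=veth-v2ray address=172.17.0.2/24 gateway=172.17.0.1
/interface/bridge/add name=br-containers
/interface/bridge/port/add bridge=br-containers interface=veth-v2ray
/ip/address/add address=172.17.0.1/24 interface=br-containers
# The container reaches its upstream server through the router's NAT
/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24

# Step B: pull the image and mount the client config from router storage
# (assumes config.json was uploaded to disk1/v2ray-conf beforehand)
/container/config/set registry-url=https://registry-1.docker.io tmpdir=disk1/tmp
/container/mounts/add name=v2ray-conf src=disk1/v2ray-conf dst=/etc/v2ray
/container/add remote-image=teddysun/v2ray:latest interface=veth-v2ray \
    root-dir=disk1/v2ray mounts=v2ray-conf logging=yes
# Wait until /container/print shows the image extracted, then start it
/container/start 0

# Keep the proxy private: nothing outside the LAN list may reach the
# container subnet, so the proxy port is never exposed on the WAN side
/ip/firewall/filter/add chain=forward dst-address=172.17.0.0/24 \
    in-interface-list=!LAN action=drop comment="containers: LAN only"

# Step C / Option C: route only listed destinations through the container.
# 203.0.113.0/24 is a constructed sample entry (documentation range).
/ip/firewall/address-list/add list=via-v2ray-dst address=203.0.113.0/24
/routing/table/add name=v2ray-tunnel fib
# Match LAN sources only, so the container's own upstream traffic is never
# marked and cannot loop back into the tunnel
/ip/firewall/mangle/add chain=prerouting src-address=192.168.88.0/24 \
    dst-address-list=via-v2ray-dst action=mark-routing \
    new-routing-mark=v2ray-tunnel passthrough=no
# Gateway is the forwarding container from Option C; use the TUN
# container's address instead when the two-container layout is deployed
/ip/route/add dst-address=0.0.0.0/0 gateway=172.17.0.2 \
    routing-table=v2ray-tunnel
```

With this layout, destinations missing from the via-v2ray-dst list keep using the main routing table, so a stopped container only affects the listed destinations.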


Part 8: Alternative – Using MikroTik with External V2Ray Client (Raspberry Pi)

If your MikroTik does not support containers, use a Raspberry Pi running Raspbian and V2Ray.

  1. Install V2Ray on Pi (bash <(curl -L https://raw.githubusercontent.com/v2fly/fhs-install-v2ray/master/install-release.sh)).
  2. Configure Pi as a gateway (sysctl net.ipv4.ip_forward=1).
  3. On MikroTik, add a route to the Pi:
    # 192.168.88.10 is the Pi's IP
    /ip route add dst-address=0.0.0.0/0 gateway=192.168.88.10 routing-mark=via-v2ray
    
  4. Use firewall mangle to mark traffic for specific source IPs or ports.

This is more reliable than containers for heavy loads because the Pi has better RAM management.


6. Practical Deployment Example (Recommended: V2Ray server on VPS + MikroTik routing via local redsocks2)

Alternative: Use MikroTik Container (x86/ARM64 only)

RouterOS v7 with container support can run a Linux V2Ray client inside a container directly on the MikroTik device (e.g., CHR, RB5009, CCR2004).