Imagine having the most powerful network management tool at your fingertips, capable of handling heavy traffic, building complex firewalls, and precisely engineering Quality of Service (QoS). This tool is none other than MikroTik’s RouterOS, but tailored for cloud environments: the Cloud Hosted Router (CHR). To unleash its full potential, you need to install it on an SSD-based VPS. Curious how to install MikroTik CHR on a VPS? Join us at 1gbits as we guide you through installing CHR on an SSD VPS and review key technical tips for performance optimization and security.

What Is CHR and Why Do We Install It on an SSD-Based VPS?

MikroTik CHR, short for Cloud Hosted Router, is a fully functional router designed to run in virtualized environments. While traditional routers rely on physical hardware, CHR operates virtually and lets you manage network services such as VPN, firewall, and advanced routing protocols. It fully supports the x86 64-bit architecture and works with popular hypervisors like KVM, VMware, Hyper-V, and VirtualBox.

The Vital Role of SSD/NVMe in CHR Performance

You might wonder why there is such an emphasis on installing MikroTik CHR on a VPS with SSD storage. Although CHR itself needs only about 128 MB of disk space, its real-world performance, especially under heavy traffic, strongly depends on disk I/O speed. In addition:

  • Log Management: A quick SSD writes logs and stats smoothly without slowing the CPU.
  • Queuing System: SSD improves data handling for bandwidth and QoS control, reducing delays.
  • Network Stability: With protocols like BGP or large routing tables, SSD/NVMe helps maintain speed and reliability.

So, the faster the storage, the more stable and responsive your router will be.

Understanding CHR Licenses and Throughput Limits

CHR’s performance in a virtual environment depends on its software license, not just VPS hardware. Even if your VPS supports a 10 Gbps connection, the license determines the maximum bandwidth you can actually use. Choose your license according to your VPS capacity and network needs.

| License Level | Bandwidth Limit (per interface) | Main Use |
|---|---|---|
| Free | 1 Mbps | Testing and educational environments |
| P1 | 1 Gbps | Small to medium networks, personal VPNs |
| P10 | 10 Gbps | High-traffic providers, cloud setups |
| P-Unlimited | Unlimited | Core routers and multi-gigabit infrastructures |

If your VPS offers a 10 Gbps connection but you use a P1 license, you’ll lose about 90% of your available hardware capacity.


VPS Requirements for Installing MikroTik CHR

Thanks to the lightweight design of RouterOS, MikroTik CHR can run on minimal resources. However, for optimal performance, you’ll need more powerful specifications:

| Usage Level | Minimum (Testing / Free) | Operational (Light VPN, P1) | Professional (BGP, P10+) |
|---|---|---|---|
| CPU | 1 vCPU (x86_64) | 2 vCPU | 4 vCPU or more |
| RAM | 128 MB | 512 MB – 1 GB | 2 GB – 4 GB+ |
| Storage | 128 MB – 1 GB SSD | 2 – 5 GB SSD | 10 – 20 GB SSD |
| Network Speed | Up to 1 Mbps (CHR Free license limit) | 10 Mbps (P1 license) | Unlimited (P10+ license) |
| Network Interfaces | 1 | 1–2 | 2+ (for BGP, multi-network, or VLAN setups) |
| License Type | Free (1 Mbps) | P1 (1 Mbps but allows persistent config) | P10 / P-Unlimited |

It’s important to note that CHR requires a 64-bit CPU with virtualization support.
For achieving 10 Gbps performance (if you have a P10 license or higher), the allocated resources must be scaled accordingly, since RouterOS v7 is optimized to handle high traffic loads by distributing processing across multiple cores.

Pre-Installation Checklist

The MikroTik Cloud Hosted Router installation process using dd is highly technical and sensitive. Before running any commands, you need to properly prepare your environment. Any mistake at this stage can result in complete loss of access to your server.

1. Install a Temporary OS and Enable SSH Access: Ensure your VPS runs Linux (preferably Ubuntu 22.04 or newer) with full SSH access. This temporary operating system will be the platform for running the CHR installation script, which will overwrite the entire disk.

2. Gather Critical Network Information: After installation, CHR may not detect its IP or gateway. You should extract and note down your VPS’s current IPv4 address and gateway from the temporary Linux system. These details must be injected into CHR during setup to prevent loss of network connectivity.

3. Install Required Linux Tools: The installation script requires several tools for working with disk images:

sudo apt-get update 

sudo apt-get install curl gzip kpartx -y 

These commands install the necessary utilities for dynamic file downloads (curl), archive extraction (gzip), and partition management inside disk images (kpartx).

4. Verify the Main Disk Name: The dd command (which is at the heart of this process) erases the entire contents of the disk it targets. On most KVM-based VPSs, the root disk is known as /dev/sda, but you should verify the name of your root disk using commands like lsblk or mount.

5. Hypervisor Advanced Settings (Optional): In some panels (OpenStack, custom KVM), set disk driver to IDE and network driver to E1000 or Virtio. Virtio is preferred for RouterOS v7.20+.
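
Steps 2 and 4 of the checklist can be scripted so the values are written down before the disk is overwritten. The following is an added example, not part of the original guide; the function names are its own, and the sample `ip` and `lsblk` output (documentation addresses) is constructed.

```bash
# Added example (not from the original guide): record what CHR will need,
# and find the whole-disk device, before anything is overwritten.

# net_summary ROUTES ADDRS -> "ADDRESS/PREFIX GATEWAY INTERFACE"
#   ROUTES: output of `ip -4 route show default`
#   ADDRS:  output of `ip -4 -o addr show`
net_summary() {
    ns_pair=$(printf '%s\n' "$1" | awk '
        $1 == "default" && $2 == "via" {
            for (i = 4; i < NF; i++) if ($i == "dev") { print $3, $(i + 1); exit }
        }')
    [ -n "$ns_pair" ] || return 1
    ns_gw=${ns_pair% *}; ns_dev=${ns_pair#* }
    ns_cidr=$(printf '%s\n' "$2" | awk -v d="$ns_dev" \
        '$2 == d && $3 == "inet" { print $4; exit }')
    [ -n "$ns_cidr" ] || return 1
    printf '%s %s %s\n' "$ns_cidr" "$ns_gw" "$ns_dev"
}

# root_disk: reads `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT` on stdin and prints
# the whole disk that holds "/". Fails (status 1) when "/" is on LVM or RAID,
# where the disk has to be identified by hand.
root_disk() {
    awk -F'"' '
        $8 == "/" && $6 == "part" { print "/dev/" $4; ok = 1; exit }
        $8 == "/" && $6 == "disk" { print "/dev/" $2; ok = 1; exit }
        END { exit !ok }'
}

# Constructed sample output (documentation addresses, not a real host).
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0 proto dhcp src 203.0.113.10 metric 100'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global dynamic eth0\       valid_lft 86000sec preferred_lft 86000sec'
SAMPLE_LSBLK='NAME="vda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="vda1" PKNAME="vda" TYPE="part" MOUNTPOINT="/"
NAME="vda15" PKNAME="vda" TYPE="part" MOUNTPOINT="/boot/efi"'

net_summary "$SAMPLE_ROUTES" "$SAMPLE_ADDRS"    # 203.0.113.10/24 203.0.113.1 eth0
printf '%s\n' "$SAMPLE_LSBLK" | root_disk       # /dev/vda
```

On the temporary Linux system, pass the live output instead: `net_summary "$(ip -4 route show default)" "$(ip -4 -o addr show)"` and `lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT | root_disk`.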

Now you are ready to take the next step and install MikroTik CHR VPS.

Installing MikroTik CHR on an SSD VPS

Now that we’re in the proper installation environment and have identified the target disk, we can begin the setup process.

1. Download the RAW CHR Image

You need to download the RAW disk image of MikroTik CHR from the official MikroTik website. These images are usually distributed as compressed files with the .img.zip extension.
Always use the latest stable version of RouterOS v7. To download directly to your server:

# Example: Download the CHR image (replace 7.x.y with the latest version)

wget -O chr.img.zip https://download.mikrotik.com/routeros/7.x.y/chr-7.x.y.img.zip

# Extract the RAW image file
# (unzip is not among the tools installed in the checklist; install it first if it is missing)

unzip chr.img.zip

After extraction, you’ll have a .img file ready for installation.

2. Upload and Install the Image on Your VPS (DD Command)

The dd (Data Duplicator) command is used to write the raw CHR image directly to your VPS disk. This operation overwrites the entire contents of the main drive, so be careful before proceeding. Installation command:

# Assuming your main disk is /dev/vda and the image file is chr-7.x.y.img

dd if=chr-7.x.y.img of=/dev/vda bs=4M oflag=sync

Explanation:

  • if= → Input file (the CHR image)
  • of= → Output device (your VPS disk, e.g., /dev/vda)
  • bs=4M → Sets the block size to 4 MB for faster read/write
  • oflag=sync → Ensures data is safely written and synced to the disk

After the dd operation completes, you’ll need to reboot the system. Note that your SSH session will disconnect automatically.

Reboot using the following commands:

echo 1 > /proc/sys/kernel/sysrq

echo b > /proc/sysrq-trigger

Alternatively, you can use your VPS control panel (e.g., KVM Control Panel) to issue a hard reboot.
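
Because dd overwrites the target without asking, the write can be gated on two checks: the image matches a SHA-256 value you trust, and the target is a whole disk rather than a partition. This is an added example, not part of the original guide; `write_image` and its return codes are its own, and it assumes you already hold a trusted SHA-256 for the downloaded image.

```bash
# Added example (not from the original guide): refuse to run dd unless the
# image matches its expected SHA-256 and the target is a whole disk.

# sha256_matches FILE EXPECTED_HEX -> 0 only on an exact digest match
sha256_matches() {
    sm_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "${#sm_want}" -eq 64 ] || return 1
    sm_have=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    [ "$sm_have" = "$sm_want" ]
}

# is_whole_disk DEV -> 0 only for a block device that lsblk types as "disk"
# (a partition such as /dev/vda1 reports "part" and is rejected)
is_whole_disk() {
    [ -b "$1" ] || return 1
    [ "$(lsblk -dno TYPE "$1" 2>/dev/null)" = "disk" ]
}

# write_image IMG EXPECTED_HEX DEV
# returns dd's status after a write, 2 on digest mismatch, 3 on a bad target
write_image() {
    sha256_matches "$1" "$2" || { echo "digest mismatch: $1" >&2; return 2; }
    is_whole_disk "$3"       || { echo "not a whole disk: $3" >&2; return 3; }
    dd if="$1" of="$3" bs=4M oflag=sync
}

# Constructed demo: a scratch file stands in for both the image and the target,
# so both refusal paths can be seen without touching a real disk.
demo_img=$(mktemp)
printf 'constructed sample image\n' > "$demo_img"
demo_sum=$(sha256sum "$demo_img" | awk '{print $1}')
write_image "$demo_img" "$(printf '%064d' 0)" "$demo_img" || echo "refused, code $?"
write_image "$demo_img" "$demo_sum" "$demo_img"           || echo "refused, code $?"
```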

3. First Boot and Access (VNC/KVM)

Once the reboot starts, immediately connect to your VPS console via VNC or KVM. RouterOS CHR should begin booting. Default login credentials:

Username: admin 

Password: (leave blank)

On your first login, RouterOS may ask whether you want to keep the default configuration. It’s recommended to choose n (No) so you can configure your system securely and manually.

Initial Configuration After Installation

Once you’ve successfully logged into CHR, you should immediately complete the initial setup and security configuration steps.

1. Change Username and Password

The first and most important task is to secure your router. Since your CHR instance is directly exposed to the internet, you should not use the default admin username. Change the username and set a strong password:

/user set [find name=admin] name="MyNewAdminName" password="YourUltraStrongPassword!"

Alternatively, you can keep the admin account but assign it no rights, then use your new user account for all management tasks.

2. Disable Insecure Services and Change Ports

Although autorun.scr already disabled Telnet, make sure other insecure services are also turned off and management ports are customized:

/ip service set telnet disabled=yes

/ip service set ssh port=12022

/ip service set winbox port=8292

/ip service set www disabled=yes

Changing the default SSH port (e.g., from 22 to 12022) helps reduce exposure to automated scans and brute-force attacks.

3. Activate CHR License

By default, CHR runs under a Free license, which limits throughput to 1 Mbps. If you require higher performance, you can upgrade to a p1 or p10 license via CLI or WinBox.

Check your current System ID:

/system license print

To register and upgrade (renew) your license using your MikroTik account:

/system license renew account=YourMikroTikUsername password=YourPassword level=p10

When you first register, you’ll automatically receive a 60-day trial period.

4. Network Connectivity and DHCP Client

After securing your CHR, make sure it can reach the internet.
If your VPS provides IP addresses via DHCP, enable the DHCP client on your main interface (usually ether1):

/ip dhcp-client add interface=ether1 disabled=no comment="Obtain Public IP"

Once the IP address is assigned, you can disconnect from the VNC console and access your router using SSH or WinBox via its new public IP.

5. Enable NAT for Outgoing Traffic

If you plan to route traffic from internal networks or VPN clients through this CHR, you’ll need a Source NAT (Masquerade) rule:

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1 comment="Basic Masquerade for Internet Access"

This rule translates all outgoing packets to the public IP of your CHR, enabling internet access for your internal or VPN clients.

6. Create an Initial Backup

After completing the essential network and security setup, it’s strongly recommended to create a backup. This gives you a safe restore point in case of misconfiguration later.

/export file=initial_setup_backup

✅ At this point, your MikroTik CHR is fully installed, secured, and connected to the internet. You can now begin configuring advanced features like VPNs, routing, or firewall rules.

Troubleshooting Common Installation Issues

Even with proper installation steps, certain technical issues may occur depending on your VPS provider or virtualization platform.

1. CHR Not Booting or Returning to Rescue Mode

After reboot, the system fails to boot into CHR and falls back to a rescue or temporary OS. Possible causes and fixes:

  • Incorrect dd target: Ensure the image was written to the main disk (e.g. /dev/vda or /dev/sda) — not a specific partition.

  • Boot order issue: Some VPS panels revert to network boot or ISO boot after installation. Check your VPS control panel (KVM or similar) and make sure the boot order prioritizes the virtual disk.

  • Disk driver incompatibility: Certain hypervisors may fail to boot CHR with advanced drivers. For initial boot, try setting the virtual disk controller to IDE or SATA. Once the system is running, switch back to VirtIO for best performance.

These tips should get the job done.

2. No Network Connectivity After Reboot

You lose network access right after rebooting, and CHR doesn’t respond via SSH or WinBox. Possible causes and fixes:

  • Failed autorun script: The autorun file (autorun.scr) that sets the IP and gateway may not have been applied correctly.

  • Temporary IP address: If your installation was based on a temporary DHCP lease from the rescue OS, that IP may have expired.

Solution: Access the CHR console via VNC or provider console and manually verify your network configuration:

/ip address print

/ip route print

If the IP or gateway is missing or incorrect, reconfigure it:

/ip address add address=X.X.X.X/24 interface=ether1

/ip route add gateway=Y.Y.Y.Y

Once the IP is restored, you can reconnect via SSH or WinBox normally.

3. Network Performance Bottlenecks (VirtIO Drivers)

Using outdated virtual NIC drivers like E1000 or RTL8139 can drastically limit throughput. To achieve optimal performance, ensure your VM uses VirtIO-Net for network interfaces.

Neglecting VirtIO can cause high CPU usage due to inefficient packet handling, especially under heavy traffic. With VirtIO and RouterOS v7.20+, CHR can reach near 10 Gbps performance depending on your VPS host.

4. Changed System ID or Lost License

Your CHR shows a new System ID after reboot, or loses its license activation, because the System ID is tied to the virtual disk’s MBR and UUID. If these identifiers change, for example due to unstable storage, RAID controller issues, or disk cloning by the provider, CHR treats it as new hardware. Solution:

  • Contact your VPS provider to verify storage stability.
  • If the System ID change persists, your VPS host may have unreliable disk virtualization.
  • To recover your license, log into your MikroTik account and use the License Transfer option.

Finally, always take a backup after a successful installation and configuration. Having an /export file or disk snapshot makes recovery much faster in case any of these issues occur again.

Performance Optimization Tips

To fully leverage the power of your SSD VPS, it’s essential to optimize CHR’s software settings. Here are the key points:

  • Use RouterOS version 7.20 or newer: Recent versions, especially 7.20+, significantly optimize the VirtIO driver. These improvements allow CHR to handle high traffic with performance close to physical hardware. Always use the latest stable version of RouterOS.
  • Enable RPS (Receive Packet Steering): RPS distributes the processing of incoming packets across multiple CPU cores, preventing overload on a single core and improving performance under heavy traffic.
  • Use Multi-Queue on the network card: If your hypervisor and virtual NIC support Multi-Queue, enable it. This feature distributes traffic across multiple processing queues, enhancing speed and stability.
  • Enable FastPath for faster packet forwarding: FastPath allows packets that don’t require deep firewall inspection to bypass Connection Tracking. This reduces latency and significantly increases throughput.
  • Use the raw chain for firewall rules: Place firewall rules in the raw chain whenever possible. This ensures unwanted packets are dropped before hitting Connection Tracking, reducing CPU load and improving system responsiveness.

By applying these optimizations, your CHR VPS will be ready to handle higher traffic efficiently and reliably.

Best Security Practices for CHR VPS

After installing CHR, securing your router exposed to the public internet is essential.

1. Secure Management Ports and User Accounts

First, create a new admin user and keep the default admin only for emergencies, with a strong password and limited privileges. Then change the default ports: the default SSH (22) and WinBox (8291) ports are common targets. Change them to custom ports to reduce exposure to automated brute-force attacks:

/ip service set ssh port=22222

/ip service set winbox port=58291

2. Implement a Strict Input Chain Firewall

Allow established/related traffic so that responses to router-initiated traffic (DNS, WinBox) are accepted. Also limit SSH/WinBox to trusted IP addresses only, and block any unsolicited inbound traffic.

Basic Firewall Script:

/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow Established/Related"

/ip firewall filter add chain=input protocol=tcp dst-port=22222,58291 src-address=YOUR_TRUSTED_IP_RANGE action=accept comment="Allow MGMT Access"

/ip firewall filter add chain=input action=drop comment="Drop everything else to Router"
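
The service settings from "Disable Insecure Services and Change Ports" and the input-chain rules above can be checked against a saved /export file instead of by eye. This is an added example, not part of the original guide: the finding names are its own, the sample export is constructed, and it relies on /export omitting settings that are still at their defaults.

```bash
# Added example (not from the original guide): audit a RouterOS /export file; finding names are its own.
# audit_export FILE -> one finding per line; exit status 1 if anything is found
audit_export() {
    # /export wraps long lines with a trailing backslash, so join them first.
    sed -e ':a' -e '/\\$/N; s/\\\n *//; ta' "$1" | awk '
    /^\// { section = $0; next }
    section == "/ip service" && $1 == "set" {
        if (/ disabled=yes/) off[$2] = 1
        if (/ port=/)        moved[$2] = 1
    }
    section == "/ip firewall filter" && $1 == "add" && / chain=input( |$)/ {
        if (/ action=drop/) {
            # An unconditional drop has nothing left once these tokens are removed.
            rest = $0
            gsub(/ comment=("[^"]*"|[^ ]+)/, "", rest)
            gsub(/ (action=drop|chain=input)/, "", rest)
            final_drop = (rest == "add"); next
        }
        final_drop = 0
        if ((/ action=accept/ || !/ action=/) && / dst-port=/ && !/ src-address(-list)?=/) {
            match($0, / dst-port=[^ ]+/)
            print "mgmt-open:" substr($0, RSTART + 10, RLENGTH - 10); bad = 1
        }
    }
    END {
        # A service absent from the export still has its defaults: enabled, stock port.
        if (!off["telnet"]) { print "service-enabled:telnet"; bad = 1 }
        if (!off["www"])    { print "service-enabled:www";    bad = 1 }
        if (!off["ssh"] && !moved["ssh"])       { print "default-port:ssh";    bad = 1 }
        if (!off["winbox"] && !moved["winbox"]) { print "default-port:winbox"; bad = 1 }
        if (!final_drop) { print "input-no-final-drop"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: www left enabled, management rule missing its src-address.
demo=$(mktemp)
cat > "$demo" <<'EOF'
/ip service
set telnet disabled=yes
set ssh port=22222
set winbox port=58291
/ip firewall filter
add action=accept chain=input comment="Allow MGMT Access" dst-port=58291 \
    protocol=tcp
add action=drop chain=input comment="Drop everything else to Router"
EOF
audit_export "$demo" || echo "findings above"
```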

3. Keep RouterOS Updated

Finally, update to the latest stable version regularly to stay protected against vulnerabilities and benefit from performance improvements.

Time to Harness Your VPS

We’ve reached the end of this guide, and if you’ve carefully followed the steps, you’ve successfully installed and configured MikroTik CHR on your SSD VPS. Running CHR on a high-speed VPS gives you an incredibly flexible platform. So, if you’re looking for a reliable and fast MikroTik VPS, you can count on 1gbits to enjoy benefits like Flexible and Customizable Plans, Superior Performance, Optimized for Scalability, and Expert Support Around the Clock.