Production MikroTik setup
Kafunda's default onboarding is router-to-cloud. It is designed for real operators whose routers sit behind NAT, CGNAT, LTE links, or changing public addresses.
Create organisationCreate a MikroTik site
Name the location, keep router API credentials empty, and let Kafunda allocate the WireGuard and RADIUS details.
Run the generated RouterOS script
The script creates the `wg-stella` interface, adds the RADIUS client, enables hotspot and PPP AAA, and writes the external captive redirect page.
Wait for activation
The router posts its WireGuard public key to Stella, Stella installs the server peer, and the site moves through tunnel verification.
Open paid access
Voucher redemptions and mobile money package purchases create RADIUS credentials, then the client browser posts back to the router login URL.
RouterOS API
Optional diagnostics use TCP 8728 or secure TCP 8729 over the WireGuard tunnel.
HotSpot portal
The router redirects unauthenticated clients to `portal.kafunda.net` with client and login URL parameters.
Walled garden
Provisioning allows the portal and Kafunda domains before the client is authenticated.