Multi-arch Docker container for MikroTik RouterOS based on the official WhatsApp Proxy project.
This image keeps the container RouterOS-friendly: HAProxy starts as root, certificates are generated under /root/certs, and the original upstream scripts are adapted so RouterOS can expose privileged ports such as 80, 443 and 587.
- Multi-arch image:
amd64,arm64,arm/v7. - Based on the latest WhatsApp Proxy release tracked in
VERSIONS. - Runs HAProxy as root for RouterOS privileged-port publishing.
- Supports IPv4 and IPv6 public IP detection for HAProxy
set-dst. - Can monitor public IP changes and softly reload HAProxy after the new IP is stable.
- Resets
haproxy.cfgfrom the template on every container start.
Images are published to:
ghcr.io/medium1992/wa-proxy-rosmedium1992/wa-proxy-ros
Available tags:
| Tag | Purpose |
|---|---|
latest |
Latest built WhatsApp Proxy release for RouterOS. |
whatsapp-proxy-chart-X.Y.Z |
Image built from a specific upstream WhatsApp Proxy release tag. |
The GitHub Actions workflow publishes images to GHCR and Docker Hub only when a new upstream version appears or when the workflow is started manually.
For normal WhatsApp client use, point WhatsApp to the container IP as a proxy. You usually do not need to expose every HAProxy listener.
| Port | Purpose |
|---|---|
443/tcp |
Main WhatsApp Proxy port for chats. |
587/tcp |
WhatsApp Proxy port for media. |
80/tcp |
Additional HTTP entrypoint kept for upstream compatibility. |
5222/tcp |
Additional XMPP entrypoint kept for upstream compatibility. |
7777/tcp |
Alternative whatsapp.net entrypoint kept by upstream. |
8080/tcp, 8443/tcp, 8222/tcp |
PROXY protocol entrypoints. Regular WhatsApp clients do not use these directly. |
8199/tcp |
HAProxy stats and healthcheck endpoint. Do not publish it to WAN. |
The primary target scenario for this image is LAN-only use. If you need access from outside your LAN, publish only the ports your clients actually need, usually 443/tcp and 587/tcp. Keep 8199/tcp local.
| ENV | Default | Description |
|---|---|---|
PUBLIC_IP_MODE |
fixed |
fixed always uses PUBLIC_IP and disables external IP checks. auto periodically detects the current public IP and reloads HAProxy when a non-empty IP changes. |
PUBLIC_IP |
empty | Fixed public IP or fallback value when automatic detection fails. IPv4 and IPv6 are supported. |
IP_CHECK_INTERVAL |
15 |
Seconds between public IP checks in auto mode. |
IP_CHANGE_STABLE_SECONDS |
45 |
New IP must stay unchanged for this many seconds before HAProxy reload. |
SSL_DNS |
empty | Optional DNS SAN values passed to upstream certificate generation. |
SSL_IP |
empty | Optional IP SAN values passed to upstream certificate generation. |
DEBUG |
1 |
Upstream certificate script debug mode. |
If no public IP can be detected and PUBLIC_IP is empty, the container starts HAProxy without the set-dst rule instead of failing.
For local-only use without public IP detection, keep the default PUBLIC_IP_MODE=fixed and leave PUBLIC_IP empty.
Enable container support first:
/system/device-mode/print
/system/device-mode/update mode=advanced container=yes
Confirm the change by power-cycling the device or pressing the physical confirmation button.
Example container interface and environment:
/interface/veth/add name=WaProxyRoS address=192.168.255.22/30 gateway=192.168.255.21
/ip/address/add address=192.168.255.21/30 interface=WaProxyRoS
/container/envs/add list=WaProxyRoS key=IP_CHECK_INTERVAL value=15
/container/envs/add list=WaProxyRoS key=IP_CHANGE_STABLE_SECONDS value=45
/container/add remote-image=ghcr.io/medium1992/wa-proxy-ros:latest interface=WaProxyRoS envlists=WaProxyRoS root-dir=/Containers/WaProxyRoS start-on-boot=yes comment="WaProxyRoS"
The main intended scenario is local network use: clients inside your LAN connect to the container through the RouterOS veth address or through local RouterOS forwarding rules.
If you need access to this proxy from outside your local network, publish only the required WAN ports to the container IP with your normal RouterOS firewall/NAT rules.
For a static public IP, use:
/container/envs/set [find list=WaProxyRoS key=PUBLIC_IP_MODE] value=fixed
/container/envs/add list=WaProxyRoS key=PUBLIC_IP value=203.0.113.10
For dynamic public IP detection, set:
/container/envs/add list=WaProxyRoS key=PUBLIC_IP_MODE value=auto
PUBLIC_IPdoes not make HAProxy listen on that address. It controls HAProxytcp-request connection set-dst ..., which helps when traffic is forwarded through NAT, a load balancer, or another edge path.- In WhatsApp, use the container address or the external forwarded address in
Settings -> Storage and data -> Proxy. - WhatsApp Proxy is intended for chats and media; this image does not claim WhatsApp call support.
- In
automode the image detects public IPv4 through common check-IP services everyIP_CHECK_INTERVALseconds. If detection returns an empty value, the current HAProxy config is kept unchanged. - If your environment is IPv6-only, set
PUBLIC_IP_MODE=fixedand providePUBLIC_IP. - HAProxy intentionally runs as root for RouterOS privileged-port publishing; the config declares
user rootandchroot /explicitly to avoid misleading startup warnings. - HAProxy reload is soft: new connections move to the new process, while existing sessions are allowed to drain.
- The image follows upstream WhatsApp Proxy config, but keeps process ownership and paths suitable for RouterOS containers.
If this project saved you time configuring MikroTik:
- USDT (TRC20):
TWDDYD1nk5JnG6FxvEu2fyFqMCY9PcdEsJ - boosty.to/petersolomon/donate
