If you are using a Mikrotik router, you might have heard of VPN and its usage. This article does not discuss why you should use it, only how to implement an L2TP/IPSec VPN server on Mikrotik RouterOS.
Precaution: If your WAN connection is PPPoE, Windows clients will not be able to reach the Internet once connected to this L2TP/IPSec VPN setup. They can ping public IP addresses and domains, but TCP and UDP connections will fail, so that means pretty much all traffic beyond the local network is cut off. This appears to be a problem with the L2TP/IPSec implementation in Windows only, as my iPhone can connect just fine. Share your experience with other platforms if you can!
Change these to fit your setup:
- This router’s local IP address: 10.0.0.1/24
- WAN connection is PPPoE with the name pppoe-out1. If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
- Pool name for VPN clients is pool-vpn and gives addresses 10.0.0.80-10.0.0.85
- VPN profile: vpn-profile
- VPN username: remoteuser
- VPN password: yourpassword
- L2TP secret: yoursecret
Remember to use the longest and strongest password and secret you can. This article uses only the command line – you can “translate” it to the GUI you use, either the web interface or Winbox.
First of all, create a pool of addresses that VPN clients will get once connected:
/ip pool add name=pool-vpn ranges=10.0.0.80-10.0.0.85
Allow L2TP/IPSec to pass through the WAN interface. Make sure that these rules are above the firewall rule that blocks all traffic on the WAN interface:
/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah
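The ordering requirement above is easy to get wrong on a router that already has a catch-all drop on the WAN input chain. As an added example that is not part of the original article, here is a small Python check that parses the text of a RouterOS `/ip firewall filter export` and reports any of the required L2TP/IPSec accept rules that are missing or that sit below the first catch-all drop for the WAN interface. The sample export and the interface name pppoe-out1 are constructed for the example.

```python
import shlex

# Constructed sample of a RouterOS "/ip firewall filter export" (not real router output).
# The ESP accept rule is deliberately placed below the WAN drop rule so the check finds it.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="drop everything else from WAN" in-interface=pppoe-out1
add action=accept chain=input comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
"""

# Traffic the L2TP/IPSec server must be able to receive on the WAN interface: (protocol, dst-port).
REQUIRED = [("udp", "500"), ("udp", "1701"), ("udp", "4500"), ("ipsec-esp", None)]


def parse_filter_export(text):
    """Turn each 'add key=value ...' line into a dict, preserving rule order (order is what matters)."""
    rules = []
    for line in text.splitlines():
        parts = shlex.split(line)          # shlex keeps quoted comments together
        if not parts or parts[0] != "add":
            continue
        rules.append(dict(p.split("=", 1) for p in parts[1:] if "=" in p))
    return rules


def check_vpn_rule_order(text, wan="pppoe-out1"):
    """Return a list of problems: required accept rules that are missing, or that come after
    the first catch-all drop on the WAN input chain (where they would never be evaluated)."""
    rules = parse_filter_export(text)
    on_wan = lambda r: r.get("chain") == "input" and r.get("in-interface") in (wan, None)
    drop_at = next((i for i, r in enumerate(rules) if on_wan(r) and r.get("action") == "drop"
                    and "protocol" not in r and "dst-port" not in r), len(rules))
    problems = []
    for proto, port in REQUIRED:
        idx = next((i for i, r in enumerate(rules) if on_wan(r) and r.get("action") == "accept"
                    and r.get("protocol") == proto and r.get("dst-port") == port), None)
        label = f"{proto}/{port}" if port else proto
        if idx is None:
            problems.append(f"missing accept rule for {label}")
        elif idx > drop_at:
            problems.append(f"accept rule for {label} is below the WAN drop rule (#{drop_at})")
    return problems


if __name__ == "__main__":
    for problem in check_vpn_rule_order(SAMPLE_EXPORT):
        print("PROBLEM:", problem)
```

Run it against the output of `/ip firewall filter export` copied from the router; an empty result means every required rule is present and precedes the WAN drop.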
Create a VPN profile that will determine the IP addresses of the router, VPN clients, and DNS server. You can set it to be outside of the local subnet, but make sure that your firewall allows the connection:
/ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes
We can now create VPN users:
/ppp secret add name="remoteuser" password="yourpassword" profile=vpn-profile service=any
Configure IPSec settings, i.e. encryption standards, L2TP secret, who can connect, NAT traversal:
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yoursecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
Now that everything is in place, we can simply enable the VPN server and choose the right profile:
/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
You should now have a working L2TP/IPSec VPN setup, and it’s time to configure it on the clients. Keep in mind that there will be high CPU usage on the router, and my RB951G-2HnD can get about 20Mbps at 80% CPU usage.