If you are using a Mikrotik router, you might have heard of VPN and its usage. This article does not discuss why you should use it, only about how to implement a L2TP/IPSec VPN server on Mikrotik RouterOS.

Change these to fit your setup:

  • This router’s local IP address:
  • WAN connection is PPPoE with the name pppoe-out1. If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
  • Pool name for VPN clients isĀ pool-vpn and gives addresses
  • VPN profile: vpn-profile
  • VPN username: remoteuser
  • VPN password: yourpassword
  • L2TP secret: yourl2tpsecret

Remember to use the longest and strongest password and secret you can use. And this article will use only command line – you can “translate” it to the GUI you use, either web interface or Winbox.

First of all, create a pool of addresses that VPN clients will get once connected:

/ip pool add name=pool-vpn ranges=

Allow L2TP/IPSec to pass through the WAN interface. Make sure that these rules are above the firewall rule that blocks all traffic on the WAN interface:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500 
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah

Create a VPN profile that will determine the IP addresses of the router, VPN clients, and DNS server. You can set it to be outside of the local subnet, but make sure that your firewall allows the connection:

/ppp profile add change-tcp-mss=yes local-address= name=vpn-profile remote-address=pool-vpn dns-server= use-encryption=yes

We can now create VPN users:

/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any

Configure IPSec settings, i.e. encryption standards, L2TP secret, who can connect, NAT traversal:

/ip ipsec peer add address= exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

Now that everything is in place, we can simply enable the VPN server and choose the right profile:

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

You should now have a working L2TP/IPSec VPN setup, and it’s time to configure it on the clients. Keep in mind that there will be high CPU usage on the router, and my RB951G-2HnD can get about 20Mbps at 80% CPU usage.

Leave a Reply

Your email address will not be published. Required fields are marked *