If you are using a Mikrotik router, you might have heard of VPN and its usage. This article does not discuss why you should use it, only how to implement an L2TP/IPSec VPN server on Mikrotik RouterOS.

Change these to fit your setup:

  • This router’s local IP address: 10.0.0.1/24
  • WAN connection is PPPoE with the name pppoe-out1. If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
  • Pool name for VPN clients is pool-vpn and it hands out addresses 10.0.0.80-10.0.0.85
  • VPN profile: vpn-profile
  • VPN username: remoteuser
  • VPN password: yourpassword
  • L2TP secret: yourl2tpsecret

Remember to use the longest and strongest password and secret you can. This article uses only the command line; you can translate it to the GUI you use, either the web interface or Winbox.

First of all, create a pool of addresses that VPN clients will get once connected:

/ip pool add name=pool-vpn ranges=10.0.0.80-10.0.0.85

Allow L2TP/IPSec to pass through the WAN interface. Make sure that these rules are above the firewall rule that blocks all traffic on the WAN interface:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah

Create a PPP profile that determines the IP address of the router, the addresses handed to VPN clients, and the DNS server they use. You can set these outside the local subnet, but make sure that your firewall allows the connection:

/ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes

We can now create VPN users:

/ppp secret add name="remoteuser" password="yourpassword" profile=vpn-profile service=any

Configure the IPSec settings: encryption algorithms, the L2TP secret, who can connect, and NAT traversal:

/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

Now that everything is in place, we can simply enable the VPN server and choose the right profile:

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
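The rule-ordering requirement matters more than it looks: the accept rules must sit above the input-chain drop, or the server silently never answers. As an added example that is not part of the article, the Python below audits a `/ip firewall filter print` listing and reports which of the article's five WAN accept rules are missing and which sit below the first catch-all drop in chain=input; the listing is a constructed sample and `pppoe-out1` is the article's WAN interface name.

```python
import re

# Constructed sample of a "/ip firewall filter print" listing: the default
# "drop all not coming from LAN" rule sits ABOVE the L2TP accepts and the
# ipsec-ah accept rule was never added.
BROKEN = """\
 0    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked
 1    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN
 2    ;;; VPN L2TP UDP 500
      chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=500
 3    ;;; VPN L2TP UDP 1701
      chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=1701
 4    ;;; VPN L2TP 4500
      chain=input action=accept protocol=udp in-interface=pppoe-out1 dst-port=4500
 5    ;;; VPN L2TP ESP
      chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1
"""

# (protocol, dst-port) pairs covered by the article's five accept rules.
REQUIRED = {("udp", "500"), ("udp", "1701"), ("udp", "4500"),
            ("ipsec-esp", None), ("ipsec-ah", None)}

def parse_rules(text):
    """Return [(index, {key: value})] for every numbered rule in the listing."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:                            # "N  ..." opens a new rule
            rules.append((int(m.group(1)), {}))
            line = m.group(2)
        if rules and ";;;" not in line:  # ";;;" lines are comments, no pairs
            rules[-1][1].update(re.findall(r"(\S+?)=(\S+)", line))
    return rules

def audit_input_chain(text, wan):
    """Return (missing, misordered): required accepts absent for `wan`, and
    those placed below the first catch-all drop in chain=input."""
    rules = parse_rules(text)
    first_drop = next((i for i, r in rules if r.get("chain") == "input"
                       and r.get("action") == "drop" and "protocol" not in r), None)
    seen = {(r.get("protocol"), r.get("dst-port")): i for i, r in rules
            if r.get("chain") == "input" and r.get("action") == "accept"
            and r.get("in-interface") == wan}
    missing = [k for k in REQUIRED if k not in seen]
    misordered = [k for k in REQUIRED if k in seen
                  and first_drop is not None and seen[k] > first_drop]
    return sorted(missing, key=str), sorted(misordered, key=str)
```

Paste the output of `/ip firewall filter print` in place of the sample; an empty `misordered` list and an empty `missing` list mean the five rules are present for the WAN interface and reachable before the drop.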

You should now have a working L2TP/IPSec VPN setup, and it’s time to configure the clients. Keep in mind that CPU usage on the router will be high; my RB951G-2HnD can get about 20 Mbps at 80% CPU usage.

16 comments on “L2TP/IPSec VPN Server on Mikrotik RouterOS”

  • I used the instructions, the VPN is OK, but I can ping only 10.0.0.1 and 10.0.0.85 in the remote network. I have a server on 10.0.0.100 and ping = request timed out.
    Maybe I must put a GW?

    • From Mikrotik forum:

      • Add the pptp-server interface to the bridge
      • Set the bridge to use proxy-arp

      Or:

      • Remove the pptp-server interface
      • Set the bridge to use proxy-arp
      • Set your ppp profile to use the bridge
  • WAN interface X.X.X.X via DHCP from ISP
    local IP address: 192.168.88.1/24, pool-vpn: 192.168.88.70-192.168.88.80
    I don’t have a pptp-server or bridge (no need). I’ve entered the script in the router with my settings.
    I set up the L2TP client on my iPad Pro and connect to the VPN through an outside connection (LTE network). The VPN connection is OK, but I can’t see any device in the network.

  • My router IP is also 10.0.0.1 and DHCP hands out 10.0.0.100-10.0.0.199
    So the posted configuration should work perfectly on my MikroTik.
    My WAN interface (port 1) is ether1-gateway. It’s connected to a bridge interface together with ether2-master-local, ether3-slave-local and ether4-slave-local
    The 5th port is separated from the bridge and only working with 2 VLANs.

    This is what I’ve entered:

    /ip pool add name=pool-vpn ranges=10.0.0.80-10.0.0.85

    /ip firewall filter
    add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-gateway protocol=udp dst-port=500
    add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-gateway protocol=udp dst-port=1701
    add chain=input action=accept comment="VPN L2TP 4500" in-interface=ether1-gateway protocol=udp dst-port=4500
    add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-gateway protocol=ipsec-esp
    add chain=input action=accept comment="VPN L2TP AH" in-interface=ether1-gateway protocol=ipsec-ah

    /ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes
    /ppp secret add name="" password="" profile=vpn-profile service=any

    /ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="" enc-algorithm=aes-128,3des
    /ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

    /interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

    When I try to connect I get the error: The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.

    • Did you put the firewall rules before the one that blocks everything? Try checking whether UDP port 500 is open on your IP address with nmap.

      • Yep, moved the drop-rules to the end:

        Flags: X - disabled, I - invalid, D - dynamic
        0 D ;;; special dummy rule to show fasttrack counters
        chain=forward action=passthrough

        1 ;;; defconf: accept established,related,untracked
        chain=input action=accept connection-state=established,related,untracked

        2 ;;; defconf: accept ICMP
        chain=input action=accept protocol=icmp

        3 ;;; defconf: accept in ipsec policy
        chain=forward action=accept ipsec-policy=in,ipsec

        4 ;;; defconf: accept out ipsec policy
        chain=forward action=accept ipsec-policy=out,ipsec

        5 ;;; defconf: fasttrack
        chain=forward action=fasttrack-connection connection-state=established,related

        6 ;;; defconf: accept established,related, untracked
        chain=forward action=accept connection-state=established,related,untracked

        7 ;;; VPN L2TP UDP 500
        chain=input action=accept protocol=udp in-interface=ether1-gateway dst-port=500 log=no log-prefix=""

        8 ;;; VPN L2TP UDP 1701
        chain=input action=accept protocol=udp in-interface=ether1-gateway dst-port=1701 log=no log-prefix=""

        9 ;;; VPN L2TP 4500
        chain=input action=accept protocol=udp in-interface=ether1-gateway dst-port=4500 log=no log-prefix=""

        10 ;;; VPN L2TP ESP
        chain=input action=accept protocol=ipsec-esp in-interface=ether1-gateway log=no log-prefix=""

        11 ;;; VPN L2TP AH
        chain=input action=accept protocol=ipsec-ah in-interface=ether1-gateway log=no log-prefix=""

        12 chain=input action=accept protocol=gre

        13 chain=input action=accept protocol=tcp dst-port=1723

        14 chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.1.0/24

        15 chain=forward action=drop src-address=192.168.1.0/24 dst-address=10.0.0.0/24

        16 chain=input action=reject reject-with=icmp-network-unreachable src-address=192.168.1.0/24 dst-address=10.0.0.1

        17 ;;; defconf: drop invalid
        chain=forward action=drop connection-state=invalid log=no log-prefix=""

        18 ;;; defconf: drop invalid
        chain=input action=drop connection-state=invalid log=no log-prefix=""

        19 ;;; defconf: drop all not coming from LAN
        chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

        20 ;;; defconf: drop all from WAN not DSTNATed
        chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

        21 ;;; Block internet Xiaomi Aqara Gateway
        chain=forward action=drop src-mac-address=78:11:DC:B0:7A:DE log=no log-prefix=""

      • … and an online nmap tool is telling me my UDP port 500 is closed…
        So my previously posted firewall filters are blocking it one way or another

      • Update:
        Removed every setting for ppp/ipsec/l2tp/etc. Upgraded to the latest RouterOS (6.41 > 6.41.2) and upgraded the firmware to the latest version (3.x > 6.41.2).
        Then rebooted, added the conf again and I was able to connect.

      • It seems like I’ve no working DNS when connected with the VPN.
        I’d like to route _all_ traffic through this VPN.
        I can ping external IPs like 8.8.8.8, yet when I ping a domain like google.com I get nothing.

        My ip-address in the VPN preferences is:
        IPv4 Address: 10.0.0.84
        Subnet Mask:
        Router: 10.0.0.84

        DNS: 10.0.0.1 (my router, what I’d prefer)

        • Is the router now working as a DNS server? You need to enable it and set the IP address of your DNS provider first.

          /ip dns set allow-remote-requests=yes
          /ip dns set servers=yourdnsipaddress

          But now you need a firewall rule that blocks UDP and TCP port 53 on the WAN interface, because it’ll be exposed to DDoS all day, every day (nmap this port just to be sure it’s really blocked). IMO just setting the DNS address for the VPN to something other than the router is easier.

          • Port 53 is filtered. I’m using my router as DNS because I use it for internal DNS for internal devices. For example: when I go to sub.domain.com externally, I want my external/public IP. If I go to the same domain in my wifi network, I need to go to 10.0.0.x (internal IP for my server)

            The DNS is set correctly:
            [*****@MikroTik] /ip dns> print
            servers: 10.0.0.1
            dynamic-servers: 84.116.46.21,84.116.46.20
            allow-remote-requests: yes
            max-udp-packet-size: 4096
            query-server-timeout: 2s
            query-total-timeout: 10s
            max-concurrent-queries: 100
            max-concurrent-tcp-sessions: 20
            cache-size: 2048KiB
            cache-max-ttl: 1w
            cache-used: 198KiB

            The thing I think is wrong, is:
            My ip-address in the VPN preferences is:
            IPv4 Address: 10.0.0.84 <<—
            Subnet Mask:
            Router: 10.0.0.84 <<—

          • This doesn’t seem correct. servers should be empty if you already have dynamic-servers.

            If you have nmap on your computer, try checking whether port 53 on the router is up from the remote computer. Make sure that you set dns-server to 10.0.0.1 for your VPN profile in /ppp profile (which is set in /interface l2tp-server server set default-profile="yourvpnprofilename"). I’ve used this same configuration on multiple routers from a fresh reset, so there could be something like a firewall blocking the port in your case.

          • I keep digging in the config, yet it seems to be fine, strangely enough.
            If I enter another DNS (8.8.8.8) on my Mac, I can reach any website. Everything but my router. I can ping my router (10.0.0.1) yet I cannot SSH to it through my VPN.

            I’m using my router as a DNS forwarder. So my router needs an external DNS. If the address isn’t known on my router, it forwards it to an external DNS. It works perfectly on my network, exactly as I want it. Only not via the VPN.

            So I’m still figuring out what exactly is going on…
