Mikrotik Remote VPN Setup (L2TP/IPsec & PPTP) – Complete Step-by-Step Guide
Introduction
In today's connected world, being able to securely access your office or home network from anywhere is essential. Mikrotik routers offer robust VPN capabilities that allow remote access using L2TP/IPsec or PPTP protocols. This step-by-step guide will walk you through the process of setting up both options, so you can choose the one that best fits your needs.
What is Remote VPN?
A Remote VPN enables users to connect to a private network from a remote location over the internet. This ensures encrypted communication, secure data exchange, and access to network resources as if you were physically present.
Why L2TP/IPsec and PPTP?
- L2TP/IPsec – More secure, uses strong encryption, and works well with most devices.
- PPTP – Easier to configure but less secure; suitable for legacy devices or basic connectivity needs.
Prerequisites
- Mikrotik router with RouterOS v6 or later.
- Public IP address on WAN interface.
- Basic knowledge of Winbox or WebFig.
- PC or smartphone for testing the VPN connection.
Step 1 – Assign WAN and LAN Interfaces
/ip address add address=192.168.88.1/24 interface=bridge comment="LAN" add address=203.x.x.x/30 interface=ether1 comment="WAN"
Step 2 – Configure L2TP/IPsec Server
We will first set up L2TP/IPsec, as it provides better security.
Enable L2TP Server
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=YourIPSecKey default-profile=default
Create VPN User
/ppp secret add name=vpnuser password=StrongPass profile=default-encryption service=l2tp
Adjust IP Pool for VPN Clients
/ip pool add name=vpn-pool ranges=192.168.89.2-192.168.89.20 /ppp profile set default-encryption local-address=192.168.89.1 remote-address=vpn-pool use-encryption=yes
Step 3 – Configure PPTP Server (Optional)
If you want to support older devices, enable PPTP as follows:
/interface pptp-server server set enabled=yes default-profile=default-encryption
/ppp secret add name=pptpuser password=StrongPass2 profile=default-encryption service=pptp
Step 4 – Firewall Rules for VPN
Allow L2TP/IPsec and PPTP traffic through your firewall:
/ip firewall filter add chain=input protocol=udp port=500,1701,4500 action=accept comment="Allow L2TP/IPsec" add chain=input protocol=ipsec-esp action=accept comment="Allow IPsec ESP" add chain=input protocol=tcp port=1723 action=accept comment="Allow PPTP" add chain=input protocol=gre action=accept comment="Allow PPTP GRE"
Step 5 – Test from a Windows PC
To connect from a Windows PC:
- Open Control Panel → Network & Internet → Network Connections.
- Click Set up a new connection or network.
- Select Connect to a workplace → Use my Internet connection (VPN).
- Enter the public IP of your Mikrotik.
- Enter VPN username and password.
- Under Security tab, choose L2TP/IPsec with pre-shared key.
- Click Connect.
Step 6 – Test from Android/iOS
On a smartphone:
- Go to VPN settings.
- Choose L2TP/IPsec PSK.
- Enter server IP, username, password, and IPsec key.
- Save and connect.
Step 7 – Security Tips
- Always use strong passwords.
- Change IPsec key periodically.
- Limit VPN user accounts to necessary personnel.
- Enable logging for VPN connections.
Conclusion
With this setup, your Mikrotik router can now securely handle remote VPN connections using L2TP/IPsec or PPTP. This allows employees, administrators, or home users to securely access internal network resources from anywhere in the world.
