{"id":13,"date":"2015-09-09T19:08:45","date_gmt":"2015-09-09T19:08:45","guid":{"rendered":"https:\/\/blog.koffie.co.za\/?p=13"},"modified":"2026-01-03T20:28:43","modified_gmt":"2026-01-03T18:28:43","slug":"how-to-setup-an-l2tp-vpn-server-on-mikrotik","status":"publish","type":"post","link":"https:\/\/blog.koffie.co.za\/?p=13","title":{"rendered":"How to setup an L2TP\/IPSec VPN server on MikroTik"},"content":{"rendered":"

If you own a mikrotik router and would like to access your home network from anywhere in the world, or while at work then you can follow this guide.<\/p>\n

IMO, this is a much better option than having to use TeamViewer to access your PC remotely. You could setup a VPN server on your home network instead for free, and then access whatever PC you want to on your home network with Remote Desktop, VNC or whatever you want to use. You could even use this to access files on your network, or even access your printer at home from the internet, or whatever you want to. The important thing is that it will be as if your PC is on your home network when you’re not at home.<\/p>\n

 <\/p>\n

There are multiple different types of VPN connections you could create, like PPTP, SSTP, OpenVPN and L2TP.<\/p>\n

I have found that PPTP is the most simple to setup, but apprently it isn’t secure.<\/p>\n

An OpenVPN server is probably the hardest to setup out of all of them, and haven’t ever set it up on a mikrotik router before, but it is probly the most secure. So I thought I would use an L2TP VPN as its quite secure, and not that hard to setup.<\/p>\n

This guide assumes that your router already has the basics setup (can access the internet, etc).<\/p>\n

Step 1: First we need to create an IP Pool<\/span><\/h3>\n

This is what is going to determine what IP addresses get handed out to the clients connecting to your VPN server.<\/p>\n

You can find this by clicking on IP on the left, then Pool.<\/p>\n

\"MikroTik-Image1\"<\/a><\/p>\n

Step 2: Now we need to create a profile<\/span><\/h3>\n

On the left click on PPP, then go to the “Profiles” tab.<\/p>\n

\"MikroTik-Image2\"<\/a><\/p>\n

The local address is going to be the IP that the VPN clients can use to communicate with the router. (I<\/span>n the screenshot I used 192.168.0.253, but it should have been 192.168.0.254 instead since 253 is part of the IP Pool<\/span>)<\/p>\n

The remote address will be the IPs that get handed out to the VPN clients, over here you select the IP Pool that you created in step 1.<\/p>\n

The DNS Server will be the dns server your VPN clients use, you can make it use your router’s DNS (192.196.0.254<\/span> in this case) or you can just set it to Google’s DNS or whatever DNS servers you want to use.<\/p>\n

Step 3: We will now create a username and password<\/span><\/h3>\n

Now in the PPP window go to the “Secrets” tab.<\/p>\n

\"MikroTik-Image3\"<\/a><\/p>\n

Name: This will be the username to log in to the VPN.<\/p>\n

Password: The password to log in to the VPN.<\/p>\n

Profile: Change this to the profile that you created in step 2.<\/p>\n

Step 4: Setting up the L2TP Interface
<\/span><\/h3>\n

In the PPP window changes to the “Interface” tab.<\/p>\n

\"MikroTik-Image4\"<\/a><\/p>\n

    \n
  1. Check the enabled block.<\/li>\n
  2. Change the profile to the one you created in step 2.<\/li>\n
  3. Untick all the authentication methods except mschap2.<\/li>\n
  4. I have only ever used mschap2 authentication, never tried any of the others but mschap2 works just fine.<\/li>\n<\/ol>\n

    Step 5: Setting up the IPSec peer
    <\/span><\/h3>\n

    On the left click on IP, then IPSec and change to the “Peers” tab.<\/p>\n

    \"MikroTik-Image5\"<\/a><\/p>\n

      \n
    1. Fill in the secret (this is a password you will share with all the VPN clients)<\/li>\n
    2. Change the Exchange Mode to “main l2tp”<\/li>\n
    3. Enable “Send Initial Contract” and “NAT Traversal”<\/li>\n
    4. Enable “Generate Policy”<\/li>\n
    5. Change the hash algorithm to “sha” it is better than md5.<\/li>\n<\/ol>\n

      Step 6: Change the default proposal
      <\/span><\/h3>\n

      In the IPSec window change to the “Proposals” tab.<\/p>\n

      \"MikroTik-Image6\"<\/a><\/p>\n

        \n
      1. Choose sha1 for Auth. Algorithms.<\/li>\n
      2. Choose 3des for Encr. Algorithms.<\/li>\n
      3. Set PFS Group to “none”<\/li>\n<\/ol>\n

        Step 7: Create a NAT rule
        <\/span><\/h3>\n

        Im not sure if this step is really necessary or not, but I had to do this on my router before it would work.<\/p>\n

        On the left click IP, then select Firewall and go to the “NAT” tab.<\/p>\n

        Create a NAT rule that looks like my example below:<\/p>\n

        \"MikroTik-Image7\"<\/a><\/p>\n

        and under the “Action” tab set the action to “redirect” like my example below,:<\/p>\n

        \"MikroTik-Image8\"<\/a><\/p>\n

        Step 8: Set up the client (Windows 10)
        <\/span><\/h3>\n

        Go to Start >> Settings >> Network & Internet >> VPN >> Add a VPN connection<\/p>\n

        \"MikroTik-Image9\"<\/a><\/p>\n

          \n
        1. VPN Provider: Windows (built-in)<\/li>\n
        2. Connection name: Whatever you want.<\/li>\n
        3. Server name or address: The IP of the WAN Interface (This is the external IP of your router, usually this will be your no-ip, dyndns, duckdns, etc)<\/li>\n
        4. VPN type: Layer 2 Tunnelling Protocol with IPsec (L2TP\/IPsec)<\/li>\n
        5. Type of sign-in info: Username and password<\/li>\n
        6. Username: The username you created in step 3.<\/li>\n
        7. Password The password you created in step 3.<\/li>\n
        8. Click Save.<\/li>\n
        9. Now click on “Change adapter options”<\/li>\n
        10. Right click on your VPN connection, then click properties.<\/li>\n
        11. Go to the Security Tab.<\/li>\n
        12. Click on “Advanced settings”<\/li>\n
        13. Check the “Use pre-shared key for authentication” radio button, then enter the shared key you made in step 5.<\/li>\n
        14. Make sure your settings look like mine in the example below:<\/li>\n<\/ol>\n

          \"MikroTik-Image10\"<\/a><\/p>\n

           <\/p>\n

          Thats it! You should be able to connect to your VPN server with this configuration.<\/p>\n\n\n

          <\/p>\n","protected":false},"excerpt":{"rendered":"

          If you own a mikrotik router and would like to access your home network from anywhere in the world, or while at work then you can follow this guide. IMO, this is a much better option than having to use TeamViewer to access your PC remotely. You could setup a VPN server on your home […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-13","post","type-post","status-publish","format-standard","hentry","category-tutorials"],"_links":{"self":[{"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=\/wp\/v2\/posts\/13","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=13"}],"version-history":[{"count":10,"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=\/wp\/v2\/posts\/13\/revisions"}],"predecessor-version":[{"id":133,"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=\/wp\/v2\/posts\/13\/revisions\/133"}],"wp:attachment":[{"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.koffie.co.za\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}