Basic L2TP VPN Setup on MikroTik

Here we configure an L2TP/IPsec VPN between MikroTik RouterBOARDs: one router acts as the VPN server and the site/office routers connect to it as L2TP clients.

Server Side Configuration (MikroTik "VPN Only" Routerboard)


1) Login to VPN-Server MikroTik

2) Create a VPN Network

Choose an IP range for the VPN network; the server assigns addresses from it to each client router.
( Example: 172.16.22.0/24 )

You are logged in to the server-side MikroTik; run the commands below in its terminal:

Create a bridge for VPN network

/interface bridge

add name=vpn-bridge

/ip address

add address=172.16.22.1/24 interface=vpn-bridge

 

Add VPN IP address Pool

/ip

pool add name="vpn-pool" ranges=172.16.22.2-172.16.22.254

3) Create a VPN (PPP) profile. It ties the pool, the bridge and the DNS servers together, and every VPN user created in the next step refers to it.

/ppp

profile add name="vpn-profile" local-address=172.16.22.1 remote-address=vpn-pool bridge=vpn-bridge dns-server=8.8.8.8,1.1.1.1 use-encryption=yes

4) Create VPN Users (one per client router)

Clients connect to the server-side MikroTik's real (public) IP.

Create a VPN user (still on the server-side MikroTik, in its terminal):

/ppp

secret add name=khulnarouter password=dSw3eVcRt profile=vpn-profile remote-address=172.16.22.2

If you have more home/office routers, create one secret per router. Give each its own remote-address= (incrementing by one: .2, .3, .4 ...) so that every router always gets the same VPN IP and can be reached at that address from the other sites. The passwords shown here are examples; use long random passwords of your own.

Example (in terminal, /ppp):

secret add name=faridpurrouter password=dRk8vHa5j profile=vpn-profile remote-address=172.16.22.3

secret add name=ctgrouter password=gWk2vLa4c profile=vpn-profile remote-address=172.16.22.4

5) Keep Note of VPN-User Credentials

So, from the above config, you get the VPN username and password.

When configuring the VPN on a site-office (client) MikroTik, use the values from the server configuration above, for example:

VPN Host/Connect to: xx.xx.xx.xx (VPN-Server side MikroTik's Real IP)
User: khulnarouter
Password: dSw3eVcRt

VPN Network (Private):
IP-Range: 172.16.22.0/24
Subnet Mask: 255.255.255.0
Gateway: 172.16.22.1

6) Configure L2TP Server

Still on the server-side MikroTik:

Enable IPsec and set an IPsec secret. The same secret is entered on every client router when its L2TP client interface is created.

This example enables the L2TP Server from the Winbox GUI (PPP window, L2TP Server button). Keep the information below handy:

Enabled = yes
Keepalive Timeout = 14400
Default Profile = vpn-profile
Authentication = mschap2,mschap1,chap,pap
Use IPsec = yes
IPsec Secret = rAh8mTc (choose your own secret)
Caller ID Type = ip address

Security note: between two MikroTik routers only mschap2 is needed. pap sends the user password in cleartext and chap/mschap1 are weak; IPsec hides them on the wire, but only from anyone who does not know the IPsec secret, so leave them out of the Authentication list unless a client cannot do mschap2.

The IPsec secret is a pre-shared key used by every client router, so one lost or compromised router exposes the IPsec layer for all of them. Use a long random string rather than a short word like the example, and change it (on the server and all clients) when a router is lost or decommissioned.

(Screenshot: Winbox L2TP Server settings dialog)

7) Configure Firewall to Accept VPN Connections

Still on the server-side MikroTik, run the commands below in its terminal:


/ip firewall filter

add chain=input protocol=tcp dst-port=8291,58291 action=accept comment="Allow MikroTik Access"

This rule accepts Winbox from any source address (8291 is the Winbox port; keep 58291 only if you have configured it as an alternate port). Do not leave management open to the whole internet: add src-address= for your management network or the VPN subnet 172.16.22.0/24, or match a src-address-list of trusted addresses.

add chain=input protocol=udp dst-port=500,1701,4500 action=accept comment="Allow VPN Connect"

UDP 500 is IKE, 4500 is IPsec NAT-Traversal and 1701 is L2TP itself. To refuse L2TP that arrives outside IPsec, put 1701 in its own rule matched with ipsec-policy=in,ipsec and drop the rest.

add chain=input protocol=ipsec-esp action=accept comment="L2TP IPSec Pass"

ESP is IP protocol 50 (ipsec-esp in RouterOS); ipencap is IP-in-IP (protocol 4) and would not match IPsec traffic at all. This rule is only used by clients that are not behind NAT; NAT-T clients carry ESP inside UDP 4500, which the rule above already allows.

add chain=forward src-address=172.16.22.0/24 action=accept comment="Allow VPN Clients, reach to each other services"

add chain=forward src-address=172.16.22.0/24 in-interface=all-ppp action=accept comment="Allow remote vpn users to reach to this router/services"

add chain=forward dst-address=172.16.22.0/24 out-interface=all-ppp action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"

/ip firewall nat

add chain=srcnat dst-address=172.16.22.0/24 out-interface=all-ppp action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"

 

Remember: RouterOS evaluates firewall rules top to bottom, so these accept rules must sit above any existing drop rules in the input and forward chains. In Winbox drag and drop them into place (or use place-before= when adding them from the terminal).
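Steps 2 to 7 above as one terminal script, with the settings tightened where the tutorial's values are weak: mschap2 only, IPsec required, plain L2TP without IPsec refused, and Winbox limited to trusted addresses. This is an added example and not the tutorial's own script. The subnet, names and passwords are the ones used above; the management address 203.0.113.10 and the alternate Winbox port 58291 are assumptions to replace with your own.

```routeros
# Server-side MikroTik: steps 2-7 as one script (added example).
# Assumed values: management workstation 203.0.113.10, alternate Winbox
# port 58291. Everything else matches the tutorial above.

# 2) VPN network: bridge that the L2TP client interfaces are added to
/interface bridge
add name=vpn-bridge comment="L2TP clients land here"
/ip address
add address=172.16.22.1/24 interface=vpn-bridge
/ip pool
add name=vpn-pool ranges=172.16.22.2-172.16.22.254

# 3) PPP profile shared by all VPN users
/ppp profile
add name=vpn-profile local-address=172.16.22.1 remote-address=vpn-pool \
    bridge=vpn-bridge dns-server=8.8.8.8,1.1.1.1 use-encryption=yes

# 4) One secret per client router, each pinned to its own VPN address
/ppp secret
add name=khulnarouter   password=dSw3eVcRt profile=vpn-profile remote-address=172.16.22.2
add name=faridpurrouter password=dRk8vHa5j profile=vpn-profile remote-address=172.16.22.3
add name=ctgrouter      password=gWk2vLa4c profile=vpn-profile remote-address=172.16.22.4

# 6) L2TP server. Hardened relative to the Winbox values in the text:
#    - authentication=mschap2 only (no pap/chap/mschap1 fallback)
#    - use-ipsec=required: the tunnel is refused if IPsec does not come up
#    The IPsec secret is one pre-shared key for every client; use a long
#    random one of your own in place of the tutorial's example value.
/interface l2tp-server server
set enabled=yes default-profile=vpn-profile authentication=mschap2 \
    use-ipsec=required ipsec-secret="rAh8mTc" keepalive-timeout=14400 \
    caller-id-type=ip-address

# 7) Firewall. Winbox is allowed only from a trusted address list, and
#    L2TP (UDP 1701) is accepted only when it arrived inside IPsec.
/ip firewall address-list
add list=mgmt address=203.0.113.10   comment="admin workstation (assumed)"
add list=mgmt address=172.16.22.0/24 comment="VPN clients"
/ip firewall filter
add chain=input protocol=tcp dst-port=8291,58291 src-address-list=mgmt \
    action=accept comment="Allow MikroTik Access (trusted sources only)"
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="IKE and IPsec NAT-T"
add chain=input protocol=ipsec-esp action=accept \
    comment="ESP from clients that are not behind NAT"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    action=accept comment="L2TP only inside IPsec"
add chain=input protocol=udp dst-port=1701 action=drop \
    comment="Plain L2TP without IPsec is refused"
add chain=forward src-address=172.16.22.0/24 action=accept \
    comment="Allow VPN Clients, reach to each other services"
add chain=forward src-address=172.16.22.0/24 in-interface=all-ppp \
    action=accept comment="Allow remote vpn users to reach to this router/services"
add chain=forward dst-address=172.16.22.0/24 out-interface=all-ppp \
    action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"
/ip firewall nat
add chain=srcnat dst-address=172.16.22.0/24 out-interface=all-ppp \
    action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"

# The accept rules must be above any existing drop rules. If your chains
# already contain drops, move each one up, e.g.
#   /ip firewall filter move [find comment="L2TP only inside IPsec"] destination=0

# Verification once a client has dialled in
/ip ipsec active-peers print
/ppp active print
/interface l2tp-server print
```

Paste it in one go into the server's terminal (or run it as a script). Afterwards `/ppp active print` should list one entry per connected client with the remote-address pinned in its secret, and `/ip ipsec active-peers print` one established peer per client; if a client appears in neither, check the IPsec secret first, since a PSK mismatch fails before L2TP authentication is ever attempted.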

Done ! Server side configuration is ok.

Client Side MikroTik Config (Login to a Client MikroTik)

 

8) Create a L2TP Client interface

You are logged in to the client-side MikroTik; do the following there.

(Screenshot: Winbox L2TP Client dialog)

Keep the information below handy; the credentials are the ones created on the server-side MikroTik:

Connect to = xx.xx.xx.xx (VPN Server side MikroTik's Real IP)
User = khulnarouter
Password = dSw3eVcRt
Profile = default-encryption
Keepalive Timeout = 14400
Use IPsec = yes
IPsec Secret = rAh8mTc (choose your own secret)
Dial on demand = yes
Allow = mschap2,mschap1,chap,pap

As on the server, mschap2 alone is enough between two MikroTik routers; listing pap/chap here only lets the client fall back to weaker methods if a server offers them.

(Screenshot: Winbox L2TP Client settings, Dial Out tab)

If you set Add Default Route = no (so that only traffic for the VPN network uses the tunnel and the site keeps its own Internet route), add a route to 172.16.22.0/24 manually (Winbox > IP > Routes) with gateway l2tp-out1.

Apply the settings.

9) Set Client Side Firewall

You are logged in to the client-side MikroTik; run the commands below in its terminal:

/ip firewall filter

add chain=input protocol=tcp dst-port=8291,58291 action=accept comment="Allow MikroTik Access"

As on the server, restrict this rule with src-address= (the VPN subnet 172.16.22.0/24 or your LAN) rather than accepting Winbox from any address on the WAN side.

add chain=forward src-address=172.16.22.0/24 in-interface=l2tp-out1 action=accept comment="Allow remote vpn users to reach to this router/services"

add chain=forward dst-address=172.16.22.0/24 out-interface=l2tp-out1 action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"

/ip firewall nat

add chain=srcnat dst-address=172.16.22.0/24 out-interface=l2tp-out1 action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"
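Steps 8 and 9 above as one terminal script for the client router, with the same tightening as on the server side (mschap2 only, no default route through the tunnel, Winbox accepted from the VPN side only). This is an added example and not the tutorial's own script. The user name, password and IPsec secret are the ones created on the server above; the server's public IP 198.51.100.1 is an assumption standing in for the xx.xx.xx.xx in the text.

```routeros
# Client-side MikroTik: steps 8-9 as one script (added example).
# Assumed value: the server's public IP 198.51.100.1 (the text writes
# xx.xx.xx.xx). Credentials and the IPsec secret come from the server.

# 8) L2TP client interface: mschap2 only, IPsec on, and no default route
#    so the site keeps its own Internet path
/interface l2tp-client
add name=l2tp-out1 connect-to=198.51.100.1 user=khulnarouter \
    password=dSw3eVcRt profile=default-encryption use-ipsec=yes \
    ipsec-secret="rAh8mTc" keepalive-timeout=14400 dial-on-demand=yes \
    allow=mschap2 add-default-route=no disabled=no

# Because add-default-route=no, route only the VPN network through the tunnel
/ip route
add dst-address=172.16.22.0/24 gateway=l2tp-out1 comment="VPN network via L2TP"

# 9) Firewall. Winbox is accepted from the VPN side only; LAN-side
#    management is left to your existing LAN rules (assumed to exist).
/ip firewall filter
add chain=input protocol=tcp dst-port=8291,58291 src-address=172.16.22.0/24 \
    action=accept comment="Allow MikroTik Access (from VPN only)"
add chain=forward src-address=172.16.22.0/24 in-interface=l2tp-out1 \
    action=accept comment="Allow remote vpn users to reach to this router/services"
add chain=forward dst-address=172.16.22.0/24 out-interface=l2tp-out1 \
    action=accept comment="Allow Local/Lan users to reach to other vpn routers/services"
/ip firewall nat
add chain=srcnat dst-address=172.16.22.0/24 out-interface=l2tp-out1 \
    action=masquerade comment="Allow Local/Lan users to reach to other vpn routers/services"

# Verification: the tunnel should report connected, an IPsec peer should be
# present, and the server's VPN address should answer
/interface l2tp-client monitor l2tp-out1 once
/ip ipsec active-peers print
/ping 172.16.22.1 count=3
```

With dial-on-demand=yes the interface stays down until the first packet for 172.16.22.0/24 is sent, so the ping at the end is also what brings the tunnel up; the same script is used on every client router with only the user, password and (if you pin it) the route comment changed.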

Done, and enjoy !

 
