How to Set Up a Secure VPN on a MikroTik Router
In today’s world, remote access to your network is crucial. A Virtual Private Network (VPN) gives you secure access to your MikroTik router, and to the network behind it, from anywhere. This guide walks you through setting up an L2TP/IPsec VPN on a MikroTik router with strong credentials and sensible defaults. L2TP/IPsec is used here because Windows and macOS ship a client for it; keep in mind that its pre-shared key is the same for every client, so treat it like a password and rotate it whenever a device that holds it is lost or retired.
Scenario Overview
- Router WAN IP: 103.0.113.10/30 (example public IP; substitute your own)
- WAN interface: wan1 (the interface name used in the NAT rule below)
- VPN Subnet: 172.16.100.0/24 (VPN clients receive IPs from this range; keep it distinct from your LAN subnet)
- VPN Authentication: L2TP/IPsec with a strong username, password, and pre-shared key
Step 1: Configure the VPN Server
1.1. Create a VPN User
/ppp secret add name="vpn_user_123" password="Xy7#pK3vW!dM" service=l2tp profile=default-encryption comment="VPN user for remote access"
- Username: vpn_user_123 (one secret per person or device, so sessions can be told apart and revoked individually)
- Password: Xy7#pK3vW!dM (example only; generate a random password and never reuse it elsewhere)
- service=l2tp limits this secret to L2TP, so it cannot be used for PPTP, SSTP or OpenVPN logins on the same router.
1.2. Enable L2TP Server with IPsec
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret="8Fg&Tb3@xZa9" default-profile=default-encryption authentication=mschap2
- Pre-Shared Key: 8Fg&Tb3@xZa9 (example only; generate your own. Every client uses the same key, so it authenticates the server, not individual users)
- use-ipsec=required rejects clients that attempt plain L2TP; use-ipsec=yes would still accept an unencrypted L2TP session alongside the IPsec-protected ones.
- authentication=mschap2 removes PAP, CHAP and MS-CHAPv1 from the PPP negotiation.
1.3. Assign IP Pool for VPN Clients
/ip pool add name=VPN_Pool ranges=172.16.100.100-172.16.100.200 comment="VPN client IP pool"
/ppp profile set default-encryption local-address=172.16.100.1 remote-address=VPN_Pool dns-server=8.8.8.8,8.8.4.4 comment="Profile for VPN clients"
- VPN clients will receive: 172.16.100.100 - 172.16.100.200
- Router’s VPN address: 172.16.100.1
Step 2: Configure Firewall & NAT Rules
2.1. Allow VPN Traffic
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow replies to router-initiated traffic"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="Allow IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="Allow IPsec ESP"
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="Allow L2TP only inside IPsec"
add chain=input src-address=172.16.100.0/24 in-interface=!wan1 action=accept comment="Allow VPN clients to reach the router"
add chain=input in-interface=!wan1 action=accept comment="Keep LAN management access"
add chain=input action=drop comment="Drop all other input traffic"
- UDP 1701 is accepted only when the packet arrived inside an IPsec policy (ipsec-policy=in,ipsec), so plain L2TP from the Internet is dropped. dst-port is used rather than port, which would also match source ports. L2TP/IPsec uses ESP only, so no AH rule is needed.
- Client traffic arrives on the dynamic L2TP interfaces, never on wan1; the in-interface=!wan1 match on the VPN-client rule stops packets with a spoofed 172.16.100.x source from the Internet.
- The established/related and in-interface=!wan1 rules must come before the final drop. Without them that drop also blocks the router’s own DNS and NTP replies and your Winbox or SSH session from the LAN.
- Rules are appended in order. If the router already has a firewall (the stock MikroTik configuration ends the input chain with a drop of everything not from the LAN), move these rules above that drop, otherwise they are never evaluated.
2.2. Enable NAT for VPN Clients
/ip firewall nat add chain=srcnat src-address=172.16.100.0/24 out-interface=wan1 action=masquerade comment="Enable internet access for VPN clients"
- Full-tunnel clients leave for the Internet through the router’s WAN address. The VPN protects traffic between the client and the router; beyond the router it is ordinary Internet traffic.
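The whole server side, Steps 1 and 2 in one ordered script, as an added example that is not part of the original article. It tightens a few settings the steps above leave at their defaults: IPsec is required rather than merely allowed, only MS-CHAPv2 is offered, and the IPsec profile and proposal used by the L2TP server’s dynamic peer drop 3DES and MD5. Assumptions not stated in the article: the WAN interface is named wan1 (as in the NAT rule), the LAN is reached through every other interface, and the router runs RouterOS 6.43 or later (or 7.x) so that /ip ipsec profile exists. The credentials are the article’s placeholders and must be replaced.

```routeros
# Added example (not from the original article): Steps 1 and 2 as one
# ordered RouterOS script with tightened settings. Credentials are the
# article's placeholders; replace them. ASSUMED: WAN interface is wan1,
# LAN is on every other interface, RouterOS 6.43+ / 7.x.

# --- Step 1: user, address pool, PPP profile ---
/ppp secret add name="vpn_user_123" password="Xy7#pK3vW!dM" service=l2tp \
    profile=default-encryption comment="VPN user for remote access"
/ip pool add name=VPN_Pool ranges=172.16.100.100-172.16.100.200 \
    comment="VPN client IP pool"
/ppp profile set default-encryption local-address=172.16.100.1 \
    remote-address=VPN_Pool dns-server=8.8.8.8,8.8.4.4 \
    use-encryption=required comment="Profile for VPN clients"

# --- L2TP server: IPsec required (use-ipsec=yes still accepts plain L2TP),
#     MS-CHAPv2 only (removes PAP, CHAP, MS-CHAPv1) ---
/interface l2tp-server server set enabled=yes use-ipsec=required \
    ipsec-secret="8Fg&Tb3@xZa9" default-profile=default-encryption \
    authentication=mschap2

# --- IPsec algorithms. The dynamic peer created by the L2TP server uses
#     the "default" profile and proposal (confirm with /ip ipsec peer print
#     after a client connects). 3DES and MD5 are removed; SHA1 and modp1024
#     stay because stock Windows/macOS clients may offer only those.
#     Re-test every client type before narrowing the lists further. ---
/ip ipsec profile set default enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha256,sha1 dh-group=modp2048,modp1024
/ip ipsec proposal set default enc-algorithms=aes-256-cbc,aes-128-cbc \
    auth-algorithms=sha256,sha1

# --- Step 2: firewall. Rules are appended in order; on a router that already
#     has a firewall (the stock one ends the input chain with a drop) move
#     these above that drop afterwards, or they are never evaluated. ---
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="VPN: replies to router-initiated traffic"
add chain=input connection-state=invalid action=drop comment="VPN: drop invalid"
add chain=input protocol=udp dst-port=500,4500 action=accept \
    comment="VPN: IKE and NAT-T"
add chain=input protocol=ipsec-esp action=accept comment="VPN: IPsec ESP"
# udp/1701 only after IPsec decapsulation; plain L2TP from the Internet is dropped
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="VPN: L2TP inside IPsec only"
# client packets arrive on dynamic <l2tp-...> interfaces, never on wan1,
# so the in-interface match rejects 172.16.100.x spoofed from the Internet
add chain=input src-address=172.16.100.0/24 in-interface=!wan1 action=accept \
    comment="VPN: connected clients may reach the router"
add chain=input in-interface=!wan1 action=accept comment="VPN: keep LAN management"
add chain=input action=drop comment="VPN: drop all other input"
# forward chain: clients into the LAN and out to the Internet
add chain=forward src-address=172.16.100.0/24 action=accept \
    comment="VPN: clients to LAN/Internet"
/ip firewall nat add chain=srcnat src-address=172.16.100.0/24 out-interface=wan1 \
    action=masquerade comment="VPN: Internet access for clients"
```

Paste the script into a terminal or import it as an .rsc file. The "VPN:" comment prefix is only there so the rules can be found and moved as a group; it has no effect on matching.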
Step 3: Connect from Your Computer
Windows Setup
- Open Settings → Network & Internet → VPN → Add VPN
- VPN Provider: Windows (built-in)
- Server Address: 103.0.113.10
- VPN Type: L2TP/IPsec with pre-shared key
- Pre-shared key: 8Fg&Tb3@xZa9
- Username: vpn_user_123
- Password: Xy7#pK3vW!dM
- In the connection’s adapter properties (Security tab), allow only Microsoft CHAP Version 2 so the client never falls back to PAP or CHAP.
- If the router sits behind another NAT (for example a provider using CG-NAT) rather than on a public address as in this scenario, the Windows client refuses the connection until the DWORD value AssumeUDPEncapsulationContextOnSendRule = 2 is added under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent and the machine is rebooted.
macOS Setup
- System Settings → Network → add a VPN configuration (System Preferences → Network → + on macOS 12 and earlier)
- VPN Type: L2TP over IPsec
- Server Address: 103.0.113.10
- Account Name: vpn_user_123
- Password: Xy7#pK3vW!dM
- Shared Secret: 8Fg&Tb3@xZa9
- Under the connection’s options, enable "Send all traffic over VPN connection" if you want a full tunnel; otherwise most traffic stays on the local connection and the public-IP check in Step 4 shows your own address.
Step 4: Testing the VPN Connection
4.1. Verify IP Assignment (on the router)
/ppp active print
The session should list vpn_user_123 with an address from 172.16.100.100 - 172.16.100.200.
4.2. Ping the VPN Gateway (from the connected client)
ping 172.16.100.1
4.3. Verify Public IP
Visit https://www.whatismyip.com/ from the client. With a full tunnel the page shows the router’s WAN address (103.0.113.10 in this scenario); if it shows your local address, the client is not sending all traffic through the VPN.
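What to check on the router after a client connects, followed by a small audit that flags the settings most often left weak, as an added example that is not part of the original article. The audit only reads configuration and writes warnings to the log; it changes nothing. The menus and properties used are standard RouterOS ones; the "L2TP audit:" log prefix is just a label chosen here.

```routeros
# Added example (not from the original article): post-connection checks
# and a read-only audit of the L2TP/IPsec server settings.

# 1. Phase 1/2 as actually negotiated: peer address, NAT-T, algorithms
/ip ipsec active-peers print
/ip ipsec installed-sa print detail
# 2. The PPP session and the address it received from VPN_Pool
/ppp active print
# 3. Recent failures. A wrong pre-shared key fails in IPsec phase 1 and is
#    logged here before any L2TP or PPP message appears.
/log print where topics~"ipsec" or topics~"l2tp"

# 4. Audit: is plain L2TP still accepted? is 3DES still offered? is PAP on?
:local mode [/interface l2tp-server server get use-ipsec]
:if ($mode != "required") do={
    :log warning "L2TP audit: use-ipsec=$mode still accepts unencrypted L2TP; set required"
}
:local enc [:tostr [/ip ipsec profile get [find name="default"] enc-algorithm]]
:if ([:typeof [:find $enc "3des"]] != "nil") do={
    :log warning "L2TP audit: IPsec profile 'default' still offers 3des ($enc)"
}
:local auth [:tostr [/interface l2tp-server server get authentication]]
:if ([:typeof [:find $auth "pap"]] != "nil") do={
    :log warning "L2TP audit: PAP is enabled on the L2TP server ($auth)"
}
```

Run the audit again after any firmware upgrade or configuration restore; a restored backup silently brings back whatever the old settings were.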
Summary
✅ Secure VPN setup using L2TP/IPsec
✅ Strong authentication and encryption
✅ Firewall and NAT rules for secure connectivity
✅ Step-by-step configuration for Windows & macOS
By following these steps, you can securely access your MikroTik router and local network from anywhere in the world using a reliable VPN connection. Let us know if you need additional help!