How To Setup L2TP VPN Server on Mikrotik

How To Setup L2TP VPN Server on Mikrotik

L2tp/IPsec is a built-in VPN protocol on many operating systems and an efficient way to transmit your internet traffic through a VPN tunnel.

This may be one of the reasons you have decided to use L2TP/IPsec as your VPN protocol on a MikroTik VPS or router. Here we present you an L2TP VPN MikroTik step-by-step guide.

What do I need to set up L2TP on MikroTik?

Before stepping into the MikroTik L2TP server setup, we would better see and gather what we need for the MikroTik l2tp VPN setup.

Instructions for Installing an L2TP VPN on a MikroTik server

In this tutorial, we will show you how to set up an L2TP VPN server on Mikrotik VPS through the PSK (Pre-Shared Key) method in just four easy steps.

Step 1: Add Firewall Rule

First, we must set a firewall rule to allow the VPN’s traffic to go through the server.

  1. Connect to your MikroTik server or router, enter into Winbox, and from the left menu, go to IP ⇒ Firewall.
  2. In the Firewall window, go to the NAT tab and click on the blue plus (+) sign to create a new rule.
  3. Click on the Action tab in the “New NAT Rule” window. Then, click on the Action drop-down menu and select the “Masquerade” option.
  4. Click on the OK button to finish creating the rule.

Nat rule in MikroTik firewall

Step 2: Activate L2TP Server

Now, we need to enable the L2TP VPN protocol on the server.

  1. From the left menu in Winbox, open the PPP window.
  2. In the newly opened window, go to Interface ⇒ L2TP Server.
  3. In the “L2TP Server” window, check the “Enabled” and “IPsec Secret” boxes, or put “Use IPsec” on “required.”
  4. In the “Default Profile” section, select the default option.
  5. You need to provide a passphrase and put it in the “IPsec Secret” section. We will need it, so remember to write it down.

activate l2tp when you setup an L2TP VPN server on MikroTik VPS

Step 3: Activate Encryption In Profiles

In order to encrypt the data, we need to enable the encryption option. To do this:

  1. Go to the Profiles tab from the PPP section.
  2. Select the default profile. In the new window, go to the Protocols tab and choose the “yes” option under the “Use Encryption” section.
  3. Click the Apply then OK buttons to apply and save the changes.

edit profile in MikroTik VPS

Step 4: Create A Username

Now, it’s time to create a user profile to use the L2TP VPN on different operating systems such as Windows, Android, and IOS.

  1. Click on the PPP section on the left menu, go to the Secrets tab, and click on the blue plus sign (+).
  2. Enter the information below in the fields:
  • Name: Choose any name that you wish.
  • Password: choose any password that you wish.
  • Profile: Choose the default profile.
  • Local Address: 10.10.10.2
  • Remote Address: 10.10.10.3

add user after you setup an L2TP VPN server

Note:  The local address is the IP where the user sees the MikroTik IP when connected to the server.

The remote address is the IP where the user sees his IP when he connects to the MikroTik server.

Note that these values must be different for each user.

For example, for another user that you will create, you should select the value of the local address and remote address, respectively 10.10.10.4 and 10.10.10.5

To simplify things, you can create an IP Pool to evade creating IP addresses manually. Keep in mind after creating the IP pool, you have to change some settings.

However, we did not create an IP Pool to keep the process of setting up an L2TP VPN server on MikroTik VPS/Router short and simple in this article.

How To Connect To The L2TP VPN

After configuring the VPN server, it is time to create a client in your operating system.

To create a VPN connection in Windows 10, search for the “VPN” term in the search field, select “Add VPN Connection,” and in the VPN type menu, select “L2TP/IPsec with pre-shared key.”

Now you can fill in the empty fields. Note that you must enter the passphrase that you created when activating the L2TP server in the “Pre-shared key” section.

add l2tp vpn client in Windows 10

What ports are used by the MikroTik L2TP firewall?

The default ports used to access the MicroTik firewall are as follows:

  • UDP Port 1701 – for L2TP VPN Connection
  • UDP Port 500 – for IPSec Connection
  • UDP Port 4500 – for IPSec NAT Traversal
  • ESP (Protocol 50) – for IPSec ESP

What is the default port for L2TP in MikroTik?

L2TP uses UDP port 1701 for link establishment, and further traffic may go through this port or any other UDP port.

How do I change my L2TP port?

You can change the L2TP port through a Source-NAT rule, the direct configuration of the L2TP port is not possible.

What ports need to be open for L2TP VPN?

Without a NAT rule, the list of ports needed for L2TP/IPsec is as follows:

  • Protocol: UDP, port 500
  • Protocol: UDP, port 4500 (for IPSEC NAT-Traversal mode)

FAQ

In this situation, you must add static DNS to your VPN client. To do so, open the RUN page by pressing the Windows key + R.

Write the name of the VPN that you have created, click on it, and choose Properties.

On the new page, choose the Networking tab and double-click on Internet Protocol Version 4 (TCP/IPV4).

On the new page, choose "Use the following DNS server addresses" and fill them out, then press OK on both sections to apply the changes.

Summary

These are the steps required to create an l2tp VPN server on MikroTik. Keep in mind to set up an L2TP VPN server on MikroTik VPS faster and easier we did not cover some topics.

Also, if there is any problem, please mention it in the comments section, and we will definitely answer.

Leave a Reply

Your email address will not be published. Required fields are marked.