Introduction
Virtual Private Networks (VPNs) have become essential tools for businesses and individuals seeking to secure their internet connections, access remote networks, and protect sensitive data. MikroTik routers, known for their robust feature set and cost-effectiveness, offer several VPN implementation options that cater to different security needs and use cases.
In this comprehensive guide, we'll walk you through the process of setting up various VPN solutions on your MikroTik router. Whether you're a network administrator looking to establish secure site-to-site connections, or an individual wanting to access your home network remotely, this article will provide you with the knowledge and step-by-step instructions to successfully implement VPN services on your MikroTik device. TildaVPS offers optimized MikroTik servers that are perfect for implementing the VPN solutions we'll discuss in this guide, ensuring reliable and secure connections for your networking needs.
Section 1: Understanding VPN Types on MikroTik
VPN Options Available on MikroTik
MikroTik RouterOS supports several VPN protocols, each with its own strengths and ideal use cases. Before diving into configuration, it's important to understand which protocol best suits your needs.
OpenVPN is an open-source VPN protocol that offers a good balance of security and performance. It uses SSL/TLS for key exchange and can operate over both UDP and TCP. OpenVPN is highly configurable and can bypass most firewalls, making it a versatile choice for many scenarios.
IPsec (Internet Protocol Security) provides secure IP communication by authenticating and encrypting each IP packet. It's widely supported across platforms and is considered highly secure, making it ideal for site-to-site VPN connections between branch offices.
L2TP/IPsec combines Layer 2 Tunneling Protocol with IPsec encryption. This protocol is natively supported by most operating systems, including Windows, macOS, iOS, and Android, making it convenient for remote access VPNs.
PPTP (Point-to-Point Tunneling Protocol) is one of the oldest VPN protocols. It is easy to set up and has little overhead, but its MS-CHAPv2 authentication and MPPE encryption are broken: an attacker who captures a connection handshake can recover the password hash and, from it, the session keys. Treat PPTP as an unencrypted tunnel and do not use it for anything that needs confidentiality or authentication you can rely on.
SSTP (Secure Socket Tunneling Protocol) carries PPP over TLS on TCP port 443, so it passes through most firewalls and proxies. Its security is that of TLS with the certificate you configure, but client support outside Windows is limited (RouterOS itself can act as an SSTP client, which is useful for router-to-router tunnels).
WireGuard is a newer protocol known for its simplicity, high performance, and modern cryptography. MikroTik has added support for WireGuard in RouterOS v7, making it an excellent option for those running the latest firmware.
Benefits of Using VPN on MikroTik
Enhanced Security: VPNs encrypt your data, protecting it from eavesdropping and man-in-the-middle attacks, especially when using public Wi-Fi networks.
Remote Access: Securely access your home or office network resources from anywhere in the world.
Site-to-Site Connectivity: Connect multiple office locations securely over the internet, creating a unified network.
Bypass Geo-restrictions: Access region-restricted content by connecting to VPN servers in different geographical locations.
Network Segmentation: Create secure, isolated network segments for different departments or purposes within your organization.
Choosing the Right VPN Protocol
The best VPN protocol for your MikroTik setup depends on your specific requirements:
- For maximum compatibility across devices: L2TP/IPsec
- For highest security in corporate environments: IPsec
- For flexibility and good security-performance balance: OpenVPN
- For modern, high-performance needs: WireGuard (RouterOS v7+)
- For simple setup with Windows clients: SSTP
Mini-FAQ
Which VPN protocol offers the best performance on MikroTik?
WireGuard generally offers the best performance due to its lightweight design and efficient cryptography, followed by OpenVPN with UDP. However, performance can vary based on your specific hardware and network conditions.
Can I run multiple VPN protocols simultaneously on my MikroTik router?
Yes, MikroTik RouterOS allows you to run multiple VPN protocols simultaneously. This is useful for supporting different client devices or providing fallback options if one protocol is blocked.
Section 2: Prerequisites for Setting Up VPN on MikroTik
Hardware and Software Requirements
Before setting up a VPN on your MikroTik router, ensure you have the following prerequisites in place:
Hardware Requirements:
- A MikroTik router with sufficient processing power for VPN encryption/decryption. For heavy VPN usage, consider models with multi-core processors like the RB4011 or CCR series.
- Adequate RAM (at least 256MB recommended for multiple VPN connections)
- Stable internet connection with sufficient bandwidth for your VPN needs
Software Requirements:
- RouterOS version compatible with your chosen VPN protocol (v6.45+ recommended, v7+ for WireGuard)
- Updated to the latest stable release to ensure security patches are applied
- A RouterOS license; every level includes the VPN protocols, but the level caps how many concurrent PPP-based tunnels (PPTP, L2TP, SSTP, OVPN) the router accepts (200 on Level 3 and 4, 500 on Level 5, unlimited on Level 6). IPsec tunnels and WireGuard peers are not among the license limits
Network Requirements:
- Public IP address (static preferred) or properly configured DDNS service
- Appropriate port forwarding if your MikroTik is behind another router
- Properly configured firewall rules to allow VPN traffic
Initial Router Configuration
Before implementing a VPN, ensure your MikroTik router has a basic secure configuration:
- Update RouterOS to the latest stable version
- Change default admin password
- Configure proper IP addressing for all interfaces
- Set up basic firewall rules to protect your network
- Configure DNS settings
- Ensure NTP (Network Time Protocol) is properly configured, as accurate time is crucial for VPN authentication
Planning Your VPN Implementation
Take time to plan your VPN deployment by considering:
VPN Topology:
- Remote access VPN (clients connecting to your network)
- Site-to-site VPN (connecting multiple networks)
- Hub-and-spoke (central site connecting to multiple branch offices)
- Mesh (all sites connecting to each other)
IP Addressing Scheme:
- Determine the IP subnet for VPN clients
- Ensure no IP conflicts between local and remote networks
- Plan for proper routing between networks
Authentication Method:
- Username/password
- Certificate-based authentication
- Pre-shared keys
- Two-factor authentication
Security Considerations:
- Encryption strength requirements
- Traffic segregation needs
- Access control policies
Accessing Your MikroTik Router
To configure your MikroTik router, you'll need to access it using one of these methods:
- WebFig (web-based configuration interface): connect to your router's IP address in a browser (use the www-ssl service, not plain HTTP), log in with your credentials and navigate through the menus to configure VPN settings
- WinBox (GUI application): download WinBox from MikroTik's website, connect to your router by IP or MAC address and use the graphical interface to configure settings
- SSH (command-line interface): connect with an SSH client such as PuTTY or OpenSSH and enter commands directly in the RouterOS CLI; this is the method to use for scripting and advanced configuration. Telnet is also available but sends credentials in clear text; disable it under IP → Services together with any other service you do not use
- The Dude (network management application): for managing multiple MikroTik devices and getting a network-wide view of your infrastructure
Mini-FAQ
Do I need a static IP address to set up a VPN server on MikroTik?
While a static IP is ideal, you can use a dynamic DNS service if your IP changes. RouterOS has its own DDNS built in (IP → Cloud gives the router a name under sn.mynetname.net that follows its public address), and third-party services such as no-ip.com or dyn.com can be updated from a script. Point your VPN clients at the DNS name instead of the IP.
What license level do I need for VPN functionality on MikroTik?
All license levels include the VPN features; the level only caps the number of concurrent PPTP/L2TP/SSTP/OVPN tunnels (200 on Level 3 and 4, 500 on Level 5, unlimited on Level 6), and IPsec is not capped. Cloud Hosted Router (CHR) licenses have no tunnel limits either; the free CHR license is limited to 1 Mbit/s per interface, which matters more than the tunnel count. A higher level is needed only when you expect more PPP-based tunnels than your level allows; it does not make any protocol more secure or faster.
Section 3: Setting Up L2TP/IPsec VPN Server
L2TP/IPsec is one of the most widely supported VPN protocols, making it an excellent choice for environments with diverse client devices. Let's walk through the process of setting up an L2TP/IPsec VPN server on your MikroTik router.
Step 1: Configure IPsec Settings
First, set the IPsec algorithms that will protect the L2TP tunnel. On current RouterOS (6.45 and later, and all of RouterOS 7) the L2TP server creates its own IPsec peer (address 0.0.0.0/0, main-l2tp exchange mode) and policy template dynamically when you enable Use IPsec in Step 2, and that dynamic peer uses the default profile and default proposal, so those are the objects to edit. Do not also add a manual 0.0.0.0/0 peer; it would overlap with the dynamic one.
- Open WinBox and connect to your MikroTik router
- Navigate to IP → IPsec → Profiles and open the profile named default
- Configure the following:
- Hash Algorithm: sha1 (this field takes a single value, and the built-in L2TP/IPsec clients of Windows, macOS, iOS and Android offer only SHA-1 in IKEv1; it is used as an HMAC/PRF here, where SHA-1 is still acceptable)
- Encryption Algorithms: aes-256, aes-128
- DH Group: modp2048, modp1024 (Windows negotiates modp2048; some older Android and iOS clients need modp1024, so remove it once you have confirmed your clients)
- Proposal Check: obey
- Lifetime: 1d 00:00:00
- NAT Traversal: yes (most clients sit behind NAT)
- Click OK to save the profile
Next, set the IPsec proposal (phase 2, the ESP algorithms):
- Go to IP → IPsec → Proposals and open the proposal named default
- Configure the following:
- Auth Algorithms: sha256, sha1
- Encr Algorithms: aes-256-cbc, aes-128-cbc
- PFS Group: none (the built-in Windows client does not negotiate PFS for L2TP/IPsec and fails if it is required)
- Click OK to save
The peer and its pre-shared key are created automatically by the L2TP server in Step 2.
Step 2: Configure L2TP Server
Now set up the address pool, the PPP profile and the L2TP server:
- Navigate to IP → Pool, click + and create a pool for the clients, e.g. Name: l2tp-pool, Addresses: 10.0.0.2-10.0.0.254 (the PPP profile takes a pool name, not an address range)
- Navigate to PPP in the left menu and go to the Profiles tab
- Click the + button to add a new profile
- Configure the following:
- Name: L2TP-Profile
- Local Address: the router's address inside the VPN, e.g. 10.0.0.1
- Remote Address: l2tp-pool (the pool created above)
- DNS Server: the resolver you want clients to use (10.0.0.1 if the router resolves for them)
- Change TCP MSS: yes (avoids fragmentation problems inside the tunnel)
- Use Encryption: yes (MPPE; redundant inside IPsec but harmless)
- Click OK to save the profile
Next, set up the L2TP server:
- Go to the Interface tab
- Click L2TP Server
- Configure the following:
- Enabled: yes
- Max MTU: 1450
- Max MRU: 1450
- Keep Alive Timeout: 30
- Default Profile: L2TP-Profile (the profile we created)
- Authentication: mschap2 only. chap and mschap1 protect the password poorly; enable them only if a legacy client cannot do MS-CHAPv2
- Use IPsec: required (yes also creates the dynamic peer but would still accept plain, unencrypted L2TP; required refuses it)
- IPsec Secret: a long random pre-shared key. This key is shared by every client, so anyone who learns it can impersonate the server to your users; the per-user password is what identifies the user
- Click OK to save
After saving, IP → IPsec → Peers shows a dynamic peer (flag D) for 0.0.0.0/0 that uses the default profile edited in Step 1.
Step 3: Create VPN Users
Now, create user accounts for VPN access:
- Go to PPP in the left menu
- Click on the Secrets tab
- Click the + button to add a new secret
- Configure the following:
- Name: username (the login username for the VPN user)
- Password: password (a strong password for the user)
- Service: l2tp
- Profile: L2TP-Profile
- Click OK to save
- Repeat for additional users as needed
Step 4: Configure Firewall Rules
The default RouterOS firewall drops everything arriving on the WAN that is not explicitly accepted, so add input rules for the VPN and place them above the final drop rule:
- Navigate to IP → Firewall → Filter Rules
- For IPsec, add input rules that accept UDP port 500 (IKE), UDP port 4500 (IPsec NAT-T) and IP protocol 50 (ipsec-esp) from the WAN. AH (protocol 51) is not used by this setup and needs no rule
- For L2TP, add an input rule that accepts UDP port 1701 with the IPsec Policy matcher (Advanced tab) set to in, ipsec. L2TP is then accepted only after IPsec has decrypted it; a rule without the matcher would also accept unencrypted L2TP from the internet
- Add forward rules that allow traffic from the VPN subnet (10.0.0.0/24) to the resources it should reach, and nothing else. Treat VPN clients like any other remote network, not as trusted LAN
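For readers who prefer the terminal, or want to script the setup, here is the whole server side of Steps 1 to 4 as RouterOS CLI. This block is an added example and not part of the original guide; it assumes the WAN interface list from MikroTik's default configuration, the 10.0.0.0/24 addressing used above, a user called alice, and placeholder secrets that you must replace with long random values. It applies the compatibility caveats discussed above: the default profile and proposal are edited because the dynamic peer uses them, PFS is off, and UDP/1701 is accepted only inside IPsec.

```routeros
# Added example (not from the original guide): L2TP/IPsec server from Steps 1-4 as
# RouterOS CLI, for RouterOS 6.45+ / 7.x. Assumptions: interface list "WAN" from the
# default configuration, VPN subnet 10.0.0.0/24, and the placeholder PSK/password.

# Address pool and PPP profile for dial-in users
/ip pool add name=l2tp-pool ranges=10.0.0.2-10.0.0.254
/ppp profile add name=L2TP-Profile local-address=10.0.0.1 remote-address=l2tp-pool \
    dns-server=10.0.0.1 change-tcp-mss=yes use-encryption=yes

# One secret per user (placeholder password)
/ppp secret add name=alice password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD" \
    service=l2tp profile=L2TP-Profile

# Phase 1 (IKE) and phase 2 (ESP) algorithms. The L2TP server with use-ipsec creates
# its peer and policy template dynamically from the *default* profile and proposal,
# so those are what we edit. sha1 and modp1024 stay only because the built-in
# Windows/macOS/iOS clients offer nothing stronger for L2TP/IPsec in IKEv1, and
# PFS must be "none" for the Windows client to connect at all.
/ip ipsec profile set default hash-algorithm=sha1 enc-algorithm=aes-256,aes-128 \
    dh-group=modp2048,modp1024 lifetime=1d nat-traversal=yes
/ip ipsec proposal set default auth-algorithms=sha256,sha1 \
    enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none

# L2TP server: "required" refuses L2TP that does not arrive inside IPsec
/interface l2tp-server server set enabled=yes default-profile=L2TP-Profile \
    authentication=mschap2 use-ipsec=required \
    ipsec-secret="REPLACE-WITH-A-LONG-RANDOM-PSK" \
    max-mtu=1450 max-mru=1450 keepalive-timeout=30

# Firewall: IKE, NAT-T and ESP from the internet; L2TP (UDP/1701) only once it has
# been decrypted by IPsec. place-before=0 puts each rule above the default input drop.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN \
    comment="IKE + NAT-T" place-before=0
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN \
    comment="ESP" place-before=0
add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec \
    comment="L2TP only inside IPsec" place-before=0

# Verify: the dynamic peer (flag D) now, the IKE SAs and PPP sessions once a client connects
/ip ipsec peer print
/ip ipsec active-peers print
/ppp active print
```

If a client still fails to connect, compare the algorithms it proposes (visible in the log with the ipsec debug topic enabled) against the lists above; a missing overlap in phase 1 shows up as "no proposal chosen", a PFS mismatch fails only in phase 2.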
Step 5: Test the VPN Connection
After completing the configuration, test the VPN connection from a client device:
On Windows:
- Go to Settings → Network & Internet → VPN
- Click "Add a VPN connection"
- VPN Provider: Windows (built-in)
- Connection name: MikroTik L2TP
- Server name or address: your MikroTik's public IP or DDNS name
- VPN type: L2TP/IPsec with pre-shared key
- Pre-shared key: the IPsec Secret you configured
- Username and password: the credentials you created in the PPP secrets
On Android/iOS:
- Go to Settings → VPN
- Add a new VPN connection
- Select L2TP/IPsec with pre-shared key (Android calls it L2TP/IPSec PSK; iOS calls the type L2TP and the key Secret)
- Enter your MikroTik's public IP or DDNS name
- Enter the pre-shared key, username, and password
Mini-FAQ
Why is my L2TP/IPsec VPN connection failing to establish?
Common causes are a mismatched pre-shared key, firewall rules that block UDP 500/4500 or ESP, algorithm sets that do not overlap with what the client proposes (see Step 1), and NAT. Two NAT cases are worth knowing. If the MikroTik itself is behind another router, forward UDP 500, UDP 4500 and UDP 1701 to it. If the Windows client or the server is behind NAT, Windows refuses the connection (error 809) until the DWORD value AssumeUDPEncapsulationContextOnSendRule is set to 2 under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent and the client is rebooted. Check System → Log on the router; for more detail add a logging rule for the ipsec topic with debug under System → Logging, and remove it again afterwards because it is very verbose.
How many concurrent L2TP/IPsec VPN users can my MikroTik router support?
This depends on your router's hardware capabilities. Entry-level models might handle 5-10 concurrent users, while high-end models like the CCR series can support dozens or even hundreds of connections. CPU usage is the main limiting factor due to encryption overhead.
Section 4: Setting Up OpenVPN Server
OpenVPN is a highly configurable and secure VPN solution that works well across different platforms. Setting it up on MikroTik requires creating certificates and configuring the server properly. Let's walk through the process step by step.
Step 1: Create Certificates
OpenVPN uses certificates for authentication. We'll need to create a Certificate Authority (CA), a server certificate, and client certificates. The router's clock must be correct before you sign anything (see the NTP note in Section 2): certificates are stamped with the current time and a client refuses one that appears to come from the future.
Navigate to System → Certificates.
First, create a Certificate Authority (CA):
- Click the Add button
- Set Name: CA
- Set Common Name: MikroTik-CA
- Set Key Size: 2048
- Set Days Valid: 3650 (10 years)
- Check Key Usage: crl sign, key cert sign
- Click Apply, then Sign
- In the Sign dialog leave the CA field empty so the certificate signs itself, then click Start
Create a server certificate:
- Click the Add button
- Set Name: Server
- Set Common Name: MikroTik-Server
- Set Subject Alt. Name: DNS with your router's DDNS name, or IP with its public address, so clients can check that the certificate belongs to the host they connected to
- Set Key Size: 2048
- Set Days Valid: 3650
- Check Key Usage: digital signature, key encipherment, tls server
- Click Apply, then Sign
- In the Sign dialog select CA in the CA field and click Start
Create a client certificate:
- Click the Add button
- Set Name: Client1
- Set Common Name: Client1
- Set Key Size: 2048
- Set Days Valid: 3650
- Check Key Usage: tls client
- Click Apply, then Sign
- In the Sign dialog select CA in the CA field and click Start
- Repeat this step for every client. Issue one certificate per device rather than sharing one, so that a lost device can be revoked (select it and click Revoke) without re-issuing the others; enable CRL Use under the Certificates Settings button so the server honors the revocation
Step 2: Configure OpenVPN Server
Now, let's set up the pool, the PPP profile, a PPP secret and the OpenVPN server. The RouterOS OpenVPN server always authenticates a username and password from PPP Secrets in addition to the client certificate, so the secret is not optional:
- Navigate to IP → Pool, click + and create a pool for the clients, e.g. Name: ovpn-pool, Addresses: 10.1.0.2-10.1.0.254
- Navigate to PPP in the left menu and go to the Profiles tab
- Click the + button to add a new profile
- Configure the following:
- Name: OVPN-Profile
- Local Address: the router's address inside the VPN, e.g. 10.1.0.1
- Remote Address: ovpn-pool
- DNS Server: the resolver you want clients to use
- Click OK to save the profile
- Go to the Secrets tab, click + and add one secret per user with Service: ovpn and Profile: OVPN-Profile. Use the certificate's Common Name as the username so the two are easy to correlate in the logs
Next, set up the OpenVPN server:
- Go to PPP in the left menu
- Click on the Interface tab
- Click the OVPN Server button
- Configure the following:
- Enabled: yes
- Port: 1194
- Mode: ip
- Protocol: tcp (RouterOS 7 only; RouterOS 6 supports TCP only and has no Protocol field)
- Netmask: 24
- Max MTU: 1500
- Default Profile: OVPN-Profile
- Certificate: Server (the server certificate we created)
- Auth: sha256 (RouterOS 7; RouterOS 6 offers only sha1 and md5, use sha1 there)
- Cipher: aes256-cbc (shown as aes256 in RouterOS 6). RouterOS 7 also offers aes256-gcm, which is faster and authenticates the data itself; if you choose it, use the same value in the client configuration
- Require Client Certificate: yes (without this, anyone who knows a username and password can connect and the CA you created is pointless)
- Click OK to save
The RouterOS server does not support LZO compression (comp-lzo), so leave it out of client configurations; the client file in Step 4 also carries no tls-auth key, since none is configured on the server.
Step 3: Configure Firewall Rules
To allow OpenVPN traffic through your firewall:
- Navigate to IP → Firewall → Filter Rules
- Add a rule to allow OpenVPN traffic:
- Click the + button
- Set Chain: input
- Set Protocol: tcp
- Set Dst. Port: 1194
- Set In. Interface List: WAN (so the rule only matches connections from the internet)
- Set Action: accept
- Add a comment like "Allow OpenVPN"
- Click OK to save and drag the rule above the default "drop all not coming from LAN" input rule
- Add forward rules that allow traffic from the VPN subnet (10.1.0.0/24) to the resources it should reach, and nothing else
Step 4: Export Client Certificates and Create Client Configuration
To connect clients to your OpenVPN server, export the CA certificate and the client's certificate and key, then build a client configuration file:
Export the CA certificate:
- Go to System → Certificates
- Select the CA certificate
- Click Export
- Choose Export Type: PEM
- Click Export and save the file as ca.crt
Export the client certificate and key:
- Select the Client1 certificate
- Click Export
- Choose Export Type: PEM
- Enter an Export Passphrase (at least 8 characters); RouterOS exports the private key only when a passphrase is given, and the key file is encrypted with it
- Click Export; this produces client1.crt and client1.key
- Download both files and ca.crt from Files, then delete them from the router. Give the passphrase to the user out of band; OpenVPN prompts for it when the tunnel is started
Create a client configuration file (client.ovpn) with the following content. Compared with a typical community-OpenVPN profile it needs auth-user-pass, because the RouterOS server demands a PPP username and password, and it must not contain key-direction or tls-auth, which the server does not use:
client
dev tun
proto tcp
remote your-mikrotik-public-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Prompt for the PPP secret username and password (RouterOS always requires them)
auth-user-pass
# Only accept a server whose certificate carries the TLS server usage we set on "Server"
remote-cert-tls server
# Must match the server's Cipher and Auth settings (use auth SHA1 for a RouterOS 6 server)
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
# Paste the content of ca.crt here
</ca>
<cert>
# Paste the content of client1.crt here
</cert>
<key>
# Paste the content of client1.key here
</key>
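The server side of Steps 1 to 4 as RouterOS CLI, for readers who want to reproduce or script it. This is an added example, not part of the original guide; it is written for RouterOS 7 (the 6.x differences are noted in comments) and assumes the WAN interface list from the default configuration, the 10.1.0.0/24 addressing used above, the hypothetical DDNS name vpn.example.com for the server certificate's subject alternative name, and placeholder passwords and passphrases that you must replace.

```routeros
# Added example (not from the original guide): OpenVPN server from Steps 1-4 as
# RouterOS 7 CLI. Assumptions: interface list "WAN" from the default configuration,
# VPN subnet 10.1.0.0/24, hypothetical server name vpn.example.com, placeholder secrets.

# CA, server and client certificates. The CA signs itself (no ca= argument); the
# SAN lets clients verify the name they connected to.
/certificate
add name=CA common-name=MikroTik-CA key-size=2048 days-valid=3650 \
    key-usage=crl-sign,key-cert-sign
sign CA
add name=Server common-name=MikroTik-Server subject-alt-name=DNS:vpn.example.com \
    key-size=2048 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign Server ca=CA
add name=Client1 common-name=Client1 key-size=2048 days-valid=3650 key-usage=tls-client
sign Client1 ca=CA
# Make the server honor revocations made with "/certificate revoke"
/certificate settings set crl-use=yes

# Pool, profile and PPP secret. The RouterOS OVPN server always asks the client for a
# username/password on top of the certificate, so the secret is mandatory.
/ip pool add name=ovpn-pool ranges=10.1.0.2-10.1.0.254
/ppp profile add name=OVPN-Profile local-address=10.1.0.1 remote-address=ovpn-pool \
    dns-server=10.1.0.1 change-tcp-mss=yes
/ppp secret add name=Client1 password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD" \
    service=ovpn profile=OVPN-Profile

# Server. RouterOS 6.x: omit protocol=, use cipher=aes256 and auth=sha1 (no sha256 there).
/interface ovpn-server server set enabled=yes port=1194 protocol=tcp mode=ip netmask=24 \
    certificate=Server auth=sha256 cipher=aes256-cbc require-client-certificate=yes \
    default-profile=OVPN-Profile

# Firewall: expose only the OpenVPN port; place-before=0 keeps the rule above the default drop
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1194 \
    in-interface-list=WAN comment="Allow OpenVPN" place-before=0

# Export what the client needs. Without export-passphrase only the certificate is
# written; with it, ca.crt / client1.crt / client1.key appear under Files. Download
# them (WinBox Files, SFTP) and then remove them from the router.
/certificate export-certificate CA file-name=ca
/certificate export-certificate Client1 file-name=client1 \
    export-passphrase="REPLACE-WITH-EXPORT-PASSPHRASE"

# Verify
/certificate print
/interface ovpn-server server print
/file print where name~"client1|ca"
```

The client1.key file is encrypted with the export passphrase; OpenVPN prompts for it on connect, which is the intended behaviour for a key that travels to a laptop. Delete the exported copies from the router's file store once downloaded, because anything with read access to Files (for example a backup) would otherwise contain the client's private key.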
Step 5: Connect Clients to OpenVPN
Now you can use the client configuration file to connect to your OpenVPN server:
On Windows:
- Install the OpenVPN client (from openvpn.net)
- Copy the client.ovpn file to C:\Program Files\OpenVPN\config\
- Right-click the OpenVPN GUI icon in the system tray and select "Connect"
On macOS:
- Install Tunnelblick (from tunnelblick.net)
- Import the client.ovpn file
- Connect using the Tunnelblick menu
On Linux:
- Install the OpenVPN client (sudo apt install openvpn on Debian/Ubuntu)
- Run sudo openvpn --config client.ovpn
On Android/iOS:
- Install the OpenVPN Connect app
- Import the client.ovpn file
- Connect using the app
Mini-FAQ
How can I troubleshoot OpenVPN connection issues?
Check the logs on both the server (System → Logs) and client sides. Common issues include certificate problems, firewall blocks, or routing issues. Enable verbose logging on the client side by setting "verb 5" in the configuration file for more detailed logs.
Can I use UDP instead of TCP for OpenVPN?
Only on RouterOS 7, whose OVPN server has a Protocol setting; RouterOS 6 speaks TCP only. On v7, set Protocol: udp on the server, change proto tcp to proto udp in the client file, and change the firewall rule from TCP to UDP 1194. UDP avoids the TCP-over-TCP stall that makes TCP tunnels slow on lossy links and is the better default; keep TCP for networks that only let port 443/TCP out.
Section 5: Setting Up WireGuard VPN (RouterOS v7+)
WireGuard is a modern VPN protocol known for its simplicity, high performance, and strong security. It's available in RouterOS version 7 and later. Let's set up a WireGuard VPN server on your MikroTik router.
Step 1: Create WireGuard Interface
First, let's create the WireGuard interface on your MikroTik router:
- Navigate to WireGuard in the left menu (or Interface → WireGuard in older v7 versions)
- Click the + button to add a new interface
- Configure the following:
- Name: wireguard1
- Listen Port: 13231 (or any other port of your choice)
- MTU: 1420
- Click OK to create the interface
- After creation, note the Public Key that was generated - you'll need this for client configuration
Step 2: Configure IP Address for WireGuard Interface
Assign an IP address to the WireGuard interface:
- Go to IP → Addresses
- Click the + button to add a new address
- Configure the following:
- Address: 10.10.10.1/24 (this will be the VPN subnet)
- Interface: wireguard1
- Click OK to save
Step 3: Add WireGuard Peers (Clients)
For each client that will connect to your WireGuard VPN:
- First, generate a key pair on the client device (we'll show how to do this in Step 5). The private key never leaves the client; only the public key is copied to the router
- In your MikroTik router, go to WireGuard in the left menu
- Click on the Peers tab
- Click the + button to add a new peer
- Configure the following:
- Interface: wireguard1
- Public Key: paste the client's public key here
- Allowed Address: 10.10.10.2/32 (the address assigned to this client). On the router this field does double duty: it is the route for packets to the peer and the source filter for packets from it, so anything the client sends from another address is silently dropped. Add further prefixes only if the client should route a network behind it
- Persistent Keepalive: leave empty. Keepalives are sent by the side behind NAT, i.e. the client (Step 5 sets 25 seconds there); on the router they only matter when the router must initiate to a peer with a fixed endpoint
- Click OK to save
- Repeat for additional clients, incrementing the address (10.10.10.3/32, etc.); never give two peers the same allowed address
Step 4: Configure Firewall Rules
To allow WireGuard traffic through your firewall:
- Navigate to IP → Firewall → Filter Rules
- Add a rule to allow WireGuard handshakes and data from the internet:
- Click the + button
- Set Chain: input
- Set Protocol: udp
- Set Dst. Port: 13231 (the port you configured for WireGuard)
- Set In. Interface List: WAN
- Set Action: accept
- Add a comment like "Allow WireGuard"
- Click OK and move the rule above the default "drop all not coming from LAN" input rule
- Allow the tunnel itself to talk to the router. The default input chain drops anything not arriving from the LAN interface list, so pinging 10.10.10.1 fails until you either add wireguard1 to the LAN list (Interfaces → Interface List) or add an input rule accepting In. Interface: wireguard1 for the services clients need (ICMP, DNS). The second option is tighter; the first gives VPN clients the same access to the router as LAN devices
- Add forward rules that allow traffic from the WireGuard subnet (10.10.10.0/24) to the resources it should reach
- Only if clients will send all their traffic through the tunnel (AllowedIPs = 0.0.0.0/0 in Step 5), add a masquerade rule so they can reach the internet through the router:
- Go to IP → Firewall → NAT
- Click the + button
- Set Chain: srcnat
- Set Src. Address: 10.10.10.0/24
- Set Out. Interface List: WAN
- Set Action: masquerade
- Add a comment like "Masquerade WireGuard clients"
- Click OK to save
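The router side of Steps 1 to 4 as RouterOS 7 CLI. This is an added example and not part of the original guide; it assumes the LAN and WAN interface lists from the default configuration, the 10.10.10.0/24 subnet used above, one client named alice-laptop, and a placeholder where the client's public key goes.

```routeros
# Added example (not from the original guide): WireGuard server side from Steps 1-4
# as RouterOS 7 CLI. Assumptions: interface lists "LAN"/"WAN" from the default
# configuration, VPN subnet 10.10.10.0/24, client public key is a placeholder.

# Interface; RouterOS generates the private/public key pair on creation
/interface wireguard add name=wireguard1 listen-port=13231 mtu=1420
/ip address add address=10.10.10.1/24 interface=wireguard1

# Read the router's public key for the client's [Peer] section
/interface wireguard print

# One peer per client. allowed-address is both the route to the peer and the source
# filter for packets from it. No persistent-keepalive here: the NATed client sends it.
/interface wireguard peers add interface=wireguard1 comment=alice-laptop \
    public-key="REPLACE-WITH-CLIENT-PUBLIC-KEY-BASE64=" allowed-address=10.10.10.2/32

# Firewall: handshakes/data from the internet, above the default input drop
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="Allow WireGuard" place-before=0

# Let tunnel clients reach the router itself (ICMP for testing, DNS if the router
# resolves for them) without treating the tunnel as LAN.
/ip firewall filter add chain=input action=accept in-interface=wireguard1 \
    protocol=icmp comment="WireGuard clients: ping the router" place-before=0
/ip firewall filter add chain=input action=accept in-interface=wireguard1 \
    protocol=udp dst-port=53 comment="WireGuard clients: DNS" place-before=0

# Only for full-tunnel clients (AllowedIPs = 0.0.0.0/0): NAT their traffic out the WAN
/ip firewall nat add chain=srcnat action=masquerade src-address=10.10.10.0/24 \
    out-interface-list=WAN comment="Masquerade WireGuard clients"

# Verify: last-handshake and rx/tx counters appear once the client connects
/interface wireguard peers print
```

Because WireGuard authenticates peers purely by public key, there is no username to revoke: removing or disabling the peer entry is how a lost device is locked out, which is one more reason to create one peer per device and name it in the comment.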
Step 5: Configure WireGuard Clients
Now, let's set up a client to connect to your WireGuard VPN:
For Windows:
- Download and install WireGuard from wireguard.com
- Open the WireGuard application
- Click "Add Empty Tunnel..."
- A new key pair is generated automatically; copy the public key into the peer you create on the router (Step 3)
- Configure the client with the following template:
[Interface]
PrivateKey = (client's private key, generated on this device)
Address = 10.10.10.2/32
DNS = 8.8.8.8, 8.8.4.4
[Peer]
PublicKey = (your MikroTik WireGuard interface's public key)
AllowedIPs = 0.0.0.0/0
Endpoint = your-mikrotik-public-ip:13231
PersistentKeepalive = 25
- Click "Save" and then "Activate" to connect
The Address must be the one you entered as Allowed Address for this peer on the router (a /32 is enough, since every client talks to the router and not to each other). AllowedIPs = 0.0.0.0/0 sends all the client's traffic through the tunnel and requires the masquerade rule from Step 4; Section 7 shows how to narrow it for split tunneling.
For Android/iOS:
- Install the WireGuard app from the app store
- Tap the + button and select "Create from scratch"
- Enter a name for the VPN
- Configure using the same template as above
- Tap "Save" and then tap the toggle to connect
For Linux:
- Install WireGuard (sudo apt install wireguard on Debian/Ubuntu)
- Generate keys: wg genkey | tee privatekey | wg pubkey > publickey
- Create a configuration file at /etc/wireguard/wg0.conf using the template above, readable only by root (chmod 600), since it holds the private key
- Connect with sudo wg-quick up wg0
Step 6: Test the Connection
After setting up both the server and client:
- Activate the WireGuard connection on your client device
- Verify connectivity by pinging the WireGuard interface IP on your MikroTik (10.10.10.1)
- Try accessing other resources on your network
- Check the WireGuard status on your MikroTik by going to WireGuard and looking at the Peers tab
Mini-FAQ
Is WireGuard more secure than OpenVPN or IPsec?
WireGuard uses modern cryptography with a much smaller codebase than OpenVPN or IPsec, which potentially means fewer security vulnerabilities. However, all three protocols are considered secure when properly configured. WireGuard's main advantages are its simplicity and performance.
How many WireGuard peers can my MikroTik router support?
This depends on your router's hardware capabilities. WireGuard is very efficient, so even entry-level MikroTik routers can handle dozens of peers. High-end models can support hundreds of connections with minimal performance impact.
Section 6: Setting Up Site-to-Site VPN with IPsec
IPsec is an excellent choice for establishing secure site-to-site VPN connections between branch offices or between your main office and a cloud environment. In this section, we'll configure a site-to-site VPN between two MikroTik routers using IPsec.
Step 1: Plan Your Network Topology
Before configuring IPsec, plan your network topology:
Site A (Main Office):
- Public IP: 203.0.113.1 (replace with your actual public IP)
- Local Network: 192.168.1.0/24
- MikroTik Router: 192.168.1.1
Site B (Branch Office):
- Public IP: 203.0.113.2 (replace with your actual public IP)
- Local Network: 192.168.2.0/24
- MikroTik Router: 192.168.2.1
Step 2: Configure IPsec on Site A (Main Office)
These steps follow the IPsec layout of RouterOS 6.45 and later (and all of RouterOS 7): the pre-shared key lives in an Identity, not on the Peer, and the Policy references the Peer instead of carrying SA addresses.
Create IPsec Profile:
- Navigate to IP → IPsec → Profiles
- Click the + button to add a new profile
- Configure the following:
- Name: site-to-site
- Hash Algorithm: sha256
- Encryption Algorithms: aes-256
- DH Group: modp2048
- Lifetime: 1d 00:00:00
- Click OK to save
Create IPsec Proposal:
- Go to IP → IPsec → Proposals
- Click the + button to add a new proposal
- Configure the following:
- Name: site-to-site-proposal
- Auth Algorithms: sha256
- Encr Algorithms: aes-256-cbc (or aes-256-gcm, which is faster and then needs no separate Auth Algorithm)
- PFS Group: modp2048
- Lifetime: 00:30:00
- Click OK to save
Create IPsec Peer:
- Go to IP → IPsec → Peers
- Click the + button to add a new peer
- Configure the following:
- Name: site-b-peer
- Address: 203.0.113.2/32 (Site B's public IP)
- Profile: site-to-site
- Exchange Mode: ike2 (both ends are MikroTik, so there is no reason to stay on IKEv1 main mode; IKEv2 handles NAT, rekeying and dead-peer detection more robustly)
- Click OK to save
Create IPsec Identity:
- Go to IP → IPsec → Identities
- Click the + button
- Peer: site-b-peer
- Auth. Method: pre shared key
- Secret: a long random pre-shared key, identical on both sites. Generate it once with a password manager and never reuse it for another tunnel
- Click OK to save
Create IPsec Policy:
- Go to IP → IPsec → Policies
- Click the + button to add a new policy
- General tab: Peer: site-b-peer, Tunnel: yes, Src. Address: 192.168.1.0/24 (Site A's local network), Dst. Address: 192.168.2.0/24 (Site B's local network), Protocol: all
- Action tab: Action: encrypt, Level: require, IPsec Protocols: esp, Proposal: site-to-site-proposal
- Click OK to save
Step 3: Configure IPsec on Site B (Branch Office)
Repeat the same steps on Site B's MikroTik router with the addresses mirrored:
- Create IPsec Profile (same as Site A)
- Create IPsec Proposal (same as Site A)
- Create IPsec Peer: Name site-a-peer, Address 203.0.113.1/32 (Site A's public IP), Profile site-to-site, Exchange Mode ike2
- Create IPsec Identity: Peer site-a-peer, Auth. Method pre shared key, Secret identical to Site A's
- Create IPsec Policy: Peer site-a-peer, Tunnel yes, Src. Address 192.168.2.0/24 (Site B's local network), Dst. Address 192.168.1.0/24 (Site A's local network), other settings the same as Site A
The two policies must be exact mirrors of each other (Site A's source is Site B's destination and vice versa); a mismatch is the most common reason a tunnel completes phase 1 but never carries traffic.
Step 4: Configure Firewall and NAT Rules on Both Sites
On both MikroTik routers:
- Navigate to IP → Firewall → Filter Rules
- Add input rules that accept UDP port 500 (IKE), UDP port 4500 (NAT-T) and IP protocol 50 (ipsec-esp), restricted with Src. Address to the other site's public IP, and place them above the default drop rule. AH (protocol 51) is not used and needs no rule
- Make sure the forward chain allows traffic between 192.168.1.0/24 and 192.168.2.0/24. The default configuration already contains "accept in ipsec policy" and "accept out ipsec policy" forward rules; if you have removed them, add a forward rule with IPsec Policy = in, ipsec for the remote network
- Go to IP → Firewall → NAT and add, above the masquerade rule, a srcnat rule with Action: accept, Src. Address: the local network and Dst. Address: the remote network (on Site A: 192.168.1.0/24 to 192.168.2.0/24). Without this bypass the masquerade rule rewrites the source address to the public IP before IPsec sees the packet, the packet no longer matches the policy, and it leaves the WAN unencrypted towards a private address the internet cannot route. This omission is the single most common reason a site-to-site tunnel comes up but passes no traffic
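Site A's side of Steps 2 and 4 as RouterOS CLI, as an added example that is not part of the original guide. It uses the RouterOS 6.45+/7 layout (identity and peer reference) and the addresses from Step 1, assumes the WAN interface list from the default configuration, and uses a placeholder pre-shared key. Site B is the same with every address swapped.

```routeros
# Added example (not from the original guide): Site A of the site-to-site tunnel,
# RouterOS 6.45+ / 7.x. Site B mirrors it with addresses swapped. Assumptions:
# interface list "WAN" from the default configuration, placeholder PSK.

/ip ipsec profile add name=site-to-site hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=1d
/ip ipsec proposal add name=site-to-site-proposal auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# Router to router: IKEv2, and the secret lives in the identity, not the peer
/ip ipsec peer add name=site-b-peer address=203.0.113.2/32 profile=site-to-site \
    exchange-mode=ike2
/ip ipsec identity add peer=site-b-peer auth-method=pre-shared-key \
    secret="REPLACE-WITH-A-LONG-RANDOM-PSK"

# Tunnel-mode policy: which traffic is encrypted and to which peer it goes
/ip ipsec policy add peer=site-b-peer tunnel=yes src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 proposal=site-to-site-proposal

# NAT bypass, above masquerade: otherwise the source is rewritten before the
# policy is matched and the packets never enter the tunnel.
/ip firewall nat add chain=srcnat action=accept src-address=192.168.1.0/24 \
    dst-address=192.168.2.0/24 comment="IPsec bypass" place-before=0

# Firewall: IKE/NAT-T and ESP only from Site B; decrypted traffic is forwarded.
# The forward rule duplicates the default "accept in ipsec policy" rule and is
# only needed if that one was removed.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=203.0.113.2 \
    in-interface-list=WAN comment="IKE from Site B" place-before=0
add chain=input action=accept protocol=ipsec-esp src-address=203.0.113.2 \
    in-interface-list=WAN comment="ESP from Site B" place-before=0
add chain=forward action=accept src-address=192.168.2.0/24 dst-address=192.168.1.0/24 \
    ipsec-policy=in,ipsec comment="Decrypted traffic from Site B" place-before=0

# Verify: an established peer, two installed SAs, and an active (A) policy
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
```

A quick functional test from the router itself is a ping to a Site B host with the LAN address as source (Tools → Ping, Src. Address 192.168.1.1); a ping sourced from the WAN address does not match the policy and is not a valid test of the tunnel.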
Step 5: Add Policies for Additional Subnets (if needed)
A policy-based IPsec tunnel has no interface and therefore no routes: the router encrypts whatever matches a policy, and traffic between subnets that no policy covers simply leaves unencrypted via the default route. If either site has more than one subnet:
- Go to IP → IPsec → Policies
- Add one further policy per subnet pair (same Peer, Tunnel and Proposal, different Src./Dst. Address), on both routers as mirrors, and a matching NAT bypass rule for each pair
- If the list grows long, or you need dynamic routing or failover, switch to a route-based design instead: a GRE or IPIP tunnel between the two public IPs, protected by a single IPsec policy for that tunnel's traffic, with static, OSPF or BGP routes pointing into the tunnel interface
Step 6: Test the Connection
After completing the configuration on both sites:
- Check the IPsec status under IP → IPsec → Active Peers; you should see one established entry for the other site
- Test connectivity by pinging devices across the tunnel: from a device in Site A's network ping a device in Site B's network, and the other way round
- If pings succeed, try the actual services across the tunnel
Step 7: Monitor and Troubleshoot
To monitor and troubleshoot your IPsec tunnel:
- Check IPsec statistics: go to IP → IPsec → Statistics and, for the installed SAs, IP → IPsec → Installed SAs, where the byte counters should grow while you ping
- View logs for IPsec-related messages: go to System → Log and filter for the ipsec topic
- Use the ping tool with routing options to test the tunnel from the router itself: go to Tools → Ping, enter the IP of a device at the remote site and set Src. Address to the router's LAN address. A ping sourced from the WAN address does not match the policy and will not go through the tunnel
Mini-FAQ
What should I do if the IPsec tunnel doesn't establish?
Check firewall rules on both sides to ensure IPsec traffic is allowed. Verify that the pre-shared keys match exactly. Check for NAT issues if either router is behind another NAT device. Review logs for specific error messages.
How can I verify that traffic is actually going through the IPsec tunnel?
Under IP → IPsec → Installed SAs the Current Bytes counters of the two SAs grow while you pass traffic, and IP → IPsec → Statistics counts packets in and out. A policy-based tunnel has no interface of its own, so use Torch (Tools → Torch) on the WAN interface instead: you should see ESP (protocol 50, or UDP 4500 with NAT-T) to the remote public IP and no plain packets to the remote private subnet. If plain packets to 192.168.2.x are leaving the WAN, the NAT bypass rule from Step 4 is missing or sits below the masquerade rule.
Section 7: Advanced VPN Configurations and Best Practices
Now that we've covered the basic VPN setups, let's explore some advanced configurations and best practices to enhance security, performance, and manageability of your MikroTik VPN deployments.
Implementing Split Tunneling
Split tunneling sends only traffic for the remote network through the VPN and lets everything else use the client's normal internet connection, which improves performance and keeps the router out of the client's general browsing. The flip side is that a client that is on the internet and on your network at the same time can be used as a bridge into it, so decide per user group whether you want it.
For OpenVPN:
- The RouterOS OVPN server does not push routes to clients (recent RouterOS 7 releases add a Push Routes option to the server; if yours has it, you can push them from there), so routing is normally decided in the client file
- Leave out redirect-gateway def1 (which would send everything through the tunnel) and add one route line per network that should be reached through the VPN, for example route 192.168.1.0 255.255.255.0
For WireGuard:
- In the client configuration, replace AllowedIPs = 0.0.0.0/0 with the networks reachable through the tunnel, for example AllowedIPs = 10.10.10.0/24, 192.168.1.0/24; the masquerade rule on the router is then unnecessary
For L2TP/IPsec:
- On Windows clients, edit the VPN connection properties, go to Networking → IPv4 → Properties → Advanced and uncheck "Use default gateway on remote network"; then add the remote network to the connection with the PowerShell cmdlet Add-VpnConnectionRoute -ConnectionName "MikroTik L2TP" -DestinationPrefix 192.168.1.0/24
Implementing Two-Factor Authentication
RouterOS has no built-in one-time-password mechanism for VPN logins, so a second factor is added either by requiring a certificate in addition to a password or by handing authentication to an external RADIUS server that checks OTPs:
RADIUS authentication:
- Run a RADIUS server that supports OTP (for example FreeRADIUS with a TOTP module, or privacyIDEA). MikroTik's own User Manager package also acts as a RADIUS server and can hold the user database, but the OTP check has to be done by a server that implements it
- On the router, go to Radius, click + and add the server with Service: ppp, its Address and a strong shared Secret
- Go to PPP → Secrets → PPP Authentication & Accounting and enable Use Radius; users not found in the local secrets are then sent to RADIUS, where the password field carries password plus OTP or the OTP alone, depending on the server's setup
Certificate + password (OpenVPN):
- The RouterOS OVPN server always requires a PPP username and password; with Require Client Certificate: yes (Section 4, Step 2) a login therefore needs both something the user has (the device certificate and its key) and something the user knows. The options auth-user-pass-verify and client-cert-not-required belong to the community OpenVPN server and do not exist on RouterOS
Time-based one-time passwords (TOTP):
- There is no TOTP package for RouterOS. TOTP is implemented on the RADIUS server as above; users enroll their authenticator app there and the router only forwards the credentials
Optimizing VPN Performance
Improve VPN performance with these tweaks:
Adjust MTU settings:
- Find the largest packet that crosses your WAN without fragmentation with a ping that sets the don't-fragment flag (ping -f -l 1472 host on Windows, ping -M do -s 1472 host on Linux) and lower the size until it succeeds; the tunnel MTU is that value plus 28 bytes of IP/ICMP header, minus the tunnel's own overhead
- Set the result on the VPN interface; typical values are 1400-1450 for OpenVPN and 1420 for WireGuard
- For PPP-based tunnels (L2TP, OVPN, SSTP) also enable Change TCP MSS in the PPP profile so TCP sessions never try to send full-size segments
Hardware acceleration:
- RouterOS uses the encryption hardware of models that have it (CCR and many ARM boards such as the RB4011 and hAP ac2) automatically for IPsec; there is no switch to turn it on. It only engages for algorithms the chip supports, typically AES-CBC and AES-GCM with SHA-1/SHA-256 integrity, so choose those and check IP → IPsec → Installed SAs, where hardware-accelerated SAs carry the H flag
- OpenVPN, the PPP layer of L2TP and WireGuard run on the CPU, so a faster CPU is the only lever there
Choose efficient protocols:
- Use UDP instead of TCP for OpenVPN where RouterOS 7 allows it
- Consider WireGuard on RouterOS 7 for the best throughput per CPU cycle
- Prefer AES-GCM over AES-CBC plus SHA for IPsec: it does encryption and integrity in one pass and is what the hardware engines are fastest at
Implementing Failover and Load Balancing
For mission-critical VPN connections, implement failover or load balancing:
- Dual WAN failover: configure multiple WAN connections on your MikroTik, set up failover routing using routing marks and policy-based routing (or recursive route checks), and configure your VPN to reconnect automatically if the primary connection fails. An IPsec peer or WireGuard endpoint bound to one public address will not follow the failover unless a matching peer exists for the second address
- Site-to-site VPN redundancy: set up multiple tunnels between sites using different WAN connections, use routing metrics to prioritize the primary tunnel, and run a dynamic routing protocol (OSPF or BGP) over the tunnels for automatic failover. This requires route-based tunnels (GRE/IPIP over IPsec, or WireGuard), not pure policy-based IPsec
- Load balancing: for many remote-access users, distribute them across multiple VPN servers using DNS round-robin or a load balancer in front of the connection ports
Monitoring and Logging VPN Connections
Set up comprehensive monitoring for your VPN services:
Configure detailed logging:
- Go to System → Logging
- Add rules for the topics ipsec, l2tp, ovpn and ppp with an action that ships them off the router (a remote syslog action), so that an intruder cannot erase them and failed logins can be alerted on centrally
Set up SNMP monitoring:
- Go to IP → SNMP, enable the service and use SNMPv3 with authentication and privacy (a community entry with Security: private); SNMPv1/v2c community strings travel in clear text and are effectively passwords
- Restrict the allowed address to your monitoring host and poll interface counters, CPU load and the number of active PPP connections
Create connection tracking scripts:
- Use RouterOS scripting to check tunnel state and send an e-mail or syslog alert on a tunnel-down event
- The following script (after /tool e-mail set server=... from=... has been configured; admin@example.com is a placeholder) checks every five minutes whether Site B from Section 6 has an established IKE peer and mails an alert when it does not:
/system script add name=monitor-ipsec source=":if ([:len [/ip ipsec active-peers find where remote-address=203.0.113.2]] = 0) do={ /tool e-mail send to=\"admin@example.com\" subject=\"IPsec Tunnel Down\" body=\"No active IPsec peer for Site B (203.0.113.2)\" }"
/system scheduler add name=check-ipsec interval=5m on-event=monitor-ipsec start-time=startup
- The check uses Active Peers rather than the policy's invalid flag, because that flag marks a configuration error and stays clear when a correctly configured tunnel has simply gone down
Mini-FAQ
How can I securely allow remote management of my MikroTik router through VPN?
Create a separate VPN profile specifically for management access with stricter security settings. Use firewall rules to only allow management access (Winbox, SSH, WebFig) from the VPN subnet. Consider implementing IP-based access lists and two-factor authentication for additional security.
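The management setup described in that answer as RouterOS CLI, as an added example that is not part of the original guide. It assumes the L2TP server from Section 3 is in use, a LAN of 192.168.1.0/24, a dedicated management VPN subnet 10.0.9.0/24, the LAN and WAN interface lists from the default configuration, the Server certificate from Section 4 for WebFig over TLS, and a placeholder password.

```routeros
# Added example (not from the original guide): a separate PPP profile for administrators
# and router management restricted to that subnet plus the LAN. Assumptions: LAN
# 192.168.1.0/24, management VPN 10.0.9.0/24, L2TP server from Section 3, interface
# lists "LAN"/"WAN" from the default configuration, certificate "Server" from Section 4.

# Dedicated pool and profile: own subnet, one session per account
/ip pool add name=mgmt-pool ranges=10.0.9.2-10.0.9.14
/ppp profile add name=L2TP-Mgmt local-address=10.0.9.1 remote-address=mgmt-pool \
    only-one=yes change-tcp-mss=yes
/ppp secret add name=admin-vpn password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD" \
    service=l2tp profile=L2TP-Mgmt

# Management services answer only to the LAN and the management VPN; the rest are off
/ip service set winbox address=192.168.1.0/24,10.0.9.0/24
/ip service set ssh address=192.168.1.0/24,10.0.9.0/24
/ip service set www-ssl address=192.168.1.0/24,10.0.9.0/24 certificate=Server disabled=no
/ip service disable telnet,ftp,www,api,api-ssl
/ip ssh set strong-crypto=yes

# Defence in depth: the firewall refuses management ports from anything that is
# neither on the LAN nor in the management VPN, independent of the service settings.
/ip firewall filter add chain=input action=drop protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 src-address=!10.0.9.0/24 \
    in-interface-list=!LAN comment="Management only from LAN or mgmt VPN" place-before=0

# MAC-level WinBox/Telnet and neighbor discovery stay on the LAN only
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# Verify
/ip service print
/ppp active print
```

Ordinary VPN users (10.0.0.0/24 from Section 3, 10.10.10.0/24 from Section 5) are deliberately absent from the service address lists and are caught by the drop rule, so compromising a user's VPN credentials does not expose WinBox or SSH. Keep one local break-glass account reachable from the LAN in case the VPN itself is what breaks.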
What's the best way to handle dynamic IP addresses for site-to-site VPNs?
Use dynamic DNS services to track changing IP addresses. Configure your IPsec or OpenVPN to use hostnames instead of IP addresses. For IPsec, you may need to use a script to update peer addresses when they change. Alternatively, consider using RouterOS's "mode-config" feature for IPsec to handle dynamic addressing.
Conclusion
Setting up a VPN on your MikroTik router provides secure remote access to your network resources and enables secure site-to-site connectivity between multiple locations. In this comprehensive guide, we've covered various VPN implementation options, from the widely compatible L2TP/IPsec to the modern and efficient WireGuard protocol.
We've walked through the step-by-step process of configuring each VPN type, including the necessary certificates, encryption settings, firewall rules, and client configurations. We've also explored advanced configurations like split tunneling, two-factor authentication, and performance optimization techniques to help you build a robust and secure VPN infrastructure.
MikroTik routers offer exceptional flexibility and powerful VPN capabilities at a fraction of the cost of many enterprise solutions. By following the instructions in this guide, you can leverage these capabilities to create secure connections that protect your data and enable seamless remote access to your network resources.
Remember that security is an ongoing process, not a one-time setup. Regularly update your RouterOS firmware, review your VPN configurations, monitor logs for unusual activity, and adjust your security settings as needed to maintain a strong security posture.
For specialized VPN solutions tailored to your specific needs, consider TildaVPS's MikroTik server offerings, which provide optimized hardware and pre-configured environments for running robust VPN services with minimal setup time.
Key Takeaways
- MikroTik routers support multiple VPN protocols including L2TP/IPsec, OpenVPN, WireGuard, and IPsec, giving you flexibility to choose the best solution for your specific needs.
- WireGuard (available in RouterOS v7+) offers the best performance and simplicity, while IPsec provides robust security for site-to-site connections, and L2TP/IPsec offers the widest device compatibility.
- Proper firewall configuration is essential for VPN security - always create specific rules to allow only necessary VPN traffic and implement proper access controls for your network resources.
- Advanced features like split tunneling, two-factor authentication, and redundant connections can significantly enhance the security and usability of your VPN implementation.
- Regular monitoring, logging, and maintenance of your VPN setup are crucial for maintaining security and ensuring reliable performance over time.
Glossary
IPsec (Internet Protocol Security): A protocol suite that authenticates and encrypts IP packets to provide secure encrypted communication between network devices.
L2TP (Layer 2 Tunneling Protocol): A tunneling protocol used to support VPNs, often combined with IPsec for encryption.
OpenVPN: An open-source VPN protocol that uses SSL/TLS for key exchange and can operate over both UDP and TCP.
WireGuard: A modern, faster, and simpler VPN protocol focused on performance and ease of implementation.
Split Tunneling: A VPN feature that allows a user to access different networks (public and private) at the same time through the same physical network connection.
Pre-shared Key (PSK): A shared secret that is used for authentication in VPN connections.
Certificate Authority (CA): An entity that issues digital certificates, which verify that a particular public key belongs to a specific entity.
MTU (Maximum Transmission Unit): The size of the largest protocol data unit that can be communicated in a single network layer transaction.
NAT Traversal: Techniques to establish and maintain connections across network address translators.
Two-factor Authentication (2FA): A security process in which users provide two different authentication factors to verify their identity.