MikroTik L2TP VPN

How to set up a MikroTik L2TP VPN

Learn how to set up a MikroTik L2TP VPN. Although MikroTik is one of the leading technology companies providing products for secure and reliable Internet connectivity, and is well known in the IT community for its RouterOS software, it has at the same time remained a rather obscure company. Its fame is mostly confined to the catacombs of the aforementioned IT and online communities.

However, with online geo-blocks and government-mandated internet censorship taking hold, people are increasingly turning to VPNs to get around these ongoing issues. And once those mid-level VPNs are themselves targeted, the need for more advanced options such as a MikroTik L2TP VPN is felt more than ever.

So whether you are affected by ongoing internet censorship in your home region, geo-blocks imposed by various tech companies and online services, or if you want to run a private VPN server of your own accord, this article is for you.

In this article, I will go over the definition of a VPN and its L2TP variant before providing a step-by-step guide to the MikroTik L2TP VPN setup.

What is a VPN?

VPN is an abbreviation for virtual private network. In short, a VPN consists of two parts: a tunnel and a host. When connecting to a VPN, you use a specific protocol as a tunnel to connect to another host or server, which can be either a network, as in a site-to-site VPN, or a dedicated server, as in a traditional remote-access VPN.

Once this connection is established, your original IP address is masked, and restrictions that applied to that IP address no longer affect you. This isn’t the only use case for a VPN. Most VPN services also encrypt your data, making it unreadable to your Internet Service Provider (ISP) as well as to any intruder who might gain access by hacking your network or luring you onto their own unsecured network. There are different types of VPNs and many other connection protocols.

In this article, we are going to use the L2TP protocol to run an L2TP VPN on MikroTik RouterOS. If you want to run another VPN with a different setup and protocol, check out our other articles. Also check out our Obfuscated VPN article if you’re looking to deploy a more secure solution than a normal VPN.

What is L2TP protocol: advantages and disadvantages

Back to the topic at hand and the protocol of choice for today’s endeavor: what exactly is the L2TP protocol, and what are its main pros and cons? L2TP stands for Layer 2 Tunneling Protocol and is a branch of the better-known PPTP VPN protocol, originally developed and published by Microsoft in 1999.

What separates L2TP from PPTP is that the protocol is mixed with elements of the well-known Cisco Layer 2 protocol, making it a very useful combination. L2TP relies heavily on strong encryption to transfer data, making it one of the most secure VPN protocols, yet it must be noted that the protocol is not secure on its own merits. Now let’s quickly move on to the main pros and cons of a MikroTik L2TP VPN in this context.

Advantages

Here are three main advantages of the L2TP VPN protocol.

L2TP security

Like IPsec, one of its creative inspirations, L2TP has highly secure 256-bit encryption as part of its base code, making it one of the most secure VPN protocols in the world. This makes it a highly desirable option for users who prioritize security over connection speed, since L2TP sacrifices some speed in exchange for greater security. It can be confidently said that, apart from certain aspects which we will cover later in the article, L2TP is sufficient to protect you from most online threats, especially man-in-the-middle attacks.

L2TP VPN compatibility

L2TP is one of the most widely supported VPN protocols, with built-in clients on most of the platforms we use by default, including macOS, iOS, Android, Windows, Linux, and so on. This is one of the main reasons for its massive popularity. Beyond that, it’s very useful because you can easily configure it as an end user on most devices you own, and it’s a good protocol to learn if you’re a coder because it’s the most accessible protocol in the world. You benefit from this in this guide, as the process of setting up your own MikroTik L2TP VPN will be rather simple.

L2TP protocol stability

As a protocol, L2TP is extremely stable in all operating conditions. It provides a stable connection without interruptions and also comes with excellent NAT compatibility, which makes problems such as NAT incompatibility with various online services very rare. As mentioned above, it also exhibits remarkable stability in the face of online attacks like DDoS and man-in-the-middle attacks. L2TP is one of the most secure VPN protocols available.

Disadvantages

Here are three main disadvantages of the L2TP VPN protocol.

L2TP VPN speed

A large part of what makes L2TP so secure is its 256-bit AES encryption and the double encapsulation of data transfers. While this brings world-class security, it severely hampers the connection’s ability to use bandwidth effectively and significantly slows down connection speeds. So, if you use a VPN not for security reasons but only to circumvent Internet restrictions, then L2TP may not be the best protocol for you. Although you can combine L2TP connectivity with OpenVPN to remedy this somewhat, it’s just not worth the trouble.

Poor port support

L2TP arguably has the worst support for multiple ports of any VPN protocol, an inherent problem it shares with its parent protocol, PPTP. Only a select number of ports can be used to transmit packets over an L2TP connection. If these ports are affected by a firewall, you must manually make exceptions for them. But the real problem is when these ports are blocked outright by your ISP. Then there is very little that can be done to connect your VPN with the L2TP protocol. This makes it easier for tyrannical governments to shut down L2TP.

Potentially already compromised

Two credible and famous sources, Edward Snowden, the famous CIA leaker, and John Gilmore, the founder of the EFF, have both come out in the past and suggested that the L2TP protocol has already been compromised and breached by the American intelligence agencies, the CIA and the NSA. If this is true, then the base level of the VPN protocol has been compromised. While this doesn’t really affect the average user, it’s something to consider if you specifically want to stay off the radar with an L2TP VPN.

RouterOS: Our main tool

RouterOS is the name of the primary MikroTik product that we are going to use as part of today’s guide. It is a control panel for a comprehensive connection interface that allows you to turn your computer into a powerful router with various functions. With this program installed, you can use your machine as a MikroTik L2TP VPN server. RouterOS is available for Windows and Linux. However, it is better to run it on a Linux machine, because that allows you to manage the network better than Windows does.

RouterOS comes with a 60-day free trial; after that, you need to purchase a paid license from MikroTik to keep running your L2TP server. Given the high quality of the program, I personally think it is worth the payment, especially since it lets you perform all the tasks a router does with your computer, including managing a personalized network firewall.

MikroTik L2TP VPN Setup: Step-by-Step Guide

Now, let’s go through the MikroTik L2TP VPN setup process. First, go to the system that runs your copy of RouterOS, log in to the program, and get ready to start. RouterOS is all you need for this guide; there are no other prerequisites. Simply follow the steps, and you’ll have your own MikroTik L2TP VPN in no time.

Step 1: Create a PPP profile

Once you are logged in to RouterOS, go to the PPP section, then to “Profile”, and click on the “Add New” option. Choose any name you like for the profile, then fill in Local Address with your router’s interface address on the private network (in my case this was 10.0.0.1), and set Remote Address to an address pool. Finally, set Bridge to “Internal”. Click Apply and the first step is done.

Step 2: Create a PPP user

Now it’s time to create the user that will use the profile you just created. Go to the PPP section again, but this time navigate to the “Secrets” tab and once again click on the “Add New” option. In the Name input, enter the username you want to use, and then add a strong password of your choice.

Set the Service input to “Any” and finally, in the Profile input, select the profile you created in step one. Click Apply and your new PPP user will be created.

Step 3: Establish L2TP server bindings

Again, open the PPP section, go to “Interfaces”, click on “Add New”, and select the L2TP Server Binding option. Enter any name you want for the binding, but in the User input you must enter the username from step two. Click Apply and the L2TP server binding will be configured.

Step 4: Enable the L2TP server

Again go to the PPP section, and from there go to Interfaces and then L2TP Server. By default, the Default Profile input selects the profile you created in step one. Enable the “Use IPsec” option by selecting “Yes” and finally, create a strong IPsec secret of your choice for the L2TP server. Click Apply.

Step 5: Add Firewall Configuration (Optional)

If your firewall blocks the ports normally used by the L2TP protocol, you need to add exceptions to the rules for them here. If you are sure this is not the case, skip this step.

Go to the IP section, click on Firewall, and then click on “Add New”. Here you need to create two rules. Make sure these rules are placed above any drop rules. The configuration for the first rule is as follows:

  • Chain: input
  • Protocol: 50 (IPsec-esp)
  • In. Interface: ether1
  • Action: accept

And then, for the second rule, arrange this:

  • Chain: input
  • Protocol: 17 (udp)
  • Dst. Port: 500,1701,4500
  • In. Interface: ether1
  • Action: accept

Step 6: Set IPsec Default Policies (Optional/Required for Mac)

An IPsec peer is needed to connect to this new VPN, so we need to edit the default IPsec proposal to make it possible to connect to the VPN from a Mac. If you aren’t using a Mac to connect to this VPN, you can skip this step.

Go to the IP section, then to IPsec, then Proposals, and click on default. In the “Auth. Algorithms” section, tick the sha1 and sha256 options. Then, under “Encr. Algorithms”, tick the aes-128 cbc and aes-256 cbc options. In “PFS Group”, choose the modp1024 option. Click Apply, and this step is complete.

Step 7: Edit the IPsec peer profile

This is the last step, and in it we are going to edit the default IPsec peer profile so that all devices can connect without issues. Go to the IP section, from there to IPsec, then to the peer profile, and finally click on default. Set the Hash Algorithm input to sha256. Then, under Encryption Algorithm, tick the aes-256 option. Set the DH Group to modp1024, set Proposal Check to accept, and tick the NAT Traversal option.

Congratulations! You have now successfully configured your own Mikrotik L2TP VPN from scratch on RouterOS and now you can use any device with L2TP support to connect to it!
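The same seven steps, as they are typed into the RouterOS terminal (or pasted into a script). This is an added example and not the article’s own configuration: the pool name and range, the profile, user and binding names, the comments, and the two placeholder secrets are assumptions, as is the WAN interface ether1 and the bridge name “Internal” taken from the steps above. The article’s “accept” for the proposal check has no such value in RouterOS, so the example assumes it means obey.

```routeros
# Added example: RouterOS CLI equivalent of steps 1-7 above.
# Not the article's own configuration. Names, the pool range and the
# secrets are placeholders/assumptions; replace them before use.

# Step 1: address pool (assumed) handed to clients, and the PPP profile.
/ip pool add name=l2tp-pool ranges=10.0.0.10-10.0.0.100
/ppp profile add name=l2tp-profile local-address=10.0.0.1 \
    remote-address=l2tp-pool bridge=Internal

# Step 2: the PPP user (secret). Use a strong, unique password.
/ppp secret add name=vpnuser password=CHANGE-ME-STRONG-PASSWORD \
    service=any profile=l2tp-profile

# Step 3: static L2TP server binding for that user.
/interface l2tp-server add name=l2tp-vpnuser user=vpnuser

# Step 4: enable the L2TP server with IPsec; ipsec-secret is the
# pre-shared key every client must enter (placeholder value).
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile \
    use-ipsec=yes ipsec-secret=CHANGE-ME-IPSEC-PSK

# Step 5 (optional): accept ESP and the IKE/NAT-T/L2TP UDP ports on the
# WAN interface. Both rules must sit above any drop rule in the input
# chain; place-before=0 assumes at least one filter rule already exists.
/ip firewall filter add chain=input protocol=ipsec-esp in-interface=ether1 \
    action=accept comment="L2TP/IPsec ESP" place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 \
    in-interface=ether1 action=accept comment="L2TP/IPsec IKE, NAT-T, L2TP" \
    place-before=0

# Step 6 (optional, needed for macOS clients): default phase-2 proposal.
/ip ipsec proposal set default auth-algorithms=sha1,sha256 \
    enc-algorithms=aes-128-cbc,aes-256-cbc pfs-group=modp1024

# Step 7: default phase-1 (peer) profile. In RouterOS 6.43 and later this
# is /ip ipsec profile. "accept" in the article is assumed to mean obey.
/ip ipsec profile set default hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp1024 proposal-check=obey nat-traversal=yes

# Checks once a client connects: the PPP session, the IKE peer and the
# installed SAs should all show the remote client's address.
/ppp active print
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

Two things worth verifying after pasting this in. First, `/ip firewall filter print` should list the two accept rules before any drop rule in the input chain; if they landed below one, move them up. Second, sha1 and modp1024 appear here only because the guide needs them for macOS clients; where every client supports it, leaving them out of the proposal and profile and keeping sha256 with a larger DH group is the safer setting.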

Conclusion

A MikroTik L2TP VPN is a highly reliable and easy-to-configure self-hosted VPN option, and should you decide to go for it, it certainly won’t disappoint. However, I would highly recommend that, instead of running the server on a secondary computer, you use a dedicated server or a VPS to host it. This way, your own personal computer won’t be burdened with running the server constantly, and you can potentially set up the VPN much more easily.
