MikroTik L2TP VPN Setup: A Basic VPN Guide 🔐

mikrotik l2tp vpn setup guide

0 Comment

9 mins Read

mikrotik l2tp vpn setup guide
Get your Mikrotik VPS

Get your Mikrotik VPS

Starting from $7.95/month.

Check it Out

While Mikrotik has been one of the preeminent tech companies in the provision of products facilitating secure and reliable internet connection and is well known in the IT community for their renowned RouterOS program, at the same time, they have been more or less a rather obscure company, with their fame mostly confined to the catacombs of the aforementioned IT and online community. However, as the grip of online geo-blocks and government-mandated internet censorship tightens, people have turned more and more to using VPNs to combat these ongoing issues. And once those intermediate-level VPNs themselves are targeted, then the need for more advanced options such as the Mikrotik L2TP VPN and the like is felt more than ever.

So whether you are swayed by the ongoing internet censorship of your home region, by the geo-blocks imposed by different tech companies and online services, or if you simply wish to run a private VPN server on your own accord, then this article is for you. In this article, I will go over the definition of a VPN and its L2TP variant before providing a step-by-step guide for L2TP VPN Mikrotik Setup. Let’s get to it!

What is a VPN?

VPN, as an acronym, stands for Virtual Private Server. In essence, a VPN is composed of two parts, a tunnel and a host. When connecting to a VPN, you are utilizing a specific protocol as a tunnel in order to connect to another host or server, which can either be a network such as in a site-to-site VPN or a dedicated server such as the traditional remote access VPN. Once this connection is established, your original IP address is masked, and the restrictions that once applied to that IP address no longer affect you.

Why Should I Get A VPN? A Comprehensive Answer To "Why Use A VPN?"

This is not the only use case for a VPN. Most VPN services also encrypt your data which makes them unreadable to your internet service provider (ISP), as well as to any potential intruder that may have either gained access by hacking your network or by simply having lured you into their own unsafe network connection. There are many different types of VPNs out there and many more connection protocols. 

In this article, we are going to use the L2TP Protocol to run a L2TP Mikrotik VPN on RouterOS. But if you want to run another VPN on a different setup and Protocol, then check out our other articles. Also check out our Obfuscated VPN article, if you rather establishing a more secure solution than normal VPNs.

What is the L2TP Protocol: Advantages and Disadvantages

Back to the subject at hand and the Protocol of choice for today’s endeavor, what exactly is the L2TP VPN Mikrotik Protocol, and what are its main advantages and disadvantages? L2TP stands for Layer 2 Tunneling Protocol, and it is an offshoot of the more well-known PPTP VPN protocol, which itself was originally developed and released by Microsoft back in 1999. However, what distinguishes L2TP from PPTP is the fact that the Protocol is also imbued with elements from the renowned Cisco Layer 2 protocol, making it a really nice combination. L2TP heavily relies on advanced encryption to transfer data, making it one of the most secure VPN protocols, still it must be noted that the protocol is not safe on its own merits. Now let’s quickly go over its main advantages and disadvantages in the context of a L2TP Mikrotik VPN.


Here are the three main advantages of the L2TP VPN protocol. 

L2TP Security

Similar to one of its creative inspirations IPsec, L2TP has highly secure and high unbreachable 256-bit encryption as part of its base code, making it one of the most, if not the most, secure outright VPN protocols in the world. This makes it a highly desirable option for users who prioritize security over connection speed since L2TP does sacrifice some speed in exchange for greater security. It can be said with confidence that apart from certain parties, which we will cover later in the article, L2TP is sufficient to protect you against the majority of online threats, especially attacks such as the man-in-the-middle attack.

L2TP VPN Compatibility

L2TP is also one of the most widely supported VPN programs that come built-in with many of the main primary options we use, including macOS, iOS, Android, Windows, Linux, etc. This is one of the main reasons for its widespread popularity. But beyond this, it is also quite useful as you can easily configure it as an end-user on most of the devices you own, and it’s also a good protocol to learn if you are a coder since it is one of the most readily available protocols in the world. You can also benefit from this in this guide since the process of establishing your own Mikrotik L2TP VPN will be rather straightforward.

L2TP Protocol Stability

L2TP as a protocol is highly stable across all operational quotas. It offers a steady connection without interruption, and it also comes with world-class NAT compatibility, which will make issues such as NAT incompatibility with different online services very rare. As noted above, it also showcases incredible stability in the face of online attacks such as DDoS and man-in-the-middle attacks. L2TP is one of the most stable VPN protocols out there.

Shadowsocks Config: Shadowsocks Client & Server Setup Guide


Here are the three main disadvantages of the L2TP VPN protocol. 

L2TP VPN Speed

A large part of what makes L2TP highly secure has to do with its advanced 256-bit AES encryption and its double encapsulation of data transfers. While this brings about world-class security, it also severely hampers the ability of the connection to use the bandwidth effectively and causes the speed of the connection to slow down significantly. So, if you are using a VPN not for security reasons and solely for circumventing internet restrictions, then L2TP may not be the best Protocol for you. Although You can combine the L2TP connection with OpenVPN to somewhat remedy this, it simply is not worth the trouble.

Poor Ports

L2TP arguably has one of the worst support for different ports out of any VPN protocol, an inherent issue that also affects its mother protocol of PPTP. There are only a selected number of ports supported that can be used to transmit the packets over an L2TP connection. If these ports are affected by firewalls, then you have to manually make exceptions for them. But the real trouble is when these ports are outright blocked by your ISP. Then there is little that can be done to connect to your VPN with the L2TP Protocol. This makes L2TP easy to shut down at the hands of oppressive governments. 

Potentially Already Breached

Two credible and famous sources, Edward Snowden, the famous CIA leaker, and John Gilmore, the founder of EFF, have both come out in the past and have suggested that the L2TP Protocol is already configured and breached by major American intelligence forces such as the CIA and the NSA. If this is true, then the VPN protocol is compromised at the base level. Although this really does not affect the average user, if you specifically want to stay off the radar with an L2TP VPN, this is something to consider.

RouterOS: Our Main Tool

RouterOS is the name of the primary Mikrotik L2TP client product that we are going to be using as part of today’s guide. RouterOS is a control panel for the broad connection interface that allows your computer to turn into a powerful router with many different functionalities. With this program installed, you can use the machine as a server for your Mikrotik L2TP server VPN. RouterOS is available for Windows and Linux. However, it’s best to run it on a Linux machine since it will allow you to manage the network compared to Windows. 

RouterOS comes with a 60-day free trial offer; however, after this, you need to purchase one of their paid plan licenses in order to run your L2TP server; however, given the high qualifications of the program, I personally think this is worth the money we pay especially since it allows you to perform all the tasks that a router can with your computer, including managing a personalized network firewall.

MikroTik L2TP VPN Setup: Step-by-Step Guide

Now, let’s get to creating your Mikrotik L2TP VPN setup process. First, head into the system that houses your version of RouterOS (your Mikrotik L2TP client) and login into the program, and get ready to start. The RouterOS on this program is going to be all you need, and there are no other prerequisites. Simply follow the steps, and you will have your own Mikrotik L2TP VPN in no time.

Step 1: Create a PPP Profile

Once you have logged into your RouterOS version, head to the PPP section and then to “profiles” and click on the “add new” option. Here choose any name you like for the profile and then fill in the local address with your router interface on the private network; in my case, this code was, and the remote address with the “example pool option.” Finally, set the bridge to “Internal.” Click on apply, and the first step is done.

Step 2: Create a PPP User

Now it’s time to create a user that you would use on the profile you just made. So head into the PPP section again, but this time navigate to the “secrets” tab and click on the “add new” option once more. In the user input, place the username you used in the previous step, and then add a strong password of your choosing. Set the services input to “any,” and finally, in the profile input, select the profile you created in step one. Click apply, and your new PPP user will be created.

Step 3: Establish the L2TP Server Binding

Once again, browse the PPP section and go to the “interface” and then click on “add new,” and select the L2TP Server Binding option. Enter whatever name you want for the server, but in the user input, you need to enter the username from step two. Click on apply, and the L2TP server binding will be configured.

Step 4: Enable The L2TP Server

Head into the PPP section once again and from there to the interface and L2TP server. In the default, profile input selects the profile you created in step one. Enable the “Use IPsec” option by choosing the “Yes” option, and finally, create a strong password of your choice for the L2TP server. Click on apply.

Step 5: Add Firewall Configurations (Optional)

If your firewall is hindering the ports that are commonly used by the L2TP Protocol, here you need to make exceptions in the rules for them. However, if you are positive that this is not the case, then skip this step.

Head into the IP section, and from there, click on the firewall and then on “add new.” Here you need to create two rules. Make sure that these rules are above any other drop rules in order for them to have priority. The configuration for the first rule is as follows:

Chain: input
Protocol: 50 (IPsec-esp)
In. Interface: ether1
Action: accept

And then, for the second rule, make this arrangement:

Chain: input
Protocol: 17 (udp)
Dst. Port: 500,1701,4500
In. Interface: ether1
Action: accept

Step 6: Set the IPsec Default Policies (Optional/Needed for Mac)

You need an IPsec peer in order to connect to this new VPN, so we need to edit the default policy of the IPsec proposal in order to make it possible to connect to the VPN with a Mac device. If you are not using a Mac to connect to this VPN, then you can skip this step.

Head into the IP section and then go to policy proposals and click on default. In the “Auth. Algorithms” section, tick the ha1 and sha256 options. Then in the “Encr. Algorithm”, tick the aes-128 cbc and the aes-256 cbc options. In the “PFS group”, select the modp 1024 option. Click on apply, and you’re done.

Step 7: Edit the IPsec Peer Profile

This is the last step, and in it, we are going to edit the IPsec default peer profile in order to make sure the connection will be facilitated for all devices without a problem. 

So, head to the IPs section for the last time, and from there, go to IPsec, then Peer Profile, and finally click on default. Set the hash algorithm input to sha256. Then in the Encryption Algorithm, tick the aes-256 option. Set the DH Group to modp 1024, and finally, set the Proposal check to obey and tick the NAT Traversal option.

Congratulations! You now have successfully configured your very own Mikrotik L2TP VPN from scratch on RouterOS, and now you can use any device with L2TP support to connect to it!

Mikrotik IPsec Site to Site VPN: A Comprehensive Compendium 🕴️


The Mikrotik L2TP VPN is a very reliable and easy-to-configure self-hosted VPN option, and should you decide to go for it; it will certainly not disappoint. However, I would highly advise that instead of running the server on a secondary computer, you use either a dedicated server or a VPS server to host it. This way, your own personal computer will not be burdened with constantly running the server, and you can potentially establish the VPN much easier as well.

In this case, I recommend Cloudzy’s Mikrotik VPS. This package is tailored for self-hosting Mikrotik L2TP server and comes with RouterOS preconfigured and preinstalled on the server itself, featuring a Linux distro of your choosing. Starting as cheap as $4.95 a month, Cloudzy’s Mikrotik VPS supports more than 15 locations and features high security and excellent connection latency. The payment is also quite accommodating, with flexible billing and different payment options such as cryptocurrencies, and you’ll even get a sweet 7-day money-back guarantee as the cherry on top.

Turn Your Server into a Router Turn Your Server into a Router

Use our MikroTik VPS and get a remote MikroTik Cloud Hosted Router with all the powerful features of MikroTik. Create VPNs, load balancers, and much more.

Get a MikroTik VPS


What Do I Need to Run a MikroTik L2TP VPN Setup?

In order to self host Mikrotik L2TP VPN, all you need is a computer that acts as a server for your VPN with the RouterOS program installed on it. A VPS is the best option for this.

Is L2TP the Same as IPsec?

No. While the two are more or less similar in their performance and security level, the notable difference between the two of them is the fact that L2TP can transfer data in forms other than IP addresses, making it more configurable and reliable.

What Are Some of the Other Options for an L2TP VPN?

If self-hosting an L2TP VPN is not really your cup of tea, there are many VPN providers that render L2TP services as part of their VPN packages. Some of the most well-known of these are PIA, Express VPN, and Private VPN.

I look to bring back elegance and decency to the art of producing audience-friendly content, one article at a time.


Leave a Comment

Your email address will not be published. Required fields are marked *

Latest Posts