Mikrotik L2tp Server Setup - Full
Here is a complete script to configure L2TP/IPsec from scratch. Replace IP ranges and secrets.
VPN clients need IP addresses from your local network range. Create a dedicated pool to avoid conflicts with DHCP leases.
Using CLI:
/ip pool add name=l2tp-pool ranges=192.168.100.10-192.168.100.100
Note: Keep this pool on a different subnet from your LAN if you want to avoid routing complexity. For full LAN access, use a subnet within your LAN range (e.g., 192.168.1.200-250) and enable proxy-ARP on the LAN interface or configure proper routing so LAN hosts can reach the clients.
If you want VPN clients to reach the internet through the router (full tunnel), add a source NAT (masquerade) rule for the pool subnet:
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 action=masquerade comment="VPN Internet Access"
A tighter form limits the rule to the WAN interface so it never matches VPN-to-LAN traffic (this example uses the 192.168.89.0/24 pool from the design assumptions below):
/ip firewall nat
add chain=srcnat src-address=192.168.89.0/24 out-interface=ether1 action=masquerade comment="NAT VPN clients to internet"
If you only want split tunnel access to the LAN, omit the NAT rule.
Firewall: allow UDP/500 (IKE), UDP/4500 (NAT-T) and IP protocol 50 (ESP) to the router's input chain, and restrict the source addresses where possible. UDP/1701 (L2TP) only needs to be open if clients may connect without IPsec; with L2TP/IPsec the L2TP packets arrive inside ESP.
Example minimal rules:
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept comment="Allow IPsec/IKE"
add chain=input protocol=ipsec-esp action=accept comment="Allow ESP"
add chain=input protocol=udp dst-port=1701 action=accept comment="Allow L2TP"
(Note that RouterOS names ESP "ipsec-esp"; "ipencap" is IP-in-IP, protocol 4, and would not pass ESP. Add further rules to drop or rate-limit, and always keep the established/related accept rule.)
Ensure these rules appear before any generic drop rule in the input chain, otherwise the drop matches first and the VPN never comes up.
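Rule order and the ESP protocol name are the two mistakes this section warns about, and both are easy to check offline against an `/ip firewall filter export`. The following checker is an added example, not part of the original write-up or of RouterOS; the export excerpt it parses is constructed for the demonstration and deliberately contains both mistakes.

```python
import re
from typing import Dict, List

# Constructed excerpt of "/ip firewall filter export" output (not a real router's config).
# It has the L2TP accept rule after the catch-all drop and uses ipencap instead of ipsec-esp.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Allow established"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="Allow IPsec/IKE"
add chain=input protocol=ipencap action=accept comment="Allow ESP"
add chain=input action=drop comment="Drop everything else"
add chain=input protocol=udp dst-port=1701 action=accept comment="Allow L2TP"
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_rules(export: str) -> List[Dict[str, str]]:
    """Turn each 'add ...' line of an export into a dict of its key=value pairs."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return rules

def check_vpn_input_rules(export: str) -> List[str]:
    """Return findings for the input chain; an empty list means the VPN rules are reachable."""
    findings = []
    rules = [r for r in parse_rules(export) if r.get("chain") == "input"]
    # Index of the first catch-all drop: action=drop with no protocol/port/source restriction.
    first_drop = next((i for i, r in enumerate(rules) if r.get("action") == "drop"
                       and not {"protocol", "dst-port", "src-address"} & set(r)), None)
    ports = lambda r: set(r.get("dst-port", "").split(","))
    wanted = {
        "IKE/NAT-T": lambda r: r.get("protocol") == "udp" and {"500", "4500"} <= ports(r),
        "L2TP": lambda r: r.get("protocol") == "udp" and "1701" in ports(r),
        "ESP": lambda r: r.get("protocol") == "ipsec-esp",
    }
    for name, match in wanted.items():
        idx = next((i for i, r in enumerate(rules) if r.get("action") == "accept" and match(r)), None)
        if idx is None:
            findings.append(f"missing accept rule for {name}")
        elif first_drop is not None and idx > first_drop:
            findings.append(f"{name} accept rule comes after the catch-all drop and is never reached")
    if any(r.get("protocol") == "ipencap" for r in rules):
        findings.append("protocol=ipencap is IP-in-IP (protocol 4), not ESP; use protocol=ipsec-esp")
    return findings

if __name__ == "__main__":
    for finding in check_vpn_input_rules(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run it against the output of `/ip firewall filter export` copied from the router; it reports an empty list once the three accept rules use the right protocol names and sit above the catch-all drop.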
This write-up shows a full, practical L2TP over IPsec server setup on MikroTik RouterOS (assumes RouterOS v6.45+ or v7.x). It covers network design, step-by-step configuration (both RouterOS CLI and WebFig/Winbox equivalents noted), common client settings, security considerations, and troubleshooting tips. Assumptions made: router has a public IPv4 on interface ether1 (WAN), local LAN is 192.168.88.0/24 on bridge1/ether2+, and you want remote clients to receive addresses from 192.168.89.0/24 (L2TP pool). Adjust names/subnets to your environment.
By default, all internet traffic from the VPN client goes through your MikroTik (full tunneling). This adds latency, but it keeps all client traffic inside the encrypted tunnel and subject to the router's firewall.
For split tunneling (only LAN traffic goes through the VPN, internet traffic leaves the client directly), do not send a default gateway via the L2TP profile. Instead, push the local routes.
Modify the PPP profile:
/ppp profile set l2tp-profile use-ipv6=no
# Don't set any default route. Instead, add routes on client side manually or via DHCP options.
However, push route support via L2TP is limited. Most admins either use full tunnel or configure static routes on each client.
Registry fix for Windows clients behind NAT:
Set AssumeUDPEncapsulationContextOnSendRule = 2 to enable NAT-T, then reboot the client.
(Look up the exact registry path for your Windows version; a client behind NAT that cannot connect is a very common symptom of this missing value.)
RouterOS auto-creates proposals for the PPP/IPsec L2TP peer, but you should tighten them. Example for IKEv1 main mode with strong algorithms:
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h pfs-group=none
For v7 and advanced setups, prefer aes-256-gcm if supported; adjust to your RouterOS version.