Setting up L2TP VPN on Mirkotik (RouterOS)

Log in to the router's web interface. The password can be found on the sticker that comes with the router.

Go to Interfaces, open tab Interface, click on Add new and select L2TP Client.

Fill in the fields as follows:

• Connect To - the connection server, the list of servers can be found in readme.txt in the subscription archive.
• User and Password - the login and password of the subscription, can be found in readme.txt in the subscription archive.
• Add Default Route - enable the checkbox.
• Allow - enable only mschap2.

If you plan to use additional traffic encryption, you should fill in the following fields:

• Use IPsec - enable the checkbox.
• IPsec Secret - fill in a-secure-psk

If you do not plan to use traffic encryption (IPsec), you should go to step 8.

Go to IP - IPsec, open Proposals tab, click on default.

Set the checkboxes as shown in the screenshot, click ОК.

Go to IP - IPsec, open Profile tab, click on default.

Set the checkboxes as shown in the screenshot, click ОК.

Go to Interfaces, open Interface tab. After about a minute, the letter R should appear to the left of the l2tp-out1 interface created in step 2, which means running – the connection has taken place. If the connection failed, you can press the D button and then the E button to disable and enable the interface, and wait another minute. If you enter the interface by clicking on l2tp-out1, you can see the Connected status.

Go to IP - Firewall, open NAT tab, click Add New.

In the Out. Interface field specify the L2TP interface created in step 3. Select masquerade in the Action field, then click OK (for convenience, the other options are not shown in the screenshot).

If your Internet connection type is PPPoE, go to the Interfaces tab and click on the interface line with the PPPoE Client type.

Set the Default Route Distance to 10 and click OK.

If your Internet connection type is IPoE, go to the IP - Routes. At the top of the route list we see two routes with Dst. Address 0.0.0.0/0. The first route for our VPN traffic is inactive, as indicated by the absence of the letter A in the DS string. You also need to make sure that in the Gateway field for this route is specified "reacheble". The second route is standard, and it is active, as indicated by the letter A in the DAS line. In order for our traffic to go through the VPN, we need to lower the priority of the standard route by setting its Distance to 10. To do this, you need to remember the address of the gateway specified in the Gateway. In the screenshot, the gateway address is 192.168.10.1, it may be different for you. Next, click on the Add New button.

In the Gateway field specify the gateway address from the previous step, in the Distance set 10 and click OK.

We see that in the route table have two identical routes with different Distance fields. Now delete a route from Distance 1 by clicking on “-” button. This completes the setup.