MikroTik L2TP Server Setup Full May 2026
We need a pool of IPs to hand out to remote clients. This must not conflict with your local LAN.
Navigate to IP → Pool (or CLI):
/ip pool add name=vpn-pool ranges=192.168.100.2-192.168.100.254
Ensure these rules are placed above any action=drop rules on the input chain.
Check rule order:
/ip firewall filter print
If your default policy is drop, you must also allow established/related traffic:
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established/related"
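An added example, not part of the original page: a Python check for the rule-order requirement above. It parses text in the style of `/ip firewall filter export` (the sample is constructed) and reports accept rules on the input chain that sit below a drop rule with no matchers; the function names and the definition of a catch-all drop are assumptions of this example.

```python
import shlex

# Constructed sample in the style of `/ip firewall filter export`; not from the page.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="Allow established/related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=drop chain=input comment="drop everything else"
add action=accept chain=input comment="L2TP" dst-port=1701 protocol=udp
add action=accept chain=forward connection-state=established,related
'''

# Properties that do not narrow what a rule matches (assumption of this example).
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

def parse_rules(export_text):
    """Return one dict per `add` line under /ip firewall filter, in order."""
    joined = export_text.replace("\\\n", " ")  # undo export line wrapping
    rules, in_filter = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            rules.append(dict(pairs))
    return rules

def shadowed_accepts(rules, chain="input"):
    """List (position, rule) for accept rules placed after a catch-all drop."""
    findings, catch_all_seen = [], False
    for pos, rule in enumerate(rules):
        if rule.get("chain") != chain or rule.get("disabled") == "yes":
            continue
        if rule.get("action") == "drop" and not (set(rule) - NON_MATCHERS):
            catch_all_seen = True  # drop with no matchers: nothing below it is reached
        elif rule.get("action") == "accept" and catch_all_seen:
            findings.append((pos, rule))
    return findings

if __name__ == "__main__":
    for pos, rule in shadowed_accepts(parse_rules(SAMPLE_EXPORT)):
        print(f"rule {pos} never matches, it sits below a catch-all drop: {rule}")
```

Positions are zero-based within the exported text; dynamic rules shown by print are not part of an export, so the numbers can differ from the print listing.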
Create credentials for each remote user.
/ppp secret add name=johndoe password=StrongPass123 service=l2tp profile=l2tp-profile
Repeat for additional users. Use strong passwords.
/ip ipsec proposal add name=l2tp-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=none lifetime=30m
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 sa-src-address=YOUR_WAN_IP sa-dst-address=0.0.0.0/0 protocol=udp proposal=l2tp-proposal template=yes
Replace YOUR_WAN_IP with your actual public IP (e.g., 203.0.113.5). If you have a dynamic IP, you can use 0.0.0.0, but it is less secure. It is better to use a script to update the address or to set a DDNS hostname (RouterOS supports DDNS).
This ties the authentication methods together.
# Profile
/ip ipsec profile add name=vpn-profile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256