Step by Step: How to configure a PPTP VPN Client on Mikrotik RouterOS

Intro

Last time I wrote about how to configure a PPTP VPN Server on Mikrotik RouterOS.

Today I will show you how to configure a PPTP VPN Client on Mikrotik RouterOS.

Before we start I will try to explain what I want to do…

My home network:

192.168.1.0/24 - Private
192.168.2.0/24 - Public

Remote location:

192.168.3.0/24

I would like to establish a VPN connection to the remote location on my Mikrotik router and allow computers (only!) from my private subnet to access computers on the remote location.

This tutorial explains how I did this. It is a simple step-by-step guide with images and all the information you need to get a PPTP VPN Client working…

Step 1: Create PPTP Client

Nothing special in this step, so I think that the image is enough :)

Image 1

Step 2: Configure PPTP Client

After you have created the PPTP Client you will need to enter some basic information:

  1. VPN server hostname or IP
  2. VPN username and password

Image 2

Then you need a name for the client…

Image 3

If you entered the correct information, you are already connected to the VPN server.

You can now double-click on pptp-client and see the status.

Image 4

Note

With the current configuration I can ping a remote computer from my Mikrotik:

[admin@MikroTik] > ping address=192.168.3.2 src-address=192.168.3.101 count=3 
HOST                                     SIZE TTL TIME  STATUS                                  
192.168.3.2                                56 127 42ms 
192.168.3.2                                56 127 44ms 
192.168.3.2                                56 127 41ms 
    sent=3 received=3 packet-loss=0% min-rtt=41ms avg-rtt=42ms max-rtt=44ms

but I can’t ping the same computer from any other location (other computers connected to my Mikrotik)…

C:\Users\User>ping 192.168.3.2

Pinging 192.168.3.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.3.2:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss)

To resolve this, we need to add a NAT rule and one more route.

Step 3: NAT configuration

[admin@MikroTik] > /ip firewall nat print
...

 1    ;;; pptp-client masquerade
      chain=srcnat action=masquerade src-address=192.168.1.2-192.168.1.254 
      out-interface=pptp-client log=no log-prefix="" 

...

Image 5

src-address restricts the masquerade rule to computers from my private subnet.

Image 6

In simple words… With this we allowed other computers to use the VPN client interface.

Step 4: Add new route

Route #4 is added automatically with pptp-client.
We need to add route #3…
Again… in simple words… With this route we route all requests from 192.168.1.1 (router IP for the private subnet) to the remote subnet.

[admin@MikroTik] > /ip route print 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 ...
 3 A S  192.168.3.0/24     192.168.1.1     pptp-client               1
 4 ADC  192.168.3.100/32   192.168.3.101   pptp-client               0
 ...

Image 7
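
Steps 1 to 4 expressed as RouterOS terminal commands, as an added example that is not part of the original post. The server name and credentials are placeholders, and the final forward-chain filter rule is an assumption added here: the NAT rule only selects which packets are masqueraded, so it does not by itself keep the public subnet out of the tunnel.

```routeros
# Added example: Steps 1-4 as terminal commands instead of WinBox clicks.
# vpn.example.net, VPN_USER and VPN_PASSWORD are placeholders, not values
# from the post.

# Steps 1-2: create the PPTP client. The interface name must match the
# out-interface / gateway used in the NAT rule and route below.
/interface pptp-client add name=pptp-client connect-to=vpn.example.net \
    user="VPN_USER" password="VPN_PASSWORD" disabled=no

# Confirm the tunnel is up before continuing (flag "R" = running).
/interface pptp-client print

# Step 3: masquerade only private-subnet hosts leaving through the tunnel.
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=192.168.1.2-192.168.1.254 out-interface=pptp-client \
    comment="pptp-client masquerade"

# Step 4: static route to the remote subnet via the tunnel (route #3).
/ip route add dst-address=192.168.3.0/24 gateway=pptp-client \
    pref-src=192.168.1.1 distance=1

# Assumption (not in the post): the route above applies to every forwarded
# packet, so hosts in 192.168.2.0/24 would still be sent into the tunnel,
# just without NAT. Drop that traffic explicitly. The rule must sit above
# any rule that accepts forwarded traffic.
/ip firewall filter add chain=forward src-address=192.168.2.0/24 \
    out-interface=pptp-client action=drop \
    comment="public subnet must not use pptp-client"

# Check the result against the listings shown in Steps 3 and 4.
/ip firewall nat print
/ip route print
/ip firewall filter print
```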

Step 5: Finish

If you did everything right, you now have access to the remote subnet from your private subnet.

A quick test…

C:\Users\User>ping 192.168.3.2
Pinging 192.168.3.2 with 32 bytes of data:
Reply from 192.168.3.2: bytes=32 time=41ms TTL=126
Reply from 192.168.3.2: bytes=32 time=41ms TTL=126
Reply from 192.168.3.2: bytes=32 time=86ms TTL=126

Ping statistics for 192.168.3.2:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 41ms, Maximum = 86ms, Average = 56ms

If you need any help or I did something wrong, leave a comment and I will do my best to help you.

(4) Comments

  • Arif Faheem
    06 Nov 2014

    Hello,

    The requirement is to run the DATA & Internet on two computers at the same time on a Mikrotik router. Can you please confirm whether it is possible on a Mikrotik router? I would appreciate it if you could share a step by step configuration for the same.
    LAN IP Pool (For Data) : 192.168.3.0/24
    IP Pool for Internet: 203.130.17.224/30
    WAN IP Pool: 192.168.110.52/30

    For Data connectivity we have already made GRE tunnel b/w branch & Head Office

    Tunnel Ip@ branch end router: 10.10.10.6
    Tunnel Ip@ HO router: 10.10.10.5
    Tunnel Destination: 10.50.55.162
    LAN IP Pool@HO: 192.168.10.0/24

  • prabin shrestha
    11 Jan 2018

    Thank you very much. It helped me a lot.

  • Martin Hlavicka
    27 Mar 2018

    Hello Uroš,
    Thank you very much for the very comprehensive guide. But I can't reproduce the same as you.
    I'm able to ping my remote router to safe side, but other devices are not visible in the remote network. Do you know where the problem might be?
    Many thanks, Martin

    • Uroš
      27 Mar 2018

      Hi Martin,

      maybe you need to set up something on your remote router? I’m not sure why it is not working for you… maybe someone else here has some idea? :)

      Regards,
      Uroš
