Step by Step: How to configure a PPTP VPN Server on Mikrotik RouterOS
Intro
Before I started writing this post, I thought it would be nice to say a few words about PPTP VPN and Mikrotik RouterOS, but then I realized that if you are reading this, there is no need to explain what a PPTP VPN server or Mikrotik RouterOS is.
Here is a simple step by step tutorial with images and all information that you need to get a fully working PPTP VPN server…
Step 1: create VPN pool
IP pools are used to define the range of IP addresses that will be used for your PPTP VPN server.
[admin@MikroTik] > /ip pool print
NAME      RANGES
VPN-pool  192.168.1.101-192.168.1.110
Step 2: create a VPN user
In this step you will create a user that can connect to your VPN server. In this example only one user is created, but you can add as many users as you need…
[admin@MikroTik] > /ppp secret print
 # NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
 0 ppp1 pptp ppp1 **** VPN-profile
Step 3: create a VPN profile
From wiki.mikrotik.com
PPP profiles are used to define default values for user access records stored under /ppp secret submenu. Settings in /ppp secret User Database override corresponding /ppp profile settings except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.
[admin@MikroTik] > /ppp profile print
 1 name="VPN-profile" local-address=192.168.1.1 remote-address=VPN-pool bridge=br1
   use-mpls=default use-compression=default use-vj-compression=default use-encryption=yes
   only-one=default change-tcp-mss=yes address-list="" dns-server=8.8.8.8,8.8.4.4
Step 4: Create PPTP Server Binding (Optional)
This step is optional, because your VPN server will work even if you skip this.
In this step you bind user ppp1 to interface pptp-in1. This is very useful if you need to create firewall rules for a specific user.
Step 5: Enable VPN Server
In this step we just need to enable our PPTP server and set the default profile…
[admin@MikroTik] > /interface pptp-server server print
            enabled: yes
            max-mtu: 1450
            max-mru: 1450
               mrru: 1600
     authentication: mschap1,mschap2
  keepalive-timeout: 30
    default-profile: VPN-profile
Step 6: Configure bridge (Optional)
Like step 4, this step is also optional. This step is the main reason that I’m writing this tutorial, so it deserves a few words :)
If you skip this step, you will be able to connect to your VPN server, you will have the same public IP as your VPN server, but you will not see any other devices connected on this subnet. If this is OK for you, you don’t need to do anything else.
If you want to see other devices in your subnet, you must change the ARP mode for your bridge. For more details about ARP modes, see the Mikrotik documentation.
[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
 0 R name="br1" mtu=1500 l2mtu=1598 arp=proxy-arp mac-address=4C:5E:0C:21:A4:85
     protocol-mode=rstp priority=0x8000 auto-mac=no admin-mac=4C:5E:0C:21:A4:85
     max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m
Step 7: Finish
If you did everything right, you now have a working PPTP VPN server.
Important: Don’t forget to open port 1723 (tcp) in your firewall settings:
/ip firewall filter add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
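The seven steps above as RouterOS CLI commands, added here as an example and not taken from the original post, which shows only `print` output. Values are those printed in the steps; the password is a placeholder, and two things are assumptions of this example rather than the post's settings: only `mschap2` is offered (the post's output lists `mschap1,mschap2`), and a second accept rule covers GRE, which carries the PPTP tunnel data alongside the TCP 1723 control channel.

```routeros
# Added example: steps 1-7 as CLI commands. Values come from the print
# output shown in the steps; the password is a placeholder to replace.

# Step 1: address pool handed out to VPN clients
/ip pool add name=VPN-pool ranges=192.168.1.101-192.168.1.110

# Step 3 (created before the user so the secret can reference it)
/ppp profile add name=VPN-profile local-address=192.168.1.1 \
    remote-address=VPN-pool bridge=br1 use-encryption=yes \
    change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4

# Step 2: VPN user, limited to the PPTP service
/ppp secret add name=ppp1 service=pptp profile=VPN-profile \
    password="REPLACE-WITH-A-LONG-RANDOM-PASSWORD"

# Step 4 (optional): static binding so user ppp1 gets a named interface
# that firewall rules can match on
/interface pptp-server add name=pptp-in1 user=ppp1

# Step 5: enable the server. Assumption of this example: only mschap2 is
# offered, instead of mschap1,mschap2 as in the post's output.
/interface pptp-server server set enabled=yes default-profile=VPN-profile \
    authentication=mschap2 max-mtu=1450 max-mru=1450 mrru=1600 \
    keepalive-timeout=30

# Step 6 (optional): let VPN clients reach hosts on the bridged subnet
/interface bridge set [find name=br1] arp=proxy-arp

# Step 7: PPTP control channel (TCP 1723) plus GRE for the tunnelled data
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=1723 comment="PPTP VPN"
/ip firewall filter add chain=input action=accept protocol=gre \
    comment="PPTP VPN (GRE)"

# Check: connected users appear here once a client has logged in
/ppp active print
```

`add` appends to the end of the input chain, so if a drop rule already sits above these two rules, move them ahead of it.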
If you need any help or I did something wrong, leave a comment and I will try to do my best to help you.
10 Jul 2014
Great guide. Can we allow a specific hostname (not IP) to connect to the PPTP server?
11 Jul 2014
Yes, you can do this with some little “tricks”… here is a complete tutorial: Use host names in firewall rules
After that you just need to add rules like this:
/ip firewall filter add chain=input src-address-list=host_hostname1 dst-port=1723 protocol=tcp
14 Sep 2014
Great guide, it helped a LOT!
One little thing for all the guys like me that are using Mikrotik for the first time:
—–CHANGE THE CLOCK ASAP!!!!—-
It took me 3 frustrating hours to get this working and the only thing I had to do was to change the time… I could see that my PC was connecting but it disconnected right away. I tried everything, and the last time I was looking in the log I was so frustrated that I looked at the time and said to myself “F#$%it, at least I’ll correct the time” and it started working…
Have a sunny day everyone and smile :)
PS: sorry for my English… trying my best :)
05 Jan 2015
Hi there, how can we set the security/encryption level of our VPN server following these steps?
05 Jan 2015
Hi, I’m not sure if you are looking for these settings, but you can check if this is what you need…
In step 3 we created a new VPN profile, but almost all values are set to default. There is a tab “Protocols”. In this tab you can force the use of encryption. This is all I know… Maybe someone here will tell you more :)
18 Mar 2015
I spent 6 hrs trying to figure out why I couldn’t communicate with computers on the local subnet.
Thanks for taking the time to document this.
14 Jul 2015
nice post
27 Jul 2015
Great Guide… Thanks
19 Aug 2015
Hi, there is a mistake in your settings: local address and remote address should both be set to the DHCP pool. If you set the local address to 192.168.1.1 (gateway) you will cause a loop in the bridge interface and packet drops.
21 Oct 2015
I followed your step-by-step but still cannot connect to the VPN.
Is this setting able to work with load-balanced 2 WAN?
06 Jan 2016
Sorry, I can’t say if it works in balanced 2 WAN, because I never tried this…
01 Apr 2016
Hello, I have this question: can it be configured without having a public IP address? Help me out with the instructions; if possible we could talk privately. Thanks
04 May 2016
I would like to know whether it is possible to set up a VPN between a Mikrotik with a real public IP and a Mikrotik with a dynamic IP?
10 May 2016
I have used DDNS and I am able to reach the router inside my network, but the connection closed after username and password verifying appeared in my client.
Can anyone help, please…
30 May 2016
Everything worked perfectly!! But I lose the internet connection when I connect to the VPN… how do I fix it???
Thanks
30 Jun 2016
Just create a new NAT rule (masquerade) for your VPN interface.
02 Aug 2016
Hi, I don’t know if you are still working on this, but I need some help.
I have an RB750 and I use two ADSL lines to make a balance and it’s working, and I set up the PPTP server and I can connect to the network from outside but I can’t connect to the local computers. I’m trying to use VNC to control them but it looks like I’m alone in the network. Thanks
26 Aug 2016
Is it possible to call a server in LAN 2 from a PC in LAN 1 via VPN with the server name, not the IP address?
I have a VPN tunnel and I get to the server with the IP, but because of programs I need to connect to the server via a name like SERVER_1.
Thanks!
13 Dec 2016
Yes, great question. IP access is working but names are not.
28 Sep 2016
No connection could be made because the target machine actively refused it. connection field with error 2147952461
16 Aug 2017
Thanks for the great article. Yours is the ONLY guide I have come across which has explained how to configure the Bridge so that we can see other network devices. Have been searching for this info like crazy. Thanks a ton!
07 Sep 2017
I agree with Sanddy’s comment. Your article is the only one that explains that the Bridge interface should be configured as arp-proxy. Thank you so much. I’ve been going nuts for the last few days…
23 May 2018
Thank you very much for that incredible guide! God bless you, that step 6 saved my job today :)
26 Sep 2018
Hello, I have followed your post step by step and have not managed to access the local resources for the clients. I can log in to the VPN and it assigns me an IP without problems. I suppose I have some problem between the bridge and the PPP profile. SOS
18 Sep 2019
arp-proxy stop my local lan