Step by Step: How to configure a PPTP VPN Server on Mikrotik RouterOS

Intro

Before I started to write this post, I thought that it would be nice to say a few words about PPTP VPN and Mikrotik RouterOS, but then I realized that if you are reading this, there is no need to explain what a PPTP VPN server or Mikrotik RouterOS is.

Here is a simple step-by-step tutorial with images and all the information that you need to get a fully working PPTP VPN server…

Step 1: create VPN pool

IP pools define the range of IP addresses that your PPTP VPN server will hand out to connecting clients.

[admin@MikroTik] > /ip pool print
 NAME      RANGES
 VPN-pool  192.168.1.101-192.168.1.110

VPN pool

Step 2: create a VPN user

In this step you will create a user that can connect to your VPN server. In this example only one user is created, but you can add as many users as you need…

[admin@MikroTik] > /ppp secret print
 # NAME SERVICE CALLER-ID PASSWORD PROFILE     REMOTE-ADDRESS
 0 ppp1 pptp    ppp1      ****     VPN-profile

VPN secrets

Step 3: create a VPN profile

From wiki.mikrotik.com

PPP profiles are used to define default values for user access records stored under /ppp secret submenu. Settings in /ppp secret User Database override corresponding /ppp profile settings except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.

[admin@MikroTik] > /ppp profile print
 1    name="VPN-profile" local-address=192.168.1.1 remote-address=VPN-pool bridge=br1 use-mpls=default
      use-compression=default use-vj-compression=default use-encryption=yes only-one=default
      change-tcp-mss=yes address-list="" dns-server=8.8.8.8,8.8.4.4

VPN Profile

Step 4: Create PPTP Server Binding (Optional)

This step is optional, because your VPN server will work even if you skip this.

In this step you bind user ppp1 to interface pptp-in1. This is very useful if you need to create firewall rules for a specific user.

VPN interface

Step 5: Enable VPN Server

In this step we just need to enable our PPTP server and set default profile…

[admin@MikroTik] > /interface pptp-server server print
           enabled: yes
           max-mtu: 1450
           max-mru: 1450
              mrru: 1600
    authentication: mschap1,mschap2
 keepalive-timeout: 30
   default-profile: VPN-profile

VPN enable PPTP

Step 6: Configure bridge (Optional)

Like step 4, this step is also optional. This step is the main reason that I’m writing this tutorial, so it deserves a few words :)

If you skip this step, you will be able to connect to your VPN server, you will have the same public IP as your VPN server, but you will not see any other devices connected on this subnet. If this is OK for you, you don’t need to do anything else.

If you want to see other devices in your subnet, you must change the ARP mode of your bridge to proxy-arp (arp=proxy-arp in the output below). For more details about ARP modes, see the MikroTik documentation.

[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running
  0    R name="br1" mtu=1500 l2mtu=1598 arp=proxy-arp mac-address=4C:5E:0C:21:A4:85 protocol-mode=rstp
         priority=0x8000 auto-mac=no admin-mac=4C:5E:0C:21:A4:85 max-message-age=20s forward-delay=15s
         transmit-hold-count=6 ageing-time=5m

VPN bridge configuration

Step 7: Finish

If you did everything right, you now have a working PPTP VPN server.

Important: Don’t forget to open port 1723 (tcp) in your firewall settings:

/ip firewall filter add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp

If you need any help or I did something wrong, leave a comment and I will try to do my best to help you.
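
Steps 1 to 7 as the RouterOS commands that produce the configuration printed above (an added example, not the author's own commands). It reuses the page's names and addresses; the password is a placeholder, and it is deliberately stricter than the printed output in two places: authentication is limited to mschap2 and the profile sets use-encryption=required. The GRE rule is also an addition, because PPTP carries its tunnelled traffic over GRE.

```routeros
# Step 1: address pool handed out to VPN clients
/ip pool add name=VPN-pool ranges=192.168.1.101-192.168.1.110

# Step 3 (created before the user so the secret can reference it).
# The page prints use-encryption=yes; "required" is an assumption made
# here so that a session without encryption is refused.
/ppp profile add name=VPN-profile local-address=192.168.1.1 \
    remote-address=VPN-pool bridge=br1 use-encryption=required \
    change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4

# Step 2: one VPN user; CHANGE-ME is a placeholder password
/ppp secret add name=ppp1 service=pptp password="CHANGE-ME" \
    profile=VPN-profile

# Step 4 (optional): static binding so firewall rules can match pptp-in1
/interface pptp-server add name=pptp-in1 user=ppp1

# Step 5: enable the server; mschap1 from the printed output is left out
# so that only MS-CHAPv2 is offered to clients
/interface pptp-server server set enabled=yes authentication=mschap2 \
    default-profile=VPN-profile max-mtu=1450 max-mru=1450

# Step 6 (optional): let VPN clients reach hosts on the bridged subnet
/interface bridge set br1 arp=proxy-arp

# Step 7: PPTP control channel (TCP 1723) plus the GRE data channel,
# needed when the input chain drops traffic by default
/ip firewall filter add chain=input action=accept protocol=tcp \
    dst-port=1723 comment="PPTP VPN"
/ip firewall filter add chain=input action=accept protocol=gre \
    comment="PPTP VPN (GRE)"

# Compare the result with the print output shown in steps 3 and 5
/interface pptp-server server print
/ppp profile print where name=VPN-profile
```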

(31) Comments

  • Prasong
    10 Jul 2014

    Great guide. Can we allow a specific hostname (not IP) to connect to the PPTP server?

    • Uroš
      11 Jul 2014

      Yes, you can do this with some little “tricks”… here is a complete tutorial: Use host names in firewall rules

      After that you just need to add rules like this:
      /ip firewall filter add chain=input src-address-list=host_hostname1 dst-port=1723 protocol=tcp

  • Branko
    14 Sep 2014

    Great guide, it helped a LOT!
    One little thing for all the guys like me that are using Mikrotik for the first time:
    --- CHANGE THE CLOCK ASAP!!!! ---
    It took me 3 frustrating hours to get this working and the only thing I had to do was to change the time… I could see that my PC was connecting but it disconnected right away. I tried everything, and the last time I was looking in the log I was so frustrated that I looked at the time and said to myself “F#$%it at least I’ll correct the time” and it started working…

    Have a sunny day everyone and smile :)

    PS: sorry for my English… trying my best :)

  • laxmi
    18 Sep 2014

    awesome site it’s very easy to understand see more http://mikrotikroutersetup.blogspot.com

  • OKKKKKKKK
    05 Jan 2015

    Hi there, how can we set the security/encryption level of our VPN server following these steps?

    • Uroš
      05 Jan 2015

      Hi, I’m not sure if you are looking for these settings, but you can check if this is what you need…

      In step 3 we created a new VPN profile, but almost all values are set to default. There is a tab “Protocols”. In this tab you can force the use of encryption. This is all I know… Maybe someone here will tell you more :)

  • Bill Winston
    18 Mar 2015

    I spent 6 hrs trying to figure out why I couldn’t communicate with computers on the local subnet.

    Thanks for taking the time to document this.

  • agung
    14 Jul 2015

    nice post

  • Hasan
    27 Jul 2015

    Great Guide… Thanks

  • Robert
    19 Aug 2015

    Hi, there is a mistake in your settings: local address and remote address should both be set to the DHCP pool. If you set local address to 192.168.1.1 (gateway) you will cause a loop in the bridge interface and packet drops.

  • laxmi
    28 Sep 2015

    great configuration see more http://mikrotikroutersetup.blogspot.com

  • Sugiharto
    21 Oct 2015

    I followed your step-by-step but still cannot connect to VPN
    is this setting able to work with load-balanced 2 wan?

    • Uroš
      06 Jan 2016

      Sorry, I can’t say if it works in balanced 2 WAN, because I never tried this…

  • Sendze Martin
    01 Apr 2016

    Hello, I have this question: can it be configured without having a public IP address? Help me out with the instructions if possible; we could talk privately. Thanks

  • Marcos
    04 May 2016

    I would like to know whether it is possible to set up a VPN between a Mikrotik with a real public IP and a Mikrotik with a dynamic IP?

  • saly
    10 May 2016

    I have used DDNS and I am able to reach the router inside my network, but the connection closed after “verifying username and password” appeared in my client.
    Can anyone help, please…

  • bernardo
    30 May 2016

    Everything worked perfectly!! But I lose the internet connection when I connect to the VPN… how do I fix it???

    thanks

    • Uroš
      30 Jun 2016

      just create a new NAT rule (masquerade) for your VPN interface

  • FAyon
    02 Aug 2016

    Hi, I don’t know if you are still working on this, but I need some help.
    I have an RB750 and I use two ADSL lines to make a balance and it’s working, and I set up the PPTP server and I can connect to the network from outside but I can’t connect to the local computers. I’m trying to use VNC to control them but it looks like I’m alone in the network. Thanks

  • Denis
    26 Aug 2016

    Is it possible to call server in LAN 2 from PC in LAN 1 via VPN with server name not IP address?

    I have VPN tunnel and I get to the server with IP but I need because of programs to connect server via name like SERVER_1.

    Thanks!

    • azrel
      13 Dec 2016

      Yes, great question. IP access is working but names are not.

  • vasanth
    28 Sep 2016

    No connection could be made because the target machine actively refused it. Connection failed with error 2147952461

  • Sanddy
    16 Aug 2017

    Thanks for the great article. Yours is the ONLY guide I have come across which has explained how to configure the Bridge so that we can see other network devices. Have been searching for this info like crazy. Thanks a ton!

  • Chris
    07 Sep 2017

    I agree with Sanddy’s comment. Your article is the only one that explains that the Bridge interface should be configured as arp-proxy. Thank you so much. I’ve been going nuts for the last few days…

  • Nick
    23 May 2018

    Thank you very much for that incredible guide! God bless you, that step 6 saved my job today :)

  • JODAL
    26 Sep 2018

    Hello, I have followed your post step by step and have not managed to get access to local resources for the clients. I can log in to the VPN and it assigns me an IP without problems. I suppose I have some problem between the bridge and the PPP profile. SOS

  • cleidson
    18 Sep 2019

    arp-proxy stop my local lan
