Dear,
My MikroTik is behind the ISP router. The ISP router has a static public IP. I want to set up an L2TP VPN server on the MikroTik.
Is it possible with port forwarding in the ISP router?
WireGuard is possible, don't use L2TP…
Thanks for the reply, Sir.
Can you please tell me what the way is?
Actually, I want to access my local network remotely. Is it the best option for remote access?
Is WireGuard possible with port forwarding or without port forwarding?
It is not possible if you are missing a public IP address at the MT device AND you cannot forward a port.
In this case you can forward the port, so it is very much possible, and it is an excellent way to
a. access your router for config purposes
b. access your LAN devices.
Example additions to config.
MT ROUTER (server)
/interface wireguard
add listen-port=15831 mtu=1420 name=WG
/interface list member
add interface=WG list=LAN
/interface wireguard peers
add allowed-address=10.20.30.2/32 interface=WG public-key="+…"
add allowed-address=10.20.30.3/32 interface=WG public-key="+…"
/ip address
add address=10.20.30.1/24 interface=WG network=10.20.30.0
/ip firewall filter
add action=accept chain=input comment="Wireguard handshake" dst-port=15831 protocol=udp
add action=accept chain=input comment="Admin router access" in-interface=WG
add action=accept chain=forward comment="Admin lan access" in-interface=WG out-interface-list=LAN
MOBILE WIREGUARD CLIENT SETTINGS… (if Windows, ensure you get it from the WireGuard website, not Microsoft)
Will assume you have TWO CLIENT DEVICES
LAPTOP
Settings → interface name=WireguardL / ip-address=10.20.30.2/32
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=ISPpublicIP endpoint-port=15831 interface=WireguardL persistent-keepalive=25s public-key="…"
SMARTPHONE
Settings → interface name=WireguardS / ip-address=10.20.30.3/32
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=ISPpublicIP endpoint-port=15831 interface=WireguardS persistent-keepalive=35s public-key="-------"
Normally, the allowed IPs at the client device include the WireGuard subnet and any subnets on the server router you are visiting.
0.0.0.0/0 covers both of those and also allows the mobile remote user to access the internet of the server router.
Tons of reading here → https://forum.mikrotik.com/viewtopic.php?t=182340
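A consistency check for a setup laid out like the one above, as an added example that is not part of the original post: it parses a RouterOS-style export and flags client settings that can never complete a handshake (a mistyped endpoint port, a tunnel address with no matching server peer). The sample export, key placeholders, function names and client dictionaries are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample mirroring the layout in the thread; keys are placeholders.
SERVER_EXPORT = """\
/interface wireguard
add listen-port=15831 mtu=1420 name=WG
/interface wireguard peers
add allowed-address=10.20.30.2/32 interface=WG public-key="<laptop-pubkey>"
add allowed-address=10.20.30.3/32 interface=WG public-key="<phone-pubkey>"
/ip address
add address=10.20.30.1/24 interface=WG network=10.20.30.0
"""

def parse_export(text):
    """Group 'add key=value ...' lines under the menu path that precedes them."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def check(server_text, clients):
    """clients: dicts with 'name', 'address', 'endpoint_port'. Returns findings."""
    m = parse_export(server_text)
    findings = []
    wg = m["/interface wireguard"][0]
    port = int(wg["listen-port"])
    subnet = next(ipaddress.ip_interface(a["address"]).network
                  for a in m["/ip address"] if a["interface"] == wg["name"])
    peers = [ipaddress.ip_network(p["allowed-address"], strict=False)
             for p in m["/interface wireguard peers"]]
    for p in peers:  # each remote device should be pinned to one tunnel address
        if p.prefixlen != 32 or not p.subnet_of(subnet):
            findings.append(f"server peer {p} is not a /32 inside {subnet}")
    if len(set(peers)) != len(peers):
        findings.append("duplicate allowed-address on server peers")
    for c in clients:
        if not 1 <= c["endpoint_port"] <= 65535:
            findings.append(f"{c['name']}: endpoint port {c['endpoint_port']} is out of range")
        elif c["endpoint_port"] != port:
            findings.append(f"{c['name']}: endpoint port {c['endpoint_port']} != listen-port {port}")
        if ipaddress.ip_network(c["address"], strict=False) not in peers:
            findings.append(f"{c['name']}: {c['address']} has no matching server peer")
    return findings
```

The same UDP port must also be the one forwarded on the ISP router to the MikroTik, which this check cannot see from the export alone.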
Sir, can an EoIP tunnel be established on WireGuard VPN?
Example here… The first half is EOIP over wireguard…
https://forum.mikrotik.com/viewtopic.php?p=990837#p990836