Hello,

When I used WinBox on RouterOS V6.18 and switched to the Quick Set: Home AP mode, there was a section for vpn access. After I ticked the box for vpn access, the section expanded to allow me to type in VPN Password.

My question is how do we use this feature? How to use this feature? I attempted to use MS Windows pptp client to access the routerboard but failed to connect. It seems we need to use other kind of vpn client to make the connection but there is no information describing this function.


Regards,

Eric

no, it will work from windows with regular PPTP client. of course you need to connect from the internet side, not from the local network. this is for connecting from public places to your home

This video walks through the menus of both the Mikrotik home VPV setup but also windows setup to establish the connection.

https://www.youtube.com/watch?v=gzPFGVnrEeQ
.

First of all, thank normis’s and jebz’s information.

Finally, I got the method to get the vpn working. Once you tick “VPN Access”, the Routers does the following things for you

1. Create the ppp secret (vpn login credentials) (/ppp secret pirint)

2. Create the firewall for you as follows:

3 ;;; allow l2tp
chain=input action=accept protocol=udp dst-port=1701

4 ;;; allow pptp
chain=input action=accept protocol=tcp dst-port=1723

5 ;;; allow sstp
chain=input action=accept protocol=tcp dst-port=443

3. Create the ppp profile (/ppp profile print)

As you have seen the routeros has already prepared all the things that you need in order to let you have the vpn access. The last step is your turn, i.e., you have to choose which vpn service that you want. The easiest way is to use pppt vpn.

How to make the routeros to have pptp vpn service provided to you?

Use the command

/interface pptp-server server set enabled=yes

With the above command, this enables you to have pptp vpn access using the login name “vpn” and the password that you entered.

I am using hap ac lite router with router os 6.34.3 stable and I want to connect my hap ac lite as server vpn and my android phone as client vpn. I use a broadband internet connection with dynamic Ip given by isp. I have already done with your step and it works only with pptp. How about using l2tp with ipsec psk ?
Please help me creating vpn connection with other barrier/protocol like l2tp or openvpn or sstp (maybe sstp just windows environment )
Thanks

I have already use default mikrotik ip cloud (ddns provided by who?mikrotik?) which is xxxserial number.sn.mynetname.net. I also have already set up in /ppp interface l2tp server enable and tick the ip sec and fill ip sec secret. I hadn’t find way out since yesterday. Did I incomplete configuration ?
Or maybe that default mikrotik ip cloud/ddns just support only pptp vpn ?
How about to set up other ip cloud like duckdns.org because it can’t be change via winbox ? Or it should be changed via terminal ?

Sorry, I ask many question and out of topic but it still connected.

Please,anybody help me ?

mynetname.net is provided by MikroTik. All it does is maps this DNS name to your public IP address. It has nothing to do with VPN at all.

You must allow VPN connections in your router firewall and do proper configuration for the server and profiles.

Ok, Could you please help me in configuring my hap ac lite router…
This is the configuration :

[admin@Router] > export hide-sensitive

mar/17/2016 13:32:11 by RouterOS 6.34.3

software id = xxxxxxxxx

/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf

name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] disabled=yes master-port=ether2-

master
set [ find default-name=ether4 ] disabled=yes master-port=ether2-

master
set [ find default-name=ether5 ] disabled=yes master-port=ether2-

master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-

width=20/40mhz-Ce
country=indonesia disabled=no distance=indoors frequency=auto

hw-retries=4
mode=ap-bridge ssid=“@net ( b/g/n )” wireless-protocol=802.11

wps-mode=
disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-

width=20/40/80mhz-Ceee
country=indonesia disabled=no distance=indoors frequency=auto

hw-retries=4
mode=ap-bridge ssid=“@net ( a/n/ac )” wireless-protocol=802.11

wps-mode=
disabled
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-

methods=“” mode=
dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.102.2-192.168.102.100
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface l2tp-server server
set authentication=mschap2 enabled=yes max-mru=1460 max-mtu=1460

use-ipsec=yes
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.102.1/24 comment=defconf interface=ether2-master

network=
192.168.102.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no

interface=ether1
/ip dhcp-server network
add address=192.168.102.0/24 comment=defconf gateway=192.168.102.1

netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.102.1 name=router
/ip firewall filter
add chain=input comment=“defconf: accept ICMP” protocol=icmp
add chain=input comment=“defconf: accept establieshed,related”
connection-state=established,related
add chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add chain=input comment=“allow pptp” dst-port=1723 protocol=tcp
add chain=input comment=“allow sstp” dst-port=443 protocol=tcp
add action=drop chain=input comment=“defconf: drop all from WAN” in

-interface=
ether1
add action=fasttrack-connection chain=forward comment="defconf:

fasttrack"
connection-state=established,related
add chain=forward comment=“defconf: accept established,related”
connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid”

connection-state=
invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-

state=!dstnat
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”

out-interface=
ether1
add action=masquerade chain=srcnat comment=“masq. vpn traffic” src-

address=
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Asia/Jakarta
/system identity
set name=Router
/system leds
set 0 leds=led1,user-led
set 2 disabled=yes
set 3 disabled=yes
set 4 disabled=yes
add interface=wlan1 leds=led4 type=wireless-status
add interface=wlan2 leds=led5 type=wireless-status
add leds=led3 type=on
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

Is there something incomplete configuration ?
Please help me, thanks very much

I have already created l2tp connection between my router and my brother windows 10 laptop.It works !! But it looked like windows didn’t use ipsec with psk because windows didn’t ask psk key.
Now, how about if the client is android. I have tried so many times,the connection always unsucceed but the firewall detect packet data received from l2tp.
I think the problem is with ipsec psk encryption.
Are anyone can help me solving my problem and the configuration about ipsec encryption on hap ac lite that android wants to connect to hap ac lite?

You can make a L2TP tunnel without IPsec. For IPsec you need a lot more configuration:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Ipsec.2FL2TP_behind_NAT

Will this work if its behind another router? Or do I have to create a passthrough and map ports, etc?

I have routers that are behind other non-mikrotik routers inside an internal network. Was hoping to create a VPN so I could connect to them somehow remotely with winbox.

the DNS name is not connected with the VPN feature. It just gives a domain name to the IP address of the router. If the device is in some internal network, you still have to make routing or NAT on the gateway device.

We do not have any kind of reverse VPN functionality yet

What I would like to do is setup a VPN server, and have all my routers maintain an active VPN connection to my VPN server for remote access, but also for communication with my radius server through the VPN. I am currently using Windows 2008 R2, with tekradius. Is this possible? Can you help me with a proper config for this? I have over 100 routers i want to maintain this way.