Router access over vpn

RouterOS Beginner Basics
1

Hello, i’m running hap ac on default configuration. I added l2tp server and a different address range for vpn. I can access devices on the network over vpn but not the router. What else i need to do?

I added the l2tp as such:

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128 lifebytes=1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=modp2048

/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255

/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

/interface l2tp-server server
set enabled=yes use-ipsec=yes ipsec-secret=test

/ip firewall filter
add action=accept chain=input comment=“allow ESP” protocol=ipsec-esp
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500 protocol=udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=accept chain=input comment=“allow pptp” dst-port=1723 protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat comment=“masq. vpn traffic” src-address=192.168.89.0/24

/ppp secret
add name=vpn password=test profile=default-encryption remote-address=192.168.89.254
add name=remote password=test profile=default-encryption remote-address=192.168.89.253

2

If you mean to VPN into the device and then be able to configure the device,
then you need to allow access to those VPN addresses to the input chain.

add chain=input action=accept in-interface=name-of-vpn-interface src-address-list=authorized

Where authorized is a firewall address list of those admin IPs that you want to be able to config the router via VPN.
I am assuming you dont want the entire vpn subnet identified to be able to do that??

/ip firewall address list
add address=IP of admin laptop list=authorized
add address=IP of admin ipad/tablet list=authorized
etc…

where the IPs are in the range of 192.168.89.2-255

3

yeah basically i forgot:

add action=accept chain=input comment=“accept PPP” in-interface=all-ppp

but you should restrict access to only certain users if you have multiple users connecting over vpn