How to set up PPTP VPN on your Mikrotik

Don’t get overwhelmed by the long list below.  Here is all you are trying to accomplish:

  1. Turn on PPTP Server in the router
  2. Set up a login and password for the VPN connection
  3. Tell the router what IP addresses you want to use for this connection
  4. Opening port 1723 and gre protocol in the Firewall
  5. That’s it.

Basic setup

  1. Click PPP
  2. Click PPTP Server
  3. In the PPTP Server window, click the Enabled checkbox and click OK
  4. Click the Secrets tab
  5. Click the + to add a new Secret
  6. In Name, enter the login you want to use for your VPN connection
  7. In Password, enter the password you want to use
  8. In Service, click the drop-down and select pptp
  9. In Profile, select default-encryption
  10. In Local Address, enter an address on the LAN that you want to send your traffic through.  I’ve used the router’s LAN IP, a ‘random’ IP address on the subnet, etc.  Haven’t seen that one is better than the other…yet…
  11. In Remote Address, enter the IP address that you want your device to get when it establishes a connection.  Pick an IP address on a different subnet from your LAN.  Trust me, it will work.
  12. Enter a Comment if you want
  13. Click OK
  14. Click on IP, then Firewall, then the Filter Rules tab
  15. Add a new rule with the + sign
  16. Set Chain to input
  17. Set Protocol to tcp
  18. Set Dst. Port to 1723
  19. Click on the Action tab and make sure Action is set to accept
  20. Give it a Comment of “VPN” or something meaningful to you
  21. Click OK
  22. Drag this rule ABOVE THE DEFAULT “drop” RULE
  23. Add another new Firewall Filter rule
  24. Set Chain to input
  25. Set Protocol to gre
  26. Click on the Action tab and make sure Action is set to accept
  27. Give it a Comment of “VPN” or something meaningful to you
  28. Click OK
  29. Drag this rule ABOVE THE DEFAULT “drop” RULE
  30. Done

I know it looks like a lot, but once you’ve done this a few times, you can do all these steps in about 2 minutes.

  • Cory

    So PPTP is required for VPN? This has nothing to do with PPPOE WAN connections right?

    • admin

      Yup, PPTP is a ‘version’ of VPN. Point to Point Tunneling Protocol. You have to set up a PPTP Server and that is what you connect to remotely from your VPN Client. PPTP is supported in every major OS right out of the box, so there is no client software you have to run to connect to it. There are more secure and more recent versions of VPN, but that is another whole story…

      You’ll only really run into PPPoE on DSL jobs. That is where you need the login and password to connect to the ISP. Two totally different things.

  • Cory

    Isn’t there a script I can copy and past in to do everything you listed above ;-p

    With VPN, i read once that you have to have the same router on both, sides, but it sounds like that isn’t the case with this method or maybe anymore at all.

    • admin

      Yes, there is a script, actually, I just haven’t written it yet…lol…

      I think you’re talking about a site-to-site VPN… like if you have a Main Office and a Remote Office, you can keep a VPN connection open between them so they’re working off of the same LAN and sharing files, etc. What most of us talk about is a way for you to connect to a client site from your laptop, or office PC, or from an iPod/iPad/etc.

      Chris has done some site-to-site VPNs with Mikrotik using IPSec VPN between them. He logged into a job I was doing in Miami and set it up so we had an IPSec VPN to the clients other home in Baltimore and I could be on one network at either site and talk to everything at the other site. It’s pretty slick.

      • Ross

        I was just wondering if you have an article on how to setup the site to site VPN but not using IPSEC but rather a EOIP PPTP tunnel betwen RB750s ?

        • admin

          I do not, but Chris who replies on here often has done some testing on that. Maybe he can chime in. I remember him saying that the main provider in our area does something that inadvertently breaks EOIP so I don’t know how far he persued it.

  • Cory

    Okay, so after its all setup in the router, what do you do on the remote device? I was just going to setup in my iPad as a test and it requires a SERVER field and Account. I’m guessing the account is my login that I chose on the router side, but not sure.

  • Cory

    I figure the Server is either the WAN IP address of the router or a DNS hostname?

  • scott

    the server is your public IP address.

    the account and password is what you setup on the server side for user and password.

  • Jason

    I must be missing one thing here. After setting up the Mikrotik, I’m trying to connect with the VPN built into Windows 7. I keep getting “verifying user name and password” but then it jumps to “disconnected, error 619, a connection to the remote computer could not be established, so the port for this connection was closed”.

    If I’m on the local network, The VPN connect without a problem which tells me it’s setup correctly??


    • admin

      Funny, I never tried connecting locally, but I just tried it and it does work.

      So you’re trying to connect from the internet to your Mikrotik and it’s not working… what are you using as the VPN ‘server’ address? It should be set to your WAN IP from the site with the Mikrotik.

      • Jason

        Wow, lots of actions since I was last here.

        I’m using a dyndns for my VPN server address.

  • Cory

    Okay, So i have this setup and working (I think) from my iPad. It shows VPN connected. However, I can’t figure out how to establish the same connection from my W7 machine. Is there a VPN setup setting to dictate that its PPTP?

    Side questions, the point of this is so that my computer acts as if its on the local network of my client, right? So that I could log-in to their AVR or power switch or control processor…right? Would I just type in the IP address of the device as if I was on their local network?

    • admin

      I think in W7 it automatically picks what type of VPN connection it is. I just enter the server address (“Internet address:”) and name it something, then click Next, then enter the user name and credentials and hit Connect.

      Once you’re connected, yes you can access an AVR or processor as if you were on site. So if the processor on the job’s IP is, and you’re at your house, you VPN to the job and go to

      There are some caveats to PPTP VPN… such as broadcasting won’t work across the VPN. So with Control4 the programming software “sees” the processor on the network when you’re connected locally. When connected over a VPN it can’t see the broadcast. You can still access it, though, by simply entering the IP address.

  • Cory

    I keep getting this error (and I know the username & password are good because I’m able to select PPTP and make a connection from my iPad)
    The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

  • Cory

    I do notice while it is try to connect it says using “WAN miniport (SSTP)”. Not sure if that means anything.

    • admin

      Open a Terminal and go to /ppp and do an export and post it here. When you paste it, make sure you delete/mask out your login and password credentials.

      (open a New Terminal connection in Winbox. Type ‘PPP’ and hit enter. Type ‘export’ and hit enter. Copy and paste the text it spits out. Delete your login and password.)

  • Cory

    Okay. it’s long as hell. Maybe you can point out anything obvious you notice that I’m not doing that I should be…if you notice. THanks!

    [CODE]# oct/08/2012 23:16:28 by RouterOS 5.16
    # software id = UB2U-EHT1
    /interface ethernet
    set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D6 master-port=none mtu=1500 \
    name=ether1-gateway speed=100Mbps
    set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D7 master-port=none mtu=1500 \
    name=ether2-master-local speed=100Mbps
    set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D8 master-port=\
    ether2-master-local mtu=1500 name=ether3-slave-local speed=100Mbps
    set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:D9 master-port=\
    ether2-master-local mtu=1500 name=ether4-slave-local speed=100Mbps
    set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no \
    full-duplex=yes l2mtu=1598 mac-address=00:0C:42:E6:88:DA master-port=\
    ether2-master-local mtu=1500 name=ether5-slave-local speed=100Mbps
    /interface ethernet switch
    set 0 mirror-source=none mirror-target=none name=switch1
    /ip hotspot profile
    set [ find default=yes ] dns-name=”” hotspot-address= html-directory=hotspot \
    http-cookie-lifetime=3d http-proxy= login-by=cookie,http-chap name=default \
    rate-limit=”” smtp-server= split-user-domain=no use-radius=no
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=1 status-autorefresh=1m transparent-proxy=no
    /ip ipsec proposal
    set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=\
    30m name=default pfs-group=modp1024
    /ip pool
    add name=default-dhcp ranges=
    /ip dhcp-server
    add address-pool=default-dhcp authoritative=after-2sec-delay bootp-support=static \
    disabled=no interface=ether2-master-local lease-time=3d name=default
    /ppp profile
    set 0 change-tcp-mss=yes name=default only-one=default use-compression=default \
    use-encryption=default use-mpls=default use-vj-compression=default
    set 1 change-tcp-mss=yes name=default-encryption only-one=default use-compression=\
    default use-encryption=yes use-mpls=default use-vj-compression=default
    /queue type
    set 0 kind=pfifo name=default pfifo-limit=50
    set 1 kind=pfifo name=ethernet-default pfifo-limit=50
    set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
    set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 \
    red-max-threshold=50 red-min-threshold=10
    set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
    set 5 kind=none name=only-hardware-queue
    set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
    set 7 kind=pfifo name=default-small pfifo-limit=10
    /routing bgp instance
    set default as=65530 client-to-client-reflection=yes disabled=no ignore-as-path-len=no \
    name=default out-filter=”” redistribute-connected=no redistribute-ospf=no \
    redistribute-other-bgp=no redistribute-rip=no redistribute-static=no router-id=\ routing-table=””
    /routing ospf instance
    set [ find default=yes ] disabled=no distribute-default=never in-filter=ospf-in \
    metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=auto \
    metric-rip=20 metric-static=20 name=default out-filter=ospf-out redistribute-bgp=no \
    redistribute-connected=no redistribute-other-ospf=no redistribute-rip=no \
    redistribute-static=no router-id=
    /routing ospf area
    set [ find default=yes ] area-id= disabled=no instance=default name=backbone \
    /snmp community
    set [ find default=yes ] address= authentication-password=”” \
    authentication-protocol=MD5 encryption-password=”” encryption-protocol=DES name=\
    public read-access=yes security=none write-access=no
    /system logging action
    set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
    set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no \
    name=disk target=disk
    set 2 name=echo remember=yes target=echo
    set 3 bsd-syslog=no name=remote remote-port=514 syslog-facility=daemon syslog-severity=\
    auto target=remote
    /user group
    set read name=read policy=”local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,se\
    nsitive,api,!ftp,!write,!policy” skin=default
    set write name=write policy=”local,telnet,ssh,reboot,read,write,test,winbox,password,web,\
    sniff,sensitive,api,!ftp,!policy” skin=default
    set full name=full policy=”local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pass\
    word,web,sniff,sensitive,api” skin=default
    /interface bridge settings
    set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
    /interface ethernet switch port
    set 0 vlan-header=leave-as-is vlan-mode=disabled
    set 1 vlan-header=leave-as-is vlan-mode=disabled
    set 2 vlan-header=leave-as-is vlan-mode=disabled
    set 3 vlan-header=leave-as-is vlan-mode=disabled
    set 4 vlan-header=leave-as-is vlan-mode=disabled
    set 5 vlan-header=leave-as-is vlan-mode=disabled
    /interface l2tp-server server
    set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=\
    no max-mru=1460 max-mtu=1460 mrru=disabled
    /interface ovpn-server server
    set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default \
    enabled=no keepalive-timeout=60 mac-address=FE:78:98:22:7D:57 max-mtu=1500 mode=ip \
    netmask=24 port=1194 require-client-certificate=no
    /interface pptp-server server
    set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes \
    keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
    /interface sstp-server server
    set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default \
    enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled port=443 \
    /ip accounting
    set account-local-traffic=no enabled=no threshold=256
    /ip accounting web-access
    set accessible-via-web=no address=
    /ip address
    add address= comment=”default configuration” disabled=no interface=\
    ether2-master-local network=
    /ip dhcp-client
    add add-default-route=yes comment=”default configuration” default-route-distance=1 \
    disabled=no interface=ether1-gateway use-peer-dns=yes use-peer-ntp=yes
    /ip dhcp-server config
    set store-leases-disk=5m
    /ip dhcp-server lease
    add address= client-id=1:0:1f:d0:97:2f:39 comment=”Service Computers” \
    disabled=no lease-time=428w4d23h59m59s mac-address=00:1F:D0:97:2F:39 server=default
    add address= comment=”Crestron Processors” disabled=no mac-address=\
    add address= comment=”Media Players” disabled=no mac-address=\
    add address= comment=”Game Systems” disabled=no mac-address=\
    add address= client-id=1:0:23:32:34:f4:10 disabled=no mac-address=\
    00:23:32:34:F4:10 server=default
    add address= client-id=1:0:4:20:29:77:1 disabled=no mac-address=\
    00:04:20:29:77:01 server=default
    add address= comment=”POWER & UPS” disabled=no lease-time=42w6d20h20m20s \
    add address= client-id=1:0:1f:5b:84:e8:d disabled=no mac-address=\
    00:1F:5B:84:E8:0D server=default
    add address= client-id=1:70:73:cb:e0:96:c2 disabled=no mac-address=\
    70:73:CB:E0:96:C2 server=default
    add address= client-id=1:0:27:22:8c:ee:c8 comment=WAP disabled=no \
    mac-address=00:27:22:8C:EE:C8 server=default use-src-mac=yes
    add address= client-id=1:0:e0:6f:10:69:ce disabled=no mac-address=\
    00:E0:6F:10:69:CE server=default
    /ip dhcp-server network
    add address= comment=”default configuration” dhcp-option=”” dns-server=\ gateway= ntp-server=”” wins-server=””
    /ip dns
    set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=\
    512 servers=,
    /ip dns static
    add address= disabled=no name=router ttl=1d
    add address= comment=” Crestron DNS Internal” disabled=no name=\ ttl=1d
    add address= disabled=no ttl=1d
    /ip firewall connection tracking
    set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s \
    tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
    /ip firewall filter
    add action=accept chain=input comment=”default configuration” disabled=no protocol=icmp
    add action=accept chain=input comment=”default configuration” connection-state=\
    established disabled=no in-interface=ether1-gateway
    add action=accept chain=input comment=”default configuration” connection-state=related \
    disabled=no in-interface=ether1-gateway
    add action=accept chain=input comment=”VPN CONNECTION” disabled=no dst-port=1723 \
    add action=accept chain=input comment=”VPN CONNECTION 2″ disabled=no protocol=gre
    add action=drop chain=input comment=”default configuration” disabled=no in-interface=\
    /ip firewall nat
    add action=masquerade chain=srcnat comment=”default configuration” disabled=no \
    out-interface=ether1-gateway to-addresses=
    add action=dst-nat chain=dstnat comment=”rule for crestron” disabled=no dst-port=8081 \
    in-interface=ether1-gateway protocol=tcp to-addresses= to-ports=8081
    add action=dst-nat chain=dstnat comment=”rule for crestron 2″ disabled=no dst-port=\
    41790-41795 in-interface=ether1-gateway protocol=tcp to-addresses= \
    add action=dst-nat chain=dstnat comment=”Rule for Xbox Live 1″ disabled=no dst-port=\
    88 in-interface=ether1-gateway protocol=udp to-addresses= to-ports=88
    add action=dst-nat chain=dstnat comment=”Rule for Xbox Live 2″ disabled=no dst-port=\
    3074 in-interface=ether1-gateway protocol=tcp to-addresses= to-ports=\
    add action=dst-nat chain=dstnat comment=”Rule for Xbox Live 3″ disabled=no dst-port=\
    3074 in-interface=ether1-gateway protocol=udp to-addresses= to-ports=\
    add action=dst-nat chain=dstnat comment=”Rule for Digital Loggers” disabled=no dst-port=\
    8050 in-interface=ether1-gateway protocol=tcp to-addresses= to-ports=80
    add action=dst-nat chain=dstnat comment=”IOS CAM” disabled=no dst-port=8065 \
    in-interface=ether1-gateway protocol=tcp to-addresses= to-ports=80
    /ip firewall service-port
    set ftp disabled=no ports=21
    set tftp disabled=no ports=69
    set irc disabled=no ports=6667
    set h323 disabled=no
    set sip disabled=no ports=5060,5061 sip-direct-media=yes
    set pptp disabled=no
    /ip hotspot service-port
    set ftp disabled=no ports=21
    /ip neighbor discovery
    set ether1-gateway disabled=yes
    set ether2-master-local disabled=no
    set ether3-slave-local disabled=no
    set ether4-slave-local disabled=no
    set ether5-slave-local disabled=no
    /ip proxy
    set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no \
    enabled=no max-cache-size=none max-client-connections=600 max-fresh-time=3d \
    max-server-connections=600 parent-proxy= parent-proxy-port=0 port=8080 \
    serialize-connections=no src-address=
    /ip service
    set telnet address=”” disabled=no port=23
    set ftp address=”” disabled=no port=21
    set www address=”” disabled=no port=80
    set ssh address=”” disabled=no port=22
    set www-ssl address=”” certificate=none disabled=yes port=443
    set api address=”” disabled=yes port=8728
    set winbox address=”” disabled=no port=8291
    /ip smb
    set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
    /ip smb shares
    set [ find default=yes ] comment=”default share” directory=/pub disabled=no \
    max-sessions=10 name=pub
    /ip smb users
    set [ find default=yes ] disabled=no name=guest password=”” read-only=yes
    /ip socks
    set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
    /ip traffic-flow
    set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s \
    /ip upnp
    set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
    set dynamic-label-range=16-1048575 propagate-ttl=yes
    /mpls interface
    set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
    /mpls ldp
    set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no lsr-id=\ path-vector-limit=255 transport-address= use-explicit-null=no
    /port firmware
    set directory=firmware
    /ppp aaa
    set accounting=yes interim-update=0s use-radius=no
    /ppp secret
    add caller-id=”” comment=”Home VPN” disabled=no limit-bytes-in=0 limit-bytes-out=0 \
    local-address= name=LOGIN password=PASSWORD profile=\
    default-encryption remote-address= routes=”” service=pptp
    /queue interface
    set ether1-gateway queue=ethernet-default
    set ether2-master-local queue=ethernet-default
    set ether3-slave-local queue=ethernet-default
    set ether4-slave-local queue=ethernet-default
    set ether5-slave-local queue=ethernet-default
    /radius incoming
    set accept=no port=3799
    /routing bfd interface
    set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=\
    /routing mme
    set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=\
    no-gateway origination-interval=5s preferred-gateway= timeout=1m ttl=50
    /routing rip
    set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no routing-table=\
    main timeout-timer=3m update-timer=30s
    set contact=”” enabled=no engine-id=”” location=”” trap-generators=”” trap-target=”” \
    /system clock
    set time-zone-name=America/Los_Angeles
    /system clock manual
    set dst-delta=+00:00 dst-end=”jan/01/1970 00:00:00″ dst-start=”jan/01/1970 00:00:00″ \
    /system console
    set [ find ] disabled=no term=vt102
    /system identity
    set name=MikroTik
    /system logging
    set 0 action=memory disabled=no prefix=”” topics=info
    set 1 action=memory disabled=no prefix=”” topics=error
    set 2 action=memory disabled=no prefix=”” topics=warning
    set 3 action=echo disabled=no prefix=”” topics=critical
    /system note
    set note=”” show-at-login=yes
    /system ntp client
    set enabled=yes mode=unicast primary-ntp= secondary-ntp=
    /system resource irq
    set 0 cpu=auto
    /system routerboard settings
    set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=40
    force-backup-booter=no silent-boot=no
    /system scheduler
    add disabled=no interval=1h name=NTP_Update_Schedule on-event=Update_NTP policy
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start
    /system script
    add name=Update_NTP policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api sourc
    \n/system ntp client set primary-ntp=[:resolve]\r\
    \n/system ntp client set secondary-ntp=[:resolve]”
    /system upgrade mirror
    set check-interval=1d enabled=no primary-server= secondary-server=0.0.0.
    /system watchdog
    set auto-send-supout=yes automatic-supout=yes no-ping-delay=5m send-email-from= watch-address watchdog-timer=yes
    /tool bandwidth-server
    set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
    /tool e-mail
    set address= from= password=”” port=25 user=””
    /tool graphing
    set page-refresh=300 store-every=5min
    /tool mac-server
    add disabled=no interface=ether2-master-local
    add disabled=no interface=ether3-slave-local
    add disabled=no interface=ether4-slave-local
    add disabled=no interface=ether5-slave-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes interface=all
    add disabled=no interface=ether2-master-local
    add disabled=no interface=ether3-slave-local
    add disabled=no interface=ether4-slave-local
    add disabled=no interface=ether5-slave-local
    /tool mac-server ping
    set enabled=yes
    /tool sms
    set allowed-number=”” channel=0 keep-max-sms=0 receive-enabled=no secret=””
    /tool sniffer
    set file-limit=1000KiB file-name=”” filter-ip-address=”” filter-ip-protocol=””
    filter-mac-address=”” filter-mac-protocol=”” filter-port=”” filter-stream=y
    interface=all memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=
    /tool traffic-generator
    set latency-distribution-scale=10 test-id=0
    /user aaa
    set accounting=yes default-group=read exclude-groups=”” interim-update=0s use-r

  • Cory

    whoops – typed the code tags wrong…sorry, not sure how to edit?

  • J.O.

    I used these instructions to add the VPN and afterwards did a check using GRC Shields Up on port 1723 ( and it now shows that port as open and not secure. Trying to make sure I don’t mess up and do anything to make the router unsecure. Is this a problem or typical?

    • admin

      I would say that’s normal, since you’re opening up port 1723 to allow PPTP traffic through.

      That GRC site is cool!

      Your Internet port 139 does not appear to exist!
      One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that’s very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
      Unable to connect with NetBIOS to your computer.
      All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

      • J.O.

        GRC is an odd little site that is always useful for an outside check. Thanks for the feedback. Can you use a less common port than 1723 or is that where every client looks so you can’t change it.

        Where did you get the information on port 139? I didn’t see that on GRC.

  • Cory

    Just to confirm, steps 10/11. If my network is, router at And I have a few addresses set aside for VPN. For step 10 I would do, then for step 11 I would do

    To use a different subnet, I’m changing the third section from “0” to “5”, right?

  • Jason

    So I’ve got things working but can’t connect to some devices on the remote site. For example I can get into the mikrotik and network switches over VPN but that’s it. I can’t get into access points, receivers, or master controller. Any thoughts??

    • Jason

      Weird. I can ping some devices also but not others. I thought PPTP would act like I’m physically on the network.

      • admin

        Do you have proxy-arp enabled on ether2? And what subnet are you on on the VPN side compared to the LAN itself?

        • Jason

          Got it working with help from you guys over at IP. Changing VPN to a different subnet from the LAN allowed me to ping everything. Didn’t enable proxy-arp because of what Jayson said. Still don’t understand why I have to be on a different subnet though. Other VPN’s I’ve used worked perfectly on the same subnet.

  • cory

    yay! finally got it to work!

  • Pingback: How to run multiple networks from a Mikrotik | Networking For Integrators()

  • Cams

    Is this good for doing a site to site VPN? With a 750 at each end?
    Or would IPSEC be better?

  • nik

    One thing I am curious about is why does the firewall rule need to be on there. I’ve followed the instructions and the set up works, however it lets me in with or without the rule enabled. What does this rule do exactly?

    • admin

      With the default firewall rule in place, you should not be able to get in via VPN without adding those rules. The traffic on port 1723 doesn’t match any of the “accept” rules in the default firewall, so it hits each one until it hits the “drop” rule and gets dropped.

      You sure your firewall is set up the way you think it is?

  • nik

    Thats the thing, there is no default set of rules on there. Are those rules something that gets created when the router is brought to default or there is another way to put them in place? Thanks for the reply btw!

    • admin

      It’s definitely created by default with the RB750GL, RB450G, and RB2011UAS-RM… You can add whatever rules you want, though. Check this page:

      • nik

        Mine is rb500 so i guess it wont create them by defaulting. Could you re-add the link because it doesn’t seem to be displaying in your last post. Much appreciated once again!

  • Jemp

    Hello, tnx for the explanation, works fine, but I make it with a Dhcp Pool, and i can connect easily, but once connected, I can not ping any workstation, on the inside.
    I can not connect to any local station on my private network.
    Any solution
    Tnx Jemp

    • admin

      Did you add a dhcp network for the subnet you’re connecting to?

  • Krisken

    Why do yo have to user another subnet for VPN? Can’t you do that on the same subnet as your LAN?

    EG at my home i use the subnet. But hey i don’t have 254 computers here :)

    • admin

      You don’t have to, and in fact it causes problems with some devices that will only accept connections from devices on the same subnet.

      If you’re going to put your VPN pool on the same subnet, you have to go into your LAN interface (ether2) and enable proxy-arp.

  • Allen

    Hi, I recently got a MT RB2011UHnD I think it’s called and configured it exactly as instructed above. Yet, when the client connects to the vpn, no network resources are visible in network (client is win7). I have a dns windows server at the main site because i read that the vpn client needs a naming resolution service in order to see network resources yet still nothing. I can ping the resources and access them in windows explorer like this : //192.168.2.x but not when i do this //server. Any ideas?

    • admin

      Hmm. Let me see if I can get some insight in that.

  • anas

    Hello sir …
    i need to make connection between 2 mikrotik ( site to site ) by VPN ( over internet )
    can you help me what the steps to creat it .. thank you a lot

  • laxmi
  • Steve

    I can’t seem to get this to work… after adding the rules, I try to connect via windows VPN and it just hangs on Verifying username and password, and it never actually connects.

    • admin

      Make sure you drag the firewall rules above the drop rule(s)

    • admin

      actually check your settings in the Profiles, too

    • Travis Bartnes

      I know this is old but I am running into the same issue as the poster above. What needs to be set in the Profiles secion?

  • Houman.H

    hi all,
    i configured my Mikrotik router as PPTP server.i already connected to server via VPN connection in W7.
    everything seems is fine and i can ping the and tracert command shows erverything is fine.
    when i open my browser and want to visit :
    DNS is working find and i am geeting the below message in status bar.
    connected to
    But i can not see google page in my browser and does not happen any more.
    Please advise. Thanks.