Virtual Private Networks
MikroTik RouterOS provides comprehensive Virtual Private Network (VPN) capabilities to meet diverse deployment requirements ranging from simple remote access to complex site-to-site architectures. The platform supports multiple VPN protocols, each with distinct characteristics suited for different scenarios, security requirements, and compatibility needs.
VPN technology enables secure communication over untrusted networks by creating encrypted tunnels between endpoints. RouterOS implements industry-standard protocols alongside MikroTik-specific solutions, providing flexibility in deployment while maintaining interoperability with third-party equipment and client software.
VPN Protocol Overview
RouterOS supports numerous VPN protocols, each addressing specific use cases and offering different tradeoffs between security, performance, compatibility, and ease of configuration.
| Protocol | Type | Encryption | Use Case | RouterOS Version |
|---|---|---|---|---|
| WireGuard | Modern VPN | ChaCha20-Poly1305 | Site-to-site, remote access | v7+ |
| OpenVPN | SSL VPN | OpenSSL ciphers | Cross-platform compatibility | v6/v7 |
| IPsec | Layer 3 | AES, 3DES, SHA | Site-to-site, road warrior | v6/v7 |
| L2TP/IPsec | Layer 2 | MPPE, IPsec | Legacy client support | v6/v7 |
| PPTP | Layer 2 | MPPE | Legacy systems (not recommended) | v6/v7 |
| SSTP | SSL VPN | SSL/TLS | Firewall traversal | v6/v7 |
| ZeroTier | SD-WAN | ZeroTier encryption | Peer-to-peer mesh | v7+ |
Selecting a VPN Protocol
Choosing the appropriate VPN protocol depends on several factors including security requirements, client compatibility, network topology, and performance needs.
WireGuard
WireGuard represents the modern standard for VPN connectivity, offering excellent performance through kernel-level implementation, a minimal code base for reduced attack surface, and modern cryptographic primitives. It is recommended for new deployments where both endpoints support the protocol.
```
/interface wireguard add name=wg1 private-key=... listen-port=13231
/interface wireguard peers add interface=wg1 \
    public-key=... \
    allowed-address=0.0.0.0/0 \
    endpoint-address=203.0.113.1 \
    endpoint-port=13231
```
WireGuard excels in site-to-site connections between RouterOS routers and provides efficient remote access capabilities. Its simple configuration model reduces the likelihood of misconfiguration while maintaining strong security properties.
OpenVPN
OpenVPN provides broad compatibility across operating systems and devices, making it the preferred choice when connecting diverse client types. As an SSL-based solution, it tunnels traffic through TLS-encrypted channels, traversing most firewalls and NAT devices without special configuration.
```
/interface ovpn-client add \
    connect-to=vpn.example.com \
    user=username \
    password=secret \
    profile=default \
    auth=sha1 \
    cipher=aes128-cbc
```
OpenVPN supports both routed (layer 3) and bridged (layer 2) modes, enabling flexibility in network design. However, performance is typically lower than WireGuard due to its userspace implementation.
IPsec
IPsec provides robust security for site-to-site connectivity between routers, firewalls, and other network equipment. It offers extensive configuration options for security policies, perfect forward secrecy, and certificate-based authentication.
```
/ip ipsec profile set [find name=default] \
    dh-group=modp2048 \
    enc-algorithm=aes-256 \
    hash-algorithm=sha256
```
IPsec is the preferred choice for connecting RouterOS to third-party networking equipment from vendors like Cisco, Juniper, or pfSense. The protocol operates at the network layer, providing transparent handling of all IP traffic.
L2TP/IPsec
L2TP creates point-to-point tunnels at the data link layer, often combined with IPsec for encryption. While L2TP alone provides no encryption, the L2TP/IPsec combination offers reasonable security while maintaining compatibility with the built-in VPN clients on Windows, macOS, iOS, and Android.
```
/interface l2tp-server server set enabled=yes
/interface l2tp-client add connect-to=203.0.113.1 \
    name=l2tp-out1 user=username password=secret
```
L2TP is useful when supporting legacy clients that do not support modern protocols, though WireGuard or IPsec should be preferred for new deployments.
SSTP
Secure Socket Tunneling Protocol uses SSL/TLS for transport, enabling it to traverse firewalls and proxies that block other VPN protocols. This makes SSTP particularly valuable in restrictive network environments where only HTTPS traffic is permitted.
```
/interface sstp-server server set enabled=yes \
    certificate=server-cert \
    verify-client-certificate=no
```
SSTP provides strong security through TLS encryption while maintaining excellent firewall traversal characteristics.
ZeroTier
ZeroTier provides software-defined networking capabilities, creating virtual Ethernet networks that span multiple locations without traditional VPN concentrators. It uses a decentralized control plane and peer-to-peer data paths for efficient communication.
```
# the built-in zt1 instance ships disabled; enable it before adding interfaces
/zerotier enable zt1
/zerotier interface add network=YOUR_NETWORK_ID instance=zt1
# these rules accept all traffic arriving from the ZeroTier network;
# narrow them to the services actually needed in production
/ip firewall filter add action=accept chain=forward in-interface=zerotier1 place-before=0
/ip firewall filter add action=accept chain=input in-interface=zerotier1 place-before=0
```
ZeroTier excels in scenarios requiring mesh connectivity between multiple sites without centralized VPN infrastructure, though it requires external ZeroTier network controller configuration.
Site-to-Site VPN
Site-to-site VPN connects entire networks at different locations, enabling hosts on each side to communicate transparently as if on the same local network.
WireGuard Site-to-Site
WireGuard provides high-performance site-to-site connectivity suitable for bandwidth-intensive applications:
```
/interface wireguard add name=wg-site1 \
    private-key=LOCAL_PRIVATE_KEY \
    listen-port=13231
# allowed-address must cover every prefix routed through this peer:
# WireGuard's cryptokey routing drops packets that match no peer
/interface wireguard peers add \
    interface=wg-site1 \
    public-key=REMOTE_PUBLIC_KEY \
    allowed-address=10.20.0.0/24 \
    endpoint-address=203.0.113.10 \
    endpoint-port=13231
/ip route add dst-address=10.20.0.0/24 gateway=wg-site1
```
Each router requires generation of its own keypair, with the public key exchanged between sites before configuration.
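A route pointed at a WireGuard interface only works if some peer's allowed-address covers the destination, and a prefix can belong to only one peer per interface. The following added Python check (not from this page or from MikroTik) validates both conditions over constructed sample peer and route tables mirroring the configuration above; it generalizes to any number of peers and interfaces.

```python
import ipaddress

# Constructed sample (not real router output): WireGuard peers as
# (interface, public-key, allowed-address list) and routes as (dst, gateway).
PEERS = [
    ("wg-site1", "REMOTE_PUBLIC_KEY_A", "10.20.0.0/24,10.255.0.2/32"),
    ("wg-site1", "REMOTE_PUBLIC_KEY_B", "10.30.0.0/24"),
]
ROUTES = [
    ("10.20.0.0/24", "wg-site1"),
    ("10.30.0.0/24", "wg-site1"),
    ("192.168.20.0/24", "wg-site1"),  # no peer allows it: silently dropped
]

def parse_allowed(peers):
    """Map (interface, public-key) -> list of allowed networks."""
    return {(iface, key): [ipaddress.ip_network(a.strip()) for a in allowed.split(",")]
            for iface, key, allowed in peers}

def check_routes(routes, peers):
    """For each route via a WireGuard interface, return (dst, interface, key)
    where key is the peer whose allowed-address covers dst, or None when
    cryptokey routing would drop the traffic."""
    allowed = parse_allowed(peers)
    result = []
    for dst, iface in routes:
        dst_net = ipaddress.ip_network(dst)
        owner = None
        for (p_iface, key), nets in allowed.items():
            if p_iface == iface and any(
                    n.version == dst_net.version and dst_net.subnet_of(n) for n in nets):
                owner = key
                break
        result.append((dst, iface, owner))
    return result

def overlapping_peers(peers):
    """Peers on the same interface whose allowed-address ranges overlap;
    a prefix can belong to only one peer, so the later entry takes it over."""
    items = list(parse_allowed(peers).items())
    hits = []
    for i, ((ifa, ka), nets_a) in enumerate(items):
        for (ifb, kb), nets_b in items[i + 1:]:
            if ifa == ifb:
                hits += [(ka, kb, str(a)) for a in nets_a for b in nets_b
                         if a.version == b.version and a.overlaps(b)]
    return hits
```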
IPsec Site-to-Site
IPsec provides interoperability with third-party equipment:
```
# RouterOS 6.43+ / v7 syntax: the pre-shared secret is configured on an
# identity bound to the peer, not on the peer entry itself
/ip ipsec peer add \
    name=site2 \
    address=203.0.113.10 \
    profile=default
/ip ipsec identity add \
    peer=site2 \
    auth-method=pre-shared-key \
    secret=PRESHARED_SECRET
# a static site-to-site policy is a tunnel policy tied to the peer
# (template=yes is for generating policies dynamically, e.g. road warriors)
/ip ipsec policy add \
    src-address=10.10.0.0/24 \
    dst-address=10.20.0.0/24 \
    peer=site2 \
    tunnel=yes \
    proposal=default
```
IPsec requires careful attention to phase 1 and phase 2 proposals to ensure compatibility between endpoints.
Remote Access VPN
Remote access VPN enables individual clients to connect to the router, typically providing access to the internal network.
Creating User Accounts
VPN services require authentication. Local user accounts are created in the PPP secrets menu:
```
# remote-address on a secret takes a single IP address; to hand out
# addresses from a pool, set the pool on the PPP profile instead
/ip pool add name=pool1 ranges=10.0.0.10-10.0.0.100
/ppp profile set default local-address=10.0.0.1 remote-address=pool1
/ppp secret add name=username password=StrongPassword \
    profile=default service=any
```
For enhanced security, consider RADIUS authentication for centralized user management.
WireGuard Remote Access
Configure WireGuard with a pool of client addresses:
```
/interface wireguard add name=wg-in \
    private-key=SERVER_PRIVATE_KEY \
    listen-port=51820
# the router's own address inside the client pool
/ip address add address=10.0.10.1/24 interface=wg-in
/interface wireguard peers add \
    interface=wg-in \
    public-key=CLIENT_PUBLIC_KEY \
    allowed-address=10.0.10.2/32
```
Each remote client requires its own peer entry with a unique allowed address.
L2TP/IPsec Remote Access
L2TP with IPsec provides broad client compatibility:
```
/interface l2tp-server server set enabled=yes \
    use-ipsec=yes ipsec-secret=StrongSecret \
    authentication=mschap1,mschap2,chap
```
Performance Considerations
VPN throughput depends on multiple factors including CPU availability, encryption algorithm selection, and network characteristics.
WireGuard offers the best performance due to its kernel-level implementation and efficient cryptographic primitives. On RouterBOARD devices, it can achieve near-gigabit speeds even on mid-range hardware.
OpenVPN performance is significantly lower, typically limited to 50-100 Mbps on typical router hardware due to its userspace implementation and higher protocol overhead.
IPsec performance varies based on encryption algorithm and hardware acceleration support. RouterOS v7 includes optimized IPsec implementations that can achieve several hundred megabits per second on supported hardware.
Security Best Practices
Always use strong authentication and encryption when configuring VPN services. Avoid deprecated protocols like PPTP, which provides no meaningful security. Use certificate-based authentication where possible rather than pre-shared keys for improved key management and forward secrecy.
Keep VPN software up to date to benefit from security patches and improvements. Regularly audit VPN configurations and user accounts, removing unnecessary accounts and revoking unused credentials.
Enable logging and monitoring to detect unusual access patterns or authentication failures. RouterOS provides comprehensive logging capabilities through the /log menu and can forward logs to remote syslog servers.
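As an added example of the monitoring the paragraph above recommends (not code from this page or from MikroTik), the Python below parses RouterOS-style log lines as they would arrive at a syslog collector and flags sources that accumulate repeated VPN authentication failures in a short window, listing the usernames tried. The log lines are constructed samples written in the style of RouterOS log topics, and the threshold and window are assumptions to tune per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of RouterOS log topics as forwarded to syslog
# ("<date> <time> <topics> <message>"); not captured from a real device.
SAMPLE_LOG = """\
2024-05-01 10:00:01 l2tp,ppp,error <203.0.113.5>: user alice authentication failed
2024-05-01 10:00:03 l2tp,ppp,error <203.0.113.5>: user bob authentication failed
2024-05-01 10:00:04 l2tp,ppp,error <203.0.113.5>: user carol authentication failed
2024-05-01 10:00:06 l2tp,ppp,error <203.0.113.5>: user dave authentication failed
2024-05-01 10:00:09 ipsec,error 203.0.113.7 parsing packet failed, possible cause: wrong password
2024-05-01 10:00:30 l2tp,ppp,info <203.0.113.8>: user alice logged in, 10.0.0.12
2024-05-01 10:12:00 l2tp,ppp,error <203.0.113.8>: user alice authentication failed
"""

TS = r"^(?P<ts>\S+ \S+) (?P<topics>\S+) "
PATTERNS = [  # PPP-based auth failure (l2tp,ppp,error etc.) and IPsec PSK mismatch
    re.compile(TS + r"<(?P<src>[\d.]+)>: user (?P<user>\S+) authentication failed$"),
    re.compile(TS + r"(?P<src>[\d.]+) parsing packet failed, possible cause: wrong password$"),
]

def parse_failures(text):
    """Return [(timestamp, source IP, username or None)] for failure lines only."""
    events = []
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.match(line)
            if m:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                events.append((ts, m.group("src"), m.groupdict().get("user")))
                break
    return events

def flag_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count per source: {src: (most failures seen inside one
    window, sorted usernames tried)} for sources reaching `threshold`."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events, key=lambda e: e[0]):
        by_src[src].append((ts, user))
    flagged = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(src, (0,))[0]:
                users = sorted({u for _, u in items[start:end + 1] if u})
                flagged[src] = (count, users)
    return flagged
```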
See Also
- WireGuard Configuration - Detailed WireGuard setup guide
- L2TP VPN - L2TP and L2TP/IPsec configuration
- IPsec Tunnel - IPsec site-to-site setup
- PPTP - Legacy PPTP configuration (not recommended for new deployments)
- ZeroTier - ZeroTier SD-WAN integration