Overview: if we have provided you with a bespoke L2TP connection, perhaps to access a client device behind NAT or dynamic IP, then this article will show you how to connect a MikroTik device to the VPN.

You will need the following information before you begin:

  • Admin details to acces the MikroTik device via WinBox or WebFig
  • L2TP server IP: ---.---.---.---
  • L2TP username: _ _ _ _ _ _
  • L2TP password: _ _ _ _ _ _
  • IP Sec pre-shared key: _ _ _ _ _ _ 
  • Public HTTP port number: _ _ _ _ _

WARNING: Before you add this L2TP connection, please set a VERY complex "admin" password of at least 16 characters - including special symbols - in order to reduce your device security risks; the "admin" password is nothing to do with the L2TP password.

From WinBox or WebFig navigate to Interfaces > Add > L2TP client > [enter the details below and click OK]

"General" tab:

Max MTU: 1400

Max MRU: 1400

"Dial out" tab:

Connect To: {L2TP server IP}

User: {L2TP username} 

Password: {L2TP password} 

Use IPsec: Yes (enabled)

IPsec Secret: {IP Sec pre-shared key}

Once the link is up (check IP > Addresses, and you should see an IP such as 172.16.xxx.xxx) then you can test accessing the device publically:

http://xxx.xxx.xxx.xxx:yyyyy (replace xxx with the L2TP server IP, and replace yyyy with the public HTTP port number)

You should now have access to port 80 on the local device; if you need another port (such as HTTPS port 443) then simply ask us for the port forwarding rule to be modified for this VPN client).


The standard MikroTik firewall may block inbound traffic to the L2TP VPN. The recommended change to the firewall is to "inform" the firewall that this is legitimate traffic. Here's how:

 From WinBox or WebFig navigate to IP> Firewall> Address Lists tab > [Click + to add a new list]

Name: RemoteSupport

Address: [Click OK]

Navigate back to the Filter Rules tab, and look for a rule called "defconf: drop all not coming from LAN" [double-click to edit this rule] Note: some MikroTik models do not come with a default set of firewall rules, but most do.

On the Advanced tab select RemoteSupport from the "Scr. Address List", click the box (this places an exclamation mark ! in the box), then click OK.

Explanation: This firewall rule normally blocks all inbound traffic except from the LAN interface. We have also added the RemoteSupport (VPN) traffic to this exception; the ! mark is "not", in effect saying "only block traffic NOT from the RemoteSupport VPN, and NOT from the LAN."

Tip: you may find this Windows VPN article useful too - https://internetservices.freshdesk.com/en/support/solutions/articles/5000866097-windows-l2tp-vpn-client-allow-internet-browsing

By having an L2TP connection on your computer (or router) you can connect directly to the VPN clients via their 172.16.xxx.xxx IP address.