MikroTik CHR How to set-up L2TP VPN Server. VPN server for Apple devices - Iphone, MacBook.

As we know, Apple does not support PPTP VPN protocol on its own devices. 
One of the protocols supported by Apple devices is L2TP/IPsec.

In this Knowledgebase article, we will show you how to configure a MikroTik VPN server with L2TP with IPSec.

First of all, You have to choose one of our MikroTik CHR VPS packets https://www.bgocloud.com/hosting/mikrotik-vps

When you already have your own MikroTik CHR, you have to access the router and set a password to the admin account and made some security updates. 
Please follow this article for necessary system protection for your MikroTik Router https://www.bgocloud.com/knowledgebase/34/mikrotik-chr-basic-system-protection.html.

An example diagram gives an idea of ​​what needs to be done
We will try to follow this diagram. Unfortunately, the Public IP address of our router will be different. In our scenario, it is

Open your browser and access MikroTik CHR and login with your admin account and your password. 
If you access the router through a web browser you will see this:

Press only the WebFig button:

It is essential to make sure that our router is up to date.
Please, follow these steps and make the update of your router: (If your router is already up to date you can skip this step)

From left-side menu we choose: System --> Packages --> Press Check for Update
When you click Check for Update, if your router OS is not lates version, you can choose Download and Install option. 
This option will download the latest version of Router OS and install it. The router will be restarted automatically. 
After the restart, you have to login again and press the WebFig button.   

In our case, I will add a bridge interface to our router and name it "local."

Maybe you already have some bridge and local IP address. You can use it. It is not mandatory to do this if you already have configured network topologies. 

You can add fast and easy the new bridge with this command in Router OS terminal: 

[admin@MikroTik] > interface bridge add name=lcoal 

Or you can make it from Web interface or Winbox: 

We can see the result in the Interfaces tab

Now it is time to set an IP address for our Local network. 
We are looking from the first pictures, and the IP address will be: with netmask (  and place it on the "local" interface. 
If you have your IP address configured, you can skip these steps. You can use the IP address from your network topology.

It can be done easily with this command in MikroTik OS terminal: 

[admin@MikroTik] > ip address add address= interface=local

You can add it thought WEB or Winbox. 

Now we have our Mikrotik Router with Public IP address and Private One. 

It is a good idea to add IP Pool from where our L2TP customers will receive their IP addresses. 

The easiest way to do this is with this command in MikroTik Router Os Terminal. You can change the IP address range. 

[admin@MikroTik] > ip pool add name=L2TP ranges=

I choose from our local IP address network.

Here is how it looks  in MikroTik WebFig 

It is time to configure the L2TP server. 
First of all, we have to еnable the L2TP server. 

It is crucial to enable IPsec and set IPsec Secret!

The command for this in MikroTik Router OS Terminal is:

[admin@MikroTik] > interface l2tp-server server set enabled=yes default-profile=default-encryption use-ipsec=yes ipsec-secret=bgocloud authentication=chap,mschap1,mschap2,pap

Let's take a look at Default Profile - Default-Encryption and make some changes there. 

Comand for this in MikroTik Router OS terminal:

[admin@MikroTik] > ppp profile set default-encryption local-address= remote-address=L2TP dns-server=, bridge=local

Maybe it is a good Idea here to enable DNS service on the router; otherwise, our L2TP client will not be able to access DNS server, and they can not open any website. 

If you do not want to use your MikroTik as a DNS server, you can set DNS-servers of google and
But If you want to be able to make some static DNS records you have to enable DNS to your router, here is how this can be done:

The Router OS command for terminal: 

[admin@MikroTik] > ip dns set allow-remote-requests=yes

What we have?
We have a router with Public IP address and  Local IP address, enabled L2TP service, and enabled DNS service. 
It is time to add our clients/users who will be able to connect to our router. 

Here is the terminal command: 

[admin@MikroTik] > ppp secret add name=bgocloud password=bgocloud profile=default-encryption service=l2tp comment="our first account"

Now we have a user with username bgocloud and password bgocloud. 
Of course, you can change it with whatever you want! It is just an example! 

There is only one thing that we have to do, and it is very, very important! 
We have to enable our NAT in Firewall! 
Here is how it can be done:

Here is the Router OS command for terminal:

[admin@MikroTik] > ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

And that's it. We are ready to go!
Now it is time to set up our Apple devices L2TP clients how we can do this follow on this article:


Opt for hosting services with user-friendly client area.

Get Started!