If you need a VPN that every device can connect to without installing anything, L2TP/IPsec is your best bet. Windows, macOS, iOS, Android, and Linux all have built‑in L2TP clients. While WireGuard is faster and more modern, it requires a separate app on every client. L2TP/IPsec trades a bit of speed for universal compatibility – and MikroTik makes the server setup straightforward.
Why L2TP/IPsec?
- Zero client software – Every major OS has a built‑in L2TP/IPsec client. No WireGuard app, no OpenVPN config files.
- Strong encryption – IPsec wraps L2TP in AES‑256 encryption. Much safer than PPTP (which is broken).
- Wide compatibility – Works behind most firewalls and NAT devices with NAT‑T (UDP 4500).
- Per‑user authentication – Each user gets a unique username/password, plus a shared IPsec pre‑shared key (PSK).
- RADIUS integration – Pair with MikroRadius for centralised billing and account management.
When to Use L2TP/IPsec vs. WireGuard
| Feature | L2TP/IPsec | WireGuard |
|---|---|---|
| Client app required | ❌ No (built‑in) | ✅ Yes (WireGuard app) |
| Speed | 🐢 Moderate (double encapsulation) | 🚀 Very fast |
| Security | ✅ Good (AES‑256 + SHA256) | ✅ Excellent (ChaCha20) |
| RouterOS version | v6 and v7 | v7.1+ only |
| NAT traversal | ✅ Built‑in (NAT‑T) | ✅ Built‑in |
| Best for | BYOD, guest access, legacy devices | Permanent tunnels, performance |
Use L2TP/IPsec when you can't install apps on client devices, or when you need to support older systems (Windows 7, legacy phones). Use WireGuard when speed matters and you control the client devices.
Prerequisites
- A MikroTik router with RouterOS v6 or v7 (L2TP works on both).
- A public IP address (static or dynamic with DDNS).
- WinBox or SSH access.
- Ports open: UDP 500 (IKE), UDP 4500 (NAT‑T), and UDP 1701 (L2TP).
- Basic router setup complete (see our beginner's guide).
Step 1: Create an IP Pool for VPN Clients
Each connected VPN user needs a unique private IP. Use a subnet that doesn't conflict with your existing LAN.
/ip pool add name=l2tp-pool ranges=10.10.10.2-10.10.10.100
WinBox: IP → Pool → Add New → Name l2tp-pool, ranges 10.10.10.2-10.10.10.100.
Step 2: Create a PPP Profile for L2TP Users
The profile defines the gateway IP, DNS, and encryption settings for all VPN connections.
/ppp profile add name=l2tp-profile local-address=10.10.10.1 remote-address=l2tp-pool dns-server=1.1.1.1,8.8.8.8 use-encryption=required use-compression=no change-tcp-mss=yes
WinBox: PPP → Profiles → Add New.
local-address= the VPN gateway IP (this router's tunnel endpoint).remote-address= the pool name (clients pick from this range).use-encryption=required= force IPsec encryption; reject unencrypted connections.change-tcp-mss=yes= prevents MTU issues that cause websites to load partially.
Step 3: Add VPN User Accounts (PPP Secrets)
Create a username and password for each VPN user.
/ppp secret add name=alice password=StrongP@ss2026 service=l2tp profile=l2tp-profile
/ppp secret add name=bob password=An0therStr0ng! service=l2tp profile=l2tp-profile
WinBox: PPP → Secrets → Add New → Service = l2tp, Profile = l2tp-profile.
Tip: For large deployments, use MikroRadius instead of local secrets – it handles account creation, expiry, and billing automatically (see Step 9).
Step 4: Enable the L2TP Server
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile authentication=mschap2 use-ipsec=required ipsec-secret="YourIPsecPSK2026"
WinBox: PPP → Interface → L2TP Server → Check Enabled.
Key settings:
use-ipsec=required– Critical. This forces all L2TP connections to be wrapped in IPsec encryption. Without this, L2TP traffic is sent in cleartext.ipsec-secret– The pre‑shared key (PSK) that all clients must enter. Make it strong (20+ characters). This is not the user password – it's a shared secret for the IPsec layer.authentication=mschap2– The most secure PPP authentication method for L2TP. Avoid PAP/CHAP.
Note: When you set use-ipsec=required, RouterOS v6.44+ automatically creates the necessary IPsec peer, policy, and proposal entries. You do not need to configure IPsec manually. If you're running an older version, see the Advanced section below.
Step 5: Firewall Rules – Allow L2TP/IPsec Traffic
Add these rules before your final drop rule in the input chain.
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept comment="Allow IKE (IPsec)"
/ip firewall filter add chain=input protocol=udp dst-port=4500 action=accept comment="Allow NAT-T (IPsec)"
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=accept comment="Allow L2TP"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="Allow ESP"
WinBox: IP → Firewall → Filter Rules → Add New for each rule.
Important: Place these rules above your chain=input action=drop rule. See our firewall basics guide for proper rule ordering.
Step 6: NAT Masquerade for VPN Clients
Allow VPN clients to access the internet through the router.
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade comment="L2TP VPN masquerade"
Step 7: (Optional) Allow VPN Clients to Access LAN
If VPN users need to reach devices on your local network (e.g., file servers, printers), add forward chain rules.
/ip firewall filter add chain=forward src-address=10.10.10.0/24 dst-address=192.168.88.0/24 action=accept comment="L2TP to LAN"
/ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=10.10.10.0/24 action=accept comment="LAN to L2TP"
Replace 192.168.88.0/24 with your actual LAN subnet.
Step 8: Connect Clients
Now configure VPN on each client device. You need three things:
- Server address: Your router's public IP (or DDNS hostname).
- Pre‑shared key: The
ipsec-secretfrom Step 4. - Username/password: From Step 3.
8.1 Windows 10/11
- Settings → Network & Internet → VPN → Add VPN.
- VPN provider: Windows (built‑in).
- Connection name: anything (e.g., "Office VPN").
- Server name: your public IP or DDNS hostname.
- VPN type: L2TP/IPsec with pre‑shared key.
- Pre‑shared key: enter your
ipsec-secret. - Username/password: your PPP secret credentials.
- Save and connect.
Windows fix: If the connection fails with Error 809 and you're behind a NAT, open Registry Editor and create/set this DWORD:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
AssumeUDPEncapsulationContextOnSendRule = 2
Reboot after the change.
8.2 macOS
- System Settings → Network → Add VPN Configuration → L2TP over IPSec.
- Server Address: your public IP.
- Account Name: your PPP username.
- Authentication Settings → Machine Authentication: Shared Secret → enter the PSK.
- User Authentication: Password → enter your PPP password.
- Connect.
8.3 iOS (iPhone/iPad)
- Settings → General → VPN & Device Management → Add VPN Configuration.
- Type: L2TP.
- Description: "Office VPN".
- Server: your public IP.
- Account: PPP username.
- Password: PPP password.
- Secret: the IPsec PSK.
- Save and toggle VPN on.
8.4 Android
- Settings → Network & Internet → VPN → Add VPN.
- Name: "Office VPN".
- Type: L2TP/IPSec PSK.
- Server address: your public IP.
- IPSec pre‑shared key: enter the PSK.
- Username/password: PPP credentials.
- Save and connect.
8.5 Linux
Install the L2TP client packages:
sudo apt install network-manager-l2tp network-manager-l2tp-gnome
Then: Settings → Network → VPN → Add → Layer 2 Tunneling Protocol (L2TP). Fill in server, username, password, and PSK under IPsec Settings.
Step 9: RADIUS Integration (MikroRadius)
For production deployments with many users, managing PPP secrets locally becomes painful. Point your router to a RADIUS server for centralised authentication, billing, and session control.
9.1 Add RADIUS Server
/radius add address=YOUR_RADIUS_IP secret=shared_secret service=ppp authentication-port=1812 accounting-port=1813
9.2 Enable RADIUS for PPP
/ppp aaa set use-radius=yes accounting=yes interim-update=5m
9.3 Fallback to Local Secrets
/ppp aaa set use-radius=yes interim-update=5m
Now MikroRadius handles user creation, bandwidth limits, session expiry, and usage tracking – all from a web dashboard. No more editing PPP secrets manually for every new user.
Step 10: Test the VPN
- Connect from a client device using the instructions in Step 8.
- Check your public IP at
whatismyip.com– it should show the router's WAN IP. - On the router, verify active sessions:
/ppp active print
/interface l2tp-server print
You should see the connected user with their assigned IP from the pool.
- Verify IPsec encryption is active:
/ip ipsec active-peers print
/ip ipsec installed-sa print
You should see SAs with state=established and traffic counters increasing.
Troubleshooting
- Error 809 (Windows): The client is behind NAT and needs the registry fix (see Step 8.1). Also verify UDP 500 and 4500 are open on your router's firewall.
- Error 789 (Windows): The IPsec PSK doesn't match. Double‑check the
ipsec-secreton the server and the pre‑shared key on the client – they must be identical. - Connection times out: Ensure your ISP isn't blocking UDP 500/4500. Some mobile carriers and corporate firewalls block IPsec. Try using mobile data to test.
- Connects but no internet: Verify the NAT masquerade rule (Step 6) exists and covers
10.10.10.0/24. Also check that the router itself has working internet. - Can't reach LAN devices: Add the forward rules from Step 7. Also ensure LAN devices have a route back to 10.10.10.0/24 (they usually do, since the router is their gateway).
- Slow speeds: L2TP/IPsec uses double encapsulation, which adds overhead. On low‑end MikroTik routers (hEX lite, RB750), you may see 50–100 Mbps max. For faster VPN, use WireGuard.
- Multiple clients behind same NAT: Only one L2TP client can connect from behind the same NAT by default (Windows limitation). To fix, apply the
AssumeUDPEncapsulationContextOnSendRuleregistry fix on all clients. - IPsec SAs not establishing: Run
/ip ipsec active-peers print. If empty, the IKE negotiation is failing. Check that the pre‑shared key and proposals match. On RouterOS v7, run/log print where topics~"ipsec"for detailed errors.
Advanced: Manual IPsec Configuration (RouterOS < 6.44)
On older RouterOS versions, use-ipsec=required may not auto‑generate IPsec entries. Configure manually:
IPsec Proposal
/ip ipsec proposal set [find default=yes] auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h pfs-group=modp2048
IPsec Peer (accept from any address)
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp secret="YourIPsecPSK2026" send-initial-contact=no
IPsec Policy
/ip ipsec policy set [find default=yes] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=udp src-port=1701 dst-port=1701 action=encrypt level=require ipsec-protocols=esp
This manually wraps all L2TP traffic (port 1701) in IPsec.
Advanced: Bandwidth Limits for VPN Users
You can limit each VPN user's speed via the PPP profile or per‑user secret, just like PPPoE.
Limit all VPN users equally
/ppp profile set l2tp-profile rate-limit="20M/10M"
This gives 20 Mbps download / 10 Mbps upload to every L2TP user.
Limit a specific user
/ppp secret set alice rate-limit="50M/20M"
Advanced: Split Tunnelling vs. Full Tunnel
By default, most clients send all traffic through the VPN (full tunnel). If you only want to route traffic to your office LAN through the VPN (split tunnel):
- Windows: In the VPN adapter properties → Networking → IPv4 → Advanced → uncheck "Use default gateway on remote network".
- macOS: Not natively supported for L2TP. Use a routing script or WireGuard for split tunnel.
- On the router: Don't add the masquerade rule (Step 6) if you only want LAN access, not internet via VPN.
Security Best Practices
- Use a long IPsec PSK – At least 20 characters, random. The PSK is shared among all users, so make it strong.
- Use unique PPP passwords – Each user should have their own credentials. Never share accounts.
- Restrict management access – Block VPN clients from accessing the router's management ports (WinBox, SSH) unless needed:
/ip firewall filter add chain=input src-address=10.10.10.0/24 protocol=tcp dst-port=8291,22 action=drop comment="Block VPN from router mgmt"
- Monitor active sessions – Regularly check
/ppp active printfor unexpected connections. - Consider WireGuard for new deployments – If all your clients can install the WireGuard app, it's faster and has a smaller attack surface.
Complete Copy‑Paste Script
Here's the entire L2TP/IPsec server setup in one block. Change the IPs, passwords, and PSK to match your network.
# IP Pool for VPN clients
/ip pool add name=l2tp-pool ranges=10.10.10.2-10.10.10.100
# PPP Profile
/ppp profile add name=l2tp-profile local-address=10.10.10.1 remote-address=l2tp-pool dns-server=1.1.1.1,8.8.8.8 use-encryption=required change-tcp-mss=yes
# User accounts
/ppp secret add name=alice password=StrongP@ss2026 service=l2tp profile=l2tp-profile
/ppp secret add name=bob password=An0therStr0ng! service=l2tp profile=l2tp-profile
# Enable L2TP Server with IPsec
/interface l2tp-server server set enabled=yes default-profile=l2tp-profile authentication=mschap2 use-ipsec=required ipsec-secret="YourIPsecPSK2026"
# Firewall – allow L2TP/IPsec traffic (add BEFORE your drop rule)
/ip firewall filter add chain=input protocol=udp dst-port=500 action=accept comment="Allow IKE"
/ip firewall filter add chain=input protocol=udp dst-port=4500 action=accept comment="Allow NAT-T"
/ip firewall filter add chain=input protocol=udp dst-port=1701 action=accept comment="Allow L2TP"
/ip firewall filter add chain=input protocol=ipsec-esp action=accept comment="Allow ESP"
# NAT for VPN internet access
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade comment="L2TP masquerade"
# (Optional) Allow VPN to LAN
/ip firewall filter add chain=forward src-address=10.10.10.0/24 dst-address=192.168.88.0/24 action=accept comment="L2TP to LAN"
/ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=10.10.10.0/24 action=accept comment="LAN to L2TP"
Comparison: L2TP/IPsec vs. Other MikroTik VPN Options
| Feature | L2TP/IPsec | WireGuard | PPTP | SSTP |
|---|---|---|---|---|
| Security | ✅ Good (AES‑256) | ✅ Excellent | ❌ Broken | ✅ Good (SSL) |
| Speed | 🐢 Moderate | 🚀 Very fast | ⚡ Fast | 🐢 Moderate |
| Built‑in client | ✅ All OS | ❌ App required | ⚠️ Removed from Win11 | ✅ Windows only |
| RouterOS version | v6 + v7 | v7.1+ only | v6 + v7 | v6 + v7 |
| NAT friendly | ✅ NAT‑T | ✅ Native | ⚠️ GRE issues | ✅ TCP 443 |
| RADIUS support | ✅ Full | ❌ No (static peers) | ✅ Full | ✅ Full |
| Best use case | BYOD / no‑app VPN | Performance | Never | Firewall bypass |
Conclusion
L2TP/IPsec on MikroTik gives you a universally compatible VPN that works on every device without installing anything. It's the ideal choice when you need to provide VPN access to employees using personal devices, guests, or clients running older operating systems.
For permanent site‑to‑site tunnels or high‑throughput scenarios, consider our WireGuard guide or site‑to‑site IPsec tutorial. And if you're managing more than a handful of VPN users, MikroRadius will save you hours of manual PPP secret management.
Need help choosing the right VPN for your network? Start with our beginner's MikroTik setup guide to get the foundation right, then layer on the VPN that fits your use case.