VPN Configuration - Mikrotik Router

Log in to your router using a web browser or the WinBox application.
Enter the default router address: http://192.168.88.1
Go to "PPP" (1) and add (2) new interface "PPTP Client" (3)
In "General" (4), in the "Name" (5) field, enter the interface name: VPNonline-PPTP
In the "Max MTU" (6) and "Max MRU" (7) fields, enter the value "1400"
Go to "Dial Out" (8) tab and fill in the following fields:
In the "Connect to:" (9) field, enter the name of one of our VPN servers.
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "User:" (10) field, enter your login name
In the "Password:" (11) field, enter your password
To confirm the entered data, click "OK" (12)
Click the "IP" (13), then "Firewall" (14)
In the "Firewall" select the "NAT" (15) tab, then add new rule (16)
In the "General" (17) tab, select "Chain: srcnat" (18) then "Out. Interface: VPNonline-PPTP" (19)
Go to "Action" (20) tab, in the "Action" (21) field, select "masquerade".
Click "OK" (22)
Go to "Mangle" (23) tab and add new rule (24)
In the "New Mangle Rule", select "General" (25) tab, then select "Chain: prerouting" (26)
In the "Src Address" (27) field, enter the IP addresses of the computers that are to pass through the VPN tunnel.
In the example, we have entered the entire pool of IP addresses 192.168.88.2 - 192.168.88.254, but you can instead enter the single IP address of a host, e.g. 192.168.88.10. In that case only this host will go through the VPN, and its public IP address will change to the IP address of the VPN server (e.g. Poland). The other hosts from the 192.168.88.0 pool will go through the local Internet connection and will be visible on the Internet under the local public IP address.
Go to "Action" (28) tab, in the "Action" field, select "mark routing" (29)
In the "New Routing Mark" (30) field, select "VPNonline"
To approve changes, click "Apply" (31) and "OK" (32)
Go to "IP" (33) and "Routes" (34)
In the "Route List", select "Routes" (35) tab and add new rule (36)
In the "New Route" window, go to "General" (37) tab and select:
"Dst. Address" (38) - 0.0.0.0/0
"Gateway" (39) - VPNonline-PPTP
"Routing Mark" (40) - VPNonline
To approve changes, click "OK" (41)
A new route has been added (42) and the VPN connection should be established.
Log in to your router using a web browser or the WinBox application.
Enter the default router address: http://192.168.88.1
Go to "PPP" (1) and add (2) new interface "L2TP Client" (3)
In "General" (4), in the "Name" (5) field, enter the interface name: VPNonline-L2TP
Go to "Dial Out" (6) tab and fill in the fields below:
In the "Connect to:" (7) field, enter the name of one of our VPN servers
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "User:" (8) field, enter your user name
In the "Password:" (9) field, enter your password
Check "Use IPsec" and, in the "IPsec Secret:" (10) field, enter: vpnonline.pl
Check "Allow mschap2" (11)
To confirm the entered data, click "OK" (12)
Go to "IP" (13) tab, then "Firewall" (14)
In the "Firewall" select the "NAT" (15) tab, then add new rule (16)
In the "General" (17) tab, select "Chain: srcnat" (18), then "Out. Interface: VPNonline-L2TP" (19)
Go to "Action" (20) tab, in the "Action" (21) field, select "masquerade".
Click "OK" (22)
Go to "Mangle" (23) and add new rule (24)
In the "New Mangle Rule", select "General" (25) tab, then select "Chain: prerouting" (26)
In the "Src Address" (27) field, enter the IP addresses of the computers that are to pass through the VPN tunnel.
In the example, we have entered the entire pool of IP addresses 192.168.88.2 - 192.168.88.254, but you can instead enter the single IP address of a host, e.g. 192.168.88.10. In that case only this host will go through the VPN, and its public IP address will change to the IP address of the VPN server (e.g. Poland). The other hosts from the 192.168.88.0 pool will go through the local Internet connection and will be visible on the Internet under the local public IP address.
Go to "Action" (28) tab, in the "Action" field, select "mark routing" (29)
In the "New Routing Mark" (30) field, select "VPNonline"
To approve changes, click "OK" (31)
Go to "IP" (32) and "Routes" (33)
In the "Route List", "Routes" (34) tab, add new rule (35)
In the "New Route", "General" (36) tab, select:
"Dst. Address" (37) - 0.0.0.0/0
"Gateway" (38) - VPNonline-L2TP
"Routing Mark" (39) - VPNonline
To confirm the entered data, click "OK" (40)
A new route has been added (41) and the VPN connection should be established.
Log in to your router using a web browser or the WinBox application.
Enter the default router address: http://192.168.88.1
Go to "PPP" (1) and add (2) new interface "SSTP Client" (3)
In the "General" (4) tab, "Name" (5) field, enter the interface name: VPNonline-SSTP
Go to "Dial Out" (6) tab, and fill in the fields below:
In the "Connect to:" (7) field, enter the name of one of our VPN servers
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "Port:" (8) field, enter: "443"
Uncheck: "Verify Server Certificate" and others (9)
In the "User:" (10) field, enter your user name
In the "Password:" (11) field, enter your password
In the "Allow:" (12) field, select "mschap2" only
To confirm the entered data, click "OK" (13)
Click the "IP" (14) then "Firewall" (15)
In the "Firewall", select the "NAT" (16) tab, then add new rule (17)
In the "General" (18), select "Chain: srcnat" (19) and "Out. Interface: VPNonline-SSTP" (20)
Go to "Action" (21) tab, in the "Action" (22) field, select "masquerade".
Click "OK" (23)
Go to "Mangle" (24) tab, add new rule (25)
In the "New Mangle Rule", select "General" (26) tab, then select "Chain: prerouting" (27)
In the "Src Address" (28) field, enter the IP addresses of the computers that are to pass through the VPN tunnel.
Go to "Action" (29) tab, in the "Action" field, select "mark routing" (30)
In the "New Routing Mark" (31) field, select "VPNonline"
To approve changes, click "OK" (32)
Go to "IP" (33) and "Routes" (34)
In the "Route List", "Routes" (35), add new rule (36)
In the "New Route", "General" (37) tab, select:
"Dst. Address" (38) - 0.0.0.0/0
"Gateway" (39) - VPNonline-SSTP
"Routing Mark" (40) - VPNonline
To approve changes, click "OK" (41)
A new route has been added (42) and the VPN connection should be established.
Log in to your router using a web browser or the WinBox application.
Enter the default router address: http://192.168.88.1
In the "General" (4) tab, "Name" (5) field, enter the interface name: VPNonline-OpenVPN
Go to "Dial Out" (6) tab, and fill in the fields below:
In the "Connect to:" (7) field, enter the name of one of our VPN servers
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "Port:" (8) field, enter: 993 or 443 depending on the selected VPN server
In the "User:" (9) field, enter your user name
In the "Password:" (10) field, enter your password
In the "Auth:" (11) field, select: sha1
In the "Cipher:" (12) field, select: aes128
To confirm the entered data, click "OK" (13)
Click the "IP" (14), then "Firewall" (15)
In the "Firewall", select the "NAT" (16) tab, then add new rule (17)
In the "General" (18), select "Chain: srcnat" (19) and "Out. Interface: VPNonline-OpenVPN" (20)
Go to "Action" (21) tab, in the "Action" (22) field, select "masquerade".
Click "OK" (23)
Go to "Mangle" (24) tab, add new rule (25)
In the "New Mangle Rule", select "General" (26) tab, then select "Chain: prerouting" (27)
In the "Src Address" (28) field, enter the IP addresses of the computers that are to pass through the VPN tunnel.
Go to "Action" (29) tab, in the "Action" field, select "mark routing" (30)
In the "New Routing Mark" (31) field, select "VPNonline"
To approve changes, click "OK" (32)
Go to "IP" (33) and "Routes" (34)
In the "Route List", "Routes" (35), add new rule (36)
In the "New Route", "General" (37) tab, select:
"Dst. Address" (38) - 0.0.0.0/0
"Gateway" (39) - VPNonline-OpenVPN
"Routing Mark" (40) - VPNonline
To approve changes, click "OK" (41)
A new route has been added (42) and the VPN connection should be established.
Access to the router through the VPN (the fixed IP address will be assigned by VPNonline on one of the VPN servers). It works very well on GSM / LTE links.
Only the ports defined below will pass through the VPN tunnel.
Any other Internet traffic will go through the local Internet connection.
Winbox - TCP 8291 (default port)
SSH - TCP 22 (default port)
Interface VPN - VPNonline-PPTP (sample VPN interface)
1. Mangle traffic (Mark Routing) for the selected service or ports used for access to the router (Chain Prerouting and Output).
The entries below must be the first of the Mangle rules.
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp dst-port=8291 log=no log-prefix=""
add chain=prerouting action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp dst-port=22 log=no log-prefix=""
add chain=output action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp src-port=8291 log=no log-prefix=""
add chain=output action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp src-port=22 log=no log-prefix=""
2. Static route to the Internet via VPN interface with selected Mark Routing
/ip route
add distance=1 gateway=VPNonline-PPTP routing-mark=VPNonline
3. Rule on the Firewall allowing traffic to the router from the Internet via the VPN interface (VPNonline-PPTP)
/ip firewall filter
add chain=input action=accept protocol=tcp routing-mark=VPNonline in-interface=VPNonline-PPTP dst-port=8291 log=no log-prefix=""
add chain=input action=accept protocol=tcp routing-mark=VPNonline in-interface=VPNonline-PPTP dst-port=22 log=no log-prefix=""
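The routing-mark decisions described in this guide can be modelled outside the router. The Python model below is an added example, not part of the original guide; it covers both the per-host rule from the client setup steps and the requirement above that the management rules come first. Assumptions: the CLI form of the per-host rule, the sample packets, and the catch-all rule for a second uplink named ISP2 are constructed.

```python
import shlex
from ipaddress import ip_address

def parse(text):
    """One dict of properties per RouterOS 'add key=value ...' line."""
    return [dict(t.split("=", 1) for t in shlex.split(line)[1:])
            for line in text.strip().splitlines()]

def matches(rule, pkt):
    """True if the packet satisfies every matcher present in the rule."""
    for key in ("chain", "protocol", "dst-port", "src-port"):
        if key in rule and rule[key] != str(pkt.get(key)):
            return False
    if "src-address" in rule:  # single address or "first-last" range
        first, _, last = rule["src-address"].partition("-")
        addr = ip_address(pkt["src-address"])
        if not ip_address(first) <= addr <= ip_address(last or first):
            return False
    return True

def routing_mark(rules, pkt):
    """Walk the rules top to bottom; passthrough=no stops at the first match."""
    mark = None
    for rule in rules:
        if rule.get("action") == "mark-routing" and matches(rule, pkt):
            mark = rule["new-routing-mark"]
            if rule.get("passthrough", "yes") == "no":  # RouterOS default: yes
                break
    return mark

# The page's two output rules, then the per-host rule in CLI form (assumed).
PAGE_RULES = parse('''
add chain=output action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp src-port=8291 log=no log-prefix=""
add chain=output action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp src-port=22 log=no log-prefix=""
add chain=prerouting action=mark-routing new-routing-mark=VPNonline src-address=192.168.88.10
''')
# Constructed, not on the page: a catch-all for a hypothetical second uplink.
CATCH_ALL = parse("add chain=output action=mark-routing new-routing-mark=ISP2 passthrough=no")

# Constructed sample packets.
winbox_reply = {"chain": "output", "protocol": "tcp", "src-port": 8291, "src-address": "10.0.0.2"}
vpn_host = {"chain": "prerouting", "protocol": "tcp", "dst-port": 443, "src-address": "192.168.88.10"}
other_host = dict(vpn_host, **{"src-address": "192.168.88.20"})

if __name__ == "__main__":
    print(routing_mark(PAGE_RULES, winbox_reply))              # page's rules first
    print(routing_mark(CATCH_ALL + PAGE_RULES, winbox_reply))  # catch-all first
    print(routing_mark(PAGE_RULES, other_host))                # not a VPN host
```

With the catch-all placed first, the Winbox reply is marked ISP2 and never reaches the VPNonline rules, so the reply leaves by a different path than the one the connection arrived on.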
Only the ports defined below will be redirected from the Internet through the VPN tunnel.
Ports to redirect - WWW server - TCP 80, 8080 (sample ports)
Internal IP address - WWW server - 192.168.88.200
Interface VPN - VPNonline-PPTP (sample VPN interface)
1. Add DST NAT rules for specific ports and add Masquerade for hosts going through VPN
The order of the lines is important!
/ip firewall nat
add action=dst-nat chain=dstnat comment="Access to server WWW via VPNonline" dst-port=80 in-interface=VPNonline-PPTP protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=dst-nat chain=dstnat dst-port=8080 in-interface=VPNonline-PPTP protocol=tcp to-addresses=192.168.88.200 to-ports=8080
add action=masquerade chain=srcnat comment="Masquerade for VPN" out-interface=VPNonline-PPTP
2. Mark traffic to the server (192.168.88.200) in the Mangle section (New Routing Mark)
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Server WWW" new-routing-mark=VPNonline passthrough=yes src-address=192.168.88.200
3. Static route to the Internet via the VPN interface with selected Mark Routing
/ip route
add distance=1 gateway=VPNonline-PPTP routing-mark=VPNonline
4. Firewall rule allowing traffic from the Internet to the WWW server (192.168.88.200)
For redirection, we use the forward chain; the order of the lines is important!
/ip firewall filter
add action=accept chain=forward comment="Access to server WWW via VPNonline" dst-port=80 in-interface=VPNonline-PPTP protocol=tcp routing-mark=VPNonline
add action=accept chain=forward dst-port=8080 in-interface=VPNonline-PPTP protocol=tcp routing-mark=VPNonline
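A review of an exported configuration for the settings this guide changes, as an added Python example (not part of the original guide): it reports an SSTP client that does not verify the server certificate, management ports accepted on the input chain without a source restriction, and dst-nat forwards open to any source. The sample export, the server name vpn.example.invalid, the USER placeholder and the address list named admins are constructed.

```python
import shlex

MGMT_PORTS = {"22", "8291"}  # SSH and Winbox defaults named on the page

def parse_export(text):
    """Yield (menu, properties) for every 'add' line under a '/menu' header."""
    menu = None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return items to review: settings that widen exposure of router or LAN."""
    findings = []
    for menu, p in parse_export(text):
        unrestricted = "src-address" not in p and "src-address-list" not in p
        if menu == "/interface sstp-client":
            # RouterOS default for this property is "no"
            if p.get("verify-server-certificate", "no") == "no":
                findings.append(f"sstp {p['name']}: server certificate not verified")
        elif menu == "/ip firewall filter" and p.get("chain") == "input":
            ports = set(p.get("dst-port", "").split(",")) & MGMT_PORTS
            if p.get("action") == "accept" and ports and unrestricted:
                for port in sorted(ports, key=int):
                    findings.append(f"input {p.get('in-interface')}: tcp/{port} open to any source")
        elif menu == "/ip firewall nat" and p.get("action") == "dst-nat" and unrestricted:
            findings.append(f"dst-nat {p.get('in-interface')}:{p['dst-port']} -> "
                            f"{p['to-addresses']}:{p['to-ports']} from any source")
    return findings

# Constructed export: rules in the page's style, a placeholder SSTP client and
# one hypothetical rule restricted to an address list named "admins".
SAMPLE = '''
/interface sstp-client
add name=VPNonline-SSTP connect-to=vpn.example.invalid port=443 user=USER verify-server-certificate=no
/ip firewall filter
add chain=input action=accept protocol=tcp in-interface=VPNonline-PPTP dst-port=8291
add chain=input action=accept protocol=tcp in-interface=VPNonline-PPTP dst-port=22 src-address-list=admins
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80 in-interface=VPNonline-PPTP protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=masquerade chain=srcnat out-interface=VPNonline-PPTP
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```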