MikroTik VPN Mastery: IPsec, WireGuard, and Site-to-Site Tunnel Configuration Guide
Master MikroTik's comprehensive VPN capabilities with this complete guide covering IPsec, WireGuard, OpenVPN, SSTP, and enterprise site-to-site tunnel configurations for secure network connectivity.
Introduction: MikroTik's VPN Ecosystem
MikroTik RouterOS provides one of the most comprehensive VPN solutions available, supporting multiple protocols to meet various security and performance requirements. Whether you need site-to-site connectivity, remote access for mobile users, or secure client connections, MikroTik has a VPN solution that fits your needs.
This guide covers all major VPN protocols available in RouterOS, from enterprise-grade IPsec to modern WireGuard implementations.
IPsec VPN: Enterprise-Grade Site-to-Site Tunnels
Basic IPsec Configuration
# Phase 1 (IKE) settings live in the profile, Phase 2 (ESP) settings in the proposal.
# The built-in "default" entries are edited with set; add name=default would collide with them.
/ip ipsec profile set default \
dh-group=modp2048 \
dpd-interval=2m \
dpd-maximum-failures=5
/ip ipsec proposal set default \
auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc \
pfs-group=modp2048
# Peer (the remote gateway) and its authentication; the secret is a placeholder to replace
/ip ipsec peer add \
name=site-b \
address=5.6.7.8/32 \
local-address=1.2.3.4 \
profile=default
/ip ipsec identity add \
peer=site-b \
auth-method=pre-shared-key \
secret="[pre-shared key]"
# Policy: which traffic is encrypted towards which peer (tunnel mode)
/ip ipsec policy add \
src-address=192.168.88.0/24 \
dst-address=192.168.89.0/24 \
peer=site-b \
proposal=default \
tunnel=yes \
action=encrypt
IKEv2 with Certificate Authentication
# Generate certificates (IKEv2 clients expect tls-server / tls-client key usage and a SAN)
/certificate add name=ca-template common-name="Company CA" key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate add name=server-template common-name="vpn.company.com" subject-alt-name=DNS:vpn.company.com key-usage=tls-server days-valid=730
/certificate add name=client-template common-name="client@company.com" key-usage=tls-client days-valid=365
/certificate sign ca-template
/certificate sign server-template ca=ca-template
/certificate sign client-template ca=ca-template
# IKEv2 configuration: a policy template group, a passive peer that listens for any
# address, and an identity that holds the authentication settings (on RouterOS 6.44+ and v7
# auth-method and certificate belong to /ip ipsec identity, not to the peer)
/ip ipsec policy group add name=ike2-policies
/ip ipsec policy add \
group=ike2-policies \
src-address=0.0.0.0/0 \
dst-address=0.0.0.0/0 \
proposal=default \
template=yes
/ip ipsec peer add \
name=ike2-server \
address=0.0.0.0/0 \
exchange-mode=ike2 \
passive=yes \
profile=default \
send-initial-contact=yes
# Clients are accepted when they present a certificate signed by ca-template
/ip ipsec identity add \
peer=ike2-server \
auth-method=digital-signature \
certificate=server-template \
generate-policy=port-strict \
policy-template-group=ike2-policies
Road Warrior IPsec Setup
# Mobile client configuration: create the address pool first, then the mode-config that hands it out
/ip pool add name=vpn-pool ranges=10.0.1.100-10.0.1.200
/ip ipsec mode-config add \
name=road-warrior \
address-pool=vpn-pool \
address-prefix-length=32 \
split-include=192.168.88.0/24
# Policy template: on the responder, src-address is the local LAN and dst-address the client side
/ip ipsec policy group add name=road-warrior
/ip ipsec policy add \
src-address=192.168.88.0/24 \
dst-address=0.0.0.0/0 \
group=road-warrior \
template=yes
# Accept clients from any address; the identity ties the mode-config and template group to them
/ip ipsec peer add name=road-warrior address=0.0.0.0/0 exchange-mode=ike2 passive=yes
/ip ipsec identity add \
peer=road-warrior \
auth-method=digital-signature \
certificate=server-template \
mode-config=road-warrior \
generate-policy=port-strict \
policy-template-group=road-warrior
WireGuard: Modern VPN Performance
WireGuard Server Configuration
# Create WireGuard interface (if private-key is omitted RouterOS generates one; read the
# derived public key back with /interface wireguard print, clients need it)
/interface wireguard add \
name=wg-server \
listen-port=13231 \
private-key="[generate or paste private key]"
# Add IP address to WireGuard interface
/ip address add \
address=10.0.2.1/24 \
interface=wg-server
# Firewall rules for WireGuard (place this before any drop rule in the input chain)
/ip firewall filter add \
chain=input \
protocol=udp \
dst-port=13231 \
action=accept \
comment="Allow WireGuard"
# NAT so clients reach the internet through the WAN interface (ether1 assumed here);
# masquerading on out-interface=wg-server would rewrite traffic going into the tunnel instead
/ip firewall nat add \
chain=srcnat \
src-address=10.0.2.0/24 \
out-interface=ether1 \
action=masquerade \
comment="NAT for WireGuard clients"
WireGuard Peer Configuration
# Add peer (client); allowed-address is both the source filter for packets arriving under
# this key and the prefix routed to it, so give each client its own /32
/interface wireguard peers add \
interface=wg-server \
public-key="[client public key]" \
allowed-address=10.0.2.2/32 \
comment="Mobile Client 1"
# Additional peer
/interface wireguard peers add \
interface=wg-server \
public-key="[client public key]" \
allowed-address=10.0.2.3/32 \
comment="Mobile Client 2"
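As an added example (not from the page or from MikroTik), the following Python derives the public key that fills the "[client public key]" placeholder from a private key with a pure-Python X25519 (RFC 7748), then emits the matching RouterOS peer line and the client's wg-quick configuration. The interface name, tunnel addresses and endpoint passed in are the ones used above; keypair() draws a random private key from os.urandom when none is supplied.

```python
# Added example, not RouterOS code: WireGuard key derivation and peer/client config output.
import base64
import os

_P = 2**255 - 19  # Curve25519 field prime

def _clamp(k: bytes) -> int:
    # Scalar clamping from RFC 7748 section 5; WireGuard applies it to every private key
    a = bytearray(k)
    a[0] &= 248
    a[31] = (a[31] & 127) | 64
    return int.from_bytes(a, "little")

def x25519(k: bytes, u: int = 9) -> bytes:
    """RFC 7748 Montgomery ladder; u=9 (the base point) turns a private key into a public key."""
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    kk = _clamp(k)
    for t in range(254, -1, -1):
        kt = (kk >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3, z3 = pow(da + cb, 2, _P), x1 * pow(da - cb, 2, _P) % _P
        e = (aa - bb) % _P
        x2, z2 = aa * bb % _P, e * (aa + 121665 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def keypair(priv: bytes = b"") -> tuple:
    """(private, public) as the base64 strings RouterOS and wg-quick expect."""
    priv = priv or os.urandom(32)
    return base64.b64encode(priv).decode(), base64.b64encode(x25519(priv)).decode()

def routeros_peer(iface: str, client_pub: str, tunnel_ip: str, comment: str) -> str:
    # Server side: allowed-address is the client's own /32 (cryptokey routing)
    return (f'/interface wireguard peers add interface={iface} public-key="{client_pub}" '
            f'allowed-address={tunnel_ip}/32 comment="{comment}"')

def client_config(client_priv: str, server_pub: str, tunnel_ip: str, endpoint: str, routed: str) -> str:
    # Client side: AllowedIPs is what the client sends into the tunnel (e.g. the office LAN)
    return (f"[Interface]\nPrivateKey = {client_priv}\nAddress = {tunnel_ip}/32\n\n"
            f"[Peer]\nPublicKey = {server_pub}\nEndpoint = {endpoint}\n"
            f"AllowedIPs = {routed}\nPersistentKeepalive = 25\n")
```

In practice wg genkey and wg pubkey produce the same pair; the point is that each side only ever needs the other side's public key, and the private key never leaves the device it was generated on.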
WireGuard Site-to-Site Tunnel
# Site A Configuration (public IP 1.2.3.4; LAN 192.168.88.0/24 assumed, as in the IPsec section)
/interface wireguard add name=wg-site-a listen-port=51820
/ip address add address=10.0.3.1/30 interface=wg-site-a
# allowed-address must also list the remote LAN, or WireGuard drops the routed traffic
/interface wireguard peers add \
interface=wg-site-a \
public-key="[site-b-public-key]" \
allowed-address=10.0.3.2/32,192.168.89.0/24 \
endpoint-address=5.6.7.8 \
endpoint-port=51820 \
persistent-keepalive=25s
/ip route add dst-address=192.168.89.0/24 gateway=wg-site-a
/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="WireGuard site-to-site"
# Site B Configuration (public IP 5.6.7.8; LAN 192.168.89.0/24 assumed)
/interface wireguard add name=wg-site-b listen-port=51820
/ip address add address=10.0.3.2/30 interface=wg-site-b
/interface wireguard peers add \
interface=wg-site-b \
public-key="[site-a-public-key]" \
allowed-address=10.0.3.1/32,192.168.88.0/24 \
endpoint-address=1.2.3.4 \
endpoint-port=51820 \
persistent-keepalive=25s
/ip route add dst-address=192.168.88.0/24 gateway=wg-site-b
/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="WireGuard site-to-site"
OpenVPN: Flexible SSL VPN Solution
OpenVPN Server Setup
# Generate OpenVPN certificates
/certificate add name=ovpn-ca common-name="OpenVPN CA" key-usage=key-cert-sign,crl-sign
/certificate add name=ovpn-server common-name="ovpn.server.com" key-usage=tls-server
/certificate sign ovpn-ca
/certificate sign ovpn-server ca=ovpn-ca
# Client profile and pool (created before the server references them)
/ip pool add name=ovpn-pool ranges=10.0.4.100-10.0.4.200
/ppp profile add name=ovpn-client \
local-address=10.0.4.1 \
remote-address=ovpn-pool
# OpenVPN server configuration; require-client-certificate=yes rejects clients that
# only know a username and password
/interface ovpn-server server \
set certificate=ovpn-server \
auth=sha256 \
cipher=aes256-cbc \
default-profile=ovpn-client \
require-client-certificate=yes \
enabled=yes
OpenVPN Client Configuration
# Client connection to remote server (import the client certificate with its private key
# first; verify-server-certificate=yes makes the client check the server's certificate
# against an imported CA instead of trusting whoever answers)
/interface ovpn-client add \
name=ovpn-to-hq \
connect-to=ovpn.company.com \
port=1194 \
user="client1" \
password="clientpassword" \
certificate=ovpn-client-cert \
verify-server-certificate=yes \
auth=sha256 \
cipher=aes256-cbc \
add-default-route=yes
SSTP: Microsoft-Compatible SSL VPN
SSTP Server Configuration
# Client profile and pool first, so the server can reference them
/ip pool add name=sstp-pool ranges=10.0.5.100-10.0.5.200
/ppp profile add name=sstp-client \
local-address=10.0.5.1 \
remote-address=sstp-pool
# SSTP server setup (webcert must be a certificate the clients trust, with a SAN matching the hostname)
/interface sstp-server server \
set enabled=yes \
certificate=webcert \
default-profile=sstp-client \
authentication=mschap2
# Firewall rules
/ip firewall filter add \
chain=input \
protocol=tcp \
dst-port=443 \
action=accept \
comment="Allow SSTP"
SSTP Client Connection
# SSTP client to remote server; certificate=none means no client certificate, so the
# password is the only client credential, while verify-server-certificate=yes makes the
# client require a server certificate that chains to an imported CA
/interface sstp-client add \
name=sstp-to-office \
connect-to=sstp.company.com \
user="username" \
password="password" \
certificate=none \
verify-server-certificate=yes \
add-default-route=yes
PPTP and L2TP: Legacy Protocol Support
PPTP Server Setup
# PPTP server configuration (legacy only: MS-CHAPv2 and MPPE are cryptographically broken;
# shown for compatibility with old equipment, see the protocol selection guide at the end)
/ip pool add name=pptp-pool ranges=10.0.6.100-10.0.6.200
/ppp profile add name=pptp-client \
local-address=10.0.6.1 \
remote-address=pptp-pool
/interface pptp-server server \
set enabled=yes \
default-profile=pptp-client
L2TP/IPsec Configuration
# L2TP with IPsec: use-ipsec=required makes RouterOS create the IPsec peer, identity and
# policy dynamically, so no manual peer is needed (in current RouterOS the secret belongs
# to /ip ipsec identity, not to the peer, and the l2tp-server sets it via ipsec-secret)
/ip pool add name=l2tp-pool ranges=10.0.7.100-10.0.7.200
/ppp profile add name=l2tp-client \
local-address=10.0.7.1 \
remote-address=l2tp-pool
/interface l2tp-server server \
set enabled=yes \
default-profile=l2tp-client \
use-ipsec=required \
ipsec-secret="sharedsecret123"
Advanced VPN Scenarios
Multi-Site Hub-and-Spoke VPN
# Hub router configuration (main office); branches initiate to the hub's public address,
# so the hub needs no endpoint-address for them (this also works when branches sit behind NAT)
/interface wireguard add name=wg-hub listen-port=51820
/ip address add address=10.255.255.1/24 interface=wg-hub
# Branch office 1 (tunnel IP 10.255.255.2, LAN 192.168.10.0/24): the LAN must be in allowed-address
/interface wireguard peers add \
interface=wg-hub \
public-key="[branch1-public-key]" \
allowed-address=10.255.255.2/32,192.168.10.0/24
# Branch office 2 (tunnel IP 10.255.255.3, LAN 192.168.20.0/24)
/interface wireguard peers add \
interface=wg-hub \
public-key="[branch2-public-key]" \
allowed-address=10.255.255.3/32,192.168.20.0/24
# Routing between sites: the hub forwards branch-to-branch traffic, so each branch's own
# peer entry for the hub must list the other branches' LANs in its allowed-address
/ip route add dst-address=192.168.10.0/24 gateway=10.255.255.2
/ip route add dst-address=192.168.20.0/24 gateway=10.255.255.3
VPN Load Balancing and Failover
# Two VPN paths shared per connection (PCC) with failover. Two plain mark-routing rules
# cannot share traffic: the first matches everything and passthrough=no stops the second.
# Mark each new connection once, then derive the routing mark from the connection mark.
/routing table add name=vpn-route-1 fib
/routing table add name=vpn-route-2 fib
/ip firewall mangle add \
chain=prerouting \
src-address=192.168.88.0/24 \
dst-address=192.168.99.0/24 \
connection-mark=no-mark \
per-connection-classifier=both-addresses:2/0 \
action=mark-connection \
new-connection-mark=vpn-conn-1 \
passthrough=yes
/ip firewall mangle add \
chain=prerouting \
src-address=192.168.88.0/24 \
dst-address=192.168.99.0/24 \
connection-mark=no-mark \
per-connection-classifier=both-addresses:2/1 \
action=mark-connection \
new-connection-mark=vpn-conn-2 \
passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=vpn-conn-1 action=mark-routing new-routing-mark=vpn-route-1 passthrough=no
/ip firewall mangle add chain=prerouting connection-mark=vpn-conn-2 action=mark-routing new-routing-mark=vpn-route-2 passthrough=no
# Routing table setup (RouterOS v7 syntax: routing-table= instead of routing-mark=);
# check-gateway deactivates a dead path so its traffic falls back to the main table
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-table=vpn-route-1 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-table=vpn-route-2 check-gateway=ping
VPN Security Best Practices
Certificate Management
# Create Certificate Authority
/certificate add name=root-ca common-name="Company Root CA" key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign root-ca
# Create server certificate (the SAN must match the name clients connect to)
/certificate add name=vpn-server common-name="vpn.company.com" subject-alt-name=DNS:vpn.company.com key-usage=tls-server days-valid=730
/certificate sign vpn-server ca=root-ca
# Create client certificate and export it with its key for the client device
/certificate add name=vpn-client common-name="client.device.com" key-usage=tls-client days-valid=365
/certificate sign vpn-client ca=root-ca
/certificate export-certificate vpn-client type=pkcs12 export-passphrase="[strong passphrase]"
# Revoke a certificate if compromised (by name, not by a guessed serial) and make the
# router consult its CRL so revoked clients are refused
/certificate issued-revoke vpn-client
/certificate settings set crl-use=yes
Firewall Rules for VPN Security
# IPsec specific rules (accept rules go above the chain's final drop; RouterOS names the
# ESP protocol ipsec-esp)
/ip firewall filter add \
chain=input \
protocol=udp \
dst-port=500,4500 \
action=accept \
comment="IPsec IKE"
/ip firewall filter add \
chain=input \
protocol=ipsec-esp \
action=accept \
comment="IPsec ESP"
# WireGuard rules
/ip firewall filter add \
chain=input \
protocol=udp \
dst-port=13231 \
action=accept \
comment="WireGuard"
# General VPN security: allow replies, allow clients to reach only the internal LAN,
# then drop everything else arriving from the tunnel
/ip firewall filter add \
chain=forward \
in-interface=wg-server \
connection-state=established,related \
action=accept \
comment="Allow established VPN traffic"
/ip firewall filter add \
chain=forward \
in-interface=wg-server \
src-address=10.0.2.0/24 \
dst-address=192.168.88.0/24 \
connection-state=new \
action=accept \
comment="Allow VPN clients to LAN"
/ip firewall filter add \
chain=forward \
in-interface=wg-server \
action=drop \
comment="Drop other VPN traffic"
VPN Monitoring and Troubleshooting
Monitoring Commands
# Check IPsec status
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print
# Monitor WireGuard
/interface wireguard print
/interface wireguard peers print
# Check OpenVPN/SSTP
/interface ovpn-server print
/interface sstp-server print
# Monitor all VPN interfaces
/interface print where type~"ovpn|sstp|wireguard|pptp|l2tp"
Troubleshooting Common Issues
# Reset IPsec connections (tear down all active peers, then flush their SAs)
/ip ipsec active-peers kill-connections [find]
/ip ipsec installed-sa flush
# Check VPN routing
/ip route print
# Monitor traffic through VPN
/tool torch interface=wg-server
# Check certificate validity (compare invalid-after / expires-after with today's date)
/certificate print detail
Performance Optimization
Hardware Acceleration
# Check for hardware crypto support: the board model and CPU are shown here
/system resource print
/system routerboard print
# RouterOS uses the hardware engine automatically on supported boards; there is no
# setting to switch it on. SAs handled in hardware carry the H flag in this listing:
/ip ipsec installed-sa print
MTU and MSS Configuration
# Adjust MTU for VPN overhead (1420 is the WireGuard default, leaving room for the outer IP, UDP and WireGuard headers)
/interface set wg-server mtu=1420
# Clamp the TCP MSS only on flows entering the tunnel and only when the offered MSS is too large
/ip firewall mangle add \
chain=forward \
protocol=tcp \
tcp-flags=syn \
out-interface=wg-server \
tcp-mss=1361-65535 \
action=change-mss \
new-mss=1360 \
passthrough=yes
Enterprise Deployment Examples
Multi-Protocol VPN Gateway
# Complete VPN server configuration supporting multiple protocols
# IPsec for site-to-site
/ip ipsec proposal set default enc-algorithms=aes-256-gcm
/ip ipsec profile set default dh-group=ecp256
# WireGuard for performance-critical links
/interface wireguard add name=wg-main listen-port=51820
# OpenVPN for compatibility
/interface ovpn-server server set enabled=yes certificate=server-cert
# SSTP for Windows clients
/interface sstp-server server set enabled=yes certificate=server-cert
# Client isolation (place this rule above any forward accept rule for wg-main)
/ip firewall filter add \
chain=forward \
in-interface=wg-main \
out-interface=wg-main \
action=drop \
comment="Isolate WireGuard clients"
Remote Access VPN with User Management
# User database for VPN access (service= limits each account to one protocol; a fixed
# remote-address gives each user a stable tunnel IP that the queues below can target)
/ppp secret add name=user1 password=pass1 profile=ovpn-client service=ovpn remote-address=10.0.4.100
/ppp secret add name=user2 password=pass2 profile=ovpn-client service=ovpn remote-address=10.0.4.101
/ppp secret add name=user3 password=pass3 profile=sstp-client service=sstp
# Bandwidth limits per user
/queue simple add \
name=user1-limit \
target=10.0.4.100/32 \
max-limit=10M/10M
/queue simple add \
name=user2-limit \
target=10.0.4.101/32 \
max-limit=5M/5M
Conclusion: Choosing the Right VPN Protocol
Protocol Selection Guide
- IPsec: Best for site-to-site, enterprise networks, high security
- WireGuard: Modern choice for performance, mobile clients, simplicity
- OpenVPN: Flexible, cross-platform, good balance of security and compatibility
- SSTP: Best for Windows environments; works through restrictive firewalls because it runs over TCP 443
- PPTP/L2TP: Legacy support only, avoid for new deployments
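To turn the selection guide into a repeatable check, here is an added Python example (not from the page or from MikroTik) that parses RouterOS /export output and flags the settings this guide warns against: PPTP enabled, L2TP without mandatory IPsec, an SSTP or OpenVPN client that does not verify the server certificate, and weak IPsec algorithms or DH groups. The export text and the weak-algorithm list are constructed for the example.

```python
# Added example, not from the page: audit a RouterOS /export for the VPN weaknesses this guide names.
import shlex

# Constructed export text (not from a real router); a trailing backslash continues a line
SAMPLE_EXPORT = """\
/interface pptp-server server
set enabled=yes default-profile=pptp-client
/interface l2tp-server server
set enabled=yes use-ipsec=no default-profile=l2tp-client
/interface sstp-client
add name=sstp-to-office connect-to=sstp.example.net certificate=none \\
    user=username password=password
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
"""
# Algorithms and DH groups that should not appear in an IPsec profile or proposal
WEAK_ALGS = {"null", "des", "3des", "blowfish", "md5", "sha1", "modp768", "modp1024"}

def parse_export(text: str):
    """Yield (menu path, {key: value}) for each add/set line of an export."""
    section, buf = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        yield section, dict(t.split("=", 1) for t in shlex.split(buf) if "=" in t)
        buf = ""

def findings(text: str) -> list:
    """One message per weak setting; exports omit defaults, so a missing verify-server-certificate or use-ipsec means the insecure default applies."""
    out = []
    for section, p in parse_export(text):
        if section == "/interface pptp-server server" and p.get("enabled") == "yes":
            out.append("PPTP server enabled: MS-CHAPv2/MPPE are broken; use IKEv2 or WireGuard")
        if section == "/interface l2tp-server server" and p.get("enabled") == "yes" and p.get("use-ipsec") != "required":
            out.append("L2TP server without use-ipsec=required: tunnel can run unencrypted")
        if section in ("/interface sstp-client", "/interface ovpn-client") and p.get("verify-server-certificate") != "yes":
            out.append(f"{p.get('name')}: server certificate not verified (open to MITM)")
        if section.startswith("/ip ipsec"):
            algs = {a for k in ("auth-algorithms", "enc-algorithms", "pfs-group", "dh-group") for a in p.get(k, "").split(",")}
            weak = sorted(algs & WEAK_ALGS)
            if weak: out.append(f"{section}: weak algorithms {','.join(weak)}")
    return out
```

Run it against the output of /export on a router to get a list of findings; an empty list means none of the checked patterns are present.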
Key Implementation Tips
- Use certificates for authentication when possible
- Implement proper firewall rules for VPN security
- Monitor performance and adjust MTU/MSS as needed
- Plan for scalability in multi-site deployments
- Regularly update and maintain VPN configurations
MikroTik's versatile VPN capabilities make it an excellent choice for everything from small business remote access to enterprise multi-site connectivity.