How to configure a VPN on MikroTik Routers

Step-by-step instructions

Connection via L2TP or PPTP protocol

1. Go to IP->DNS , setup DNS Google ( и,then click Apply-> OK

2. Go to IP->DHCP Client open ether1 and uncheck Use Peer DNS and Use Peer NTP , setup Default Route Distance equal to 100,then click Apply-> OK

3. Go to IP->DNS, make sure that Dynamic Servers is now empty

4. Create a VPN server with L2TP connection protocol

Open the program installation manual

5. Go to Interfaces and create a new L2TP Client interface

6. Configure it using the data of the created L2TP server in accordance with the image below, setup Default Route Distance equal to 10 ,then click Apply-> OK

7. Make sure your new interface is up and running.

8. Go to Interface List and select the WAN interface

9. Switch all traffic to your L2TP connection,then click Apply-> OK

10. This completes the setup, the PPTP connection is configured in the same way, but we do not recommend using it, since it provides much less protection.


With this setting, if the VPN connection is broken, the network will completely disappear and you need to reconfigure it manually!

In addition - make sure that your device does not have other active Wi-Fi networks, otherwise the operating system itself can change the connection to an insecure connection.

Using the WireGuard protocol

To configure the MikroTik router using the WireGuard protocol, you need to change the firmware of the router, since RouterOS does not support the WireGuard protocol

1. Download firmware for the router

Go to the site to the firmware download section and select your router model.

You can see the model’s compliance with its marketing name and image on the website

For this device, we need 2 files:|elf

Download both files: Install and Upgrade.

2. Network setup, loading and setting up a PXE server

Download Tiny PXE Server latest version

Unzip to a separate folder. In the config.ini file, add the parameter rfc951 = 1 section [dhcp]. This parameter is the same for all Mikrotik models.

We turn to the network settings: you need to register a static ip address on one of the network interfaces of your computer.

IP address


Launch Tiny PXE Server and select the server with the address in the DHCP Server field

Important! РXE Server run as Administrator

Important! On some versions of Windows, this interface may only appear after an Ethernet connection. We recommend connecting the router and immediately connecting the router and PC using a patch cord.

Click the «...» button (bottom right) and indicate the folder into which you downloaded the firmware files for Mikrotik.

Choose a file whose name ends with «initramfs-kernel.bin|elf»

Downloading a router from a PXE server

We connect the PC wire and the first port (wan, internet, poe in, ...) of the router.

After that we take a toothpick, stick it into the hole with the inscription «Reset».

Turn on the power of the router and wait 20 seconds, then release the toothpick.

Over the next minute, the following messages should appear in the Tiny PXE Server window:

Firmware update on Mikrotik

Wait another minute and connect to the LAN ports of the Mikrotik router (2 ... 5 in our case) using the same patch cord. Just switch it from port 1 to port 2.

Set the network adapter to obtain the address dynamically (via DHCP) and go to the address through the browser.

Enter the OpenWRT administrative interest and go to the menu section «System -> Backup/Flash Firmware»

In the subsection «Flash new firmware image» click on the button «Select file (Browse)».

Specify the path to the file whose name ends with «-squashfs-sysupgrade.bin».

After that, click the «Flash Image» button.

In the next window, click the «Proceed» button. The firmware download to the router will begin.


After flashing and rebooting the router, you will receive Mikrotik with OpenWRT firmware.

Possible problems and solutions

Many 2019 Mikrotik devices use the FLASH-NOR memory chip type GD25Q15 / Q16. The problem is that flashing does not save device model data.

If you see the error «The uploaded image file does not contain a supported format. Make sure that you choose the generic image format for your platform.» Then most likely the problem is in flash.

This is easy to verify: run the command to verify the model ID in the device terminal

[email protected]:~# cat /tmp/sysinfo/board_name

And if you get the answer «unknown», then you need to manually specify the device model in the form of «rb-951-2nd»

To get the device model, run the command

[email protected]:~# cat /tmp/sysinfo/model
MikroTik RouterBOARD RB951-2nd

Having received the model of the device, we install it manually:

echo 'rb-951-2nd' > /tmp/sysinfo/board_name

After that, you can flash the device through the web interface or using the «sysupgrade» command

Configuring WireGuard Client on OpenWRT

1. Connect to the router using SSH protocol

ssh [email protected]

2. Install WireGuard:

opkg update
opkg install wireguard

3. Prepare the configuration (copy the code below to the file, replace the specified values with your own and run in the terminal)

WG_SERV="" # server ip address from wireguard configuration file (Endpoint = without port

WG_KEY="xxxxx" # private key (PrivateKey) from wireguard configuration file
WG_PUB="xxxxx" # public key (PublicKey) from wireguard configuration file

# Configure firewall
uci rename [email protected][0]="lan"
uci rename [email protected][1]="wan"
uci rename [email protected][0]="lan_wan"
uci del_list"${WG_IF}"
uci add_list"${WG_IF}"
uci commit firewall
/etc/init.d/firewall restart

# Configure network
uci -q delete network.${WG_IF}
uci set network.${WG_IF}="interface"
uci set network.${WG_IF}.proto="wireguard"
uci set network.${WG_IF}.private_key="${WG_KEY}"

uci add_list network.${WG_IF}.addresses="${WG_ADDR}"

# Add VPN peers
uci -q delete network.wgserver
uci set network.wgserver="wireguard_${WG_IF}"
uci set network.wgserver.public_key="${WG_PUB}"
uci set network.wgserver.preshared_key=""
uci set network.wgserver.endpoint_host="${WG_SERV}"
uci set network.wgserver.endpoint_port="${WG_PORT}"
uci set network.wgserver.route_allowed_ips="1"
uci set network.wgserver.persistent_keepalive="25"
uci add_list network.wgserver.allowed_ips=""
uci add_list network.wgserver.allowed_ips=""
uci add_list network.wgserver.allowed_ips="::/0"
uci commit network
/etc/init.d/network restart

3. Done!