Configuring PPTP (VPN) server on Mikrotik

First, I will describe the simplest way to set up a PPTP (VPN) server on Mikrotik via the web interface or Winbox. In this variant, only one client can connect to the server.

1) Enable the server: open the menu “PPP” – “PPTP Server” and check the “Enabled” box.
2) Add the credentials for connecting to the server: open “PPP” – “Secrets” and add:
Name: USERNAME
Password: PASSWORD
Service: pptp
Local Address: internal IP of the router, for example 192.168.88.1
Remote Address: IP to be assigned to the client, e.g. 192.168.88.2
Click OK.
3) Add a firewall rule so that the server can be reached from outside: open the “IP” – “Firewall” menu and add a rule on the “Filter Rules” tab:
Chain: input
Dst. Address: external IP address of the router
Protocol: tcp
Dst. Port: 1723
In. Interface: WAN port of the router, for example ether1-gateway
Action: accept
Click OK. This completes the simple setup.

Now I will describe the configuration option from the command line. Many clients can connect to the server and they will receive IP addresses via DHCP.

Enabling pptp server:

interface pptp-server server set enabled=yes

View pptp server settings:

interface pptp-server server print

Adding the pptp server interface:

interface pptp-server add name=pptpserver user=USERNAME

Setting the pool of addresses that will be issued to connected users:

ip pool add name="pptp-pool" ranges=172.20.1.10/28

Adding a profile for pptp server:

ppp profile add name="pptp" local-address=172.20.1.11 remote-address=pptp-pool use-compression=no use-vj-compression=no use-encryption=default only-one=default change-tcp-mss=yes

Adding authentication data:

ppp secret add name="USERNAME" service=pptp caller-id="" password="PASSWORD" profile=pptp

You must also allow incoming TCP traffic to port 1723 and allow GRE.
To do this, add a first rule: chain = input, protocol = tcp, Dst.Port = 1723, action = accept.
Then add a second rule: chain = input, protocol = gre, action = accept.
These two rules must be placed before the standard blocking rules, otherwise they will not work.

In the properties of the VPN connection created in Windows, select PPTP as the VPN type and set data encryption to “Optional encryption (connect even if no encryption)”.
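An added check, not part of the original article, for the two points above: whether the tcp/1723 and GRE accept rules sit before a blocking rule, and whether the profile's use-encryption value forces encryption. It parses RouterOS commands in Python; the sample lines, the drop rule and the function names are constructed for illustration.

```python
import shlex

# Constructed sample: the profile command from this page (shortened) and three
# firewall rules in list order. The drop rule and the ordering are assumptions.
SAMPLE = """
ppp profile add name="pptp" local-address=172.20.1.11 remote-address=pptp-pool use-encryption=default
ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept
ip firewall filter add chain=input in-interface=ether1-gateway action=drop
ip firewall filter add chain=input protocol=gre action=accept
"""

def parse(line):
    """Split one RouterOS command into (menu path, {parameter: value})."""
    tokens = shlex.split(line.lstrip("/"))
    path = " ".join(t for t in tokens if "=" not in t and t != "add")
    return path, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(config):
    """Return a list of findings for the PPTP profile and input-chain rules."""
    findings, rules = [], []
    for line in filter(None, map(str.strip, config.splitlines())):
        path, p = parse(line)
        if path == "ppp profile" and p.get("use-encryption") != "required":
            # Only "required" makes the router refuse a session without MPPE.
            findings.append(f"profile {p.get('name')}: use-encryption="
                            f"{p.get('use-encryption', 'default')} does not force encryption")
        elif path == "ip firewall filter" and p.get("chain") == "input":
            rules.append(p)
    # Simplification: the first drop/reject rule is treated as blocking
    # everything after it, whatever its other matchers are.
    block = next((i for i, r in enumerate(rules)
                  if r.get("action") in ("drop", "reject")), len(rules))
    needed = {
        "tcp/1723": lambda r: r.get("protocol") == "tcp" and r.get("dst-port") == "1723",
        "gre": lambda r: r.get("protocol") == "gre",
    }
    for label, match in needed.items():
        pos = next((i for i, r in enumerate(rules)
                    if r.get("action") == "accept" and match(r)), None)
        if pos is None:
            findings.append(f"no accept rule for {label}")
        elif pos > block:
            findings.append(f"accept rule for {label} comes after a blocking rule")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run against the constructed sample, it reports the profile's use-encryption=default and the GRE rule placed after the drop rule.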

Some useful information:
PAP (Password Authentication Protocol) is an authentication protocol that verifies the name and password.
CHAP (Challenge Handshake Authentication Protocol) is a widespread protocol in which the user’s password is not transmitted to the server, only indirect information about it.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) is a protocol from Microsoft for authenticating remote computers.

See also my articles:
Configuring the VPN IPSec / L2TP server on Mikrotik
Installing and configuring PPTPd server
Configuring a VPN Server in Windows Server
