First, I will describe the simplest option for setting up a PPTP (VPN) server on Mikrotik via the web interface or Winbox. In this variant, only one client can connect to the server.
1) Activate the server by opening the menu “PPP” – “PPTP Server”, where we check the “Enabled” box.
2) Add the parameters for connecting to the server. To do this, open “PPP” – “Secrets” and add:
Local Address: internal IP of the router, for example 192.168.88.1
Remote Address: IP to be assigned to the client, e.g. 192.168.88.2
3) Add a rule to the firewall so that you can connect to the server from outside. To do this, open the “IP” – “Firewall” menu and add the rule in the “Filter Rules” tab:
Dst. Address: external IP address of the router
Dst. Port: 1723
In. Interface: WAN port of the router, for example ether1-gateway
Click OK. This completes the simple setup.
Now I will describe the configuration option from the command line. In this variant, many clients can connect to the server, and they receive their IP addresses from an address pool.
Enabling pptp server:
interface pptp-server server set enabled=yes
View pptp server settings:
interface pptp-server server print
Adding the pptp server interface:
interface pptp-server add name=pptpserver user=USERNAME
Setting the pool of addresses that will be issued to connected users:
ip pool add name="pptp-pool" ranges=172.20.1.10/28
Adding a profile for pptp server:
ppp profile add name="pptp" local-address=172.20.1.11 remote-address=pptp-pool use-compression=no use-vj-compression=no use-encryption=default only-one=default change-tcp-mss=yes
Adding authentication data:
ppp secret add name="USERNAME" service=pptp caller-id="" password="PASSWORD" profile=pptp
You must also allow incoming TCP traffic to port 1723 from outside and allow GRE.
To do this, add the first rule: chain = input, protocol = tcp, Dst.Port = 1723, action = accept.
Then add the second: chain = input, protocol = gre, action = accept.
These two rules must be placed before the standard prohibition rules, otherwise they will not work.
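The two rules above as RouterOS CLI commands, inserted ahead of the first drop rule in the input chain. This is an added example, not part of the original instructions; it assumes the WAN interface is named ether1-gateway (the name used earlier on this page), and the rule comments are arbitrary labels.

```routeros
# Added example: PPTP accept rules placed before the first input drop rule.
# Assumption: WAN interface is ether1-gateway; adjust to your router.
{
    # Collect the ids of existing drop rules in the input chain
    :local drops [/ip firewall filter find where chain=input action=drop]

    :if ([:len $drops] > 0) do={
        # Insert both rules directly before the first drop rule
        :local first [:pick $drops 0]
        /ip firewall filter add chain=input protocol=tcp dst-port=1723 \
            in-interface=ether1-gateway action=accept \
            comment="PPTP control" place-before=$first
        /ip firewall filter add chain=input protocol=gre \
            in-interface=ether1-gateway action=accept \
            comment="PPTP GRE" place-before=$first
    } else={
        # No drop rule yet: appending to the end of the chain is sufficient
        /ip firewall filter add chain=input protocol=tcp dst-port=1723 \
            in-interface=ether1-gateway action=accept comment="PPTP control"
        /ip firewall filter add chain=input protocol=gre \
            in-interface=ether1-gateway action=accept comment="PPTP GRE"
    }
}

# Check the resulting order: both accept rules must be listed above any drop rule
/ip firewall filter print where chain=input
```

Limiting the rules to the WAN interface keeps them as narrow as the Winbox rule described in the first variant.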
In the properties of the VPN connection created in Windows, select PPTP as the VPN type and set data encryption to “Optional encryption (connect even if no encryption)”.
Some useful information:
PAP (Password Authentication Protocol) is an authentication protocol that verifies the name and password.
CHAP (Challenge Handshake Authentication Protocol) is a widespread protocol in which the user’s password itself is not sent to the server, only indirect information about it.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) is a protocol from Microsoft for authenticating remote computers.