This is the first of a series of posts inspired by the huge number of hours I’ve recently spent configuring my Mikrotik router to get VPN working. Although there is quite a lot of information on the web, I tripped over a few pitfalls that were not documented. I hope this saves you (or, worst case, future me) some time.
After I followed the guides found on the other pages, technically the connection was working, but it was painfully slow and some pages weren’t loading at all. Here I’ll point out what’s important.
Just one more thing – my RouterOS version was 6.33.5.
Step 1 – Interfaces
The first thing to do is add an interface. I tried some of the available protocols, and the results were as follows:
- PPTP – Worked ok
- SSTP – Worked ok
- OpenVPN – did not work due to lack of TLS authentication support
- Others – did not try
An important decision here is MTU. There are plenty of resources about that on the web, so I’ll just say I set my value at 1472 (1500 – 28), which caused no fragmentation when trying to ping sites from my computers.
Make sure your PPP profile has not been modified. It’s best to create a separate profile for this connection (with default settings – just copy default-encryption) so that you don’t mess it up when setting your router as VPN server.
Step 2 – NAT
Just add masquerade on the outgoing interface.
Step 3 – Mangle
Setting up mangle consists of two parts.
Mark routing
Routing marking is optional. Use this if you want to route some of your traffic via one connection and the rest through the other. For example, your personal WiFi through VPN and guest WiFi through an unencrypted connection.
Mangle rules are processed sequentially in the order they appear. If you have multiple mark routing rules, make sure later rules don’t overwrite the value in an unexpected way. Best practice is to have more specific rules follow the less specific ones.
Change MSS
This is the real magic! 99% of the guides recommend playing with the MTU value if you have connection problems. But I set that down to the minimum value of 512 and it didn’t help either. What solved my connection issues of low speed and some pages not loading at all was this magical MSS rule. Again, the value is a bit of try and see. 1400 was a bit too much, so I finally ended with 1350. But the results were amazing – speed boosted from 2-3 Mbps to 60 Mbps, nearly exhausting my bandwidth. Not sure, though, if this isn’t just a way around some RouterOS bug.
Step 4 – Routes
Finally, if you did not select Add Default Route in the interface setup and want to use some more sophisticated routing rules, you need to configure one. Don’t forget to use the routing mark.
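Steps 1 to 4 put together as one RouterOS v6 script. This is an added example, not the configuration from the original post: it uses the MTU (1472) and MSS (1350) values mentioned above, while the names sstp-vpn, vpn-client and via-vpn, the server vpn.example.net, the credentials and the LAN subnet 192.168.88.0/24 are placeholders or assumptions. The second change-mss rule (replies arriving from the tunnel) goes beyond what the post describes.

```routeros
# Added example. Hypothetical names: sstp-vpn, vpn-client, via-vpn.
# Placeholders: vpn.example.net, VPN-USER, CHANGE-ME. Assumed LAN: 192.168.88.0/24.

# Step 1: dedicated PPP profile copied from default-encryption, so later
# changes made for a VPN server on the same router do not affect this client.
/ppp profile
add name=vpn-client copy-from=default-encryption

# SSTP client with the MTU from the post; no automatic default route,
# because routing is done with a routing mark in steps 3 and 4.
# verify-server-certificate=yes can be added once the provider's CA is imported.
/interface sstp-client
add name=sstp-vpn connect-to=vpn.example.net user=VPN-USER password=CHANGE-ME \
    profile=vpn-client max-mtu=1472 max-mru=1472 add-default-route=no disabled=no

# Step 2: masquerade everything leaving through the tunnel.
/ip firewall nat
add chain=srcnat out-interface=sstp-vpn action=masquerade comment="NAT into VPN"

# Step 3a (optional): mark traffic from the assumed LAN for the VPN route.
# dst-address-type=!local keeps traffic addressed to the router itself unmarked.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=via-vpn passthrough=yes \
    comment="LAN via VPN"

# Step 3b: clamp the MSS on TCP SYN packets entering the tunnel. The tcp-mss
# range starts at new-mss + 1 so that smaller values are never raised.
add chain=forward out-interface=sstp-vpn protocol=tcp tcp-flags=syn \
    tcp-mss=1351-65535 action=change-mss new-mss=1350 comment="clamp MSS out"

# Same clamp for SYN/SYN-ACK packets arriving from the tunnel, which limits
# the segment size in the other direction as well.
add chain=forward in-interface=sstp-vpn protocol=tcp tcp-flags=syn \
    tcp-mss=1351-65535 action=change-mss new-mss=1350 comment="clamp MSS in"

# Step 4: default route through the tunnel, used only by marked traffic.
/ip route
add dst-address=0.0.0.0/0 gateway=sstp-vpn routing-mark=via-vpn \
    comment="default route for via-vpn"
```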
Wrap up
Hope this little guide was useful. All comments and questions are welcome.
Next part will be on configuring a budget point-to-site SSTP connection to Azure virtual network.
Fantastic!
Hi. I have good result with this config: https://support.hidemyass.com/hc/en-us/articles/204558497-Mikrotik-Client-Setup
cheers!
The really tough part was MSS. I spent about 3 days to get the VPN connection running in a reasonable way. Though, this might be specific to PureVPN.
Great article. Thanks to your post I was able to find out what the issue was. I had issues before with MTU, so I was kind of close to what may be the problem, but with your post and a little research I was able to make it work!!!! Just wanted to add this line for reference to others.
/ip firewall mangle
add out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward tcp-mss=1301-65535
Thank you