This is the first of a series of posts inspired by the huge number of hours I’ve recently spent configuring my Mikrotik router to get VPN working. Although there is quite a lot of information on the web, I fell over a few trips that were not documented. I hope this saves you (or worst case future me some time).
After I followed the guides found on the other pages, technically the connection was working, but it was painfully slow and some pages weren’t loading at all. Here I’ll point out what’s important.
Just one more thing – my RouterOS version was 6.33.5.
Step 1 – Interfaces
First thing to do is add an interface. I tried some of the available protocols and results were following:
PPTP– Worked ok
SSTP– Worked ok
OpenVPN– did not work due to lack of TLS authentication support
- Others – did not try
An important decision here is
MTU. There are plenty of resources about that on the web, so I’ll just say I set my value at 1472 (1500 – 28), which caused no fragmentation when trying to ping sites from my computers.
Make sure your PPP profile has not been modified. It’s best to create a separate profile for this connection (with default settings – just copy
default-encryption) so that you don’t mess it up when setting your router as VPN server.
Step 2 – NAT
Just add masquerade on the outgoing interface.
Step 3 – Mangle
Setting up mangle consists of two parts.
Routing marking is optional. Use this if you want to route some of your traffic via one connection and the rest through other. For example your personal WiFi through VPN and Guest Wifi through unencrypted connection.
Mangle rules are processed sequentially in the order they appear on the . If you have multiple
mark routing rules make sure latter rules don’t overwrite the value in an unexpected way. Best practice is to have more specific rules follow the less specific ones.
This is the real magic! 99% of the guides recommend to play with the MTU value if you have connection problems. But I set that down to the minimum value of 512 and it didn’t help either. What solve my connection issues of low speed and some pages not loading at all was this magical MSS rule. Again, the value is a bit of try and see. 1400 was a bit too much so I finally ended with
1350. But the results we amazing – speed boosted from 2-3 Mbps to 60 Mbps nearly exhausting my bandwidth. Not sure though, if this ain’t just a way around some RouterOS bug.
Step 4 – Routes
Finally, if you did not select
Add Default Route in the interface setup and want to use some more sophisticated routing rules, you need to configure one. Don’t forget to use the routing mark.
Hope this little guide was useful. All comments and questions are welcome.
Next part will be on configuring a budget point-to-site SSTP connection to Azure virtual network.