Installing L2TP VPN on Mikrotik, Android

Router Steps

First, we need to configure the router.

Step 1 – Firewall Rules

Before we configure anything related to VPNs, we need to make sure we allow the right packets through the firewall. I’ve allowed traffic on UDP ports 500, 1701 and 4500, plus two IP protocols relating to IPSec: ipsec-esp (50) and ipsec-ah (51).

/ip firewall filter
add action=accept chain=input comment="Allow L2TP / IPSec VPN access" \
    dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah

Step 2 – Configure L2TP

Now we can configure the VPN!

L2TP allows you to tunnel between two endpoints. It doesn’t provide encryption on its own, but is usually combined with IPSec for security.

We need to add a profile and then a secret. Profiles let you define behaviour for many connections, and then you can override some settings at the individual login level (the secret).

Go to PPP > Profiles, and Add a new profile. All I add here are internal DNS servers, because I want to take advantage of my Pi-Hole. Everything else remains default.

/ppp profile
add dns-server=192.168.1.19,192.168.130.31 name=l2tp-vpn

As mentioned above, if you’re on the most recent RouterOS firmware, IPSec will be configured correctly so it Just Works™. Of course, I noticed that it hadn’t turned the encryption up to 11 and decided to muck with it. Eventually, after breaking everything, I swallowed my pride, deleted all the IPSec config and let L2TP re-add it correctly.

My recommendation is to very carefully note the exact dynamic configuration, and use the Copy function to make changes.

Here’s what I have ended up with, for reference:

/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des

/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 \
    enc-algorithms="aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-192-gcm,aes-128-cbc,aes-128-gcm,3des" \
    pfs-group=modp2048
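As an added example (my own code, not from the post or from MikroTik), here is a small Python check that parses an export in the shape of the Step 1 firewall rules and the IPsec proposal above, confirms the WAN input chain admits UDP 500/1701/4500 plus ESP and AH, and flags any legacy algorithms (3DES, SHA1) still enabled in the proposal. The sample export is constructed, not taken from a real device.

```python
import shlex

# Constructed sample in the shape of a RouterOS export (not a real device's).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="Allow L2TP / IPSec VPN access" \\
    dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 \\
    enc-algorithms="aes-256-cbc,aes-256-gcm,3des" pfs-group=modp2048
"""

REQUIRED_UDP_PORTS = {"500", "1701", "4500"}
REQUIRED_PROTOCOLS = {"ipsec-esp", "ipsec-ah"}
WEAK_ALGORITHMS = {"3des", "des", "sha1", "md5", "modp1024"}


def parse_export(text):
    """Yield (section, command, params) per logical line of an export."""
    section = None
    # Join the backslash continuations RouterOS emits, then tokenise shell-style
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line  # a "/ip firewall filter" style path header
        elif line:
            tokens = shlex.split(line)
            params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            yield section, tokens[0], params


def missing_vpn_rules(text):
    """Return the L2TP/IPsec allowances absent from the WAN input chain."""
    ports, protos = set(), set()
    for section, cmd, p in parse_export(text):
        wan_input = (p.get("chain"), p.get("action"), p.get("in-interface-list"))
        if section != "/ip firewall filter" or cmd != "add" or wan_input != ("input", "accept", "WAN"):
            continue
        if p.get("protocol") == "udp":
            ports |= set(p.get("dst-port", "").split(","))
        else:
            protos.add(p.get("protocol"))
    return {f"udp/{x}" for x in REQUIRED_UDP_PORTS - ports} | (REQUIRED_PROTOCOLS - protos)


def weak_proposal_algorithms(text):
    """Return weak algorithms still enabled in the default IPsec proposal."""
    found = set()
    for section, cmd, p in parse_export(text):
        if section == "/ip ipsec proposal" and cmd == "set":
            for key in ("auth-algorithms", "enc-algorithms", "pfs-group"):
                found |= set(p.get(key, "").split(","))
    return found & WEAK_ALGORITHMS
```

Run it against the output of `/export` from your own router; an empty result from `missing_vpn_rules` means the Step 1 rules are all present.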

Android Steps

Now, to configure an Android device.

My phone is running Android 8.1 via Lineage OS 15.1; your device may be different.

Go to Settings > Network & Internet > VPN, tap the plus / add button, and then tick the Show advanced options checkbox.