Syed Jahanzaib Personal Blog to Share Knowledge !

November 25, 2013

Mikrotik Central VPN Server For Remote Branches Connectivity

Filed under: General IT Related, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:54 PM




[Figure: vpn connectivity]

Consider following scenario:

An ISP has multiple locations all over the country. The main Mikrotik router at the NOC has a fixed public IP. The RADIUS billing system is connected to the NOC LAN. All remote locations have Mikrotik RouterBoards as NAS and have dynamic public IPs. All locations have their own internet connectivity from various ISPs, but we want to use our main RADIUS server as a centralized billing solution for all the REMOTE locations. So this is a short guide on how to create a central RADIUS server and connect all remote branches/NASes to it.


Basic Points:

Create a PPTP server at your Head Office Mikrotik.
Create a user account in the secret section, and assign it a fixed IP address like
Now at the branch office, create a PPTP client in the Mikrotik PPTP section, and add the head office IP / user id / password. Don't forget to UNCHECK the "add DEFAULT ROUTE" button, because if you leave it on it will override the default route and will send every packet, including internet requests, to the head office, which will overload the head office internet connection. Since we only want to route requests for a specific IP/subnet, we will create a route at both ends so that only requests for that specific IP subnet go via the VPN tunnel.

Head Office Mikrotik Config

LAN subnet =
WAN subnet =
Radius =

First add an IP pool for VPN users, e.g. in the same series as the LAN but with a dedicated range.

/ip pool
add name=PPP-Pool ranges=

Now add VPN Profile

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
add change-tcp-mss=default dns-server= local-address= name=vpn-profile only-one=default remote-address=PPP-Pool \
use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default

Now enable the VPN server

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

Now add a user that we will use for testing from the remote location NAS.

/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=aa password=aa profile=vpn-profile routes="" service=any

Now add a route for the subnet in the IP ROUTE section, via the PPTP gateway.

Remote Branch Mikrotik Config

LAN subnet =
WAN subnet = DYNAMIC Public IP x.x.x.x

Now we want to connect the remote NAS to the head office VPN server so that it can use the central RADIUS server as a centralized billing system.

In short: create a PPTP dialer pointing to the Head Office main RB (where the VPN is configured), enter a valid user id and password, and make sure you remove the tick from "add default route". After it connects, simply add a route for with its gateway pointing to pptp-out1 (the PPTP link we created above).
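The branch-side configuration described above, written out as a RouterOS script, is an added example and not part of the original post. All addresses are constructed placeholders (203.0.113.1 head office public IP, 192.168.10.0/24 head office LAN, 192.168.10.250 RADIUS, 192.168.10.201 fixed tunnel address for secret "aa", 192.168.50.0/24 branch LAN, ether2 as the head office LAN port); it also shows the head office return route pushed from the secret rather than added by hand.

```routeros
# Added example, not the blog's own config. All addresses are constructed
# placeholders; replace them with your real subnets before use.

# --- Head office (PPTP server) ---
# Fixed tunnel address for the branch, plus the return route for the branch
# LAN, installed automatically whenever this secret connects.
/ppp secret
set [find name=aa] remote-address=192.168.10.201 routes="192.168.50.0/24"

# Tunnel addresses come from the LAN series, so the RADIUS host will ARP for
# 192.168.10.201 on the LAN. proxy-arp on the LAN port (assumed ether2) makes
# the router answer on the tunnel's behalf.
/interface ethernet
set [find name=ether2] arp=proxy-arp

# --- Remote branch (PPTP client / NAS) ---
# add-default-route=no keeps internet traffic on the branch's own uplink;
# only head office traffic is steered into the tunnel by the route below.
/interface pptp-client
add name=pptp-out1 connect-to=203.0.113.1 user=aa password=aa \
    profile=default-encryption add-default-route=no disabled=no

# Route only the head office LAN via the tunnel.
/ip route
add dst-address=192.168.10.0/24 gateway=pptp-out1 comment="HO LAN via VPN"

# Point PPP/Hotspot authentication at the central RADIUS. src-address makes
# the requests originate from the tunnel IP, so the RADIUS server sees a
# known client address and its replies come back through the VPN.
/radius
add address=192.168.10.250 secret=CHANGE-ME service=ppp,hotspot \
    src-address=192.168.10.201 timeout=3s comment="Central billing"
/ppp aaa
set use-radius=yes
/ip hotspot profile
set [find name=default] use-radius=yes

# Checks from the branch: tunnel is up and the RADIUS host answers over it.
/interface pptp-client monitor pptp-out1 once
/ping 192.168.10.250 count=3
```

The RADIUS shared secret (secret=CHANGE-ME) must match the one configured for this NAS on the billing server. PPTP with MS-CHAP is no longer considered a secure transport; the same secret/profile/route layout works unchanged with RouterOS L2TP/IPsec if you want the branch traffic encrypted properly.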

To be continued . . . will write soon about it; while writing this guide, an issue in the network popped up . . 00-(


  1. Please also write a guide on the Mangle rules of MikroTik and their execution, or the sequence in which they apply to a packet.


    Comment by Raheel — November 25, 2013 @ 1:57 PM

  2. Assalaam u alaikum Bro, how are you? I hope you are doing well. I am interested in the Mikrotik training, so please sir, set some timing for the training.

    Comment by Comnet_Solution — November 27, 2013 @ 12:09 PM

  3. Sir, I sent an image. Please tell me how it can be possible.

    Comment by monarech — November 30, 2013 @ 10:00 AM

  4. Hello,

    I did port forwarding to a server within my network. I can reach the server with the public address specified whenever I am on a different network.
    I can't reach the local server with the public address whenever I am within my network.

    Kindly help provide possible reasons.

    Comment by olawale — December 11, 2013 @ 7:09 PM

  5. Sir, I also have multiple locations that run on a single internet connection. 3 locations belong to different people, who are connected to my main network through RouterBoards, and each has its own separate hotspot. I want them to connect through a central RADIUS, so that users are created only on the main server but with their own separate identities, so that one location's user cannot connect from another location, and each location has its own separate refill cards that only work there.

    Comment by Sardar Munawar — December 24, 2013 @ 12:30 PM

  6. Jahanzaib Bhai, I want to access the local network machines on both sides; then what are the routes?

    Comment by nomi — January 25, 2014 @ 12:31 PM

  7. Jahanzaib bhai,
    I need this complete script for centralized billing.
    Please send me at


    Comment by N0M1 — September 13, 2014 @ 6:31 PM

    • There is no script for it; a lot of work is required, as per the network scenario.

      Comment by Syed Jahanzaib / Pinochio~:) — September 14, 2014 @ 10:33 AM

      • I can ping from home to the office router, but not from the office to the home router.
        I also want to ping the Local Network on both sides….
        Help required


        Comment by n0m1 — September 18, 2014 @ 1:21 PM

      • Create static routes on Mikrotik.

        Comment by Syed Jahanzaib / Pinochio~:) — September 22, 2014 @ 3:44 PM

  8. Thank you

    Comment by N0M1 — September 28, 2014 @ 3:19 PM
