Remote User VPN Config Template

Module 3 Deliverable
RouterOS Version: 7.20.5 or later


Overview

This template provides configurations for remote user VPN access using both WireGuard and L2TP/IPsec.

Network Setup: In this template, WireGuard is configured on the HQ router and L2TP/IPsec on the Branch router.

Choose your method:

Method       Requires client software?   Setup complexity   Performance   Best for
WireGuard    Yes (easy to install)       Easy               Fast          Tech-savvy users
L2TP/IPsec   No (built into OS)          Moderate           Moderate      Non-technical users

We are going to use the configurations hq.rsc and branch.rsc from the previous modules to perform the base configurations on the routers.

Method 1: WireGuard Remote Access

Network Design

Office Network: 192.168.88.0/24
Office Server: 192.168.88.10/24
VPN User Subnet: 10.66.66.0/24
Router Public IP: 192.168.233.128/24

User IPs:
- User 1: 10.66.66.10
- User 2: 10.66.66.11
- User 3: 10.66.66.12

Router Configuration

Step 1: Create WireGuard Interface

/interface wireguard
add listen-port=13231 name=wg-remote-users \
    comment="Remote User VPN Access"

View router's public key:

/interface wireguard print

📋 Save this public key — you'll give it to users.


Step 2: Add IP Address

/ip address
add address=10.66.66.1/24 interface=wg-remote-users \
    network=10.66.66.0 comment="VPN user subnet"

Step 3: Create IP Pool (Optional, for tracking)

/ip pool
add name=wireguard-pool ranges=10.66.66.10-10.66.66.250 \
    comment="IPs for remote VPN users"

Step 4: Add Firewall Rules

Allow WireGuard inbound:

/ip firewall filter
add action=accept chain=input comment="Allow WireGuard VPN" \
    dst-port=13231 protocol=udp

Allow VPN users to access local network:

/ip firewall filter
add action=accept chain=forward comment="Allow VPN users to LAN" \
    dst-address=192.168.88.0/24 src-address=10.66.66.0/24

add action=accept chain=forward comment="Allow LAN to VPN users" \
    dst-address=10.66.66.0/24 src-address=192.168.88.0/24

Optional: Allow VPN users to access Internet through router:

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for VPN users" \
    src-address=10.66.66.0/24

Make sure these accept rules are placed above any drop rules in the input and forward chains, otherwise they never match.


Step 5: Add Users as Peers

For each user:

  1. User generates a key pair in the WireGuard client app.
  2. User sends you their public key.
  3. Add the user on the router:

/interface wireguard peers
add allowed-address=10.66.66.10/32 interface=wg-remote-users \
    public-key="<USER-1-PUBLIC-KEY>" \
    comment="John Doe - Laptop - Added 2025-01-15"

Repeat for each user with unique IPs:

/interface wireguard peers
add allowed-address=10.66.66.11/32 interface=wg-remote-users \
    public-key="<USER-2-PUBLIC-KEY>" \
    comment="Sarah Smith - Phone - Added 2025-01-20"

add allowed-address=10.66.66.12/32 interface=wg-remote-users \
    public-key="<USER-3-PUBLIC-KEY>" \
    comment="Mike Johnson - Tablet - Added 2025-01-22"

User Client Configuration

User downloads and installs the WireGuard client, then creates a new tunnel with this config:

[Interface]
PrivateKey = <USER-PRIVATE-KEY>
Address = <USER-VPN-IP>/32
DNS = 192.168.88.1

[Peer]
PublicKey = <ROUTER-PUBLIC-KEY>
Endpoint = <ROUTER-PUBLIC-IP>:13231
AllowedIPs = 192.168.88.0/24, 10.66.66.0/24
PersistentKeepalive = 25

Replace placeholders:

  • <USER-PRIVATE-KEY> = User's private key (from their WireGuard client)
  • <ROUTER-PUBLIC-KEY> = Router's public key (from Step 1)
  • <ROUTER-PUBLIC-IP> = Office router's public IP address
  • <USER-VPN-IP> = IP assigned to this user (e.g., 10.66.66.10)

Example filled in:

[Interface]
PrivateKey = yHjK9mL1nN3pP5qR7sT9uV2wW4xY6zA8bB0cC2dD4eE=
Address = 10.66.66.10/32
DNS = 192.168.88.1

[Peer]
PublicKey = 7aK9Lm1nO2pP5qR8sT0uV3wX6yZ9aB1cD4eF7gH0iJk=
Endpoint = 192.168.233.128:13231
AllowedIPs = 192.168.88.0/24, 10.66.66.0/24
PersistentKeepalive = 25

User activates tunnel in WireGuard client.
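The provisioning steps above (Step 5 on the router plus the client tunnel file) are easy to get subtly wrong by hand: a key with one character missing, an IP outside the pool, or two peers given the same allowed-address. The following Python script is an added example and is not part of the template or of RouterOS. It runs offline, validates the key format and the VPN IP, and prints the RouterOS peer command and the matching client config using the addresses from the Network Design above. The keys in it are constructed placeholders with the right shape; real keys come from the user's WireGuard client and from /interface wireguard print on the router. The full_tunnel option mirrors the AllowedIPs = 0.0.0.0/0 variant described later under Advanced.

```python
"""Provisioning helper for the wg-remote-users template: validates each user's
key and VPN IP, emits the Step 5 peer command for the router and the matching
client tunnel file. Added example, not the template's own code; keys below are
constructed placeholders."""
import base64
import binascii
import ipaddress

# Values from the template's Network Design and Steps 1-5
WG_IFACE = "wg-remote-users"
LISTEN_PORT = 13231
VPN_SUBNET = ipaddress.ip_network("10.66.66.0/24")
POOL_FIRST = ipaddress.ip_address("10.66.66.10")
POOL_LAST = ipaddress.ip_address("10.66.66.250")
OFFICE_LAN = "192.168.88.0/24"
CLIENT_DNS = "192.168.88.1"

# Constructed placeholders with the right shape (32 bytes, base64); never use as real keys
SAMPLE_KEY_A = base64.b64encode(bytes(range(32))).decode()
SAMPLE_KEY_B = base64.b64encode(bytes(range(32, 64))).decode()


def is_wg_key(key: str) -> bool:
    """A WireGuard key is 32 bytes in base64: exactly 44 characters, the last one '='.
    Rejecting a mistyped or truncated key here saves a peer that never handshakes."""
    if len(key) != 44:
        return False
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_user_ip(user_ip: str) -> ipaddress.IPv4Address:
    """The IP must come from the Step 3 pool so it never collides with the router's .1."""
    ip = ipaddress.ip_address(user_ip)
    if not POOL_FIRST <= ip <= POOL_LAST:
        raise ValueError(f"{user_ip} is outside the VPN user pool")
    return ip


def router_peer_command(user_ip: str, user_pubkey: str, comment: str) -> str:
    """RouterOS line for Step 5. allowed-address is a /32, so the router only accepts
    packets from this peer when they carry the IP assigned to it."""
    ip = check_user_ip(user_ip)
    if not is_wg_key(user_pubkey):
        raise ValueError(f"public key for {comment!r} is not a valid WireGuard key")
    if '"' in comment:
        raise ValueError("double quotes are not allowed in the comment")
    return (f"/interface wireguard peers add allowed-address={ip}/32 "
            f'interface={WG_IFACE} public-key="{user_pubkey}" comment="{comment}"')


def client_config(user_ip, user_privkey, router_pubkey, router_public_ip, full_tunnel=False):
    """Client tunnel file in the template's [Interface]/[Peer] layout. full_tunnel=True
    routes everything through the VPN (see Advanced) and needs the masquerade rule."""
    ip = check_user_ip(user_ip)
    if not (is_wg_key(user_privkey) and is_wg_key(router_pubkey)):
        raise ValueError("malformed key in client config")
    allowed = "0.0.0.0/0" if full_tunnel else f"{OFFICE_LAN}, {VPN_SUBNET}"
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {user_privkey}",
        f"Address = {ip}/32",
        f"DNS = {CLIENT_DNS}",
        "",
        "[Peer]",
        f"PublicKey = {router_pubkey}",
        f"Endpoint = {router_public_ip}:{LISTEN_PORT}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",
    ])


def provision(users):
    """users: iterable of (vpn_ip, user_pubkey, comment). Duplicate IPs or keys are
    rejected: two peers sharing an allowed-address would steal each other's return
    traffic, and one interface cannot hold the same public key twice."""
    seen_ips, seen_keys, commands = set(), set(), []
    for vpn_ip, pubkey, comment in users:
        ip = check_user_ip(vpn_ip)
        if ip in seen_ips or pubkey in seen_keys:
            raise ValueError(f"duplicate IP or key for {comment!r}")
        seen_ips.add(ip)
        seen_keys.add(pubkey)
        commands.append(router_peer_command(vpn_ip, pubkey, comment))
    return commands


if __name__ == "__main__":
    # Constructed sample run: two users, placeholder keys, the template's router IP
    users = [("10.66.66.10", SAMPLE_KEY_A, "John Doe - Laptop - Added 2025-01-15"),
             ("10.66.66.11", SAMPLE_KEY_B, "Sarah Smith - Phone - Added 2025-01-20")]
    print("\n".join(provision(users)))
    print(client_config("10.66.66.10", SAMPLE_KEY_A, SAMPLE_KEY_B, "192.168.233.128"))
```

Paste the printed peer commands into the router terminal and hand each user their own client config. If you generate a full-tunnel config, the router also needs the srcnat masquerade rule from the Advanced section, or the user's Internet traffic will leave the router with an unroutable 10.66.66.x source address.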


Testing

On router, check connected users:

/interface wireguard peers print

Expected output:

 # INTERFACE       PUBLIC-KEY      ENDPOINT           LAST-HANDSHAKE  RX      TX
 0 wg-remote-users 3bM8Jk6nL...    98.51.100.50:5432  5s ago          1.2MiB  3.4MiB
 1 wg-remote-users 9kP2Nm5oQ...    198.51.100.75:6789 12s ago         500KiB  200KiB

User pings office gateway:

ping 192.168.88.1

✅ If successful: User VPN is working!


User Management

View all users:

/interface wireguard peers print

Disable a user temporarily:

/interface wireguard peers disable [find comment~"John"]

Re-enable user:

/interface wireguard peers enable [find comment~"John"]

Remove user permanently:

/interface wireguard peers remove [find comment~"John"]

Advanced: Split Tunnel vs. Full Tunnel

Split tunnel (default): Only office traffic goes through VPN.

AllowedIPs = 192.168.88.0/24

Full tunnel: All traffic (including Internet) goes through VPN.

AllowedIPs = 0.0.0.0/0

If using full tunnel, add masquerade on router:

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.66.66.0/24

Method 2: L2TP/IPsec Remote Access

Network Design

Office Network: 192.168.99.0/24
VPN User Subnet: 10.88.88.0/24
Router Public IP: 192.168.99.1

User IPs: 10.88.88.10 - 10.88.88.250

Router Configuration

Step 1: Enable L2TP Server

/interface l2tp-server server
set authentication=mschap2 default-profile=default-encryption \
    enabled=yes ipsec-secret="YourStrongIPsecSecret2025" \
    use-ipsec=yes

ipsec-secret: This is the pre-shared key. Make it strong!

Generate with:

openssl rand -base64 24

Step 2: Create IP Pool

/ip pool
add name=l2tp-pool ranges=10.88.88.10-10.88.88.250 \
    comment="L2TP VPN user IP pool"

Step 3: Configure PPP Profile

/ppp profile
set default-encryption local-address=192.168.99.1 \
    remote-address=l2tp-pool use-encryption=required

Step 4: Add User Accounts

/ppp secret
add local-address=192.168.99.1 name=john \
    password="JohnSecurePass123!" profile=default-encryption \
    remote-address=10.88.88.10 service=l2tp \
    comment="John Doe - Remote Access"

add local-address=192.168.99.1 name=sarah \
    password="SarahSecurePass456!" profile=default-encryption \
    remote-address=10.88.88.11 service=l2tp \
    comment="Sarah Smith - Remote Access"

add local-address=192.168.99.1 name=mike \
    password="MikeSecurePass789!" profile=default-encryption \
    remote-address=10.88.88.12 service=l2tp \
    comment="Mike Johnson - Remote Access"

Step 5: Add Firewall Rules

/ip firewall filter
add action=accept chain=input comment="Allow IPsec IKE" \
    dst-port=500 protocol=udp place-before=0

add action=accept chain=input comment="Allow IPsec NAT-T" \
    dst-port=4500 protocol=udp

add action=accept chain=input comment="Allow L2TP" \
    dst-port=1701 protocol=udp

add action=accept chain=input comment="Allow IPsec ESP" \
    protocol=ipsec-esp

add action=accept chain=forward comment="Allow L2TP users to LAN" \
    dst-address=192.168.99.0/24 src-address=10.88.88.0/24

add action=accept chain=forward comment="Allow LAN to L2TP users" \
    dst-address=10.88.88.0/24 src-address=192.168.99.0/24

User Client Configuration

Windows 11

  1. Settings → Network & Internet → VPN
  2. Add VPN
    • VPN provider: Windows (built-in)
    • Connection name: Office VPN
    • Server name or address: 192.168.233.129
    • VPN type: L2TP/IPsec with pre-shared key
    • Pre-shared key: YourStrongIPsecSecret2025
    • Type of sign-in info: User name and password
    • User name: john
    • Password: JohnSecurePass123!
  3. Save
  4. Connect

macOS

  1. System Settings → Network
  2. Click [+] button
  3. Interface: VPN
  4. VPN Type: L2TP over IPsec
  5. Service Name: Office VPN
  6. Fill in:
    • Server Address: 192.168.233.129
    • Account Name: john
  7. Authentication Settings:
    • Password: JohnSecurePass123!
    • Shared Secret: YourStrongIPsecSecret2025
  8. Connect

iOS / iPadOS

  1. Settings → General → VPN & Device Management → VPN
  2. Add VPN Configuration
  3. Type: L2TP
  4. Fill in:
    • Description: Office VPN
    • Server: 192.168.233.129
    • Account: john
    • Password: JohnSecurePass123!
    • Secret: YourStrongIPsecSecret2025
  5. Save and Connect

Android

  1. Settings → Network & Internet → VPN
  2. Add VPN
  3. Fill in:
    • Name: Office VPN
    • Type: L2TP/IPsec PSK
    • Server address: 192.168.233.129
    • IPsec pre-shared key: YourStrongIPsecSecret2025
    • Username: john
    • Password: JohnSecurePass123!
  4. Save and Connect

Testing

On router, check active connections:

/ppp active print

Expected output:

 # NAME  SERVICE CALLER-ID   ADDRESS     UPTIME
 0 john  l2tp    98.51.10... 10.88.88.10 00:05:23

User pings office gateway:

ping 192.168.99.1
ping 192.168.99.10

✅ If successful: L2TP VPN is working!


User Management

View all users:

/ppp secret print

View active connections:

/ppp active print

Disconnect a user:

/ppp active remove [find name=john]

Disable user account:

/ppp secret disable [find name=john]

Change user password:

/ppp secret set [find name=john] password="NewPassword123!"

Access Control

Limit VPN Users to Specific Resources

Allow VPN users to access file server only:

/ip firewall filter
add action=accept chain=forward comment="VPN to file server only" \
    dst-address=192.168.88.50 src-address=10.66.66.0/24

add action=drop chain=forward comment="Block VPN from rest of LAN" \
    dst-address=192.168.88.0/24 src-address=10.66.66.0/24

Place these rules BEFORE general accept rules.


Time-Based Access

Allow VPN access only during business hours:

/ip firewall filter
add action=accept chain=input dst-port=13231 protocol=udp \
    time=8h-18h,mon,tue,wed,thu,fri comment="VPN access business hours only"

add action=drop chain=input dst-port=13231 protocol=udp \
    comment="Block VPN outside business hours"

Security Best Practices

Strong Passwords

For L2TP users:

  • Minimum 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Unique per user

Generate with:

openssl rand -base64 12
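The /ppp secret entries in Step 4 of the L2TP method and the password rules above are one procedure: every account needs its own random password that meets the policy and an address from l2tp-pool. The following Python script is an added example, not the template's or RouterOS's own code. It generates passwords with the secrets module under the policy stated above, refuses values that do not meet it, and prints the /ppp secret command for each user exactly in the Step 4 layout. The account names and addresses in the sample run are the template's; the generated passwords are, of course, random each run.

```python
"""Account provisioning for Step 4 of the L2TP template, enforcing the password
policy from Strong Passwords (12+ characters, upper, lower, digit, symbol, unique
per user). Added example, not the template's own code."""
import ipaddress
import re
import secrets
import string

MIN_LENGTH = 12
LOCAL_ADDRESS = "192.168.99.1"          # as in /ppp profile and /ppp secret above
PROFILE = "default-encryption"
POOL_FIRST = ipaddress.ip_address("10.88.88.10")   # l2tp-pool from Step 2
POOL_LAST = ipaddress.ip_address("10.88.88.250")
NAME_RE = re.compile(r"^[a-z0-9._-]+$")

# Symbols exclude the characters RouterOS treats specially inside a double-quoted
# string ($ " \), so the generated command pastes into the terminal unchanged.
SYMBOLS = "!@#%^*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
UNSAFE = set('$"\\')


def password_meets_policy(pw: str) -> bool:
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = 16) -> str:
    """CSPRNG-backed; resample until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_meets_policy(pw):
            return pw


def ppp_secret_command(name: str, password: str, remote_address: str, comment: str) -> str:
    if not NAME_RE.match(name):
        raise ValueError(f"user name {name!r} must be lowercase letters, digits, . _ -")
    if not password_meets_policy(password):
        raise ValueError(f"password for {name} does not meet the policy")
    if UNSAFE & set(password + comment):
        raise ValueError("password or comment contains $, \" or \\")
    ip = ipaddress.ip_address(remote_address)
    if not POOL_FIRST <= ip <= POOL_LAST:
        raise ValueError(f"{remote_address} is outside l2tp-pool")
    return (f"/ppp secret add local-address={LOCAL_ADDRESS} name={name} "
            f'password="{password}" profile={PROFILE} '
            f'remote-address={ip} service=l2tp comment="{comment}"')


def provision(users):
    """users: list of (name, remote_address, comment). Returns (name, password, command)
    per user; the password goes to the user out of band, the command to the router."""
    out, used_pw, used_ip = [], set(), set()
    for name, addr, comment in users:
        if addr in used_ip:
            raise ValueError(f"{addr} assigned twice")
        used_ip.add(addr)
        pw = generate_password()
        while pw in used_pw:          # enforces "unique per user" (practically never loops)
            pw = generate_password()
        used_pw.add(pw)
        out.append((name, pw, ppp_secret_command(name, pw, addr, comment)))
    return out


if __name__ == "__main__":
    # Constructed sample run with the three accounts from Step 4
    for name, pw, cmd in provision([("john", "10.88.88.10", "John Doe - Remote Access"),
                                    ("sarah", "10.88.88.11", "Sarah Smith - Remote Access"),
                                    ("mike", "10.88.88.12", "Mike Johnson - Remote Access")]):
        print(f"# {name}: {pw}\n{cmd}")
```

The same password_meets_policy check is useful when a user asks for a password change with /ppp secret set: run their proposed value through it before applying it on the router.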

Pre-Shared Key Security

For L2TP/IPsec:

  • Use strong, random pre-shared key
  • Change regularly (quarterly)
  • Don't reuse across systems

Monitor Connections

Daily check:

/interface wireguard peers print
# or
/ppp active print

Look for:

  • Unexpected users
  • Unusual connection times
  • Abnormal traffic volumes

Log Failed Attempts

Enable logging:

/system logging
add topics=l2tp,ppp,info action=memory
add topics=wireguard,info action=memory

Review logs weekly:

/log print where topics~"l2tp" or topics~"wireguard"
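Reading /log print by eye once a week does not scale past a handful of users, and the three things to look for above (unexpected users, unusual connection times, repeated failures) are mechanical checks. The following Python script is an added example, not part of the template or of RouterOS. It parses log lines of the form produced by the l2tp,ppp topics enabled above, counts authentication failures per account, flags successful logins from accounts that are not in the template's /ppp secret list, and flags logins outside the 8h-18h Monday to Friday window used by the Time-Based Access rule. The sample lines are constructed and only approximate RouterOS wording, and the year is an assumption because RouterOS timestamps do not carry one; check both against your router's real output before relying on the patterns.

```python
"""Weekly review of the L2TP log topics enabled above: failures per account, logins
from unknown accounts, and logins outside business hours. Added example, not the
template's own code; sample lines are constructed."""
import re
from collections import Counter
from datetime import datetime, time

KNOWN_USERS = {"john", "sarah", "mike"}          # the /ppp secret accounts in Step 4
FAIL_THRESHOLD = 3                               # failures per account that warrant a look
BUSINESS_HOURS = (time(8, 0), time(18, 0))       # 8h-18h, Mon-Fri, as in the time= rule
LOG_YEAR = 2025  # assumption: RouterOS timestamps carry no year, needed for the weekday

# Constructed sample approximating '/log print' lines. Real RouterOS message wording
# may differ; adjust OK_RE and FAIL_RE below to match what your router actually logs.
SAMPLE_LOG = """\
jan/15 08:32:11 l2tp,ppp,info <l2tp-john>: authenticated
jan/15 12:05:40 l2tp,ppp,info <l2tp-sarah>: authenticated
jan/15 22:05:02 l2tp,ppp,info <l2tp-mike>: authenticated
jan/16 03:11:09 l2tp,ppp,error <l2tp-admin>: user admin authentication failed
jan/16 03:11:15 l2tp,ppp,error <l2tp-admin>: user admin authentication failed
jan/16 03:11:21 l2tp,ppp,error <l2tp-root>: user root authentication failed
jan/16 03:11:27 l2tp,ppp,error <l2tp-admin>: user admin authentication failed
jan/18 10:20:00 l2tp,ppp,info <l2tp-guest>: authenticated
"""

LINE_RE = re.compile(r"^(?P<stamp>[a-z]{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>\S+) (?P<msg>.*)$")
OK_RE = re.compile(r"<l2tp-(?P<user>[^>]+)>: authenticated$")
FAIL_RE = re.compile(r"user (?P<user>\S+) authentication failed$")


def parse_stamp(stamp: str) -> datetime:
    """'jan/15 08:32:11' -> datetime, with the assumed year added."""
    return datetime.strptime(f"{stamp} {LOG_YEAR}", "%b/%d %H:%M:%S %Y")


def in_business_hours(ts: datetime) -> bool:
    return ts.weekday() < 5 and BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]


def review(log_text: str) -> dict:
    failed = Counter()
    unknown, off_hours = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "l2tp" not in m["topics"].split(","):
            continue
        ts, msg = parse_stamp(m["stamp"]), m["msg"]
        if f := FAIL_RE.search(msg):
            failed[f["user"]] += 1
        elif ok := OK_RE.search(msg):
            user = ok["user"]
            if user not in KNOWN_USERS:
                unknown.add(user)
            if not in_business_hours(ts):   # only successful logins are judged by time
                off_hours.append((user, ts.strftime("%a %Y-%m-%d %H:%M")))
    return {
        "failed_by_user": failed,
        "brute_force_suspects": sorted(u for u, n in failed.items() if n >= FAIL_THRESHOLD),
        "unknown_users": sorted(unknown),
        "off_hours_logins": off_hours,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the output of the /log print command above (saved to a file, or read over SSH) instead of SAMPLE_LOG. An account in brute_force_suspects that is not in KNOWN_USERS is someone guessing names; a known account in off_hours_logins is worth a quick call to its owner.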

Troubleshooting

WireGuard: "Last Handshake: never"

  1. Check firewall allows UDP 13231
  2. Verify public keys match
  3. Check endpoint address is correct
  4. Verify allowed-address on router includes user IP

L2TP: Can't Connect

  1. Verify ipsec-secret matches on client and server
  2. Check username/password in /ppp secret
  3. Ensure firewall allows UDP 500, 4500, 1701, ESP
  4. Check logs: /log print where topics~"l2tp"

VPN Connects But Slow

  1. Check router CPU: /system resource print
  2. Test bandwidth without VPN
  3. Try reducing MTU on WireGuard interface
  4. Consider switching L2TP to WireGuard (faster)

Quick Reference

WireGuard - Check connected users:

/interface wireguard peers print

L2TP - Check active connections:

/ppp active print

View user accounts:

/ppp secret print

Disconnect all VPN users:

/ppp active remove [find]

View VPN logs:

/log print where topics~"wireguard" or topics~"l2tp"

Backup Configuration

After setup:

/system backup save name=remote-vpn-working
/export file=remote-vpn-config

Part of MikroTik First 30 Days — Module 3 Deliverable
RouterOS 7.20.5 Compatible