Setting Up L2TP VPN Client in Mikrotik WiFi Router

haRies Efrika
7 min read · Apr 15, 2021

VPN? In a router? What for?

[Image: https://www.vpnunlimitedapp.com/img/help/vpn-protocols/l2tp_8069_8873.png]

If you are working from home, Virtual Private Networking (VPN) will be a familiar term. A VPN encrypts all communication between your laptop at home and a server connected to your office network, so it feels as if you were working directly from the office. Nobody on the path in between can read that traffic (the protection covers the stretch between your device and the VPN server; past the server, traffic continues as it normally would). Normally you need to authenticate yourself to use the office VPN, and many companies enforce a second factor on top of the password (for example, a code sent to your mobile phone).

Another way to benefit from a VPN is in a public space, on free public WiFi. To stop your network traffic from being read by whoever else is on that network, a VPN can help secure your connection.

Other, less common benefits include:

Reaching blocked websites

For example, one ISP in Indonesia used to block Netflix. Although it recently gave up and unblocked Netflix like the other ISPs, this was pretty annoying for its subscribers. Many people used a paid VPN service to get around it: all of your traffic is encrypted, so the ISP cannot even tell that you are trying to reach Netflix. Netflix, however, has its own reasons to block VPNs.

If you connect through a US server, Netflix sees you as if you were in the US, and lets you watch content that is licensed only for the US/Canada and not for your own country.

Most public, paid VPN server addresses are already blocked by Netflix, though. If you still run into this kind of issue, you may try a small VPN service whose address ranges Netflix has not yet noticed.

As for myself, I sometimes use a VPN to access my favorite manga sites 😙

Speed up your downloads

In theory this is not possible. If you subscribe to an "up to" 20 Mbps internet plan, a VPN cannot push your speed past 20 Mbps. But take note of the words "up to". This is a marketing phrase that indicates the ISP is overselling its bandwidth. During off-peak hours, I believe your speed test will hit 20 Mbps or more. Try it during peak hours, such as Saturday night, and it is no surprise if the speed drops.

What not many people realize is that intra-country (local) bandwidth is actually cheap, so the slowdown during peak hours is most likely not caused by it. But this is the "internet" we are talking about, so of course we access international websites too, right? Yes, and it is the international bandwidth that ISPs are restricting.

If you have a VPN server sitting in a local data center with reserved international bandwidth, you can try connecting through it. Your download speed during peak hours will then be full again (up to whatever the data center's bandwidth allows).

Overcoming NAT restrictions for online gaming

If you play "Animal Crossing: New Horizons" (ACNH) on the Nintendo Switch online with your friends, you may have noticed that not all ISPs are the same. Not everybody can get online in ACNH, or in Nintendo online games generally.

I have two ISPs at home. One of them is kind enough to give me a public IP address for free. This means that, if set up correctly, any of you could reach my house, or even my Nintendo Switch console, from the internet. During online play ACNH uses a peer-to-peer model: instead of connecting to a Nintendo server, you connect directly to your friend's Switch.

What does that mean? Your friend's ISP must give them a public IP address, or at least a NAT configuration that allows connections back to their wireless router. With a dedicated public IP address, properly configured, the Nintendo Switch connection test reports NAT type A, the most compatible type. Common ISPs will not give you a dedicated IP address, but their network configuration is lenient enough that you get NAT type B. If the test yields NAT type C or D, the ISP's network really blocks any outside traffic to your router. In that case you can try a VPN to a dedicated server, which will at least get you NAT type B.

But hey, the Nintendo Switch does not have a VPN client, right? Correct.

This is why we want to install the VPN client in our WiFi router instead.

What I wanted to do at home is have another, dedicated WiFi router with a VPN client configured inside it. Whenever I need any of the perks mentioned above, I just connect to a different access point. Easy, right? Then we don't have to bother with VPN clients on each of our devices: television, Switch, PS4, PC, etc.

So, which WiFi routers have a VPN client built in?

There are many. When looking at product specifications in a marketplace, just search for VPN capability. You may be surprised, however, that most of them only support these types:

  • PPTP without encryption
  • L2TP without encryption (that is, L2TP without IPsec)

Ah yes, I forgot to mention that encryption is actually optional in these VPN protocols. L2TP by itself is only a tunnel: it carries PPP frames with no encryption at all, and the confidentiality people associate with an "L2TP VPN" comes from wrapping it in IPsec (L2TP/IPsec). PPTP's own encryption, MPPE, is keyed from the MS-CHAPv2 handshake and is considered broken, so "PPTP with encryption" is not much better than without. Many routers don't support the encrypted variants because they need a bigger processor (read: a higher price). Even when they do, the stability is questionable: you may experience many disconnects, or even trouble connecting at all, with the cheap routers out there.

I will save you the time and money of researching which router is best for VPN.

Seek no further: get a Mikrotik.

[Image: https://images.tokopedia.net/img/cache/700/product-1/2020/4/9/4476432/4476432_c5b44b5b-6240-4a1f-ab20-33ea20649467_687_687]

This Mikrotik RB941-2nD (the "hAP lite") costs around USD 20, which is pretty affordable. It is indeed powerful; however, the configuration is not as easy as on other common routers.

Step 1: set up PPP

The router address on a Mikrotik is a bit different: usually you go to http://192.168.1.1, but here you need to go to http://192.168.88.1. If you have not already done so, set a password for the admin user before anything else. After logging in, go to the PPP settings.

As you can see, I had already set up two L2TP VPN clients there. On a brand-new router you will see no rows, and you need to click Add New, then choose the VPN type you want. It supports a wide range of clients, including PPTP, L2TP, SSTP and even OpenVPN. You can also set up a VPN server instead of a client here. Very neat.

In this article we will set up the L2TP type, because it is the most common one, supported by almost all commercial VPN providers.

Enter a name for the connection, the server address, user and password, and, if your VPN requires an IPsec pre-shared key, enter it as well. In my case the IPsec PSK is not required. Keep in mind, though, that L2TP without IPsec sends the tunnelled traffic in the clear between your router and the VPN server, so the sniffing protection described at the top of this article only holds if your provider gives you a PSK (or certificates) and you enable IPsec here. For MTU/MRU, enter the values your provider suggests (RouterOS defaults to 1450 for L2TP); a wrong MTU leads to fragmentation problems such as sites that half-load or hang.

Step 2: edit firewall settings

Go to the Firewall menu, choose the NAT tab, then add a new rule as follows.

The rule belongs to the srcnat chain: before traffic goes out through the out-interface l2tp-mozfactor that we created on the PPP page, its private source address is rewritten to the tunnel's address. Scroll down the page to find the masquerade action.

Still on the firewall page, go to the Mangle tab, then add new. In the screenshot below I had actually already added the item, just for your information.

Configure the new Mangle rule as follows.

This means the rule applies to local source addresses from .10 to .254, i.e. the DHCP pool (192.168.88.10-192.168.88.254 on this router's default configuration) and not the router itself.

Scroll down to the action mark routing and enter any name you like as the New Routing Mark. It is important NOT to tick the passthrough option: with passthrough on, the packet keeps traversing the remaining mangle rules after it has been marked, which in this case only slows down your traffic.

Step 3: edit routes

Go to the Routes menu, then add new.

Note: the screenshot above shows I had already added it as the 2nd line.

Dst. Address is the destination range that has to go through the VPN (0.0.0.0/0 if everything from the marked hosts should use it); pick the VPN interface we created as the gateway, then choose the routing mark we created beforehand. One caveat: when the tunnel drops, this route becomes inactive and the marked traffic falls back to the main routing table, i.e. it leaves through your ISP in the clear. If you would rather have it dropped, add a second route with the same routing mark, type blackhole and a higher distance (for example 254); it only takes over while the VPN route is down.

Step 4: update DNS

Go to the DNS menu under the IP section.

Fill in the DNS servers we want to use, and tick Allow Remote Requests. This makes the router a DNS resolver for the LAN. The default firewall's "drop all not coming from LAN" input rule keeps that resolver private; if you have removed it, add a rule dropping TCP and UDP port 53 on the WAN interface, otherwise you are running an open resolver on your public IP.

Then go to the DHCP Client page and untick "Use Peer DNS". If it stays ticked, the DNS servers handed out by the ISP override the ones we set above. Note also that the router's own queries to those servers leave through the main routing table, not the tunnel, because the mangle rule in Step 2 only sees traffic forwarded from the LAN; if that DNS leak matters to you, add a second mark-routing rule in the output chain for UDP port 53.

Finally, check that the traffic is OK

Go back to the PPP page to see the result. If you see non-zero, rising values for both Tx and Rx, we should be good. Try connecting a device to this access point and then visit https://whatismyipaddress.com/ to see whether you are now using the VPN's IP address.
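As an added example (not the article's own configuration or screenshots), here is the whole procedure of Steps 1 to 4 and the final check as RouterOS v6 terminal commands, which you can paste into the Terminal in WebFig/WinBox or over SSH. Everything the article does not name is an assumption: the WAN interface ether1 (with a DHCP client on it), the LAN 192.168.88.0/24 with the default DHCP pool .10-.254, the routing mark via-vpn, the VPN server address 203.0.113.10, the account credentials and the resolver addresses. It also adds three things the article's steps leave out but a practitioner will want: IPsec on the L2TP client, a blackhole kill switch so marked traffic is dropped rather than leaked via the ISP when the tunnel drops, and an output-chain mark so the router's own DNS queries use the tunnel too.

```routeros
# Added example: RouterOS v6 CLI equivalent of Steps 1-4 plus the final check.
# Not the article's own configuration. Assumed names: WAN = ether1 (DHCP client),
# LAN = 192.168.88.0/24 (RouterOS default), VPN server 203.0.113.10,
# routing mark via-vpn, credentials and resolvers as placeholders.

# Step 1: L2TP client. use-ipsec=yes + ipsec-secret gives L2TP/IPsec; without
# them the tunnel payload crosses the internet unencrypted. add-default-route=no
# keeps the tunnel from replacing the router's own default route; we steer
# traffic with a routing mark instead. connect-to is an IP literal on purpose:
# with the DNS mark and kill switch below, the router cannot resolve a hostname
# while the tunnel is down, so it could never re-dial.
/interface l2tp-client add name=l2tp-mozfactor connect-to=203.0.113.10 \
    user=vpnuser password=CHANGE_ME use-ipsec=yes ipsec-secret=CHANGE_ME_PSK \
    add-default-route=no max-mtu=1450 max-mru=1450 disabled=no

# Step 2a: NAT. LAN hosts have private addresses, so masquerade everything that
# leaves through the tunnel (the VPN server only knows the tunnel's address).
/ip firewall nat add chain=srcnat out-interface=l2tp-mozfactor action=masquerade

# Step 2b: Mangle. Mark routing for the DHCP pool (.10-.254), skipping traffic
# that stays on the LAN. passthrough=no stops rule processing once marked.
/ip firewall mangle add chain=prerouting \
    src-address=192.168.88.10-192.168.88.254 dst-address=!192.168.88.0/24 \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="LAN clients -> VPN"

# The prerouting rule never sees packets the router itself generates. Its DNS
# queries (Step 4) would otherwise leave via the ISP, so mark them in output.
/ip firewall mangle add chain=output protocol=udp dst-port=53 \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="router DNS -> VPN"

# Step 3: routes. The first route is the article's one. The blackhole route is
# a kill switch: when the tunnel is down the first route goes inactive and
# marked traffic is dropped instead of falling back to the main table (ISP).
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-mozfactor \
    routing-mark=via-vpn distance=1 comment="marked traffic via VPN"
/ip route add dst-address=0.0.0.0/0 type=blackhole \
    routing-mark=via-vpn distance=254 comment="kill switch when VPN is down"

# Step 4: DNS. The router resolves for the LAN; do not let the ISP's DHCP
# overwrite the resolver list. Resolver addresses are an assumption.
/ip dns set servers=1.1.1.1,1.0.0.1 allow-remote-requests=yes
/ip dhcp-client set [find interface=ether1] use-peer-dns=no

# allow-remote-requests=yes would answer the whole internet if the WAN input
# chain were open. The default hAP lite firewall already drops input that is
# not from the LAN; these two rules make that explicit for DNS in case it was
# removed. Move them above any broad accept rule in the input chain.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp \
    dst-port=53 action=drop comment="no open resolver on WAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=53 action=drop comment="no open resolver on WAN"

# Final check: tunnel status (should say connected, with IPsec in use), the
# active route in the marked table, and Tx/Rx actually flowing on the tunnel.
/interface l2tp-client monitor l2tp-mozfactor once
/ip route print where routing-mark=via-vpn
/interface monitor-traffic l2tp-mozfactor once
```

Two things to keep in mind when adapting this. On RouterOS v7 the routing table has to exist before a route can reference it (`/routing table add name=via-vpn fib`) and the route uses `routing-table=via-vpn` instead of `routing-mark=`; the mangle rules are unchanged. And the kill switch, the output-chain DNS mark and the IP-literal `connect-to` go together: if you drop the DNS mark, the router can resolve a hostname again but its lookups leak via the ISP, and if you drop the kill switch, all marked traffic leaks via the ISP whenever the tunnel is down. Test from a LAN client, not from the router, since only the LAN pool and DNS are marked.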

Cheers mate 🍻
