Month: January 2018

How-to VPN: Private Internet Access (PIA) and MikroTik Router

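# First create a PPP profile to use when creating l2tp/pptp connections
# to privateinternetaccess.
#
# [pia-dns-1],[pia-dns-2]
# The DNS server addresses. The values are missing from this page
# (the line read "dns-server=,"); fill them in or drop the parameter.
#
# use-encryption=required makes the router drop a session that does not
# negotiate PPP encryption (MPPE). Nothing on this page enables IPsec for
# the tunnel, so MPPE is the only protection; treat it as weak, not as
# strong confidentiality.
# use-ipv6=no: the tunnel carries IPv4 only.

/ppp profile add change-tcp-mss=yes comment="PIA VPN" \
    dns-server=[pia-dns-1],[pia-dns-2] name=privateinternetaccess \
    only-one=no use-compression=no use-encryption=required use-ipv6=no \
    use-mpls=no use-upnp=no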

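# Create the l2tp interface.
#
# [pia-l2tp-server]
# Address of the PIA l2tp server to connect to. The value is missing
# from this page; take it from your provider's server list.
# [l2tp-username]
# Your PIA username for l2tp/pptp/socks connections
# beginning with 'x' (not 'p'!)
# [l2tp-password]
# Your PIA password for l2tp/pptp/socks connections
#
# The password is kept in the router configuration and can show up in
# configuration exports and backups, so handle those files as secrets.
# (The stray "\ " in the middle of the first line of the original command
# has been removed; a backslash is only valid as the last character of
# a continued line.)

/interface l2tp-client add comment="PIA VPN Germany" \
    connect-to=[pia-l2tp-server] disabled=no \
    name=pia-de-l2tp password=[l2tp-password] \
    profile=privateinternetaccess user=[l2tp-username]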

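# Create a firewall mangle rule to mark the traffic we want to
# go through the vpn.
#
# [ip-range-to-forward-through-vpn]
# Source address or range of the LAN clients that should use the vpn.
# The example values ("Fx. ... or ...") are missing from this page.
#
# The original command ended in a dangling "\" with no matcher after it.
# Without src-address the rule would mark every packet in prerouting,
# not only the chosen clients.
# This is an IPv4 rule (/ip firewall); IPv6 traffic from the same
# clients is not marked and does not use the tunnel.

/ip firewall mangle add action=mark-routing \
    chain=prerouting comment="PIA VPN Germany" \
    new-routing-mark="PPTP RM" passthrough=yes \
    src-address=[ip-range-to-forward-through-vpn]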

# Source-NAT (masquerade) everything that leaves the router through the
# vpn interface, so client traffic is sent with the tunnel's address.

/ip firewall nat add chain=srcnat out-interface=pia-de-l2tp \
    action=masquerade comment="PIA VPN Germany"
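# Create a default route that matches the previous NAT rule. It is
# only used for traffic that has been marked with 'PPTP RM'.
#
# The route was listed with disabled=yes, which leaves marked traffic on
# the normal uplink; it is enabled here so the setup does what the page
# describes.
#
# NOTE(review): on RouterOS v6, when the tunnel is down this route goes
# inactive and marked traffic is looked up in the main table, so it
# leaves unprotected through the regular gateway. To fail closed, add a
# second route for the same routing-mark with a higher distance and
# type=blackhole, and confirm the behaviour on your RouterOS version.

/ip route add comment="PIA VPN Germany" disabled=no \
    distance=1 gateway=pia-de-l2tp routing-mark="PPTP RM"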

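# Once pia-de-l2tp is connected and the route above is enabled, you
# should see traffic from clients in the ip range
# of [ip-range-to-forward-through-vpn] go through the vpn.
# Check from one of those clients that its public address is the vpn's,
# and check where its DNS queries go.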