PIA L2TP/IPsec VPN Setup – Mikrotik

I’ve been using Private Internet Access for many years. Speeds are generally good on multiple servers, support for Linux is good, and you can even set up and run a VPN from various routers, including Mikrotik.

Below is my config and winbox screenshots for connecting a single IP address to a PIA L2TP / IPsec VPN. Whether there’s something more optimal, I can’t say, but the below works.

Obviously, you’ll need a Private Internet Access account, and you can choose any of the networks shown on their networks page. You’ll also need a PPTP/L2TP/SOCKS username and password, which is different from the login you use for the website and the desktop / mobile VPN apps. From my understanding, PPTP/L2TP/SOCKS usernames begin with “x0” instead of “p0”. You can generate these from within your control panel when logged into the website.

L2TP Config

/interface l2tp-client
add connect-to=SERVER.privateinternetaccess.com disabled=no ipsec-secret=mysafety name=pia-out password=PASSWORD use-ipsec=yes user=USERNAME

IPsec Config

/ip ipsec proposal
set [ find default=yes ] pfs-group=none

IP Firewall NAT Config

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pia-out

IP Firewall Mangle Config

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=PIA passthrough=yes \
    src-address=192.168.88.123

IP Route Config

/ip route
add distance=1 gateway=pia-out routing-mark=PIA
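One thing worth adding to the route and mangle rules above, as an added example that is not part of the original post: when the PIA routing table has no active route (the tunnel is down), RouterOS falls back to the main table, so the marked host would quietly go out the normal WAN. The rules below make that fail closed. They assume the names used in the post (pia-out, routing mark PIA, host 192.168.88.123) and RouterOS v6 syntax.

```routeros
# Added example, not from the original post. Assumes the post's names:
# tunnel interface pia-out, routing mark PIA, and the policy-routed host
# 192.168.88.123. RouterOS v6 syntax (routing-mark=, not v7 routing-table=).

# A blackhole route in the PIA table with a worse distance stays inactive
# while the pia-out route is up and takes over the moment the tunnel drops,
# so lookups no longer fall through to the main table's WAN default route.
/ip route
add distance=2 type=blackhole routing-mark=PIA \
    comment="PIA down: drop the marked host's traffic instead of leaking it"

# Belt and braces: forbid forwarded traffic from that host on any interface
# other than the tunnel, whatever the routing decision was. place-before=0
# puts it above the default fasttrack/accept-established rules so already
# established flows cannot bypass it.
/ip firewall filter
add action=drop chain=forward src-address=192.168.88.123 out-interface=!pia-out \
    place-before=0 comment="PIA kill switch: this host only leaves via pia-out"
```

Check it by disabling pia-out and confirming the host loses connectivity rather than reaching the internet with your WAN address.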


Screenshots

(Winbox screenshots of each section above are not reproduced here: L2TP Config, IPsec Config, IP Firewall NAT Config, IP Firewall Mangle Config, IP Route Config.)

I had to rebuild my PIA VPN recently due to moving to a new router, a MikroTik hAP AC, and couldn’t get it working by memory or some random guide I found online, so had to restore an old config. I figured it’d be helpful for some others as well.

Any critiques, recommendations or questions, let me know.


3 Replies to “PIA L2TP/IPsec VPN Setup – Mikrotik”

  1. L2TP is no longer supported by PIA as of mid-November 2020. I have spent a lot of time messaging PIA support. They are removing L2TP for our own good, of course – not to increase profitability or anything cynical like that.

    Wireguard isn’t (and may never be) supported on RouterOS. Their only recommendation was to set up OVPN on the router and use the config files for the next generation servers.

  2. Thanks for the heads up. I stopped using PIA the first of November and wanted to remove references to them; this will give me more incentive to act sooner.

    I’m certain I read it’s possible on v7 beta firmware and hap ac2 to use PIA / Wireguard, though I never got around to trying it out.
