I’ve been using Private Internet Access for many years. Speeds are generally good on multiple servers, support for Linux is good and you can even set up and run a VPN from different routers, including MikroTik.
Below is my config and winbox screenshots for connecting a single IP address to a PIA L2TP / IPsec VPN. Whether there’s something more optimal, I can’t say, but the below works.
Obviously, you’ll need a Private Internet Access account, and you can choose any of the networks shown on their networks page. You’ll also need a PPTP/L2TP/SOCKS username and password, which is different from your login / desktop / mobile VPN app login. PPTP/L2TP/SOCKS usernames and passwords begin with “x0” instead of “p0” from my understanding. You can get that from within your control panel when logging into the website.
L2TP Config
/interface l2tp-client add connect-to=SERVER.privateinternetaccess.com disabled=no ipsec-secret=mysafety name=pia-out password=PASSWORD use-ipsec=yes user=USERNAME
IPsec Config
/ip ipsec proposal set [ find default=yes ] pfs-group=none
IP Firewall NAT Config
/ip firewall nat add action=masquerade chain=srcnat out-interface=pia-out
IP Firewall Mangle Config
/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=PIA passthrough=yes src-address=192.168.88.123
IP Route Config
/ip route add distance=1 gateway=pia-out routing-mark=PIA
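An added example, not part of the original post: with the rules above, if pia-out drops, the route marked PIA goes inactive and the lookup falls through to the main routing table, so 192.168.88.123 goes out the normal WAN outside the VPN. The two rules below close that gap; they assume RouterOS v6 syntax and reuse the names from this post (routing mark PIA, interface pia-out, client 192.168.88.123).

```routeros
# Added example (RouterOS v6 syntax assumed), not from the original post.

# 1. Fallback route in the PIA table. While pia-out is up, the distance=1
#    route from the post wins. When the tunnel drops, that route becomes
#    inactive and this blackhole discards the marked traffic instead of
#    letting the lookup fall through to the main table and the WAN.
/ip route add dst-address=0.0.0.0/0 type=blackhole distance=2 routing-mark=PIA \
    comment="PIA kill switch"

# 2. Second layer in the forward chain: traffic from the client may only be
#    routed out through the tunnel. Place this above any general accept
#    rules. It also blocks routed access from this client to other local
#    subnets; bridged traffic inside 192.168.88.0/24 is not affected.
/ip firewall filter add chain=forward action=drop src-address=192.168.88.123 \
    out-interface=!pia-out comment="PIA kill switch"

# Check: take the tunnel down and confirm the client loses internet access
# rather than switching to the WAN, then bring it back up.
/interface l2tp-client disable pia-out
/interface l2tp-client enable pia-out
```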
Screenshots (images not included): IPsec Config, IP Firewall NAT Config, IP Firewall Mangle Config, IP Route Config.
I had to rebuild my PIA VPN recently due to moving to a new router, a MikroTik hAP AC, and couldn’t get it working by memory or some random guide I found online, so had to restore an old config. I figured it’d be helpful for some others as well.
Any critiques, recommendations or questions, let me know.
L2TP is no longer supported by PIA as of mid-November 2020. I have spent a lot of time messaging PIA support. They are removing L2TP for our own good, of course – not to increase profitability or anything cynical like that.
WireGuard isn’t (and may never be) supported on RouterOS. Their only recommendation was to set up OVPN on the router and use the config files for the next generation servers.
Thanks for the heads up. I stopped using PIA the first of November and wanted to remove references to them; this will give me more incentive to act sooner.
I’m certain I read it’s possible on v7 beta firmware and hAP ac2 to use PIA / WireGuard, though I never got around to trying it out.
WireGuard is in RouterOS v7.