MikroTik Cloud DDNS and L2TP IPsec VPN Setup Guide.

MikroTik Router Model: MikroTik hAP AX2 Dual Band Router (C52iG-5HaxD2HaxD-TC)

MikroTik’s Cloud feature is a free Dynamic DNS (DDNS) service that’s easy to enable in RouterOS. DDNS is helpful when your ISP gives you a dynamic public IP (common unless you pay for static). If you want to run a VPN server, port-forward to a gaming/media server, or remotely access an IP camera, you’ll need either a static public IP or DDNS.

Note: This won’t work if your WAN uses CGNAT (addresses 100.64.0.1–100.127.255.254) because those aren’t public-facing.

In a previous post, Why Replace Your Home Router With a MikroTik hAP AX2 Dual Band Router?, we set up the MikroTik as the gateway router terminating the internet connection and receiving a public IP. Below we’ll enable Cloud DDNS, then configure a basic L2TP/IPsec VPN server (natively supported on Windows and macOS).

1) Enable MikroTik Cloud DDNS

1. Log in to your MikroTik.
2. Go to IP → Cloud.
   
3. Tick Enable DDNS and click Apply.
   
   
4. A DNS Name will appear—this is your DDNS address. If your WAN has a public IP, you should be able to ping this DNS name.
   
   

You now have a public-facing address to use for services like VPN.

2) Turn On the L2TP/IPsec Server

1. Go to PPP → L2TP Server.
2. Enable the server.
3. Set Use IPsec to required.
   
4. In IPsec Secret, set a strong pre-shared key (avoid weak phrases). Click OK.

3) Create a VPN IP Pool

1. Go to IP → Pool.
   
   
2. Click New, name the pool, and in Addresses enter a range for VPN clients, e.g. 192.168.99.2–192.168.99.100 (up to 99 clients). For ~10 clients, use 192.168.99.2–192.168.99.11.
   
   
3. Use a private IP range that doesn’t overlap with your router’s LAN subnet.
   

4) Set the VPN Profile

1. Go to PPP → Profiles.
   
2. Edit the default profile:
   • Local Address: 192.168.99.1 (the VPN server’s address)
   • Remote Address: select the VPN pool you created
3. Click OK.

5) Add VPN Users

1. Go to PPP → Secrets.
   
   
2. Click New and create a username and password for each user/client.
3. Click OK.

6) Open the Firewall for L2TP/IPsec

1. Go to IP → Firewall → Filter Rules → New.
   • Chain: input
   • Protocol: 17 (udp)
   • Dst. Port: 1701,500,4500
   Click OK.
   
   
2. Create another rule:
   • Chain: input
   • Protocol: 50 (ipsec-esp)
   Click OK.
   
   
3. Drag these new rules to the top of the Filter Rules list so they take effect (rules are processed top-down).
   
   

7) Optional: Access the Router GUI via VPN

To allow router access when connected over VPN, add the VPN interface to the LAN list:

1. Go to Interfaces → Interface List.
2. Click New, set List to LAN, and Interface to your VPN user interface.
   
   
3. Click OK.
   
   

8) Set Up the Windows VPN Client

1. On Windows, open VPN Settings → Add VPN.
   
   
   
2. Fill in:
   • Connection name: anything you like
   • Server name or address: your DDNS address from Step 1
   • VPN type: L2TP/IPsec with pre-shared key
   • Pre-shared key: your IPsec secret
   • Username/Password: the VPN user you created (e.g., user1 / ********)
     
     
     
3. Click Save, then Connect (from Settings → Network & Internet → VPN or the taskbar network icon).
   

You should now be able to connect to your network securely from anywhere.