GUIDE / VPN
VPN.
RouterOS supports five VPN protocols natively (WireGuard, IPsec, L2TP, SSTP, OpenVPN) plus PPTP for legacy compatibility. This hub picks the three you should be choosing between in 2026 and links the per-protocol setup walkthroughs.
Which protocol
| Use case | Pick | Why |
|---|---|---|
| Road-warrior client (laptop, phone) → home router | WireGuard | Modern crypto, tiny config, every major OS has a client. RouterOS v7 only. |
| Site-to-site (office ↔ office) | IPsec | Industry-standard interop with non-MikroTik gear. Stable on long-lived tunnels. |
| Road-warrior on RouterOS v6, or Windows-builtin clients | L2TP/IPsec | WireGuard doesn't ship on v6; Windows / iOS / macOS have native L2TP/IPsec clients. |
Quick comparison
| Protocol | Throughput | RouterOS support | Client support | Setup cost |
|---|---|---|---|---|
| WireGuard | Highest (kernel-mode, single UDP socket) | v7 only | Native on Linux, Windows, macOS, iOS, Android via official client | Low — generate keypair, paste config |
| IPsec (IKEv2) | High | v6 + v7 (syntax differs) | Native on Windows, macOS, iOS, Android, strongSwan on Linux | Medium — proposals, peers, policies, NAT-T |
| L2TP/IPsec | Medium | v6 + v7 | Native on Windows, macOS, iOS — Android dropped it in 12 | Medium — PSK + per-user secrets, two-layer encap overhead |
| OpenVPN | Low to medium (userspace, single-threaded) | v6 + v7 | Excellent (official clients everywhere) | High — PKI, server config, separate client config per user |
| SSTP | Low | v6 + v7 | Native Windows; awkward elsewhere | Medium — TLS cert + PPP user setup |
| PPTP | Medium | v6 + v7 (deprecated upstream guidance) | Was native everywhere; dropped from most OSes | Don't. Cryptographically broken. Listed for completeness. |
What this guide skips
- OpenVPN. Works, but setup cost is high and WireGuard replaces it for everything except "I already have an OpenVPN PKI in production". If that's you, MikroTik's own wiki has a workable walkthrough — we don't duplicate it here.
- SSTP. Niche — useful when you have a Windows shop and a strict firewall that allows only outbound 443. If that's not you, pick something else.
- PPTP. Cryptographically broken since 2012. Listed in the comparison table only so a search for "RouterOS PPTP" lands on "use anything else".