Warning: PPTP is broken and obsolete. Attackers can crack MS-CHAPv2 in minutes. Only use this for legacy devices or lab tests. For a production‑ready VPN, follow our WireGuard setup guide instead.
Prerequisites
- MikroTik router (RouterOS v6 or v7)
- Public IP or forwarded ports: TCP 1723 + IP protocol 47 (GRE)
- WinBox, WebFig, or SSH access
Step 1: Enable PPTP Server
/interface pptp-server server set enabled=yes
/interface pptp-server server print
Step 2: Create IP Pool for VPN Clients
/ip pool add name=vpn-pool ranges=192.168.100.2-192.168.100.100
Step 3: Configure PPP Profile
/ppp profile add name=pptp-profile local-address=192.168.100.1 remote-address=vpn-pool dns-server=8.8.8.8 use-encryption=required
Step 4: Add User Account
/ppp secret add name=john.doe password=StrongP@ssw0rd service=pptp profile=pptp-profile
Step 5: Firewall Rules
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="Allow PPTP"
/ip firewall filter add chain=input protocol=gre action=accept comment="Allow GRE"
Step 6: NAT Masquerade for Internet Access
/ip firewall nat add chain=srcnat src-address=192.168.100.0/24 action=masquerade comment="VPN Internet Access"
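For the legacy or lab case, the rules from Steps 1, 4 and 5 can be narrowed so the PPTP listener only answers known clients. This is an added example, not part of the original guide; the address-list name pptp-allowed, the client address 203.0.113.10 (a documentation placeholder) and the log prefix pptp-denied are assumptions to replace with your own values.

```routeros
# Added hardening example; run after Steps 1-6.
# List name, client address and log prefix are placeholders.

# Step 1: offer MS-CHAPv2 only (the server default also offers MS-CHAPv1).
/interface pptp-server server set authentication=mschap2

# Allowlist of source addresses permitted to reach the PPTP service.
/ip firewall address-list add list=pptp-allowed address=203.0.113.10 comment="legacy client"

# Step 5: bind the two accept rules created earlier to the allowlist.
/ip firewall filter set [find comment="Allow PPTP"] src-address-list=pptp-allowed
/ip firewall filter set [find comment="Allow GRE"] src-address-list=pptp-allowed

# Drop and log every other connection to the PPTP control port.
# "add" appends to the chain, so this rule lands after the accept rules above.
# If the input chain already contains an earlier drop rule, move all three
# rules above it, otherwise the accept rules are never reached.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=drop log=yes log-prefix="pptp-denied" comment="Drop other PPTP"

# Step 4: the account may only connect from the allowlisted address
# (for PPTP, caller-id is the client's IP) and may hold one session at a time.
/ppp secret set [find name="john.doe"] caller-id=203.0.113.10
/ppp profile set [find name="pptp-profile"] only-one=yes

# Record PPTP session events, then review sessions, logs and rule order.
/system logging add topics=pptp action=memory
/ppp active print
/log print where topics~"pptp"
/ip firewall filter print where chain=input
```

These settings reduce who can reach the service; they do not change the MS-CHAPv2 weakness described in the warning at the top of this guide.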
Client Connection
- Create a VPN connection, type = PPTP.
- Server = your router’s WAN IP.
- Username/password from Step 4.
Security Verdict – Please Don’t Use PPTP in Production
PPTP was cracked in 2012. Microsoft removed it from Windows 10. For a safe remote access solution:
- WireGuard – fastest, built into RouterOS v7 (see our full WireGuard tutorial).
- L2TP/IPSec – better than PPTP, but slower.
- OpenVPN – heavy but can bypass firewalls.
If you’re new to MikroTik, start with our beginner’s router setup guide before diving into VPNs.