How-to VPN: Private Internet Access (PIA) and MikroTik Router

⚠ Information in this post is outdated since the launch of PIA's ‘Next-Gen' VPN network in , sunsetting the then-existing set-up

First create a vpn to use when creating l2tp/pptp connections
to privateinternetaccess.

/ppp profile add change-tcp-mss=yes \
comment="PIA VPN" \
dns-server=, \
name=privateinternetaccess only-one=no \
use-compression=no use-encryption=required \
use-=no use-=no use-upnp=no

Create the l2tp interface

/interface l2tp-client add \
comment="PIA VPN " \ \
disabled=no name=pia-de-l2tp \
profile=privateinternetaccess \
user=[l2tp-username] \
  • [l2tp-username] Your PIA username for l2tp/pptp/socks connections beginning with ‘x' (not ‘p'!)
  • [l2tp-password] Your PIA password for l2tp/pptp/socks connections

Create a mangle rule to mark traffic we want to
go through the VPN.

/ip firewall mangle add \
action=mark-routing \
chain=prerouting \
comment="PIA VPN Netherlands" \
new-routing-mark="PPTP RM" \
passthrough=yes \


      Fx. or

    Create the NAT rule and tell it to use the VPN interface.

    /ip firewall nat add \
    action=masquerade chain=srcnat \
    comment="PIA VPN Netherlands" \

    Create a corresponding default route to match the previous NAT
    rule. Which only get used when IPv4 traffic has been marked with
    ‘PPTP RM'.

    /ip route add \
    comment="PIA VPN Netherlands" \
    disabled=yes distance=1 \
    gateway=pia-de-l2tp routing-mark="PPTP RM"

    Now you should see traffic from clients in the IPv4 range
    of [ip-range-to-forward-through-vpn] go through the VPN.

    NB: If you want to use another country apart from Netherlands. Check out Private Access list of locations here: PIA VPN Tunnel Network

    2 thoughts on “How-to VPN: Private Internet Access (PIA) and MikroTik Router”

    Comments are closed.