Configure PureVPN on Mikrotik with dedicated Wi-Fi SSID

Today, we are going to take you on a journey with the winning duo PureVPN / Mikrotik. These two guys get along great together. PureVPN provides a powerful and steady PPTP Client whereas Mikrotik will allow us to tweak the configuration to perfectly suit our needs.

The objective of this tutorial is the following:

  • Create a new Wi-Fi Network into your home router that will be dedicated for VPN connectivity to PureVPN US server
  • Create the PPTP tunnel between Mikrotik router and PureVPN server

Prerequisites:

  • You have a working internet connection with Mikrotik as the gateway
  • You own a Premium PureVPN account and if you don’t, click HERE

Create a new Wireless Security Profile

So first of all, you need to create a new wireless security profile and set a passphrase for your Wi-Fi. You can disable WPA (leaving WPA2 only) if you do not have any legacy device in your home network.

/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=USVPN supplicant-identity="" \
wpa-pre-shared-key=yourwirelesskey wpa2-pre-shared-key=yourwirelesskey

Create a Virtual AP

To do this, simply go to Wireless -> Interfaces and then add a Virtual AP


On the General tab, enter a name for the network interface: I used Tsunami_US

On the Wireless tab, enter an SSID to identify your network: Tsunami_US and select your security profile

/interface wireless
add disabled=no keepalive-frames=disabled \
master-interface=wlan1 multicast-buffering=disabled name=Tsunami_US \
security-profile=USVPN ssid=Tsunami_US wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled

Create a new bridge

The thing is, you cannot attach a DHCP server directly to a Virtual AP. If you try that, it will generate the following error: “cannot run DHCP server on slave interface”. What you need to do is to create a bridge and attach your Virtual AP to it. Then you will assign the DHCP server to the bridge and you are good to go!

/interface bridge
add name=bridge_VPN_US
/interface bridge port
add bridge=bridge_VPN_US interface=Tsunami_US

Create the IP Pool and DHCP Server

Every user that connects to the new SSID will get an IP address from a separate pool. Then we will create a policy route to force all these IPs through the VPN.

/ip pool
add name=TsunamiUS_Pool ranges=192.168.89.50-192.168.89.200
/ip address
add address=192.168.89.1/24 interface=bridge_VPN_US network=192.168.89.0
/ip dhcp-server
add address-pool=TsunamiUS_Pool disabled=no interface=bridge_VPN_US lease-time=\
1d name=DHCP_VPN
/ip dhcp-server network
add address=192.168.89.0/24 dns-server=1.1.1.1 gateway=\
192.168.89.1 netmask=24 ntp-server=192.168.89.1

PureVPN tutorial, beware of your DNS privacy!

At this point, we will start to follow the tutorial from PureVPN website with some minor deviations.

If you strictly follow their tutorial, PureVPN is going to suggest that you change the DNS servers of your DHCP to 208.67.222.222, 208.67.220.220. This is just WRONG.

These IPs belong to OpenDNS, which has a blurry privacy policy. Since its takeover by Cisco, OpenDNS simply refers to Cisco’s standard privacy policy, which is extremely generic.

By using OpenDNS as DNS servers, you are handing over your DNS records to Cisco i.e. every site you visit, every application you use is logged and sold to third parties.

As the PureVPN server is given as a fully qualified domain name that needs to be resolved before the PPTP session is established, it also means that OpenDNS will be well aware that you are using a VPN.

Unfortunately, there is no DNS provider that respects your online privacy 100%. Every single DNS solution is sharing your data with third parties. When you choose a DNS provider, make sure at least that this data is anonymized and only used for statistics / marketing purposes.

Dnsprivacy.org has an excellent comparison table covering the top DNS providers’ privacy policies.

Based on this table, we would recommend using Cloudflare DNS, which presents the highest level of privacy, though they still sell anonymized data to partners. Plus, their DNS IP is super easy to remember: 1.1.1.1

Coming back to our tutorial,

Create the PPTP Client


You need to decide at this point which server you are going to use. You can find the complete list of PureVPN servers here. We pick a server in Florida for this tutorial. You also need to input in this command your PureVPN login and password. When you bought PureVPN, you should have received an email called: “Welcome to PureVPN [Credentials]”. The login and password you need to use are in there.

/interface pptp-client
add connect-to=usfl1.pointtoserver.com dial-on-demand=no disabled=no name=\
PureVPN_US password=yourpassword user=yourusername

Configure firewall, NAT and routing

At this point, we are going to configure the NAT and mark the packets so that all the local devices that connect to Tsunami_US go out the router through the VPN.

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=PureVPN_US \
passthrough=yes src-address=192.168.89.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PureVPN_US
add action=masquerade chain=srcnat src-address=192.168.89.0/24
/ip route
add distance=1 gateway=PureVPN_US routing-mark=PureVPN_US

Note that you do not need to delete any of your existing rules.

And that is it!

If it does not work, check the following:

Check 1: PPTP Status

On Winbox, click Interfaces from the main menu, open the PureVPN_US PPTP client interface, and disable / enable the connection from the Status tab.

Double click on the interface and check on the status bar that it is connected.

If the VPN is not connected, check your login / password and the server address.

If the status is: waiting for packet, review your firewall and routing configuration, something is missing and the packets do not hit the VPN.

Check 2: DHCP Allocation

Connect to your newly created SSID and verify your computer IP address. Make sure the IP address is allocated in the correct subnet. If not, review your bridge and DHCP configuration.

Check 3: DNS Resolution

From your computer connected to the new SSID, check if you can ping 8.8.8.8. If you can ping 8.8.8.8 but not www.google.com, make sure the DNS settings of your new DHCP server are correct. Note that with this configuration, you cannot set the router address as the DNS server; it does not work.

You will find below the complete configuration to configure PureVPN for a dedicated WiFi network on Mikrotik RouterOS.

/interface bridge
add name=bridge_VPN_US
/interface pptp-client
add connect-to=usfl1.pointtoserver.com dial-on-demand=no disabled=no name=\
PureVPN_US password=yourpass user=yourusername
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=USVPN supplicant-identity="" \
wpa-pre-shared-key=yourwirelesskey wpa2-pre-shared-key=yourwirelesskey
/interface wireless
add disabled=no keepalive-frames=disabled \
master-interface=wlan1 multicast-buffering=disabled name=Tsunami_US \
security-profile=USVPN ssid=Tsunami_US wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
/ip pool
add name=TsunamiUS_Pool ranges=192.168.89.50-192.168.89.200
/ip dhcp-server
add address-pool=TsunamiUS_Pool disabled=no interface=bridge_VPN_US lease-time=\
1d name=DHCP_VPN
/interface bridge port
add bridge=bridge_VPN_US interface=Tsunami_US
/ip address
add address=192.168.89.1/24 interface=bridge_VPN_US network=192.168.89.0
/ip dhcp-server network
add address=192.168.89.0/24 dns-server=1.1.1.1 gateway=\
192.168.89.1 netmask=24 ntp-server=192.168.89.1
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=PureVPN_US \
passthrough=yes src-address=192.168.89.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=PureVPN_US
add action=masquerade chain=srcnat src-address=192.168.89.0/24
/ip route
add distance=1 gateway=PureVPN_US routing-mark=PureVPN_US
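Two things are easy to get wrong when copying the firewall/routing section and the complete export above by hand: the security profile name referenced by the Virtual AP must match the profile you created, and the routing mark set by the mangle rule must be exactly the routing-mark used by the route, otherwise marked packets never hit the VPN and you end up in the "waiting for packet" state from Check 1. The script below is an added example, not code from the tutorial or from Mikrotik: it parses the `/export` format RouterOS prints (menu path lines, `add key=value` lines, backslash line wraps) and runs those consistency checks, plus the DHCP-on-slave-interface and DNS-on-gateway mistakes described earlier. Its fifth check is an assumption added here rather than something the tutorial configures: on RouterOS v6, when the tunnel is down the marked route is inactive and lookups fall back to the main table, so traffic from the VPN subnet would leave through the normal WAN path; a forward-chain drop rule for `src-address=192.168.89.0/24 out-interface=!PureVPN_US` keeps it fail-closed. The embedded export is a condensed copy of the tutorial's, with the route's routing-mark deliberately set to PureVPN instead of PureVPN_US so the checker has something to find. Keep in mind that PPTP itself (MS-CHAPv2 authentication with MPPE) is cryptographically broken, so this tunnel changes where your traffic exits, not who can read it.

```python
"""Sanity checks for a RouterOS '/export' of the dedicated-SSID VPN setup (added example)."""
import shlex


def parse_export(text):
    """Return (path, {key: value}) for every 'add' line; joins backslash-wrapped lines."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):  # RouterOS wraps long lines with a trailing backslash
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    entries, path = [], ""
    for line in joined:
        line = line.strip()
        if line.startswith("/"):  # e.g. '/ip firewall mangle' selects a menu path
            path = line
            continue
        tokens = shlex.split(line) if line else []  # handles quoted values like eap-methods=""
        if tokens and tokens[0] == "add":
            entries.append((path, dict(tok.partition("=")[::2] for tok in tokens[1:])))
    return entries


def _select(entries, path):
    return [props for p, props in entries if p == path]


def check_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    entries = parse_export(text)
    findings = []
    # 1. The Virtual AP must reference a security profile that exists.
    profiles = {p.get("name") for p in _select(entries, "/interface wireless security-profiles")}
    slaves = set()
    for ap in _select(entries, "/interface wireless"):
        if "master-interface" in ap:
            slaves.add(ap.get("name"))  # a Virtual AP is a slave of its master interface
        prof = ap.get("security-profile")
        if prof and prof not in profiles:
            findings.append(f"{ap.get('name')}: security-profile {prof!r} does not exist")
    # 2. DHCP must run on the bridge, never directly on the Virtual AP.
    for srv in _select(entries, "/ip dhcp-server"):
        if srv.get("interface") in slaves:
            findings.append(f"{srv.get('name')}: DHCP on slave interface {srv['interface']!r}; use the bridge")
    # 3. Clients must not be told to use the router itself as DNS (the tutorial's Check 3).
    for net in _select(entries, "/ip dhcp-server network"):
        if net.get("gateway") in net.get("dns-server", "").split(","):
            findings.append(f"{net.get('address')}: dns-server points at the gateway")
    # 4. Each mangle routing mark needs a route with the same mark, and vice versa.
    marks = {m["new-routing-mark"]: m.get("src-address")
             for m in _select(entries, "/ip firewall mangle") if m.get("action") == "mark-routing"}
    routes = {r["routing-mark"]: r.get("gateway")
              for r in _select(entries, "/ip route") if "routing-mark" in r}
    for mark in marks.keys() - routes.keys():
        findings.append(f"mangle mark {mark!r} has no /ip route with routing-mark={mark}")
    for mark in routes.keys() - marks.keys():
        findings.append(f"route with routing-mark {mark!r} is never set by a mangle rule")
    # 5. Fail-closed (assumption added here, not in the tutorial): a forward-chain drop for
    #    VPN-subnet traffic that would leave through anything but the tunnel interface.
    filters = _select(entries, "/ip firewall filter")
    for mark, subnet in marks.items():
        tunnel = routes.get(mark)
        if tunnel and not any(f.get("chain") == "forward" and f.get("action") == "drop"
                              and f.get("src-address") == subnet
                              and f.get("out-interface") == "!" + tunnel for f in filters):
            findings.append(f"no fail-closed rule: {subnet} can leave via the WAN when {tunnel} is down")
    return findings


# Condensed copy of the tutorial's export (credentials are the tutorial's placeholders),
# with the route's routing-mark deliberately set to PureVPN instead of PureVPN_US.
TUTORIAL_EXPORT = """\
/interface bridge
add name=bridge_VPN_US
/interface pptp-client
add connect-to=usfl1.pointtoserver.com dial-on-demand=no disabled=no name=\\
PureVPN_US password=yourpass user=yourusername
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys name=USVPN \\
wpa-pre-shared-key=yourwirelesskey wpa2-pre-shared-key=yourwirelesskey
/interface wireless
add disabled=no master-interface=wlan1 name=Tsunami_US security-profile=USVPN ssid=Tsunami_US
/ip dhcp-server
add address-pool=TsunamiUS_Pool disabled=no interface=bridge_VPN_US lease-time=\\
1d name=DHCP_VPN
/ip dhcp-server network
add address=192.168.89.0/24 dns-server=1.1.1.1 gateway=192.168.89.1 netmask=24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=PureVPN_US \\
passthrough=yes src-address=192.168.89.0/24
/ip route
add distance=1 gateway=PureVPN_US routing-mark=PureVPN
"""

# The fail-closed rule check 5 looks for (assumed addition; RouterOS exports a negated
# interface match as out-interface=!<name>).
FAIL_CLOSED_RULE = """\
/ip firewall filter
add action=drop chain=forward out-interface=!PureVPN_US src-address=192.168.89.0/24
"""

if __name__ == "__main__":
    for finding in check_config(TUTORIAL_EXPORT):
        print("FINDING:", finding)
    fixed = TUTORIAL_EXPORT.replace("routing-mark=PureVPN\n", "routing-mark=PureVPN_US\n")
    print("after fix + fail-closed rule:", check_config(fixed + FAIL_CLOSED_RULE))
```

Run it against your own router by pasting the output of `/export` into a file and calling `check_config(open("export.rsc").read())`; the mismatch between `new-routing-mark` and `routing-mark` is reported twice (once from each side), and the only finding left after correcting it is the missing fail-closed rule until you add one.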

So now that you have configured your first WiFi SSID dedicated for PureVPN, you can create a second one! Yes you can create a new SSID called Tsunami_VPN_FR that will be connected to a VPN server in France.

To do so, you will have to strictly repeat the previous configuration:

  1. Create a new Virtual AP with a new security profile
  2. Create a new DHCP server with a brand new local subnet
  3. Configure new firewall/NAT/routing rules
  4. Create a new PPTP client

Config, test, repeat.

Remember PureVPN gives you 5 concurrent connections, which means that you can configure a maximum of 5 dedicated Wi-Fi SSIDs connected to PureVPN. Should be good enough to cover your needs.

If you are considering buying a Mikrotik router for this setup, you should definitely be looking at the Mikrotik hAP ac lite, which for less than 50 bucks is a steal. This little guy supports both 2.4 GHz and 5 GHz simultaneously and has 5 Ethernet ports.

If you are looking for a bigger Mikrotik with external antennas, Mikrotik RB2011 is a very popular product that should fully suit your needs.

Both routers are running RouterOS and fully support the configuration presented in this tutorial.
