Lab 3.1 - VPN Overview: Site-to-Site and Remote Access

Introduction

A Virtual Private Network extends a private network over shared or public infrastructure, allowing geographically separated devices to communicate as though they share a direct private connection. The traffic traverses whatever network sits between the endpoints, typically the internet, but from the perspective of the hosts involved, it behaves like a dedicated link. The mechanism is a tunnel: one packet is encapsulated inside another, carried across the public network using the tunnel endpoints as the outer addresses, then decapsulated at the far end to reveal the original packet.

There are two distinct types of VPNs. A site-to-site VPN connects two entire networks permanently. Once the tunnel is up, any host on either network can reach any host on the other through normal routing—no VPN software is required on the end devices. A remote access VPN connects individual devices on demand. A user initiates a connection from wherever they happen to be, authenticates to a VPN server, receives a virtual IP address on the private network, and maintains access for the duration of the session. The distinction drives different choices of protocol, authentication model, scalability approach, and management overhead.

RouterOS supports a broad range of VPN technologies suited to both categories. GRE creates a simple unencrypted tunnel interface between two routers and is the clearest way to see how a tunnel works as a routable virtual link. PPTP and L2TP extend the PPP protocol over IP for remote access. IPsec provides authentication and encryption and can operate standalone for policy-based site-to-site connections or as a security wrapper under GRE or L2TP. WireGuard, available in RouterOS 7, is a modern cryptographic tunnel well suited to both site-to-site and remote access use. Each technology involves trade-offs between simplicity, compatibility, and security that are explored in later labs; this lab focuses on the structural concepts using the simplest representative of each category.

This lab builds two VPN connections on the same infrastructure. R1 is a headquarters router, R2 is a branch office router, and R3 simulates a remote worker using RouterOS as a VPN client. You will configure a GRE tunnel between R1 and R2, establish routed connectivity between their LANs, then configure R1 as a PPTP server and R3 as a PPTP client. By the end you will understand the operational difference between the two VPN types, be able to read tunnel interface state in RouterOS, verify end-to-end routing through a tunnel, and diagnose the failure modes common to both scenarios.

Terminology Definitions

Virtual Private Network (VPN): A technology that creates a logical private connection over a shared or public network. The connection is software-defined and has no dedicated physical path; privacy is achieved through encapsulation, authentication, or encryption depending on the protocol.

Tunnel: An encapsulation mechanism that wraps one packet inside another. The outer packet carries the tunnel endpoints as its addresses and crosses the public network. The inner packet carries the original source and destination and is only visible after decapsulation at the far endpoint.

Site-to-Site VPN: A permanent VPN connection between two routers that links two entire networks. End hosts on either network are unaware of the tunnel; the routers handle encapsulation and decapsulation transparently. Also called a LAN-to-LAN VPN.

Remote Access VPN: An on-demand VPN connection initiated by an individual device. The device authenticates to a VPN server, receives a virtual IP address on the target network, and accesses resources for the duration of the session. Also called a client-to-site VPN.

GRE (Generic Routing Encapsulation): A tunneling protocol defined in RFC 2784 that encapsulates any network-layer protocol inside an IP packet, creating a virtual point-to-point link between two routers. GRE provides no encryption or authentication and is used in this lab to demonstrate site-to-site tunnel concepts.

PPTP (Point-to-Point Tunneling Protocol): A remote access protocol that carries PPP frames over IP. RouterOS supports PPTP as both server and client. PPTP has known cryptographic weaknesses in its MS-CHAPv2 authentication and is not recommended for production environments. It is used in this lab because it is the simplest protocol to configure and clearly demonstrates how remote access VPNs work.

Tunnel Interface: A virtual network interface created by a tunneling protocol. In RouterOS, GRE creates a gre interface and PPTP creates pptp-server or pptp-client interfaces. These virtual interfaces appear in the routing table alongside physical interfaces and can be assigned IP addresses and used as route gateways.

Underlay and Overlay: The underlay is the physical or routed network that carries the tunnel traffic (the WAN). The overlay is the virtual network built on top of it (the tunnel and its inner addresses). Routing at the overlay layer is independent of the underlay, allowing private address spaces to be carried transparently.
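As an added example (not code from this lab or from RouterOS), the encapsulation described in the Tunnel and GRE definitions above, together with the underlay/overlay split, worked through in Python on a constructed packet. All addresses are assumed: 192.168.2.10 and 192.168.1.10 stand in for hosts on the two LANs (overlay) and 203.0.113.2 / 203.0.113.1 for the R2 and R1 WAN endpoints (underlay); the check at the end shows the inner packet sitting in cleartext inside the outer one, which is exactly what "GRE provides no encryption" means.

```python
import struct
import ipaddress

GRE_PROTO = 47           # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800  # GRE protocol-type value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    # One's-complement sum over 16-bit words; verifies to 0 on a valid header.
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Minimal 20-byte header: version/IHL, TOS, length, ID, DF flag, TTL, proto.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    # Outer IP header uses the underlay (WAN) endpoints; a 4-byte GRE header follows.
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, 4 + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> tuple:
    # Far-end behaviour: validate the outer header, strip it, return the overlay packet.
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a well-formed GRE-in-IPv4 packet")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or proto != ETHERTYPE_IPV4:  # C, K or S bit set, or non-IPv4
        raise ValueError("unsupported GRE header")
    outer = (str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20])))
    return outer, packet[ihl + 4:]

def demo() -> dict:
    # Constructed addresses: overlay hosts 192.168.2.10 -> 192.168.1.10 (ICMP echo)
    # behind underlay endpoints 203.0.113.2 (R2 WAN) -> 203.0.113.1 (R1 WAN).
    inner = ipv4_header("192.168.2.10", "192.168.1.10", 1, 8) + b"\x08\x00\xf7\xfe\x00\x01\x00\x00"
    wire = gre_encapsulate(inner, "203.0.113.2", "203.0.113.1")
    outer, recovered = gre_decapsulate(wire)
    return {"outer": outer, "overhead_bytes": len(wire) - len(inner),
            "inner_intact": recovered == inner,
            "inner_src": str(ipaddress.IPv4Address(recovered[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(recovered[16:20])),
            "inner_visible_on_wire": inner in wire}  # GRE adds no encryption
```

The 24 bytes of overhead (20 outer IP + 4 GRE) are the reason a GRE tunnel interface needs a smaller MTU than the underlay link it rides on.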

PPP (Point-to-Point Protocol): A data link layer protocol used by PPTP and L2TP to establish a connection between two nodes. PPP handles IP address assignment via IPCP and authentication via PAP or CHAP.

VPN Pool: A range of IP addresses that a VPN server assigns to connecting clients. Defined in RouterOS with /ip pool.