Mikrotik VPN: Cloud Admin server

This guide is designed to teach you how to link your admin router to your site routers through a cloud VPN so that adding additional sites requires minimal configuration. It assumes that you already have the VPN server set up on the 'cloud' router and that your clients can connect successfully; if not, please have a look at https://shop.duxtel.com.au/help/en-gb/5-configuration-guides-and-tools/9-l2tp-with-ipsec-configuration-guide

The first thing you will want to do is go to the VPN server and open IP > Pool. Add a new pool and assign the group of addresses that you will be giving out to the VPN clients.
You can skip this step if you would rather assign a static address to each client instead.


The next thing you will need to do is go to Interfaces > Interface List > Lists and add a new list. Do not worry about adding any interfaces to it, as the VPN interfaces will be added dynamically.


The next step is to go to PPP > Profiles. I would suggest not editing any of the default profiles; instead open one up, click the Copy button and work with the copy. In the copy, select the pool you made under Remote Address (if you made one earlier), and select the interface list we just made.


Make sure that your PPP secrets are set to use the new profile.


Once this is done you will need to go to IP > Firewall > NAT and add a masquerade rule: set the chain to srcnat, the out interface list to the interface list we made, and the action to masquerade.

That is all that is needed for the server side. Next, go to the router that will be on the admin side and add a route to the IP pool that was created, under IP > Routes. Here you can set the VPN interface as the gateway, as it is a point-to-point link from here to the server, so the traffic will be able to pass correctly. If you are using a PC as the admin client you will not need to add a route, as most VPN clients by default add a 0.0.0.0 (default) route going out the VPN interface.


Optional: adding RoMON for further access

Rather than having to add routes to each internal subnet on the remote side of the VPN, you can enable RoMON on the MikroTik devices to forward the connection. For instance, if site A is where the admin PC is, on 192.168.55.2, and the remote site B has a router on its local LAN on 192.168.77.2, you won't be able to contact that device over the VPN alone. Enabling RoMON means that you can connect to the device with the VPN client on it and log into the MikroTik routers behind it.
To get this set up you will need to enable RoMON on the device you are going to use as the RoMON gateway, as well as on the devices you will be connecting to that have a layer 2 connection to the RoMON gateway. You can enable this by going to Tools > RoMON and simply ticking the Enabled box. We would recommend putting in a secret, as it will only allow devices with the same secret to connect through RoMON, and you can set allows and forbids per port to lock this service down further if needed:


Once this has been enabled on the routers you can open up a new WinBox, put in the IP address of the VPN client, but instead of clicking Connect click the Connect To RoMON button. WinBox should then refresh and present you with all the devices on the remote site that have RoMON enabled and are on the same layer 2 network as the device you connected through.
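The same server-side, admin-side and RoMON steps as RouterOS terminal commands, as an added example rather than part of the original guide. The pool range, the local address on the profile, the L2TP client interface name, the port names and the RoMON secret are all assumed placeholder values.

```routeros
# --- Cloud VPN server side ---
# Pool of addresses handed out to VPN clients (constructed range, change to suit)
/ip pool add name=vpn-pool ranges=10.99.0.2-10.99.0.254

# Empty interface list; PPP adds each client's dynamic interface to it on connect
/interface list add name=vpn-clients

# Work on a copy of the default profile rather than editing it in place.
# local-address is the server end of each point-to-point link (assumed value).
/ppp profile add name=vpn-admin copy-from=default-encryption \
    local-address=10.99.0.1 remote-address=vpn-pool interface-list=vpn-clients

# Every existing secret (one per site) must use the new profile
/ppp secret set [find] profile=vpn-admin

# Masquerade traffic leaving through any VPN client interface
/ip firewall nat add chain=srcnat out-interface-list=vpn-clients action=masquerade

# --- Admin-side router (L2TP client) ---
# Route the pool out the VPN interface; on a point-to-point link the
# interface itself is the gateway. Client interface name assumed to be l2tp-out1.
/ip route add dst-address=10.99.0.0/24 gateway=l2tp-out1

# --- Optional: RoMON on the site router and on each device behind it ---
# Use the same secret on every device; devices with a different secret are ignored
/tool romon set enabled=yes secrets=CHANGE-ME-romon-secret
# Forbid RoMON on the WAN-facing port (assumed ether1) so it is reachable only from the LAN
/tool romon port add interface=ether1 forbid=yes
```

Apply the server block on the cloud router, the route on the admin-side router only (a PC client needs no route), and the RoMON block on every MikroTik you want to reach through the site router.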