A quick hardware and software mention:
model: hex
RouterOS version: 7.8 stable
I have recently implemented a remote access VPN on my MikroTik router so that I can access my home network from anywhere I am. To do this I have used the guide below: https://www.cloudbrigade.com/mikrotik-l2tp-vpn-setup/
I have also set passwords that are pretty difficult to brute force.
Also, I forwarded only UDP ports 500, 4500 and 1701 through the provider's ONT device and nothing more.
This configuration works flawlessly; however, as I looked through the logs, I could see two IP addresses registered in the US which were trying to access my VPN, and both of them got the "failed to get valid proposal" error.
I want to ask if there is any possibility of doing this on a MikroTik router. If not, I want to ask what the character count and character type limits are for the IPsec secret, and also for the username itself and its password, as I wish to generate unique, strong random strings to use for the passwords as well as for the username itself, to make them impossible to brute force. I have already set pretty strong passwords, but I would like to make them even stronger while also making the username itself impossible to brute force.
With readily available VPN services that will make a device appear to be almost anywhere, trying to filter based on country IP blocks would likely be of little value.
Likely a better solution would be to set up the VPN or firewall rules so that after some number of wrong attempts, the source IP is dropped for some amount of time. Depending on how you are setting up your inbound VPN will dictate how you accomplish this.
First the entry is checked versus a whitelist (add there already the addresses you know you will use yourself)
If it does not match, that IP address is placed on a list called stage1 for 1m.
If within that period there is a 2nd time, again, move to stage 2 for 1 m.
If within that period he tries a 3rd time, move to bl_blacklist and RAW blocked for a week. Done.
Adjust your time periods as you see fit (I use something similar and use 1m, 15m, 28d).
From time to time I check the address list bl_blacklist and move what’s in there to a separate Blacklist without expiration time (a list which gets dropped without further checking or comment in RAW rules).
/ip firewall raw
add action=drop chain=prerouting src-address-list=Blacklist
But to be honest, I use WireGuard as VPN and rarely see offenders trying to use those ports (I have 3 WG interfaces on my device, so 3 ports opened). I have had my current RB5009 as main router for almost a month, and nothing was added again (on my hEX I had quite a few, but that was also from before using WireGuard; other VPN ports are more standard and therefore a lot more popular targets for attempts).
Should give you some material to construct your own setup.
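The staged lockout described above, written out as RouterOS rules for the three L2TP/IPsec ports this thread uses. This is an added example, not holvoetn's own export: the list names stage1, stage2, bl_blacklist and Blacklist follow the post, the whitelist name vpn_whitelist and the whitelist address 203.0.113.10 are constructed placeholders, and the timeouts are the 1m / 1m / one-week values from the post rather than the 1m / 15m / 28d the poster actually runs.

```routeros
# Added example, not the poster's configuration. Ports 500/4500/1701 are the
# ones the original poster forwards; 203.0.113.10 is a constructed placeholder.

/ip firewall address-list
add list=vpn_whitelist address=203.0.113.10 comment="constructed example: my own fixed address"

/ip firewall raw
# Permanent list, dropped before connection tracking, as in the post above.
add chain=prerouting src-address-list=Blacklist action=drop
# Week-long list filled by the staging rules below, dropped the same way.
add chain=prerouting src-address-list=bl_blacklist action=drop

/ip firewall filter
# 1. Known addresses skip the staging entirely.
add chain=input protocol=udp dst-port=500,4500,1701 src-address-list=vpn_whitelist action=accept
# 2. Third new connection attempt while still in stage2: blacklist for 7 days.
add chain=input protocol=udp dst-port=500,4500,1701 connection-state=new src-address-list=stage2 action=add-src-to-address-list address-list=bl_blacklist address-list-timeout=7d
# 3. Second new attempt while still in stage1: escalate to stage2 for 1 minute.
add chain=input protocol=udp dst-port=500,4500,1701 connection-state=new src-address-list=stage1 action=add-src-to-address-list address-list=stage2 address-list-timeout=1m
# 4. First new attempt from an unknown address: start the clock in stage1.
add chain=input protocol=udp dst-port=500,4500,1701 connection-state=new action=add-src-to-address-list address-list=stage1 address-list-timeout=1m
# 5. Whatever survived the staging is still allowed to negotiate; the raw drops
#    above take over from the next packet once an address lands in bl_blacklist.
add chain=input protocol=udp dst-port=500,4500,1701 action=accept
```

Two things to keep in mind when adapting this: add-src-to-address-list is a passthrough action, so the rules must stay in the order shown (most escalated list first) or a single packet would climb every stage at once; and connection-state=new counts UDP flows as tracked by the router, so one legitimate IKE negotiation is a single attempt, but reconnecting three times inside a minute from an address that is not in vpn_whitelist locks that address out for the full week. Put your own fixed addresses in the whitelist before enabling the rules.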
Thank you guys for the help.
The logs look like this:
apr/09 23:36:20 ipsec,info respond new phase 1 (Identity Protection): x.x.x.x[ff]<=>y.y.y.y[dd]
apr/09 23:36:20 ipsec,error no suitable proposal found.
apr/09 23:36:20 ipsec,error y.y.y.y failed to get valid proposal.
apr/09 23:36:20 ipsec,error y.y.y.y failed to pre-process ph1 packet (side: 1, status 1).
apr/09 23:36:20 ipsec,error y.y.y.y phase1 negotiation failed.
(x.x.x.x and y.y.y.y, ff and dd are replacing the IPs and ports shown in the logs)
After digging for a little bit and waiting to see the behavior, I see they attempt this about 1 to 3 times a day. Most of these attempts are from IPs registered in the US and one from Germany, and they belong to companies like Akamai, The Shadow Server Foundation, Hurricane Electric and so on, but this doesn't look like a brute-force attempt; if it were, that would amount to way more attempts per day.
@holvoetn, WireGuard seems interesting; could you share some documentation and a configuration guide, to see if it can be used in a client-server fashion and, if yes, whether it can be used with the Windows/macOS/Linux built-in client or which 3rd-party VPN client should be used with it?
Port knock… Add IP to Whitelist.
Allow VPN connection from whitelist only.
Whitelist last 60 seconds.
If connected… the connection keeps going until you server it as an established connection.
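The port-knock scheme sketched above, as an added RouterOS example (not the poster's configuration). The knock ports 15001 and 15002, the list names knock_stage1 and vpn_whitelist, and the 15-second window between knocks are constructed choices; the VPN ports are the ones the original poster forwards.

```routeros
# Added example, not the poster's configuration. Knock ports and list names are
# constructed placeholders; pick unused high ports of your own.

/ip firewall filter
# Sessions already set up keep flowing after the 60-second whitelist entry expires,
# which is what keeps an established VPN connection alive.
add chain=input connection-state=established,related action=accept
# First knock: remember the source address for 15 seconds.
add chain=input protocol=udp dst-port=15001 action=add-src-to-address-list address-list=knock_stage1 address-list-timeout=15s
# Second knock, only honoured from an address that sent the first one in time:
# whitelist it for 60 seconds.
add chain=input protocol=udp dst-port=15002 src-address-list=knock_stage1 action=add-src-to-address-list address-list=vpn_whitelist address-list-timeout=1m
# The VPN ports are reachable only from the short-lived whitelist.
add chain=input protocol=udp dst-port=500,4500,1701 src-address-list=vpn_whitelist action=accept
add chain=input protocol=udp dst-port=500,4500,1701 action=drop
```

The client sends one UDP datagram to each knock port in order and then starts the VPN within the minute. Because the whitelist entry is keyed on the public source address, the knocks and the VPN connection must come from the same address, so this works from a phone hotspot or a hotel network but not through a connection that changes its egress address between the knock and the IKE exchange.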
Maybe you can try WireGuard. It is very easy to use on platforms such as Windows and Linux. Moreover, the performance on MikroTik's equipment exceeds that of most VPN protocols. It is only slightly inferior to the unencrypted VPN protocol performance of L2TP.
It requires both ends to exchange keys generated based on the device, and the length of the key almost limits the possibility of brute force cracking. What’s more, there are other configurations that need to be the same to be able to communicate.
The security is very solid, I guess unless there is a zero-day incident on wireguard itself, it will be almost impossible to crack.
The disadvantage is that it uses a proprietary encryption protocol, so it may not be very friendly to corporate use, but since your usage scenario is to go home, it's clearly a good fit.
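The key exchange the post describes, shown as an added example of a RouterOS 7 WireGuard interface on the hEX with one peer, plus the matching client-side entry. This is not the poster's configuration: the interface name wg-home, the tunnel range 10.66.66.0/24, the listen port 13231, the hostname home.example.net and the key placeholders are all constructed; 192.168.88.0/24 is the MikroTik default LAN range.

```routeros
# Added example, not the poster's configuration. Keys are placeholders; the router
# generates its own key pair when the interface is created.

/interface wireguard
add name=wg-home listen-port=13231
# Show the router's public key, to be pasted into the client as the peer key:
#   /interface wireguard print

/interface wireguard peers
# One peer per client device. The client's public key identifies it; allowed-address
# pins which tunnel source addresses that key may use, so the two sides must agree.
add interface=wg-home public-key="<CLIENT_PUBLIC_KEY_PLACEHOLDER>" allowed-address=10.66.66.2/32

/ip address
add address=10.66.66.1/24 interface=wg-home

/ip firewall filter
# Only the WireGuard port is opened; a datagram with an unknown key is silently ignored.
add chain=input protocol=udp dst-port=13231 action=accept

/interface list member
# Treat the tunnel as LAN so the default forward rules let it reach the home network.
add interface=wg-home list=LAN

# Matching client configuration for the macOS/Linux WireGuard app, shown here as
# comments because it is not RouterOS syntax:
# [Interface]
# PrivateKey = <CLIENT_PRIVATE_KEY_PLACEHOLDER>
# Address = 10.66.66.2/32
# [Peer]
# PublicKey = <ROUTER_PUBLIC_KEY_PLACEHOLDER>
# Endpoint = home.example.net:13231
# AllowedIPs = 10.66.66.0/24, 192.168.88.0/24
# PersistentKeepalive = 25
```

The settings that must line up on both ends are the pair of public keys, the client's tunnel address (allowed-address on the router, Address on the client) and the listen port against the client's Endpoint; a mismatch in any of them means the router never answers, which is the behaviour the post refers to.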
I will try the WireGuard option at some point in time; the compatibility thing does not affect me as long as there is a WireGuard VPN client for the OSes that I use (macOS and Ubuntu).
I do use the VPN for accessing my home network remotely, so no corporate-related issues from my side.
Filtering by country is not an infallible solution, but it reduces exposure; for those of us in small countries, allowing only our country's IPs filters out most of the internet.
Item #1 is not about memory usage ... both static and dynamic list entries reside in RAM while ROS is running. The main difference is that static entries get written to configuration database ... so when updating there are plenty of flash writes and consume flash storage (which can be a showstopper on devices with small flash disks). Dynamic entries don't get stored into configuration database ... but that means that they are lost at boot time and have to be re-loaded (manually, from scheduled script or some other way) after ROS start.