Hello everyone,
I want to connect two MikroTik routers through a VPN internet connection. How do I link both sides, since it needs a static IP?
Please clarify that to me.
And you do have static public IPs? On both sides, on just one side, neither, … ?
No static IPs on both sides.
Cloud feature may be useful in this case.
Is at least one of addresses public, i.e. NOT 10.x.x.x, 192.168.x.x, 172.16-31.x.x?
As pietroscherer wrote, you could use (any) DynDNS service, maybe in combination with port forwarding on an intermediate router, and use OpenVPN; one MikroTik is the client, the other the server.
Or maybe you could get yourself a virtual server and install OpenVPN as server on it; both MikroTiks would be clients in that scenario.
best
Thanks for reply. Does that work for more than two sites? I need a full mesh in all sites.
Well, I’m afraid I can’t get one public IP for such a service according to the ISP companies’ policies.
Thanks terraformer for the reply, I’m confused a little. Correct me if I’m wrong. So according to the first suggestion, you said I need to get an account at a DDNS provider (assume the no-ip domain website) and then
enable that service in my router (the same MikroTik routers; I’ll configure one to be server and one client), or get the DDNS account and enable it in, suppose, the UBNT routers and forward the port to the MikroTik devices. I’m afraid I’m not on the map.
You mention UBNT routers; are those under your control and do they have a public address? If so, you can surely forward a port to the internal RB and then use it as VPN server this way.
<not_immediately_helpful_rant>
The right way of course is to complain to the ISP. Fact is, if you have a connection without a public IP address, you’ve been cheated by the ISP all along, because they are not providing you with full internet access. A public IP address is an important part of an internet connection, and if you don’t have it, you’re very limited in what you can do with that connection (as you can see now). Demand public IP addresses. If the ISP doesn’t have enough IPv4 addresses for everyone, it can happen. The more reason to provide IPv6 ones. Even though the two are not directly compatible with each other, they can help you with connecting your routers, if you have them on both sides. The good thing is, unlike IPv4 addresses, there are enough public IPv6 addresses for everyone. ISPs just need to leave the stone age and come to the present time. They often delay deployment because “there’s no demand from users”. There’s only one way to change it - let them know you want it.
</not_immediately_helpful_rant>
I agree with you strongly, but I’ve got a connection for transferring the data through the ISP, and the internet actually is coming from two DSL lines (a shared line) like home use. I don’t think they would give me a public IP in this case; sorry for confusing you. Now, if I use the UBNT devices that would be a long trip: so far as I know, I’ll get a DDNS account, activate it in the DDNS settings of the UBNT devices and forward the port … and then back again into the MikroTik. Is that right?
I’ve read what Mr. pietroscherer posted about the manual IP through the Cloud, but I think this would work for two sites, not a full mesh of three sites and above, isn’t it?
Thank you Sob for replying again with informative information.
What I understand, guys, about the Manual:IP/Cloud is that the MikroTik could be the 3rd party. So MikroTik will save both MAC addresses with/or a key and update the devices every minute.
Is it possible for three sites to communicate in a full mesh topology?
Is there any post explaining the whole scenario? I’m a new fish in MikroTik technology but very interested in it.
Cloud will set the DDNS hostname to whatever public address your device uses for outgoing connections. If you’re behind NAT, it will be the public address of the device doing NAT. It won’t save you by itself, because if you don’t control that device, all connection attempts to this hostname will end up there and won’t go to you. But if you’re able to forward at least one port from there to your internal device, you’re in business, because that’s all you need to run some publicly accessible VPN server.
Sorry for the late reply.
You mostly got how I meant it. I’ll try to elaborate a bit. You have at least two choices depending on your hardware/accessibility.
First scenario: you have control over a router (let’s name it PF) that can forward ports.
- Get yourself a DDNS service and configure PF to use it. Example: asdf12.ddns.net
- Configure a port forward for OpenVPN traffic, e.g. 1194, to the device in your LAN that you want to use as OpenVPN server, possibly a MikroTik router. Have a look here.
- Generate as many client accounts as you need. You can have multiple clients connect over asdf12.ddns.net:1194.
- Export all the certificates etc. and you are done.
Second scenario: you cannot forward a port to your OpenVPN server in your LAN.
- Get yourself a virtual server, prepare firewall etc.
- Create a user that “manages” the ssh tunnel from next step.
- Use ssh to create an internal port tunnel/redirect on your virtual server; please see the ssh manual. The first “in-port”, e.g. 1199, is for clients; the second “in-port”, e.g. 1299, is for the OpenVPN server.
- Configure clients to connect to the virtual server IP on port 1199. Configure the OpenVPN server to establish an ssh redirect between the virtual server IP on port 1299 and its port 1194.
- Create OpenVPN server and clients etc.
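As an added example, not taken from this thread or from MikroTik's documentation, here is what the first scenario looks like as RouterOS commands when PF is itself a MikroTik, together with the /ip cloud DDNS approach Sob described. It also answers the full-mesh question from earlier in the thread: with a single forwarded port you get hub-and-spoke, where every other site dials the hub and spoke-to-spoke traffic is routed through it. All names and addresses (PF at 192.168.88.1 with WAN on ether1, HUB at 192.168.88.2, the 10.10.0.0/24 tunnel range, the site LANs, the certificate names, the placeholder passwords) are assumptions constructed for this example; the DDNS name asdf12.ddns.net and port 1194 are the ones from the post above.

```routeros
# --- on PF (the MikroTik that holds the ISP-facing address) ---
# Publish PF's current public address as a DDNS name. /ip cloud print shows the
# dns-name you can use instead of a third-party DDNS account.
/ip cloud set ddns-enabled=yes
/ip cloud print

# Forward only TCP/1194 from the WAN to HUB (constructed address 192.168.88.2)
# and allow exactly that forwarded flow through the forward chain.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1194 \
    action=dst-nat to-addresses=192.168.88.2 to-ports=1194 comment="OpenVPN to HUB"
/ip firewall filter add chain=forward protocol=tcp dst-address=192.168.88.2 dst-port=1194 \
    connection-nat-state=dstnat action=accept place-before=0 comment="allow forwarded OpenVPN"

# --- on HUB (the OpenVPN server inside site 1's LAN) ---
# Tunnel addresses: hub is 10.10.0.1, each spoke gets a fixed address from the secret.
/ip pool add name=ovpn-pool ranges=10.10.0.10-10.10.0.100
/ppp profile add name=ovpn-profile local-address=10.10.0.1 remote-address=ovpn-pool

# TLS with client certificates required; "server-cert" is assumed to be
# imported already. auth=sha1 is what RouterOS v6 offers; newer releases also take sha256.
/interface ovpn-server server set enabled=yes port=1194 mode=ip \
    certificate=server-cert require-client-certificate=yes \
    auth=sha1 cipher=aes256 default-profile=ovpn-profile

# One PPP secret per remote site (passwords are placeholders to be replaced).
/ppp secret add name=site2 password=CHANGE-ME-site2 service=ovpn \
    profile=ovpn-profile remote-address=10.10.0.2
/ppp secret add name=site3 password=CHANGE-ME-site3 service=ovpn \
    profile=ovpn-profile remote-address=10.10.0.3

# Routes to each site's LAN (constructed prefixes) go via that site's tunnel address.
/ip route add dst-address=192.168.2.0/24 gateway=10.10.0.2 comment="site2 LAN"
/ip route add dst-address=192.168.3.0/24 gateway=10.10.0.3 comment="site3 LAN"

# --- on each spoke (site 2 shown; site 3 is the same with its own secret/cert) ---
# The client dials the DDNS name; if your RouterOS version only accepts an IP in
# connect-to, a scheduler script has to resolve the name and update it.
/interface ovpn-client add name=ovpn-to-hub connect-to=asdf12.ddns.net port=1194 mode=ip \
    user=site2 password=CHANGE-ME-site2 certificate=site2-cert \
    auth=sha1 cipher=aes256 add-default-route=no

# Site 1's LAN and the other spokes are reached through the hub over the tunnel.
/ip route add dst-address=192.168.88.0/24 gateway=ovpn-to-hub comment="site1 LAN"
/ip route add dst-address=192.168.3.0/24 gateway=ovpn-to-hub comment="site3 LAN via hub"
```

Because nothing at sites 2 and 3 is reachable from the internet, they can only ever be clients, so this is the topology the single forwarded port supports; traffic between two spokes makes two tunnel hops through HUB, which is fine for a handful of sites but worth knowing before you size the hub's uplink.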
Hope this clarifies the principle behind my idea.
Maybe some expert can add some details to this.
Best!