How do i solve Error 0x8007274C in windows 7 when connecting vpn from windows 7 to mirotik hap lite router?

router configuration

Generate certificates on RouterOS

/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
add name=server-template common-name=35.22.112.151
add name=client1-template common-name=91.13.2.14
add name=client2-template common-name=192.168.1.253
/certificate
sign ca-template ca-crl-host=35.22.112.151 name=myCa
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1
sign client2-template ca=myCa name=client2

set myCa trusted=yes
set server trusted=yes

/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=xxxxxxxx
/certificate export-certificate client2 export-passphrase=xxxxxxxx

print

to create a user

/ppp secret add name=rt3453453desg service=sstp password=345asg4tt local-address=35.22.112.151
remote-address=91.13.2.14

/ppp secret print detail


/interface sstp-server server set certificate=server
/interface sstp-server server set enabled=yes
/interface sstp-server server set authentication=mschap2


/interface sstp-server server print



/interface sstp-server monitor 0

/interface ethernet print

from local windows from 192.168.1.253 we can connect but from address from internet we cannot why?

You need to allow access to TCP port 443 in the input chain for traffic from internet.

we open tcp and udp 443 port in nat and also we make command
/ip firewall filter
add action=accept chain=input dst-port=443 protocol=tcp comment=“Permit SSTP”

how do we solve the poblem?
how do we allow access in input chain?

do we need to make

/ip firewall nat add chain=dstnat in-interface=ether1 dst-port=443 protocol=tcp action=dst-nat to-addresses=91.13.2.14
/ip firewall filter add chain=forward connection-state=established,related action=accept

You only need yo allow traffic to port 443 (or the port you set on /interface sstp-server server) in the input chain. Do not add a nat rule for the port.

Second, make sure you have disabled the www-ssl service on “/ip service” (or change the port at /ip service) so the port does not conflict with the one you set for SSTP.

Third, you can post the output of the following commands for us to check if the firewall rules are in the right order:

/ip firewall export hide-sensitive
/ip service export hide-sensitive
/interface sstp-server server export hide-sensitive

[admin@MikroTik] > /ip firewall export hide-sensitive

sep/05/2019 14:55:45 by RouterOS 6.45.1

software id = SEYH-HLMS

model = RouterBOARD 941-2nD

serial number = 8AFE08FFCDCE

/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=
out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1 protocol=tcp
to-addresses=192.168.1.222 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=3489 in-interface=ether1
protocol=tcp to-addresses=192.168.1.222 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=3589 in-interface=ether1
protocol=tcp to-addresses=192.168.1.22 to-ports=0-65535
add action=dst-nat chain=dstnat disabled=yes dst-port=3390 in-interface=ether1
protocol=tcp to-addresses=192.168.1.168 to-ports=0-65535
add action=return chain=dstnat dst-port=3389 in-interface=ether1 protocol=tcp
add action=accept chain=dstnat dst-port=5060-5072 in-interface=ether1
protocol=udp to-ports=0-65535
add action=accept chain=dstnat dst-port=5004-5024 in-interface=ether1
protocol=udp to-ports=0-65535
add action=accept chain=dstnat dst-port=10000-20000 in-interface=ether1
protocol=udp to-ports=0-65535
add action=accept chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp
to-addresses=192.168.1.1-192.168.1.245 to-ports=0-65535
add action=accept chain=dstnat dst-port=443 in-interface=ether1 protocol=udp

[admin@MikroTik] > /ip services export hide-sensitive
bad command name services (line 1 column 5

[admin@MikroTik] > /interface sstp-server server export hide-sensitive

sep/05/2019 14:58:00 by RouterOS 6.45.1

software id = SEYH-HLMS

model = RouterBOARD 941-2nD

serial number = 8AFE08FFCDCE

/interface sstp-server server
set authentication=mschap2 certificate=server enabled=yes
[admin@MikroTik] >

Start by moving this rule:

add action=accept chain=input comment="Permit SSTP" dst-port=443 protocol=tcp

before this other rule:

add action=drop   chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

That’s why the router is dropping the connections from WAN side (order matters).

I’m sorry, the command is:

/ip service export hide-sensitive

For better security, please add the following:

/interface sstp-server server set authentication=mschap2 force-aes=yes tls-version=only-1.2

[admin@MikroTik] > /ip service export hide-sensitive

sep/05/2019 16:26:29 by RouterOS 6.45.1

software id = SEYH-HLMS

model = RouterBOARD 941-2nD

serial number = 8AFE08FFCDCE

[admin@MikroTik] >

Ok, so you will need to desable the www-ssl service or change its port:

To disable it:

/ip service set www-ssl port=443 disabled=yes

To keep it enabled and change its port

/ip service set www-ssl port=8443 disabled=no

we made all changes
we recieved the following error when try connecting from internet to router

The certificate chain has been processed, but processing has been interrupted on the root certificate, which does not have a pre-trust relationship with the trust provider

how do i remove this error?

Well, that’s because you are using a certificate created by yourself, not by a trusted entity. That’s not a router issue.

Maybe you can deal with the new issue by adding the CA certificate to your windows host.

Also the common-name or the alt-name should match the hostname you are using to connect to the WAN side. As I’ve seen in your other topic, you created the certificate only for your LAN address.

More info: https://security.stackexchange.com/questions/166295/self-signed-certificate-for-sstp-vpn-server

client certificate with ip of host in internet is added in trusted root of windows 10 for ip and all values is according your intruction

windows 10 from local ip 192.168.1.253 connect to router using vpn sstp
but from windows 10 from internet ip 91.13.2.14 we recieved error
The certificate chain has been processed, but processing has been interrupted on the root certificate, which does not have a pre-trust relationship with the trust provider
and do not connect

we do not have alt-name in router.

do i need to add to trusted root only server certificate myCa in every computer connected to router from internet
and do not add certificate with ip of each client computer to trusted root ?

Yes, if you have your own CA, client does need to have CA’s certificate and trust it.