I’m a Mikrotik noob with very little knowledge of networking. So, please be patient.
I live in a big-brother country where the government keeps a strong hold on the internet, and I wish to connect to the internet safely without worrying that the government is spying on me.
So, I recently purchased a MT router (hAP Lite RB941-2nd-TC) and asked the seller to set it up for me in advance such that I could channel all my internet traffic at home through a secure VPN on this router. The seller has thus configured the router to work with L2TP VPN, and it has been up and running since day one.
But, I have a couple of questions:
Is the current configuration on my router correct and secure? For instance, I don’t see any firewall rules!
Is L2TP VPN secure enough for my purpose, or should I explore the possibility of setting up OpenVPN or any other VPN protocol? If yes, I will appreciate to receive a link to detailed setup guide.
My network is pretty basic and nothing complicated.
ISP ADSL MODEM (dynamic IP) > Mikrotik Router ↔ internal Network (2 Laptop+1 PC+ a few smart phones). That’s all.
This is my current configuration:
# dec/30/2021 15:44:12 by RouterOS 6.49
# software id = 65I6-VCH5
#
# model = RB941-2nD
# serial number = D0550D7B5504
/interface bridge
add name=bridge1-Local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface l2tp-client
add add-default-route=yes connect-to=XXX.XXX.XXX.XXX disabled=no name=ToVPN \
use-ipsec=yes user=XXXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile1-LocalWiFi supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
disabled=no frequency=2432 hide-ssid=yes mode=ap-bridge security-profile=\
profile1-LocalWiFi ssid=OurHome wps-mode=disabled
/ip pool
add name=dhcp_pool0 ranges=172.16.1.21-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1-Local lease-time=\
3h10m name=dhcp1
/interface bridge port
add bridge=bridge1-Local interface=ether4 multicast-router=disabled
add bridge=bridge1-Local interface=ether3 multicast-router=disabled
add bridge=bridge1-Local interface=wlan1 multicast-router=disabled
add bridge=bridge1-Local interface=ether2 multicast-router=disabled
/ip address
add address=172.16.1.1/24 interface=bridge1-Local network=172.16.1.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.1.0/24
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1
add distance=1 dst-address=XXX.XXX.XXX.XXX/32 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=7911
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tokyo
/system clock manual
set dst-end="jan/01/2025 00:00:00" dst-start="jan/01/2021 00:00:00" \
time-zone=+03:30
You can Secure your L2TP with an extra layer of encryption with IPsec PSK or RSA. It’s more secure than PPTP. However, IKEv2 / Wireguard / OpenVPN / OpenConnect / SSTP are more secure than L2TP.
To me use-ipsec=yes tells this L2TP is wrapped in IPSec, you have remove password and IPSec secret part (good!! removing actual server would been even better), so looks as secure as password-authenticated VPN can be. All good and safe!
Thank you guys for both your comments. Points taken.
So, I need to add an extra layer of encryption with IPsec PSK or RSA, or opt for IKEv2 / Wireguard / OpenVPN / OpenConnect / SSTP altogether.
Unfortunately, however, I am quite new to these subjects and don’t have the proper knowledge to follow either option by my own. While I will do my own research for this, I wonder if you guys or any other veteran here could provide me with a ‘how-to’ link to implement either of the above alternatives.
Many thanks and kind regards to all.
All good, these wireguard/whatever/whatever fanboys are responsible for their false suggestions before even understanding the configuration. You can configure wireguard or any other tool insecurely if you don’t fully understand it.
Even more, hAP lite doesn’t have enough RAM to run ROS v7.1 with wireguard, so your current solution is quite optimal for max security for min price.
Thanks a lot bro.
I input the actual vpn address in two places: (1) under PPP>Interface <ToVPN)> >Dial Out Tab, and (2) under IP>Routes>General Tab.
Do you mean I should completely remove and delete the address from the ‘General’ tab in (2) above? Or, just replace the numbers with XXX.XXX.XXX.XXX as you have noted?
I assume I should keep the actual address in (1) for the vpn to work and connect. Right?
Sorry if my question sounds dumb!
Hi. Thanks for the thumbs-up! I appreciate it.
As stated in my original post, my prime intention is that all my clients at home (Windows laptops and PCs as well several IOS and Android smart phones) connect to internet (for browsing and otherwise) SOLELY through a vpn tunnel set up on the router. Could this arrangement be called ‘Clients-To-Server’, I wonder?
Don’t change anything in your configuration, it’s all good and suitable for providing internet to your devices to get past big-brother firewalls. I meant, it’s good that you shared your full configuration here and removed passwords from it, but next time remove also public IP-addresses from configuration before posting to public forum, because now your big-brother goverement might know that you use VPN from this address and block it.
@zippedmails one step you can change to better: in l2tp-server configuration change use-ipsec=yes → use-ipsec=required to be really sure IPSec tunnel is used.
What is strange with this VPN setup, though, is that I still get a timed out connection whenever I try to browse certain pages/websites (that are normally inaccessible by the general public due to ISP/government censorship policies) just as if I were connecting to internet directly through the ISP ADSL modem only (no router). To open such pages, I still need to turn on ANOTHER vpn (such as Psiphon 3, or OpenVPN client for Windows) which is ridiculous and contrary to the original intention of having a vpn in place.
Isn’t a VPN setup on the router really supposed to do its job and allow me to get through the government’s firewall to browse restricted websites (e.g. YouTube) and disguise my IP address and to hide my identity while surfing the Internet?! If the answer is yes, why on earth does the current L2TP vpn setup (with IPSec enabled) on my Mikrotik fail to do that??
Any solutions to get rid of the need to use a SECOND vpn in this case to get access to restricted websites?
If i were you i’m going to attack the issue differently, go get a service like hamachi or TOR instead of doing L2TP/Ipsec vpn, your other server which you peer to is also been blocked, just my 0.2$
Hello,
There are a few things wrong here.
I’m Sorry to check your VPN Address, That’s why you should not share it. Anyway, it looks like the service is in the JP if you want to bypass your ISP firewall your VPN server must be overseas. Maybe the L2TPserver has a Site to Site config. Whenever you figure out how to pass your L2TP connection out then you have to check your IP ipinfo.io or any other IP Address lookup. Then you will Know if your public IP did not change to any 3rd party country you need a true VPN. You could buy one from any provider that will sell out your data or you could create your own server Linux or MT CHR will do the job nicely.
IPSec Enabled or disabled don’t have anything to do with passing your traffic over the L2TP.
I don’t think you ever pass traffic over your VPN connection. with your current config. you don’t have any of the necessary rules that I know of to forward your traffic over the VPN.
The point of having a VPN on the router is that too not have to connect any VPN on the clients.
To pass your traffic through your VPN you will need these three rules. If you have FastTrack Enabled(it’s enabled by default) you have to mark your connection to out of the FastTrack or disable the FastTrack.FastTrack is a firewall future in RouterOS.
*You did not share any of your Firewall configs if you have any,
Don’t Copy paste these rules make the necessary change to suit your config.
*
This rule will mark your route from the src-address whatever device that you wanna pass your traffic through a VPN connection.
Thank you all for your contributions so far to my issue.
Basically I would like to get this vpn thing sorted out first if possible, and if it doesn’t I would like to understand why. As I mentioned in my original post, I received my router already configured by the seller for L2TP VPN, and so I don’t know why he has set it up the way it is and why it can’t access sites that are blocked by the ISP/government.
I apologize if my questions are too rudimentary for the forum. But, each reply teaches me something new, and since I am on a learning curve I want to understand what and why I should load something on my MT?
Therefore, please talk to me like I don’t know anything because I don’t know anything.
I really struggle to make head or tail of what each of you say each time!
No need to apologize for checking my VPN address. But, thank you anyways. I have already changed it thanks to @kalamaja’s advice earlier. My new VPN is now in Germany, ‘outside’ my ISP location. (The previous VPN address in Japan that you checked was also overseas. So, the problem did not stem from the VPN address IMHO). Nevertheless, I still have the same problem of ‘connection timed out’ for the ‘blocked’ sites. Therefore, I should agree with you that it’s highly likely that my internet traffic never passes over my current VPN connection configuration. But, if this is really the case why should I see my new VPN IP address correctly as Germany then when I check whatismyipaddress.com?? Isn’t that odd??
Where should I look for ‘FastTrack’ to check if it is Enabled? In PPP or elsewhere? I have checked several sections in Winbox to find it but can’t locate it.
What do you mean that “FastTrack is a firewall future in RouterOS”? (That it would be implemented as a new feature in future RouterOS upgrades?)
As for ‘Firewall Rules’, I can see no rules in IP > Firewall Rules.
Regarding amending your three rules, what element exactly should I change in each to suit my config?
A. Change “src-address=172.16.1.21-172.16.1.254” in Rule 1? If yes, change to what? 172.16.1.21-172.16.1.254 is the current range of my DHCP Server. Why should I change it?
B. Change “out-interface=VPN-L2TP“ in Rule 2? If you mean changing VPN-L2TP to another name, it is okay as a name. No need to change. Anything else to change?
C. In Rule 3, not sure what to change.
if this is really the case why should I see my new VPN IP address correctly as Germany then when I check whatismyipaddress.com?? Isn’t that odd?? If you did check your current IP and it’s not your ISP-provided IP, Then why you can not open a blocked website? looks like a miss config to me.
Where should I look for ‘FastTrack’ to check if it is Enabled? In PPP or elsewhere? I have checked several sections in Winbox to find it but can’t locate it. It’s in /IP firewall filter in the forwarding chain as you don’t have any firewall rules it’s likely that you don’t have Fasttrack enabled.
What do you mean that “FastTrack is a firewall future in RouterOS”? (That it would be implemented as a new feature in future RouterOS upgrades?) Somehow it will bypass the firewall for your local network so it may have a conflict with the rule in the / IP firewall mangle
As for ‘Firewall Rules’, I can see no rules in IP > Firewall Rules.
You should have a basic firewall even if you have a DSL modem before the MT. There is no point in using the VPN other than bypassing the ISP firewall when your point of origin is unsecure.
5. Regarding amending your three rules, what element exactly should I change in each to suit my config? Please do not set these rules for now.
A. Change “src-address=172.16.1.21-172.16.1.254” in Rule 1? If yes, change to what? 172.16.1.21-172.16.1.254 is the current range of my DHCP Server. I did replace it with your current IP range, Let’s say you want to forward your desktop traffic over the VPN, not the entire DHCP IP Pool. That’s why.
B. Change “out-interface=VPN-L2TP“ in Rule 2? If you mean changing VPN-L2TP to another name, it is okay as a name. No need to change. Anything else to change? The name of the gateway interface must be matched by your l2tp-out interface name.
C. In Rule 3, not sure what to change. NOW, I’m not sure too.
would you export your most recent config, please?
/export hide-sensitive
make sure your VPN status is connected when you are exporting, please. UPDATE
So I did a Lab version and everything works fine.
Any way
I don’t understand why your /IP route is the way it is, my guess is that’s your problem.
This is a route for your modem and the second route is for your VPN server through your modem. It doesn’t have any route regarding your actual VPN connection maybe it was disabled at the time.
When you want to hide, you must know how to check your fingerprints. Your configuration had add-default-route=yes, so all the traffic should go to the VPN-connection.
Let’s start with tracing:
You have a connection, Ethernet cable. Plug your computer to it and open https://whatismyipaddress.com. You get IP-address from your ISP.
Connect Mikrotik with L2TP-client to the connection. Check the status of PPP → L2TP client, is it successfully connected?
Connect to the router and open the site https://whatismyipaddress.com again. Does it show the same IP-address or different one? It should show the IP-address, you enter in l2tp-client configuration or similar. If it shows the same as at p1, then your L2TP+IPSec connection doesn’t work correctly and you must figure it out.
They are running an l2tp-out, they don’t own the VPN server so that they could change this setting. But for sure they can ask if Provider used RouterOS VPNServer.But I guess NOT. VPN provider used softether for that part.
