Make home broadband a VPN server using mAP RouterOS

Dear Mikrotik master,

hello,
I’m a newbie to this application. I’ve recently bought a “mAP 2nd” Routerboard and would like to use it as a VPN server using my home IP address, and connect from my phone and laptop to the internet via the routerboard (my home IP address). I have already set up a VPN server on a VPS, so I’m familiar with setting up a VPN server and client.

My question is: how can I access my RouterOS from outside?

  1. Do I need to set up port forwarding?
  2. Would the server IP in my phone/laptop VPN settings contain the port as well? Something like 213.129.45.11:422
  3. Is there a tutorial in the forum you could refer me to?

Thank you in advance.

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#L2TP.2FIpSec_setup

Did you read my question carefully? I’ve already set up an L2TP server. I have also created an L2TP client on my Routerboard and it is connected. The question is how to share the L2TP connection over the device’s WiFi. I need to do something in the routerboard’s Firewall section but I don’t know how!

Yes, I read your question carefully. If I misunderstood you, it was because your question wasn’t written clearly.

I understood you to mean you wanted to set up your Mikrotik router as an L2TP VPN server, so you could connect to your home router from your phone and reach the Internet through your Mikrotik router. This is a common task. The link I directed you to explains how to do exactly that.

You did write, “I’ve recently bought a Routerboard … and would like to use it as a VPN server using my home IP address and connect from my phone and laptop to internet via routerboard(my home IP address).” You also wrote, “My question is that how can I access my routerOS from outside?”

Now you say you want to share the connection over WiFi? How is that accessing from outside? Outside what?

I’m afraid it’s still not clear what you are trying to do.

It is unclear to me how you have your mAP set up: is it behind another broadband router provided by your ISP? Because if that’s the case, you should start by forwarding the necessary ports from your ISP’s router toward the mAP, and if you use a non-default port it should be mentioned somewhere in the VPN client configuration, for example in the idea.

To give you an impression: my ISP gave me a default router, I’ve set this up as a bridge, and my hAP ac lite is set up as the DMZ host, so all traffic gets forwarded from the ISP router to my hAP. On my hAP I’ve set up an OpenVPN server using the official MikroTik documentation found on the wiki (https://wiki.mikrotik.com/wiki/OpenVPN#Server_configuration). Since all traffic goes toward my hAP I’ve set up the firewall there as well; in the firewall I’ve configured the OpenVPN ports to accept new connections.

Since I get a dynamic IP from my ISP, I use the RouterOS ability to perform Dynamic DNS (IP > Cloud) and use that address as my VPN server. In the OpenVPN configuration I’ve set up the server name and the port I use.

I hope the way I’ve set up my OpenVPN can help you understand the steps you need to take in order to reach your L2TP connection from outside of your home network.

Ohhh, my apologies. I mixed it up.
Well, let me explain my funny problem briefly. I’ve got bank accounts in Iran and the UK and have two problems with them:

  1. Iran has banned foreign IP addresses from accessing Iranian banks, so to overcome this problem I got a VPS with RouterOS installed and an Iranian IP, set up an L2TP server, created an account and am using it on my phone. But now I would like to use the routerboard to connect all my devices through it rather than setting up a VPN account on every single device. To do so, I created an L2TP client in my routerboard but am struggling to share it over the WiFi.

  2. When I travel to Iran, I DO need to use a VPN as many websites are filtered and some of my UK banks have banned Iranian IPs. So I bought another mAP device to make an L2TP server on it and use my UK home IP from Iran!

  * About the first problem, I just need to know how to tell the WiFi to get internet from the L2TP client.
  * About the second problem, I just want to know if I need to do port forwarding, or generally whether it is feasible or not.

P.S.
I’ve got a static IP from my UK ISP.

If I understand correctly, you have the tunnel ready, and you want to force some clients from your network (connected via WiFi) to connect to the Internet using the remote public IP address. I’m new to all of this myself (I set up something similar just yesterday, being a newbie), so maybe my advice is not the best approach you can choose. Just sharing my thoughts. :slight_smile:

So by default you have a route in IP/Routes as 0.0.0.0/0 with the public gateway provided by your ISP. It has distance set to 1. You need to change the distance to, say, 5. In the router where you have a static IP address set up, you are likely to be able to modify it in the IP/Routes entry. In the router where you get a dynamic IP address, you need to change the distance in the IP/DHCP Client entry. At least it is like that in my case.

So now you have route 0.0.0.0/0 with the public gateway and distance 5.

Next step would be to create an IP/Firewall/Mangle rule.
Add a new rule with chain=prerouting, define the traffic filter (more about it below), then in Action select “mark routing” and give it a name in the New Routing Mark field, e.g. DestinedToIran.
Re the traffic filter, you can set Src Address, or use the MAC Address of specific devices (you need to create a few mirror rules then), or you can define an IP list in IP/Firewall/Address List and then use this named list in mangle. It will allow you to select only some devices to be routed via Iran, and the rest of the devices will use the default rule, now with distance 5.

Next step is to add new routes. Again, add a new rule where destination is 0.0.0.0/0, set distance 1 (to give it priority over 5), select routing mark DestinedToIran, and the gateway will be your tunnel interface (easy with the client; the server is covered below). Now all devices selected in mangle will connect to the remote site via your VPN. And over there they will use the default 0.0.0.0/0 route, so they will use the remote NAT and public IP address.
Two remarks here:

  1. If your VPN goes down, the tunnel will not be reachable, so the default route with distance 5 will be used instead. It means that some traffic which was supposed to go via Iran will default to the UK again.
  2. If you want to prevent it, you can mirror the rule you have just added, but set distance 2 and set type=prohibit. It means that if the VPN is down, you will fail to connect anywhere rather than connect to Iran with your UK IP address.

When setting up the rules above, you need to use the tunnel interface. It is pretty simple with the L2TP client, as you have such an interface available. On the other hand, the server doesn’t generate such a gateway by default. In order to do it (and I’m not sure whether it is the best way to do it), you need to add an IP/Interfaces/L2TP Server Binding. You can name an interface, match it with a user name, and then use this new interface as the gateway in the routes above on the L2TP server side.

BTW: I had such a setup yesterday with L2TP, but in the end I set up a GRE tunnel with IPsec instead.

And one last thing to note… in my setup, Internet traffic routed over the VPN was extremely slow. I found that switching off the firewall rules with action=“fasttrack connection” solved this issue. Why, I’m not sure. You may have a similar issue, so I’m mentioning it just in case.
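The mangle mark, the two marked routes and the NAT step described above, written out as RouterOS v6 CLI commands. This is an added example, not Yogieu’s own configuration; it assumes the L2TP client interface is named l2tp-out1, the LAN is 192.168.88.0/24, the phone sits at 192.168.88.10, and the ISP gateway is 203.0.113.1 (all constructed values). On RouterOS v7 the route parameter is routing-table instead of routing-mark and the table must first be created under /routing table.

```routeros
# Constructed example, RouterOS v6 syntax. Assumed names: l2tp-out1 (L2TP client
# interface), LAN 192.168.88.0/24, phone 192.168.88.10, ISP gateway 203.0.113.1.

# 1. Demote the ISP default route so a marked route can win on distance.
#    Static WAN: edit the route. DHCP WAN: set the distance on the DHCP client instead.
/ip route set [find dst-address=0.0.0.0/0 gateway=203.0.113.1] distance=5
# /ip dhcp-client set [find interface=ether1] default-route-distance=5

# 2. Devices that should exit via the Iran VPS go in an address list, so the
#    mangle rule never needs editing when a device is added.
/ip firewall address-list add list=via-iran address=192.168.88.10 comment="phone"

# 3. Mark routing in prerouting for those devices only. LAN destinations are
#    excluded so traffic to the router itself and other LAN hosts stays local.
/ip firewall mangle add chain=prerouting src-address-list=via-iran dst-address=!192.168.88.0/24 action=mark-routing new-routing-mark=DestinedToIran passthrough=no

# 4. Marked traffic: default route through the tunnel (distance 1) plus a
#    prohibit route (distance 2). If the tunnel drops, marked traffic fails
#    closed instead of leaking out through the ISP with the UK address.
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=DestinedToIran distance=1 comment="via Iran VPS"
/ip route add dst-address=0.0.0.0/0 type=prohibit routing-mark=DestinedToIran distance=2 comment="fail closed when VPN is down"

# 5. Source NAT behind the tunnel address; the remote side only knows how to
#    route its own tunnel subnet, not your LAN.
/ip firewall nat add chain=srcnat out-interface=l2tp-out1 action=masquerade

# 6. FastTracked packets skip the mangle chains, so the routing mark is never
#    applied to them. Disable the fasttrack rule as suggested above (or exclude
#    the marked traffic from it).
/ip firewall filter disable [find action=fasttrack-connection]

# 7. Check: the marked route must show as active (A) and the tunnel as the gateway.
/ip route print where routing-mark=DestinedToIran
```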

Regarding 1: It looks like @Yogieu gave you a good solution.
Regarding 2: It’s not clear why you are asking this. If you were able to set up a Mikrotik as an L2TP VPN server in Iran, you should be able to use the same process to set up a Mikrotik L2TP VPN server in the UK. If you set your clients to “route all traffic” over the VPN, then you should be able to browse the Internet from Iran through your UK router, using your UK IP address.

Thanks to both of you guys.
I finally managed to solve the first problem, which was to share the L2TP client over the routerboard’s wireless. What I did was:

  1. Interface → L2TP client → checked “Add Default Route”
  2. IP → Firewall → NAT → masquerade → Out. Interface → L2TP client
    It works like a charm :smiley:

Regarding 2: I don’t have a Routerboard at my home in Iran; I got a VPS with an Iranian IP, so I’m not familiar with port forwarding and how to access my routerboard from outside home.

Good to hear you got things working.

Regarding 2… Go back and look at the first link I posted. It has instructions for setting up your UK RouterBoard as an L2TP server, including opening the necessary ports (1701, 500 & 4500) in the firewall. Once you’ve done that, you can connect using the built-in L2TP client in iPhones, Macs, etc.
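The UK-side server setup the reply refers to, as RouterOS v6 CLI commands: L2TP server with IPsec required, the three ports plus ESP accepted in the input chain, and source NAT for clients that route all traffic through the tunnel. This is an added example, not the wiki’s or the poster’s configuration; it assumes the WAN interface is ether1, a tunnel subnet of 10.20.0.0/24 and a user named phone (constructed values), and if the mAP sits behind an ISP router that router must still forward UDP 500, 4500 and 1701 to it.

```routeros
# Constructed example, RouterOS v6 syntax. Assumed: WAN on ether1 with the static
# UK address, tunnel subnet 10.20.0.0/24, one PPP user "phone".

# 1. Address pool and PPP profile for roaming clients. local-address is the
#    router's end of every tunnel; clients receive addresses from the pool.
/ip pool add name=l2tp-pool ranges=10.20.0.2-10.20.0.50
/ppp profile add name=l2tp-profile local-address=10.20.0.1 remote-address=l2tp-pool use-encryption=yes

# 2. One PPP secret per device. Replace the placeholder password before use.
/ppp secret add name=phone password=CHANGE_ME service=l2tp profile=l2tp-profile

# 3. Enable the L2TP server and require IPsec with a pre-shared key, so the
#    L2TP control channel (1701) is only ever reachable inside the IPsec tunnel.
#    Older v6 releases only accept use-ipsec=yes here.
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret=CHANGE_ME_PSK default-profile=l2tp-profile

# 4. Accept the tunnel setup on the WAN side: IKE (500), NAT-T (4500), L2TP
#    (1701) and ESP. Move these above any generic drop rule in the input chain.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=500,4500,1701 action=accept comment="L2TP/IPsec"
/ip firewall filter add chain=input in-interface=ether1 protocol=ipsec-esp action=accept comment="IPsec ESP"

# 5. Clients set to "route all traffic" need source NAT to the UK address.
/ip firewall nat add chain=srcnat src-address=10.20.0.0/24 out-interface=ether1 action=masquerade

# 6. Check: a connected phone appears here with its pool address and a
#    matching installed SA under /ip ipsec.
/ppp active print
/ip ipsec installed-sa print
```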