I use both Ivacy and PureVPN for VPN. Before people start trashing those two services, I will say that I use them because they are the only ones I have found that support fixed IP AND inbound port forwarding (including forwarding of all ports).
Previously, both services connected with PPTP. Worked from Asus… worked from Mikrotik. Mikrotik was 1000x better than the Asus because Mikrotik allowed me to do things like Port Knocking very easily. A huge improvement in unwanted inbound traffic.
Then both Ivacy and PureVPN dropped PPTP and allow ONLY OpenVPN connections to their dedicated IP services (PPTP still works for non-dedicated IP accounts). I had to go back to the Asus routers. They work OK with OpenVPN.
Mikrotik DOES NOT. Neither service has instructions for connecting Mikrotik with OpenVPN. I have read various comments that Mikrotik’s implementation of OpenVPN is missing some things that would be needed to connect.
Has anyone been able to connect to Ivacy or PureVPN dedicated IP accounts with Mikrotik and OpenVPN?
Any modern VPN service that doesn't offer WireGuard is simply lazy and stupid.
I note that PureVPN offers WireGuard, why not use that… manual download, they don't state Mikrotik but I imagine that using the Windows file they generate would do fine, or perhaps the Linux one, or DD-WRT??
Then simply adapt to the Mikrotik router and you're off and running.
My understanding is that the connection types available are different for regular VPN (where you’re sharing an outside IP for surfing, streaming, etc) versus dedicated IP (where in my case I need a fixed IP and inbound port mapping). My understanding is that OpenVPN is the only option now for dedicated. They support other methods of connecting for ‘regular’ VPN…
I see the problem.
Well, my advice is to get a DD-WRT or whatever router that handles OpenWrt well.
Then you simply add this new router BEHIND the MT router on the MT network.
It's a cool trick.
The main wan of the secondary router is through the MT router for internet. Like you do for any router natted behind another.
Then through this link you establish a tunnel to pureVPN.
Then, on the secondary router, assign two networks/subnets, one network for local access and one network/subnet dedicated-linked to the purevpn connection.
Let's say ether1 to MT
Ether2 is connected to the local subnet aka local LAN on secondary router for admin/configuration purposes (local subnet)
Ether3 and Ether4 are for switches/devices that you want on PureVPN access only (VPN subnet so to speak)
Here's the fun one
Ether5 is assigned to the same VPN subnet/network but connected to an available port on the Mikrotik router
Guess what you do on the MT. You assign this connection as a secondary WAN with a fixed static IP address.
Ipso facto you have a normal WAN connection on the MT and also a VPN connection WAN via the secondary router.
Thus you can now access the openvpn connection from MT subnets etc…
Interesting… I was working on a variation of that.
My Verizon Fios router (192.168.1.x) has telnet, ftp, etc, and my three Port Knock ports forwarded to an MT router. The WAN side of the MT router is on 192.168.1.x. The LAN side of the MT is 192.168.0.x, and the FTP server is on the 192.168.0.x network with a default gateway of the MT router 192.168.0.x.
So this works, but it was ‘cleaner’ when the MT was directly connected to the VPN service. I was able to shut off the Asus routers. But the Verizon router is not fixed IP, which I’d like to have for my Exchange server. And I can’t send inbound SMTP through the Verizon residential router. I don’t care about fixed IP for my telnet/ftp server.
Now I have the Asus routers connecting to the VPN service (wan on 192.168.1.x, lan on 192.168.0.x) and port forwarding directly to Exchange and the telnet/ftp servers on 192.168.0.x.
I’m trying to send traffic from the Asus VPN connected routers to forward to the MT for purposes of doing the port knock. It’s being a little difficult. I think I’ll have to put the Asus WAN on 192.168.1.x, LAN on, say, 10.1.1.x, MT WAN on 10.1.1.x, LAN on 192.168.0.x in order for all this to work. Lots of little blinking boxes.
It was sooooooooo easy when these vpn services supported PPTP.
Well not sure what you want to do, but the method I described gives you VPN access to your ASUS (acting as a second natted router) and VPN access to the MT.
If the VPN access to the MT as a WAN access is not helpful and thinking about this if it were possible we wouldn't do this trick in the first place.
Better yet, simply assign the MT ether port attached to the ASUS a static LAN IP address on the subnet of the ASUS.
Meaning let's say ether 3,4 on ASUS are on the subnet going out VPN,
Take ether4 and connect it to ether5 on the MT
Let's say the ASUS VPN subnet is 192.168.66.0/24
/ip address
add address=192.168.66.6/24 interface=ether5 network=192.168.66.0
and ensure you statically set the lease on the ASUS if possible to reflect this.
So now you have your MT connected on the LAN side to the VPN connection afforded by the ASUS!!
Now take any subnet on the MT and you can be connected to the LAN subnet via a static route.
The address above ensures that there now exists a route on the MT to that LAN
dst-address=192.168.66.0/24 gateway=192.168.66.1 routing-table=main
If you want to route traffic to a different subnet or address and want to use the VPN connection:
/ip route
add dst-address=xxxxxx gateway=192.168.66.1 routing-table=main
If you wanted somebody on the MT to use that for internet
add dst-address=0.0.0.0/0 gateway=192.168.66.1 routing-table=useVPN
plus additional rules..
In this case it would be wise to
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether5
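Added example, not part of the original posts: the "additional rules" for sending one MikroTik LAN out through the ASUS VPN subnet, written out for RouterOS v7, with a rule that stops that LAN from falling back to the normal WAN when the VPN path is down. Assumptions not taken from the thread: the ASUS answers on 192.168.66.1, the MikroTik LAN to be routed is 192.168.88.0/24, and the comments on each entry are hypothetical labels.

```routeros
# Added example for RouterOS v7. Assumed values:
#   192.168.66.1    = ASUS address on its VPN subnet (assumption)
#   192.168.88.0/24 = MikroTik LAN that must leave via the VPN (assumption)
#   ether5          = MikroTik port cabled to the ASUS VPN subnet (from the thread)

# MikroTik's own address on the ASUS VPN subnet; this creates the connected route.
/ip address
add address=192.168.66.6/24 interface=ether5 comment="to ASUS VPN subnet"

# Dedicated routing table for VPN-bound traffic.
/routing table
add name=useVPN fib

# Default route in that table points at the ASUS. check-gateway only proves the
# ASUS is reachable, not that its OpenVPN tunnel is up.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.66.1 routing-table=useVPN \
    check-gateway=ping comment="default via ASUS VPN"

# Rule order matters: traffic staying inside the LAN (including to the router
# itself) is resolved in main; everything else from that LAN may use ONLY
# useVPN, so it is dropped rather than leaked out the normal WAN when the
# route above goes inactive.
/routing rule
add src-address=192.168.88.0/24 dst-address=192.168.88.0/24 action=lookup table=main
add src-address=192.168.88.0/24 action=lookup-only-in-table table=useVPN

# Source NAT so the ASUS only ever sees 192.168.66.6 and needs no return routes.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether5 comment="NAT towards ASUS VPN subnet"
```

Because check-gateway cannot see the tunnel state, the ASUS itself should be configured to block forwarding when OpenVPN is disconnected.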