Newbie VPN Question

I would appreciate some advice. I have a hEX router at my ISP’s location. Ether1 serves as the WAN side of the router, and is connected to the ISP’s network where I have a public IP address. From the internet, I can ping the public IP address, ssh into the router, and log in to the router with Webfig and Winbox. While logged in, I can ping nodes on the LAN side (ether1, 192.168.11.0/24), ssh into them, etc. These nodes on the LAN are Ubiquiti radios (PowerBeams and LiteBeams). Once I’m logged into the hEX router, I can ssh into these radios using their 192.168.11.x addresses. However, they don’t have a well-documented command line interface, and need to be configured using a web browser.

So, my newbie question is, what do I need to be able to configure the nodes from the internet? My gut tells me that simple port forwarding is not sufficient, and that I need a VPN, probably set up for a “road warrior” configuration. Is this correct? If so, which VPN (IPSEC/OpenVPN/Others???) would be easiest to configure? Put another way, which would I be less likely to screw up? :)

Many thanks in advance.

If you want something easy and almost foolproof, you can stick with ssh. Enable ssh port forwarding on the router:

/ip ssh set forwarding-enabled=yes

Then, assuming you use Windows (statistically most likely), get PuTTY (you probably have it already), find Connection->SSH->Tunnels in the configuration and add a new forwarded port. Put e.g. 1080 in Source port, keep Destination empty and select Dynamic below. Click Add and that’s it. Now if you connect to the router with this config, it will create a SOCKS5 proxy on 127.0.0.1:1080. Configure this proxy in your browser and everything will go through the remote router. You’ll be able to connect to any remote 192.168.11.x as if you were in the remote network.

Thank you very much, that works. Actually, I’m using macOS, so I used the command line ssh from the terminal:

ssh -D 8888 admin@1.2.3.4

where 1.2.3.4 is the public IP address of my router, and entered the password to log in.
After setting the SOCKS5 Host=127.0.0.1 and Port=8888 in my browser, I can now log in to the radios from my laptop.
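
An added example, not part of the thread: the SOCKS5 exchange (RFC 1928) a browser performs against the local listener that PuTTY's Dynamic forward or `ssh -D` creates, which shows why the forward needs no fixed destination: each connection names its own target. The function names are hypothetical, the default proxy address is the 127.0.0.1:8888 from the post above, and the code assumes the proxy answers with an IPv4-typed bind address.

```python
import ipaddress
import socket
import struct

# Reply codes from RFC 1928, section 6
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused"}

def build_greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return b"\x05\x01\x00"

def build_connect(dest_ip, dest_port):
    """CONNECT request: the destination is chosen here, per connection."""
    addr = ipaddress.IPv4Address(dest_ip).packed
    return b"\x05\x01\x00\x01" + addr + struct.pack("!H", dest_port)

def parse_reply(reply):
    """Return the status text of a SOCKS5 reply; raise if it is malformed."""
    if len(reply) < 2 or reply[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_TEXT.get(reply[1], "error code %d" % reply[1])

def recv_exact(sock, n):
    """Read exactly n bytes or fail if the proxy hangs up first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def open_via_tunnel(dest_ip, dest_port, proxy=("127.0.0.1", 8888)):
    """Open a TCP connection to dest through the local SOCKS5 listener."""
    sock = socket.create_connection(proxy, timeout=10)
    try:
        sock.sendall(build_greeting())
        ver, method = recv_exact(sock, 2)
        if ver != 5 or method != 0:
            raise ConnectionError("proxy refused the no-auth method")
        sock.sendall(build_connect(dest_ip, dest_port))
        status = parse_reply(recv_exact(sock, 10))  # header + IPv4 + port
        if status != "succeeded":
            raise ConnectionError("SOCKS5 connect failed: " + status)
    except Exception:
        sock.close()
        raise
    return sock
```

The listener accepts the no-authentication method, so any local process that can reach the port can use the tunnel; keeping it bound to 127.0.0.1, as in both posts, limits that to the local machine.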