No-IP configurations and VPN Server

Hi guys,

I have already spent more than 8 hours trying to find some information about configuring my hAP ac lite for the No-IP ddns.net and VPN access for the client, but couldn’t succeed.
Is there anybody who has a valid No-IP script and would guide me through the configuration for ddns.net and the basic VPN server setup for the client?

The way I used to configure the VPN Server (PPTP) just doesn’t work this time. Would No-IP ddns.net need some extra configs?

Thanks for the answer.

Any reason you can’t use the dynamic DNS used by /ip cloud? I use a CNAME record for my domain to point vpn.mydomain.net to the longer string from /ip cloud.

Also, time to look away from PPTP. Support for it is being pulled from client operating systems and it’s not considered safe from an encryption standpoint anymore. Additionally it’s not NAT friendly and requires routers and/or clients to support workarounds to establish connections. You may want to look at something like L2TP/IPSec. I use it for my iPhone and Android tablet without an issue when I’m away from home.

I have tried the script given at the link below and it works. However, I am having a problem on the client side connecting to the VPN server (PPTP), which is set up on the same router as the DDNS.

https://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_No-IP_DNS

Is the PPTP client behind a NAT device (aka private IP)? Your latest post makes it sound like the problem is the PPTP side not the script.

Yes the PPTP client is behind the NAT, trying to connect to PPTP Server from another location.

I wanted to set up L2TP but I don’t know how to do it yet. There are a bunch of videos on the internet but they didn’t work for me. It would be better if I were able to set up L2TP.

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Connecting_Remote_Client

Follow the guide here. The only thing I’d suggest is to not use the same network for the remote client as the LAN. Like I said earlier that requires proxy-ARP to work. Just pick an unused range to use for your road warriors and you don’t have to do the steps that cover activating proxy-ARP on your LAN interface. It’s better for security.

Use this as an example to set up a basic road-warrior configuration that would support iOS or Android devices:

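# Create the address pool and PPP profile first; the L2TP server setting references the profile by name
/ip pool add name=rw ranges=172.16.1.100-172.16.1.199
/ppp profile add name=rw dns-server=192.168.20.1 local-address=172.16.1.1 remote-address=rw use-compression=no use-encryption=yes use-ipv6=no
# Enable the L2TP server with IPsec, using the rw profile as default
/interface l2tp-server server set enabled=yes default-profile=rw use-ipsec=yes ipsec-secret=MyRWSecret123!
# One PPP secret (user) per road warrior
/ppp secret add name=rw1 password=FirstRWUser123! profile=rw service=l2tp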

Firewall rules to allow the inbound IPSec connection (I believe the default firewall config in the newer versions allows this as well):

/ip firewall filter add action=accept chain=input comment="(vpn-ra) allow ipsec" in-interface=eth1 protocol=ipsec-esp
/ip firewall filter add action=accept chain=input comment="(vpn-ra) allow ike, l2tp and nat-t" dst-port=500,1701,4500 in-interface=eth1 protocol=udp
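An added example, not part of the thread or of MikroTik's tooling: a small Python check that reads one-line RouterOS commands and flags the three points raised above (PPTP still enabled, L2TP without IPsec, a road-warrior pool that overlaps the LAN and would therefore need proxy-ARP). The LAN address line, the interface name `bridge` and the finding labels are assumptions made for the illustration.

```python
import ipaddress
import shlex

# Constructed sample: the commands from the post plus an assumed LAN address line.
SAMPLE = '''
/ip address add address=192.168.20.1/24 interface=bridge
/ip pool add name=rw ranges=172.16.1.100-172.16.1.199
/ppp profile add name=rw dns-server=192.168.20.1 local-address=172.16.1.1 remote-address=rw
/interface l2tp-server server set enabled=yes default-profile=rw use-ipsec=yes ipsec-secret=MyRWSecret123!
'''

def parse(config):
    """Yield (menu path, {key: value}) for each one-line, full-path command."""
    for line in config.splitlines():
        tokens = shlex.split(line)
        if not tokens or not tokens[0].startswith("/"):
            continue  # skip blank lines and comments
        path = " ".join(t for t in tokens if "=" not in t)
        yield path, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(config, lan_interfaces=("bridge",)):
    """Return a list of findings; an empty list means none of the checks fired."""
    cmds = list(parse(config))
    lans, pools, findings = [], {}, []
    for path, kv in cmds:  # first pass: collect LAN subnets and address pools
        if path == "/ip address add" and kv.get("interface") in lan_interfaces:
            lans.append(ipaddress.ip_interface(kv["address"]).network)
        elif path == "/ip pool add":
            pools[kv["name"]] = kv["ranges"]
    for path, kv in cmds:  # second pass: apply the checks
        if path == "/interface pptp-server server set" and kv.get("enabled") == "yes":
            findings.append("pptp-enabled")
        elif path == "/interface l2tp-server server set" and kv.get("enabled") == "yes":
            if kv.get("use-ipsec", "no") == "no":
                findings.append("l2tp-without-ipsec")
        elif path == "/ppp profile add" and kv.get("remote-address") in pools:
            for rng in pools[kv["remote-address"]].split(","):
                first, _, last = rng.partition("-")
                lo, hi = (ipaddress.ip_address(a) for a in (first, last or first))
                if any(lo <= n.broadcast_address and hi >= n.network_address for n in lans):
                    findings.append("vpn-pool-overlaps-lan:" + kv["name"])
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

It only understands commands written on one line with the full menu path, as in the post; the grouped form produced by a full configuration export would need a fuller parser.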