Private Internet Access

I recently bought a paid VPN service from PrivateInternetAccess. I’ve looked and looked, and everywhere I go I keep ending up at this post about PIA and PPTP. I can get it working, sort of: my PC won’t connect to the VPN server without using the app, whether or not the rules from the guide are enabled in my router. It seems like I shouldn’t need the app if my router is set up to connect to the VPN.

But I’m wondering if there’s a more up-to-date version? (That guide is almost two years old.) Or if someone can help me get away from PPTP and into something more secure?

I don’t know a whole lot about what I’m trying to do, but if you could at least point me in the right direction, I’d appreciate it.

Windows 7
RB2011UiAS-2HnD
RouterOS 6.34.4

Export:

[admin@MikroTik] > /export compact hide-sensitive
# apr/10/2016 01:03:41 by RouterOS 6.34.4
# software id = 64RV-JMEM
#
# Layer-2 layout: one bridge with a pinned admin MAC, ether1 renamed as the
# uplink port, and two switch groups built with master-port (ether2-5 under
# eth2-master, ether6-10 under eth6-master).
/interface bridge
add admin-mac=00:0C:42:FD:2F:92 auto-mac=no name=bridge-local
/interface ethernet
# eth1-gateway is the interface that the DHCP client, the srcnat masquerade and
# the inbound firewall/dst-nat rules later in this export treat as the Internet side.
set [ find default-name=ether1 ] name=eth1-gateway
set [ find default-name=ether2 ] name=eth2-master
set [ find default-name=ether3 ] master-port=eth2-master name=eth3-slave
set [ find default-name=ether4 ] master-port=eth2-master name=eth4-slave
set [ find default-name=ether5 ] master-port=eth2-master name=eth5-slave
set [ find default-name=ether6 ] name=eth6-master rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] master-port=eth6-master name=eth7-slave
set [ find default-name=ether8 ] master-port=eth6-master name=eth8-slave
set [ find default-name=ether9 ] master-port=eth6-master name=eth9-slave
set [ find default-name=ether10 ] master-port=eth6-master name=eth10-slave
/interface wireless
# 2.4 GHz access point. default-authentication=no means a client is only
# admitted if an entry in "/interface wireless access-list" allows it.
# NOTE(review): MAC-based admission is not authentication on its own (a MAC can
# be observed and cloned); the protection here rests on the WPA key in the
# security profile.
set [ find default-name=wlan1 ] band=2ghz-onlyn country="united states" default-authentication=no disabled=no distance=indoors frequency=2462 mode=ap-bridge ssid="Hidden network" \
    wireless-protocol=802.11
/interface pptp-client
# Tunnel to the VPN provider over PPTP. PPTP's MS-CHAPv2/MPPE protection is
# widely regarded as broken, so this tunnel should not be relied on for
# confidentiality. RouterOS 6.x also has other client types (for example
# l2tp-client with IPsec, ovpn-client); whether the provider's endpoints work
# with them is not shown here and needs checking.
# The password is absent because the export used hide-sensitive.
# NOTE(review): the "]" after USERNAME looks like a redaction artifact from the
# post rather than part of the real export.
add connect-to=us-midwest.privateinternetaccess.com disabled=no max-mru=1440 max-mtu=1440 mrru=1600 name=PIA-Home user=USERNAME]
# Neighbor discovery is switched off on every listed interface, including the
# uplink port, so the router does not advertise itself through discovery
# protocols on any of them.
/ip neighbor discovery
set eth1-gateway discover=no
set eth2-master discover=no
set eth3-slave discover=no
set eth4-slave discover=no
set eth5-slave discover=no
set eth6-master discover=no
set eth7-slave discover=no
set eth8-slave discover=no
set eth9-slave discover=no
set eth10-slave discover=no
set sfp1 discover=no
set wlan1 discover=no
set bridge-local discover=no
/interface wireless nstreme
set wlan1 enable-polling=no
/interface wireless security-profiles
# The default profile accepts both WPA-PSK and WPA2-PSK. The ciphers are not
# part of this compact export, so they cannot be judged from here.
# NOTE(review): if no client needs legacy WPA, limiting authentication-types
# to wpa2-psk is the tighter setting.
# NOTE(review): radius-mac-authentication=yes is set, but no /radius server
# entry appears in this export - confirm this is intended.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys radius-mac-authentication=yes
/ip pool
# Lease range for the LAN; the reserved hosts at .251-.254 fall inside it and
# are pinned by static leases further down.
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/system logging action
# In-memory log is capped at 100 lines, so older entries (including any
# firewall log lines) are overwritten quickly.
set 0 memory-lines=100
/tool traffic-generator port
add interface=eth2-master name=port1
add interface=eth3-slave name=port2
/user group
# Restricted group: only the ftp policy is granted, every other policy is
# explicitly negated.
add name=ftp policy=ftp,!local,!telnet,!ssh,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api
# Bridge membership: both switch-group masters, the SFP port and the wireless
# interface share one L2 segment (bridge-local).
/interface bridge port
add bridge=bridge-local interface=eth2-master
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=eth6-master
/interface wireless access-list
# Only the Mobile-J entry is active; the "Desktop Wireless" entry is disabled.
# Combined with default-authentication=no on wlan1, this is what decides which
# wireless clients are admitted.
add comment=Mobile-J mac-address=B0:45:19:2E:3A:3B vlan-mode=no-tag
add comment="Desktop Wireless" disabled=yes interface=wlan1 mac-address=88:9F:FA:4C:88:34 vlan-mode=no-tag
/ip address
# NOTE(review): the LAN address is bound to eth2-master, which is also a port
# of bridge-local, while the DHCP server listens on bridge-local. Addresses
# are normally placed on the bridge itself - confirm this is intended.
add address=192.168.88.1/24 comment="default configuration" interface=eth2-master network=192.168.88.0
/ip arp
# Static ARP entries for the four reserved hosts. The ARP mode of the
# interface is not shown in this export, so whether these entries are
# enforced (reply-only) or merely informational cannot be told from here.
add address=192.168.88.254 comment=Desktop interface=bridge-local mac-address=84:2B:2B:98:B7:D7
add address=192.168.88.253 comment=HTPC interface=bridge-local mac-address=C8:60:00:C9:A7:5A
add address=192.168.88.252 comment=Android interface=bridge-local mac-address=B0:45:19:2E:3A:3B
add address=192.168.88.251 comment=OpenElec interface=bridge-local mac-address=B8:27:EB:93:CD:48
/ip dhcp-client
# The uplink address is obtained by DHCP on eth1-gateway.
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=eth1-gateway
/ip dhcp-server lease
# Static leases. 192.168.88.254 (Desktop) is the host that the VPN address
# list and every dst-nat rule in this export point at, so its lease must stay
# fixed for those rules to keep matching the intended machine.
add address=192.168.88.254 client-id=1:84:2b:2b:98:b7:d7 comment=Desktop mac-address=84:2B:2B:98:B7:D7 server=default
add address=192.168.88.253 comment=HTPC mac-address=C8:60:00:C9:A7:5A server=default
add address=192.168.88.252 comment=Mobile-J mac-address=B0:45:19:2E:3A:3B server=default
add address=192.168.88.251 client-id=1:b8:27:eb:93:cd:48 comment="RaspberryPi Bedroom" mac-address=B8:27:EB:93:CD:48 server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1 netmask=24
/ip dns
# Upstream resolvers used by the router itself.
# NOTE(review): queries the router sends are not covered by the prerouting
# mark-routing rule, so presumably they leave via the normal uplink rather
# than the tunnel. Which resolver the Desktop actually uses is not visible in
# this export - check for DNS leaking outside the VPN.
set servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
# admin-access: the whole LAN; used by the input-chain accept rule.
add address=192.168.88.0/24 list=admin-access
# VPN: only the Desktop; used by the mangle rule that assigns routing mark VPN.
add address=192.168.88.254 list=VPN
# Filter rules are evaluated top to bottom within each chain; a rule with no
# action= uses the default action (accept).
# NOTE(review): several rules below rely on "jump-target=drop", but as
# exported the only rule in chain "drop" is disabled (see the last rule), so
# those jumps currently discard nothing.
/ip firewall filter
# Accept forwarded traffic arriving on the uplink for the published ports.
# These match on destination port only; the later
# "connection-nat-state=dstnat" accept appears to cover the same traffic.
add chain=forward comment=QBittorrent dst-port=50585 in-interface=eth1-gateway protocol=tcp
add chain=forward dst-port=50585 in-interface=eth1-gateway protocol=udp
add chain=forward dst-port=59853 in-interface=eth1-gateway protocol=tcp
add chain=forward comment="Emby Server HTTP & HTTPS" dst-port=8096 in-interface=eth1-gateway protocol=tcp
add chain=forward dst-port=8920 in-interface=eth1-gateway protocol=tcp
# FastTrack for established/related connections.
# NOTE(review): FastTracked packets bypass mangle, so the mark-routing rule
# that steers the VPN list into the tunnel does not see them. This likely
# defeats the VPN policy route for 192.168.88.254 and may let that host's
# traffic leave via eth1-gateway outside the tunnel - confirm, and consider
# excluding the VPN-listed traffic from FastTrack.
add action=fasttrack-connection chain=forward comment="Start of rules given here http://bit.ly/1jkLMqU" connection-state=established,related
# NOTE(review): FastTrack is presumably only meaningful for forwarded
# traffic; confirm this input-chain rule has any effect.
add action=fasttrack-connection chain=input connection-state=established,related
# Both chains run the shared sanity-check chain first.
add action=jump chain=forward jump-target=sanity-check
add action=jump chain=input jump-target=sanity-check
# Invalid packets are sent to chain "drop"; established/related are accepted.
add action=jump chain=sanity-check connection-state=invalid jump-target=drop
add chain=sanity-check connection-state=established,related
# Accept anything to the router whose source is in admin-access (the LAN /24).
# NOTE(review): the match is on source address only, with no in-interface, and
# it sits before the uplink rule below; adding in-interface=bridge-local would
# tie it to the LAN side.
add chain=input comment="Rules to block FTP, SSH, etc. externally. Found in this forum post http://bit.ly/1MSC1bQ" src-address-list=admin-access
# Drop TCP to the listed management/service ports for every source not
# accepted above. Only TCP is covered.
add action=drop chain=input dst-port=21,22,23,53,80,443,8080,8291 protocol=tcp
# Intended default-deny for traffic from the uplink to the router.
add action=jump chain=input comment="Drop external traffic inboud to the router" in-interface=eth1-gateway jump-target=drop
add chain=input in-interface=bridge-local
# Accept forwarded traffic that was dst-nat'ed, and anything from the LAN.
add chain=forward connection-nat-state=dstnat
add chain=forward in-interface=bridge-local
# Intended catch-all deny for both chains.
add action=jump chain=input jump-target=drop
add action=jump chain=forward jump-target=drop
# This is the only rule in chain "drop" and it is disabled. A jump into a
# chain with no matching rule returns to the caller, so after the jumps above
# the packet reaches the end of input/forward and is accepted by default.
# NOTE(review): as exported, the only unconditional drop still in force is the
# TCP port drop on input; invalid packets and other new connections from the
# uplink are not discarded. A plain enabled "action=drop chain=drop" rule
# (with logging kept on a separate, optional rule) is presumably what the
# referenced guide intended - confirm against it.
add action=drop chain=drop comment="Enable when you need to see log of dropped traffic" disabled=yes log=yes log-prefix=drop-log
/ip firewall mangle
# Policy routing: packets whose source is in list VPN (the Desktop) get
# routing mark VPN. The rule has no destination restriction, so it also
# matches that host's traffic to LAN addresses and to the router.
add action=mark-routing chain=prerouting comment="PIA Pre-Routing" new-routing-mark=VPN src-address-list=VPN
/ip firewall nat
# Source NAT for traffic leaving through the tunnel and through the uplink.
add action=masquerade chain=srcnat comment="PIA Masquerade" out-interface=PIA-Home
add action=masquerade chain=srcnat comment="Default SRCNAT for outbound on ETH1" out-interface=eth1-gateway
# Port forwards from the uplink to the Desktop (192.168.88.254).
# NOTE(review): these publish the torrent client, its web UI (59853) and the
# Emby ports to anyone who can reach the uplink address; no src-address
# restriction is present, so access control rests entirely on the
# applications. Replies to these connections come from the VPN-listed host,
# so they are also subject to the routing mark above - confirm they return
# via the interface they arrived on.
add action=dst-nat chain=dstnat comment="Torrent TCP & UDP" dst-port=50585 in-interface=eth1-gateway protocol=tcp to-addresses=192.168.88.254 to-ports=50585
add action=dst-nat chain=dstnat dst-port=50585 in-interface=eth1-gateway protocol=udp to-addresses=192.168.88.254 to-ports=50585
add action=dst-nat chain=dstnat comment="Torrent WebUI Port Forward" dst-port=59853 in-interface=eth1-gateway protocol=tcp to-addresses=192.168.88.254 to-ports=59853
add action=dst-nat chain=dstnat comment="Emby Port HTTP & HTTPS" dst-port=8096 in-interface=eth1-gateway log=yes protocol=tcp to-addresses=192.168.88.254 to-ports=8096
add action=dst-nat chain=dstnat dst-port=8920 in-interface=eth1-gateway protocol=tcp to-addresses=192.168.88.254 to-ports=8920
/ip route
# Default route for routing mark VPN via the tunnel, health-checked by ping.
# NOTE(review): when the tunnel is down or the check fails, this route goes
# inactive and marked traffic presumably falls back to the main table, i.e.
# out eth1-gateway without the VPN. If that must not happen, a
# higher-distance blackhole/unreachable route with the same routing mark is
# the usual safeguard - confirm the behaviour on this RouterOS version.
add check-gateway=ping distance=1 gateway=PIA-Home routing-mark=VPN
# Management services: telnet, www, api and api-ssl are disabled; ftp, ssh
# and winbox stay enabled but only accept clients from 192.168.88.0/24.
# NOTE(review): FTP carries credentials in cleartext; if it is only there for
# fetching backups, disabling it and using SSH/SFTP is the tighter choice.
# NOTE(review): the export header reports RouterOS 6.34.4; confirm the
# installed version is still receiving security fixes.
/ip service
set telnet disabled=yes
set ftp address=192.168.88.0/24
set www disabled=yes
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip upnp interfaces
# UPnP interface roles are defined. No "/ip upnp set enabled=yes" appears in
# this export, so UPnP itself is presumably off.
# NOTE(review): if it is enabled, any LAN host can request inbound port
# mappings on eth1-gateway without going through the dst-nat rules above.
add interface=bridge-local type=internal
add interface=eth1-gateway type=external
/lcd
set enabled=no
/lcd interface pages
set 0 interfaces=sfp1,eth1-gateway,eth2-master,eth3-slave,eth4-slave,eth5-slave,eth6-master,eth7-slave,eth8-slave,eth9-slave,eth10-slave
/system clock
set time-zone-name=America/Detroit
/system scheduler
# Daily job that overwrites one backup file stored on the router itself.
# NOTE(review): the backup holds the full configuration including secrets and
# sits on the same device it protects; copying it off-box over an encrypted
# channel and protecting it with a password is worth considering.
add comment="Automated daily backup" interval=1d name="daily backup" on-event="system backup save name=current-working.backup" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=00:00:00
/tool bandwidth-server
# Bandwidth test server is turned off.
set enabled=no
/tool mac-server
# MAC-Telnet: the default (all-interfaces) entry is disabled and the service
# is re-enabled per interface. eth1-gateway is not in the list, so it is not
# offered on the uplink; wlan1 is, so it is offered to wireless clients.
set [ find default=yes ] disabled=yes
add interface=eth2-master
add interface=eth3-slave
add interface=eth4-slave
add interface=eth5-slave
add interface=eth6-master
add interface=eth7-slave
add interface=eth8-slave
add interface=eth9-slave
add interface=eth10-slave
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
# MAC-Winbox: same pattern and same interface list as MAC-Telnet above.
# NOTE(review): these are layer-2 management paths, so the "/ip service"
# address restrictions and the IP input-chain rules presumably do not apply
# to them; keep the list to the interfaces that really need it.
set [ find default=yes ] disabled=yes
add interface=eth2-master
add interface=eth3-slave
add interface=eth4-slave
add interface=eth5-slave
add interface=eth6-master
add interface=eth7-slave
add interface=eth8-slave
add interface=eth9-slave
add interface=eth10-slave
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool romon port
# A RoMON port entry with default parameters; whether RoMON itself is enabled
# is not shown in this export.
add
/tool sniffer
set filter-interface=all