Replace OpenVPN Server/Client

Hi guys. I’m a newbie to Mikrotik.

Today’s config is one OpenVPN server running on a Linux router (Debian based, with iptables). The VPN is configured using UDP because we have VoIP over those links.
Clients are OpenWRT routers with OpenVPN client configurations, and all are working.

I need to know how I can replace this configuration.

Things I know before reading the forum and wiki:
  • OpenVPN is not supported and never will be supported. See topics from 2012 talking about this feature; they have grown until now without any news about this.
  • L2TP seems to be the protocol to use. It has UDP transport, is for point-to-multipoint configurations, is secure and is for connecting clients to a central server.
  • L2TP works only on port UDP 500. This is sad news. In OpenVPN I don’t use standard ports to connect. Some ISPs will slow down traffic on these common ports.

My main problem is how I can use a standard Mikrotik VPN with some Linux router clients (some are OpenWRT, others Linux boxes) without this change killing me.

Best regards.

gamba47

Use SSTP then…

  • You can set up a different port if you want
  • NAT friendly
  • Less likely to be throttled down by ISPs

Hi pukkita!

I will read about SSTP. I hope I can use this to replace OpenVPN.

Best regards.

gamba47

Well, this doesn’t work.

I have a Mikrotik and a Linux box on the other side (server).
SSTP is a Windows tool and works on Linux using SoftEther, but the documentation is not enough for me to make it work yet. I was trying but I can’t understand how it works.

I can’t believe Mikrotik doesn’t have an OpenVPN implementation using UDP!! This is the best way to communicate between two sites using VoIP and get acceptable results.

Metarouter is not working, OpenVPN doesn’t work. Looks like Mikrotik avoids using open-source things :frowning:

I will post results when i have something done.

Best regards.
gamba47

No need for SoftEther, SSTP Client is all you need.

What distribution are you using?

This provides a plugin for stock pppd and an SSTP client tool (sstpc).

A typical area where you may find issues while setting up is the server certificate; watch the pppd client logs on the Linux server.

OK, I will give it a try!

Debian or Ubuntu. They don’t have X; I only use ssh to connect. Those servers are behind a NAT and connect to some servers using routers over VPN.


Well, I will see. Thanks again!

OK. I have used OpenVPN since 2007 and have at least 10 servers and 50 clients working today. This is new for me. Sorry!

SSTP works over TCP! Like all other VPN protocols that work over TCP it is garbage under load and when requiring realtime (VoIP).

Download the sstp-client-1.0.11.tar.gz package and look at the README inside, there’s no need for X. You can create .deb packages rather easily, look inside the sources.

pe1chl, SSTP may not be the optimal solution, but given the limitations gamba47 is facing, which SSTP dodges, there’s nothing to lose in trying.

Sometimes things cannot be totally white or totally black…

I didn’t see this! Thanks for the info.

I will do this to learn about SSTP; I like having these skills.


VoIP over TCP never works well. I was reading again and it’s true: SSTP only uses TCP.

https://wiki.mikrotik.com/wiki/VPN_Overview

L2TP and PPTP have UDP available. I will see L2TP.

+1


Looks like Mikrotik will never have OpenVPN working; I found a lot of forum threads about this :confused:


Best regards.
gamba47

BTW, that overview has a couple of errors. It is correct in that it states that SSTP works over TCP (it uses TLS on port 443 by default), but it is incorrect that EoIP and IP Tunnel use TCP. They don’t. EoIP uses GRE and IPIP Tunnel runs directly on IP. PPTP is listed as using GRE,TCP; it should be noted that the actual traffic is over GRE and the TCP connection is only used for connection management (authentication), so it does not have the problems associated with sending realtime data over a TCP tunnel.
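The distinction pe1chl draws (GRE and IPIP are identified by IP protocol number and carry no port, while SSTP, L2TP and the PPTP control channel sit on a TCP or UDP port) is the thing a firewall or flow-log rule has to get right. The following is an added example, not code from this thread or from MikroTik: a small classifier run over constructed flow records. The `proto=… dport=…` layout is an assumption made for the example, not a real conntrack or NetFlow format; the port table uses the protocols’ default ports (SSTP on TCP/443, L2TP on UDP/1701, IKE on UDP/500, IPsec NAT-T on UDP/4500, PPTP control on TCP/1723), and the IP protocol numbers are the IANA assignments (4 IPIP, 47 GRE, 50 ESP).

```python
"""Classify tunnel flows by IP protocol number versus L4 port.

Added example for this thread (not from the forum or from MikroTik).
Flow records are constructed for the example; the key=value layout is
an assumption, not a real conntrack or NetFlow format.
"""
import re
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers, for records that carry a number instead of a name.
PROTO_NAMES = {4: "ipip", 6: "tcp", 17: "udp", 47: "gre", 50: "esp"}

# Port-less tunnels: the IP protocol field alone identifies them.
PROTO_RULES = {
    "gre": ("GRE (PPTP data / EoIP)", "data"),
    "ipip": ("IPIP", "data"),
    "esp": ("IPsec ESP", "data"),
}

# Port-based tunnel endpoints at their default ports.  PPTP's control
# channel is TCP/1723; its payload rides on GRE (handled above).
PORT_RULES = {
    ("tcp", 443): ("SSTP", "data"),
    ("udp", 1701): ("L2TP", "data"),
    ("udp", 500): ("IPsec IKE", "control"),
    ("udp", 4500): ("IPsec NAT-T", "data"),
    ("tcp", 1723): ("PPTP", "control"),
}


@dataclass(frozen=True)
class Flow:
    tunnel: str
    role: str         # "control" or "data"
    transport: str    # "tcp", "udp", or the IP protocol name
    port_based: bool  # True if a port-number rule could single it out


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Turn 'proto=udp dport=500 ...' into a dict of string fields."""
    return dict(FIELD_RE.findall(line))


def normalize_proto(value: str) -> str:
    """Accept 'gre' or '47' and return the lowercase protocol name."""
    value = value.lower()
    return PROTO_NAMES.get(int(value), value) if value.isdigit() else value


def classify(line: str) -> Optional[Flow]:
    """Map one flow record to a tunnel classification, or None if unknown."""
    fields = parse_record(line)
    proto = normalize_proto(fields.get("proto", ""))
    if proto in PROTO_RULES:               # no port to look at
        tunnel, role = PROTO_RULES[proto]
        return Flow(tunnel, role, proto, port_based=False)
    dport = fields.get("dport", "")
    key = (proto, int(dport)) if dport.isdigit() else None
    if key in PORT_RULES:                  # identified by transport + port
        tunnel, role = PORT_RULES[key]
        return Flow(tunnel, role, proto, port_based=True)
    return None


def tcp_data_paths(lines) -> set:
    """Tunnels seen whose *data* path rides on TCP (the VoIP-hostile case)."""
    return {f.tunnel for f in map(classify, lines)
            if f is not None and f.role == "data" and f.transport == "tcp"}


def portless_tunnels(lines) -> set:
    """Tunnels seen that a port-based throttling rule cannot match at all."""
    return {f.tunnel for f in map(classify, lines)
            if f is not None and not f.port_based}


# Constructed sample: one flow per tunnel type discussed in the thread,
# plus one unrelated DNS flow that should not be classified.
SAMPLE_FLOWS = [
    "proto=udp src=203.0.113.5 sport=40000 dst=198.51.100.1 dport=500",
    "proto=udp src=203.0.113.5 sport=40000 dst=198.51.100.1 dport=4500",
    "proto=esp src=203.0.113.5 dst=198.51.100.1",
    "proto=tcp src=203.0.113.6 sport=51000 dst=198.51.100.1 dport=1723",
    "proto=47 src=203.0.113.6 dst=198.51.100.1",
    "proto=tcp src=203.0.113.7 sport=52000 dst=198.51.100.1 dport=443",
    "proto=ipip src=203.0.113.8 dst=198.51.100.1",
    "proto=udp src=203.0.113.9 sport=53000 dst=198.51.100.1 dport=53",
]

if __name__ == "__main__":
    for record in SAMPLE_FLOWS:
        print(classify(record))
    print("TCP data paths:", tcp_data_paths(SAMPLE_FLOWS))
    print("port-less tunnels:", portless_tunnels(SAMPLE_FLOWS))
```

Two caveats a practitioner should keep in mind: port matching is only a heuristic (TCP/443 is also ordinary HTTPS, so `SSTP` here really means "something on the SSTP default port"), and on the firewall side the port-less tunnels need rules on the IP protocol number (e.g. an iptables `-p gre` match) rather than a `--dport`, which is exactly why a port-based ISP policy has nothing to match on.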

Thanks for sharing this.

But PPtP is not secure.


Best regards!
gamba47

  • L2TP works only on port UDP 500. This is sad news. In OpenVPN I don’t use standard ports to connect. Some ISPs will slow down traffic on these common ports.

The same goes for GRE.

It would be nice to have a customizable L2TP port for ROS… of course then only ROS devices could be used on both sides.

GRE does not use a port!
I think your ISP is in a sad state if it is deliberately slowing down traffic to certain port numbers.
I also think that is illegal in the EU. I would complain to your local consumer authority or telecom agency if I were you.
Over here (NL) these regulations are very strictly monitored.

GRE does not use a port!

I know… I meant ISPs are known/likely to throttle it down as well, or even block it. The point of the OP was using a transport that was unlikely to be tinkered with by the ISP…