Road warrior's VPN?

Here’s the problem: I need to VPN into my LAN from a Windows laptop while traveling.
The laptop’s IP is unpredictable - airport, hotel, etc.; the ‘home LAN’ is on MT, behind dynamic DNS (dnsmadeeasy.com).

I searched for the recipe, but most examples are dedicated to permanent VPN setups between two routers.

How do I set up a VPN server on MT for that?

Guys, please help - I need to set it up before I leave!

You haven’t even posted what kind of VPN you want to use.

I mentioned a Windows laptop.
I don’t have many choices there :slight_smile:

Sure you do. IPsec/L2TP and PPTP are built in, and there are clients for pure IPsec and OpenVPN.

Below is a wiki guide for IPsec/L2TP:
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS_and_Windows_XP_IPSec/L2TP

I saw this, my problem is with local-address=1.1.1.1 remote-address=1.1.1.2

The remote address isn’t known, but the guide says I can use 0.0.0.0.

But what should I do about the local address - it’s a dynamic IP. I have dynDNS, but I don’t see how I can apply it here.

Local and remote addresses are for the VPN connection. So you can set some unused address from the LAN subnet as remote (the client will get this address) and anything as local (the client will use it as gateway). Then enable proxy-arp on the LAN interface and a computer connected using VPN will appear as part of the LAN. Also in the IPSec settings, instead of 0.0.0.0 you must use 0.0.0.0/0.

Good, now the dots are connecting… slowly but surely.

Thanks a lot!

The “Adjusting IPSec settings” part is written for Windows XP. On Windows 7 the security settings are arranged in a different way, and some options are not there. I followed the instructions as much as I could, but it doesn’t connect.

Has anyone made it work with Win7?

I skipped “Adjusting IPSec settings” completely and it worked on both XP and Win7. Well, not always; a few times it didn’t want to connect for an unknown reason, and I wasn’t able to make it work through NAT at all.
If it doesn’t work for you, there are other options. You may try PPTP. Just enable it in RoS, change “service” in the secret if you don’t have “any”, and change the VPN type on Windows if you don’t have automatic selection.
Or there is also OpenVPN (http://wiki.mikrotik.com/wiki/OpenVPN). For that you’d need an SSL certificate and additional client software for Windows.

That doesn’t sound good. I never had such problems when I had to VPN from a Windows PC to the office at my last workplaces. Not sure what they used server-side, but it was always zero-config on my (client) side. Why isn’t it possible with Mikrotik?

Then I’ll try from another direction: what is the most reliable way to VPN from a NAT-ed Windows 7 laptop to a NAT-ed MT? I don’t mind installing client software or certificates as long as it works reliably.

My favorite is OpenVPN. It needs exactly one open port on the server and nothing else. As long as the NATs allow access to this one port, it has no problems with them. In the worst case, it can even work through an HTTP proxy.

I can connect with PPTP from within the LAN, but from outside it displays “Device connected” momentarily and then fails with “Cannot connect” right after.
I suppose I have to change the firewall settings, but I’m not sure what ARP proxy does here. I have ether1 as WAN and ether2 as LAN. Most of my rules for local traffic have an in-interface=ether2 clause, and apparently PPTP comes in via the WAN (ether1) interface. On the other hand it’s supposed to mimic a local connection, isn’t it?
What should I change in the firewall - remove the in-interface conditions altogether, or is it something else I need to check?

Proxy ARP: Let’s say you have the internal network 192.168.10.0/24. On your LAN interface you have 192.168.10.1 and the other local computers use it as gateway. You want your VPN client to appear as part of the 192.168.10.0/24 network, so you set its remote address to 192.168.10.200.
From the client side it’s easy, because the connection with the server is point to point (netmask /32), and when the client wants to access other computers in the 192.168.10.0/24 network, it does that using normal routing via the gateway, which is what you set as the local IP on the VPN server.
The other way is different. If a computer in the internal network wants to access some other computer in the same subnet, it assumes that it’s directly reachable using ARP. But the VPN client is not, because it’s behind the router. If you enable proxy-arp on the router’s LAN interface, it’ll reply on behalf of the client and then forward the traffic to it, and the other computer won’t see the difference.

The VPN connection comes in via the WAN interface. For PPTP it’s TCP port 1723 and the GRE protocol; they go to the external IP of the router and it must accept them. That’s the input chain of the WAN interface.
Once the connection is established, data between the client and the internal network travels between the LAN and PPTP-client interfaces, so you need to set up your firewall to allow that.

Thanks! I hate to ask silly questions, but it happens a lot lately :slight_smile:
You mean I’m supposed to see something named “PPTP-client” in the interface list? Or do you mean the WAN interface is the “PPTP-client interface”?

You’ll see a new interface. You can create it yourself for a specific user by adding a new “PPTP Server” in the Interfaces window and name it anything you want (and fill in the User field). Or you can let RoS create it dynamically, and in that case it will be named “”. For setting up persistent firewall rules I believe the first one is what you need.

Still struggling to make it work from outside…
Here’s the trace - any ideas?

14:28:36 pptp,info TCP connection established from 22.111.333.44 
14:28:36 pptp,ppp,info <pptp-0>: waiting for call... 
14:28:36 pptp,debug,packet sent Set-Link-Info to 22.111.333.44 
14:28:36 pptp,debug,packet     peers-call-id=26080 
14:28:36 pptp,debug,packet     send-accm=0xffffffff 
14:28:36 pptp,debug,packet     receive-accm=0xffffffff 
14:28:37 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:37 pptp,ppp,debug,packet  <22.111.333.44>: sent LCP ConfReq id=0x1 
14:28:37 pptp,ppp,debug,packet    <mru 1460> 
14:28:37 pptp,ppp,debug,packet    <magic 0x623a72f5> 
14:28:37 pptp,ppp,debug,packet    <auth  mschap2> 
14:28:38 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:38 pptp,ppp,debug,packet  <22.111.333.44>: sent LCP ConfReq id=0x2 
14:28:38 pptp,ppp,debug,packet    <mru 1460> 
14:28:38 pptp,ppp,debug,packet    <magic 0x623a72f5> 
14:28:38 pptp,ppp,debug,packet    <auth  mschap2> 
14:28:39 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:39 pptp,ppp,debug,packet  <22.111.333.44>: sent LCP ConfReq id=0x3 
14:28:39 pptp,ppp,debug,packet    <mru 1460> 
14:28:39 pptp,ppp,debug,packet    <magic 0x623a72f5> 
14:28:39 pptp,ppp,debug,packet    <auth  mschap2> 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP timer 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP timeout sending ConfReq 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP lowerdown 
14:28:42 pptp,ppp,info <pptp-0>: terminating... 
14:28:42 pptp,ppp,info <pptp-0>: terminating... 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP lowerdown 
14:28:42 pptp,ppp,debug <22.111.333.44>: LCP down event in starting state 
14:28:42 pptp,ppp,info <pptp-0>: disconnected 
14:28:42 pptp,ppp,info <pptp-0>: disconnected

I got exactly the same messages when I blocked GRE.

Try to add the following rule at the beginning of filter rules list:

/ip firewall filter add action=accept chain=input disabled=no protocol=gre

I’ll try, thanks.

I have “drop invalid connections” at the very beginning - can it be the reason? Should I move all “drop” rules to the end of the input and forward chains?

I think GRE for PPTP could be a “related” connection, but I didn’t test it. Anyway, try adding the rule allowing incoming GRE as the first one just for now. Test the connection and it should work. You can fine-tune it later.

But it’s also possible that GRE is blocked on the other end. It can happen if the client is behind some really stupid NAT.
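Putting together the proxy-ARP and firewall explanation above and the later replies about the GRE rule, here is a complete RouterOS configuration for the road-warrior PPTP setup the thread ends up with. This is an added example, not configuration posted by anyone in the thread. It follows the thread's naming where it exists (ether1 = WAN, ether2 = LAN, LAN subnet 192.168.10.0/24, client address 192.168.10.200); the profile name "roadwarrior", the user "laptop", the static interface name "pptp-laptop", the rule comments and the password are assumptions you would replace.

```routeros
# Added example (not from the thread): road-warrior PPTP server on RouterOS.
# Assumed names: ether1 = WAN, ether2 = LAN, LAN subnet 192.168.10.0/24.
# "roadwarrior", "laptop", "pptp-laptop" and the password are placeholders.

# 1. PPP profile: local-address is the gateway the client will use,
#    remote-address is the (otherwise unused) LAN address handed to the client.
/ppp profile add name=roadwarrior local-address=192.168.10.1 \
    remote-address=192.168.10.200 use-encryption=required

# 2. The user. service=pptp limits this secret to PPTP instead of "any".
/ppp secret add name=laptop password=CHANGE-ME service=pptp profile=roadwarrior

# 3. Enable the PPTP server and bind a static interface to the user, so
#    firewall rules can reference a fixed name rather than a dynamic one.
/interface pptp-server server set enabled=yes authentication=mschap2 \
    default-profile=roadwarrior
/interface pptp-server add name=pptp-laptop user=laptop

# 4. Proxy ARP on the LAN interface: the router answers ARP for
#    192.168.10.200 on behalf of the client and forwards the traffic to it.
/interface ethernet set ether2 arp=proxy-arp

# 5. Input chain: the control channel (TCP/1723) and the data channel
#    (GRE, IP protocol 47) arrive on the WAN interface addressed to the
#    router itself. Move both above any "drop invalid" / default-drop rules,
#    as the last replies suggest; a missing GRE accept shows up in the log
#    as "LCP timeout sending ConfReq".
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=1723 action=accept comment="pptp-control"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    action=accept comment="pptp-gre"
/ip firewall filter move [find comment="pptp-gre"] destination=0
/ip firewall filter move [find comment="pptp-control"] destination=0

# 6. Forward chain: once the tunnel is up, traffic flows between the PPTP
#    interface and the LAN, so rules keyed on in-interface=ether2 alone
#    will not match the client-to-LAN direction.
/ip firewall filter add chain=forward in-interface=pptp-laptop \
    out-interface=ether2 action=accept comment="vpn-to-lan"
/ip firewall filter add chain=forward in-interface=ether2 \
    out-interface=pptp-laptop action=accept comment="lan-to-vpn"

# 7. Log the PPTP negotiation to memory while testing (this is where the
#    trace quoted in the thread comes from).
/system logging add topics=pptp,debug action=memory
```

After the client connects, `/ppp active print` should list the user and `/interface pptp-server print` should show `pptp-laptop` as running. If the log still stops at "LCP timeout sending ConfReq" after the input rules are at the top of the chain, GRE is not reaching the router at all, which points at the NAT on the client side rather than at this configuration.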