Step by step IKEv2 for Android and Windows 10

I am posting this topic hoping to help other people set up a simple VPN server accepting connections from Windows 10 clients and Android. I run this on hAP ac, RouterBOARD 962UiGS-5HacT2HnT. Between Romania and Greece, speedtest dot net running on Windows reported about 25,5Mbps with aes-256 and almost 30Mbps lowering to aes-128, limited by the CPU capacity. Using SSTP I got only 2Mbps and much higher latency.
For Windows 10 I didn’t find a solution without certificates; the authentication methods presented by MikroTik didn’t work (at least for me). So we need first to generate some certificates. You can skip this chapter if you don’t need Windows connections.

First we need a connection DNS name, so if you don’t have a static IP and DNS for it, open Winbox, connect to your router, go to IP / Cloud and check the box DDNS Enabled. Make sure your router is connected to the internet with working DNS and the field DNS Name will populate with a unique DNS name. I will refer to this name as 1a2a3a4a5a6a.sn.mynetname.net
I used openssl on Ubuntu to create certificates. You can use your own method, but keep in mind that certificates MUST have Enhanced Key Usage present and your server’s address must be in Subject Alternative Name. So open a terminal…
mkdir myCA
cd myCA
vi example.org.cnf
press “i” to enable insert mode and paste the next code
##############
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = usr_cert

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GR
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Attica
localityName = Locality Name (eg, city)
localityName_default = Athens
organizationName = Organization Name (eg, company)
organizationName_default = My house SA
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = HOME_byOvi

[ req_ext ]
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = 1a2a3a4a5a6a.sn.mynetname.net

[ usr_cert ]
basicConstraints=CA:FALSE
nsCertType = client, server, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
###############
press escape, then “:wq” and enter
Now generate the certificates and make a note of the passwords you type:
openssl genrsa -out ca.key 4096
openssl req -new -x509 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr -config example.org.cnf
openssl x509 -req -days 6900 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -extensions req_ext -extfile example.org.cnf -out server.crt
Now edit example.org.cnf again and change the [alt_names] section as necessary for the client:
openssl genrsa -des3 -out jane.key 4096
openssl req -new -key jane.key -out jane.csr -config example.org.cnf
openssl x509 -req -days 6900 -sha256 -in jane.csr -CA ca.crt -CAkey ca.key -set_serial 2 -extensions req_ext -extfile example.org.cnf -out jane.crt
openssl pkcs12 -export -out jane.pfx -inkey jane.key -in jane.crt -certfile ca.crt
If you run Winbox from Windows, copy the certificates there (for example using WinSCP): ca.crt, server.crt, server.key, jane.crt, jane.pfx
Open Winbox, Files, Upload and upload all previous files except jane.pfx
System / Certificates / Import
Import server.crt before server.key. If successful, it will show KT (private Key and Trusted) in front of the server certificate and T for the other certificates.
Now you can use Winbox to continue, or find below the commands to edit and paste in the terminal.

  1. Authentication is time sensitive so make sure we have a synchronized time
    System / SNTP Client
    Add Primary Server: 1.pool.ntp.org
    Add Secondary Server: 2.pool.ntp.org
  2. Create a pool or use existing. When my router was behind another router with NAT, I had to use same net as LAN
    IP / Pool, add
    Name: pool-IPsec
    Addresses: 192.168.43.101-192.168.43.199
  3. Split Include is the network the client is told to send over the tunnel. It can take more networks, comma separated, but people say some clients won’t accept that. For all zeroes, all traffic goes through the tunnel.
    IPsec / Mode Configs, create
    Name: cfg-IKEv2
    Responder: checked
    Address Pool = assigned from IP / Pools
    Address: not set
    Address prefix length: 24 or 32
    Split Include: LAN address; use a comma for more nets, or 0.0.0.0/0 to have the client route all traffic through the VPN. Some clients don’t accept multiple nets.
    Static DNS = use your server’s DNS, Google’s public DNS, or just check System DNS
  4. IPsec Proposal, create
    Name: proposal-IKEv2
    Auth. Algorithms: sha1, sha256
    Encr. Algorithms: (aes-128+192+256)(cbc+ctr+gcm)
    Lifetime: 8h
    PFS Group: none (iPhone especially)
  5. IPsec / Groups, create
    Name: group-IKEv2
  6. IPsec / Policies, edit default or create
    Src 0.0.0.0/0 , Dst pool_net or 0.0.0.0/0
    Group group-IKEv2
    Action encrypt, esp, SA src and Dst zeroes
    Proposal: proposal-IKEv2 (step4)
  7. IPsec Profile, create
    Name: profile-IKEv2
    Hash: sha256
    Encryption Algorithm: aes-128,192,256
    DH Group: modp 1024, 1536, 2048
    Proposal Check: obey (for maximum compatibility)
    NAT Traversal
    120
    5
  8. Peers, create
    Name: peer-IKEv2
    Address = 0.0.0.0/0
    Port: empty for default 500
    Local Address = where to listen, external IP, or empty for all
    Profile: profile-IKEv2 (step7)
    Exchange mode IKE2
    Passive: checked (means listen)
    Send INITIAL_CONTACT: checked
  9. Identities, create
    Peer: peer-IKEv2
    Auth. Method: pre shared key
    Secret: agoodpass
    Policy Template Group: group-IKEv2 (step5)
    My ID Type: auto
    Remote ID Type: key id
    Remote ID: a string, must specify same on client
    Match By: remote id
    Mode Config: cfg-IKEv2 (step3)
    Generate Policy: port override

    Peer: peer-IKEv2
    Auth. Method: rsa signature
    Certificate: server.crt_0
    Remote Certificate: jane.crt_0
    Policy Template Group: group-IKEv2 (step5)
    My ID Type: auto
    Remote ID Type: ignore
    Match By: certificate
    Mode Config: cfg-IKEv2 (step3)
    Generate Policy: port override
  10. IP / Firewall / Filter Rules, add
    Chain: input
    Protocol: 17(udp)
    Dst. Port: 500,4500
    You need these two lines at the top of your filter rules.
    Specifically, they need to be before/above the fasttrack connection rule:
    Chain: forward
    Advanced IPsec Policy: in:ipsec
    Action: accept
    Chain: forward
    Advanced IPsec Policy: out:ipsec
    Action: accept
  11. IP / Firewall / NAT, add (only if you don’t use same pool as LAN)
    Chain: srcnat
    Src. Address: your LAN
    Dst. Address: 192.168.43.0/24 (vpn pool)

Now you can test Android first: go to Settings, More Networks, VPN and create a new one.
Give it a name, select “IPSec IKEv2 PSK”, type your MikroTik address: 1a2a3a4a5a6a.sn.mynetname.net, IPSec identifier: your choice at step 9, and of course agoodpass

For troubleshooting you may enable some logging:
/system logging add topics=ipsec,!packet
/log print follow-only file=ipsec-start where topics~"ipsec"

Windows client:
Settings / Network & Internet / VPN / Add a VPN connection
Provider: Windows (built-in)
Connection name: your choice
Server name: 1a2a3a4a5a6a.sn.mynetname.net (don’t use IP here, it won’t work! Use dns address)
VPN type: IKEv2
Type of sign-in info: Certificate
Remember: checked

Now go to Change adapter options, right click your freshly created connection, Properties
Networking, deselect TCP/IPv6
ONLY if you need all traffic through vpn: double click v4, advanced, tick Use default gateway
Security: Use machine certificates

Right click Windows Start, Run, type mmc
File / Add-Remove snap-in / Certificates / Add / Computer account / Local computer / Finish, OK
Dig down to Certificates / Personal / Certificates, right click, All Tasks / Import
Select jane.pfx to import it. The certificate authority will be imported along with it and, if you wish, you can move it to Trusted Root Certification Authorities

And now you can test your connection.

/system ntp client
set primary-ntp=[:resolve 1.pool.ntp.org] secondary-ntp=[:resolve 2.pool.ntp.org] enabled=yes
/ip pool add name=pool-IKEv2 ranges=192.168.43.101-192.168.43.199
/ip ipsec mode-config
add name=cfg-IKEv2 responder=yes address-pool=pool-IKEv2 address-prefix-length=32 split-include=0.0.0.0/0 system-dns=no static-dns=8.8.8.8,8.8.4.4
/ip ipsec proposal
add name=proposal-IKEv2 auth-algorithms=sha1,sha256 lifetime=8h pfs-group=none enc-algorithms=aes-128-cbc,aes-192-cbc,aes-256-cbc,aes-128-ctr,aes-192-ctr,aes-256-ctr,aes-128-gcm,aes-192-gcm,aes-256-gcm
/ip ipsec policy group add name=group-IKEv2
/ip ipsec policy set 0 dst-address=0.0.0.0/0 group=group-IKEv2 proposal=proposal-IKEv2 src-address=0.0.0.0/0
/ip ipsec profile add name=profile-IKEv2 dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 nat-traversal=yes
/ip ipsec peer add name=peer-IKEv2 local-address=0.0.0.0 profile=profile-IKEv2 passive=yes exchange-mode=ike2
/ip ipsec identity
add generate-policy=port-override mode-config=cfg-IKEv2 peer=peer-IKEv2 policy-template-group=group-IKEv2 remote-id=key-id:tablet secret=agoodpass
add auth-method=rsa-signature certificate=server.crt_0 generate-policy=port-override match-by=certificate mode-config=cfg-IKEv2 peer=peer-IKEv2 policy-template-group=group-IKEv2 remote-certificate=jane.crt_0 remote-id=ignore
/ip firewall filter
add action=accept chain=input comment=IKE dst-port=500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="private VPN" dst-port=4500 in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment=IPsec in-interface=ether1-gateway protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec place-before=0
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec place-before=0
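The post stresses two requirements for the Windows client to accept the server certificate: an Extended Key Usage extension must be present and the router's DNS name must appear in the Subject Alternative Name. The script below is an added example, not part of the original post: it builds a CA and server certificate non-interactively (2048-bit keys for speed, where the post uses 4096, and a shortened config with the same req_ext section) and then checks the issued certificate for exactly those two properties plus a valid chain to the CA. The DDNS name is the post's placeholder.

```shell
#!/bin/sh
# Added example: unattended CA + IKEv2 server certificate, then verify that the
# certificate chains to the CA, carries an Extended Key Usage extension and lists
# the router's DNS name in its Subject Alternative Name.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
SERVER_DNS="1a2a3a4a5a6a.sn.mynetname.net"   # placeholder DDNS name from the post

cat > ike.cnf <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = HOME_byOvi
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$SERVER_DNS
EOF

# Self-signed CA; -nodes leaves the keys unencrypted because the run is unattended.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 3650 \
  -subj "/CN=HOME-CA" -config ike.cnf -extensions ca_ext 2>/dev/null
# Server CSR, then CA-signed certificate with the req_ext extensions attached (as the post does).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -config ike.cnf 2>/dev/null
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.crt -CAkey ca.key \
  -set_serial 1 -extensions req_ext -extfile ike.cnf -out server.crt 2>/dev/null

# check_cert CERT DNSNAME: returns 0 only if CERT verifies against ca.crt, has an
# Extended Key Usage extension and names DNSNAME in its Subject Alternative Name.
check_cert() {
  cert=$1; name=$2
  openssl verify -CAfile ca.crt "$cert" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage' || return 1
  printf '%s\n' "$text" | grep -q "DNS:$name" || return 1
}

if check_cert server.crt "$SERVER_DNS"; then echo "server.crt OK for $SERVER_DNS"
else echo "server.crt is missing EKU or SAN $SERVER_DNS"; fi
```

Run the same check_cert against a certificate that fails to connect: a missing EKU or a SAN that does not match the Server name typed into the Windows VPN dialog is the usual cause.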

Awesome! Thank you.

I was able to skip all of the certificates


I didn’t use this part, or make any certificates; it works fine with PSK:

/ip ipsec identity
add auth-method=rsa-signature certificate=server.crt_0 generate-policy=port-override match-by=certificate mode-config=cfg-IKEv2 peer=peer-IKEv2 policy-template-group=group-IKEv2 remote-certificate=jane.crt_0 remote-id=ignore

/ip ipsec mode-config
add address-pool=dhcp_pool1 name=IKEv2
/ip ipsec policy group
add name=group-IKEv2
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=profile-IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=peer-IKEv2 passive=yes profile=profile-IKEv2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm" lifetime=8h name=proposal-IKEv2 pfs-group=none
/ip ipsec identity
add generate-policy=port-override mode-config=IKEv2 peer=peer-IKEv2 policy-template-group=group-IKEv2 remote-id=key-id:1111 secret=GOOD-PASSWORD-HERE
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 group=group-IKEv2 proposal=proposal-IKEv2 src-address=0.0.0.0/0


On the client use 1111 as the IPsec identifier; it works on Android and Windows with just the above config.

Thanks a lot.
I succeeded on Android, but I can’t add a PSK and IPsec identifier to the Windows IKEv2 connection.
Can somebody help me create the appropriate connection?

Best

Yeah, I actually have the same issue with Windows not working.