I’m starting out with the Hex Lite and would like to know if / how I can set up a router to operate behind a firewall and be able to access it via VPN so I can have remote access to the network. I would use Windows VPN client from a remote PC, enter the unique router ID and once connected be able to enter an IP address in IE and log into my remote equipment.
Is this possible or is there another scenario that I should be looking at?
Thanks,
Yeah it’s definitely possible. I access my home network via vpn all the time.
There’s a lot of different tutorials and conflicting info out there, but for a basic vpn config, the wiki is best:
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Basic_L2TP.2FIpSec_setup
Here’s a run down with a few extra tips:
[add ip pool for vpn clients]
/ip pool add name=vpn-pool range=192.168.1.40-192.168.1.49 (I just took out a handful of IPs from the dhcp server ip pool of the main subnet)
[create vpn profile]
/ppp profile
add local-address=vpn-pool name=l2tp-vpn remote-address=vpn-pool (you can also set it up like in the wiki)
[create vpn login]
/ppp secret
add name=vpn password=password profile=l2tp-vpn
[enable l2tp server]
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=mySecret default-profile=l2tp-vpn (it’s configured from the “L2tp server” tab, NOT the “+”)
[be sure to add these firewall rules if using the default config]
/ip firewall filter
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp
- This is for l2tp/ipsec, but if you don’t need security, you can setup pptp instead.
- To be able to access other devices, you need to enable proxy-arp on the LAN interface.
- If you have an IP that changes periodically, you can use the /ip cloud service.
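Two things in the config above are easy to get wrong on a router that still has the default configuration: the VPN pool has to be carved out of the LAN subnet without overlapping the DHCP pool (that is also why proxy-arp is needed), and `add` appends firewall rules to the bottom of the chain, below the default “drop all not coming from LAN” input rule, where VPN packets arriving on the WAN never reach them. The following Python script is an added example, not code from the post or from MikroTik: it parses export-style RouterOS lines and checks both points. The LAN subnet, DHCP pool and the two default-config rules in the sample are assumptions for illustration.

```python
import ipaddress
import shlex

# Constructed sample (not from the post): the VPN pool and firewall lines the
# reply above suggests, plus two default-config input rules they must coexist
# with. LAN subnet and DHCP pool are assumed values for illustration.
LAN_SUBNET = "192.168.1.0/24"
DHCP_POOL = "192.168.1.50-192.168.1.254"
VPN_POOL = "192.168.1.40-192.168.1.49"

FIREWALL_EXPORT = """
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add chain=input protocol=udp port=1701,500,4500
add chain=input protocol=ipsec-esp
"""


def parse_export(text):
    """Turn RouterOS export-style lines into (menu, {attr: value}) tuples.

    Lines starting with '/' select the menu; 'add'/'set' lines carry attributes.
    shlex handles the quoted comment="..." values.
    """
    menu, items = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        attrs = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        attrs["_verb"] = tokens[0]
        items.append((menu, attrs))
    return items


def pool_bounds(pool):
    """'a-b' (or a single address) -> (first, last) as ip_address objects."""
    first, _, last = pool.partition("-")
    return ipaddress.ip_address(first), ipaddress.ip_address(last or first)


def pools_overlap(a, b):
    """True if two 'a-b' ranges share at least one address."""
    a_lo, a_hi = pool_bounds(a)
    b_lo, b_hi = pool_bounds(b)
    return a_lo <= b_hi and b_lo <= a_hi


def pool_within_subnet(pool, subnet):
    """True if the whole range sits inside the LAN subnet (needed for proxy-arp)."""
    net = ipaddress.ip_network(subnet)
    lo, hi = pool_bounds(pool)
    return lo in net and hi in net


def shadowed_input_rules(text, chain="input"):
    """Indexes (within the chain) of accept rules that sit below a drop rule.

    RouterOS evaluates filter rules top to bottom and 'add' appends to the
    end, so accept rules placed after the default 'drop all not coming from
    LAN' rule never see a VPN client's packets arriving on the WAN interface.
    A rule without an explicit action is an accept rule.
    """
    rules = [a for m, a in parse_export(text)
             if m == "/ip firewall filter" and a.get("chain") == chain]
    shadowed, seen_drop = [], False
    for idx, rule in enumerate(rules):
        if seen_drop and rule.get("action", "accept") == "accept":
            shadowed.append(idx)
        if rule.get("action") == "drop":
            seen_drop = True
    return shadowed


if __name__ == "__main__":
    print("vpn pool inside LAN:", pool_within_subnet(VPN_POOL, LAN_SUBNET))
    print("vpn/dhcp overlap:", pools_overlap(VPN_POOL, DHCP_POOL))
    print("shadowed input rules:", shadowed_input_rules(FIREWALL_EXPORT))
```

With the sample above the script reports rules 2 and 3 (the UDP and ipsec-esp accepts) as shadowed; the fix is to move them above the drop rule, for example with `place-before=` on the `add` command or by dragging them up in WinBox, and then confirm with the rule counters that packets are actually hitting them.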
This method routes ALL of the traffic via the VPN? What if you only want to route traffic destined JUST for that remote subnet?
You could just add a more specific route pointing towards the VPN gateway. So don’t use a 0.0.0.0/0 route, but use the intended IP range.
For example:
/ip route
add distance=10 dst-address=10.9.5.0/24 gateway=10.9.5.1
The router knows the gateway because it’s a point-to-point connection, and can route any subnet through that router.
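To make the “more specific route” point concrete, here is an added Python example (not code from the thread or from MikroTik) that applies the same selection rule RouterOS uses: the longest matching prefix wins, and among equal prefixes the lowest distance wins. The routing table is constructed; the ISP next hop is an assumed documentation address, and 10.9.5.1 is the VPN peer from the reply above.

```python
import ipaddress

# Constructed routing table (not from the post). Tuples are
# (dst-address, gateway, distance) as in /ip route.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", 1),   # normal internet path via the ISP (assumed address)
    ("10.9.5.0/24", "10.9.5.1", 10),   # only the remote subnet goes through the VPN peer
]


def select_route(dst, routes=ROUTES):
    """Return the gateway the router would use for dst, or None if no route matches.

    Longest prefix wins; among equal prefixes the lowest distance wins.
    """
    dst_ip = ipaddress.ip_address(dst)
    best_key, best_gw = None, None
    for net_str, gw, distance in routes:
        net = ipaddress.ip_network(net_str)
        if dst_ip not in net:
            continue
        # Higher prefix length is better; for ties, lower distance is better.
        key = (net.prefixlen, -distance)
        if best_key is None or key > best_key:
            best_key, best_gw = key, gw
    return best_gw


def via_vpn(dst, routes=ROUTES, vpn_gw="10.9.5.1"):
    """True if traffic to dst would be sent through the VPN peer."""
    return select_route(dst, routes) == vpn_gw


def split_tunnel_report(destinations, routes=ROUTES):
    """Map each destination to the gateway it would take; handy for eyeballing a config."""
    return {dst: select_route(dst, routes) for dst in destinations}


if __name__ == "__main__":
    for dst, gw in split_tunnel_report(["10.9.5.20", "8.8.8.8", "192.168.1.10"]).items():
        print(f"{dst:>14} -> {gw}")
```

Running it shows 10.9.5.20 leaving via 10.9.5.1 while 8.8.8.8 keeps using the ISP default; if the /24 route is removed, the remote subnet falls back to the default route and leaves the router unencrypted, which is the case to check for when a “split tunnel” suddenly stops reaching the far side.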
What do you mean? This is NOT how to connect to an outside vpn (i.e. your workplace or a commercial vpn like NordVPN).
This is how remote users can vpn INTO your network. All of their traffic is routed through the vpn you’re running.
Traffic within the network doesn’t go through the vpn.