VPN solution from mikrotik

RouterOS Beginner Basics
1

Hi,
I am totally new in mikrotik stuff
I have main office and some branch offices. I would like to connect them to main office, where i have VDSL routers provided by dsl company.
I cannot forward protocols on those routers, i can forward only ports.

On main office site, i have some servers, computers. On branch - some server and computers as well (but from VPN tunnell, just server is important)

Can i do such tunnels with mikrotik?

Server—Mikrotik—VDSL—internet—VDSL—mikrotik—internal network

Main site - would be MikrotikOS on virtualized machine
Branch offices - Mikrotik Board

Which leve do i need to have? 4 is enough?
Where can i find some guide, how to configure that? :slight_smile:

Just one additional thing

  • on MAIN site, i have public IP, but it’s changing. Anyway, i do have DNS name, which is pointing to that changing IP.
2

You can do this with OpenVPN Server / Client on MikroTiK, until some Protocols are disabled it seems that L2TP dont work for you.

3

My research about RB1200 as VPN solution: Mikrotik RB1200 as VPN Solution

You can find wiki entries about your setup:
Wiki:Tunnels
As example:
PPTP VPN - multiple ADSL remote locations to Cental Office

Branch1(Mikrotik VPN Client) → Central Office(Mikrotik VPN Server) ← Branch2(Mikrotik VPN Client)

Also if possible you can switch your VDSL modem in bridge mode - for more convenient remote control of Mikrotik.
for more convenient.

VPN Server can bind on any port.
As raz mentioned you can create oVPN tunnel on 443 port.

4

Well, Thank You for the answers - it looks great. Especially those PPTP VPN.
Of course i will have to ask You about details during the configuration :slight_smile: but i have a lecture, so it’s good.

Just an additional questions,
In that scenario - with PPTP - as i understand, it will work without GRE protocol forward? As i mentioned, i am not able to forward protocols. Only ports (I had a long speech with customer support, and even if the option - to forward protocol is existing in firmware, it does not work at all)

Am i able to configure vpn clients, to connect vpn tunnel to DNS address, not IP address (i suppose, Yes)?

5

As I can see in Wikipedia: Point-to-Point Tunneling Protocol, PPTP use TCP 1723 and GRE(47) protocols.
But on my firewall GRE rules has 0 bytes received. Maybe it works via established or related rule.
Anyway you can create another VPN if this will not work.

What’s new in 6.4 (2013-Sep-12 13:52):
*) ovpn - allow to specify server via dns name;

What’s new in 6.3 (2013-Sep-03 12:25):

*) pptp, l2tp, sstp - allow to specify server via dns name;

6

Okay, a little change in a my idea, but i suppose it will not change anything according to the equipment

Main site — RouterOS (VPN Server)—Ethernet—VDSL router with changed IP—Internet----VDSL Router witch changed IP—WiFi network—RB connected to Wifi—Server

RB for main site:
RouterOS license for level4 installed on virtual servers farm

RB for remote site:
MikroTik RouterBoard 911G-5HnD-MMCX with RouterOS level3
power supply - http://routerboard.com/18POW
Enclosure - http://routerboard.com/CA411-711
antenna - http://routerboard.com/ACSWI

Is that set suitable?

VPN i want to configure will be L2TP with NAT-T - something like here:
http://wiki.mikrotik.com/wiki/L2TP_%2B_IPSEC_between_2_Mikrotik_routers

Addresation will be 192.168.1.0/24 with addresses 192.168.1.1-192.168.1.200 on main site and 192.168.1.201 - 192.168.1.211 on first remote site (and 10 IP/s per site)
will it work? :slight_smile:
Sites have own addresation like 192.168.0.0/24

7

Hello kerth
As I can see in Wkipedia: L2TP/IPsec it use:

Negotiation of IPsec security association (SA), typically through Internet key exchange (IKE). This is carried out over > UDP port 500> , and commonly uses either a shared password (so-called “pre-shared keys”), public keys, or X.509 certificates on both ends, although other keying methods exist.

Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP protocol number for > ESP is 50 > (compare TCP’s 6 and UDP’s 17). At this point, a secure channel has been established, but no tunneling is taking place.

Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA’s secure channel, within the IPsec encryption. L2TP uses > UDP port 1701> .

I advice you to use SSTP or OpenVPN tunnel. In this case you should forward only one port(443 as example).
You can get a free certficate from StartSSL for one year and then create a new one for each year or create self signed cert.

Is that set suitable?

It seems that yes.

VPN i want to configure will be L2TP with NAT-T - something like here:
http://wiki.mikrotik.com/wiki/L2TP_%2B> _ … ik_routers

You ca use same diagram for SSTP or OpenVPN.

Addresation will be 192.168.1.0/24 with addresses 192.168.1.1-192.168.1.200 on main site and 192.168.1.201 - 192.168.1.211 on first remote site (and 10 IP/s per site)
will it work? > :slight_smile:

In general you ca use routing from one to another end without any additional IP. Why you want to use 10 IP/s per site ?

Sites have own addresation like 192.168.0.0/24

Both sites have same network ?

8

Thank You for an answer :slight_smile:
Nat traversal will allow me to omit protocol forwarding, that’s why with NAT-T

I have some network in main site, with addresation 192.168.1.0/24 and utilized about 150 addresses.

I have networks in branch offices with addresation 192.168.0.0/24 everywhere (and small utilization)

I want to have servers (one of the NIC’s) in the same subnetwork - flat addresation with main site - that’s why 192.168.1.200 and so on
Just for future use, i want to leave some not used addresses :slight_smile: that’s why each site will have 10 IP’s

9

I have changed my way a little.
On server side - I have OpenVPN Access Server (and dynamic IP, but static domain name)
working on layer2 (ethernet bridging)

On “satellite” site - i have mikrotik routerboard. I was able to start internet through wifi on that, but i have failed to configure openvpn connection.

Two problems:

  1. I have found a lot of howto’s, but only for NAT vpn
  2. All howto’s are with IP address, not DNS address.

How can i do that?

10

kerth

  1. I have found a lot of howto’s, but only for NAT vpn

Why you don’t want to use IP mode ?

  1. All howto’s are with IP address, not DNS address.

I think this can be because of old versions of ROS in HowTo.

As I mentioned:

What’s new in 6.4 (2013-Sep-12 13:52):
*) ovpn - allow to specify server via dns name;

This is a relative new feature.


How can i do that?

11

Because i want to have flat layer2 IP network - it iwll make my life easier :slight_smile:

I have seen, it’s possible from v6.4, but anyway, command allows me to put only IP adres, not domain name, so i am asking, how can i do that?

12

Nice wish but tio be realistic and make it happens that it is fitting at best your needs, I would also
suggest you to use on both sides a RB1100AHx2 and setting up IPSec VPN between them to get the best performing action, also the best throughput and most security for your network.

Not cheap to buy but it is fitting your needs for a long time in my eyes.

13

I’m assuming, that there is just a minor mistake, but i have no idea which one :slight_smile:

Basically, I am trying to connect to VPN server on local network (to be sure it’s not the case of NAT, firewall, or anywhat else).
I have checked VPN server with other clients - and it’s working on internal and external address. Certificates signed by CACERT.

I am trying to connect to port TCP and UDP - no change
I am trying to connect to internal and external IP - no change
I am trying to add or not to add ovpn port to bridge2 - no change.
I am able to ping both - internal and external IP (same subnetwork for internal)
What is wrong?
BTW - there are no logs from my RouterOS on VPN server (not even try to connect)
I am connected to ethernet with RouterOS (so no wireless even on the way)