VPN Type / PC with x Users

OK, scenario:
I have a MikroTik on site A.
I have a remote PC on site B.
The PC on site B has multiple users. These users must connect to site A.
I need a VPN protocol that would allow users to connect, and the VPN would be issued not per PC but per user, so I know which user was connected
and to make sure that a user uses their own dedicated VPN, not another user's.
As much as I have checked all MikroTik-supported protocols' configurations and limitations, I'm afraid I'm not able to accomplish this scenario,
or am I wrong?
The setup must be road warrior, not site to site.
Any advice much appreciated.

Hello,

PC on site B has multiple users.

Yes. A single computer can be used by many users, but mostly only one user can control security devices, which is admin/root.

For a user-space VPN you might read the OpenVPN wiki page.

But… your problem is on your road warrior computer, not on the MikroTik device as VPN server.

Not necessarily.

Let's say each user has to log in to the PC.
Let's say each user has their own WireGuard app on the PC.
Let's say each user gets a different WireGuard IP address on the MT router's WireGuard subnet
(in fact we will actually make the subnet different for each user, but attached to the same WireGuard interface on the MT router).

In this way, each user will have separate access to the MT router as desired.

So the question becomes:
can the WireGuard application be separate for each user on a PC? If yes, this is super simple.

This is where the problem is: all tunnels are visible to all users within the WireGuard application, and any user can activate any tunnel.
There is no way to protect a tunnel with a password, and setting NTFS permissions on the tunnel config files didn't work either.
It doesn't necessarily have to be WireGuard; any protocol supported by MikroTik that would work for the scenario.

@anav,

So the question becomes:
can the WireGuard application be separate for each user on a PC? If yes, this is super simple.

According to these:
https://www.wireguard.com/quickstart/
https://www.wireguard.com/xplatform/

any wg initiator should read from the local wg.conf, so wg seems able to differentiate users.

The only way to find out (whether a wg interface can be run as a regular user or not) is to have a spin.

Good luck!

I quite agree with you that the native Windows VPN app is very limited, but MikroTik also has some limitations to achieve this scenario.

@akarpas,

I quite agree with you that the native Windows VPN app is very limited, but MikroTik also has some limitations to achieve this scenario.

Well, I think MT has implemented plenty of current VPN solution standards, as has MS Windows.

For a start, tell us about your road warrior operating system and its version, and what kind of networking environment you are in (AD domain or just simple workgroups etc.), so we can help you better.

But as for guidance, your road warrior VPN solution will follow what kind of solution the VPN server has.

What I am using is the Windows embedded VPN client in IKEv2 mode with username & password authentication of the client. This requires RADIUS authentication on the server side, in my case provided by the MikroTik's User Manager package, which also offers the "poor man's MFA" where TOTP is used to generate a rolling password suffix.

The drawback is that it needed a restart after some months of operation as the log started reporting no RADIUS response the same second the request was sent (ROS 7.14.3).

Not at all.
MT as per normal wireguard protocol assigns a unique IP address to each peer.
Further it has firewall rules to assign permissions as required for each peer.

The limitations are due to how WireGuard interacts with operating systems (be it Windows or Mac) and really only allows one tunnel.
At least in this article for Windows, it can be set up to allow the users to start and stop the tunnel as non-admins, without any other rights:
https://randyrowland.me/post/wireguard/

Perhaps Linux has a way of separating users on the same laptop for WireGuard… worth investigating.

Totally agree with you; I have no complaints about WireGuard on MT, limitations only on the Windows client app, but we have got stuck with WG, we talk about all protocols, all possibilities.

I'll have a look, but I like cert-based auth more. Anyway, thanks for sharing. Maybe it's going to be an option.

Perhaps Linux has a way of separating users on the same laptop for WireGuard… worth investigating.

The problem in my case is that the remote PC is Windows OS; no Linux in use.

The issue with client-side certs for me is that Windows is unable to store the private key password-protected and ask for the password whenever you want to use the certificate. The fact that last time I tried it had to be a machine certificate rather than a user one is secondary for me but critical for your case.

Exactly, this is my problem with IKEv2: with Windows you can only use a machine cert; the Windows native VPN app doesn't support a cert per user, as it doesn't have an option to choose a cert for a VPN profile.
You can do it with PowerShell by telling which connection should use which cert, but I only tried it when you have more than one IKEv2 VPN and certs installed pointing to different remote locations from the same user. Never tried it to see if this would work in a scenario of multiple users connecting to the same remote location.

I hesitated to jump in, because maybe I'm missing something… but why not simply use OpenVPN? It has user/password auth, and quite simply the different users should not share passwords.

The relevant config options are:

auth-user-pass
management-query-passwords

EDIT: For newer versions of OpenVPN and Windows this is not recommended any more:

And if you're using IP tunneling on Windows, don't forget:

ip-win32 dynamic 0 3600
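As an added illustration (not part of the reply above), a Windows OpenVPN client profile contrasting the shared-credentials variant, which lets every local account on the PC connect under one identity, with the prompting variant, where each Windows user types their own credentials so the MikroTik side can attribute the session to that user. Hostname, port and CA filename are placeholders; the server side is assumed to be the MikroTik OVPN server with one /ppp secret per user.

```conf
# Added example, not from the thread. Placeholders: vpn.example.net, ca.crt.

# --- Weak variant (do not use on a multi-user PC) ---
# auth-user-pass creds.txt
#   A credentials file is read by whichever Windows account starts the tunnel,
#   so every user of the PC logs in as the same account and the server log
#   cannot tell them apart.

# --- Per-user variant ---
client
dev tun
proto tcp                    # MikroTik OVPN server; ROS 7 also offers UDP
remote vpn.example.net 1194
ca ca.crt                    # CA that signed the MikroTik server certificate
auth SHA1                    # must match auth= on /interface ovpn-server server
cipher AES-256-CBC           # must match cipher= on the server
auth-user-pass               # no filename: prompt the currently logged-in user
auth-nocache                 # do not keep the typed password in memory for reconnects
management-query-passwords   # prompt through the management interface (the Windows
                             # OpenVPN GUI supplies one when it starts the client)
# ip-win32 dynamic 0 3600    # only for older OpenVPN/Windows builds, see the note above
verb 3
```

Each user also needs their own /ppp secret on the router; if several users share one secret, the per-user attribution is lost regardless of the client profile.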

I don't understand why you necessarily have to use WireGuard. Otherwise, if they are Windows PCs, also an SSTP VPN, where you create different profiles on ROS and then associate them with each Windows user.

Nobody said WireGuard must be used; we are discussing all available protocols and experiences, so mate, you are welcome.

I'll have a look, thank you, sounds promising.