Has anyone managed to successfully set their Mikrotik router to serve as a VPN server with 100% physical LAN emulation? The documentation is scarce. I’m trying to stay away from the available solutions, such as ZeroTier, LogMeIn, etc., and there don’t seem to be any solutions that allow you to run your own dedicated VPN (with TUN) server, with the exception of perhaps tinc.
I’m currently using the SSTP protocol to establish a connection with my friends and I’ve set the profile to use the default DHCP server, so that all of the clients are within the same /24 IP range as my local machines. Connecting directly works in most games, but not all, and broadcasting just plain doesn’t work.
From what I understand SSTP doesn’t really support L2/L3 subnet broadcasting so my only solution seems to be OpenVPN. I’ve read through a metric tonne of posts so far and none seems to offer a clean answer.
Can someone guide me through setting up something that would allow us to connect together and play games as if we were in the same physical network? If possible I would like to use the Mikrotik as the server, so SSTP/OpenVPN. I can also use my Raspberry as the server in case anyone has any experience with tinc.
You have confused TUN (layer 3 / IP) with TAP (layer 2 / ethernet).
None of the layer 3 VPNs (L2TP, PPTP, SSTP, IPsec or OpenVPN TUN) will route broadcasts, however as you have found you can use the same IP range on the local LAN and remote VPN client using proxy-arp.
If you need real layer 2 connectivity the options are either OpenVPN TAP, EoIP (Mikrotik proprietary protocol based on GRE), or BCP which is available for any PPP-like VPNs (L2TP, PPTP, SSTP).
Am I right to assume that BCP only supports router to router connections? In other words I need a BCP capable router on the other side as well to act as a client?
OpenVPN TAP should be fine for router to client connections > hassle free on the client side, because I can’t expect my friends to reconfigure their routers completely?
Worse than that, I don’t know any other router supporting BCP than Mikrotik (there’s L2TPv3 on Cisco but despite its similar name, it doesn’t make friends with L2TP/BCP on Mikrotik).
OpenVPN in TAP mode is the only VPN known to me which can run on a PC and support L2 tunneling, but OpenVPN in RouterOS 6.x only supports TCP as transport, which has some drawbacks and depending on the internet connection quality in your region, these may affect the gaming experience.
You might consider using something like hAP lite or hAP mini as an add-on to your friends’ routers. In that case, L2TP/IPsec with BCP, or EoIP/IPsec would be the best options, as both use UDP as transport.
But among many downsides of L2 tunnels, there’s also the security one - malware can spread easily in such environment.
One last question. I have managed to set up an OpenVPN TAP connection, but I cannot ping or access my network maps, unless I set the OpenVPN Profile to “bridge”. Is this the correct approach? I am intentionally using the default DHCP, because I want us to be within the same IP range, even though broadcasting should in theory work even if I use a different subnet for OpenVPN, as long as I’m not intentionally dropping connections?
Interface
/interface ovpn-server server
set auth=sha1 certificate=OpenVPN-Server cipher=aes256 default-profile=OpenVPN enabled=yes mode=ethernet require-client-certificate=yes
Yes, the OpenVPN implementation on RouterOS handles the OpenVPN tunnels the same way it handles PPP-based tunnels. This means the L2 tunnel must be made a member port of a bridge, and the way to indicate which bridge to use is via /ppp profile.
I don’t know what you mean by “network maps”.
Regarding use of default-dhcp as a pool for local-address - in theory, you should not need any local-address in the /ppp secret since you are using L2/TAP/Ethernet mode and the Windows client exclusively uses either L3 or L2 tunnel, not both (whereas PPP can use IPCP, BCP and MPLSCP simultaneously). If it doesn’t work without specifying a local-address and remote-address on the /ppp profile or /ppp secret rows, I’d rather use some pools (subnets) not related to the subnet used on the bridge, to avoid confusion. The client would then use DHCP to obtain its address. But I may be wrong here, someone regularly using OpenVPN on Mikrotik would be better as an information source.
Network maps as: \\192.168.88.254\Folder
If I don’t set the Local Address, the OpenVPN client refuses to connect. I guess what you are saying is that it would be better to add a new subnet and bind it to the OpenVPN Profile, so that I can clearly see what is connected to the physical network and what isn’t? I would then have to make a firewall rule and drop everything that is trying to connect to my main subnet, with the exception of the machine that should be able to communicate with both subnets?
OK, so it’s from the Windows world. Sorry, I don’t have English-speaking Windows so the term was not familiar to me.
Well, you don’t need to add any subnet to the router separately, it is enough to set an unused address outside any used subnet as the local-address of the profile/secret. As said, I assume it’s the RouterOS that needs this address to be set at all, the OpenVPN client at the PC should not use it when in TAP mode.
Regarding firewall rules, of course the /ip firewall filter rules should prevent the VPN clients from accessing your router’s management interface, and if you have multiple LAN subnets, also from accessing all these subnets. Packets coming via the L2 tunnel to addresses within the gaming subnet will bypass the IP firewall. If you don’t have a dedicated subnet for gaming and bridge the common LAN subnet to your friends, your devices not used for gaming are endangered too.
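As an added example (not from the thread, nor MikroTik’s own documentation), here is one way to put together the two points above on RouterOS 6.x: the ethernet-mode OVPN server whose TAP tunnels are attached to a bridge through /ppp profile, and the /ip firewall filter rules that keep those VPN clients off the router’s management interface and out of the main LAN. The bridge, subnet, pool, user, certificate and host names are assumptions, as is the presence of the usual established/related accept rules ahead of these; the thread’s own snippet only sets the OVPN server itself.

```routeros
# Added example (not the thread's or MikroTik's own config). Names, subnets
# and the certificate "OpenVPN-Server" are assumptions; adjust to your router.

# 1. Dedicated gaming bridge. Ethernet-mode OVPN tunnels become dynamic
#    ports of this bridge because the PPP profile below names it.
/interface bridge
add name=bridge-gaming comment="L2 gaming LAN shared with VPN friends"
/ip address
add address=192.168.87.1/24 interface=bridge-gaming

# 2. PPP profile: bridge= is what attaches the TAP tunnel. RouterOS still
#    insists on a local-address; pick one outside every real subnet so it
#    is obviously not a gateway for anything.
/ppp profile
add name=OpenVPN bridge=bridge-gaming local-address=10.255.255.1
/ppp secret
add name=friend1 password=CHANGE-ME profile=OpenVPN service=ovpn

# 3. OVPN server in ethernet (TAP) mode with mandatory client certificates.
/interface ovpn-server server
set enabled=yes mode=ethernet default-profile=OpenVPN certificate=OpenVPN-Server \
    auth=sha1 cipher=aes256 require-client-certificate=yes

# 4. Clients get their IP from DHCP on the bridge, not from the PPP profile.
/ip pool
add name=pool-gaming ranges=192.168.87.10-192.168.87.200
/ip dhcp-server
add name=dhcp-gaming interface=bridge-gaming address-pool=pool-gaming disabled=no
/ip dhcp-server network
add address=192.168.87.0/24 gateway=192.168.87.1

# 5. IP firewall. Only routed traffic (to the router itself or to another
#    subnet) passes here; frames switched between two ports of bridge-gaming
#    never reach these rules unless
#    /interface bridge settings set use-ip-firewall=yes is enabled.
#    Place these rules above any existing "accept everything from LAN" rule;
#    they assume an "accept established,related" rule already precedes them.
/ip firewall filter
add chain=input in-interface=bridge-gaming protocol=udp dst-port=67 action=accept \
    comment="gaming LAN: DHCP to router"
add chain=input in-interface=bridge-gaming protocol=icmp action=accept \
    comment="gaming LAN: ping the gateway"
add chain=input in-interface=bridge-gaming action=drop \
    comment="gaming LAN: no management access (WinBox, SSH, WebFig, API)"
# One main-LAN host (assumed 192.168.88.10) may be reached from the gaming
# LAN; everything else in 192.168.88.0/24 stays off limits.
add chain=forward in-interface=bridge-gaming dst-address=192.168.88.10 action=accept \
    comment="gaming LAN: allowed shared host"
add chain=forward in-interface=bridge-gaming dst-address=192.168.88.0/24 action=drop \
    comment="gaming LAN: isolate from main LAN"
```

The design choice worth noting is that the gaming hosts live on their own bridge and subnet, so the IP firewall sees every packet that tries to leave that segment; anything bridged directly into the common LAN would, as the reply above says, bypass these rules entirely. If L2 filtering between VPN clients and gaming hosts is also wanted, that is the job of /interface bridge filter rather than /ip firewall filter.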
I’ve run into a slight issue. It seems that the OpenVPN Local Address is used as the Default Gateway. I’ve created a new pool “192.168.87.2-192.168.88.254” and bound it to the OpenVPN profile, I’ve also set the OpenVPN Local Address to 192.168.87.1.
The issue I now have is that I can no longer communicate between the subnets > 192.168.88.0/24 and 192.168.87.0/24. I can ping and access the gateway on either 192.168.88.1 or 192.168.87.1 but devices cannot communicate between the subnets.
I’m assuming that the issue lies with the Default Gateway, but if I set the OpenVPN Profile Local Address to 192.168.88.1, the client refuses to connect.
Throughout this thread you mention you are using Windows as client devices and by default, Windows firewall blocks incoming packets not on local subnet.
I’ll be damned, that was it, it was the firewall on the machine I was trying to access. Is there an easy way to bypass this, without setting firewall rules? For example adding the machine to both subnets?
Haven’t tried this myself, but OpenVPN can execute some commands on connection, so should be possible to use netsh.exe to create the firewall rule on connect.
Or telling Windows the TAP interface is “home network” may also work.
Hello Adephx,
Just writing here in order to thank you for your post. I implemented the same configuration on my Mikrotik router and it worked!
I also wanted to be able to broadcast/multicast packets. More concretely, I wanted to be able to cast videos on my SmartTV even if I am not physically at home (being able to cast videos to kids and elderly while not being directly connected to the same wifi network).
And yes, thanks also to sindy, CZfan and all the others.