I’m trying to access my office test network from my home and MikroTik’s default VPN is working like a charm, but I’ve read that it is not very secure, so I would like to create a VPN connection using WireGuard.
Problem is, all tutorials that I have found are site to site, or between two routers. I only need to connect from my laptop to the network, but in a more secure way.
Right now I’m using Mikrotik VPN but I’m using my own DDNS (NO-IP) and I’m connecting to network via Windows built-in VPN client.
Is there any trusted tutorial on how to configure WireGuard? Or is it better for me to add another router at home?
I’m using Windows 11, and when I need to select VPN type I have L2TP/IPsec with certificate and L2TP/IPsec with pre-shared key.
I select L2TP/IPsec with pre-shared key, but where do I get that key? I entered my password and when I tried to connect I get an error message in Windows saying: "The network connection between your computer and the VPN server could not be established because the remote server is not responding."
In router log i get this: respond new phase 1 (Identity protection): My WAN address of the router i want to connect to[500]<=>My WAN address of the client PC[20042]
ISAKMP-SA established My WAN address of the router i want to connect to[4500]-My WAN address of the client PC[20059]spi:(long sequence of random numbers and letters)
Then when i get error:
purging ISAKMP-SA My WAN address of the router i want to connect to[4500]-My WAN address of the client PC[20059]spi:(long sequence of random numbers and letters)
ISAKMP-SA deleted My WAN address of the router i want to connect to[4500]-My WAN address of the client PC[20059]spi:(long sequence of random numbers and letters) rekey:1
Also after 20 minutes I started to get pptp, ppp errors, "user 12345678 auth failed", as if someone is trying to connect to the router.
I have some basic knowledge about networking and my VPN setup was basic: enabling VPN on the quick setup page, setting up a password, adding an address pool for the VPN connection and configuring the Windows client (setting VPN type to Automatic and entering username and password). But with that type of connection, the router was showing that I’m using PPTP and I wanted something more secure.
Unfortunately, advanced stuff like this is out of my league and I’m not sure if tutorials on YouTube are trustworthy, as I don’t wanna make our network vulnerable. I was looking at tutorials but for now, all of them involve 2 routers.
I have default firewall rule installed on the router.
A. Yes, I’m the only one with the access to the router.
B. I can’t post it until Monday as tomorrow is a national holiday, but I have one router at home and I can set it up tomorrow and try to make a VPN at home between that router and a laptop.
C. Yea, I found videos from MikroTik on YouTube, I think that I can trust them, but the others, who knows.
So this is my current setup. I have this router at home, it’s new out of the box so there is no configuration besides the default one. I copied the key and when I paste it I get a VPN Address from the quickset menu. Now when I tried to connect to the router (I didn’t use that VPN address but my public address) I get this error from Windows: "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
Below is the config:
# jan/06/2022 06:55:02 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Also add ipsec-policy=in,ipsec to firewall rule for port 1701, because you want L2TP only with IPSec. And don’t forget to disable PPTP and SSTP, if you don’t plan to use them.
Once you drill down past the one-click canned feature in MT’s GUIs, you’ll find that IPSec over L2TP is complicated. You can say just about anything you like about it and be correct for some given configuration.
Contrast WireGuard, which has only one common configuration. We can thus make general statements about its security without getting caught up in quibbling about configuration details.
Is WireGuard more secure than IPSec? Maybe! Send your configuration to a cryptanalyst along with a large check, and you might get an answer.
I would like to create a VPN connection using WireGuard.
I posted a very simple configuration here. If your MT router is on the border, you can drop the src-nat rule, simplifying it further. Or, see the post at the top of the thread for more ideas.
Is it better for me to add another router at home?
WireGuard lets you treat either end as the “server” part. The choice of best configuration simply depends on which end is easier to point at. If one end has a stable public IP, that’s the better end as compared to one behind NAT with a dynamic public IP.
But, you can get around that too, as your comments about dynamic DNS suggest. My posted configuration accounts for that.
This is an important point, the concept of server/peer is really only valid for the initial process of connecting. Once established one can move traffic back and forth only limited by your ability to configure the two ends of the tunnel (configs on MT routers). Very flexible!!
As for WG not being secure, stop reading scribbles on toilet walls in bus stations ;-PP
Sort of yes, but the option to simply specify IPSec secret for L2TP server, and have system configure rest of IPSec automatically, makes the whole thing much easier. And it works, so it’s good. Upside is that you don’t have to install any extra software on client, it can sometimes help.
The rule you changed from original port 4500 is wrong, it was correct before. I meant to change original rule for port 1701. Both ports 500 and 4500 can also be combined in one rule. And I forgot one more, even though it probably won’t be used much, because client is going to be usually behind NAT. So the right rules you need are:
# jan/06/2022 16:03:04 by RouterOS 7.1.1
# software id = KL0T-VH4S
#
# model = RBD53iG-5HacD2HnD
# serial number = XXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=MikroTik-7E5179 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=MikroTik-7E517A \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
add local-address=192.168.89.1 name=vpn remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=\
udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
add name=vpn profile=default-encryption service=l2tp
add name=l2tp profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Zagreb
/system leds
set 0 interface=wlan1 leds=led1,led2,led3,led4,led5 type=\
wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Log output is now (short version):
When I click connect, on the router I almost instantly get:
respond new phase 1 (Identity protection):192.168.1.104[500]<=>xxx.xxx.xxx.xxx[3255]
ISAKMP-SA established 192.168.1.104[4500]-xxx.xxx.xxx.xxx[16825] spi:xxxxxxxxxxxxxxxxxxxxxxxxxx
Then after some time:
purging ISAKMP-SA 192.168.1.104[4500]-xxx.xxx.xxx.xxx[16825] spi:xxxxxxxxxxxxxxxxxxxxxxxxxx
ISAKMP-SA deleted 192.168.1.104[4500]-xxx.xxx.xxx.xxx[16825] spi:xxxxxxxxxxxxxxxxxxxxxxxxxx rekey:1
Then this process goes one more time and after that Windows displays the error.
This router is connected to my ISP DSL router, but I assigned a static IP address to my MikroTik and I put that IP address in the DMZ, so the ISP router’s firewall shouldn’t be a problem.
Is it maybe a problem that I checked the VPN box at first setup? I can see now that after all the config changes the box is not checked anymore.
That’s a problem with the client. Microsoft assumes that the server has a public address directly, i.e. it’s not behind NAT. And when it is, Windows needs to be told to work with it:
One more thing, I didn’t examine the latest config at first, but now I quickly checked it, and the added firewall rules are in the wrong place. Order of firewall rules matters. They should be where your original ones for the given ports are. But since you already have yours, remove mine and just update yours for port 1701 (add ipsec-policy=in,ipsec to it). You can keep mine for protocol=ipsec-esp, but I think it probably won’t do anything for a server behind NAT (I’m almost sure, but not entirely 100% sure).
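A small lint that checks an exported RouterOS config for the points raised in the replies above: the L2TP server requiring IPsec, udp/1701 accepted only with ipsec-policy=in,ipsec, unused PPTP/SSTP servers left enabled, VPN accept rules placed below the default "drop all not coming from LAN" rule (where they never match), and udp/500 open without its NAT-T partner udp/4500. This is an added example, not code from the thread or from MikroTik; it runs over a constructed, trimmed sample export that contains each of those mistakes.

```python
import re

# Constructed sample, trimmed to the shape of the export posted above; the mistakes are deliberate:
# PPTP still on, plain udp/1701 accepted, a "500,450" typo, VPN rules below the default drop rule.
SAMPLE_EXPORT = """\
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
/interface pptp-server server
set enabled=yes
/ip firewall filter
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
add action=accept chain=input dst-port=500,450 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 ipsec-policy=in,ipsec protocol=udp
"""

def parse_export(text):
    """Join backslash-continued lines, then group each add/set command's key=value pairs under its /path."""
    sections, path = {}, None
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif line and not line.startswith("#") and path is not None:
            sections[path].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def audit(sections):
    """Return the problems the replies in this thread warn about; an empty list means clean."""
    findings = []
    for svc in ("pptp", "sstp"):
        if any(c.get("enabled") == "yes" for c in sections.get(f"/interface {svc}-server server", [])):
            findings.append(f"{svc} server is enabled; disable it if unused")
    if not any(c.get("use-ipsec") == "required" for c in sections.get("/interface l2tp-server server", [])):
        findings.append("l2tp server does not enforce use-ipsec=required")
    inp = [r for r in sections.get("/ip firewall filter", []) if r.get("chain") == "input"]
    # Rule order matters: accept rules placed after "drop all not coming from LAN" never match.
    drop_at = next((i for i, r in enumerate(inp) if r.get("action") == "drop" and r.get("in-interface-list") == "!LAN"), len(inp))
    open_ports = set()
    for i, r in [(i, r) for i, r in enumerate(inp) if r.get("action") == "accept"]:
        ports = set(r.get("dst-port", "").split(",")) - {""}
        if "1701" in ports and r.get("ipsec-policy") != "in,ipsec":
            findings.append("udp/1701 accepted without ipsec-policy=in,ipsec (plain L2TP reachable)")
        if i > drop_at and (ports & {"500", "4500", "1701"} or r.get("protocol") == "ipsec-esp"):
            findings.append(f"VPN accept rule ({r.get('dst-port') or r.get('protocol')}) sits after the drop-all rule and never matches")
        elif i < drop_at:
            open_ports |= ports
    if "500" in open_ports and "4500" not in open_ports:
        findings.append("IKE udp/500 is accepted but NAT-T udp/4500 is not (typo such as 500,450?)")
    return findings
```

Feed it the output of `/export` from the router (`audit(parse_export(open("export.rsc").read()))`) to re-check after every change.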