kimdobranski
newbie
Topic Author
Posts: 43
Joined: Mon Aug 03, 2015 9:39 pm

VPN Question

Thu Jun 23, 2016 6:31 pm

Hi, 

I have a number of MikroTik routers acting as hotspots behind a satellite modem. The satellite modem does not support port forwarding, so I can't redirect the Winbox port to the router for management. The satellite company suggested I create a VPN connection from the MikroTik to my server; then I can connect to Winbox through the VPN from my server.

Obviously I don't want the router to route traffic through the VPN, I just want the VPN for servicing the router remotely. I am not even sure if it needs to be a VPN. 

Can anyone help me set this up? Or is this possible?

 
haik01
Member
Posts: 406
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: VPN Question

Thu Jun 23, 2016 8:59 pm

Yes, it is possible. Set up a VPN, and make sure you do NOT include the VPN in your router bridge. Then set a static route, so that all traffic going to port xxxx (I do not remember the port of Mikrotik) will go to the VPN. Also you should create a route back from the AP (hotspot) to your router.
 
Van9018
Long time Member
Posts: 505
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: VPN Question

Thu Jun 23, 2016 10:37 pm

1.  Create a PPTP Client Interface, set it to connect to your server's IP/hostname. 
2.  Create a firewall filter rule, accept incoming TCP connections from PPTP Client Interface on port 8291

The PPTP client interface will obtain an IP from your server and thus will be part of your server's network subnet.  
So then from any PC on your server's network, you can now use Winbox to connect to the Mikrotik via that IP.

At this point though, you can only connect to that Mikrotik.  Need to be able to connect to devices behind the Mikrotik?
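
The two steps above as RouterOS commands, with the tunnel kept out of the default route so hotspot traffic stays on the satellite uplink. This is an added example, not part of the original post; the server address 203.0.113.10, the VPN subnet 10.99.0.0/24, the interface name and the credentials are placeholders.

```routeros
# Added example: all names, addresses and credentials are placeholders.
# 203.0.113.10 = management server running the PPTP server (assumed)
# 10.99.0.0/24 = address pool that server hands out to VPN clients (assumed)

# Step 1: PPTP client toward the management server.
# add-default-route=no leaves the default route on the satellite uplink,
# so only traffic addressed to the tunnel's own subnet uses the VPN.
/interface pptp-client
add name=pptp-mgmt connect-to=203.0.113.10 user=router01 password=CHANGE-ME \
    add-default-route=no profile=default-encryption disabled=no

# Step 2: accept Winbox (TCP 8291) only when it arrives on the tunnel.
# "add" appends to the end of the chain; move the accept rule above any
# existing drop rule in the input chain (or use place-before).
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface=pptp-mgmt comment="Winbox via management VPN"
add chain=input action=drop protocol=tcp dst-port=8291 \
    comment="Winbox from any other interface"

# Restrict the Winbox service itself to the VPN subnet as a second layer.
# PPTP's MS-CHAPv2/MPPE protection is weak, so do not rely on the tunnel alone.
# Add the admin LAN here (and an accept rule above) if you also manage locally.
/ip service
set winbox address=10.99.0.0/24
```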
 
kimdobranski
newbie
Topic Author
Posts: 43
Joined: Mon Aug 03, 2015 9:39 pm

Re: VPN Question

Thu Aug 04, 2016 8:39 pm

> 1.  Create a PPTP Client Interface, set it to connect to your server's IP/hostname.
> 2.  Create a firewall filter rule, accept incoming TCP connections from PPTP Client Interface on port 8291
>
> The PPTP client interface will obtain an IP from your server and thus will be part of your server's network subnet.
> So then from any PC on your server's network, you can now use Winbox to connect to the Mikrotik via that IP.
>
> At this point though, you can only connect to that Mikrotik.  Need to be able to connect to devices behind the Mikrotik?

Hi, I only need to connect with the MikroTik. Thank you, I will give this a try. I can map ports to connect to internal devices if I need.
 
IntrusDave
Forum Guru
Posts: 1282
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: VPN Question

Thu Aug 04, 2016 8:48 pm

OpenVPN works very well for this. I have several MikroTiks that use AT&T LTE - they are all given a private IP. The MikroTiks open an OpenVPN tunnel to the server, and that allows me to have secure access to the routers.
David Joyce
Network & Security Engineer
Intrus Technologies, LLC.
Rancho Cucamonga, CA, USA
 
kimdobranski
newbie
Topic Author
Posts: 43
Joined: Mon Aug 03, 2015 9:39 pm

Re: VPN Question

Sun Aug 07, 2016 10:00 am

> 1.  Create a PPTP Client Interface, set it to connect to your server's IP/hostname.
> 2.  Create a firewall filter rule, accept incoming TCP connections from PPTP Client Interface on port 8291
>
> The PPTP client interface will obtain an IP from your server and thus will be part of your server's network subnet.
> So then from any PC on your server's network, you can now use Winbox to connect to the Mikrotik via that IP.
>
> At this point though, you can only connect to that Mikrotik.  Need to be able to connect to devices behind the Mikrotik?

Question: if I did this, will the internal traffic still be routed as usual, or will it start to route via the VPN? I don't want any traffic over the VPN; it's just for me to connect to manage.
 
ikiji
just joined
Posts: 2
Joined: Tue Aug 13, 2019 9:59 pm

Re: VPN Question

Wed Aug 14, 2019 3:22 am

> OpenVPN works very well for this. I have several MikroTiks that use AT&T LTE - they are all given a private IP. The MikroTiks open an OpenVPN tunnel to the server, and that allows me to have secure access to the routers.

Hi Dave,

I was trying to set up an OpenVPN server on Mtk devices to then connect to them as and when needed for support purposes.
Connecting both to the router and devices NAT'ed behind.

Like you, the routers are using LTE (USB) modems for their Internet connection and these have their own NAT'ed IP.

Sadly my setup is not working when using LTE (it's fine for standard PPPoE connection on ether1) but wondering if reversing what I have to use OpenVPN client (as opposed to server) and connect back to our management server. I take it you never tried connecting to OpenVPN server on each device?

What routing do you have in place to "split-tunnel" only "admin" traffic back over your VPN and keep remaining egress going out over the LTE Internet connection?

Thanks for your help
Neil
