 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

VPN to 443 port from Android

Thu Nov 10, 2016 4:15 pm

Hello all,

I have a RB750G router at home and I want to use it as a VPN server to connect from outside to local services.

I configured both PPTP and L2TP/IPSec and both work great from mobile networks.

The problem is that at my work I have a limited wireless network and I cannot access those ports.

Is it possible to connect from Android devices to a 443 VPN port?

This is what I have when I try to configure a VPN:

Image

Does anyone have experience with this?

I will really appreciate your help.

Kind regards.
 
tuzok
just joined
Posts: 6
Joined: Thu Nov 10, 2016 2:24 pm

Re: VPN to 443 port from Android

Thu Nov 10, 2016 5:07 pm

I am not aware of any VPN technology which would allow HTTPS as a VPN connection in Mikrotik. None of those listed in your Android app would be tunneled through https.
 
cdiedrich
Forum Veteran
Posts: 939
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: VPN to 443 port from Android

Thu Nov 10, 2016 5:41 pm

It surely won't work with Android onboard clients - and all vpn types listed use multiple protocols and ports.
I'd say SSTP is your friend.
Look for an Android SSTP client and set up the SSTP server in your router.

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

Re: VPN to 443 port from Android

Thu Nov 10, 2016 9:54 pm

Thanks!

I will try SSTP.

Best regards.
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: VPN to 443 port from Android

Thu Nov 10, 2016 10:54 pm

I actually have deployed MikroTik OpenVPN server running on TCP port 443. Works like a charm with "OpenVPN Connect" app for Android.
 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

Re: VPN to 443 port from Android

Fri Nov 11, 2016 7:01 pm

I actually have deployed MikroTik OpenVPN server running on TCP port 443. Works like a charm with "OpenVPN Connect" app for Android.
Great!

Could you share the configuration please?

I will really appreciate it.

Best regards.
 
che
Frequent Visitor
Posts: 94
Joined: Fri Oct 07, 2005 1:04 pm

Re: VPN to 443 port from Android

Fri Nov 11, 2016 10:45 pm

Alright, I am doing this for only one reason: I cannot point you to a full tutorial since every single one on this forum or on the internet is incomplete (you would have to tinker a lot on your own, debug imperfections, etc). Also, this is the first time I am about to break my self-inflicted "think 2s tops, type 2 minutes max" rule on the forum. I will highlight things you need to alter in red, and color a few things that correlate.

1. CERTIFICATES

This is usually the most confusing thing for people, so I will break it down for you so I am as clear as possible.

- Generate and sign certificates on the server machine - executed on your MikroTik box
Note: common-name has to match on ca-template and server-template certificates!

/certificate
add name=ca-template days-valid=3650 common-name=your.domain.name key-usage=key-cert-sign,crl-sign
add name=server-template days-valid=3650 common-name=your.domain.name
add name=client1-template days-valid=3650 common-name=client1
add name=client2-template days-valid=3650 common-name=client2

/certificate
sign ca-template name=root-ca
sign ca=root-ca server-template name=server
sign ca=root-ca client1-template name=client1
sign ca=root-ca client2-template name=client2

/certificate
set root-ca trusted=yes
set server trusted=yes

- Export certificates and keys required for client machines - executed on your MikroTik box (copy all resulting crt and key files to your PC, you will copy/paste crt contents in .ovpn file later, and use .key to convert on Linux box)

/certificate export-certificate root-ca
/certificate export-certificate "client1" export-passphrase=PASSPHRASE1
/certificate export-certificate "client2" export-passphrase=PASSPHRASE2

- Convert exported pkcs5 keys to RSA in order to avoid compatibility issues - executed on any Linux box (save the result of the commands, since those will be your new client keys)

openssl rsa -in cert_export_client1.key -text
openssl rsa -in cert_export_client2.key -text

2. ENABLING OVPN SERVER ON MIKROTIK BOX

This is a very simple step.

/ppp profile
add change-tcp-mss=yes dns-server=192.168.200.254 local-address=192.168.200.254 name=vpn only-one=no rate-limit=1M/10M \
remote-address=pool-vpn use-compression=no use-encryption=yes use-mpls=no use-upnp=no
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=vpn enabled=yes port=443 require-client-certificate=yes

You probably know this one, but nevertheless here is a step for creating VPN client un/pass that uses our VPN profile:

/ppp secret
add name=username1 password=password1 profile=vpn

3. CREATING OVPN CONFIG FILE

This is the source of .ovpn file you will use as your profile on Android, which you can import via OpenVPN Connect app. Short explanation:
<ca> - root certificate from MikroTik box (cert_export_root*.crt)
<cert> - client certificate from MikroTik box (cert_export_client*.crt)
<key> - client RSA key you got as a result of converting process on Linux box

dev tun
proto tcp-client
#client

nobind

# Server IP and port
remote 2.3.4.5 443
tls-client
port 443
#remote-random
#remote-cert-tls server

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 9

# Silence the output of replay warnings, which are a common false
# alarm on WiFi networks. This option preserves the security of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Reliability and connection performance
ping 15
ping-restart 45
ping-timer-rem
persist-key
persist-tun
#resolv-retry infinite
#tun-mtu 1500
#tun-mtu-extra 32
#mssfix 1450

auth-user-pass

#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)
#fast-io
#mute 10
#key-direction 1

cipher AES-256-CBC
auth SHA1
pull

# Route all traffic through VPN tunnel, adding VPN server's DNS to client
redirect-gateway def1 bypass-dhcp
remote-gateway 192.168.200.254
dhcp-option DNS 192.168.200.254

# SSL/TLS parms.
# See the server config file for more description. It's best to use
# a separate .crt/.key file pair for each client. A single ca file
# can be used for all clients.
<ca>
-----BEGIN CERTIFICATE-----
2222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222
222222222222222222222222222222222222222222222222222222
-----END CERTIFICATE-----

</ca>
<cert>
-----BEGIN CERTIFICATE-----
2222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222
222222222222222222222222222222222222222222222222222222
-----END CERTIFICATE-----

</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
2222222222222222222222222222222222222222222222222222222222222222
2222222222222222222222222222222222222222222222222222222222222222
222222222222222222222222222222222222222222222222222222
-----END RSA PRIVATE KEY-----

</key>
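
Added example, not part of che's post and not MikroTik or OpenVPN code: a small Python check that parses a client profile laid out like the one above (directives plus inline `<ca>`/`<cert>`/`<key>` blocks) and reports the settings worth reviewing before the file is copied to a phone. The function names, finding ids and the shortened sample profile are constructed for illustration.

```python
import re

# Constructed sample shaped like the profile in the post; placeholder PEM body only.
SAMPLE_PROFILE = """\
remote 2.3.4.5 443
#remote-cert-tls server
verb 9
<key>
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER
-----END RSA PRIVATE KEY-----
</key>
"""

def parse_ovpn(text):
    """Split a profile into active directives and inline <tag> blocks."""
    directives, blocks, tag = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if tag:  # inside an inline block such as <ca>, <cert> or <key>
            if line == f"</{tag}>":
                tag = None
            else:
                blocks[tag].append(line)
        elif m := re.fullmatch(r"<([a-z-]+)>", line):
            tag = m.group(1)
            blocks[tag] = []
        elif line and line[0] not in "#;":  # '#' and ';' start comment lines
            name, _, args = line.partition(" ")
            directives.setdefault(name, []).append(args.split("#")[0].strip())
    return directives, blocks

def audit(text):
    """Return (id, message) findings for a client profile."""
    d, b = parse_ovpn(text)
    findings = []
    if "remote-cert-tls" not in d and "verify-x509-name" not in d:
        findings.append(("no-server-verify",
                         "server certificate is checked against the CA only, not its role or name"))
    key = "\n".join(b.get("key", []))
    if "PRIVATE KEY" in key and "ENCRYPTED" not in key:
        findings.append(("plaintext-key",
                         "inline private key is unencrypted; the .ovpn file is itself a credential"))
    if int(d.get("verb", ["1"])[-1] or 1) > 4:
        findings.append(("debug-verbosity", "verb above 4 is packet/debug-level logging"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_PROFILE), sep="\n")
```

The key produced by the `openssl rsa` conversion step is written without a passphrase, which is why the profile is reported as carrying a plaintext key.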
 
josu
Member Candidate
Topic Author
Posts: 152
Joined: Wed May 27, 2015 6:20 pm

Re: VPN to 443 port from Android

Tue Nov 15, 2016 10:05 am

Thanks!!!

It really works great! Thank you very much for the help.

Best regards.
 
ronaldb
just joined
Posts: 4
Joined: Wed Feb 17, 2016 4:51 pm

Re: VPN to 443 port from Android

Fri Mar 24, 2017 3:03 pm

Thank you @che, your explanation on creating this vpn is almost perfect, I wish that was in the wiki for ovpn!

Gr,
Ronald
