Jfdlew
just joined
Topic Author
Posts: 4
Joined: Thu Feb 22, 2018 4:43 am

Going to be traveling, need advice on remote/vpn connection

Thu Feb 22, 2018 6:15 am

Good evening. I'm going to be traveling in a few weeks and will need to be able to remote into one of my computers at home from my hotel. I want to get some configuration advice on the best way to achieve this since I'm new to RouterOS.

I have a 1GB/1GB fiber PPPOE connection wired directly into my RB750Gr3. The RB750Gr3 takes care of VLAN tagging, the PPPOE credentials, etc.
From there, the particular computer I will need to access is hard wired through a Cisco SG300-10PP switch.

I need to be able to remote desktop to this particular machine (Windows) from wherever I am. I figured a VPN set up might be the best option.

Any advice would be greatly appreciated, thanks!
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Going to be traveling, need advice on remote/vpn connection

Thu Feb 22, 2018 8:02 pm

My suggestion would be SSTP VPN; less chance of being blocked by firewalls.

https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
 
Jfdlew
just joined
Topic Author
Posts: 4
Joined: Thu Feb 22, 2018 4:43 am

Re: Going to be traveling, need advice on remote/vpn connection

Thu Feb 22, 2018 10:40 pm

Hmmm, doesn't look like macOS supports SSTP. I'll research it a bit more, thanks.

I configured L2TP/IPsec last night and have successfully connected using my iPhone and my MacBook. To make sure that there were no issues connecting off network, I had my brother connect from his place using an account I set up for him, and it looks to be working OK.

Unfortunately, remote desktop from my MacBook to my PC won't connect once I'm on the VPN. TeamViewer worked fine, but now it has me curious about what I'm missing, since it only fails to RDP when I'm on the VPN.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Going to be traveling, need advice on remote/vpn connection  [SOLVED]

Thu Feb 22, 2018 11:09 pm

Is your VPN on the same IP subnet as the LAN? If so, my suggestion would be to use a separate IP subnet for your VPN and then route between the networks.

Also make sure the firewall has input / forward chain rules allowing the VPN subnet to access the LAN and the router via VPN.

If you want, you can post the output from "export hide-sensitive" here; this will hide any passwords, etc. Then manually remove the serial number and software ID (should be at the top of the export output) and mask sensitive IPs such as the WAN IP by replacing the last two octets with xx.xx, i.e. 196.40.xx.xx, and we can see what needs changing / correcting and where.
 
Jfdlew
just joined
Topic Author
Posts: 4
Joined: Thu Feb 22, 2018 4:43 am

Re: Going to be traveling, need advice on remote/vpn connection

Thu Feb 22, 2018 11:47 pm

I very quickly set this up last night, so I didn't mess with the routing and set it up on the same subnet (192.168.0.0).

I'm new to this, be gentle :D But if you see anything glaringly obvious that I need to do for security, please let me know. Thanks!
/interface bridge
add admin-mac=xxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=vlan1 vlan-id=201
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 use-peer-dns=yes user=xxxxxxxxxxxxx
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.254
add name=vpn-pool ranges=192.168.0.100-192.168.0.105
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add dns-server=8.8.8.8,8.8.4.4 local-address=192.168.0.1 name=vpn-profile remote-address=vpn-pool
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input connection-state=new dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input connection-state=new dst-port=1701 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input connection-state=new dst-port=4500 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override local-address=192.168.0.1
/ip proxy
set cache-on-disk=yes enabled=yes parent-proxy=0.0.0.0 src-address=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=vpn profile=vpn-profile
add name=jason profile=vpn-profile
/system clock
set time-zone-name=America/Chicago
/system logging
add disabled=yes topics=ppp,pppoe,packet,debug
add action=disk disabled=yes topics=l2tp,ipsec,debug
add action=disk disabled=yes topics=ipsec,debug
/system note
set note="You are attempting to connect to a private network - Authorized administrators only. Access to this device is monitored."
/system routerboard mode-button
set enabled=no on-event=""
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

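The fix the thread arrives at (a separate VPN subnet), written out against the export above as an added example; this is not configuration from the original posts. It assumes 192.168.1.0/24 as the VPN subnet and 192.168.0.19 as the RDP target, both taken from the later posts, and adds the two firewall rules CZFan asks for. The comments explain why the same-subnet pool broke RDP: the Windows PC ARPs for 192.168.0.100 on the LAN wire, nothing answers because the VPN client is not on that segment, and the RDP SYN never enters the tunnel. With the pool on its own subnet the PC sends the reply to its default gateway 192.168.0.1, which owns the route to the L2TP client.

```routeros
# Added example, not from the original post. Moves the L2TP/IPsec clients to
# their own /24 (192.168.1.0/24 is an assumed choice) so the LAN hosts route
# replies via the router instead of ARPing for an address nobody answers.

/ip pool
add name=vpn-pool ranges=192.168.1.100-192.168.1.105

/ppp profile
# local-address is the router's end of each PPP link; it lives in the VPN
# subnet but outside the pool. Handing out the router as DNS lets clients
# resolve LAN names (router.lan); the posted profile used 8.8.8.8 instead.
set vpn-profile local-address=192.168.1.1 remote-address=vpn-pool dns-server=192.168.1.1

/interface l2tp-server server
# Bind the server to the VPN profile, so a secret that omits profile= still
# lands in the VPN subnet rather than in the "default" profile.
set default-profile=vpn-profile enabled=yes use-ipsec=yes

/ip firewall filter
# Input: defconf "drop all not coming from LAN" also drops VPN clients talking
# to the router itself (DNS on 192.168.1.1, Winbox). Admit them before it.
add action=accept chain=input comment="VPN clients to router" src-address=192.168.1.0/24 place-before=[find comment="defconf: drop all not coming from LAN"]
# Forward: the defconf forward chain has no final drop, so tunnel traffic to
# the LAN is forwarded anyway. Making it explicit and limiting it to RDP on
# the one host (192.168.0.19, from the thread) turns that into least privilege.
add action=accept chain=forward comment="VPN clients to RDP host" src-address=192.168.1.0/24 dst-address=192.168.0.19 protocol=tcp dst-port=3389
# iOS/macOS L2TP clients send all traffic through the tunnel by default;
# without this rule the drop below would cut their Internet access.
add action=accept chain=forward comment="VPN clients to Internet" src-address=192.168.1.0/24 out-interface-list=WAN
add action=drop chain=forward comment="drop other traffic from VPN clients" src-address=192.168.1.0/24

# Alternative if the pool must stay inside 192.168.0.0/24: proxy ARP on the
# interface holding 192.168.0.1/24 (ether2 in the posted export, normally the
# bridge) makes the router answer ARP on behalf of the PPP clients.
# /interface ethernet set ether2 arp=proxy-arp
```

The LAN to VPN return path needs no extra rule: replies from 192.168.0.19 are part of an established connection and are matched by the defconf fasttrack/established rules before any of the rules added here.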
 
Jfdlew
just joined
Topic Author
Posts: 4
Joined: Thu Feb 22, 2018 4:43 am

Re: Going to be traveling, need advice on remote/vpn connection - SOLVED

Fri Feb 23, 2018 1:53 am

Well, I feel like an idiot. I set the IP pool for the VPN to 192.168.1.100 - 192.168.1.105 and it worked on the first shot. I guess it never occurred to me (networking isn't my background) that there would be routing/gateway issues from having the VPN on the same subnet. I figured it would treat it just as if I was at home (this computer is 192.168.0.19 at home, 192.168.0.100 when remote on the VPN). Apparently not!

But, with that figured out, if you do see anything wrong with my config, or have any tips you could offer, I'm all ears. Thanks!
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Going to be traveling, need advice on remote/vpn connection

Fri Feb 23, 2018 2:29 am

IPsec may not work everywhere. Hotspots may block it. Hotels will likely allow it. Our international airport blocks all obvious VPNs like IPsec and PPTP.

https://www.softether.org/ is an "Open-Source Free Cross-platform Multi-protocol VPN Program".
It can be daunting to learn, but with that on your Mac you'd be able to use SSTP.
Sometimes I use this on Windows when I want a reliable "Always On" SSTP VPN for road warriors.

SSTP works over TCP and uses certificates. If you use this on port 443 then you'll have a lot of success getting through firewalls.
 
normis
MikroTik Support
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Going to be traveling, need advice on remote/vpn connection

Fri Feb 23, 2018 1:02 pm

If you bring a tiny router with you, like a mAP lite, then you can configure the SSTP client on the router and use all your devices through it. It can even work as a repeater when the only Internet is over wireless.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Going to be traveling, need advice on remote/vpn connection

Fri Feb 23, 2018 3:13 pm

> Hmmm, doesn't look like MacOS supports SSTP. I'll research it a bit more, thanks.
> ...

Personally I would then use OpenVPN; there is a client on iTunes.

The rest looks OK; some minor changes that I personally would make:

#Remove "connection-state=new" in the rules below
add action=accept chain=input connection-state=new dst-port=500 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input connection-state=new dst-port=1701 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input connection-state=new dst-port=4500 in-interface=pppoe-out1 protocol=udp

#Add in-interface-list=!WAN to the rule below; we do not want pings from the WAN side
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
Enjoy the travelling and travel safe!
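The input chain from the posted export, reordered and tightened along the lines of the two suggestions above, as an added example (not configuration from any of the posts). It assumes the VPN pool has been moved to 192.168.1.0/24 as in the solved post; the rule comments carry the reasoning, in particular why `connection-state=new` is redundant once established and invalid traffic have already been handled, and why L2TP is accepted only inside IPsec.

```routeros
# Added example, not from the original posts: the router's input chain in the
# order a hardened chain needs. First match wins, so order is part of policy.
/ip firewall filter
# 1. Established/related first: the hot path, and cheapest to match.
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
# 2. Drop invalid before any service rule, so malformed state never reaches them.
add action=drop chain=input comment="drop invalid" connection-state=invalid
# 3. IKE and NAT-T from the Internet. Matching the WAN interface list rather
#    than pppoe-out1 keeps the rule correct if the uplink interface changes.
#    No connection-state=new: after rules 1 and 2 every packet that gets here
#    is by construction the first packet of a flow, so the match adds nothing.
add action=accept chain=input comment="IKE" dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IPsec NAT-T" dst-port=4500 in-interface-list=WAN protocol=udp
# Raw ESP arrives when the client is not behind NAT; NAT-T wraps it in UDP 4500.
add action=accept chain=input comment="IPsec ESP" in-interface-list=WAN protocol=ipsec-esp
# 4. L2TP only after IPsec decryption: a cleartext UDP 1701 packet never
#    matches ipsec-policy=in,ipsec and falls through to the final drop.
add action=accept chain=input comment="L2TP inside IPsec only" dst-port=1701 ipsec-policy=in,ipsec protocol=udp
# 5. ICMP from the LAN and from VPN clients only; the Internet gets no replies.
add action=accept chain=input comment="ICMP from inside" in-interface-list=!WAN protocol=icmp
# 6. VPN clients may reach the router (DNS, Winbox). Assumes the VPN subnet
#    192.168.1.0/24 from the solved post.
add action=accept chain=input comment="VPN clients to router" src-address=192.168.1.0/24
# 7. Everything else that did not come from the LAN is dropped.
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
```

To apply this to the posted export, remove its existing input rules first (`/ip firewall filter remove [find chain=input]`) rather than appending, otherwise the old accept rules stay in front of the new ones.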
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)
Contact:

Re: Going to be traveling, need advice on remote/vpn connection

Fri Feb 23, 2018 3:16 pm

> if you bring a tiny router with you, like a mAP-lite, then you can configure the SSTP client on the router, and use all your devices through it. It can even work as a repeater, when the only internet is over wireless.

@Jfdlew, excellent suggestion above, I will use it too. Also, if you do go this way, then you can set up a site-to-site SSTP VPN between the MikroTiks and do not need certificates then.
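Both ends of the SSTP setup discussed in the Van9018, normis and CZFan posts above, as an added example (not configuration from any of the posts): an SSTP server on TCP 443 with its own CA on the home RB750Gr3, and an SSTP client on a travel router such as a mAP lite. The certificate names, the DDNS host vpn.example.invalid, the user "travel" and the placeholder password are assumptions. The server certificate matters because standard SSTP clients (Windows, SoftEther on the Mac) verify it, and because it is the only thing that stops a hotel network from impersonating the home router.

```routeros
# Added example, not from the original posts. Names and hostnames are assumed.

# --- Home router: private CA plus a server certificate ---
# The CN/SAN must match the name clients connect to. The PPPoE address
# changes, so use a DDNS name (e.g. /ip cloud set ddns-enabled=yes) for it.
/certificate
add name=home-ca-tpl common-name=home-ca key-usage=key-cert-sign,crl-sign days-valid=3650
sign home-ca-tpl name=home-ca
add name=home-sstp-tpl common-name=vpn.example.invalid subject-alt-name=DNS:vpn.example.invalid key-usage=digital-signature,key-encipherment,tls-server days-valid=3650
sign home-sstp-tpl ca=home-ca name=home-sstp
# Export only the CA's public certificate (no passphrase = no private key)
# for installation on the clients.
export-certificate home-ca

# --- Home router: SSTP server on 443 ---
# 443 must be free on the router (www-ssl is off by default; check with
# /ip service print). force-aes and pfs refuse weak TLS ciphersuites.
/interface sstp-server server
set enabled=yes port=443 certificate=home-sstp authentication=mschap2 default-profile=vpn-profile force-aes=yes pfs=yes

/ppp secret
# Replace CHANGEME with a long random secret; it is the only client credential.
add name=travel password=CHANGEME profile=vpn-profile service=sstp

/ip firewall filter
add action=accept chain=input comment="SSTP" dst-port=443 in-interface-list=WAN protocol=tcp place-before=[find comment="defconf: drop all not coming from LAN"]

# --- Travel router (mAP lite): SSTP client ---
# Upload the exported CA file and import it first:
#   /certificate import file-name=cert_export_home-ca.crt
# so verify-server-certificate=yes has a trust anchor to check against.
/interface sstp-client
add name=sstp-home connect-to=vpn.example.invalid:443 user=travel password=CHANGEME profile=default-encryption authentication=mschap2 verify-server-certificate=yes add-default-route=yes disabled=no
```

CZFan's point that two RouterOS devices can run SSTP without certificates is the no-certificate server mode, which only RouterOS clients accept; the cost is that the client then cannot tell the home router from anything else answering on that name, so for a laptop on hotel Wi-Fi keep the certificate and leave `verify-server-certificate=yes`.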
 
haik01
Member
Posts: 404
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: Going to be traveling, need advice on remote/vpn connection

Sat Feb 24, 2018 3:19 pm

And another interesting feature of what normis suggests:

Last vacation I was on the Canary Islands... and the hotel had 30 minutes of free Internet. After that it blocks it.

I found out it does that based on MAC address. So if you make a scheduler that adds one to the WiFi MAC address, then the hotel "thinks" that there is a new connected client. Worked perfectly for one week (after that the vacation was over.... :( )
