RackKing
Member
Topic Author
Posts: 310
Joined: Wed Oct 09, 2013 1:59 pm

Router access with Winbox using VPN

Sat Nov 09, 2019 11:45 pm

Just looking for confirmation and/or recommendations to further harden.

For remote access, I am planning on using a L2TP/IPSec VPN connection. I am planning on giving the admin VPN user a specific IP address say 192.168.88.5. Then allow that IP address via a firewall filter input rule access to Winbox port 8291. Am I missing anything? Should I consider a port knock on prior to allowing a VPN connection?

Any recommendations welcome.
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Router access with Winbox using VPN  [SOLVED]

Sun Nov 10, 2019 12:11 am

> Should I consider a port knock on prior to allowing a VPN connection?
That's not needed. L2TP+IPSec will be secure enough.
> Then allow that IP address via a firewall filter input rule access to Winbox port 8291.
Or you can allow access from the l2tp-in interface created for that user instead.
 
RackKing
Member
Topic Author
Posts: 310
Joined: Wed Oct 09, 2013 1:59 pm

Re: Router access with Winbox using VPN

Sun Nov 10, 2019 12:23 am

> Should I consider a port knock on prior to allowing a VPN connection?
> That's not needed. L2TP+IPSec will be secure enough.
> Then allow that IP address via a firewall filter input rule access to Winbox port 8291.
> Or you can allow access from the l2tp-in interface created for that user instead.
Thank you for this - are you saying add the user to an interface list? It looks like you can specify an interface list in the profile. I would need to create different VPN profiles as opposed to default. Do I have that right?
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Router access with Winbox using VPN

Sun Nov 10, 2019 9:49 am

> Thank you for this - are you saying add the user to an interface list? It looks like you can specify an interface list in the profile. I would need to create different VPN profiles as opposed to default. Do I have that right?
You can create "L2TP Server Binding" interfaces for every user that needs to be static, and then use these interfaces in interface lists, firewall, etc.
Also you can use the "all ppp" option in the firewall's in-interface/out-interface matchers.

No need for different profiles: one profile - multiple secrets (users).
L2TP Server Binding is tied to the particular secret (user).
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router access with Winbox using VPN

Sun Nov 10, 2019 10:54 am

The server interface binding is a straightforward concept but it can be used only with L2TP; the addition of the dynamically created interface to the interface list specified in the /ppp profile can be used with any PPP-based protocol, i.e. also SSTP, PPPoE, OVPN...
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
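Putting xvo's static binding approach and sindy's profile interface-list approach together in RouterOS CLI, as an added example that is not configuration posted by either of them; the 192.168.88.5 address comes from the first post, while the user name admin-vpn, the profile and list names, the local address and the placeholder password are assumptions:

```routeros
# Constructed example (not from the thread): one admin L2TP/IPsec user that is
# the only source allowed to reach Winbox (TCP 8291) on this router.

# One profile serves every secret. Any dynamic PPP interface created for a user
# of this profile is added to the interface list "vpn-admins" automatically.
/interface list add name=vpn-admins
/ppp profile add name=l2tp-admin local-address=192.168.88.1 \
    interface-list=vpn-admins

# The secret (user). The static remote address belongs on the secret, not on
# the profile, so that each user can have a distinct fixed address.
/ppp secret add name=admin-vpn password=CHANGE-ME-placeholder \
    profile=l2tp-admin service=l2tp remote-address=192.168.88.5

# Optional "L2TP Server Binding": a static interface tied to that secret, so
# the interface name survives reconnects and can be referenced directly.
/interface l2tp-server add name=l2tp-admin-vpn user=admin-vpn
/interface list member add list=vpn-admins interface=l2tp-admin-vpn

# Winbox is reachable only from the admin VPN interface(s); every other
# attempt to reach 8291 on the input chain is dropped.
# (src-address=192.168.88.5 or in-interface=all-ppp are the alternative
# matchers the thread mentions.)
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface-list=vpn-admins comment="Winbox from admin VPN only"
add chain=input action=drop protocol=tcp dst-port=8291 \
    comment="Winbox from anywhere else"
```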
 
RackKing
Member
Topic Author
Posts: 310
Joined: Wed Oct 09, 2013 1:59 pm

Re: Router access with Winbox using VPN

Sun Nov 10, 2019 3:38 pm

> Thank you for this - are you saying add the user to an interface list? It looks like you can specify an interface list in the profile. I would need to create different VPN profiles as opposed to default. Do I have that right?
> You can create "L2TP Server Binding" interfaces for every user that needs to be static, and then use these interfaces in interface lists, firewall, etc.
> Also you can use the "all ppp" option in the firewall's in-interface/out-interface matchers.
>
> No need for different profiles: one profile - multiple secrets (users).
> L2TP Server Binding is tied to the particular secret (user).
Ah - got it. Thanks.
 
KarelVDM
just joined
Posts: 11
Joined: Mon Jun 24, 2019 4:31 pm

Re: Router access with Winbox using VPN

Wed Nov 13, 2019 7:47 pm

Evening,

I'm to accomplish exactly this. Is there any example of what the firewall rules should look like?

Karel
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Router access with Winbox using VPN

Wed Nov 13, 2019 8:20 pm

> Evening,
>
> I'm to accomplish exactly this. Is there any example of what the firewall rules should look like?
>
> Karel
For L2TP+IPSec these ports have to be open:
1) UDP 1701 - for L2TP
2) UDP 500 - for IPSec
and UDP 4500 - for IPSec with NAT-traversal, in case clients are behind the NAT, which most likely is the case, because otherwise there's no real point to use L2TP at all.
Last edited by xvo on Thu Nov 14, 2019 2:33 am, edited 1 time in total.
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router access with Winbox using VPN

Wed Nov 13, 2019 8:37 pm

> in case clients are behind the NAT, which most likely is the case, because otherwise there's no real point to use L2TP at all.
Can you be more verbose regarding this thought, please?
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Router access with Winbox using VPN

Wed Nov 13, 2019 9:06 pm

> in case clients are behind the NAT, which most likely is the case, because otherwise there's no real point to use L2TP at all.
> Can you be more verbose regarding this thought, please?
Clients that can benefit from dial-in behaviour (PCs, phones, other personal devices) are always behind at least one layer of NAT.
For sure I can imagine use cases for L2TP between two devices with public addresses too, but these are scenarios where building a symmetrical tunnel is impossible for some reason.
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router access with Winbox using VPN

Wed Nov 13, 2019 9:21 pm

> For sure I can imagine use cases for L2TP between two devices with public addresses too, but these are scenarios where building a symmetrical tunnel is impossible for some reason.
OK, but what you write is relevant for L2TP without IPsec, because it is the only one of the "only tunneling" (i.e. without encryption) protocols which can traverse NAT nicely (leaving PPTP aside because only one PPTP client of a given server can connect from behind each public IP). Once you add IPsec into the picture, you don't need L2TP to traverse the NAT any more, because IPsec can take care of it itself, so you can have IPIP, GRE, EoIP between a client behind a NAT and the VPN server. For all the gadgets you have listed (where IPIP, GRE, EoIP are unlikely to be supported), IKEv2 can be used without wasting part of the MTU for the L2TP encapsulation. And L2TP, the way it has been glued to IPsec (i.e. using transport mode of the SA), suffers from the same issue as PPTP - only one client of a given server can be connected from behind the same public IP. This limitation doesn't exist for L2TP without IPsec, and doesn't exist for IPsec without L2TP :)

So all in all, I do not see the need to traverse NAT as a reason to use L2TP/IPsec.
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Router access with Winbox using VPN

Wed Nov 13, 2019 10:03 pm

> For sure I can imagine use cases for L2TP between two devices with public addresses too, but these are scenarios where building a symmetrical tunnel is impossible for some reason.
> OK, but what you write is relevant for L2TP without IPsec, because it is the only one of the "only tunneling" (i.e. without encryption) protocols which can traverse NAT nicely (leaving PPTP aside because only one PPTP client of a given server can connect from behind each public IP). Once you add IPsec into the picture, you don't need L2TP to traverse the NAT any more, because IPsec can take care of it itself, so you can have IPIP, GRE, EoIP between a client behind a NAT and the VPN server. For all the gadgets you have listed (where IPIP, GRE, EoIP are unlikely to be supported), IKEv2 can be used without wasting part of the MTU for the L2TP encapsulation. And L2TP, the way it has been glued to IPsec (i.e. using transport mode of the SA), suffers from the same issue as PPTP - only one client of a given server can be connected from behind the same public IP. This limitation doesn't exist for L2TP without IPsec, and doesn't exist for IPsec without L2TP :)
>
> So all in all, I do not see the need to traverse NAT as a reason to use L2TP/IPsec.
OK, I never wrote that the point of L2TP+IPSec is to traverse NAT; I simply stated that if somebody is going to use L2TP+IPSec, it will most likely be used by clients from behind NAT, so opening port 4500 is enough, no need to open both 4500 and 500. That's all :)
 
sindy
Forum Guru
Posts: 4189
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router access with Winbox using VPN

Wed Nov 13, 2019 10:23 pm

> so opening port 4500 is enough, no need to open both 4500 and 500.
I apologize, but leaving aside my understanding of your "otherwise there's no real point to use L2TP at all", the above statement is simply wrong. You are perfectly right that an IKEv2 responder MUST always listen on 4500, and thus an IKEv2 initiator may initiate connections directly towards the responder's port 4500 (which RouterOS actually does), but L2TP comes bundled with IKE(v1), and there the initiator always contacts the responder at port 500, so the responder MUST listen there. The IKE(v1) session only migrates to port 4500 if the NAT-T extension finds out that the NAT is there.
 
xvo
Long time Member
Posts: 631
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Router access with Winbox using VPN

Thu Nov 14, 2019 2:32 am

> so opening port 4500 is enough, no need to open both 4500 and 500.
> I apologize, but leaving aside my understanding of your "otherwise there's no real point to use L2TP at all", the above statement is simply wrong. You are perfectly right that an IKEv2 responder MUST always listen on 4500, and thus an IKEv2 initiator may initiate connections directly towards the responder's port 4500 (which RouterOS actually does), but L2TP comes bundled with IKE(v1), and there the initiator always contacts the responder at port 500, so the responder MUST listen there. The IKE(v1) session only migrates to port 4500 if the NAT-T extension finds out that the NAT is there.
Yes, my mistake.
You are right, as always. :)
I think the last few times I configured an L2TP server, the rule for port 500 was already in place for other types of tunnels, so it slipped my mind.
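The input rules implied by xvo's port list, with sindy's correction that UDP 500 must stay open because IKE(v1) always starts there, as an added example not posted in the thread. The WAN interface list name is an assumption, and two items go beyond what the thread states: an ESP rule for clients that are not behind NAT, and an ipsec-policy matcher so that UDP 1701 is only accepted once it has been decapsulated from IPsec.

```routeros
# Constructed example (not from the thread): input-chain rules for a RouterOS
# L2TP/IPsec server. "WAN" is an assumed interface list name.
/ip firewall filter

# IKE(v1) initiators always contact the responder on UDP 500 first, so this
# rule is needed even when every client sits behind a NAT.
add chain=input action=accept protocol=udp dst-port=500 \
    in-interface-list=WAN comment="IKE"

# NAT-T: IKE migrates to UDP 4500 and ESP is UDP-encapsulated there once a
# NAT has been detected between initiator and responder.
add chain=input action=accept protocol=udp dst-port=4500 \
    in-interface-list=WAN comment="IPsec NAT-T"

# Added caveat: a client with a public address and no NAT in the path sends
# native ESP (IP protocol 50), which neither UDP rule above matches.
add chain=input action=accept protocol=ipsec-esp \
    in-interface-list=WAN comment="ESP without NAT-T"

# L2TP (UDP 1701) is accepted only for packets that arrived inside an IPsec
# SA; plain, unencrypted L2TP from the internet falls through to the drop.
add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="L2TP inside IPsec only"
add chain=input action=drop protocol=udp dst-port=1701 \
    comment="plain L2TP from the internet"
```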
