Adephx
newbie
Topic Author
Posts: 48
Joined: Sat Sep 30, 2017 11:55 am

VPN with TUN interface

Mon Dec 14, 2020 11:03 pm

Has anyone managed to successfully set their Mikrotik router to serve as a VPN server with 100% physical LAN emulation? The documentation is scarce. I'm trying to stay away from the available solutions, such as ZeroTier, LogMeIn, etc., and there don't seem to be any solutions that allow you to run your own dedicated VPN (with TUN) server, with the exception of perhaps tinc.

I'm currently using the SSTP protocol to establish a connection with my friends and I've set the profile to use the default DHCP server, so that all of the clients are within the same /24 ip range as my local machines. Connecting directly works in most games, but not all and broadcasting just plain doesn't work.

From what I understand SSTP doesn't really support L2/L3 subnet broadcasting, so my only solution seems to be OpenVPN. I've read through a metric tonne of posts so far and none seem to offer a clean answer.

Can someone guide me through setting something that would allow us to connect together and play games as if we were in the same physical network? If possible I would like to use the Mikrotik as the server, so SSTP/OpenVpn. I can also use my Raspberry as the server in case anyone has any experience with tinc.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: VPN with TUN interface

Tue Dec 15, 2020 12:51 am

You have confused TUN (layer 3 / IP) with TAP (layer 2 / ethernet).

None of the layer 3 VPNs (L2TP, PPTP, SSTP, IPsec or OpenVPN TUN) will route broadcasts, however as you have found you can use the same IP range on the local LAN and remote VPN client using proxy-arp.

If you need real layer 2 connectivity the options are either OpenVPN TAP, EoIP (Mikrotik proprietary protocol based on GRE), or BCP which is available for any PPP-like VPNs (L2TP, PPTP, SSTP).

There are examples in the wiki.
 
Adephx
newbie
Topic Author
Posts: 48
Joined: Sat Sep 30, 2017 11:55 am

Re: VPN with TUN interface

Tue Dec 15, 2020 8:30 am

Am I right to assume that BCP only supports router to router connections? In other words I need a BCP capable router on the other side as well to act as a client?
OpenVPN TAP should be fine for router to client connections > hassle free on the client side, because I can't expect my friends to reconfigure their routers completely?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN with TUN interface

Tue Dec 15, 2020 10:08 am

Worse than that, I don't know any other router supporting BCP than Mikrotik (there's L2TPv3 on Cisco but despite its similar name, it doesn't make friends with L2TP/BCP on Mikrotik).

OpenVPN in TAP mode is the only VPN known to me which can run on a PC and support L2 tunneling, but OpenVPN in RouterOS 6.x only supports TCP as transport, which has some drawbacks and depending on the internet connection quality in your region, these may affect the gaming experience.

You might consider using something like hAP lite or hAP mini as an add-on to your friends' routers. In that case, L2TP/IPsec with BCP, or EoIP/IPsec would be the best options, as both use UDP as transport.

But among many downsides of L2 tunnels, there's also the security one - malware can spread easily in such environment.
 
Adephx
newbie
Topic Author
Posts: 48
Joined: Sat Sep 30, 2017 11:55 am

Re: VPN with TUN interface

Tue Dec 15, 2020 10:53 am

One last question. I have managed to set an OpenVPN TAP connection, but I can not ping or access my network maps, unless I set the OpenVPN Profile to "bridge". Is this the correct approach? I am intentionally using the default DHCP, because I want us to be within the same IP range, even though broadcasting should in theory work even if I use a different subnet for OpenVPN, as long as I'm not intentionally dropping connections?

Interface
/interface ovpn-server server
set auth=sha1 certificate=OpenVPN-Server cipher=aes256 default-profile=OpenVPN enabled=yes mode=ethernet require-client-certificate=yes

Interface Secret
/ppp secret
add name=username profile=OpenVPN service=ovpn

Interface Profile
/ppp profile
add bridge=bridge local-address=default-dhcp name=OpenVPN remote-address=default-dhcp use-encryption=required

OpenVPN
client
dev tap
proto tcp
remote 0000000000000.sn.mynetname.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca OpenVPN-CA.crt
cert OpenVPN-Client.crt
key OpenVPN-Client.key
remote-cert-tls server
auth SHA1
auth-user-pass Secret
auth-nocache
cipher AES-256-CBC
verb 3
redirect-gateway def1
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN with TUN interface

Tue Dec 15, 2020 12:18 pm

One last question. I have managed to set an OpenVPN TAP connection, but I can not ping or access my network maps, unless I set the OpenVPN Profile to "bridge". Is this the correct approach? I am intentionally using the default DHCP, because I want us to be within the same IP range, even though broadcasting should in theory work even if I use a different subnet for OpenVPN, as long as I'm not intentionally dropping connections?
Yes, the OpenVPN implementation on RouterOS handles the OpenVPN tunnels the same way it handles PPP-based tunnels. This means the L2 tunnel must be made a member port of a bridge, and the way to indicate which bridge to use is via /ppp profile.

I don't know what you mean by "network maps".

Regarding use of default-dhcp as a pool for local-address - in theory, you should not need any local-address in the /ppp secret since you are using L2/TAP/Ethernet mode and the Windows client exclusively uses either L3 or L2 tunnel, not both (whereas PPP can use IPCP, BCP and MPLSCP simultaneously). If it doesn't work without specifying a local-address and remote-address on the /ppp profile or /ppp secret rows, I'd rather use some pools (subnets) not related to the subnet used on the bridge, to avoid confusion. The client would then use DHCP to obtain its address. But I may be wrong here, someone regularly using OpenVPN on Mikrotik would be better as an information source.
 
Adephx
newbie
Topic Author
Posts: 48
Joined: Sat Sep 30, 2017 11:55 am

Re: VPN with TUN interface

Tue Dec 15, 2020 2:30 pm

Network maps as: \\192.168.88.254\Folder
If I don't set the Local Address, the OpenVPN client refuses to connect. I guess what you are saying is that it would be better to add a new subnet and bind it to the OpenVPN Profile, so that I can clearly see what is connected to the physical network and what isn't? I would then have to make a firewall rule and drop everything that is trying to connect to my main subnet, with the exception of the machine that should be able to communicate with both subnets?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN with TUN interface

Tue Dec 15, 2020 3:45 pm

Network maps as: \\192.168.88.254\Folder
OK, so it's from the Windows world. Sorry, I don't have English-speaking Windows so the term was not familiar to me.

If I don't set the Local Address, the OpenVPN client refuses to connect. I guess what you are saying is that it would be better to add a new subnet and bind it to the OpenVPN Profile, so that I can clearly see what is connected to the physical network and what isn't? I would then have to make a firewall rule and drop everything that is trying to connect to my main subnet, with the exception of the machine that should be able to communicate with both subnets?
Well, you don't need to add any subnet to the router separately, it is enough to set an unused address outside any used subnet as the local-address of the profile/secret. As said, I assume it's RouterOS that needs this address to be set at all; the OpenVPN client on the PC should not use it when in TAP mode.

Regarding firewall rules, of course the /ip firewall filter rules should prevent the VPN clients from accessing your router's management interface, and if you have multiple LAN subnets, also from accessing all these subnets. Packets coming via the L2 tunnel to addresses within the gaming subnet will bypass the IP firewall. If you don't have a dedicated subnet for gaming and bridge the common LAN subnet to your friends, your devices not used for gaming are endangered too.
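As an added illustration of the point above (this is not sindy's configuration and not from the thread), the following RouterOS script restricts OpenVPN TAP clients the way described: no access to the router's management services, no routed access to the main LAN except the shared-folder host, and a bridge filter for the L2 frames the IP firewall never sees. It assumes the thread's addresses (main LAN 192.168.88.0/24 on the bridge named bridge, shared-folder host 192.168.88.254, VPN pool 192.168.87.0/24), a PPP secret named username, and SMB on TCP 445; the interface name ovpn-friend1 and the list name VPN are made up.

```routeros
# Added example, not the thread's own config. Assumed: LAN 192.168.88.0/24 on "bridge",
# VPN clients get 192.168.87.0/24, file server 192.168.88.254, PPP secret "username".

# Bind the dynamic OpenVPN interface of secret "username" to a static name so it can
# be put in an interface list; repeat for each friend / secret.
/interface ovpn-server add name=ovpn-friend1 user=username
/interface list add name=VPN comment="OpenVPN TAP clients"
/interface list member add interface=ovpn-friend1 list=VPN

# Traffic arriving on a bridge port is matched with in-bridge-port-list, not in-interface
# (in-interface would be "bridge" for every port).
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-bridge-port-list=VPN protocol=udp dst-port=67,53 \
    comment="VPN clients may only use DHCP and DNS on the router"
add chain=input action=drop in-bridge-port-list=VPN \
    comment="no WinBox/SSH/WWW/API from VPN clients"
add chain=forward action=accept in-bridge-port-list=VPN dst-address=192.168.88.254 \
    protocol=tcp dst-port=445 comment="shared-folder host stays reachable (SMB)"
add chain=forward action=drop in-bridge-port-list=VPN dst-address=192.168.88.0/24 \
    comment="everything else in the main LAN is off limits to VPN clients"

# Frames bridged between ports never reach /ip firewall. Stop a VPN client from simply
# configuring itself a 192.168.88.x address and talking to the LAN at layer 2.
/interface bridge filter
add chain=forward action=drop in-interface-list=VPN mac-protocol=ip \
    src-address=!192.168.87.0/24 comment="VPN clients must use their pool address"
add chain=forward action=drop in-interface-list=VPN mac-protocol=arp \
    arp-src-address=!192.168.87.0/24 comment="no ARP for other subnets from VPN"
```

Rule order matters: the accept for 192.168.88.254 must sit above the drop for 192.168.88.0/24, and a dedicated gaming bridge with its own subnet would make the bridge filter part unnecessary.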
 
Adephx
newbie
Topic Author
Posts: 48
Joined: Sat Sep 30, 2017 11:55 am

Re: VPN with TUN interface

Tue Dec 15, 2020 4:19 pm

I've run into a slight issue. It seems that the OpenVPN Local Address is used as the Default Gateway. I've created a new pool "192.168.87.2-192.168.88.254" and bound it to the OpenVPN profile, I've also set the OpenVPN Local Address to 192.168.87.1.

The issue I now have is that I can no longer communicate between the subnets > 192.168.88.0/24 and 192.168.87.0/24. I can ping and access the gateway on either 192.168.88.1 or 192.168.87.1 but devices can not communicate between the subnets.

I'm assuming that the issue lies with the Default Gateway, but if I set the OpenVPN Profile Local Address to 192.168.88.1, the client refuses to connect.

Any ideas?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: VPN with TUN interface  [SOLVED]

Wed Dec 16, 2020 11:41 pm

Throughout this thread you mention you are using Windows as client devices and by default, Windows firewall blocks incoming packets not on local subnet.

Check Windows firewall
 
Adephx
newbie
Topic Author
Posts: 48
Joined: Sat Sep 30, 2017 11:55 am

Re: VPN with TUN interface

Thu Dec 17, 2020 12:06 am

Throughout this thread you mention you are using Windows as client devices and by default, Windows firewall blocks incoming packets not on local subnet.

Check Windows firewall
I'll be damned, that was it, it was the firewall on the machine I was trying to access. Is there an easy way to bypass this, without setting firewall rules? For example adding the machine to both subnets?
 
r00t
Long time Member
Posts: 672
Joined: Tue Nov 28, 2017 2:14 am

Re: VPN with TUN interface

Thu Dec 17, 2020 12:54 am

Haven't tried this myself, but OpenVPN can execute some commands on connection, so it should be possible to use netsh.exe to create the firewall rule on connect.
Or telling Windows the TAP interface is "home network" may also work.
 
Adephx
newbie
Topic Author
Posts: 48
Joined: Sat Sep 30, 2017 11:55 am

Re: VPN with TUN interface

Thu Dec 17, 2020 9:50 am

I've used the following commands to change the VPN Adapter to Private, but it doesn't help so far. I'll post the solution when I figure it out.

1. Run PowerShell (elevated rights)
2. Enter commands:
Get-NetConnectionProfile
Set-NetConnectionProfile -InterfaceIndex replace_this_with_index_number -NetworkCategory Private
 
zonhub
just joined
Posts: 2
Joined: Thu Nov 29, 2018 9:52 pm

Re: VPN with TUN interface

Fri Apr 16, 2021 3:32 am

One last question. I have managed to set an OpenVPN TAP connection, but I can not ping or access my network maps, unless I set the OpenVPN Profile to "bridge". Is this the correct approach? I am intentionally using the default DHCP, because I want us to be within the same IP range, even though broadcasting should in theory work even if I use a different subnet for OpenVPN, as long as I'm not intentionally dropping connections?

Interface
/interface ovpn-server server
set auth=sha1 certificate=OpenVPN-Server cipher=aes256 default-profile=OpenVPN enabled=yes mode=ethernet require-client-certificate=yes

Interface Secret
/ppp secret
add name=username profile=OpenVPN service=ovpn

Interface Profile
/ppp profile
add bridge=bridge local-address=default-dhcp name=OpenVPN remote-address=default-dhcp use-encryption=required

OpenVPN
client
dev tap
proto tcp
remote 0000000000000.sn.mynetname.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca OpenVPN-CA.crt
cert OpenVPN-Client.crt
key OpenVPN-Client.key
remote-cert-tls server
auth SHA1
auth-user-pass Secret
auth-nocache
cipher AES-256-CBC
verb 3
redirect-gateway def1
Hello Adephx,
Just writing here in order to thank you for your post. I implemented the same configuration on my Mikrotik router and it worked!
I also wanted to be able to broadcast/multicast packages. More concretely, I wanted to be able to cast videos on my SmartTV even if I am not physically at home (being able to cast videos to kids and the elderly while not being directly connected to the same wifi network).
And yes, thanks also to sindy, CZFan and all the others.
