Community discussions

swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Double NAT & no public IP for VPN

Sat Jan 02, 2021 1:37 pm

Hello, this is my first post, and I want to say Mikrotik is awesome: disruptive price in my country, best price per performance!

But I have a problem with VPN. My ISP gives me only a private IP address, and it's double NAT (the first 2 hops are private IPs).

I tried almost everything and it doesn't work: PPTP, SSTP, OpenVPN.
I also tried using Mikrotik IP Cloud as the target IP for the VPN; it doesn't work.

I searched the whole internet and here is my conclusion; I need to make sure it will work:
1. If I set up a VPS and configure OpenVPN as a server, will it route between 2 Mikrotik routers as VPN clients?
2. If I upgrade my ISP subscription to one which includes a dynamic public IP, will it work?
3. I read about setting up some kind of domain routing, like a VPS or web page, but at an affordable price; does anyone know about it? I'm not good at web things; basically it makes your router have a public IP that can act as the VPN destination.
4. Is there any other option?

So far I'm using an RPi + Ngrok, but I'm planning to change all 12 routers to Mikrotik and I'm afraid this must be halted for a moment.
 
hgonzale
Member Candidate
Posts: 272
Joined: Thu Nov 06, 2014 1:12 pm
Location: Fuengirola, Spain

Re: Double NAT & no public IP for VPN

Sat Jan 23, 2021 11:18 pm

Hello my friend. If both "routers" are "inside" the network (no public IP) and you can't redirect ports, it is IMPOSSIBLE for them to reach each other. Both are inside, and it is not possible for both to communicate directly.

The only "way" is finding somebody with a public IP who allows you to connect BOTH routers to HIS router and cross the traffic in the "middle" router.
 
RomelSan
newbie
Posts: 37
Joined: Fri Jul 06, 2012 1:53 am

Re: Double NAT & no public IP for VPN  [SOLVED]

Sun Jan 24, 2021 5:52 am

I am in the same scenario and solved it by:
|Site 1| --> |Internet| --> |Ubuntu OpenVPN| --> |Site 2|, |Site 3|, |Site 4| All of them can ping the other sites.

1. Use a VPS (Ubuntu LTS) with a static public IP. --> Mine is vultr.com; get the cheapest VPS that gives you a static IPv4.
2. Install OpenVPN
3. Connect Mikrotik as a client to the Ubuntu server
4. Configure routing between sites
Done.

Keep in mind that you should learn to set up OpenVPN in Linux; it will take a couple of days but it is worth the trouble.
If you need help then PM me.

Notes:
Mikrotik supports the following config for OpenVPN:
cipher AES-256-CBC
auth SHA1          # only MD5 or SHA1 is supported by Mikrotik
proto tcp          # must be TCP; UDP is not supported by Mikrotik
# tls-auth         # not supported
# comp-lzo         # not supported
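The hub-and-spoke layout in the post above (VPS hub, RouterOS spokes behind ISP NAT, routing between the spokes' LANs) is usually where people get stuck at step 4, because the hub needs both a kernel route and an OpenVPN-internal `iroute` for every spoke LAN. The script below is an added example, not RomelSan's own files and not anything from MikroTik: it writes a `server.conf` that stays inside the RouterOS limits listed in the post (TCP, AES-256-CBC, SHA1, no tls-auth, no compression) plus one client-config-dir file per site, and refuses site lists whose LAN subnets overlap, which is the classic failure when every branch ships with 192.168.1.0/24. The site names, subnets, tunnel network and output path are constructed assumptions.

```python
"""Write the OpenVPN hub configuration for a VPS that terminates tunnels from
several RouterOS routers behind ISP NAT and routes between their LANs.
Example code added to the thread; not RomelSan's or MikroTik's own files."""
import ipaddress
from pathlib import Path

# Constructed example sites: (certificate CN, LAN subnet behind that site, tunnel IP).
SITES = [
    ("site1", "192.168.1.0/24", "10.8.0.11"),
    ("site2", "192.168.2.0/24", "10.8.0.12"),
    ("site3", "192.168.3.0/24", "10.8.0.13"),
]
TUNNEL_NET = "10.8.0.0/24"  # assumed hub tunnel network


def validate_sites(sites, tunnel_net=TUNNEL_NET):
    """Refuse overlapping LAN subnets or reused tunnel IPs: with the same
    192.168.1.0/24 at two sites the hub cannot tell which spoke owns it."""
    net = ipaddress.ip_network(tunnel_net)
    seen_tunnel, lans = set(), []
    for cn, lan, tun in sites:
        lan_net = ipaddress.ip_network(lan)
        tun_ip = ipaddress.ip_address(tun)
        if tun_ip not in net:
            raise ValueError(f"{cn}: tunnel IP {tun} is outside {tunnel_net}")
        if tun_ip in seen_tunnel:
            raise ValueError(f"{cn}: tunnel IP {tun} already assigned")
        seen_tunnel.add(tun_ip)
        for other_cn, other_net in lans:
            if lan_net.overlaps(other_net):
                raise ValueError(f"{cn}: LAN {lan} overlaps {other_cn} ({other_net})")
        lans.append((cn, lan_net))
    return True


def server_conf(sites, tunnel_net=TUNNEL_NET, ccd_dir="ccd"):
    validate_sites(sites, tunnel_net)
    net = ipaddress.ip_network(tunnel_net)
    lines = [
        "port 1194",
        "proto tcp-server",    # RouterOS v6 clients speak OpenVPN over TCP only
        "dev tun",
        "topology subnet",     # assumption: one shared /24 with a fixed address per spoke
        f"server {net.network_address} {net.netmask}",
        "cipher AES-256-CBC",  # the cipher the post lists as supported
        "auth SHA1",           # post: RouterOS accepts MD5 or SHA1 only; SHA1 is the better of the two
        # no tls-auth/tls-crypt and no comp-lzo: the RouterOS client does not support them
        "ca ca.crt", "cert server.crt", "key server.key", "dh dh.pem",
        "remote-cert-tls client",  # refuse a leaked server certificate presented as a client
        f"client-config-dir {ccd_dir}",
        "client-to-client",    # spoke-to-spoke traffic is switched inside OpenVPN
        "keepalive 10 60",
        "persist-key", "persist-tun",
        "user nobody", "group nogroup",  # drop root after the tun device is up
        "verb 3",
    ]
    # The hub's kernel needs a route per spoke LAN pointing into the tun device.
    for _cn, lan, _tun in sites:
        lan_net = ipaddress.ip_network(lan)
        lines.append(f"route {lan_net.network_address} {lan_net.netmask}")
    return "\n".join(lines) + "\n"


def ccd_file(lan, tunnel_ip, tunnel_net=TUNNEL_NET):
    """Per-client file named after the certificate CN: fixed tunnel IP plus
    an iroute so OpenVPN knows which client session owns that LAN."""
    net = ipaddress.ip_network(tunnel_net)
    lan_net = ipaddress.ip_network(lan)
    return (f"ifconfig-push {tunnel_ip} {net.netmask}\n"
            f"iroute {lan_net.network_address} {lan_net.netmask}\n")


def write_bundle(out_dir, sites=SITES):
    out = Path(out_dir)
    (out / "ccd").mkdir(parents=True, exist_ok=True)
    (out / "server.conf").write_text(server_conf(sites))
    for cn, lan, tun in sites:
        (out / "ccd" / cn).write_text(ccd_file(lan, tun))
    return sorted(p.name for p in (out / "ccd").iterdir())


if __name__ == "__main__":
    print(write_bundle("/tmp/ovpn-hub"))  # hypothetical output directory
```

Two caveats from the RouterOS side, both my own and not stated in the thread: the v6 `ovpn-client` (roughly `/interface ovpn-client add connect-to=<VPS IP> port=1194 mode=ip certificate=site1 cipher=aes256 auth=sha1 add-default-route=no`, names assumed) ignores routes pushed by the server, so each router needs its own static `/ip route add dst-address=192.168.2.0/24 gateway=<ovpn interface>` for every other site; and because the client cannot do tls-auth, the TLS handshake on 1194/tcp is reachable by anyone, so keep client authentication on certificates issued by your own CA and restrict the VPS firewall to that port and SSH.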
 
gotsprings
Forum Guru
Posts: 2118
Joined: Mon May 14, 2012 9:30 pm

Re: Double NAT & no public IP for VPN

Sun Jan 24, 2021 4:31 pm

Pay the upgrade for the public IP.

The netname from IP Cloud updates every 60 seconds and will work just fine for DNS resolution to reach your router... ONCE YOU HAVE A PUBLIC IP.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Double NAT & no public IP for VPN

Sun Jan 24, 2021 11:40 pm

You can't access a Mikrotik router if it's behind a NAT (which is owned by the ISP).

But you can open the tunnel from your Mikrotik to a VPN server, especially if you have another Mikrotik router with a public IP. I mean this: viewtopic.php?f=23&t=169538
 
swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: Double NAT & no public IP for VPN

Mon Feb 22, 2021 6:09 pm

> Hello my friend. If both "routers" are "inside" the network (no public IP) and you can't redirect ports, it is IMPOSSIBLE for them to reach each other. Both are inside, and it is not possible for both to communicate directly.
>
> The only "way" is finding somebody with a public IP who allows you to connect BOTH routers to HIS router and cross the traffic in the "middle" router.

> You can't access a Mikrotik router if it's behind a NAT (which is owned by the ISP).
>
> But you can open the tunnel from your Mikrotik to a VPN server, especially if you have another Mikrotik router with a public IP. I mean this: viewtopic.php?f=23&t=169538

I agree. There is no way a VPN could work without a public IP.

> Pay the upgrade for the public IP.
>
> The netname from IP Cloud updates every 60 seconds and will work just fine for DNS resolution to reach your router... ONCE YOU HAVE A PUBLIC IP.

Correct, the only way and the easiest way is to pay for an internet plan with a public IP. Unfortunately, a $100 upgrade in 7 locations bleeds my pocket monthly.

> I am in the same scenario and solved it by:
> |Site 1| --> |Internet| --> |Ubuntu OpenVPN| --> |Site 2|, |Site 3|, |Site 4| All of them can ping the other sites.
>
> 1. Use a VPS (Ubuntu LTS) with a static public IP. --> Mine is vultr.com; get the cheapest VPS that gives you a static IPv4.
> 2. Install OpenVPN
> 3. Connect Mikrotik as a client to the Ubuntu server
> 4. Configure routing between sites
> Done.
>
> Keep in mind that you should learn to set up OpenVPN in Linux; it will take a couple of days but it is worth the trouble.
> If you need help then PM me.

Thanks for the solution. I've been thinking about this for a whole month. And you are right, Vultr is the cheapest VPS I've found so far.

Have you tried OpenVPN Cloud? Or AWS free tier + OpenVPN?

Thank you for all your responses, you guys are awesome.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Double NAT & no public IP for VPN

Mon Feb 22, 2021 10:23 pm

Depending on how the NATs in question behave, in particular whether the source port of a UDP packet sent from your router's WAN IP is kept as the packet goes through the NATs all the way to the public IP, it may be possible to establish an IPsec tunnel between the two devices. The source port must be kept unchanged for both devices which want to talk to each other in order for this to work.
 
erkexzcx
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Double NAT & no public IP for VPN

Tue Feb 23, 2021 9:59 am

> Thanks for the solution. I've been thinking about this for a whole month. And you are right, Vultr is the cheapest VPS I've found so far.
>
> Have you tried OpenVPN Cloud? Or AWS free tier + OpenVPN?

Just FYI - Mikrotik ROS can be installed on x86_64 hardware, and I mean a virtual machine. What I am trying to say is that you can set up RouterOS on a VPS; I've done it in Linode. Monthly cost of your instance + a single purchase of a ROS licence ($40 for L4) and you can set up a VPN in your familiar ROS environment. :) But using a Linux distro, like Debian, you can set up your own ipsec/ike2 VPN server using Strongswan, but it would be significantly harder if you've never done it before...

And if you decide to use Mikrotik ROS, you can follow the same guide I've shared a few comments up. Basically you can end up having a public IP for your router which is behind NAT: EoIP on top of IPSEC/IKE2. :) P.S. Don't go for OpenVPN - it's slow.
 
swa69er
just joined
Topic Author
Posts: 19
Joined: Sat Jan 02, 2021 11:54 am

Re: Double NAT & no public IP for VPN

Tue Feb 23, 2021 10:23 am

> Depending on how the NATs in question behave, in particular whether the source port of a UDP packet sent from your router's WAN IP is kept as the packet goes through the NATs all the way to the public IP, it may be possible to establish an IPsec tunnel between the two devices. The source port must be kept unchanged for both devices which want to talk to each other in order for this to work.

How likely is it that IPsec passes through NAT between 2 private IPs?

> Just FYI - Mikrotik ROS can be installed on x86_64 hardware, and I mean a virtual machine. What I am trying to say is that you can set up RouterOS on a VPS; I've done it in Linode. Monthly cost of your instance + a single purchase of a ROS licence ($40 for L4) and you can set up a VPN in your familiar ROS environment. :) But using a Linux distro, like Debian, you can set up your own ipsec/ike2 VPN server using Strongswan, but it would be significantly harder if you've never done it before...
>
> And if you decide to use Mikrotik ROS, you can follow the same guide I've shared a few comments up. Basically you can end up having a public IP for your router which is behind NAT: EoIP on top of IPSEC/IKE2. :) P.S. Don't go for OpenVPN - it's slow.

Interesting. I saw the other post, and I don't find any cons in your tutorial, but I'm still learning about it.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Double NAT & no public IP for VPN

Tue Feb 23, 2021 10:31 am

> How likely is it that IPsec passes through NAT between 2 private IPs?

I have a positive experience with "normal" ISPs and a negative one with mobile ones, which do not keep the original port.

> Interesting. I saw the other post, and I don't find any cons in your tutorial, but I'm still learning about it.

I've looked at that topic too, and unless I've missed something, the responder (server) must have a public IP or port-forwarding from a public IP must be possible. So it is not applicable to your case.
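The NAT property sindy relies on here and in the earlier reply (whether the UDP source port survives every NAT between the router and the public IP) can be measured instead of guessed. The script below is an added example, not sindy's or anyone's code from this thread: it sends a STUN Binding Request (RFC 5389) from local UDP port 4500, the port IPsec NAT-T uses, and decodes the XOR-MAPPED-ADDRESS the server reflects back; if the reflexive port is still 4500, the whole NAT chain kept it. The STUN server name in the `__main__` block is a placeholder to replace with a public STUN server of your choice, and the sample reply is constructed inline (not captured) so the parser runs offline.

```python
"""Check whether the NATs in front of a router preserve the UDP source port,
by sending a STUN Binding Request (RFC 5389) from the port IPsec NAT-T uses
and reading back the XOR-MAPPED-ADDRESS. Added example, not from the thread."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
MAPPED_ADDRESS = 0x0001       # legacy RFC 3489 attribute, used as a fallback
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """20-byte STUN header: type, length (0, no attributes), cookie, 96-bit txn id."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id), txn_id


def parse_binding_response(data, txn_id):
    """Return (public_ip, public_port) as seen by the STUN server, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie, rx_txn = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or rx_txn != txn_id:
        raise ValueError("not a reply to our transaction")   # ignore stray/spoofed datagrams
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN type 0x{msg_type:04x}")
    body = data[20:20 + msg_len]
    off, fallback = 0, None
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)          # attribute values are padded to 4 bytes
        if attr_type in (XOR_MAPPED_ADDRESS, MAPPED_ADDRESS) and len(val) >= 8 and val[1] == 0x01:
            port, addr = struct.unpack("!HI", val[2:8])   # skip reserved byte + family (IPv4)
            if attr_type == XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16       # port is XORed with the top 16 bits of the cookie
                addr ^= MAGIC_COOKIE             # address with the full cookie
            ip = socket.inet_ntoa(struct.pack("!I", addr))
            if attr_type == XOR_MAPPED_ADDRESS:
                return ip, port
            fallback = (ip, port)
    if fallback:
        return fallback
    raise ValueError("no mapped address in response")


def port_preserved(local_port, public_port):
    """True when the NAT chain kept our source port, the condition sindy describes."""
    return local_port == public_port


def probe(server, local_port=4500, server_port=3478, timeout=3.0):
    """Live check (needs network): returns (public_ip, public_port, preserved)."""
    req, txn = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", local_port))          # send from the port IKE/NAT-T will use
        s.sendto(req, (server, server_port))
        data, _ = s.recvfrom(1500)
    ip, port = parse_binding_response(data, txn)
    return ip, port, port_preserved(local_port, port)


def sample_response(txn_id, ip="203.0.113.7", port=4500):
    """Constructed reply a STUN server would send if the outer NAT mapped us to ip:port."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    val = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(val)) + val
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


if __name__ == "__main__":
    # Placeholder hostname: replace with a public STUN server you trust.
    print(probe("stun.example.org"))
```

Run it from a host on the LAN behind each router and repeat with `local_port=500` for IKE; RouterOS masquerade keeps the source port unless it collides, so what you are really measuring is the ISP's NATs. A preserved port is necessary but not sufficient: the outer NAT must also let the peer's inbound packet through once your outbound packet has created the mapping, and both sides still need each other's current public address, which is the address IP Cloud's DNS name carries (the one MikroTik's cloud saw, i.e. the ISP NAT's public IP).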
 
erkexzcx
Member Candidate
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Double NAT & no public IP for VPN

Tue Feb 23, 2021 10:45 am

> I've looked at that topic too, and unless I've missed something, the responder (server) must have a public IP or port-forwarding from a public IP must be possible. So it is not applicable to your case.

The user still has to purchase a VPS with a public IP in order to have a public IP. Linode was just an example (that's what I've been using). This way the user can have ROS running somewhere in a DC.

It looks something like this, but I've never done it, so mistakes are possible:
  • Connect from the "behind NAT Mikrotik" to the purchased VPS server using IPSEC/IKE2 (or a different protocol).
  • Establish an EoIP tunnel (or any other tunnel) between these two on top of IPSEC/IKE2 (or a different protocol).
  • Add the EoIP interface to bridges on both sides, mark it as "Trusted", and ensure your VPS gets an IP from your physical "behind-the-NAT" router.
  • Perform port forwarding on the VPS.

But the user did not ask for a public IP. The user asked for a VPN server, so all of the above could be avoided by simply buying a VPS, installing a VPN server (with or without ROS along with it) and that's it. But if your aim is to access resources on the LAN, you need to use something like I've mentioned above. Getting a VPS is (IMO) the easiest and likely the cheapest way to get a public IP.
