Hello,
I have 2 Mikrotik routers in different locations, both with dinamic public IP address.
Which will be the best way to create a VPN between both networks?
Best regards.
Re: Site-to-site VPN with dynamic DNS
If at least one of both devices has a public IP directly on itself, you can use any VPN you choose, and all of them will suffer an interruption when one of the addresses changes. Wireguard, which is only available in RouterOS 7, which in turn is still only available as beta, has the advantage that it accommodates to the change of the public IP on one site at a time autonomously, i.e. without waiting for the dynamic DNS to get updated, so the interruption will be the shortest one in this case. For this to work, both sites must have a public IP, and that condition is met in your case.
Mikrotik provides its own Dynamic DNS service, found under /ip cloud settings; the fqdn is generated from the serial number of the device and it is not possible to change that, so if the device dies, you have to reconfigure all the other ones with a new fqdn. Hence it is highly recommended to use a static DNS CNAME record, translating a freely chosen name to the one generated from the serial number, so it is then enough to manually update this CNAME record when you need to replace a router. Or you can use some public Dynamic DNS service which doesn't require to run an application on the dynamic host to update the record instead, or in addition to, the Mikrotik's own one.
Mikrotik provides its own Dynamic DNS service, found under /ip cloud settings; the fqdn is generated from the serial number of the device and it is not possible to change that, so if the device dies, you have to reconfigure all the other ones with a new fqdn. Hence it is highly recommended to use a static DNS CNAME record, translating a freely chosen name to the one generated from the serial number, so it is then enough to manually update this CNAME record when you need to replace a router. Or you can use some public Dynamic DNS service which doesn't require to run an application on the dynamic host to update the record instead, or in addition to, the Mikrotik's own one.
Re: Site-to-site VPN with dynamic DNS
Thanks for the reply,If at least one of both devices has a public IP directly on itself, you can use any VPN you choose, and all of them will suffer an interruption when one of the addresses changes. Wireguard, which is only available in RouterOS 7, which in turn is still only available as beta, has the advantage that it accommodates to the change of the public IP on one site at a time autonomously, i.e. without waiting for the dynamic DNS to get updated, so the interruption will be the shortest one in this case. For this to work, both sites must have a public IP, and that condition is met in your case.
Mikrotik provides its own Dynamic DNS service, found under /ip cloud settings; the fqdn is generated from the serial number of the device and it is not possible to change that, so if the device dies, you have to reconfigure all the other ones with a new fqdn. Hence it is highly recommended to use a static DNS CNAME record, translating a freely chosen name to the one generated from the serial number, so it is then enough to manually update this CNAME record when you need to replace a router. Or you can use some public Dynamic DNS service which doesn't require to run an application on the dynamic host to update the record instead, or in addition to, the Mikrotik's own one.
I have a dyndns service that resolve the public IP address of both routers. The big question is wich VPN software use: OpenVPN, IPSec...
I want to stay in stable version of RouterOS. Which software do you recommend? The routerboards are RB3011 and RB2011.
Kind regards.
Re: Site-to-site VPN with dynamic DNS
I would use IPSEC, here is a great blogpost I found (and am using):
https://blog.pessoft.com/2016/05/29/mik ... s-and-nat/
https://blog.pessoft.com/2016/05/29/mik ... s-and-nat/
Who is online
Users browsing this forum: No registered users and 186 guests