DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Private IP site through public IP site

Thu Jul 22, 2021 5:11 pm

Hello everyone.
This is my problem:
I have two sites:
- site 1 with static public IP (RB1100AHX2)
- site 2 with dynamic private IP (NATted) (hAP mini)

In site 2 I have an IPCAM that I would like to reach from the internet through my smartphone but unfortunately site 2 has a private IP address.
Site 1 instead has a static public IP address, so I was thinking of creating a VPN between site 1 and site 2, using site 1 as a VPN server and site 2 as a VPN client.
After creating the VPN with the correct rules, do you think it would be possible to reach site 2 from the internet through site 1?
 
dmitris
Member Candidate
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: Private IP site through public IP site

Thu Jul 22, 2021 5:18 pm

Yes, it will work!
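As an added example (not part of the thread, and not the posters' own configuration), this is how site 1 can publish the camera once the tunnel exists. It assumes the addressing used later in this thread (site 1 tunnel address 192.168.255.1, site 2 tunnel address 192.168.255.2, site 2 LAN 192.168.2.0/24, a static server binding named sstp-Server), plus a few values that are assumptions: site 1 public IP 203.0.113.10 on an interface in the default "WAN" interface list, a camera at 192.168.2.50 serving RTSP on 554, and an allowed source range 198.51.100.0/24 for the smartphone's mobile operator.

```routeros
# Site 1 (RB1100AHx2). All IPs, ports and the address-list range below are assumed.
# The route to 192.168.2.0/24 over sstp-Server is installed by the PPP secret (routes=).

/ip firewall address-list
add list=cam-admins address=198.51.100.0/24 \
    comment="source range allowed to reach the camera (assumed)"

/ip firewall nat
# Publish RTSP on a non-default public port, only for the allowed sources.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8554 \
    src-address-list=cam-admins action=dst-nat \
    to-addresses=192.168.2.50 to-ports=554 comment="RTSP -> site 2 camera"
# Rewrite the source to the tunnel address so the camera's replies come back
# through the tunnel instead of leaving via site 2's own NATted default gateway.
# Without this the flow is asymmetric and the TCP handshake never completes.
add chain=srcnat out-interface=sstp-Server dst-address=192.168.2.50 \
    action=src-nat to-addresses=192.168.255.1 comment="return path via tunnel"

/ip firewall filter
# The default RouterOS forward chain already accepts dst-natted connections
# (it drops only connection-nat-state=!dstnat from WAN). If your forward chain
# is custom, accept the flow explicitly and keep this rule above any drop.
add chain=forward connection-nat-state=dstnat in-interface-list=WAN \
    out-interface=sstp-Server protocol=tcp dst-address=192.168.2.50 dst-port=554 \
    action=accept comment="camera via site 1"
```

Verify from outside with any RTSP client against 203.0.113.10:8554 while watching `/ip firewall connection print where dst-address~"192.168.2.50"` on site 1; a connection that shows up in the dstnat rule's counters but never reaches established state almost always means the srcnat rule (return path) is missing. Exposing the camera's own HTTP interface the same way is possible but harder to defend; restricting to the address list, or running a VPN client on the phone to site 1 instead, keeps the camera off the public internet.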
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Thu Jul 22, 2021 6:07 pm

I have found many examples of site-to-site VPN setup using IPsec, but from what I understand IPsec requires public IPs on both sides of the VPN.
Is that correct?
What type of VPN do you recommend I use?
I would like to use OpenVPN, but I haven't found any example of a site-to-site VPN setup on MikroTik with OpenVPN.
 
dmitris
Member Candidate
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: Private IP site through public IP site

Thu Jul 22, 2021 6:31 pm

Yes, you are right about the IPsec site-to-site implementation: both sides should be equipped with a public IP.
Personally I prefer SSTP tunneling for such solutions.
https://wiki.mikrotik.com/wiki/Manual:I ... -Site_SSTP

OpenVPN setup is similar to SSTP setup, so you can try both of them. Don't forget to use different IP segments on both sides.
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Tue Jul 27, 2021 12:30 pm

Thank you for your answer. I was able to set up a very simple SSTP site to site VPN. I have followed various guides that I have found online, everything seems to work, but I don't know if my setup is correct. Most of all I don't know if my setup is safe and reliable. Is there a step-by-step guide to creating a site-to-site SSTP VPN?
My main question is the following:
I created the CA certificate and the Server certificate.
I signed the CA certificate by entering the public IP of the SSTP server in the CA CRL Host field.
Then I signed the Server certificate using CA.
I created the dynamic SSTP server using the "Server" certificate and then in the client I created the SSTP client.
Up to here everything is ok. The VPN is working fine.
I exported the CA certificate and imported it into the SSTP client.
In the SSTP interface, in "Certificate" I selected the CA certificate and then I checked the "Verify Server Certificate" box.
After I selected the CA certificate and activated the "Verify Server Certificate" checkbox, the SSTP server stopped working. I also tried to restart both routers but the VPN doesn't work. If I remove the certificate, it works again.
 
dmitris
Member Candidate
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: Private IP site through public IP site

Tue Jul 27, 2021 1:27 pm

Nice start! You also need to create a client certificate, sign it with the same CA, export it and install it on the client side. When you export the client certificate you must specify a passphrase, or it will not generate a private key for it.
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Private IP site through public IP site

Tue Jul 27, 2021 1:32 pm

or it will not export the private key with it
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Tue Jul 27, 2021 3:47 pm

To create a Client certificate which "Key Usage" should I use?
In the CA certificate I used:
"crl sign"
"key cert. sign".

In the Server certificate I used:
"digital signature"
"key encipherment"
"tls server"
Is that okay?
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Private IP site through public IP site

Tue Jul 27, 2021 3:55 pm

On CA you can set key-usage to: key-cert-sign, crl-sign

On certificates set key-usage to: digital-signature, key-encipherment, tls-server

Like exactly what you write.
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Tue Jul 27, 2021 4:05 pm

Can I use the same Key Usage for Server and Client certificates?
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Private IP site through public IP site

Tue Jul 27, 2021 4:20 pm

Yes
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Tue Jul 27, 2021 7:13 pm

I tested using certificates but it still doesn't work...

This is the working SSTP config:
# Server side
/ppp secret
add local-address=192.168.255.1 name=Client password=\
"12345678" profile=default-encryption \
remote-address=192.168.255.2 routes=192.168.2.0/24 service=\
sstp
/interface sstp-server
add name=sstp-Server user=Client
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=\
default-encryption enabled=yes force-aes=yes keepalive-timeout=30 pfs=yes \
port=443 tls-version=only-1.2

# Client side
/interface sstp-client
add authentication=mschap2 connect-to=1.1.1.1:443 disabled=no \
http-proxy=0.0.0.0:443 keepalive-timeout=30 name=sstp-out-Server password=\
"12345678" pfs=yes profile=default-encryption \
tls-version=only-1.2 user=Client verify-server-certificate=yes
Using these configurations SSTP works.
If I activate "Verify Client Certificate" on the Server side and I select the "Client" certificate on the Client side, the SSTP tunnel stops working.
I can't understand what's wrong.
 
dmitris
Member Candidate
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: Private IP site through public IP site

Tue Jul 27, 2021 11:22 pm

rextended wrote: or it will not export the private key with it
Thank you for making it correct!

DottorT86 wrote: If I activate "Verify Client Certificate" on the Server side and I select the "Client" certificate on the Client side, the SSTP tunnel stops working. I can't understand what's wrong.
BTW

Have you uploaded the client certificate with its private key to the client side, and specified the passphrase for the private key when the client certificate was imported?
Check that all certificates have the flag "trusted=yes".
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Wed Jul 28, 2021 1:47 am

All certificates have flag "trusted=yes".
I've exported CA certificate without passphrase and Client certificate with passphrase.
I've uploaded CA.crt, Client.crt and Client.key to Client router.
In Client router:
I've imported CA.crt;
I've imported Client.crt using the passphrase;
I haven't imported Client.key.
Do I have to import Client.key too?
That's all.
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Wed Jul 28, 2021 2:04 am

I made a new attempt.
On the server router:
- I enabled "Verify Client Certificate"
- I exported the CA certificate with passphrase;
- I exported the Client certificate with passphrase;
- I loaded CA.crt, CA.key, Client.crt and Client.key on the Client router

In the Client router:
- I imported in this order: CA.crt, CA.key, Client.crt and Client.key using passphrase.
- in SSTP Client interface I selected CA.crt as certificate and enabled "Verify Server Certificate"

Now it's working. Is it ok?
I thought that in the SSTP client interface I should select Client.crt as certificate instead of CA.crt.
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Wed Jul 28, 2021 2:10 am

I think that now I've solved it. When creating the Client certificate, in key usage I selected "tls client" instead of "tls server".
Now it seems to work using Client certificate.
 
dmitris
Member Candidate
Posts: 127
Joined: Mon Oct 09, 2017 1:08 pm

Re: Private IP site through public IP site  [SOLVED]

Wed Jul 28, 2021 9:53 am

DottorT86 wrote: Now it's working. Is it ok? I thought that in the SSTP client interface I should select Client.crt as certificate instead of CA.crt.
The CA private key should remain only on the server side and should not be exported anywhere else, because now it is possible to sign valid certificates for your installation not only on the server side but on the client side too...
For the client side, ca.crt, client.crt and client.key are enough.

DottorT86 wrote: Creating the Client certificate, in key usage I selected "tls client" instead of "tls server". Now it seems to work using the Client certificate.
Yeah, that is the issue
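Pulling the thread's corrections together, here is the complete procedure as an added example (written for this page, not the posters' configuration): CA and server certificates as rextended listed them, a client certificate with tls-client, export of the client key behind a passphrase, no export of the CA key, and mutual verification on both ends. Assumptions not taken from the thread: site 1 public IP 203.0.113.10, the default "WAN" interface list, site 1 LAN 192.168.1.0/24, the placeholder passphrase and password strings, and the default export file names RouterOS uses (cert_export_<name>.crt/.key).

```routeros
# ===== Site 1 (RB1100AHx2, SSTP server). Public IP 203.0.113.10 is assumed. =====
/certificate
# CA: signing only. Its private key stays on this router and is never exported.
add name=CA common-name=sstp-ca key-size=2048 days-valid=3650 \
    key-usage=key-cert-sign,crl-sign
sign CA ca-crl-host=203.0.113.10
# Server certificate: CN/SAN = the address the client connects to, key-usage tls-server.
add name=Server common-name=203.0.113.10 subject-alt-name=IP:203.0.113.10 \
    key-size=2048 days-valid=1095 \
    key-usage=digital-signature,key-encipherment,tls-server
sign Server ca=CA
# Client certificate: key-usage tls-client (tls-server here is what broke the tunnel).
add name=Client common-name=site2-hapmini key-size=2048 days-valid=1095 \
    key-usage=digital-signature,key-encipherment,tls-client
sign Client ca=CA
# Export only what site 2 needs. No passphrase => only the .crt is written (CA public part).
# With a passphrase => the .key is written too, encrypted with that passphrase (client).
export-certificate CA
export-certificate Client export-passphrase="ReplaceWithLongRandomPassphrase"
# Produces cert_export_CA.crt, cert_export_Client.crt, cert_export_Client.key (assumed names).
# Never export CA with a passphrase for a client: that hands out the CA private key.

/ppp profile
add name=sstp-s2s local-address=192.168.255.1 remote-address=192.168.255.2 \
    use-encryption=required
/ppp secret
add name=Client password="ReplaceWithLongRandomPassword" profile=sstp-s2s \
    service=sstp routes=192.168.2.0/24
/interface sstp-server
add name=sstp-Server user=Client
/interface sstp-server server
set enabled=yes port=443 certificate=Server authentication=mschap2 \
    default-profile=sstp-s2s force-aes=yes pfs=yes tls-version=only-1.2 \
    verify-client-certificate=yes
/ip firewall filter
# Assumes the default "WAN" interface list; move this rule above the generic input drop.
add chain=input in-interface-list=WAN protocol=tcp dst-port=443 action=accept \
    comment="SSTP from site 2"

# ===== Site 2 (hAP mini, SSTP client). Copy the three exported files here first. =====
/certificate
import file-name=cert_export_CA.crt passphrase=""
import file-name=cert_export_Client.crt passphrase="ReplaceWithLongRandomPassphrase"
import file-name=cert_export_Client.key passphrase="ReplaceWithLongRandomPassphrase"
# Check: "/certificate print" must show flag K (private key) on Client and NOT on CA,
# and T (trusted) on both ("set CA trusted=yes" if it is missing). No K on Client means
# the key was exported without a passphrase or the .key file was never imported.
/interface sstp-client
add name=sstp-out-Server connect-to=203.0.113.10:443 user=Client \
    password="ReplaceWithLongRandomPassword" authentication=mschap2 \
    profile=default-encryption certificate=Client verify-server-certificate=yes \
    pfs=yes tls-version=only-1.2 disabled=no
# Route to site 1's LAN (192.168.1.0/24 assumed) over the tunnel; the reverse route on
# site 1 is installed by routes=192.168.2.0/24 in the PPP secret.
/ip route
add dst-address=192.168.1.0/24 gateway=sstp-out-Server
```

The certificate selected in the sstp-client interface is the client's own identity (Client), which the server checks against its CA when verify-client-certificate=yes; verify-server-certificate=yes on the client checks the server's chain against the trusted CA in the client's store, so only the CA's public certificate, never its key, has to travel to site 2. If the tunnel fails after enabling either check, `/log print where topics~"sstp"` on both routers shows which side rejected the handshake.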
 
DottorT86
newbie
Topic Author
Posts: 36
Joined: Fri Aug 09, 2019 7:51 am

Re: Private IP site through public IP site

Thu Jul 29, 2021 10:28 am

Thank you so much for your answer!
