axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

SSTP VPN - Multiple locations

Mon Jul 11, 2022 6:36 pm

Hello guys. Thank you in advance for any help / tips.

I was able to set up an SSTP server at an office location (on a MikroTik of course) following this guide. You may quickly skim through the video to get an idea of how I got it set up.


Then I set up the client from home (2nd MikroTik router), and the connection is stable, fast, perfect for my use.

Yesterday, I installed another (3rd MikroTik) in another location. So I set it up as a client using the same username and password I used previously.
The connection worked great at the new location, but then I noticed the first client (2nd MikroTik router) was not able to talk to the office network anymore, although both client connections show active on the MikroTik server.


So I assume each client needs to have a unique login to the server?
Or is the SSTP server on the MikroTik router limited to only one client connection at a time?

Clients connect to the office in order to access simple Samba shares, and the files are CAD documents or PDFs. There is no high traffic going on to make the connection slow down or anything.

I am trying to achieve a stable link between the 3 locations.

Thank you guys.
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: SSTP VPN - Multiple locations

Mon Jul 11, 2022 7:50 pm

Now that I am trying to figure out what may be wrong...

Server is 10.0.0.1
Client1: 192.168.88.1
Client2: 192.168.88.1

My noobish assumption here is that the server then does not know who to talk to, so one side stops working? Should I change the subnet in the second client?
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: SSTP VPN - Multiple locations

Tue Jul 12, 2022 3:19 am

You definitely need a unique address for each client.

If 192.168.88.1 is what you're assigning to them, you need to fix it. You can either use an address pool instead of an exact address, or create separate logins with different addresses.

If 192.168.88.x are addresses in their LANs (and clients get unique addresses from the server), it's possible to keep them, if you don't care about them on the server side, i.e. if connections will be only from them and not to them, you don't need to do any filtering on them, etc. In that case you can simply add srcnat/masquerade on the clients' VPN interfaces.
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: SSTP VPN - Multiple locations

Sun Jul 24, 2022 6:54 am

Thank you Sob.
I changed the local network on client 1 to 192.168.90.x but now this client is not able to access the network on the server anymore, although it shows connected.
Here is a screenshot.
On the left side, you can see both remote clients connecting to the SSTP server. On the right, the server receiving the clients.
Notice client 2 gets the right local IP address, but client 1 is showing 10.0.0.2 instead of 192.168.90.x.
I am very confused now...
I have not changed anything else besides the local DHCP server on client 1. Before I made the change, it was connected and working fine with the server, but client 2 would not be able to talk to the remote network then...
I can try setting up individual connections for each client; can I reuse the same certificates or do I need to create those from scratch too?
Also, the active connections on the server are showing the same 10.0.0.2 IP for both clients.

 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: SSTP VPN - Multiple locations

Sun Jul 24, 2022 8:44 pm

OK, I believe I got it set. I created a new PPP secret with a different user and password, and set a different remote address for the client.
I am waiting for my client to confirm he has access to the network, but I am already able to ping devices on his network from the server router.

I am connected to the SSTP and I can access some network devices, but not in the upper range of IPs.
I need to access a server located on 10.0.0.200 and it does not work, but the rest of the devices are working fine.
┌─[axo@thebox]─[~]
└──╼ $ping -c 3 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=62 time=10.1 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=62 time=14.7 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=62 time=9.37 ms

--- 10.0.0.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 9.369/11.388/14.688/2.352 ms
┌─[axo@thebox]─[~]
└──╼ $ping -c 3 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=62 time=8.90 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=62 time=13.0 ms
64 bytes from 10.0.0.100: icmp_seq=3 ttl=62 time=9.55 ms

--- 10.0.0.100 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 8.896/10.486/13.016/1.808 ms
┌─[axo@thebox]─[~]
└──╼ $ping -c 3 10.0.0.110
PING 10.0.0.110 (10.0.0.110) 56(84) bytes of data.
64 bytes from 10.0.0.110: icmp_seq=1 ttl=62 time=10.7 ms
64 bytes from 10.0.0.110: icmp_seq=2 ttl=62 time=9.64 ms
64 bytes from 10.0.0.110: icmp_seq=3 ttl=62 time=10.3 ms

--- 10.0.0.110 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 9.635/10.226/10.708/0.444 ms
┌─[axo@thebox]─[~]
└──╼ $ping -c 3 10.0.0.200
PING 10.0.0.200 (10.0.0.200) 56(84) bytes of data.

--- 10.0.0.200 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2031ms


The server is there, alive, and it replies to ping if I log in remotely to any of the other clients or the MikroTik server terminal. But it does not work from here.
I have checked the firewall, I do not see any rules blocking connections to the upper IP numbers; where else can I check?
Thank you
 
bpwl
Forum Guru
Posts: 2994
Joined: Mon Apr 08, 2019 1:16 am

Re: SSTP VPN - Multiple locations

Sun Jul 24, 2022 10:05 pm

Your server must know the way back to the client device, even to respond to a ping.
If the client has a local LAN address, then the server has no clue where to find it.
Your SSTP tunnel ends with an office IP address, and the router will find the other end of the tunnel, as the tunnel is an interface of the router.
But normally the router has no idea about the subnets at the end of the tunnel.
And if it does, the server still has to use this router as gateway then.

Either you need a non-overlapping subnet plan, and routing rules, or you must use NAT/masquerade for the clients via the SSTP tunnel.
That NAT/masquerade makes those clients unreachable if connection initiated from the office. But they will access the server with an office address, so the server can always answer.

Proxy ARP is also known as "poor man's routing", and a workaround could maybe be created with it.
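Putting Sob's advice (one login and one tunnel address per client) and bpwl's (the server needs a route back to each client LAN, or NAT on the client) into RouterOS commands. This is an added example, not configuration from the thread or from the guide the poster followed; the secret names, passwords, the dedicated 10.0.1.0/24 tunnel subnet and the OFFICE-PUBLIC-IP placeholder are assumptions, while the LAN subnets follow the thread.

```routeros
# --- Office (SSTP server) side. Office LAN is 10.0.0.0/24. ---
# A dedicated transfer subnet for the tunnels (assumed: 10.0.1.0/24) avoids
# relying on proxy ARP inside the office LAN.
/ppp profile
add name=sstp-sites local-address=10.0.1.1 use-encryption=yes

# One secret per site. remote-address MUST differ per client; two clients
# sharing one login/address is exactly the "both show 10.0.0.2" symptom above.
# routes= installs "dst gateway metric" on the server only while that client
# is connected, so the server knows the way back to the client's LAN.
/ppp secret
add name=site1 password=CHANGE-ME-1 service=sstp profile=sstp-sites \
    remote-address=10.0.1.2 routes="192.168.90.0/24 10.0.1.2 1"
add name=site2 password=CHANGE-ME-2 service=sstp profile=sstp-sites \
    remote-address=10.0.1.3 routes="192.168.88.0/24 10.0.1.3 1"

# Keep the server certificate already configured; just point it at the profile.
/interface sstp-server server
set enabled=yes default-profile=sstp-sites

# Alternative to fixed remote-address (Sob's first option): a pool hands out
# unique tunnel addresses automatically, but then per-client routes= lines
# need a matching static address or another routing method.
# /ip pool add name=sstp-pool ranges=10.0.1.2-10.0.1.20
# /ppp profile set sstp-sites remote-address=sstp-pool

# --- Site 1 (SSTP client) side. Site LAN is 192.168.90.0/24. ---
# verify-server-certificate=yes assumes the office CA is imported on this router.
/interface sstp-client
add name=sstp-office connect-to=OFFICE-PUBLIC-IP user=site1 password=CHANGE-ME-1 \
    add-default-route=no verify-server-certificate=yes disabled=no

# Send office traffic, and traffic for the other site, into the tunnel; the
# office router forwards site-to-site traffic using the routes= entries above.
/ip route
add dst-address=10.0.0.0/24 gateway=sstp-office
add dst-address=192.168.88.0/24 gateway=sstp-office

# Alternative to routes= on the server (bpwl's NAT option): masquerade the site
# LAN behind the tunnel address. Office hosts then see only 10.0.1.2 and cannot
# initiate connections to devices inside the site.
# /ip firewall nat
# add chain=srcnat out-interface=sstp-office action=masquerade
```

Site 2 mirrors the site 1 block with user=site2 and its own LAN 192.168.88.0/24 swapped into the routes.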
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: SSTP VPN - Multiple locations

Mon Jul 25, 2022 4:15 am

Thank you for the replies.
The 3-point network is working perfectly now.
I found the issue with that specific server to be a bug in the software (Truenas), and not a problem with the network itself.
