p19lord
just joined
Topic Author
Posts: 3
Joined: Sun Sep 25, 2022 5:41 pm

Tunnel two MikroTik on VPS and guide the traffic through a tunnel to connect to the internet

Sun Sep 25, 2022 6:11 pm

Hello everyone,
I have two VPS that have MikroTik v6 installed on both of them and, as they are VPS in separate geo locations, obviously they have very different IPs. What I am trying to achieve is as follows:
The client connects to VPS 1 via PPTP, L2TP, or OVPN and through a tunnel connects to VPS 2, and via this route they would be able to surf the internet. Obviously, both of these VPS have their own internet connection, but I want VPS 1's traffic to be directed to VPS 2, and VPS 2 only gets the packets and contents from the internet and returns them along the same path to the client. I am not sure if this is possible or not, but it looks logical to me to be possible.
This is the schematic of the connection (attached image 1.png).
I have looked for this in the forum and elsewhere but I couldn't make sense of them.
I would appreciate it if you can help me step by step and in plain English as I am basic.
Regards
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel two MikroTik on VPS and guide the traffic through a tunnel to connect to the internet

Mon Sep 26, 2022 12:05 pm

I am not sure why you have chosen EoIP as the tunnel between the two CHRs. If the only function of that tunnel is to forward traffic from CHR 1 VPN clients to CHR 2, it can be an IPIP or any other L3 tunnel.

Other than that, you have to use policy routing (in brief, an approach that takes also other properties of a packet than its destination address alone into account when routing it) at CHR 1 to send the traffic from the local VPN clients via the tunnel to CHR 2; at CHR 2, you have to add a route to the subnet used by the VPN clients of CHR 1 via the tunnel to CHR 1.

But before setting up any VPN, you should set up good firewalls at both CHRs.

If the above is not detailed enough for you, post the exports of the current configurations of both the CHRs, carefully removing anything that could identify them (public IP addresses, software IDs, possibly also time zones if you are avoiding regime censorship) without breaking consistency of the information, e.g. the public IP of CHR 2 should be replaced by string "ip.of.chr.2" in both exports as CHR 1 uses that address in the configuration of the tunnel. See my automatic signature below for a hint.
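The three pieces named above (policy routing at CHR 1, a return route at CHR 2, and a firewall on each) written out as RouterOS 6 commands. This is an added example, not configuration posted in the thread or by MikroTik. It assumes the IPIP tunnel is numbered 172.16.100.1/30 on CHR 1 and 172.16.100.2/30 on CHR 2, that the CHR 1 VPN pool is 172.30.16.0/24, that CHR 1's public interface is ether1 and CHR 2's is ether2 (these match the exports posted later in the thread), and that the peers' public addresses are the placeholders ip.of.chr.1 and ip.of.chr.2. The routing mark via-chr2, the address list mgmt and the admin address 192.0.2.10 are made up for the example.

```routeros
# ---------- CHR 1 (RouterOS 6) ----------
# Policy routing: packets sourced from the local VPN pool get a routing mark,
# and a separate routing table sends marked traffic into the IPIP tunnel.
/ip firewall mangle
add chain=prerouting src-address=172.30.16.0/24 action=mark-routing \
    new-routing-mark=via-chr2 passthrough=no comment="VPN clients -> CHR 2"
/ip route
add dst-address=0.0.0.0/0 gateway=172.16.100.2 routing-mark=via-chr2 \
    check-gateway=ping comment="default route for marked VPN traffic"
# Fail closed: if the tunnel gateway stops answering pings, the route above
# becomes inactive; without this blackhole RouterOS 6 would fall back to the
# main table and send VPN client traffic out of ether1 instead.
add dst-address=0.0.0.0/0 type=blackhole routing-mark=via-chr2 distance=10 \
    comment="no leak via ether1 when the tunnel is down"
# Do NOT masquerade into the tunnel: CHR 2 must see the 172.30.16.x source so
# its return route can bring replies back. The existing out-interface=ether1
# masquerade only matches traffic that actually leaves via ether1.

# Input firewall for CHR 1: only the tunnel peer, the VPN services and a
# management allow-list may reach the router itself.
/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="example admin IP (assumption)"
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=ipip src-address=ip.of.chr.2 action=accept \
    comment="IPIP only from CHR 2"
add chain=input protocol=udp dst-port=500,4500 action=accept comment="IKE"
add chain=input protocol=ipsec-esp action=accept
add chain=input protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept \
    comment="L2TP only when it arrived inside IPsec"
add chain=input protocol=tcp dst-port=443 action=accept comment="OVPN"
add chain=input protocol=tcp dst-port=8899 src-address-list=mgmt action=accept \
    comment="Winbox from the allow-list only"
add chain=input action=drop
# Forward chain: VPN clients may go out through the tunnel and nowhere else.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address=172.30.16.0/24 out-interface=ipip-tunnel1 \
    action=accept comment="VPN clients -> tunnel"
add chain=forward action=drop

# ---------- CHR 2 (RouterOS 6) ----------
# Return route for the CHR 1 VPN pool, and NAT to CHR 2's public address.
/ip route
add dst-address=172.30.16.0/24 gateway=172.16.100.1 \
    comment="CHR 1 VPN clients live behind the tunnel"
/ip firewall nat
add chain=srcnat src-address=172.30.16.0/24 out-interface=ether2 \
    action=masquerade comment="CHR 1 VPN clients -> internet"
/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="example admin IP (assumption)"
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=ipip src-address=ip.of.chr.1 action=accept \
    comment="IPIP only from CHR 1"
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept \
    comment="Winbox (default port) from the allow-list only"
# If CHR 2 also terminates its own VPN clients, add accept rules for those
# services here, following the same pattern as on CHR 1.
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ipip-tunnel1 src-address=172.30.16.0/24 \
    out-interface=ether2 action=accept comment="tunnel -> internet only"
add chain=forward action=drop
```

Two caveats a practitioner would check before relying on this. First, IPIP carries the clients' traffic between the two VPS in the clear: the client's VPN is decrypted at CHR 1, so anything not already protected end to end (plain HTTP, DNS) is readable on the path between CHR 1 and CHR 2. RouterOS 6 can wrap the tunnel in IPsec transport mode by setting ipsec-secret on the ipip interface, which is the cheapest fix. Second, IPIP adds 20 bytes per packet, so a tunnel MTU of 1500 over a 1500-byte uplink forces fragmentation; lowering the tunnel MTU to 1480, together with the change-tcp-mss setting already in the PPP profile, avoids that.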
 
p19lord
just joined
Topic Author
Posts: 3
Joined: Sun Sep 25, 2022 5:41 pm

Re: Tunnel two MikroTik on VPS and guide the traffic through a tunnel to connect to the internet

Wed Oct 05, 2022 11:34 am

Thank you for the response.
The tunnel can be any type of tunnel (EoIP or IPIP); it doesn't really matter, and yes, CHR 1's only duty is to forward the traffic to CHR 2.
How do I export the configuration of both CHRs? Is there anywhere I can export it, or should I write it down manually?
Sorry for asking too many questions; as I mentioned, I have basic knowledge!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Tunnel two MikroTik on VPS and guide the traffic through a tunnel to connect to the internet

Wed Oct 05, 2022 11:42 am

See my automatic signature - open a command line (ssh or [Terminal] in Winbox or WebFig), type /export hide-sensitive file=xyz (in RouterOS 7, hide-sensitive is the default behaviour so do not use it), then download file xyz.rsc and edit the identification information.
 
p19lord
just joined
Topic Author
Posts: 3
Joined: Sun Sep 25, 2022 5:41 pm

Re: Tunnel two MikroTik on VPS and guide the traffic through a tunnel to connect to the internet

Wed Oct 05, 2022 10:48 pm

This is for CHR 1:
# oct/05/2022 19:39:25 by RouterOS 6.49.6
# software id = 
#
#
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface ipip
add local-address=xx.xx.xx.77 mtu=1500 name=ipip-tunnel1 remote-address=\
    yy.yy.yy.62
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn ranges=172.30.16.2-172.30.16.253
/ppp profile
set *0 change-tcp-mss=default dns-server=8.8.8.8 local-address=172.30.16.1 \
    remote-address=vpn use-encryption=yes
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes256 enabled=yes port=443 \
    require-client-certificate=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=\
    yes
/ip address
add address=xx.xx.xx.77/23 interface=ether1 network=xx.xx.xx.0
add address=172.16.100.1/30 interface=ipip-tunnel1 network=172.16.100.0
add address=172.30.16.0/24 disabled=yes interface=ipip-tunnel1 network=\
    172.30.16.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dns
set servers=4.2.2.4
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
# sstp-out1 not ready
add action=masquerade chain=srcnat out-interface=*15
/ip route
add distance=1 gateway=185.181.183.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8899
set api-ssl disabled=yes
/ppp secret
add name=user1
This is CHR 2:
# oct/05/2022 19:39:53 by RouterOS 6.45.9
# software id = G353-EXPG
#
#
#
/interface ethernet
set [ find default-name=ether1 ] name=ether2
/interface ipip
add local-address=yy.yy.yy.62 mtu=1500 name=ipip-tunnel1 remote-address=\
    xx.xx.xx.77
/ip ipsec policy group
add name=ikev2
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 \
    hash-algorithm=sha256 name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms="aes-256-cbc,aes-256-ctr,aes-\
    256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-12\
    8-gcm" name=ikev2
/ip pool
add name=vpn ranges=172.16.1.2-172.16.1.255
/ip ipsec mode-config
add address-pool=vpn address-prefix-length=29 name=cfg1 static-dns=\
    8.8.8.8,8.8.4.4 system-dns=no
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8 local-address=172.16.1.1 name=vpn remote-address=vpn \
    use-encryption=yes
/interface l2tp-server server
set default-profile=vpn enabled=yes max-mru=1400 max-mtu=1400 use-ipsec=\
    required
/interface ovpn-server server
set certificate=server cipher=blowfish128,aes128,aes256 default-profile=vpn \
    enabled=yes port=443
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=vpn enabled=yes \
    max-mru=1400 max-mtu=1400
/interface sstp-server server
set certificate=SSTP-CA default-profile=vpn force-aes=yes
/ip address
add address=yy.yy.yy.62/27 interface=ether2 network=yy.yy.yy.32
add address=yy.yy.yy.62 interface=ether2 network=51.89.195.254
add address=172.16.100.2/30 interface=ipip-tunnel1 network=172.16.100.0
/ip cloud
set update-time=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input dst-port=2022 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.1.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
/ip ipsec identity
add auth-method=digital-signature certificate=server-ikev2 generate-policy=\
    port-strict match-by=certificate mode-config=cfg1 peer=ikev2 \
    policy-template-group=ikev2 remote-certificate=client-ikev2
/ip ipsec policy
set 0 dst-address=172.16.1.0/24 group=ikev2 proposal=ikev2 src-address=\
    0.0.0.0/0
add dst-address=172.16.1.0/24 group=ikev2 proposal=ikev2 src-address=\
    0.0.0.0/0 template=yes
/ip route
add distance=1 gateway=51.89.195.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=user profile=vpn
Please note that xx.xx.xx.77 is the public IP address of CHR 1 and yy.yy.yy.62 is the public IP address of CHR 2.
