zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 12:03 pm

Hi all,

I'm a Mikrotik noob with very little knowledge of networking. So, please be patient.
I live in a big-brother country where the government keeps a strong hold on the internet, and I wish to connect to the internet safely without worrying that the government is spying on me.
So, I recently purchased a MT router (hAP Lite RB941-2nd-TC) and asked the seller to set it up for me in advance such that I could channel all my internet traffic at home through a secure VPN on this router. The seller has thus configured the router to work with L2TP VPN, and it has been up and running since day one.

But, I have a couple of questions:
1. Is the current configuration on my router correct and secure? For instance, I don’t see any firewall rules!
2. Is L2TP VPN secure enough for my purpose, or should I explore the possibility of setting up OpenVPN or any other VPN protocol? If yes, I would appreciate a link to a detailed setup guide.

My network is pretty basic and nothing complicated.
ISP ADSL MODEM (dynamic IP) > Mikrotik Router <-> internal Network (2 Laptop+1 PC+ a few smart phones). That’s all.

This is my current configuration:
# dec/30/2021 15:44:12 by RouterOS 6.49
# software id = 65I6-VCH5
#
# model = RB941-2nD
# serial number = D0550D7B5504
/interface bridge
add name=bridge1-Local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface l2tp-client
add add-default-route=yes connect-to=XXX.XXX.XXX.XXX disabled=no name=ToVPN \
    use-ipsec=yes user=XXXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile1-LocalWiFi supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no frequency=2432 hide-ssid=yes mode=ap-bridge security-profile=\
    profile1-LocalWiFi ssid=OurHome wps-mode=disabled
/ip pool
add name=dhcp_pool0 ranges=172.16.1.21-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1-Local lease-time=\
    3h10m name=dhcp1
/interface bridge port
add bridge=bridge1-Local interface=ether4 multicast-router=disabled
add bridge=bridge1-Local interface=ether3 multicast-router=disabled
add bridge=bridge1-Local interface=wlan1 multicast-router=disabled
add bridge=bridge1-Local interface=ether2 multicast-router=disabled
/ip address
add address=172.16.1.1/24 interface=bridge1-Local network=172.16.1.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.1.0/24
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1
add distance=1 dst-address=XXX.XXX.XXX.XXX/32 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=7911
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tokyo
/system clock manual
set dst-end="jan/01/2025 00:00:00" dst-start="jan/01/2021 00:00:00" \
    time-zone=+03:30
Last edited by zippedmails on Mon Jan 03, 2022 3:37 pm, edited 1 time in total.
 
smyers119
Member Candidate
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 2:45 pm

1. No, your router is not secure.

2. L2TP does not provide encryption, so no, it is not secure. It is usually tunneled through IPsec. WireGuard would be easier than OpenVPN.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 3:41 pm

You can secure your L2TP with an extra layer of encryption with IPsec PSK or RSA. It's more secure than PPTP. However, IKEv2 / WireGuard / OpenVPN / OpenConnect / SSTP are more secure than L2TP.
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 3:58 pm

/interface l2tp-client add add-default-route=yes connect-to=XXX.XXX.XXX.XXX disabled=no name=ToVPN use-ipsec=yes user=vpn
To me use-ipsec=yes tells this L2TP is wrapped in IPsec. You have removed the password and IPsec secret part (good!! removing the actual server address would have been even better), so it looks as secure as a password-authenticated VPN can be. All good and safe!
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 4:05 pm

Thank you guys for both your comments. Points taken.
So, I need to add an extra layer of encryption with IPsec PSK or RSA, or opt for IKEv2 / Wireguard / OpenVPN / OpenConnect / SSTP altogether.
Unfortunately, however, I am quite new to these subjects and don't have the proper knowledge to follow either option by my own. While I will do my own research for this, I wonder if you guys or any other veteran here could provide me with a 'how-to' link to implement either of the above alternatives.
Many thanks and kind regards to all.
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 4:14 pm

All good; these wireguard/whatever/whatever fanboys are responsible for their false suggestions, made before even understanding the configuration. You can configure WireGuard or any other tool insecurely if you don't fully understand it.
Even more, the hAP lite doesn't have enough RAM to run ROS v7.1 with WireGuard, so your current solution is quite optimal for max security at min price.
Last edited by kalamaja on Thu Dec 30, 2021 4:19 pm, edited 1 time in total.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 4:15 pm

Thank you guys for both your comments. Points taken.
So, I need to add an extra layer of encryption with IPsec PSK or RSA, or opt for IKEv2 / Wireguard / OpenVPN / OpenConnect / SSTP altogether.
Unfortunately, however, I am quite new to these subjects and don't have the proper knowledge to follow either option by my own. While I will do my own research for this, I wonder if you guys or any other veteran here could provide me with a 'how-to' link to implement either of the above alternatives.
Many thanks and kind regards to all.
The default firewall rules are pretty good for home use.
You can check viewtopic.php?t=181410, @anav's reply
viewtopic.php?t=174199
https://help.mikrotik.com/docs/display/ ... c+Concepts

For the VPN part, what's the purpose of this connection? Site to site?
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 4:38 pm

/interface l2tp-client add add-default-route=yes connect-to=XXX.XXX.XXX.XXX disabled=no name=ToVPN use-ipsec=yes user=vpn
To me use-ipsec=yes tells this L2TP is wrapped in IPSec, you have remove password and IPSec secret part (good!! removing actual server would been even better), so looks as secure as password-authenticated VPN can be. All good and safe!
Thanks a lot bro.
I input the actual vpn address in two places: (1) under PPP>Interface <ToVPN)> >Dial Out Tab, and (2) under IP>Routes>General Tab.
Do you mean I should completely remove and delete the address from the 'General' tab in (2) above? Or, just replace the numbers with XXX.XXX.XXX.XXX as you have noted?
I assume I should keep the actual address in (1) for the vpn to work and connect. Right?
Sorry if my question sounds dumb!
Last edited by zippedmails on Tue Jan 04, 2022 11:50 am, edited 1 time in total.
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 4:51 pm

Thank you guys for both your comments. Points taken.
So, I need to add an extra layer of encryption with IPsec PSK or RSA, or opt for IKEv2 / Wireguard / OpenVPN / OpenConnect / SSTP altogether.
Unfortunately, however, I am quite new to these subjects and don't have the proper knowledge to follow either option by my own. While I will do my own research for this, I wonder if you guys or any other veteran here could provide me with a 'how-to' link to implement either of the above alternatives.
Many thanks and kind regards to all.
The default firewall rules are pretty good for home use.
You can check viewtopic.php?t=181410, @anav's reply
viewtopic.php?t=174199
https://help.mikrotik.com/docs/display/ ... c+Concepts

For the VPN part, what's the purpose of this connection? Site to site?
Hi. Thanks for the thumbs-up! I appreciate it.
As stated in my original post, my prime intention is that all my clients at home (Windows laptops and PCs as well several IOS and Android smart phones) connect to internet (for browsing and otherwise) SOLELY through a vpn tunnel set up on the router. Could this arrangement be called 'Clients-To-Server', I wonder?
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 5:03 pm

Thanks a lot bro.
I input the actual vpn address (219.100.37.198) in two places: (1) under PPP>Interface <ToVPN)> >Dial Out Tab, and (2) under IP>Routes>General Tab.
Do you mean I should completely remove and delete the address from the 'General' tab in (2) above? Or, just replace the numbers with XXX.XXX.XXX.XXX as you have noted?
I assume I should keep the actual address in (1) for the vpn to work and connect. Right?
Sorry if my question sounds dumb!
Don't change anything in your configuration; it's all good and suitable for providing internet to your devices to get past big-brother firewalls. I meant that it's good that you shared your full configuration here and removed passwords from it, but next time also remove public IP addresses from the configuration before posting to a public forum, because now your big-brother government might know that you use a VPN from this address and block it.
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Thu Dec 30, 2021 5:31 pm

@kalamaja

Ah! I got you now!
Silly how I didn't guess your good intention at first. But, thanks a lot for your insight. Will keep that in mind next time.
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: Is L2TP VPN safe for internet traffic?

Sun Jan 02, 2022 2:59 pm

@zippedmails one step you can change to better: in l2tp-server configuration change use-ipsec=yes -> use-ipsec=required to be really sure IPSec tunnel is used.
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Sun Jan 02, 2022 6:45 pm

@kalamaja Thanks so much for your advice. I greatly appreciate it.
Happy New Year to you and everyone else on this forum.
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Sun Jan 02, 2022 8:40 pm

What is strange with this VPN setup, though, is that I still get a timed out connection whenever I try to browse certain pages/websites (that are normally inaccessible by the general public due to ISP/government censorship policies) just as if I were connecting to internet directly through the ISP ADSL modem only (no router). To open such pages, I still need to turn on ANOTHER vpn (such as Psiphon 3, or OpenVPN client for Windows) which is ridiculous and contrary to the original intention of having a vpn in place.
Isn't a VPN setup on the router really supposed to do its job and allow me to get through the government's firewall to browse restricted websites (e.g. YouTube) and disguise my IP address and to hide my identity while surfing the Internet?! If the answer is yes, why on earth does the current L2TP vpn setup (with IPSec enabled) on my Mikrotik fail to do that??
Any solutions to get rid of the need to use a SECOND vpn in this case to get access to restricted websites?
 
loloski
Member Candidate
Posts: 298
Joined: Mon Mar 15, 2021 9:10 pm

Re: Is L2TP VPN safe for internet traffic?

Sun Jan 02, 2022 8:58 pm

Hi

If I were you I'd attack the issue differently: go get a service like Hamachi or TOR instead of doing an L2TP/IPsec VPN; the other server which you peer to has also been blocked. Just my $0.02.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Is L2TP VPN safe for internet traffic?

Sun Jan 02, 2022 9:35 pm

What is strange with this VPN setup, though, is that I still get a timed out connection whenever I try to browse certain pages/websites (that are normally inaccessible by the general public due to ISP/government censorship policies) just as if I were connecting to internet directly through the ISP ADSL modem only (no router). To open such pages, I still need to turn on ANOTHER vpn (such as Psiphon 3, or OpenVPN client for Windows) which is ridiculous and contrary to the original intention of having a vpn in place.
Isn't a VPN setup on the router really supposed to do its job and allow me to get through the government's firewall to browse restricted websites (e.g. YouTube) and disguise my IP address and to hide my identity while surfing the Internet?! If the answer is yes, why on earth does the current L2TP vpn setup (with IPSec enabled) on my Mikrotik fail to do that??
Any solutions to get rid of the need to use a SECOND vpn in this case to get access to restricted websites?
Hello,
There are a few things wrong here.
I'm sorry to have checked your VPN address; that's why you should not share it. Anyway, it looks like the service is in JP. If you want to bypass your ISP firewall, your VPN server must be overseas. Maybe the L2TP server has a site-to-site config. Whenever you figure out how to pass your L2TP connection out, you have to check your IP at ipinfo.io or any other IP address lookup. Then you will know: if your public IP did not change to a 3rd-party country, you need a true VPN. You could buy one from any provider that will sell your data, or you could create your own server; Linux or MT CHR will do the job nicely.
IPsec enabled or disabled doesn't have anything to do with passing your traffic over the L2TP.
I don't think you ever pass traffic over your VPN connection with your current config. You don't have any of the necessary rules that I know of to forward your traffic over the VPN.
The point of having a VPN on the router is to not have to connect any VPN on the clients.
To pass your traffic through your VPN you will need these three rules. If you have FastTrack enabled (it's enabled by default) you have to mark your connection out of FastTrack or disable FastTrack. FastTrack is a firewall future in RouterOS.

You did not share any of your firewall config, if you have any.
Don't copy-paste these rules; make the necessary changes to suit your config.

This rule will mark your route from the src-address of whichever device you want to pass through a VPN connection.

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=no src-address=172.16.1.21-172.16.1.254

out-interface is the name of your outgoing VPN connection, so all your local IPs can send traffic with the public IP of the VPN connection.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=VPN-L2TP

Finally, a route for your marked route (the first rule that I mentioned) to your gateway, which is your outgoing connection to your VPN server.

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=VPN-L2TP routing-mark=VPN

Last edited by own3r1138 on Wed Jan 05, 2022 6:54 am, edited 1 time in total.
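The three rules above, written out as a complete added example against the names in the thread's export (bridge1-Local, ToVPN, ether1-WAN, 172.16.1.0/24); this is not code from the post or from MikroTik. It assumes RouterOS v6 syntax (routing-mark on the route) and an l2tp-client with add-default-route=no: with add-default-route=yes, as in the posted export, the tunnel is already the only default route and marks are only needed when some hosts should use the tunnel and others should not. The address-list name via-vpn, the host 172.16.1.50 and the mark names are hypothetical. Beyond the post's three rules it adds the connection mark that keeps the routing mark alive across fasttrack, the fasttrack exclusion the post mentions, and a drop rule so marked hosts cannot fall back to the ISP when the tunnel is down.

```routeros
# Added example (not the post's or MikroTik's code): steer selected LAN hosts
# through the L2TP/IPsec client interface ToVPN. bridge1-Local, ToVPN,
# ether1-WAN and 172.16.1.0/24 come from the thread's export; the list name,
# the host address and the mark names are hypothetical.

# Hosts that must use the tunnel
/ip firewall address-list
add list=via-vpn address=172.16.1.50 comment="desktop (hypothetical)"

# Mark the connection on its first packet, then give every packet of a marked
# connection the routing mark. A bare mark-routing on packets stops working as
# soon as fasttrack takes the connection over, because fasttracked packets
# skip mangle entirely.
/ip firewall mangle
add chain=prerouting in-interface=bridge1-Local src-address-list=via-vpn \
    connection-state=new action=mark-connection new-connection-mark=vpn-conn \
    passthrough=yes comment="tunnel-bound connection"
add chain=prerouting in-interface=bridge1-Local connection-mark=vpn-conn \
    action=mark-routing new-routing-mark=via-vpn passthrough=no \
    comment="route marked packets via tunnel"

# Default route used only by packets carrying the routing mark (v6 syntax).
# The lookup falls back to the main table when this route is gone.
/ip route
add dst-address=0.0.0.0/0 gateway=ToVPN routing-mark=via-vpn distance=1 \
    comment="marked traffic -> ToVPN"

# Source NAT behind the address the VPN server assigned to ToVPN
/ip firewall nat
add chain=srcnat out-interface=ToVPN action=masquerade comment="masq via tunnel"

/ip firewall filter
# Kill switch: when ToVPN is down the marked route disappears and, without this
# rule, the hosts silently reach the ISP directly. Keep it above any accept or
# fasttrack rule in the forward chain (place-before= when a firewall exists).
add chain=forward src-address-list=via-vpn out-interface=ether1-WAN action=drop \
    comment="no fallback to ISP for tunnel-bound hosts"
# If a fasttrack rule exists, keep tunnel-bound connections out of it so the
# mangle rules above keep seeing their packets (no-op when there is none).
set [ find action=fasttrack-connection ] connection-mark=!vpn-conn

# Check from the router: the marked table must resolve to ToVPN
/ip route print where routing-mark=via-vpn
```

Verify from the marked host with an IP-lookup site, then disable ToVPN and repeat: the lookup must fail rather than show the ISP address.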
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 12:30 am

Hi Guys.

Thank you all for your contributions so far to my issue.

Basically I would like to get this vpn thing sorted out first if possible, and if it doesn’t I would like to understand why. As I mentioned in my original post, I received my router already configured by the seller for L2TP VPN, and so I don’t know why he has set it up the way it is and why it can’t access sites that are blocked by the ISP/government.

I apologize if my questions are too rudimentary for the forum. But, each reply teaches me something new, and since I am on a learning curve I want to understand what and why I should load something on my MT?

Therefore, please talk to me like I don’t know anything because I don’t know anything.
I really struggle to make head or tail of what each of you say each time!

@own3r1138
1. No need to apologize for checking my VPN address. But, thank you anyways. I have already changed it thanks to @kalamaja’s advice earlier. My new VPN is now in Germany, ‘outside’ my ISP location. (The previous VPN address in Japan that you checked was also overseas. So, the problem did not stem from the VPN address IMHO). Nevertheless, I still have the same problem of ‘connection timed out’ for the 'blocked' sites. Therefore, I should agree with you that it’s highly likely that my internet traffic never passes over my current VPN connection configuration. But, if this is really the case why should I see my new VPN IP address correctly as Germany then when I check whatismyipaddress.com?? Isn't that odd??
2. Where should I look for ‘FastTrack’ to check if it is Enabled? In PPP or elsewhere? I have checked several sections in Winbox to find it but can’t locate it.
3. What do you mean that “FastTrack is a firewall future in RouterOS”? (That it would be implemented as a new feature in future RouterOS upgrades?)
4. As for ‘Firewall Rules’, I can see no rules in IP > Firewall Rules.
5. Regarding amending your three rules, what element exactly should I change in each to suit my config?
A. Change “src-address=172.16.1.21-172.16.1.254” in Rule 1? If yes, change to what? 172.16.1.21-172.16.1.254 is the current range of my DHCP Server. Why should I change it?
B. Change “out-interface=VPN-L2TP“ in Rule 2? If you mean changing VPN-L2TP to another name, it is okay as a name. No need to change. Anything else to change?
C. In Rule 3, not sure what to change.

Thanks for your patience and understanding.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 12:53 am

@own3r1138
1. if this is really the case why should I see my new VPN IP address correctly as Germany then when I check whatismyipaddress.com?? Isn't that odd??
If you did check your current IP and it's not your ISP-provided IP, then why can't you open a blocked website? Looks like a misconfig to me.
2. Where should I look for ‘FastTrack’ to check if it is Enabled? In PPP or elsewhere? I have checked several sections in Winbox to find it but can’t locate it.
It's in /ip firewall filter in the forward chain; as you don't have any firewall rules, it's likely that you don't have FastTrack enabled.
3. What do you mean that “FastTrack is a firewall future in RouterOS”? (That it would be implemented as a new feature in future RouterOS upgrades?)
Somehow it will bypass the firewall for your local network, so it may have a conflict with the rule in /ip firewall mangle.
4. As for ‘Firewall Rules’, I can see no rules in IP > Firewall Rules.
You should have a basic firewall even if you have a DSL modem before the MT. There is no point in using the VPN, other than bypassing the ISP firewall, when your point of origin is insecure.
5. Regarding amending your three rules, what element exactly should I change in each to suit my config?
Please do not set these rules for now.
A. Change “src-address=172.16.1.21-172.16.1.254” in Rule 1? If yes, change to what? 172.16.1.21-172.16.1.254 is the current range of my DHCP Server.
I did replace it with your current IP range. Let's say you want to forward your desktop's traffic over the VPN, not the entire DHCP IP pool. That's why.
B. Change “out-interface=VPN-L2TP“ in Rule 2? If you mean changing VPN-L2TP to another name, it is okay as a name. No need to change. Anything else to change?
The name of the gateway interface must match your l2tp-out interface name.
C. In Rule 3, not sure what to change.
Now I'm not sure either.

would you export your most recent config, please?
/export hide-sensitive
make sure your VPN status is connected when you are exporting, please.
UPDATE
So I did a lab version and everything works fine.
Anyway,
I don't understand why your /ip route is the way it is; my guess is that's your problem.
This is a route for your modem, and the second route is for your VPN server through your modem. It doesn't have any route regarding your actual VPN connection; maybe it was disabled at the time.

/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1
add distance=1 dst-address=219.100.37.198/32 gateway=192.168.1.1

LAB: screenshots 1.png to 8.png were attached to this post (not available here).
Last edited by own3r1138 on Mon Jan 03, 2022 8:55 am, edited 14 times in total.
 
kalamaja
Member Candidate
Posts: 112
Joined: Wed May 23, 2018 3:13 pm

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 2:22 am

When you want to hide, you must know how to check your fingerprints. Your configuration had add-default-route=yes, so all the traffic should go to the VPN-connection.

Let's start with tracing:
1. You have a connection, Ethernet cable. Plug your computer to it and open https://whatismyipaddress.com. You get IP-address from your ISP.
2. Connect Mikrotik with L2TP-client to the connection. Check the status of PPP -> L2TP client, is it successfully connected?
3. Connect to the router and open the site https://whatismyipaddress.com again. Does it show the same IP-address or different one? It should show the IP-address, you enter in l2tp-client configuration or similar. If it shows the same as at p1, then your L2TP+IPSec connection doesn't work correctly and you must figure it out.
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 6:23 am

@zippedmails one step you can change to better: in l2tp-server configuration change use-ipsec=yes -> use-ipsec=required to be really sure IPSec tunnel is used.
They are running an l2tp-out; they don't own the VPN server, so they can't change this setting. But for sure they can ask if the provider used a RouterOS VPN server. But I guess NOT; the VPN provider used SoftEther for that part.
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 12:50 pm

Okay. Thanks guys,

@own3r1138 and @kalamaja:

A point to add for clarification is that I currently use one of the publicly available vpn server addresses provided by www.vpngate.net, which is a free service and their servers are relatively stable and durable (but does it matter so much at this stage I wonder?). Surely, procuring a vpn subscription from NordVPN, or Linode, etc. is the proper way to go once my current config issue is resolved.
Bearing that in mind:
1. I input a working vpn server address (from www.vpngate.net) under PPP -> Interface -> ToVPN (this is my interface name) -> Dial Out (in order to activate the L2TP VPN). Please note that I have also added use-ipsec=yes -> use-ipsec=required as per the last comment by @kalamaja.
Now:
2. When I plug my laptop directly to ISP modem with an Ethernet cable and open https://whatismyipaddress.com I get the IP-address from my ISP.
3. When I plug Mikrotik to ISP modem and plug the laptop to Mikrotik with an Ethernet cable and open https://whatismyipaddress.com again, this time I get the vpn address noted in p1 above, meaning that the L2TP VPN is connected to the vpngate server and config is thus seemingly okay. But, strangely enough, still I can’t get access to blocked sites even though my IP address is now shown in IP finder as being outside my ISP location!!? Apparently, my L2TP+IPSec connection doesn't work correctly (as mentioned by @kalamaja in his comment-3 yesterday) and needs fixing, but I can’t tell how.

Below, is my latest configuration WITH VPN status connected:
# jan/03/2022 10:02:44 by RouterOS 6.49
# software id = 65I6-VCH5
#
# model = RB941-2nD
# serial number = D0550D7B5504
/interface bridge
add name=bridge1-Local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface l2tp-client
add add-default-route=yes connect-to=XXX.XXX.XXX.XXX disabled=no name=ToVPN \
    use-ipsec=yes user=XXXXXXXX
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=profile1-LocalWiFi supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no frequency=2432 hide-ssid=yes mode=ap-bridge security-profile=\
    profile1-LocalWiFi ssid=OurHome wps-mode=disabled
/ip pool
add name=dhcp_pool0 ranges=172.16.1.21-172.16.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1-Local lease-time=\
    3h10m name=dhcp1
/interface bridge port
add bridge=bridge1-Local interface=ether4 multicast-router=disabled
add bridge=bridge1-Local interface=ether3 multicast-router=disabled
add bridge=bridge1-Local interface=wlan1 multicast-router=disabled
add bridge=bridge1-Local interface=ether2 multicast-router=disabled
/interface l2tp-server server
set enabled=yes use-ipsec=required
/ip address
add address=172.16.1.1/24 interface=bridge1-Local network=172.16.1.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether1-WAN
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.1.0/24
/ip route
add distance=1 dst-address=XXX.XXX.XXX.XXX/32 gateway=192.168.1.1
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=7911
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Amsterdam
/system clock manual
set dst-end="jan/01/2025 00:00:00" dst-start="jan/01/2021 00:00:00" \
    time-zone=+03:30
Please let me know if I should provide any other information to help find out what is wrong. I wanted to upload and share a number of screenshots that show various config sections in Winbox, but I couldn't figure out how to actually upload them here. The insert image icon on the top menu requires the 'image path' to be inserted as [img]https://image_url[/img]. But, this being my first time, how can I insert images from my hard drive? There's no path/url for it.
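A check the thread does not run, added here as an example rather than anything from the post or from MikroTik. In the export above the DHCP client on ether1-WAN keeps its default use-peer-dns=yes, the DHCP server network sets no dns-server, and 192.168.1.0/24 is routed straight to the modem, so LAN clients most likely still use the resolver learned from the modem (the modem itself at 192.168.1.1 over the connected route, or the ISP's resolvers): the censor's resolver, whichever path the query takes. A resolver that answers blocked names with wrong or no records produces exactly "connection timed out" while an IP-lookup site still shows the VPN address. That is a hypothesis to confirm with step 1, not a fact established in the thread. The resolver 9.9.9.9 is an assumption; any resolver reachable through the tunnel works. Because allow-remote-requests turns the router into a resolver, the input rules are not optional: without them the router answers DNS for anyone on the ISP side or at the far end of the tunnel.

```routeros
# Added example (not from the thread or MikroTik docs): find out where DNS
# goes, pin it to the tunnel, and keep the router's resolver private.
# ether1-WAN, bridge1-Local, ToVPN and 172.16.1.0/24 are the thread's names;
# 9.9.9.9 is an assumed resolver reachable through the tunnel.

# 1. Inspect: learned resolver, DHCP-client DNS setting, and which interface
#    the router would use to reach the modem and the assumed resolver
/ip dns print
/ip dhcp-client print detail
/ip route check 192.168.1.1
/ip route check 9.9.9.9

# 2. Stop learning the modem's resolver; resolve on the router via the tunnel
/ip dhcp-client set [ find interface=ether1-WAN ] use-peer-dns=no
/ip dns set servers=9.9.9.9 allow-remote-requests=yes

# 3. Hand LAN clients the router as their only resolver
/ip dhcp-server network set [ find address=172.16.1.0/24 ] dns-server=172.16.1.1

# 4. Catch clients with hard-coded resolvers: redirect their DNS to the router
/ip firewall nat
add chain=dstnat in-interface=bridge1-Local protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router"
add chain=dstnat in-interface=bridge1-Local protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router"

/ip firewall filter
# 5. The router must not resolve via the ISP side (e.g. 192.168.1.1 over the
#    connected route) and must not serve DNS to the ISP or to the tunnel side
add chain=output out-interface=ether1-WAN protocol=udp dst-port=53 action=drop \
    comment="no DNS via ISP"
add chain=output out-interface=ether1-WAN protocol=tcp dst-port=53 action=drop \
    comment="no DNS via ISP"
add chain=input in-interface=!bridge1-Local protocol=udp dst-port=53 action=drop \
    comment="resolver is LAN-only"
add chain=input in-interface=!bridge1-Local protocol=tcp dst-port=53 action=drop \
    comment="resolver is LAN-only"

# 6. Confirm: resolution still works, and the cache fills from 9.9.9.9, whose
#    route (step 1) is ToVPN
/ip dns cache flush
:put [:resolve whatismyipaddress.com]
/ip dns cache print
```

If step 1 shows the resolver is the modem or an ISP address, and a blocked site loads only after steps 2 to 5, the tunnel was carrying the traffic all along and the leak was the name lookup.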
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 6:36 pm

Hello,
Okay, I really think your config is wrong and you have to add those rules that I mentioned. Plus, your l2tp client does not have any local IP from the server in IP or route.
For attachments: screenshot 2022-01-03_19-55-47.png was attached to this post (not available here).
Honestly, I think the best course of action is to reset your router's config, because you don't have any of the default settings, and then try to add your VPN to your router.
I did share the correct config for your VPN to work, so you could just use my screenshots to config yours. If you can't, I would be happy to remotely config your router for you.
1 - This command is server-side; you can not set your client to required.
2 - You may get the IP from your default route but your config is missing a huge part.
First, your connected L2TP does not have any IP address locally.
Second, the routes in your router are wrong.
3 - You do not have any mangle/NAT rules.
4 - Why did you enable your l2tp server?
/interface l2tp-server server
set enabled=yes use-ipsec=required
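Points 1 and 4 above lead to the check a practitioner would actually run, added here as an example that is not from the post or from MikroTik docs: since use-ipsec=required is a server-side knob, the only way to know from the client that the L2TP session is wrapped in IPsec is to look at the IPsec state and at the wire. ToVPN and ether1-WAN are the thread's names. The router sits behind the ADSL modem's NAT (192.168.1.x on ether1-WAN), so ESP is carried in UDP/4500 (NAT-T) rather than as raw ESP; without a NAT in front, ip-protocol=ipsec-esp would be the thing to look for.

```routeros
# Added example (not from the thread or MikroTik docs): confirm the L2TP
# client is actually wrapped in IPsec, and undo the accidental server.
# ToVPN and ether1-WAN are the thread's names.

# An L2TP *server* on this router is not needed to reach a provider and, with
# no input filter, it listens on UDP/1701 and IKE (UDP/500, 4500) towards the
# ISP side. Turn it off.
/interface l2tp-server server set enabled=no

# 1. Tunnel state: status should read "connected", with the address the
#    server assigned to the tunnel end
/interface l2tp-client monitor ToVPN once

# 2. IPsec state: with use-ipsec=yes the client creates a dynamic peer and a
#    transport-mode policy for UDP/1701 to the server. All three must be
#    populated while the tunnel is up; if they are empty, L2TP runs in clear.
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print

# 3. Wire check on the WAN side (Ctrl-C stops each capture): behind the
#    modem's NAT the encrypted session shows up as UDP/4500 and the first
#    capture should stay busy, while no plain UDP/1701 L2TP frames should
#    appear in the second one
/tool sniffer quick interface=ether1-WAN ip-protocol=udp port=4500
/tool sniffer quick interface=ether1-WAN ip-protocol=udp port=1701
```

If the second capture shows L2TP frames while the tunnel is up, the provider's server is not negotiating IPsec with this client and the session is unencrypted regardless of what use-ipsec says.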
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 8:32 pm

Hi,
Thank you so much for your attention and advice. I really appreciate it.
I have taken note of your replies to points 1, 2 & 3. All understood.
So, I need to reset the config based on your instructions. Let me try this out and come back to you with the end result once I can get everything in place, hopefully in the correct order (I will take up your offer to do the config for me remotely with great pleasure if I fail to do the config by myself since I haven't done this sort of stuff before!).
In the meantime, I presume I should receive from you the relevant 'script' for the firewall rules shown in your attached screenshot. Correct?
 
own3r1138
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 8:45 pm

Hi,
Thank you so much for your attention and advice. I really appreciate it.
I have taken note of your replies to points 1, 2 & 3. All understood.
So, I need to reset the config based on your instructions. Let me try this out and come back to you with the end result once I can get everything in place, hopefully in the correct order (I will take up your offer to do the config for me remotely with great pleasure if I fail to do the config by myself since I haven't done this sort of stuff before!).
In the meantime, I presume I should receive from you the relevant 'script' for the firewall rules shown in your attached screenshot. Correct?
If you reset your config then you should have the same firewall rules as mine.
Then you can try to add your VPN + the 3 rules I mentioned so you can pass traffic over the VPN.
But anyway, here are the default IPv4 firewall rules:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Update:
I think you cannot use these rules as-is: as you don't have the default config, you don't have an in-interface-list, so you should change it to in-interface=ether1-WAN
and bridge1-Local to suit your current config.

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface=!bridge1-Local
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 9:26 pm


4- why did you enable your l2tp server?
Regarding 4, my chief reason to purchase the Mikrotik was/is to tunnel my whole internet traffic through it so that all my clients at home could bypass the ISP's firewall. Therefore, I asked the seller to set up the router for me to make this possible, preferably using OpenVPN Server with Windows clients. Instead, he enabled L2TP VPN server on the router saying it was not possible to set up OpenVPN Server on Mikrotik, which I now understand is not so! I have also learnt in the intervening period that OpenVPN Server is mainly used for remote connection to local network(s) behind the Mikrotik, but that's a different story I guess. Having said that, I should mention that I have even tried a few times, without success, to set up OpenVPN Server on a separate similar Mikrotik for the above purpose based on some how-to procedures I found on YouTube, but I could never get the final ovpn profile to connect to the openvpn server from my Windows client. That's an aim I am still pursuing with great interest.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 9:33 pm


4- why did you enable your l2tp server?
Regarding 4, my chief reason to purchase the Mikrotik was/is to tunnel my whole internet traffic through it so that all my clients at home could bypass the ISP's firewall. Therefore, I asked the seller to set up the router for me to make this possible, preferably using OpenVPN Server with Windows clients. Instead, he enabled L2TP VPN server on the router saying it was not possible to set up OpenVPN Server on Mikrotik, which I now understand is not so! I have also learnt in the intervening period that OpenVPN Server is mainly used for remote connection to local network(s) behind the Mikrotik, but that's a different story I guess. Having said that, I should mention that I have even tried a few times, without success, to set up OpenVPN Server on a separate similar Mikrotik for the above purpose based on some how-to procedures I found on YouTube, but I could never get the final ovpn profile to connect to the openvpn server from my Windows client. That's an aim I am still pursuing with great interest.
You're very wrong.
If your purpose is to bypass the ISP firewall, then you are using a VPN protocol to connect to a VPN server. You don't need to enable/config any VPN server in PPP; you only need to add a VPN as a client. You don't provide any services. All of your devices are running under your Mikrotik, and therefore you can configure your router to do whatever you wanna do with the local aspect of the network and then use a VPN client running on the router to forward it to the WWW through a VPN tunnel.

update
What you want to do with OpenVPN is the same as with L2TP, so you don't need to do a server-side config. The Mikrotik OpenVPN didn't have UDP support and still doesn't have it in your software version, and if you use TCP, as your ISP is filtering, there is a good chance that it is gonna kill your connection speed or even not pass the firewall.

As for the config file for OpenVPN, this is just a concept; no client certificate is required on the server side.
client
dev tun
proto udp
remote IP port
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
auth-nocache
verb 3
#comp-lzo
cipher AES-256-CBC
data-ciphers AES-256-CBC
route 0.0.0.0 0.0.0.0
redirect-gateway def1
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 11:43 pm

I have to admit that I am pretty confused and lost by all the technicalities you've mentioned here in your updated comments.
Please correct me if I am wrong. Put simply:
1. You say that in order to bypass the ISP firewall, I have been on the wrong path all along since I am trying to use a VPN protocol (be it l2tp, or openvpn) to connect to a VPN server. Okay. Fair enough. I didn't know this. If this is wrong practice, then it's wrong and should be abandoned. Perhaps this explains the reason for the peculiar behavior of my current vpn connection and config.
2. You then say in order to bypass the ISP firewall (which is my main intention of using the Mikrotik router), I just need to 'add a VPN as client' without the need to enable/config any VPN server in PPP. Okay. But, 'how' and 'where' to 'add a VPN as client' to run on the router? Please clarify.
3. Based on 2, do I still need to do a factory reset of the router and configure it anew according to your 3 rules and screenshots? If not, what changes/modifications does it need in order to allow adding a vpn as client to it?
4. How can I connect to this ‘added client VPN’ later from my Windows/iOS clients in my local network?
5. Last but not least, you say I should avoid setting up OpenVpn Server on Mikrotik for the purpose of bypassing ISP firewall due to its lack of support for UDP (I knew this before) and other limitations. Okay. But, hearing that ‘no client certificate is required on the server-side’ is surprising since all the literature I have read on OpenVPN Server (including Mikrotik wiki) require 3 certificates (namely, the main ‘Authority Certificate’ or CA as well as the ‘Server’ and ‘Client’ key) to be created, signed and exported for the OpenVPN to work. This, of course, is a side note to the issue at hand that could be discussed separately. I just pointed it out in response to your remark that ‘no client certificate is required on the server-side’.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Is L2TP VPN safe for internet traffic?

Mon Jan 03, 2022 11:47 pm

You are asking a lot of questions; let me try to simplify this for you.

1/2
Perhaps you are thinking that because you want to pass the traffic of your local devices over the VPN you should somehow enable server binding in your router, but this is not the case. You set up a VPN client in your router and configure your local network in the router in such a way as to pass the traffic over the VPN client.
So the VPN connection that you created is correct; it is an L2TP-out (L2TP client), but your router has some misconfigurations.
You don't need an L2TP server/OpenVPN server. Your router is the client, not a server.
This is an L2TP server binding:
/interface l2tp-server server
set enabled=yes use-ipsec=required
This is an L2TP client; it could be an OpenVPN client if you want to use OpenVPN.
2022-01-04_01-20-16.png
3------------------------------------------------------------------------
I strongly suggest you RESET the config to the default factory settings. Your current config does not have the default config, and this is hard to troubleshoot. You also made some changes yourself, as I can see in the first and last config exports, so to keep it simple and easy to manage: yes. Alarm - before you do the reset, remove the MT from your network and connect your PC/phone to your DSL modem directly to see if you can connect to the internet directly. There is no config in your MT that suggests any problem if you reset the config, but as I don't know the full setup scenario, check this before you do.

The full path
reset-config | Disable The FastTrack | Reboot | L2TP Client | Mangle | NAT | Route
Confirm everything works. You should enable FastTrack after you have done your test. But let us just stop here for now; I don't wanna confuse you more than you already are.
4---------------------------------------------------------------------------
You don't have to connect to anything from your endpoint device. You simply configure your router in such a way that it will pass your endpoint devices' traffic over the provided VPN on the router itself.
5-------------------------------------------------------------------------
You can configure your OpenVPN server in different scenarios.
The one you mentioned, yes, does require at least 2 certs: you could use the CA on the OVPN server itself and one for the client.
This certificate is self-signed, and the authority for the CA is the CA itself, so as there is no higher authority verifying your CA, you should export and install the certificates on any device that you want to connect with it, or you could simply put your CA and client cert in your client profile.
I did not tell you that you could not use OpenVPN. If you update to v7 you could use it, and probably you should, as it is a better option than L2TP; but if you do update, there are better options such as WireGuard that will be available with the update to the newer kernel. But as I understand it, your device doesn't have enough RAM for it. It's a shame. Still, nothing prevents you from upgrading your hardware or using IKEv2 on your v6 RouterOS.
update - I may have misled you.
but I could never get the final ovpn profile to connect to the OpenVPN server from my Windows client
The OpenVPN config file that I shared with you is for the Windows client connection, as you mentioned in your previous post. This is not a way to configure your OpenVPN server. Again, as you don't provide any VPN services, you don't need an OpenVPN server; you just need an OpenVPN client.
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 5:37 pm

Hello,
I disabled L2TP Server in PPP as per your advice. The blocked sites, however, continued to be inaccessible! (Just for the record.)
Next, I did a hard reset of the router (keeping default config).
Before resetting, I removed the MT from my network and connected my PC to the DSL modem directly. I could connect to the internet with no problem. (BTW, I don’t have a static IP on my DSL modem. It is dynamic).
This is the course of action for setting up the router:
1. I opened Quick Set -> Home AP -> Internet -> Automatic -> IP Address (192.168.1.110), Netmask (255.255.255.0 (/24)) and Gateway (192.168.1.1) were already populated automatically.
2. Under Local Network -> I manually set IP Address to (172.16.1.1) and DHCP Server Range to (172.16.1.21-172.16.0.254), Netmask was already populated as: 255.255.255.0 (/24)
Question: Why does ‘Address Acquisition’ under Internet in Home AP change from Automatic to Static as soon as I click Apply and OK to save the above changes? Is this normal?
1.jpg
3. I then applied your Rule 1 in a new terminal; all okay.
[admin@MikroTik] /ip firewall mangle> add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=no src-address=172.16.1.21-172.16.1.254
4. Then applied Rule 2: (gave error)
[admin@MikroTik] /ip firewall nat> add action=masquerade chain=srcnat out-interface=VPN-L2TP
input does not match any value of interface
5. And Rule 3: (also gave error)
[admin@MikroTik] /ip firewall nat> add action=masquerade chain=srcnat out-interface=VPN-L2TP
input does not match any value of interface

So, I couldn’t proceed beyond Rule 1. Have I missed something so far?
2.jpg
Last edited by zippedmails on Tue Jan 04, 2022 7:36 pm, edited 1 time in total.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 6:07 pm

@zippedmails
The idea behind the reset config was for you to have a default IP range and settings, and you replaced it with your old config again.
Anyway
There are a few things.
No, you did not change your L2TP client interface name. Therefore you got an error in rules 2-3; rule 3 depends on the gateway name, so it did not register either. Even if you did rename your interface, there is another variable in the picture for the routing rule.
You did not enable your firewall again.
I think it's time to try remote config.
Question: Why does ‘Address Acquisition’ under Internet in Home AP change from Automatic to Static as soon as I click Apply and OK to save the above changes? Is this normal?
I think this is a Quick Set problem.
1.png
The gateway in your static IP is wrong too; it should be 192.168.1.1, not 110.
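An added consistency check (my own code, not from this thread or from MikroTik) for the points raised above: a small Python linter that parses a RouterOS v6 export and verifies that every interface a firewall rule names actually exists (the cause of the "input does not match any value of interface" error), that the input chain still ends with the default "drop all not coming from LAN" rule, and that the mangle routing mark, the routing-mark route and the srcnat masquerade rule all line up on the L2TP client interface. The export text is constructed sample data; the 203.0.113.10 endpoint, the user name and the interface names are placeholders in the style of the thread's config.

```python
import re

# Constructed RouterOS export (sample data, not the thread's real config): the L2TP client is
# named ToVPN but the NAT rule says VPN-L2TP, the mismatch behind "input does not match any value of interface".
SAMPLE_EXPORT = """
/interface bridge
add name=bridge1-Local
/interface l2tp-client
add add-default-route=no connect-to=203.0.113.10 name=ToVPN use-ipsec=yes user=vpnuser
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=drop chain=input in-interface=!bridge1-Local
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=no src-address=172.16.1.21-172.16.1.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VPN-L2TP
/ip route
add distance=1 gateway=ToVPN routing-mark=VPN
"""

def parse_export(text):
    """Group each add/set line under its /path, as a dict of key=value pairs."""
    sections, path = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("/"):
            path = line
        else:
            sections.setdefault(path, []).append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def lint_export(text):
    """Return findings for a 'LAN over L2TP client' setup; an empty list means it looks consistent."""
    s = parse_export(text)
    rows = lambda p: s.get(p, [])
    ifaces = {r["name"] for p in s if p and p.startswith("/interface") for r in rows(p) if "name" in r}
    vpn = {r["name"] for r in rows("/interface l2tp-client")}
    lan = {r["name"] for r in rows("/interface bridge")}
    # 1. Every interface a firewall rule refers to must exist (RouterOS rejects the rule otherwise).
    findings = [f"{p}: {k}={r[k].lstrip('!')} is not an existing interface"
                for p in ("/ip firewall filter", "/ip firewall nat") for r in rows(p)
                for k in ("in-interface", "out-interface") if k in r and r[k].lstrip("!") not in ifaces]
    # 2. The input chain must end by dropping everything that did not arrive from the LAN bridge.
    inp = [r for r in rows("/ip firewall filter") if r.get("chain") == "input"]
    if not inp or inp[-1].get("action") != "drop" or inp[-1].get("in-interface", "").lstrip("!") not in lan:
        findings.append("input chain: last rule is not 'drop all not coming from LAN'")
    # 3. Mangle mark -> route carrying that mark via the L2TP client -> masquerade on that interface.
    marks = {r["new-routing-mark"] for r in rows("/ip firewall mangle") if r.get("action") == "mark-routing"}
    routes = {r.get("routing-mark"): r.get("gateway") for r in rows("/ip route")}
    findings += [f"route: no route with routing-mark={m} via the L2TP client" for m in marks if routes.get(m) not in vpn]
    if not any(r.get("action") == "masquerade" and r.get("out-interface") in vpn for r in rows("/ip firewall nat")):
        findings.append("nat: no srcnat masquerade rule whose out-interface is the L2TP client")
    return findings
```

Run it against the output of `/export` on the router; on the sample it reports the unknown VPN-L2TP interface and the consequently missing masquerade rule, and renaming the interface in the NAT rule to ToVPN clears both findings.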
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 7:25 pm

I appreciate your detailed comments.
However, as stated in my previous post, I did a physical reset of the router (just keeping the default configuration) BEFORE applying rules 1, 2 and 3. So, there were no settings for L2TP Client on the router at this stage to cause a conflict with rules 2 and 3.
Notwithstanding the background, perhaps I should better leave it to you now to do a remote config at your convenience. Kindly PM me as to what you would need to be in place at my end in advance in this connection.
I look forward to your reply and am truly grateful for your assistance.
Kind regards.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 7:38 pm

I appreciate your detailed comments.
However, as stated in my previous post, I did a physical reset of the router (just keeping the default configuration) BEFORE applying rules 1, 2 and 3. So, there were no settings for L2TP Client on the router at this stage to cause a conflict with rules 2 and 3.
Notwithstanding the background, perhaps I should better leave it to you now to do a remote config at your convenience. Kindly PM me as to what you would need to be in place at my end in advance in this connection.
I look forward to your reply and am truly grateful for your assistance.
Kind regards.
Do you have discord or any platform that we start with talking so we could exchange info ?
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 7:57 pm

Discord, no. But I am on WhatsApp (and Telegram). Will they be okay for you?
I am also reachable on Signal.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 8:04 pm

Discord, no. But I am on WhatsApp (and Telegram). Will they be okay for you?
I am also reachable on Signal.
WhatsApp is fine by me.
Last edited by own3r1138 on Tue Jan 04, 2022 8:30 pm, edited 2 times in total.
 
zippedmails
just joined
Topic Author
Posts: 16
Joined: Wed Dec 29, 2021 11:10 pm

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 8:13 pm

I am also comfortable with WhatsApp and have it already installed. Thanks for the link anyway.
Pass me your WhatsApp number in PM please so that I can contact you.
 
User avatar
own3r1138
Long time Member
Long time Member
Posts: 681
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
Contact:

Re: Is L2TP VPN safe for internet traffic?

Tue Jan 04, 2022 8:14 pm

I am also comfortable with WhatsApp and have it already installed. Thanks for the link anyways.
Pass me your WhatsApp number in PM please so that I can contact you.
There is no PM/PV as this is a forum. I did share my QR code; you should scan it with your phone.
