 
maverix3
just joined
Topic Author
Posts: 6
Joined: Sat Jan 18, 2020 12:16 pm

Is there any way to hide the RED comment?

Thu May 05, 2022 2:39 pm

After upgrading to 7.2.3 from v6, I noticed all of my PPTP connections topped with red messages saying
PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
whether in winbox or terminal.

I know PPTP is insecure, but a large number of my clients' embedded devices require VPN and PPTP is the only supported protocol, so for now I have to suffer a full window of red messages, which is really annoying and distracting.

Is there any way to hide those red messages? Or is there any plan to make it possible, if it isn't yet?

Thanks.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 2:54 pm

Is there any way to hide those red messages?
Yes, use a more modern VPN protocol instead...
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 2:58 pm

Time to start upgrading older hardware.
 
maverix3
just joined
Topic Author
Posts: 6
Joined: Sat Jan 18, 2020 12:16 pm

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 3:13 pm

Is there any way to hide those red messages?
Yes, use a more modern VPN protocol instead...
So there is no plan to make this message hide-able in the future?
Or any plan to remove pptp totally in the future?
 
maverix3
just joined
Topic Author
Posts: 6
Joined: Sat Jan 18, 2020 12:16 pm

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 3:14 pm

Time to start upgrading older hardware.
Time is not the problem. Money is.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 3:20 pm

Time to start upgrading older hardware.
Time is not the problem. Money is.
Using, for example, SSTP requires no money...
 
maverix3
just joined
Topic Author
Posts: 6
Joined: Sat Jan 18, 2020 12:16 pm

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 3:43 pm

Time is not the problem. Money is.
Using, for example, SSTP require no money...
Like I said, my clients are using dedicated embedded devices. No one will develop an SSTP stack for it for free as far as I know.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 3:45 pm

I know PPTP is insecure

But do you know precisely how insecure it is? Anyone who can MITM the connection can break it in under a day with decade-old cracking technology.

The MITM step isn't a huge hurdle. There are several available methods, all of which are reduced to freely-available tools. Since the best method for avoiding MITM is to encapsulate the traffic in a properly-designed secure tunnel — TLS, SSH, proper VPN, etc. — the argument that MITM isn't a concern falls in on itself when it comes to questions such as this thread's.

PPTP is really really really bad!

a large number of my clients' embedded devices require VPN

How about you draw out the network design, and let us come up with a workable migration plan for you? The only way PPTP is your only feasible option is if you're about to go out of business. By putting your trust in PPTP, you're risking that already.

my clients are using dedicated embedded devices. No one will develop a SSTP stack for it for free

Ship each site a pre-configured hEX or similar to terminate a proper VPN tunnel. For instance, a site-to-site WireGuard tunnel, which can be port-forwarded through a NAT layer. That'll solve your PPTP problems for very little money compared to the company-ending liability risk you're taking on by not doing something like this.

If the devices won't talk over anything but PPTP, you can still tunnel PPTP through the outer tunnel. It'd be inefficient, but it'd work.

I have to suffer full window of red messages which is really annoying and distracting.

How much suffering, annoyance, and distraction do you suppose you're in for if someone decides to start cracking your PPTP tunnels?

You don't get a choice between zero annoyance and some annoyance. You only get a choice of which bag-of-annoyance you're willing to pick up. Passively avoiding the choice is still a choice, because it merely means someone else gets to decide which bag-of-annoyance to hand you.

Time is not the problem. Money is.

Do you suppose cleaning up after a successful attack will be cost-free?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 3:58 pm

@tangent
I perfectly agree
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 4:07 pm

Nothing insecure with PPTP if using correct encoding like EAP / PEAP / EAP-TLS etc. The problem is that ROS lacks support for these in the current implementation. I know plenty of old installations of PPTP (as well as IE6!) in corporate environments that for various reasons are still up and running but have been secured using modern encoding.

But in general and if possible I would advise changing to Wireguard (SOHO) or IPsec/IKEv2 (business env).

EDIT:
Another reason to change from PPTP is that it depends on GRE, which nowadays often might be filtered in public hot spots, hotels, satellite links etc.
Last edited by Larsa on Thu May 05, 2022 4:23 pm, edited 1 time in total.
 
maverix3
just joined
Topic Author
Posts: 6
Joined: Sat Jan 18, 2020 12:16 pm

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 4:14 pm

I know PPTP is insecure

But do you know precisely how insecure it is? Anyone who can MITM the connection can break it in under a day with decade-old cracking technology.

The MITM step isn't a huge hurdle. There are several available methods, all of which are reduced to freely-available tools. Since the best method for avoiding MITM is to encapsulate the traffic in a properly-designed secure tunnel — TLS, SSH, proper VPN, etc. — the argument that MITM isn't a concern falls in on itself when it comes to questions such as this thread's.

PPTP is really really really bad!

a large number of my clients' embedded devices require VPN

How about you draw out the network design, and let us come up with a workable migration plan for you? The only way PPTP is your only feasible option is if you're about to go out of business. By putting your trust in PPTP, you're risking that already.

my clients are using dedicated embedded devices. No one will develop a SSTP stack for it for free

Ship each site a pre-configured hEX or similar to terminate a proper VPN tunnel. For instance, a site-to-site WireGuard tunnel, which can be port-forwarded through a NAT layer. That'll solve your PPTP problems for very little money compared to the company-ending liability risk you're taking on by not doing something like this.

If the devices won't talk over anything but PPTP, you can still tunnel PPTP through the outer tunnel. It'd be inefficient, but it'd work.

I have to suffer full window of red messages which is really annoying and distracting.

How much suffering, annoyance, and distraction do you suppose you're in for if someone decides to start cracking your PPTP tunnels?

You don't get a choice between zero annoyance and some annoyance. You only get a choice of which bag-of-annoyance you're willing to pick up. Passively avoiding the choice is still a choice, because it merely means someone else gets to decide which bag-of-annoyance to hand you.

Time is not the problem. Money is.

Do you suppose cleaning up after a successful attack will be cost-free?
So generally there is no way to hide those red messages for now and in the future, right?
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 4:19 pm

The problem is that ROS lacks support for these in the current implementation.

I'd bet the OP's embedded devices lack support for that as well. He doesn't read as one who's likely to run a proper PKI.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 4:21 pm

well... 1+1=2... :lol:
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 4:57 pm

Nothing insecure with PPTP if using correct encoding like EAP / PEAP / EAP-TLS etc.

I wonder if the reason RouterOS doesn't bother supporting that is that the underlying MPPE protocol tops out at 128-bit RC4. All adding EAP-TLS does here is secure the authentication layer, effectively replacing a potentially weak CHAP password with a 128-bit random key. That's better, but is it "better enough" in the modern environment? That level of tech is what WEP and WPA-TKIP were based on, both now considered insecure. RC4 is outright banned in modern TLS.

The nice thing about TLS-based VPN technologies like SSTP and OpenVPN is that you can at least apply restrictions like "TLS v1.2 and up" to track evolving security risks such as these.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Is there any way to hide the RED comment?

Thu May 05, 2022 5:25 pm

I think some use cases of PPTP are not deployed trying to reach confidentiality and integrity goals

Sometimes PPTP is simply to overcome some obstacles in connectivity, but the traffic passing across it is already encrypted because it is intended to work across the internet without any additional protection.

In some cases PPTP is often established without any encryption to speed it up

Of course only for internet traffic passing by, no private, corporate or sensitive traffic

Most internet traffic is already protected to achieve confidentiality and integrity

If you are fully aware of the risk it is your decision

Of course MikroTik has to make the risk very clear to avoid future problems, because when an attack or a breach becomes publicly known the involved vendor's reputation gets affected

Because of that they put that red flag, impossible to ignore, and I agree with that

If you are trying to hide that from your customer that is a bad thing; because of that these red flags exist
 
maverix3
just joined
Topic Author
Posts: 6
Joined: Sat Jan 18, 2020 12:16 pm

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 10:00 am

I think some use cases of PPTP are not deployed trying to reach confidentiality and integrity goals

Sometimes PPTP is simply to overcome some obstacles in connectivity, but the traffic passing across it is already encrypted because it is intended to work across the internet without any additional protection.

In some cases PPTP is often established without any encryption to speed it up

Of course only for internet traffic passing by, no private, corporate or sensitive traffic

Most internet traffic is already protected to achieve confidentiality and integrity

If you are fully aware of the risk it is your decision

Of course MikroTik has to make the risk very clear to avoid future problems, because when an attack or a breach becomes publicly known the involved vendor's reputation gets affected

Because of that they put that red flag, impossible to ignore, and I agree with that

If you are trying to hide that from your customer that is a bad thing; because of that these red flags exist
Yes our use case is exactly like what you've mentioned.
We use PPTP to link multiple devices into the same LAN and payloads are already encrypted with TLS. Security is not a concern of the tunnel.
My customers know nothing about the core router. I just want to make my backend clean and easier for me to concentrate on, as it was back in v6.
It's still alright if it can't be hidden since it's not intolerable.
Thanks.
 
normis
MikroTik Support
Posts: 26291
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 10:18 am

Using EoIP is much better than using PPTP for such purpose. Don't use PPTP to just link networks
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 11:57 am

Using EoIP is much better than using PPTP for such purpose.

That, or ZeroTier.
 
kraal
Member Candidate
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 12:07 pm

PPTP is the only supported protocol
The OP wrote the above line in his first message. Since then, almost everyone is trying to convince him to use anything else than PPTP. Am I missing anything?

That being said, I both understand "why" there are red messages and why the OP is annoyed.
Wouldn't it be possible for Mikrotik to add to the message something like "[current message] Use PPTP at your own risk. You can disable this warning in the preferences. Note that PPTP is deprecated for security reasons and will be removed in a future release."
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 12:20 pm

The OP wrote the above line in his first message. Since then, almost everyone is trying to convince him to use anything else than PPTP. Am I missing anything?
You missed comments like this:
Ship each site a pre-configured hEX or similar to terminate a proper VPN tunnel. For instance, a site-to-site WireGuard tunnel, which can be port-forwarded through a NAT layer. That'll solve your PPTP problems for very little money compared to the company-ending liability risk you're taking on by not doing something like this.
If your equipment only supports PPTP, get rid of it or add a box in front of it that does support more secure communication.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 12:27 pm

@kraal
The OP wrote the above line in his first message. Since then, almost everyone is trying to convince him to use anything else than PPTP. Am I missing anything?

You prefer a dumb reply like: 1) No, 2) No
Or like the usual rextended answer: Go back to 6.48.6 long-term
Or the 2nd rextended choice for sarcasm: Yes, use a more modern VPN protocol instead...
Or something like: +1 for add "hide red warnings"
???
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 12:45 pm

almost everyone is trying to convince him to use anything else than PPTP. Am I missing anything?

Perhaps it is the implicit admission that he's got a functionally unsecured tunnel into the private LAN on one end of this connection or the other. And once one end is cracked, the other end is vulnerable.

This is why I characterized it as a "company-ending risk" above. If they get cryptomalwared, for example, and someone works out that it got in via this PPTP path, what do you suppose the result will be?

What really irks me is that the OP keeps doubling down on the wish to hide the message rather than address the risk it's warning about.
 
kraal
Member Candidate
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 1:12 pm

You miss comment like this:

I wrote "almost", I'm not talking especially about tangent's comment, which is suggesting a valid alternative, indirection-based solution ("All problems in computer science can be solved by another level of indirection"), but about the ones writing "use XXX protocol instead".

I am personally not and would not be using PPTP in 2022. However, I know almost nothing about the context of the OP, the devices, their usage, the business criticality, the cost of failure, etc. Only the OP knows about it and says that it's ok for him. So why try to convince him if he continuously says he knows what he's doing? I won't lose my job if anything happens; maybe he will, maybe he doesn't care. Most people think that managing risk means "removing the risk's cause" (get rid of PPTP), but there are alternative approaches such as "mitigating" it or simply "accepting" a risk because the probability and effects of events, if they occur, are considered acceptable enough from the stakeholder's position.

In the end, he's the one running his business. Let him manage his risks as he considers he should do it.

Real life example: My car has a feature which starts beeping and displaying a red blinking logo on the car's dashboard every time I'm above the speed limit "known" to the embedded navigation system... The problem is that the navigation system is outdated/the data is wrong in some cases and not easy to upgrade (and it's damn expensive and I don't want to spend a single cent to fix it). Yes, the beeps are a valid warning in most cases, but in some cases they are not adapted to the context. As the navigation system is embedded, fixing this for good would mean adding an additional device or changing the car. Hopefully they added a feature so I can turn those warnings off. So I turned them off: it is MY responsibility to evaluate how risky the situation is, it is not the responsibility of the car's producer, if something goes wrong.

If your equipment only supports pptp, get rid of it or add a box in front of it that do support a more secure communiction.

Sure, but I guess you're not explaining it this way to your clients, are you? I like the "direct and no bullshit" way of speaking the truth, but not all clients are able to hear it :-)
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 1:22 pm

If you can live with the non secure PPTP, you should have no problem with a RED comment in Winbox.

You can use an external tool to look at the VPN connection, like my Splunk for MikroTik.
There you can set up what you like to see or not to see.
 
kraal
Member Candidate
Posts: 142
Joined: Tue Jan 19, 2021 10:24 pm

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 1:29 pm

This is why I characterized it as a "company-ending risk" above. If they get cryptomalwared, for example, and someone works out that it got in via this PPTP path, what do you suppose the result will be?
It's the OP's responsibility to analyse and suppose, not mine.
What really irks me is that the OP keeps doubling down on the wish to hide the message rather than address the risk it's warning about.
Why does it irk you? You did (well) your "job" by explaining and suggesting a solution (due diligence); IMHO no one is here to save him from supposed mistakes.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 1:39 pm

My car GPS gives a red warning sign with the speed limit when I drive past the speed limit.
I then have some options.
1. Drive slower
2. Ignore the warning
3. Turn off GPS
4. Request the producer to remove the warning.
5. Use another GPS without the warning
6. ?

Same for the OP. He gets several posts here on what to do. It's up to him to choose what to do.

1. Change VPN or add some VPN in front
2. Ignore the warning
3. Don't look at the Winbox message
4. Send an email requesting removal of the warning. Send an email to support@mikrotik.com.
5. Use another tool to monitor VPN, like Splunk
6. ?
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 3:07 pm

In the end, he's the one running his business. Let him manage his risks as he considers he should do it.
I agree with this statement.
All have given valid reasons why not to pursue PPTP or provided alternatives how to get around that problem.
But at the end OP is responsible for his own choices given all arguments and options presented by others. Nobody else.

You can lead a horse to the water.
But you can not force it to drink.

Oh and BTW: I'm completely ok with the red message :lol:
 
mrz
MikroTik Support
Posts: 7038
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Is there any way to hide the RED comment?

Fri May 06, 2022 3:16 pm

In short, no, you cannot hide the message, and no, there won't be an option to disable it.

If you really need to hide something you can always develop your own tool that will show exactly what you want. RouterOS provides all the necessary means to do so.
 
flatbat
Frequent Visitor
Posts: 57
Joined: Tue Apr 06, 2010 11:18 pm

Re: Is there any way to hide the RED comment?

Thu May 26, 2022 1:04 pm

We use lots of PPTP for file transfers over long-distance (=high latency) point-to-point links, where GRE is much, much faster than the TCP- and UDP-based protocols.
We have seen that L2TP/IPsec works just as well as PPTP, but seems to be rate-limited at times; contrary to many beliefs, it's our experience that UDP sometimes is rate-limited over expensive intercontinental links whereas GRE is let through at full speed, which still makes PPTP the superior protocol to use.

Some of our endpoints have dynamic IPs and therefore need to be the initiator of the setup, and authentication cannot be based on IP address. Every site has its own address range, and we want routing (not EoIP). We use OSPF on all links to share routes. All endpoints are RouterOS (RouterBoards as well as CHRs in all the main public clouds).

I can't see any obvious alternative if we now can't use PPTP in the future?
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Is there any way to hide the RED comment?

Thu May 26, 2022 1:42 pm

You still can use it.
It will just display a red message. That's all.
 
flatbat
Frequent Visitor
Posts: 57
Joined: Tue Apr 06, 2010 11:18 pm

Re: Is there any way to hide the RED comment?

Thu May 26, 2022 2:47 pm

Sure, but I agree with OP that it doesn't seem very professional with screens full of red warnings that every connection is unsafe.
I could maybe DIY some solution with IPSec or EoIP, but that would also have its flaws and potential security issues due to the increased complexity.
RouterOS also doesn't have any route-based IPSec support, which would be the otherwise natural solution.
Last edited by flatbat on Thu May 26, 2022 8:36 pm, edited 1 time in total.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Thu May 26, 2022 6:39 pm

it doesn't seem very professional with screens full of red warnings that every connection is unsafe.

What's unprofessional is ignoring the warnings that your connections are unsafe!

Read the thread above. PPTP as implemented in RouterOS is trivial to break.

If it were strengthened to its max as Larsa suggests, requiring use of EAP and thus that you run a PKI to support it, it remains that the underlying MPPE encryption is about as secure as WEP was, since it's also based on RC4, which is itself badly broken. Even if it were a sound encryption algorithm, it maxes out at 128-bit, which is on the weak side for symmetric encryption these days.

I've skimmed the MPPE RFC, and I see no references to "RC4-drop[n]" or anything like it, which is the best mitigation for RC4's weaknesses.

If you're fine with insecure connections, use an unencrypted tunnel. Then you're telling RouterOS, "Yes, I know this is insecure," and it won't show red warnings.
 
flatbat
Frequent Visitor
Posts: 57
Joined: Tue Apr 06, 2010 11:18 pm

Re: Is there any way to hide the RED comment?

Thu May 26, 2022 8:57 pm

Sure there is a risk with PPTP if there indeed is somewhere where someone has physical access to intercept and record your traffic, and then the ability to brute force your password from that recording. They could then disconnect my link and quickly use the credentials to log in to our server before the real site retries the connection. This assuming they also have access to a service such as CloudCracker, which I don't think is publicly available any longer, but there probably are others.
Anyway, first of all we need something that fulfills the business requirements; I need a protocol for site2site links with performance like GRE that circumvents international rate-limiting and tcp-latency, and that gives a routable interface in RouterOS for each site. The payload is encrypted in SSH, so I really only need to protect the credentials.
What would be the alternative to PPTP? We don't have ROS7 in many places, but maybe Wireguard could be the solution?
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Is there any way to hide the RED comment?

Thu May 26, 2022 9:14 pm

Sure, but I agree with OP that it doesn't seem very professional with screens full of red warnings that every connection is unsafe.
Is the OP logged in to your router (winbox/web) with the log window open all the time?
I would say that Winbox/web are for configuration and searching for problems.
Last edited by Jotne on Fri May 27, 2022 8:06 am, edited 1 time in total.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Fri May 27, 2022 4:53 am

Sure there is a risk with PPTP if there indeed is somewhere where someone has physical access

If you believe that, and that you have adequate physical access protection, then why not do without encryption?

The fact is, not all of the MITM methods listed in the article I posted above require physical access, and for those that do, it may not be as difficult as you hope.

The rogue access point only has to be close enough to be in radio range. I'm posting this on a forum of a company that has products rated in kilometers. Chain one of these long-distance relays to a regular access point placed nearby (e.g. evil janitor attack) and your actual attacker may be on an upper floor of the apartment building overlooking the office.

If the attacker can get close enough to plug that rogue access point into a LAN port instead, it opens you to ARP and mDNS spoofing. The methods to prevent this (MAC address filtering, dot1x) aren't impenetrable.

And then there's the big daddy on that list: DNS spoofing, which allows a successful attacker to be halfway around the world.

That high-level survey article isn't a complete toolkit. Couple its options with a Trojan horse attack, where a legitimate LAN station is taken over, and now you can do all of this without even suborning a janitor.

Disregard MITM attacks at your peril.

The payload is encrypted in SSH

Why do you need PPTP, then? You ask for a point-to-point encrypted tunnel; that's SSH!

Yes, I know it's not a fully-general VPN, but it does let you tunnel other traffic over it (OpenSSH's -L and -R options) and it offers SOCKS proxying (-D) for more general use cases. Port-forward SSH through to an internal server on the remote side, and your tunnel becomes as strong as your key. Disable password authentication or set it to a long random password, put the port on a high random value, and implement fail2ban to frustrate script kiddies, and it'll be quite durable.

Cladding SSH in PPTP is like painting a main battle tank with the very best in appliance-grade enamel. Yes, it'll give a measurable improvement, but it's rather missing the point.

We don't have ROS7 in many places, but maybe Wireguard could be the solution?

WireGuard does make a fine S2S tunnel.

You don't have to have ROS 7 on the border. If you're willing to tolerate double-NAT, simply adding a small WG terminating gateway inside the target LAN with a port-forward to allow outside access may suffice. You could write a script to preconfigure a hEX for each site, storing the keys securely. Mail the box to the site, have the local admin plug it in somewhere sensible, and punch the port-forward through the firewall for its WG listening port. Now you have a WG tunnel to that site.

WG is like SSH with keys: a large random key pair secures access to the connection.

The last command in my configuration article shows the key concept in action.
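A site-to-site WireGuard setup of the kind described above (a small RouterOS 7 gateway such as a hEX inside each site LAN, with the site's existing border router only port-forwarding one UDP port), written out as an added example. It is not code from the thread, from tangent's article or from MikroTik; every address, interface name, port and key below is an assumed placeholder, and the keys must be generated on each box.

```routeros
# Added example, not from the thread. Assumed topology (all values are placeholders):
#   hub router      RouterOS 7, reachable as hub.example.net, tunnel 10.255.0.1/30, LAN 10.0.0.0/24
#   site gateway    RouterOS 7 hEX at 192.168.1.2 in the site LAN, tunnel 10.255.0.2/30
#   site border     any NAT box (may still be RouterOS 6), forwards UDP 13231 to 192.168.1.2
# Generate keys on each box: adding the interface without private-key lets RouterOS
# create one, and "/interface wireguard print" shows the matching public key.

# ---------- site gateway (hEX inside the site LAN) ----------
/interface wireguard
add name=wg-s2s listen-port=13231 private-key="<SITE-PRIVATE-KEY-PLACEHOLDER>"

/interface wireguard peers
# The hub is the only peer. allowed-address is also the cryptokey routing table:
# packets arriving from the hub are accepted only if their source is inside it.
add interface=wg-s2s public-key="<HUB-PUBLIC-KEY-PLACEHOLDER>" \
    endpoint-address=hub.example.net endpoint-port=13231 \
    allowed-address=10.255.0.1/32,10.0.0.0/24 persistent-keepalive=25s

/ip address
add address=10.255.0.2/30 interface=wg-s2s

/ip route
# Reach the hub LAN through the tunnel; the site LAN stays on the local ports.
add dst-address=10.0.0.0/24 gateway=wg-s2s

/ip firewall filter
# Only the WireGuard port and replies are accepted as new input from outside.
add chain=input connection-state=established,related action=accept
add chain=input protocol=udp dst-port=13231 action=accept comment="WireGuard"
add chain=input in-interface=ether1 action=drop comment="nothing else from the LAN side"

# ---------- hub router (matching peer entry) ----------
/interface wireguard peers
add interface=wg-s2s public-key="<SITE-PUBLIC-KEY-PLACEHOLDER>" \
    endpoint-address=site1.example.net endpoint-port=13231 \
    allowed-address=10.255.0.2/32,192.168.1.0/24
/ip route
add dst-address=192.168.1.0/24 gateway=wg-s2s

# ---------- site border router (the only change needed there) ----------
/ip firewall nat
# Punch the listening port through so the hub can also initiate; persistent-keepalive
# on the gateway keeps the NAT mapping alive from the inside.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=13231 \
    action=dst-nat to-addresses=192.168.1.2 to-ports=13231 comment="WireGuard to site gateway"
/ip route
# Site hosts use the border router as default gateway, so it must know the hub LAN
# lives behind the hEX (the alternative is masquerading on the hEX, i.e. double NAT).
add dst-address=10.0.0.0/24 gateway=192.168.1.2
```

Check the handshake with `/interface wireguard peers print` on either side: `last-handshake` should be recent and `rx`/`tx` should grow once a ping to the far tunnel address (10.255.0.1 from the site) succeeds. Because the site initiates and keeps the mapping open, the tunnel also comes up without the dst-nat rule, but then only the site can start it after a reboot or key rotation.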
 
flatbat
Frequent Visitor
Posts: 57
Joined: Tue Apr 06, 2010 11:18 pm

Re: Is there any way to hide the RED comment?

Sat May 28, 2022 2:53 pm

If the attacker can get close enough to plug that rogue access point into a LAN port instead
Sure, but if someone gets physical access to install their own device in the endpoint, then the protocol used wouldn't matter much at all anyway.. ;-)
DNS spoofing is a good point that could work though.
Why do you need PPTP, then? You ask for a point-to-point encrypted tunnel; that's SSH!
RouterOS doesn't have support for SSH tunnels. I want a tunnel interface because there is not only the main payload, but also redundancy by OSPF and some management traffic between the routers themselves.
You don't have to have ROS 7 on the border.
Of course I can upgrade the routers or install a second one. Still not sure if Wireguard performs better than L2TP though, as they are both UDP-based and may get rate-limited on busy links.
We will try and see..

Thanks for your suggestions.
 
tangent
Forum Guru
Posts: 1333
Joined: Thu Jul 01, 2021 3:15 pm

Re: Is there any way to hide the RED comment?

Sun May 29, 2022 12:04 am

RouterOS doesn't have support for SSH tunnels.

It does; it's simply documented only in the old wiki for now.

However, I wasn't speaking of using the RouterOS box as the tunnel termination point. I was suggesting that, since you're using SSH from site to site already, presumably between endpoints behind each site's firewall, that you port-forward the destination site's SSH termini so the clients can connect to the remote machines directly.

Yes, this means exposing internal SSH servers to the Internet, which is why I suggested all the rest: high-numbered random ports, login rate limiting, fail2ban...

Realize that even without keys, an 8-character random password can stand up to decades of constant pounding if you rate-limit connections sufficiently. Obscuring the servers behind random ports and adding fail2ban to this makes it even tougher. Using keys instead of passwords atop these measures makes breaking in effectively impossible with known technology.

OSPF and some management traffic between the routers themselves.

Then I wonder if you shouldn't be looking at ZeroTier instead.

Still not sure if Wireguard perform better than L2TP

The proper comparison isn't to L2TP but to L2TP+IPsec+IKEv2. If you add all of that to L2TP, and WG comes out at the same performance, no better, it's still a net win on configuration complexity.

Also, performance isn't everything. Getting to the finish line safely also matters.
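The border-side part of the hardening sketched above (forward SSH to an internal server on a high random port, then rate-limit login attempts from the Internet) can be done on the RouterOS border router itself. The following is an added example, not the thread's or MikroTik's own code; the internal server address, the external port, the stage timeouts and the blacklist duration are assumed placeholders to be tuned per site.

```routeros
# Added example, not from the thread. Assumed: ether1 faces the Internet, the internal
# SSH server is 192.168.10.20:22, and 47231 is the high random external port chosen for it.

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=47231 \
    action=dst-nat to-addresses=192.168.10.20 to-ports=22 comment="SSH in on a high random port"

# Staged connection limiter in the forward chain. dst-nat has already rewritten the
# destination to 192.168.10.20:22 by the time these rules run. add-src-to-address-list
# is a pass-through action, so a source is promoted one stage per new connection and a
# 4th new connection within a minute lands it on ssh_blacklist for a day. Keep these
# rules above any general forward accept rule.
/ip firewall filter
add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=22 \
    src-address-list=ssh_blacklist action=drop comment="blacklisted SSH sources"
add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1d
add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m
add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m
add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
add chain=forward protocol=tcp dst-address=192.168.10.20 dst-port=22 connection-state=new \
    action=accept comment="rate-limited SSH"

# The same blacklist can protect the router's own SSH service if it is ever reachable.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop

# While tuning: see who got blacklisted, and clear the list after changing thresholds.
/ip firewall address-list print where list=ssh_blacklist
/ip firewall address-list remove [find list=ssh_blacklist]
```

Three new connections per minute per source is enough for a human or a scripted file transfer that reuses one session, and far below what a dictionary run needs. The dynamic address-list entries are visible in `/ip firewall address-list` with their remaining timeout, which is also a cheap detection signal: a growing ssh_blacklist means the port has been found despite being a non-standard number, and the server-side fail2ban remains the second layer for attempts that arrive slowly enough to pass this filter.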
