pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

SSTP VPN Guide RouterOS V7

Wed Apr 19, 2023 9:51 pm

Hello,

I have read every guide out there but unfortunately I could not find a solution. I simply want to connect my Chateau LTE18 ax which runs RouterOS V7 to my SSTP VPN connection and direct all my internet traffic through my VPN connection.

Before I used to set up my VPN from my provider on my RouterOS V6 device with no issues, I followed this guide from my provider: https://www.cactusvpn.com/tutorials/set ... k-routers/

But now on V7 I cannot make my VPN work and all the guides are for V6. When I get to Step 14 in my provider's guide, there is no unicast option and I have tried everything, I even made a new table since I could not type a new routing mark section. Traffic will not get routed at all.

Can anyone please give me a step by step instruction as I am not a professional and I simply want to route all my traffic through my SSTP VPN connection.

Thanks
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Sat Apr 22, 2023 5:01 pm

Anyone? I would really appreciate a guide.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: SSTP VPN Guide RouterOS V7

Sat Apr 22, 2023 8:47 pm

Some things have moved around for "ip route" for v6 versus v7.

The other options besides 'unicast' for that TYPE answer nr 41 are 'blackhole, prohibit and unreachable' ... all 3 are forms of stopping or discarding the traffic.
In V7, I only see an option 'blackhole' that could be checkmarked lower in the panel.
Blackhole, something that is not needed in your case.

So the forwarding option ('unicast' Type in V6) should be active then.
And 'Routing mark' becomes 'Routing Table' in the panel of V7
... and routing tables must be defined before use here: https://help.mikrotik.com/docs/display/ ... h+examples
...
Last edited by bpwl on Sat Apr 22, 2023 10:42 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Sat Apr 22, 2023 10:00 pm

Please provide your config.....
/export file=anynameyouwish ( minus router serial number and any public WANIP info )
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 10:53 am

> Please provide your config.....
> /export file=anynameyouwish ( minus router serial number and any public WANIP info )

Hi there,

Here is my config...

I simply followed my provider's guide up to step 16 as mentioned in my first post.

Really appreciate your help.
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 7:52 pm

Just a quick note. I got a reply from the two largest SSTP VPN providers, CactusVPN and Hide.me and they both confirmed with me that SSTP support has been broken in V7. Can anyone please confirm that this is the case as I have purchased 5 Chateau routers for SSTP specifically.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 8:56 pm

Haven't heard that........................ But WHY SSTP, what is the use case, what do you need to accomplish??

Nothing stands out immediately.
How do you get regular internet, I don't see a manual route but I also don't see IP DHCP CLIENT settings??

I am using an SSTP client on ver7.9rc2 without any issue??
Can you confirm that the router makes a dynamic route to your SSTP interface <DAC> some address gateway=sstpinterfaceNAME
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 9:27 pm

> Haven't heard that........................ But WHY SSTP, what is the use case, what do you need to accomplish??
>
> Nothing stands out immediately.
> How do you get regular internet, I don't see a manual route but I also don't see IP DHCP CLIENT settings??
>
> I am using an SSTP client on ver7.9rc2 without any issue??
> Can you confirm that the router makes a dynamic route to your SSTP interface <DAC> some address gateway=sstpinterfaceNAME

I just put my sim card in and regular internet works without any issue. The only protocol that works where I live is SSTP, Softether and V2Ray. All other protocols are blocked and everything is blocked and censored like whatsapp, youtube...basically everything so we use VPN to access the free internet.

I’m not an expert, just a home user. Got these routers because I had older Mikrotik devices that worked perfect with SSTP on V6 but speed was slow due to the old CPU. I’m trying to avoid using VPN on my devices like my phone as it drains the batteries very quick.

If you or anyone can guide me on how to set up the Chateau out of the box to route all traffic through the SSTP client, it would be a huge help.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 9:41 pm

Some user in the hide.me forum, indicated not being able to set up SSTP in V7, while following the details of the V6 SSTP setup.

That user made the same mistake in the V7 version, as not to handle the differences between V6 and V7 in "ip route" setup.
And the moderator there just blamed it on Mikrotik v7.
https://community.hide.me/threads/mikro ... s-v7.3734/


Just read the first visual page (24 lines) of what MT documentation says! https://help.mikrotik.com/docs/display/ ... h+examples
> The main difference from v6 is that the routing table must be added to the /routing table menu before actually referencing it anywhere in the configuration. And fib parameter should be specified if the routing table is intended to push routes to the FIB.

So you need to make that table first and add it to FIB, that will exist besides the main default table. (ADD "l2tp_Cactus" route table, can be called VPN, no problem with that)

"main" table routes, set by the WAN interface DHCP client (not configured yet?), should be defined for finding the CactusVPN website and SSTP-server.
Last edited by bpwl on Sun Apr 23, 2023 10:10 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 10:07 pm

bpwl, if you look at the config he already has a table for SSTP traffic.
My concern was to ensure that the router was creating a DAC route for SSTP.
Trying to figure out how to track an outgoing SSTP attempt to join his provider................

Haven't seen the SSTP settings but assuming the basics. The setup is not all that significant............
such as name=sstp-out1
Connect TO: URL address provided.
Port: 443
Proxy Port: 443
Certificate: None ( depends on type of service offered )
TLS Version: ONLY 1.2
No checkboxes used ( depends on service offered )
UserName: Provided
Password: Provided
Allow: MSCHAP2
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 10:19 pm

Yep @anav: VPN table is correct. But as they follow the CactusVPN screenshots in absolute detail, and I expected the main table also in the config export, what did not appear because it was empty, I thought wrongly the main table had just been renamed.

The path to the SSTP server is dynamic (DAC route) and as such is not in the config. Needs a DHCP client somewhere for the WAN AFAIK.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 10:23 pm

> Yep @anav: VPN table is correct. But as they follow the CactusVPN screenshots in absolute detail, and I expected the main table also in the config export, what did not appear because it was empty, I thought wrongly the main table had just been renamed.
>
> The path to the SSTP server is dynamic (DAC route) and as such is not in the config. Needs a DHCP client somewhere for the WAN AFAIK.

His internet I think is by cellular SIM card?? Not familiar with that..........

He has a route to the VPN for all traffic, associated with the Table VPN, that is correct.
Not sure what else you want to see??


Personally with flat subnet, I wouldn't mangle.
Keep the table
Keep the route
Add Routing Rule

add src-address=192.168.88.0/24 action=lookup table=VPN


And for mangling as an afterthought he should have disabled his fasttrack rule ( another reason to use routing rule method instead )
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 11:42 pm

> > Yep @anav: VPN table is correct. But as they follow the CactusVPN screenshots in absolute detail, and I expected the main table also in the config export, what did not appear because it was empty, I thought wrongly the main table had just been renamed.
> >
> > The path to the SSTP server is dynamic (DAC route) and as such is not in the config. Needs a DHCP client somewhere for the WAN AFAIK.
>
> His internet I think is by cellular SIM card?? Not familiar with that..........
>
> He has a route to the VPN for all traffic, associated with the Table VPN, that is correct.
> Not sure what else you want to see??
>
> Personally with flat subnet, I wouldn't mangle.
> Keep the table
> Keep the route
> Add Routing Rule
>
> add src-address=192.168.88.0/24 action=lookup table=VPN
>
> And for mangling as an afterthought he should have disabled his fasttrack rule ( another reason to use routing rule method instead )
> add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
> connection-state=established,related hw-offload=yes

Yes my internet is through LTE, my device is the Mikrotik Chateau LTE18 ax which uses a sim card and LTE to provide internet: https://mikrotik.com/product/chateaulte18_ax

I added the routing rule you mentioned but still no internet. As soon as I disable the SSTP interface I get normal internet back with no VPN obviously. The fasttrack code you mentioned, I copied and pasted your code into terminal but got a "bad command name" error.

I also tried ticking the "Add Default Route" in the sstp-out1 interface which made no difference so turned it off again.

Attached is my config now after adding the routing rule as you mentioned.
Last edited by pooyan on Sun Apr 23, 2023 11:48 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Sun Apr 23, 2023 11:45 pm

Yes but you need to disable or remove the mangle rule !!!

When the SSTP connection is available the subnet will go out SSTP.
If the connection is NOT available the router will revert back to the main table and will find the LTE connection.

IF you NEVER want the subnet to have the backup to main table then change action to.....
add action=lookup-only-in-table
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Mon Apr 24, 2023 1:01 am

> Yes but you need to disable or remove the mangle rule !!!
>
> When the SSTP connection is available the subnet will go out SSTP.
> If the connection is NOT available the router will revert back to the main table and will find the LTE connection.
>
> IF you NEVER want the subnet to have the backup to main table then change action to.....
> add action=lookup-only-in-table

You sir are a hero! I deleted the mangle rule and got internet but couldn't access websites and services except for google.com, I removed the DNS servers which I had added in the DNS section which was 8.8.8.8 and 8.8.4.4 and instead went to DHCP Server section then Networks, selected the defconf and added the DNS servers over there and now it works beautifully!

Shall I disable the fasttrack rule in the firewall section with this method or keep enabled?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Mon Apr 24, 2023 2:35 am

No, keep it enabled. It should be only disabled for certain things, like whole LAN mangling etc......
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: SSTP VPN Guide RouterOS V7

Mon Apr 24, 2023 6:25 am

> and now it works beautifully!

funtastic👍🏻

well... i think a cup of coffee for @anav would be nice ☕
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Mon Apr 24, 2023 7:20 pm

> No, keep it enabled. It should be only disabled for certain things, like whole LAN mangling etc......

Got it. Thank you again sir. Just two questions please...

1. With this method I can no longer access the webfig through 192.168.88.1. I use the webfig to switch cellular bands on the go with my phone. Can you please guide me on how to set up access again with the VPN being on and all traffic routed?

2. I have tested the SSTP setup for a good 24 hours now, the only issue is sometimes the speed becomes very slow which will get resolved either by disabling and enabling the SSTP connection or restarting the system. I have confirmed that it is not my VPN server and it is not the ISP. It is the Mikrotik that is causing it. Can you please be kind enough to take a look at my config to make sure I have not done anything foolish? If you have any other tips for me based on my config please do tell.

I really appreciate your time and if there is any way to donate for your time please do let me know.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Mon Apr 24, 2023 10:17 pm

So you are saying you connect with your phone via WIFI using the IP address of the LAN gateway on the router (while on router wifi),??

Strange, I didn't think a routing rule would override that but it's possible.
Thus delete the current routing rule because we need to add one more as a first rule, to get the order right.

add action=lookup-only-in-table src-address=adminIP (desktop PC) dst-address=192.168.88.0/24 table=main { so you can use webconfig from desktop }
add action=lookup-only-in-table src-address=adminIP (smartphone) dst-address=192.168.88.0/24 table=main { so you can use webconfig from wifi connected device }
add action=lookup-only-in-table src-address=192.168.88.0/24 table=VPN
 
pooyan
just joined
Topic Author
Posts: 9
Joined: Wed Apr 19, 2023 9:37 pm

Re: SSTP VPN Guide RouterOS V7

Tue May 16, 2023 12:56 am

> So you are saying you connect with your phone via WIFI using the IP address of the LAN gateway on the router (while on router wifi),??
>
> Strange, I didn't think a routing rule would override that but it's possible.
> Thus delete the current routing rule because we need to add one more as a first rule, to get the order right.
>
> add action=lookup-only-in-table src-address=adminIP (desktop PC) dst-address=192.168.88.0/24 table=main { so you can use webconfig from desktop }
> add action=lookup-only-in-table src-address=adminIP (smartphone) dst-address=192.168.88.0/24 table=main { so you can use webconfig from wifi connected device }
> add action=lookup-only-in-table src-address=192.168.88.0/24 table=VPN

I finally got it working by first adding a first rule but since I wanted any device to be able to access the webconfig, I left the source address empty and in the dst-address, I had to add 192.168.88.1/32. Now any device that enters 192.168.88.1 into its browser can access the webconfig. Did I do this correctly?

And one thing that I could not figure out which is also different in RouterOS V7, I have an address list in the firewall section which I want these addresses to not go through the VPN and into the main table, I tried prerouting using mangle but the speed is very slow that makes it impossible to use. Can you please tell me how to route my address list outside the VPN correctly?

Thank you
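
The routing setup the thread converges on up to this point, consolidated as an added example (it is not any poster's exported config). It assumes the names used in the posts above: SSTP client interface sstp-out1, routing table VPN, LAN 192.168.88.0/24 with the router at 192.168.88.1; NAT and firewall filter rules are not covered here.

```routeros
# Added example: RouterOS v7 policy routing, all LAN traffic via the SSTP client.
# Assumed names (from the thread): sstp-out1, table VPN, LAN 192.168.88.0/24.

# 1. v7 difference: the table must exist, with fib, before anything refers to it.
/routing table
add name=VPN fib

# 2. A default route that lives only in the VPN table and points at the tunnel.
#    The main table keeps its own default route via LTE, which the router
#    itself uses to reach the SSTP server.
/ip route
add dst-address=0.0.0.0/0 gateway=sstp-out1 routing-table=VPN

# 3. Routing rules are matched top to bottom, so the exception goes first.
/routing rule
# Traffic addressed to the router's own LAN IP stays in the main table, so
# WebFig on 192.168.88.1 remains reachable. This rule only selects a routing
# table; who may reach WebFig is still decided by the firewall input chain.
add dst-address=192.168.88.1/32 action=lookup-only-in-table table=main
# Everything else sourced from the LAN is looked up in the VPN table.
# With action=lookup the router falls back to the main table when the VPN
# route is unavailable, so LAN traffic then leaves over LTE outside the tunnel.
add src-address=192.168.88.0/24 action=lookup table=VPN
# Variant without the fallback: use this rule instead of the previous one if
# LAN traffic must never leave outside the tunnel.
# add src-address=192.168.88.0/24 action=lookup-only-in-table table=VPN

# 4. The routing rules replace the v6-style mangle rule; list mangle rules
#    and disable or remove the old mark-routing entry by hand.
/ip firewall mangle print

# 5. Checks: rule order, and whether the VPN default route is active.
/routing rule print
/ip route print where routing-table=VPN
```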
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SSTP VPN Guide RouterOS V7

Tue May 16, 2023 2:32 pm

Well sadly you have to do each one individually in a routing rule before the VPN rule.
Much better if you put these users in their own vlan or subnet so one rule suffices.
The only alternative is mangling and as you discovered slows things down.

However, if you have many users that fit the above category and all from different subnet, this method works and should not be as slow,
Do something like (not exact but you should get the idea)

/routing table add fib name=Local-WAN


/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=to-ISP src-address-list=Local-WAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=to-ISP new-routing-mark=Local-WAN passthrough=yes


/ip route
add route for Local WAN routing-table=main ( already in place )
add route for Local WAN routing-table=Local-WAN (new)


Here is what should help reduce any slowdowns ( fasttrack rule adjusted to be used on all traffic except the local wan usage. )
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark
