One day some mobile operators started blocking ports to L2TP servers, so I set up a more secure OpenVPN server on MikroTik.
Continue reading “Setting up an OpenVPN server on MikroTik”Tag Archives: VPN
Configuring PPTP (VPN) server on Mikrotik
First, I will describe the first simple option for setting up a PPTP (VPN) server on Mikrotik via the web interface or Winbox. In this embodiment, only one client can connect to the server.
Continue reading “Configuring PPTP (VPN) server on Mikrotik”Installing and configuring PPTPd server
Below I will describe how pptpd is installed and configured. On the test I will install in Ubuntu Server 18.04.
Continue reading “Installing and configuring PPTPd server”How to set up a VPN connection in Windows 8
I will describe the points how to configure a VPN connection in Windows 8:
Continue reading “How to set up a VPN connection in Windows 8”Configuring the VPN IPSec / L2TP server on Mikrotik
Here is an example of setting up a VPN IPSec / L2TP server on Mikrotik so that you can connect to it from Windows, MacBook, iPhone, etc.
1) Add a range of IP addresses for DHCP by opening “IP” – “Pool” and indicating:
Name: vpn_pool
Addresses: 192.168.5.1-192.168.5.15
Next pool: none
From the terminal like this:
ip pool add name=vpn_pool ranges=192.168.5.1-192.168.5.15
2) Add a profile to “PPP” – “Profiles”
Name: l2tp_profile
Local address: vpn_pool (you can specify default 192.168.88.1)
Remote address: vpn_pool
Change TCP MSS: yes
The rest is not touched and left in default
From the terminal like this:
ppp profile add change-tcp-mss=yes local-address=vpn_pool name=l2tp_profile remote-address=vpn_pool
3) Add a user to “PPP” – “Secrets”
Name: LOGIN
Password: PASSWORD
Service: l2tp
Profile: l2tp_profile
From the terminal like this:
ppp secret add name=LOGIN password=PASSWORD profile=l2tp_profile service=l2tp
4) Enable the server in “PPP” – “Interface” – “L2TP Server”
Enabled: yes
MTU/MRU: 1450
Keepalive Timeout: 30
Default profile: l2tp_profile
Authentication: mschap2
Use IPSec: yes
IPSec Secret: ENCRYPTION_KEY (also indicated in the clients)
From the terminal like this:
interface l2tp-server server set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=KEY use-ipsec=yes
5) “IP” – “IPSec” – “Peers”
Address: 0.0.0.0/0
Port: 500
Auth method: pre shared key
Exchange mode: main l2tp
Passive: yes (set)
Secret: ENCRYPTION_KEY (also indicated in the clients)
Policy template group: default
Send Initial Contact: yes
NAT Traversal: yes
My ID Type: auto
Generate policy: port override
Lifitime: 1d 00:00:00
DPD Interval: 120
DPD Maximum failures: 5
Proposal check: obey
Hash algorithm: sha1
Encryption Algorithm: 3des aes-128 aes-256
DH Group: modp 1024
From the terminal like this:
ip ipsec peer add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=main-l2tp generate-policy=port-override passive=yes secret=KEY
6) “IP” – “IPSec” – “Proposals”
Name: default
Auth algorithms: sha1
Enrc. algorithms: 3des, aes-256 cbc, aes-256 ctr
Life time: 00:30:00
PFS Group: mod 1024
From the terminal like this:
ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,3des
7) “Firewall” – “Add New”
Let’s add the first rule allowing incoming VPN connections:
Chain: Input
Protocol: udp
Any. Port: 1701,500,4500
Action: Accept
And the second:
Chain: Input
Protocol: ipsec-esp
Action: Accept
From the terminal like this:
ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500 ip firewall filter add chain=input action=accept protocol=ipsec-esp
The rules should be at the top of the list.
This completes the configuration, you can connect.
Configuring a VPN Server in Windows Server
On the test I give an example of setting up a VPN server in Windows Server 2008 R2.
First of all, install the role:
1) Open the server manager and click on the link “Add role“.
2) Select the Network Policy and Access Services role and click “Next“.
3) Select “Remote Access” and click “Next“.
4) Click “Install” and after the installation is complete, click the “Close” button.
Now go to the setup:
1) Open the server manager, open the “Roles” branch, select the Network Policy and Access Services role, right-click on “Routing and Remote Access“, select “Configure and enable routing and remote access“.
2) In the first window click “Next“, in the next we’ll select “Custom configuration“, click the “Next” button, tick three items: Network Address Translation (NAT) and Local Area Networking (LAN routing), click Next and “Done“.
In the window that appears, click “Launch service“.
3) We’ll add an address pool for clients by opening the “Server Manager” – “Roles” – “Network Policy and Access Services“, right-click on “Routing and Remote Access” and select “Properties“.
In the “IPv4 tab, select” Static address pool “and add any range after clicking the “Add” button.
In order to be able to connect to a VPN server, for example, from the iPhone (via L2TP), in the “Security” tab, tick “Allow custom IPSec policies for L2TP connection” and specify the key .
4) Now configure permissions for users. Go to “Server Manager – Configuration – Local Users and Groups – Users“:
Open “Properties” of the desired user and on the Dial-in tab, where “Network Access permission” select “Allow access“.
5) Add NAT rules, the necessary routes and restart the service by right-clicking on “Routing and Remote Access” – “All Tasks” – “Restart “.
For the VPN to work, ports are used and should be opened:
TCP 1723 (for PPTP)
TCP 1701 and UDP 500 (for L2TP)
TCP 443 (for SSTP)
Done.
Connection logs can be seen in the C:\Windows\System32\LogFiles directory