|
|
| (9 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| | ==Introduction== | | ==Introduction== |
| − |
| |
| − | Secure Socket Tunneling Protocol (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
| |
| − |
| |
| − | This article provides a guide on how to configure '''SSTP''' tunnel between RUTxxx (client) and Mikrotik (server) routers.
| |
| − |
| |
| − | ==Prerequisites==
| |
| − |
| |
| − | * One RUTxxx router of any type
| |
| − | * One Mikrotik router (this configuration example was created using Mikrotik rb750gr3)
| |
| − | * Server must have a Public Static or Public Dynamic IP address
| |
| − | * At least one end device (PC, Laptop) to configure the routers
| |
| − | * WinBox application
| |
| − |
| |
| − | ==Configuration scheme==
| |
| − |
| |
| − | [[File:Networking_rutxxx_configuration_example_sstp_mikrotik_topology_v1.png|border|class=tlt-border|1100x1100px]]
| |
| − |
| |
| − | ==Mikrotik (server) configuration==
| |
| − |
| |
| − | Connect to MikroTik by using '''WinBox''' application and press '''New Terminal'''.
| |
| − |
| |
| − | [[File:Networking_rutxxx_configuration_example_l2tp_ipsec_mikrotik_1_v1.jpg|border|class=tlt-border]]
| |
| − |
| |
| − | Prerequisite for any VPN server is to get certificates sorted. Procedure is exactly the same as for OpenVPN server setup with the slight difference being that common-name really matters. It must match either external IP or external host name – no exceptions. Use these commands to create certificates:
| |
| − |
| |
| − | /certificate
| |
| − |
| |
| − | add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
| |
| − |
| |
| − | add name=server-template common-name=example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
| |
| − |
| |
| − | add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
| |
| − |
| |
| − | sign ca-template name=ca-certificate
| |
| − |
| |
| − | sign server-template name=server-certificate ca=ca-certificate
| |
| − |
| |
| − | sign client-template name=client-certificate ca=ca-certificate
| |
| − |
| |
| − | You will need to export root certificate, to do so use these commands:
| |
| − |
| |
| − | /certificate
| |
| − |
| |
| − | export-certificate ca-certificate export-passphrase=""
| |
| − |
| |
| − | Instead of editing the default encrypted profile, we can create a new one. Assumption is that your MikroTik will also be a DNS server. And while at it, create secure user/password:
| |
| − |
| |
| − | /ppp
| |
| − |
| |
| − | profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
| |
| − |
| |
| − | secret add name=user profile=vpn-profile password=password
| |
| − |
| |
| − | Enable SSTP VPN server interface:
| |
| − |
| |
| − | /interface sstp-server server
| |
| − |
| |
| − | set enabled=yes default-profile=vpn-profile authentication=mschap2 certificate=server-certificate force-aes=yes pfs=yes
| |
| − |
| |
| − | Do not forget to adjust firewall if necessary (TCP port 443):
| |
| − |
| |
| − | /ip firewall filter
| |
| − |
| |
| − | add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="Allow SSTP"
| |
| − |
| |
| − | Now go to '''Files''' and export the certificate by simply dragging it to your desktop.
| |
| − |
| |
| − | [[File:Networking rutxxx configuration example ovpn mikrotik 1 v2.jpg|border|class=tlt-border]]
| |
| − |
| |
| − | [[File:Networking_rutxxx_configuration_example_sstp_mikrotik_1_v1.png|border|class=tlt-border]]
| |
| − |
| |
| − | ==RUTxxx (client) configuration==
| |
| − |
| |
| − | Access RUTxxx WebUI and go to '''Service > VPN > SSTP'''. There create a new configuration by writing configuration name and pressing '''Add''' button. It should appear after a few seconds. Then press '''Edit'''.
| |
| − |
| |
| − | [[File:Networking_rutxxx_configuration_example_sstp_mikrotik_2_v1.png|border|class=tlt-border]]
| |
| − |
| |
| − | Now apply the following configuration.
| |
| − |
| |
| − | [[File:Networking_rutxxx_configuration_example_sstp_mikrotik_3_v1.png|border|class=tlt-border]]
| |
| − |
| |
| − | # '''Enable''' Instance.
| |
| − | # '''Write Server IP address''' (MikroTik public IP address).
| |
| − | # Write '''Username''' (write the username which you created with this command: secret add name='''user''' profile=vpn-profile password=password).
| |
| − | # Write '''Password''' (write the password which you created with this command: secret add name=user profile=vpn-profile password='''password''').
| |
| − | # Upload '''CA cert''' (the file which you exported from MikroTik).
| |
| − | # Press '''Save'''.
| |
| − |
| |
| − | ==Testing configuration==
| |
| − |
| |
| − | Go to '''Status > Routes''' and in the '''Active IP Routes''' table you should see this new route.
| |
| − |
| |
| − | [[File:Networking_rutxxx_configuration_example_sstp_mikrotik_4_v1.png|border|class=tlt-border]]
| |
| − |
| |
| − | Try to ping the remote VPN endpoint via '''CLI''' or '''SSH''' using this command:
| |
| − |
| |
| − | ping 192.168.8.250
| |
| − |
| |
| − | [[File:Networking_rutxxx_configuration_example_sstp_mikrotik_5_v1.png|border|class=tlt-border]]
| |
