Difference between revisions of "Setting up a SSTP tunnel between RUTX and Mikrotik device"
m (Protected "Setting up a SSTP tunnel between RUTX and Mikrotik device" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))) |
|||
(3 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
Secure Socket Tunneling Protocol (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel. | Secure Socket Tunneling Protocol (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel. | ||
− | This article provides a guide on how to configure '''SSTP''' tunnel between | + | This article provides a guide on how to configure '''SSTP''' tunnel between RUTXxx (client) and Mikrotik (server) routers. |
==Prerequisites== | ==Prerequisites== | ||
− | * One | + | * One RUTXxx router of any type |
* One Mikrotik router (this configuration example was created using Mikrotik rb750gr3) | * One Mikrotik router (this configuration example was created using Mikrotik rb750gr3) | ||
* Server must have a Public Static or Public Dynamic IP address | * Server must have a Public Static or Public Dynamic IP address | ||
Line 15: | Line 15: | ||
==Configuration scheme== | ==Configuration scheme== | ||
− | [[File: | + | [[File:Networking_RUTXxx_configuration_example_sstp_mikrotik_topology_v1.png|border|class=tlt-border|1100x1100px]] |
==Mikrotik (server) configuration== | ==Mikrotik (server) configuration== | ||
Line 71: | Line 71: | ||
[[File:Networking_rutxxx_configuration_example_sstp_mikrotik_1_v1.png|border|class=tlt-border]] | [[File:Networking_rutxxx_configuration_example_sstp_mikrotik_1_v1.png|border|class=tlt-border]] | ||
− | == | + | ==RUTXxx (client) configuration== |
Access RUTxxx WebUI and go to '''Service > VPN > SSTP'''. There create a new configuration by writing configuration name and pressing '''Add''' button. It should appear after a few seconds. Then press '''Edit'''. | Access RUTxxx WebUI and go to '''Service > VPN > SSTP'''. There create a new configuration by writing configuration name and pressing '''Add''' button. It should appear after a few seconds. Then press '''Edit'''. | ||
Line 86: | Line 86: | ||
# Write '''Password''' (write the password which you created with this command: secret add name=user profile=vpn-profile password='''password'''). | # Write '''Password''' (write the password which you created with this command: secret add name=user profile=vpn-profile password='''password'''). | ||
# Upload '''CA cert''' (the file which you exported from MikroTik). | # Upload '''CA cert''' (the file which you exported from MikroTik). | ||
− | # Press '''Save'''. | + | # Press '''Save & apply'''. |
==Testing configuration== | ==Testing configuration== | ||
− | |||
− | |||
− | |||
− | |||
Try to ping the remote VPN endpoint via '''CLI''' or '''SSH''' using this command: | Try to ping the remote VPN endpoint via '''CLI''' or '''SSH''' using this command: | ||
Line 98: | Line 94: | ||
ping 192.168.8.250 | ping 192.168.8.250 | ||
− | [[File: | + | [[File:Networking_RUTXxx_configuration_example_sstp_mikrotik_5_v1.png]] |
Latest revision as of 16:48, 30 March 2020
Introduction
Secure Socket Tunneling Protocol (SSTP) is a VPN protocol designed to transport PPP traffic via a secure SSL/TLS channel.
This article provides a guide on how to configure SSTP tunnel between RUTXxx (client) and Mikrotik (server) routers.
Prerequisites
- One RUTXxx router of any type
- One Mikrotik router (this configuration example was created using Mikrotik rb750gr3)
- Server must have a Public Static or Public Dynamic IP address
- At least one end device (PC, Laptop) to configure the routers
- WinBox application
Configuration scheme
Mikrotik (server) configuration
Connect to MikroTik by using WinBox application and press New Terminal.
Prerequisite for any VPN server is to get certificates sorted. Procedure is exactly the same as for OpenVPN server setup with the slight difference being that common-name really matters. It must match either external IP or external host name – no exceptions. Use these commands to create certificates:
/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=example.com days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
You will need to export root certificate, to do so use these commands:
/certificate
export-certificate ca-certificate export-passphrase=""
Instead of editing the default encrypted profile, we can create a new one. Assumption is that your MikroTik will also be a DNS server. And while at it, create secure user/password:
/ppp
profile add name="vpn-profile" use-encryption=yes local-address=192.168.8.250 dns-server=192.168.8.250 remote-address=vpn-pool
secret add name=user profile=vpn-profile password=password
Enable SSTP VPN server interface:
/interface sstp-server server
set enabled=yes default-profile=vpn-profile authentication=mschap2 certificate=server-certificate force-aes=yes pfs=yes
Do not forget to adjust firewall if necessary (TCP port 443):
/ip firewall filter
add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="Allow SSTP"
Now go to Files and export the certificate by simply dragging it to your desktop.
RUTXxx (client) configuration
Access RUTxxx WebUI and go to Service > VPN > SSTP. There create a new configuration by writing configuration name and pressing Add button. It should appear after a few seconds. Then press Edit.
Now apply the following configuration.
- Enable Instance.
- Write Server IP address (MikroTik public IP address).
- Write Username (write the username which you created with this command: secret add name=user profile=vpn-profile password=password).
- Write Password (write the password which you created with this command: secret add name=user profile=vpn-profile password=password).
- Upload CA cert (the file which you exported from MikroTik).
- Press Save & apply.
Testing configuration
Try to ping the remote VPN endpoint via CLI or SSH using this command:
ping 192.168.8.250