Hotspot is a popular service in MikroTik RouterOS, widely used by ISPs, hotels, airports, coffee shops and enterprise offices. By default MikroTik Hotspot uses the HTTP CHAP login method, where a user must enter a username and password before getting internet access. Sometimes a few users are unwilling to enter credentials, or it is awkward to ask a particular guest to log in every time. In that case we may want to let specific devices reach the internet without ever seeing the Hotspot login page. For this MikroTik provides automatic Hotspot login by MAC address. In my previous article I discussed basic MikroTik Hotspot configuration with Winbox. In this article I will discuss how to enable the login-by-MAC method so that selected devices log in to the Hotspot automatically.
Auto Login by MAC Address
Configuring MikroTik Hotspot Auto Login with MAC Address
The login-by-MAC method lets a device get internet access without the login page: if a device's MAC address is allowed, it is authenticated automatically and never sees the Hotspot login form. Keep in mind that a MAC address is not a secret. It is visible to anyone on the same network segment and can be set to any value on most operating systems, so MAC login identifies a device; it does not prove who is using it. Treat it as a convenience for a few known, trusted devices. To allow auto login by MAC in MikroTik Hotspot, we have to do the following two things in the Hotspot configuration.
Enabling Login by MAC in MikroTik Hotspot
Creating Hotspot User with Device MAC Address
Enabling Login by MAC in MikroTik Hotspot
The login-by-MAC method is disabled by default in MikroTik Hotspot. To allow MAC authentication we have to enable it in the Hotspot Server profile. The following steps show how.
Log in to the MikroTik Router with Winbox using a full-permission user account.
Go to IP > Hotspot. The Hotspot window will appear.
Click on the Server Profiles tab and then double-click the active server profile.
In the server profile window, click on the Login tab and tick the MAC checkbox in the Login By panel.
The MAC Auth. Mode drop-down offers MAC as username or MAC as username and password. The Hotspot's local authentication and MikroTik User Manager (RADIUS) accept a MAC login with an empty password, but many other RADIUS servers reject requests with no password. Choosing MAC as username and password works everywhere, so I prefer it: the hotspot then sends the MAC address as both username and password to whichever authentication backend is in use. Either way the password is not a secret here, since the MAC is visible on the network; the choice only matters for RADIUS compatibility.
It is also possible to use the MAC as username together with one common password for all MAC users. For this, choose MAC as username from the MAC Auth. Mode drop-down and put the shared password in the MAC Auth. Password field; MikroTik then sends the MAC as username and that common password to the authentication backend. This too mainly serves RADIUS servers that insist on a non-empty password.
Click Apply and OK.
Login by MAC Method in MikroTik Hotspot
Login by MAC address is now enabled in the Hotspot service. Next we need to create a user whose name is the MAC address of the permitted device, either in the Hotspot's local user database or in the RADIUS server's user database. In this article we create the user in the MikroTik Hotspot local user database.
Creating Hotspot User with Device MAC Address
After enabling auto login by MAC, we add a Hotspot user for the device's MAC address. The following steps show how to create such a user in the Hotspot local user database.
In the Hotspot window, click on the Users tab and then on the PLUS SIGN (+). The New Hotspot User window will appear.
Choose the active Hotspot server from the Server drop-down menu.
Find the device's MAC address (the Hosts tab of the Hotspot window lists every connected device with its MAC, in the same colon-separated upper-case form the hotspot uses as the username) and put it in the Name field.
As we decided to use the MAC as both username and password, put the same MAC address in the Password field as well.
Choose the user profile you want applied to this device from the Profile drop-down menu.
Click Apply and OK.
Creating User in Hotspot Local User Database
We can create as many users as we need by repeating the steps above. Now browse any site from the allowed device: if everything is right, the device gets internet access without the Hotspot login page appearing, so auto login by MAC is working for that device. Two practical caveats: a MAC address can be copied by anyone who can see the device's traffic and set on another machine, so reserve MAC login for a small number of known devices and review the list from time to time; and phones and tablets running iOS 14 or Android 10 and later use a randomised Wi-Fi MAC address per network by default, so either register the randomised MAC the device uses on your SSID or have the user switch randomisation off for that network.
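The two steps above as RouterOS terminal commands, added here as an example; this is not the article's own configuration. The hotspot server name hotspot1, the server profile hsprof1, the user profile default and the MAC address 00:0C:42:20:97:5B are assumptions; substitute your own values.

```routeros
# Added example (not from the original article). hotspot1, hsprof1,
# default and the MAC 00:0C:42:20:97:5B are assumed names and values.

# 1. Enable MAC login next to the existing HTTP CHAP method and send the
#    MAC as both username and password, so a RADIUS server that rejects
#    empty passwords still accepts the request.
/ip hotspot profile
set [find name="hsprof1"] login-by=http-chap,mac \
    mac-auth-mode=mac-as-username-and-password

# Alternative: MAC as username plus one shared password for all MAC users.
# set [find name="hsprof1"] login-by=http-chap,mac \
#     mac-auth-mode=mac-as-username mac-auth-password="S0meSharedSecret"

# 2. Find the device's MAC as the hotspot sees it (upper case, colons).
#    A connected but not yet logged-in device shows no A (authorized) flag.
/ip hotspot host
print

# 3. Create the local user: name and password are the MAC itself. The
#    mac-address field pins the account to that MAC, so the entry cannot be
#    used from another machine through the normal login form.
/ip hotspot user
add server=hotspot1 name="00:0C:42:20:97:5B" password="00:0C:42:20:97:5B" \
    mac-address=00:0C:42:20:97:5B profile=default \
    comment="director laptop, MAC login"

# 4. Verify: once the device sends its first packet it appears here as an
#    active session with login-by: mac and no login page was shown.
/ip hotspot active
print detail
```

The hotspot matches the source MAC of the device's first packet, so nothing is typed on the client. The mac-address field on the user entry does not stop MAC spoofing (nothing can, at this layer), but it does stop someone who learns the MAC from logging in through the ordinary form with that MAC as username and password from a different machine.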
If any of the steps above is unclear, watch the following video on Hotspot auto login by MAC address configuration. I hope it clears up any confusion.
How to configure MikroTik Hotspot auto login by MAC address has been discussed in this article. I hope you will now be able to configure automatic login by MAC address in MikroTik Hotspot. If you run into trouble configuring Hotspot login by MAC, feel free to ask in the comments or contact me from the Contact page. I will try my best to help.
An SSL certificate is required to enable HTTPS Login and HTTPS Redirect in MikroTik Hotspot. In one of my last articles I discussed how to configure MikroTik Hotspot HTTPS redirect and HTTPS login with a MikroTik self-signed certificate. A self-signed certificate, however, is not trusted by operating systems and browsers, so with it we get the following two problems.
Prompt to proceed to an unsafe site: because the browser cannot verify a self-signed certificate, it shows a warning and asks whether to proceed every time the user is redirected to the login page. Users find this warning annoying and, worse, it trains them to click through certificate warnings.
Error or warning icon in the URL bar: even after proceeding past the warning, the browser shows a red or yellow icon in the URL bar, which leaves users unsure whether the connection is secure.
A self-signed certificate does encrypt the connection, but encryption alone does not tell the client that it is talking to the genuine router rather than to an impostor; that assurance comes from a certificate the client trusts. To solve both problems we need a certificate from a public CA that operating systems and browsers already trust.
Public CAs usually charge a yearly fee. That is not much for an enterprise, but small businesses sometimes struggle to pay it. Don't worry if the fee is out of budget: some public CAs issue free SSL certificates to help make the internet secure. ZeroSSL is one of them, providing fast, reliable and free SSL/TLS certificates to anyone. In my previous article I discussed how to get a free SSL certificate from ZeroSSL. In this article I will discuss how to configure MikroTik Hotspot HTTPS Login and HTTPS Redirect with a trusted public SSL certificate to overcome the two problems above.
MikroTik Hotspot with ZeroSSL
MikroTik Hotspot HTTPS Redirect Configuration with Free ZeroSSL Certificate
We will now configure MikroTik Hotspot HTTPS Redirect with a trusted ZeroSSL certificate. The complete configuration can be divided into the following four steps.
Getting a free SSL certificate from ZeroSSL
Importing the SSL certificate into the MikroTik certificate store
Enabling the HTTPS server in the MikroTik Router
Enabling HTTPS Login and HTTPS Redirect in MikroTik Hotspot
Step 1: Getting Free SSL Certificate from ZeroSSL
In my last article I discussed how to get a free SSL certificate from ZeroSSL. If you don't have one yet, read how to get a free SSL certificate from ZeroSSL first. Following that article, I have a free ZeroSSL certificate for the subdomain mikrotik.itechsheet.com, as in the following image.
Free ZeroSSL Certificate
If you buy a certificate from any other public CA you will receive the same kind of files (ca-bundle.crt, certificate.crt and private.key); you can rename them as I did or as you prefer.
Step 2: Importing SSL Certificates to MikroTik Certificate Store
After getting the certificate from the public CA, we import the files into the MikroTik certificate store as follows.
Log in to MikroTik with Winbox using a full-permission user account.
Click on the Files menu item. The File List window will appear.
Drag and drop the certificate files downloaded from ZeroSSL into the File List window.
The uploaded files will look like the following image.
Uploading SSL certificate to Files Directory.
Now go to System > Certificates. The Certificates window will appear.
On the Certificates tab, click on Import. The Import window will appear.
Choose the CA certificate (example: ZeroSSL CA.crt) from the Only File drop-down menu and click Import. The imported certificate is named after the file with a numeric suffix appended. It is better to rename it to something meaningful: double-click the imported CA entry, put a descriptive name in the Name field and click Apply and OK.
Click Import again, choose the certificate file (example: mikrotik.itechsheet.com.crt) from the Only File drop-down menu and click Import. Rename the imported certificate as you did for the CA.
Click Import again, choose the key file (example: mikrotik.itechsheet.com.key) from the Only File drop-down menu and click Import. RouterOS attaches the key to the certificate whose public key it belongs to, so a K (private key) flag now appears in front of the certificate name. If no K flag appears, the key does not match the certificate you imported.
Importing SSL Certificates in MikroTik Certificate Store
Step 3: Enabling HTTPS Server in MikroTik Router
After importing the certificates, we enable the HTTPS server in the MikroTik Router. The following steps show how.
From Winbox, go to IP > Services. The IP Service List window shows all available services.
Double-click on the www-ssl service. The IP Service <www-ssl> window will appear.
From the Certificate drop-down menu, choose the certificate (mikrotik.itechsheet.com.crt) imported in the second step, and make sure the service is enabled.
Click Apply and OK.
Enabling HTTPS Server in MikroTik Router
Suggestion: plain HTTP (port 80) is best not left open for management. Either disable the www service or restrict its Available From addresses to the management subnet; note that disabling www also turns off WebFig over HTTP. Whether Hotspot credentials can be submitted over HTTP is decided by the Login By checkboxes in the Hotspot profile, so leave HTTP CHAP and HTTP PAP unticked if you want logins only over HTTPS.
Step 4: Enabling HTTPS Login and HTTPS Redirect in MikroTik Hotspot
After enabling the HTTPS server, we enable HTTPS Login and HTTPS Redirect in MikroTik Hotspot. The following steps show how.
From Winbox, go to IP > Hotspot. The Hotspot window will appear.
Click on the Server Profiles tab and double-click your server profile. The Hotspot Server Profile window will appear.
On the General tab, put the domain or subdomain for which the certificate was issued (example: mikrotik.itechsheet.com) in the DNS Name field. The browser compares this name with the certificate, so a mismatch brings the warning back.
Click on the Login tab and, in the Login By panel, tick the HTTPS checkbox.
From the SSL Certificate drop-down menu, choose the certificate (mikrotik.itechsheet.com.crt) imported in the second step.
Make sure the HTTPS Redirect checkbox is ticked.
Click Apply and OK.
Enabling HTTPS Redirect in MikroTik Hotspot
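Steps 2 to 4 as RouterOS terminal commands, added as an example and not taken from the article. The file names are the renamed ZeroSSL files used above; the server profile name hsprof1 and the management subnet 192.168.88.0/24 are assumptions.

```routeros
# Added example (not from the original article). File names match the
# renamed ZeroSSL download; hsprof1 and 192.168.88.0/24 are assumptions.

# Confirm the three files arrived in the router's file store.
/file print where name~"itechsheet"

# Import the CA bundle, the server certificate and its private key. The key
# import attaches the key to the certificate with the matching public key,
# which is what produces the K flag.
/certificate
import file-name="ZeroSSL CA.crt" passphrase=""
import file-name=mikrotik.itechsheet.com.crt passphrase=""
import file-name=mikrotik.itechsheet.com.key passphrase=""

# Imported entries are named after the file plus a numeric suffix. Give the
# server certificate a stable name so service bindings survive re-import
# (remove the previous certificate first when renewing, or find matches two).
set [find common-name="mikrotik.itechsheet.com"] name=mikrotik.itechsheet.com

# Check: private-key: yes, the expected issuer, and invalid-after. A 90-day
# certificate must be renewed and re-imported before that date.
print detail where name=mikrotik.itechsheet.com

# Bind the certificate to the HTTPS service; keep plain-HTTP management
# reachable only from the management subnet.
/ip service
set www-ssl certificate=mikrotik.itechsheet.com disabled=no
set www address=192.168.88.0/24

# Hotspot: DNS name must match the certificate, HTTPS login only,
# HTTPS redirect on.
/ip hotspot profile
set [find name="hsprof1"] dns-name=mikrotik.itechsheet.com \
    login-by=https ssl-certificate=mikrotik.itechsheet.com https-redirect=yes
```

At each 90-day renewal repeat the import and the rename. The www-ssl service and the hotspot profile refer to the certificate by name, so keeping the name stable means nothing else needs re-pointing.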
HTTPS Redirect is now enabled in the Hotspot server. Before authenticating, visit an HTTPS website that does not use HSTS (example: https://systemzone.net). The browser first warns that the certificate does not match that site, because the router answered the connection with the hotspot's certificate; after you proceed, you land on the HTTPS login page.
The login page itself appears without a certificate warning, because the ZeroSSL certificate is trusted, and there is no yellow or warning icon in the URL bar.
Hotspot HTTPS Login Page
OOPS!!! I visited Facebook, YouTube or Google but the HTTPS login page did not appear. Why?
HTTPS redirect works by having the router answer the TLS connection to the site with the hotspot's own certificate, whose name cannot match the site the browser asked for. For a site without HSTS the browser shows a certificate warning the user can click through, and the redirect to the real login page follows. Facebook, YouTube and Google use HSTS (HTTP Strict Transport Security) and are on the browsers' HSTS preload list, so the browser rejects the mismatched certificate outright with no option to proceed; the same happens for any other HSTS site the browser has visited before. To test, use an HTTPS site that does not send HSTS, such as https://systemzone.net or https://www.itechsheet.com. In practice most phones and laptops do not rely on this path at all: when they join a network they probe a fixed plain-HTTP URL, detect the captive portal and open the login page themselves, so make sure the plain-HTTP redirect still works after changing the www service.
How to configure HTTPS Redirect and HTTPS Login in MikroTik Hotspot with a free SSL certificate from ZeroSSL has been discussed in this article. I hope you will now be able to configure HTTPS Redirect and HTTPS Login in your Hotspot server with a free public SSL certificate. If you run into trouble, feel free to ask in the comments or contact me from the Contact page. I will try my best to help.
An SSL/TLS certificate is an essential part of today's internet communication. SSL/TLS protects data in transit by encrypting it and by letting the client verify that it is talking to the genuine server. So most applications that carry data over the public internet (web, email and VPN services) use SSL/TLS certificates.
An SSL/TLS certificate has to be signed by a Certificate Authority (CA). It is possible to create a self-signed certificate with tools such as OpenSSL, and some router vendors, MikroTik RouterOS among them, can create self-signed certificates on the device. A self-signed certificate encrypts the connection, but operating systems and browsers do not trust it, so users get a warning or error unless your private CA has been installed in the trusted root store of every client device, which is rarely practical for guests. For warning-free connections on arbitrary devices we need a certificate from a public CA.
Public CAs usually charge a yearly fee. That is not much for an enterprise, but small businesses sometimes struggle to pay it. Don't worry if the fee is out of budget: some public CAs issue free SSL certificates to help make the internet secure. ZeroSSL is one of them, providing fast, reliable and free SSL/TLS certificates to anyone. A few steps are needed to get a free certificate from ZeroSSL, and in this article I will show them.
Free ZeroSSL Certificate
Requirements to Get Free SSL Certificate from ZeroSSL
Getting a free SSL certificate from ZeroSSL is simple, but we need the following.
A valid domain
An admin email account on that domain
A ZeroSSL account
So, if you have a purchased domain and hosting, create an admin email account (example: admin@example.com) and then follow this article to create a ZeroSSL account and get your free certificate. For this article I use the domain itechsheet.com and the email account admin@itechsheet.com as examples, and I will create a certificate for the subdomain mk.itechsheet.com.
Getting Free SSL Certificate from ZeroSSL
ZeroSSL issues free certificates to registered users, so first create a ZeroSSL account. Only an email address and a password are needed: visit the sign-up page [https://app.zerossl.com/signup] and create an account with a valid email address and a strong password.
Signup to ZeroSSL
After the account is created you are taken to the Dashboard; later you can return to it from the login page [https://app.zerossl.com/login].
ZeroSSL Dashboard
From the Dashboard, click on the Certificates menu item and then on the New Certificate button. The New Certificate panel will appear.
Enter the domain or subdomain for which you want the certificate in the Enter Domains box and click Next Step.
Creating Certificate for New Domain
The validity panel appears. ZeroSSL's free certificates are valid for 90 days; before expiry the certificate can be renewed for another 90 days and must then be installed again on every device that uses it. Choose 90-Day Certificate and click Next Step.
Certificate Validity
The CSR & Contact panel appears. ZeroSSL can generate the CSR and the private key for you. Choosing Auto-Generate CSR is the simplest option, but it means the private key is generated outside your router and downloaded together with the certificate, so treat the downloaded private.key file as a secret: store it only where it is needed and never send it by email. Click Next Step.
Creating CSR
The Finalize Your Order panel shows the features of the selected plan. The free plan is simple, three 90-day certificates per account, which is enough for a small business. Click Next Step.
Finalizing Certificate Order
ZeroSSL redirects to the Verify Domain page, reports that the certificate request has been created and asks you to verify control of the domain.
ZeroSSL offers three domain verification methods; Email Verification is the simplest. Choose Email Verification, select the admin email account (example: admin@itechsheet.com) from the drop-down menu and click Next Step.
Domain Verification
The verification method summary panel appears. Click Verify Domain to send the verification email.
Domain Verification System
ZeroSSL sends a verification email to the admin account, confirms that it was sent and shows Verification Status as Pending until you complete the verification.
Email Sent to Verify
ZeroSSL usually delivers the verification email within a minute. Log in to the admin email account and open it.
Verification Email
The email contains a link to the verification page and a verification key. Click Go to Verification Page.
Verification Page
Copy the verification key from the email, paste it into the input box and click NEXT. A success message appears and asks you to close the window.
Verification Successful Message
Back in the Dashboard, click Refresh Status. Verification Status changes to Verified and an Install Certificate button appears.
Verification Successful Status
Click Install Certificate. ZeroSSL confirms that the certificate has been issued and is ready for installation. Click Download Certificate.
Download Certificate
The certificate is downloaded as a ZIP file to the browser's default download location. Move it to the folder where you want to keep it.
Extract the ZIP file. It contains three files: ca-bundle.crt (the intermediate CA chain), certificate.crt (your server certificate) and private.key (the matching private key). Rename them after your domain or subdomain (example: ca-bundle.crt to ZeroSSL CA.crt, certificate.crt to mk.itechsheet.com.crt and private.key to mk.itechsheet.com.key) so they are easy to tell apart later.
Extract and Rename Downloaded Certificate
These files, issued by a trusted public CA (ZeroSSL), can be used in any application that needs an SSL/TLS certificate. Only the two .crt files may be shared; the .key file must stay private.
If any of the steps above is unclear, watch the following video on getting a free SSL certificate from ZeroSSL. I hope it clears up any confusion.
How to get a free SSL certificate from ZeroSSL has been discussed step by step. I hope you will now be able to get your free certificate. If you run into trouble, feel free to ask in the comments or contact me from the Contact page. I will try my best to help.
MikroTik Hotspot is one of the most popular services in MikroTik RouterOS. It forces network clients to authenticate before they can reach local or public network resources through the router. In my previous article I discussed MikroTik Hotspot configuration using Winbox. The default configuration, however, has problems with HTTPS redirect and HTTPS login, and solving them requires the Hotspot HTTPS configuration. In this article I will discuss how to configure MikroTik Hotspot HTTPS to address both issues.
MikroTik Hotspot HTTPS
MikroTik Hotspot HTTPS Redirect
When a Hotspot user browses a site before authenticating, the Hotspot redirects the browser to the login page and asks for credentials. That is the default behaviour. For an HTTPS site, however, the plain redirect does not work: the browser expects a TLS handshake with that site, so without the HTTPS configuration it gets a connection error instead of the login page. Years ago, when most sites were HTTP, this rarely mattered; today almost every site is HTTPS, so it is a common complaint. Configuring MikroTik Hotspot HTTPS addresses it, within the limits described at the end of this article.
MikroTik Hotspot HTTPS Login Page
By default MikroTik Hotspot provides an HTTP login page, but HTTP is not secure for login: the page travels in plain text, so anyone on the same Wi-Fi or wired segment who can capture or alter traffic (a man-in-the-middle position) can read what is submitted or serve a fake login page that harvests credentials. HTTP CHAP hashes the password in the browser with a challenge, so it is not sent literally, but HTTP PAP sends it in the clear and neither method lets the client verify it is talking to the real router. Configuring MikroTik Hotspot HTTPS solves this as well.
MikroTik Hotspot HTTPS Configuration
Data flow between an HTTP server and client is plain text, so passing login credentials over HTTP is never safe. It is always better to give Hotspot users an HTTPS login page.
The complete HTTPS configuration of a MikroTik Hotspot server can be divided into the following three steps.
Creating an SSL certificate for the HTTPS server
Enabling HTTPS in the MikroTik Router
Enabling HTTPS Redirect in MikroTik Hotspot
Step 1: Creating SSL Certificate for HTTPS Server
An HTTPS server needs a certificate. MikroTik RouterOS v6 can create, store and manage certificates in its certificate store, so we will create the server certificate on the router itself. Two certificates are required:
CA (Certification Authority) Certificate and
Server Certificate
Creating CA certificate
RouterOS acts as its own private CA here: a CA certificate is created first and then used to sign the server certificate. The following steps create the CA certificate in RouterOS.
From Winbox, go to System > Certificates, select the Certificates tab and click on the PLUS SIGN (+). The New Certificate window will appear.
Put the CA certificate name (for example: CA) in the Name and Common Name fields.
The remaining fields on the General tab (country, organization and so on) are optional and self-explanatory; fill them in if you wish.
On the Key Usage tab, untick every checkbox except crl sign and key cert. sign, so this certificate can only sign other certificates and revocation lists and cannot itself act as a server.
Click Apply and then Sign. The Sign window will appear.
Your CA certificate template appears in the Certificate drop-down menu. Select it if it is not already selected.
Put the router's LAN gateway IP or WAN IP (example: 172.22.22.1) in the CA CRL Host field.
Click Sign. The signed certificate is created within a few seconds.
Click OK to close the New Certificate window.
If the new CA certificate does not show the T flag, or Trusted shows no, double-click it, tick the Trusted checkbox at the bottom of the General tab and click Apply and OK.
Creating CA Certificate
Creating Server Certificate
After creating the CA certificate, we create the server certificate, signed by that CA, which the HTTPS server will present to clients. The following steps show how.
Click on the PLUS SIGN (+) again. The New Certificate window will appear.
Put the server certificate name (for example: Hotspot Server) in the Name and Common Name fields. If you intend to install your CA on client devices so they trust this certificate, put the hotspot's DNS name in the Common Name instead, because browsers also check that the name in the certificate matches the address of the login page.
If you filled in any optional fields for the CA certificate, fill them in here as well.
On the Key Usage tab, untick every checkbox except digital signature, key encipherment and tls server.
Click Apply and then Sign. The Sign window will appear.
Your new server certificate template appears in the Certificate drop-down menu. Select it if it is not already selected.
Select the CA certificate from the CA drop-down menu.
Click Sign. The signed certificate is created within a few seconds.
Click OK to close the New Certificate window.
If the new server certificate does not show the T flag, or Trusted shows no, double-click it, tick the Trusted checkbox at the bottom of the General tab and click Apply and OK.
Hotspot Server Certificate
We have now created the required CA and server certificates. After signing, the certificate list looks like the following image.
Created CA and Server Certificates
Step 2: Enabling HTTPS in MikroTik Router
After creating the certificates, we enable the HTTPS server in the MikroTik Router. The following steps show how.
From Winbox, go to IP > Services. The IP Service List window shows all available services.
Double-click on the www-ssl service. The IP Service <www-ssl> window will appear.
From the Certificate drop-down menu, choose the Hotspot Server certificate created in the previous step, and make sure the service is enabled.
Click Apply and OK.
MikroTik HTTPS Server
Suggestion: plain HTTP (port 80) is best not left open for management. Either disable the www service or restrict its Available From addresses to the management subnet; note that disabling www also turns off WebFig over HTTP. Whether Hotspot credentials can be submitted over HTTP is decided by the Login By checkboxes in the Hotspot profile, so leave HTTP CHAP and HTTP PAP unticked if you want logins only over HTTPS.
Step 3: Enabling HTTPS Redirect in MikroTik Hotspot
After enabling the HTTPS server, we enable HTTPS Redirect in MikroTik Hotspot. The following steps show how.
From Winbox, go to IP > Hotspot. The Hotspot window will appear.
Click on the Server Profiles tab and double-click your server profile. The Hotspot Server Profile window will appear.
Click on the Login tab.
In the Login By panel, tick the HTTPS checkbox.
From the SSL Certificate drop-down menu, choose the Hotspot Server certificate created in the first step.
Make sure the HTTPS Redirect checkbox is ticked.
Click Apply and OK.
Enabling HTTPS Redirect in MikroTik Hotspot
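Steps 1 to 3 of this article as RouterOS terminal commands, added as an example rather than taken from the article. CA, Hotspot Server and the CRL host 172.22.22.1 are the names used in the steps above; the hotspot DNS name hotspot.office.lan, the profile name hsprof1 and the validity periods are assumptions.

```routeros
# Added example (not from the original article). CA, "Hotspot Server" and
# 172.22.22.1 come from the steps above; hotspot.office.lan, hsprof1 and
# the days-valid values are assumptions.

/certificate
# 1. Private CA: key usage limited to signing certificates and CRLs.
add name=CA common-name=CA key-usage=crl-sign,key-cert-sign days-valid=3650
sign CA ca-crl-host=172.22.22.1
set [find name=CA] trusted=yes

# 2. Server certificate signed by that CA. Common Name and a DNS
#    subject-alt-name equal the name the hotspot advertises, so a client that
#    has imported the CA sees no name mismatch on the login page.
add name="Hotspot Server" common-name=hotspot.office.lan \
    subject-alt-name=DNS:hotspot.office.lan \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=825
sign "Hotspot Server" ca=CA

# 3. Check: CA should carry K (key), A (authority) and T (trusted);
#    Hotspot Server should carry K and I (issued by a local CA) with ca=CA.
print

# 4. Export the CA's public certificate (no private key) so managed client
#    devices can install it as a trusted root. A cert_export_*.crt file
#    appears under Files.
export-certificate CA

# 5. Bind the server certificate to www-ssl and to the hotspot profile.
/ip service set www-ssl certificate="Hotspot Server" disabled=no
/ip hotspot profile set [find name="hsprof1"] dns-name=hotspot.office.lan \
    login-by=https ssl-certificate="Hotspot Server" https-redirect=yes
```

Only the CA's public certificate is exported; the CA private key never leaves the router. Devices you do not manage (guests) cannot be given the CA, which is why the follow-up article uses a publicly trusted certificate instead.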
HTTPS Redirect is now enabled in the Hotspot server. Before authenticating, visit an HTTPS website that does not use HSTS. The browser first warns about the certificate, because the router answers the connection with the hotspot's certificate rather than the site's, and with a self-signed certificate it warns again on the login page itself; after proceeding you reach the HTTPS login page.
MikroTik Hotspot HTTPS Login Page
OOPS!!! I visited Facebook, YouTube or Google but the HTTPS login page did not appear. Why?
Facebook, YouTube and Google use HSTS (HTTP Strict Transport Security) and are on the browsers' HSTS preload list. For such sites the browser refuses a certificate that does not match the site, with no option to proceed, so the redirect never happens; the same applies to any HSTS site the browser has visited before. For testing, use an HTTPS site that does not send HSTS, such as https://systemzone.net or https://www.itechsheet.com, where the browser lets the user click through the warning and then shows the HTTPS login page. Most devices will in practice find the login page through their built-in captive-portal detection, which probes a plain-HTTP URL, rather than through HTTPS interception.
How to configure HTTPS Redirect and an HTTPS login page in MikroTik Hotspot has been discussed in this article. I hope you will now be able to configure them on your Hotspot server. If you run into trouble, feel free to ask in the comments or contact me from the Contact page. I will try my best to help.
A VPN (Virtual Private Network) provides an encrypted tunnel across a public network, so a user on one private network can exchange data with a remote private network as if the device were connected to it directly.
Secure Socket Tunneling Protocol (SSTP) carries a PPP tunnel inside a TLS channel over TCP port 443, so it passes through almost all firewalls and proxy servers. Data on an SSTP tunnel is protected by TLS; as long as the client verifies the server certificate, an attacker in the path cannot read or alter it. MikroTik's SSTP server can be used in two ways.
Connecting from a remote workstation or client: SSTP client software connects to the MikroTik SSTP server over the secure tunnel whenever needed and can reach the remote private network as if directly connected to it.
Site-to-site SSTP VPN: also known as VPN between routers. An SSTP-capable router keeps a permanent SSTP tunnel to the MikroTik SSTP server, so the private networks behind the two routers can communicate as if they were on the same router.
The goal of this article is to create a site-to-site tunnel between two MikroTik routers over SSTP across a public network. In my previous article I discussed how to configure a MikroTik SSTP VPN server for a remote Windows 10 client. In this article I will discuss how to create a site-to-site SSTP VPN between two MikroTik routers.
Network Diagram
To configure a site-to-site SSTP VPN tunnel between two MikroTik routers, we follow the network diagram below.
Site to Site SSTP Network Diagram
In this network diagram there are two MikroTik routers, Office Router and Home Router. Office Router has the public WAN IP 117.58.247.198/30 and the LAN block 10.10.110/24. Home Router has WAN IP 192.168.40.2/30 behind a NAT network, so it does not need a public IP; its LAN block is 172.25.25.0/24.
We will configure the SSTP server on Office Router and the SSTP client on Home Router. Once the tunnel is up, the VPN gateway on Office Router will be 192.168.2.1 and Home Router will receive 192.168.2.10, and the two LANs will be able to reach each other through the SSTP tunnel.
Site to Site MikroTik SSTP VPN Setup
We will now start SSTP Server and SSTP Client configuration between two MikroTik RouterOS. Complete SSTP configuration can be divided into two parts.
Part 1: SSTP Server Configuration in Office RouterOS
Part 2: SSTP Client Configuration in Home RouterOS
Part 1: SSTP Server Configuration in Office RouterOS
According to the network diagram, Office Router is our SSTP VPN Server. So, we will enable and configure SSTP VPN Server in Office MikroTik RouterOS. It is assumed that MikroTik WAN and LAN networks have been configured and are working without any issue.
Complete MikroTik SSTP Server configuration in Office RouterOS can be divided into the following three steps.
Step 1: Creating TLS Certificate for SSTP Server
Step 2: Enabling and Configuring SSTP Server
Step 3: Creating SSTP Users
Step 1: Creating TLS Certificate for SSTP Server
The SSTP server needs a TLS certificate, because SSTP relies on TLS for secure communication. MikroTik RouterOS v6 can create, store and manage certificates in its certificate store, so we create the server certificate on the router. Two certificates are required:
CA (Certification Authority) Certificate and
Server Certificate
Click on PLUS SIGN (+) again. New Certificate window will appear.
Put your server certificate name (for example: Server) in Name input field.
Put the WAN IP Address (example: 117.58.247.198) of MikroTik Router in Common Name input field.
If you have put any optional field in CA certificate, put them here also.
Click on Key Usage tab and uncheck all checkboxes except digital signature, key encipherment and tls server checkboxes.
Click on Apply button and then click on Sign button. Sign window will appear now.
Your newly created Server certificate template will appear in certificate dropdown menu. Select newly created certificate template if it is not selected.
Also select CA certificate from CA dropdown menu.
Click on Sign button. Your Signed certificate will be created within few seconds.
Click on OK button to close New Certificate window.
If newly created server certificate does not show T flag or Trusted property shows no, double click on your server certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.
Creating Server Certificate for SSTP Server
We have successfully created the required CA and Server Certificates. After creating CA and Server certificates, the Certificates window will look like the following image.
Created CA and Server Certificates in Certificates Window
Step 2: SSTP Server Configuration in MikroTik Router
After creating CA and Server Certificates, we are now eligible to enable and configure SSTP Server in MikroTik Router. The following steps will show how to enable and configure SSTP Server in MikroTik Router.
Click on PPP menu item from Winbox and then click on Interface tab.
Click on SSTP Server button. SSTP Server window will appear.
Click on Enabled checkbox to enable SSTP Server.
Make sure TCP Port 443 is assigned in Port input field.
From Authentication, uncheck all checkboxes except mschap2 checkbox.
From Certificate dropdown menu, choose server certificate (Server) that we created before.
From TLS Version drop down menu, choose only-1.2 option. TLS Version any can also be selected.
Now click on Force AES and PFS checkboxes.
Now click on Apply and OK button.
Enabling SSTP Server in MikroTik Router
SSTP Server is now running in MikroTik Router. As MikroTik SSTP VPN relies on a username and password for a successful VPN connection, we will now create PPP users who will be able to connect to MikroTik SSTP Server and get IP information.
Step 3: Creating SSTP Users
MikroTik SSTP uses a username and password to validate a legitimate connection. So, we have to create a username and password for every user we want to allow. The following steps will show how to create SSTP users in MikroTik RouterOS.
From PPP window, click on Secrets tab and then click on PLUS SIGN (+). New PPP Secret window will appear.
Put username (For example: sayeed) in Name input field and put password in Password input field.
Choose sstp from Service dropdown menu.
Put VPN Gateway IP (192.168.2.1) in Local Address input field. This Gateway IP does not need to be assigned to any interface, because a virtual interface will be created and this Gateway IP will be assigned to it automatically.
Put the IP address (192.168.2.10) that will be assigned to Home Router in Remote Address input field. This address will also be assigned automatically, so there is no need to assign it to any interface.
Put the static route (172.25.25.0/24 192.168.2.10 1) that will be added in Office Router, so that Office Router can reach Home Router's network, in Routes input field. If you don't assign Routes here, you have to add the routes statically in the routing table to reach Home Router's network. Multiple routes can be added, separated by commas.
Click on Apply and OK button.
SSTP User Creation in Office Router
Multiple users can be created similarly if you have multiple Client RouterOS.
SSTP Server and user configuration in Office Router has been completed. Now we will configure SSTP Client in Home Router.
Part 2: SSTP VPN RouterOS Client Configuration
Home Router will act as an SSTP Client. So, we will create an SSTP client in Home Router. The following steps will show how to configure SSTP Client in Home Router.
From Winbox, click on Interfaces menu item. Interfaces window will appear.
Click on PLUS SIGN (+) drop down menu and click on SSTP Client option. New Interface window will appear.
In General tab, you can put a meaningful name in Name input field. I am keeping the default one.
Click on Dial Out tab and put Office Router WAN IP (117.58.247.198) in Connect To input field.
By default port 443 will be assigned in Port input field. So, nothing to do here.
Server certificate verification is enabled by default in RouterOS SSTP Client. So, click on Verify Server Address from Certificate checkbox for hostname verification as well.
Click on PFS (Perfect Forward Secrecy) checkbox, which makes sure a new private encryption key is generated for each session. As we have chosen PFS in SSTP Server Configuration, we have to enable PFS in SSTP Client Configuration also.
Put username (sayeed) that you created in SSTP User in Name input field and put password in Password input field.
Uncheck all checkboxes except mschap2 from Allow protocol panel.
Click Apply and OK button.
SSTP Client Configuration in RouterOS
If everything is OK, SSTP Tunnel will be established and Home RouterOS will now be able to access Office Router's network successfully. Office Router will also be able to access Home Router's network because a route will be added dynamically to Office Router's routing table. You will find the connected users in PPP > Active Connection tab. You will also find that a virtual interface has been created dynamically and your assigned IP address has been assigned to it automatically.
Active SSTP Connection Showing Home Router
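The site-to-site user (Step 3) and the Home Router client (Part 2) as RouterOS CLI, added here as an example and not code from the article. IP addresses, names and the route are the article's; the password "S3cret-pass" and the file name CA.crt are placeholders, and the CA certificate is assumed to have been exported from Office Router and uploaded to Home Router's Files first.

```routeros
# ---- Office Router (SSTP Server): one PPP secret per client router ----
# local-address is the tunnel gateway, remote-address is what Home Router gets,
# routes is installed dynamically while the session is up (comma separated for more)
/ppp secret add name=sayeed password="S3cret-pass" service=sstp \
    local-address=192.168.2.1 remote-address=192.168.2.10 \
    routes="172.25.25.0/24 192.168.2.10 1"

# ---- Home Router (SSTP Client) ----
# Import the CA certificate (placeholder file name CA.crt) so the client can
# verify the server certificate; without it verification fails and the tunnel
# will not come up
/certificate import file-name=CA.crt passphrase=""
# verify-server-certificate and verify-server-address-from-certificate together
# check both the CA chain and that the common name matches connect-to
/interface sstp-client add name=sstp-out1 connect-to=117.58.247.198 port=443 \
    user=sayeed password="S3cret-pass" authentication=mschap2 \
    verify-server-certificate=yes verify-server-address-from-certificate=yes \
    pfs=yes tls-version=only-1.2 disabled=no

# ---- Checks ----
# Home Router: status should read "connected" and the interface carry flag R
/interface sstp-client monitor sstp-out1 once
# Office Router: the active session, the dynamic <sstp-sayeed> interface and
# the dynamic route towards Home Router's LAN
/ppp active print
/interface print where dynamic
/ip route print where dst-address=172.25.25.0/24
```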
If you have any confusion following the above steps, watch the following video about SSTP VPN configuration between RouterOS devices. I hope it will clear up any confusion.
MikroTik Site to Site SSTP VPN Configuration has been discussed in this article. I hope you will now be able to establish an SSTP Tunnel between two RouterOS devices. However, if you face any confusion configuring SSTP VPN in MikroTik Router, feel free to discuss in the comments or contact me from the Contact page. I will try my best to stay with you.
VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a public network. So, a private network user can send and receive data to any remote private network through VPN tunnel as if his/her network device was directly connected to that private network.
Secure Socket Tunneling Protocol (SSTP) transports a PPP tunnel over a TLS channel. SSTP uses the TLS channel over TCP port 443. So, SSTP VPN can pass through virtually all firewalls and proxy servers. Because a TLS channel is used, the data passing over the SSTP Tunnel is encrypted. So, a man-in-the-middle attacker cannot read the data, and data can be sent and received across a public network safely. MikroTik SSTP Server can be used in two ways.
Connecting from remote workstation/client: In this method, SSTP VPN client software can communicate with MikroTik SSTP VPN Server over Secure VPN tunnel whenever required and can access remote private network as if it was directly connected to that remote private network.
Site to Site SSTP VPN: This method is also known as VPN between routers. In this method, a router that supports SSTP client always keeps an SSTP VPN tunnel established with MikroTik SSTP VPN Server. So, the private networks of these two routers can communicate with each other as if they were directly connected to the same router.
The goal of this article is to connect a remote client device over secure SSTP VPN Tunnel across public network. So, in this article I will only show how to configure MikroTik SSTP VPN Server for connecting a remote workstation/client (Windows 10 Client).
How SSTP Connection Established
To establish an SSTP VPN tunnel across a public network, the following steps occur.
How SSTP Works
TCP connection is established from SSTP Client to SSTP Server on TCP port 443.
SSL validates the server certificate. If the certificate is valid the connection proceeds; otherwise the connection is denied.
The client sends SSTP control packets within the HTTPS session which establishes the SSTP state machine on both sides.
PPP username and password are validated over SSTP. The client authenticates to the server, and IP addresses are bound to the SSTP Client interface.
SSTP tunnel is now established and packet encapsulation can begin.
Network Diagram
To configure a Client-Server SSTP VPN Tunnel between a MikroTik Router and a Windows 10 SSTP Client, we are following the below network diagram.
Client-Server SSTP Diagram
In this network diagram, a MikroTik Router’s ether1 interface is connected to public network having IP address 117.58.247.198/30 and ether2 interface is connected to LAN having IP network 10.10.11.0/24.
We will configure SSTP Server in this MikroTik Router on TCP port 443, so that the Windows 10 SSTP Client can connect to this SSTP Server and access remote network resources as if the device were connected to that remote network.
SSTP VPN Server and SSTP Client Configuration
We will now start SSTP Server and Client configuration. Complete SSTP configuration can be divided into two parts.
Part 1: SSTP Server Configuration in MikroTik Router
Part 2: SSTP Client Configuration in Windows 10
Part 1: SSTP Server Configuration in MikroTik Router
According to the network diagram, MikroTik Router is our SSTP VPN Server. So, we will enable and configure SSTP VPN Server in MikroTik Router. It is assumed that MikroTik WAN and LAN networks have been configured and are working without any issue.
Complete MikroTik SSTP Server configuration can be divided into the following three steps.
Step 1: Creating TLS Certificate for SSTP Server
Step 2: Enabling and Configuring SSTP Server
Step 3: Creating SSTP Users
Step 1: Creating TLS Certificate for SSTP Server
SSTP Server configuration requires a TLS certificate because SSTP VPN uses TLS for secure communication. MikroTik RouterOS v6 gives the ability to create, store and manage certificates in its certificate store. So, we will create the required SSTP Server certificates from MikroTik RouterOS. SSTP Server requires two types of certificates:
CA (Certification Authority) Certificate and
Server Certificate
Creating CA certificate
MikroTik RouterOS can issue self-signed certificates, and a self-signed setup must have a CA (Certification Authority) Certificate to sign the Server Certificate. This CA certificate must also be installed on SSTP Client devices; otherwise the Server Certificate cannot be verified. The following steps will show how to create a CA certificate in MikroTik RouterOS.
From Winbox, go to System > Certificates menu item and click on Certificates tab and then click on PLUS SIGN (+). New Certificate window will appear.
Put your CA certificate name (for example: CA) in Name input field.
Put the WAN IP Address (example: 117.58.247.198) of MikroTik Router in Common Name input field.
You will find some optional fields in General tab. You can fill those in if you wish. All fields are self-explanatory.
Click on Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign.
Click on Apply button and then click on Sign button. Sign window will appear now.
Your created CA certificate template will appear in Certificate dropdown menu. Select your newly created certificate template if it is not selected.
Put MikroTik Router’s WAN IP address (example: 117.58.247.198) in CA CRL Host input field.
Click on Sign button. Your Signed certificate will be created within few seconds.
Click on OK button to close New Certificate window.
If newly created CA certificate does not show T flag or Trusted property shows no, double click on your CA certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.
Creating CA Certificate for SSTP Server
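The CA certificate steps above and the Server certificate steps from Part 1, Step 1 of the site-to-site configuration, as RouterOS v6 CLI; this is an added example, not code from the article. The names CA and Server and the WAN IP 117.58.247.198 are the article's; the exported file name CA.crt is what RouterOS produces by default and is stated here as an assumption.

```routeros
# 1. CA template: only the usages a CA needs, then self-sign it and publish
#    the CRL on the router's WAN address (the CA CRL Host field in Winbox)
/certificate add name=CA common-name=117.58.247.198 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=117.58.247.198 name=CA

# 2. Server template: usages restricted to what a TLS server needs,
#    then sign it with the CA created above
/certificate add name=Server common-name=117.58.247.198 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign Server ca=CA name=Server

# 3. Mark both certificates trusted (the T flag / Trusted checkbox)
/certificate set [find name=CA] trusted=yes
/certificate set [find name=Server] trusted=yes

# 4. Check the flags: CA should show K (private key), L (CRL), A (authority)
#    and T (trusted); Server should show at least K and T
/certificate print

# 5. Export the CA certificate for the clients. With no export-passphrase only
#    the public certificate is written (Files > CA.crt, assumed file name);
#    never copy the CA's private key to a client
/certificate export-certificate CA
```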
Creating Server Certificate
After creating CA certificate, we will now create Server Certificate that will be signed by the created CA. The Server Certificate will be used by SSTP Server. The following steps will show how to create Server Certificate in MikroTik RouterOS.
Click on PPP menu item from Winbox and then click on Interface tab.
Click on SSTP Server button. SSTP Server window will appear.
Click on Enabled checkbox to enable SSTP Server.
Make sure TCP Port 443 is assigned in Port input field.
From Authentication, uncheck all checkboxes except mschap2 checkbox.
From Certificate dropdown menu, choose server certificate (Server) that we created before.
From TLS Version drop down menu, choose only-1.2 option. TLS Version any can also be selected.
Now click on Force AES and PFS checkboxes.
Now click on Apply and OK button.
Enabling SSTP Server in MikroTik Router
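The SSTP Server steps above (the same steps as Step 2 of the site-to-site configuration) as RouterOS v6 CLI, added here as an example and not code from the article. The certificate name Server and TCP port 443 are the article's; the firewall rule is an assumption for routers whose input chain drops new connections from the WAN, which the article does not cover.

```routeros
# Enable the server with the same settings as the Winbox steps:
# only mschap2 authentication, the signed Server certificate, TLS 1.2 only,
# AES forced and PFS required
/interface sstp-server server set enabled=yes port=443 \
    authentication=mschap2 certificate=Server \
    tls-version=only-1.2 force-aes=yes pfs=yes

# Check: authentication must list only mschap2 and certificate must be "Server";
# a server with certificate=none accepts no connections at all
/interface sstp-server server print

# Assumption: if your input chain drops new WAN connections, clients never
# reach port 443. place-before=0 puts the accept rule in front of the drop rule.
/ip firewall filter add chain=input protocol=tcp dst-port=443 \
    action=accept place-before=0 comment="SSTP server"
```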
SSTP Server is now running in MikroTik Router. As MikroTik SSTP VPN relies on a username and password for a successful VPN connection, we will now create PPP users who will be able to connect to MikroTik SSTP Server and get IP information.
Step 3: Creating SSTP Users
MikroTik SSTP uses a username and password to validate a legitimate connection. So, we have to create a username and password for every user we want to allow. The complete user configuration for SSTP Server can be divided into the following three parts.
IP Pool Configuration
User Profile Configuration and
SSTP User Configuration
IP Pool Configuration
Usually multiple users connect to SSTP Server. So, it is better to create an IP Pool from which connected users get their IP addresses. The following steps will show how to create an IP Pool in MikroTik Router.
From Winbox, go to IP > Pool menu item. IP Pool Window will appear.
Click on PLUS SIGN (+). New IP Pool window will appear.
Put a meaningful name (vpn_pool) in Name input field.
Put the desired IP range (example: 192.168.2.2-192.168.2.254) in Addresses input field. Make sure not to include the VPN Gateway IP (192.168.2.1) in this range.
Click Apply and OK button.
SSTP User IP Pool
User Profile Configuration
After creating IP Pool, we will now configure user profile so that all users can have similar characteristics. The following steps will show how to configure user profile for SSTP Users.
From Winbox, go to PPP menu item and click on Profile tab and then click on PLUS SIGN (+). New PPP Profile window will appear.
Put a meaningful name (example: vpn_profile) in Name input field.
Put VPN Gateway address (example: 192.168.2.1) in Local Address input field.
Choose the created IP Pool (vpn_pool) from Remote Address dropdown menu.
Click Apply and OK button.
OpenVPN User Profile Configuration
SSTP User Configuration
After creating user profile, we will now create users who will be connected to SSTP Server. The following steps will show how to create SSTP users in MikroTik RouterOS.
From PPP window, click on Secrets tab and then click on PLUS SIGN (+). New PPP Secret window will appear.
Put username (For example: sayeed) in Name input field and put password in Password input field.
Choose sstp from Service dropdown menu.
Choose the created profile from Profile dropdown menu.
Click on Apply and OK button.
SSTP User Configuration
We have created a user for SSTP Server. Similarly, we can create as many users as we require.
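The pool, profile and user steps of Step 3 as RouterOS CLI, added here as an example and not code from the article. Names and addresses are the article's; the passwords, the second user and the default-profile setting are assumptions not in the Winbox steps.

```routeros
# IP Pool: addresses handed to connected users; the gateway 192.168.2.1
# is deliberately outside the range
/ip pool add name=vpn_pool ranges=192.168.2.2-192.168.2.254

# User profile: local-address is the gateway on every tunnel, remote-address
# names the pool instead of a fixed IP, so every user gets a free address
/ppp profile add name=vpn_profile local-address=192.168.2.1 remote-address=vpn_pool

# Users bound to the SSTP service and to the profile (placeholder passwords)
/ppp secret add name=sayeed password="S3cret-pass" service=sstp profile=vpn_profile
/ppp secret add name=second-user password="Another-pass" service=sstp profile=vpn_profile

# Assumption: make vpn_profile the server's default so a secret created later
# without an explicit profile still gets a pool address rather than none
/interface sstp-server server set default-profile=vpn_profile

# Checks: which pool addresses are in use and by whom, and the live sessions
/ip pool used print
/ppp active print
```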
SSTP Server configuration in MikroTik Router has been completed. In the next part we will configure SSTP Client in Windows 10 Operating System.
Part 2: SSTP Client Configuration in Windows 10
After configuring SSTP Server in MikroTik Router, we will now configure SSTP Client in Windows 10 Operating System. SSTP Client configuration in Windows 10 can be divided into the following two steps.
Installing CA Certificate in Windows 10
SSTP Client Configuration in Windows 10
Installing CA Certificate in Windows 10
The exported CA Certificate must be installed in Windows Trusted Root Certification Authorities; otherwise the SSTP Client cannot verify the SSTP Server Certificate. To install the CA Certificate in Windows 10, do the following steps.
Click mouse right button on the Exported CA Certificate and choose Install Certificate option.
CA Certificate Installation in Windows 10
You will now find the Certificate Import Wizard window, which asks you to choose the certificate Store Location. From Store Location panel, choose Local Machine radio button and then click Next button.
Certificate Import Wizard
The next window will ask you to choose a specific certificate store. The exported CA must be placed in Trusted Root Certification Authorities store. So, click on Place all certificates in the following store radio button, then click on Browse button, choose Trusted Root Certification Authorities and then click Next button.
Placing CA Certificate to Trusted Root Certification Authorities
The next Certificate Import Wizard window will show a summary and ask you to click Finish button. So, click Finish button and you will find a message that the certificate import was successful.
SSTP Client Configuration in Windows 10
After importing the CA certificate into Trusted Root Certification Authorities, we will now configure SSTP Client in Windows 10 Operating System. The following steps will show how to configure SSTP Client in Windows 10 OS.
How to Configure MikroTik SSTP VPN Server with Windows 10 Operating System has been discussed in this article. I hope you will now be able to configure SSTP Server and Client with MikroTik Router and Windows 10 Operating System. However, if you face any confusion configuring SSTP VPN Server and Client, feel free to discuss in the comments or contact me from the Contact page. I will try my best to stay with you.