Tag archive: Mikrotik

MikroTik SSTP VPN Server Configuration with Windows 10

VPN (Virtual Private Network) technology provides a secure and encrypted tunnel across a public network. So a user of a private network can send and receive data to a remote private network through the VPN tunnel as if his/her network device were directly connected to that private network.




Secure Socket Tunneling Protocol (SSTP) transports a PPP tunnel over a TLS channel. SSTP uses the TLS channel over TCP port 443, so SSTP VPN can pass through virtually all firewalls and proxy servers. Because the PPP traffic is carried inside TLS, the data that passes over the SSTP tunnel is encrypted; an attacker in the middle cannot read it as long as the client verifies the server certificate, so data can be sent and received across a public network safely. MikroTik SSTP Server can be applied in two methods.




  • Connecting from a remote workstation/client: In this method, SSTP VPN client software communicates with the MikroTik SSTP VPN Server over a secure VPN tunnel whenever required and can access the remote private network as if it were directly connected to it.
  • Site to Site SSTP VPN: This method is also known as VPN between routers. In this method, a router with SSTP client support permanently maintains an SSTP VPN tunnel with the MikroTik SSTP VPN Server. So, the private networks of these two routers can communicate with each other as if they were directly connected to the same router.




The goal of this article is to connect a remote client device over secure SSTP VPN Tunnel across public network. So, in this article I will only show how to configure MikroTik SSTP VPN Server for connecting a remote workstation/client (Windows 10 Client).




How an SSTP Connection Is Established




To establish an SSTP VPN tunnel across a public network, the following steps occur.




[Image: SSTP How Works]




  • A TCP connection is established from the SSTP client to the SSTP server on TCP port 443.
  • The TLS handshake validates the server certificate. If the certificate is valid the connection is established; otherwise the connection is denied.
  • The client sends SSTP control packets within the HTTPS session, which establishes the SSTP state machine on both sides.
  • PPP username and password validation is performed over SSTP. The client authenticates to the server and IP addresses are bound to the SSTP client interface.
  • The SSTP tunnel is now established and packet encapsulation can begin.




Network Diagram




To configure a Client-Server SSTP VPN Tunnel between a MikroTik Router and a Windows 10 SSTP Client, we are following the below network diagram.




[Image: Client-Server SSTP Diagram]




In this network diagram, a MikroTik Router’s ether1 interface is connected to public network having IP address 117.58.247.198/30 and ether2 interface is connected to LAN having IP network 10.10.11.0/24.




We will configure SSTP Server in this MikroTik Router on TCP port 443. So, Windows 10 SSTP Client can be connected to this SSTP Server and can be able to access remote network resources as if the device is connected to that remote network.




SSTP VPN Server and SSTP Client Configuration




We will now start SSTP Server and Client configuration. Complete SSTP configuration can be divided into two parts.




  • Part 1: SSTP Server Configuration in MikroTik Router
  • Part 2: SSTP Client Configuration in Windows 10




Part 1: SSTP Server Configuration in MikroTik Router




According to the network diagram, MikroTik Router is our SSTP VPN Server. So, we will enable and configure SSTP VPN Server in MikroTik Router. It is assumed that MikroTik WAN and LAN networks have been configured and are working without any issue.




Complete MikroTik SSTP Server configuration can be divided into the following three steps.




  • Step 1: Creating TLS Certificate for SSTP Server
  • Step 2: Enabling and Configuring SSTP Server
  • Step 3: Creating SSTP Users




Step 1: Creating TLS Certificate for SSTP Server




SSTP Server configuration requires TLS certificate because SSTP VPN uses TLS certificate for secure communication. MikroTik RouterOS v6 gives ability to create, store and manage certificates in certificate store. So, we will create required SSTP Server certificate from MikroTik RouterOS. SSTP Server requires two types of certificates:




  • CA (Certification Authority) Certificate and
  • Server Certificate




Creating CA certificate




MikroTik RouterOS can issue self-signed certificates, and the Server Certificate must be signed by a CA (Certification Authority) Certificate. This CA certificate will also be installed on the SSTP client devices, otherwise the Server Certificate cannot be verified. The following steps will show how to create a CA certificate in MikroTik RouterOS.




  • From Winbox, go to System > Certificates menu item and click on Certificates tab and then click on PLUS SIGN (+). New Certificate window will appear.
  • Put your CA certificate name (for example: CA) in Name input field.
  • Put the WAN IP Address (example: 117.58.247.198) of MikroTik Router in Common Name input field.
  • You will find some optional fields in General tab. You can fill those if you wish. All fields are self-explanatory.
  • Click on Key Usage tab and uncheck all checkboxes except crl sign and key cert. sign.
  • Click on Apply button and then click on Sign button. Sign window will appear now.
  • Your created CA certificate template will appear in Certificate dropdown menu. Select your newly created certificate template if it is not selected.
  • Put MikroTik Router’s WAN IP address (example: 117.58.247.198) in CA CRL Host input field.
  • Click on Sign button. Your signed certificate will be created within a few seconds.
  • Click on OK button to close New Certificate window.
  • If the newly created CA certificate does not show the T flag or the Trusted property shows no, double click on your CA certificate, click on the Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.




[Image: Creating CA Certificate for SSTP Server]




Creating Server Certificate




After creating CA certificate, we will now create Server Certificate that will be signed by the created CA. The Server Certificate will be used by SSTP Server. The following steps will show how to create Server Certificate in MikroTik RouterOS.






Step 2: Enabling and Configuring SSTP Server

  • Click on PPP menu item from Winbox and then click on Interface tab.
  • Click on SSTP Server button. SSTP Server window will appear.
  • Click on Enabled checkbox to enable SSTP Server.
  • Make sure TCP port 443 is assigned in Port input field.
  • From Authentication, uncheck all checkboxes except the mschap2 checkbox.
  • From Certificate dropdown menu, choose the server certificate (Server) that we created before.
  • From TLS Version dropdown menu, choose the only-1.2 option. TLS Version any can also be selected.
  • Now check the Force AES and PFS checkboxes.
  • Now click on Apply and OK button.




[Image: Enabling SSTP Server in MikroTik Router]




SSTP Server is now running in MikroTik Router. As MikroTik SSTP VPN requires a username and password for a successful VPN connection, we will now create PPP users who will be able to connect to MikroTik SSTP Server and get IP information.




Step 3: Creating SSTP Users




MikroTik SSTP uses a username and password to validate a legitimate connection. So, we have to create a username and password for every user we want to allow. The complete user configuration for SSTP Server can be divided into the following three parts.




  • IP Pool Configuration
  • User Profile Configuration and
  • SSTP User Configuration




IP Pool Configuration




Usually multiple users can connect to SSTP Server. So, it is always better to create an IP Pool from where connected user will get IP address. The following steps will show how to create IP Pool in MikroTik Router.




  • From Winbox, go to IP > Pool menu item. IP Pool window will appear.
  • Click on PLUS SIGN (+). New IP Pool window will appear.
  • Put a meaningful name (vpn_pool) in Name input field.
  • Put the desired IP range (example: 192.168.2.2-192.168.2.254) in Addresses input field. Make sure not to include the VPN Gateway IP (192.168.2.1) in this range.
  • Click Apply and OK button.




[Image: SSTP User IP Pool]




User Profile Configuration




After creating IP Pool, we will now configure user profile so that all users can have similar characteristics. The following steps will show how to configure user profile for SSTP Users.




  • From Winbox, go to PPP menu item and click on Profile tab and then click on PLUS SIGN (+). New PPP Profile window will appear.
  • Put a meaningful name (example: vpn_profile) in Name input field.
  • Put VPN Gateway address (example: 192.168.2.1) in Local Address input field.
  • Choose the created IP Pool (vpn_pool) from Remote Address dropdown menu.
  • Click Apply and OK button.




[Image: OpenVPN User Profile Configuration]




SSTP User Configuration




After creating user profile, we will now create users who will be connected to SSTP Server. The following steps will show how to create SSTP users in MikroTik RouterOS.




  • From PPP window, click on Secrets tab and then click on PLUS SIGN (+). New PPP Secret window will appear.
  • Put username (For example: sayeed) in Name input field and put password in Password input field.
  • Choose sstp from Service dropdown menu.
  • Choose the created profile from Profile dropdown menu.
  • Click on Apply and OK button.




[Image: SSTP User Configuration]




We have created a user for SSTP Server. Similarly, we can create more users that we require.
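The same Part 1 configuration entered at the RouterOS v6 terminal instead of Winbox, as an added example that is not code from the article. It uses the article's names and addresses; CHANGE_ME is a placeholder, the Server certificate's key usage and the CA export step are assumed to mirror the OpenVPN article further down this page, and the subject-alt-name line is an addition beyond the article's steps.

```routeros
# Added example (not from the article): RouterOS v6 CLI equivalent of Steps 1-3.
# Values are the article's; CHANGE_ME is a placeholder you must replace.

# Step 1a: CA certificate, self-signed, trusted, CRL host set to the WAN IP
/certificate add name=CA common-name=117.58.247.198 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=117.58.247.198 name=CA
/certificate set CA trusted=yes

# Step 1b: Server certificate signed by the CA. The Windows SSTP client compares
# the name it dials (here the WAN IP) with the certificate, so the IP goes into
# the Common Name and, as an assumption beyond the article, into a SAN as well.
# Key usage assumed to match the OpenVPN article's server certificate.
/certificate add name=Server common-name=117.58.247.198 \
    subject-alt-name=IP:117.58.247.198 \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign Server ca=CA name=Server

# Export only the CA certificate (no private key) for import into the Windows
# Trusted Root Certification Authorities store; it appears in Files as
# cert_export_CA.crt
/certificate export-certificate CA

# Step 2: SSTP server on TCP 443, MS-CHAPv2 only, TLS 1.2 only, AES and PFS forced
/interface sstp-server server set enabled=yes port=443 certificate=Server \
    authentication=mschap2 tls-version=only-1.2 force-aes=yes pfs=yes

# Step 3: address pool (gateway .1 excluded), profile, and one user whose
# secret is valid for the sstp service only
/ip pool add name=vpn_pool ranges=192.168.2.2-192.168.2.254
/ppp profile add name=vpn_profile local-address=192.168.2.1 remote-address=vpn_pool
/ppp secret add name=sayeed password=CHANGE_ME service=sstp profile=vpn_profile

# Checks: both certificates should carry the K (private key) and T (trusted)
# flags, and the server should print enabled=yes with the settings above
/certificate print
/interface sstp-server server print
# Live sessions once a client connects
/interface sstp-server print
/ppp active print
```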




SSTP Server configuration in MikroTik Router has been completed. In the next part we will configure SSTP Client in Windows 10 Operating System.




Part 2: SSTP Client Configuration in Windows 10




After configuring SSTP Server in MikroTik Router, we will now configure SSTP Client in Windows 10 Operating System. SSTP Client configuration in Windows 10 can be divided into the following two steps.




  • Installing CA Certificate in Windows 10
  • SSTP Client Configuration in Windows 10




Installing CA Certificate in Windows 10




The exported CA Certificate must be installed in the Windows Trusted Root Certification Authorities store, otherwise the SSTP client cannot verify the SSTP server certificate. To install the CA Certificate in Windows 10, do the following steps.

Right-click the exported CA Certificate and choose the Install Certificate option.


[Image: CA Certificate Installation in Windows 10]




You will now find the Certificate Import Wizard window, and it will ask you to choose the certificate Store Location. From the Store Location panel, choose the Local Machine radio button and then click Next button.




[Image: Certificate Import Wizard]




The next window will ask you to choose a specific certificate store. The exported CA must be placed in the Trusted Root Certification Authorities store. So, click on the Place all certificates in the following store radio button, then click on Browse button, choose Trusted Root Certification Authorities and then click Next button.




[Image: Placing CA Certificate to Trusted Root Certification Authorities]




The next Certificate Import Wizard window will show a summary and ask you to click Finish. So, click Finish button and you will see a message that the import was successful.




SSTP Client Configuration in Windows 10




After importing the CA certificate into Trusted Root Certification Authorities, we will now configure the SSTP client in Windows 10 Operating System. The following steps will show how to configure SSTP Client in Windows 10 OS.






How to configure MikroTik SSTP VPN Server with Windows 10 Operating System has been discussed in this article. I hope you will now be able to configure SSTP Server and Client with MikroTik Router and Windows 10 Operating System. However, if you face any confusion configuring SSTP VPN Server and Client, feel free to discuss in the comments or contact me via the Contact page. I will try my best to stay with you.



2020-04-27T16:44:45
MikroTik Router Tutorials & Guides

Configuring MikroTik with 2 WAN Load Balancing

Load balancing across WAN links comes up quite often for many people, and unlike other things that can be configured on MikroTik equipment quickly and painlessly, configuring Load Balancing takes some effort. The topic is relatively complex: having several WAN links and the task of configuring load balancing involves configuring several default gateways and default routes, many NAT translation rules, and so on.


ROUTER CONFIGURATION

So, we have one MikroTik 951Ui-2HnD router, which is connected to two ISPs via antennas on ports ether1 and ether2 respectively, plus a local network. Traffic from the local network will be NATed out of both WAN ports and load-balanced.

Configure the local IP addresses:

/ip address
add address=192.0.2.2/24 interface=ether1-isp-1
add address=198.51.100.2/24 interface=ether2-isp-2
add address=192.168.20.1/24 interface=bridge-local

Configure the default gateways:

/ip route
add dst-address=0.0.0.0/0 check-gateway=ping gateway=192.0.2.1,198.51.100.1

Configure NAT on the WAN ports for the outgoing direction:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2

If only this example configuration is left in place, then when one of the links "drops", the second one is used instead. However, there is no load balancing here.


OUTGOING AND INCOMING MANGLE MARKING

One of the typical problems when using more than one WAN connection is that packets received on one WAN interface may immediately be sent out through the other WAN interface, which can, for example, break a VPN-based network. We need packets "belonging" to the same connection to be received and sent through the same WAN port. If one of the ISPs fails, all connections on that port will "die" and then be re-established on the other WAN port. For this, the connections need to be marked:

/ip firewall mangle
add action=mark-connection chain=input in-interface=ether1 new-connection-mark="CON-IN-ISP-1"
add action=mark-connection chain=input in-interface=ether2 new-connection-mark="CON-IN-ISP-2"

This helps the router keep track of the port for each incoming connection.

Now we will use the connection mark of incoming packets to trigger a routing mark. This routing mark will be used later in a route that tells the connection which WAN port to send packets out through.

add action=mark-routing chain=output connection-mark="CON-IN-ISP-1" new-routing-mark="ROUTE-ISP-1"
add action=mark-routing chain=output connection-mark="CON-IN-ISP-2" new-routing-mark="ROUTE-ISP-2"

Marked connections then receive a routing mark, so the router can route packets the way we need. In the next step we will configure the router so that marked packets are sent out through the correct WAN connection.


LAN ROUTE MARKING

We also need to configure several Mangle rules; they tell the router to balance the packets sent from the local network. The balancing mechanism itself is not described in this article; suffice it to say that a lot of hashing takes place, and if you want to dig deeper you can refer to the official MikroTik documentation. According to these rules, the router will balance traffic arriving on bridge-local that is destined to any non-local address on the Internet. We capture the traffic in the prerouting chain in order to direct it to the WAN port we need according to the routing mark.

The following commands balance traffic on the LAN interface across two groups:

add action=mark-routing chain=prerouting dst-address-type=!local in-interface=bridge-local new-routing-mark="ISP-1-OUT" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting dst-address-type=!local in-interface=bridge-local new-routing-mark="ISP-2-OUT" passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1

The routing marks above are configured exactly as in the previous step and correspond to the routes that will be created in the next step.


SPECIAL DEFAULT ROUTES

At this point we should have marked the connections arriving on the WAN ports, and these marks have been used to create routing marks. The LAN load balancing described in the previous step also creates routing marks that match the next step, in which default routes will be created to capture traffic carrying these routing marks.

/ip route
add distance=1 gateway=192.0.2.1 routing-mark="ISP-1-OUT"
add distance=1 gateway=198.51.100.1 routing-mark="ISP-2-OUT"

These routes are used only when the required routing mark is present. Unmarked packets use the regular default route.

Routes related to Tars Telecom receive a connection mark, which triggers a routing mark. This routing mark matches the mark in the route above, and the reply packet leaves through the same interface on which the original packet was received.

As a result, we now have load balancing configured for two WAN connections.
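Two additions a practitioner would want here, written as an added example rather than as part of the original article: default routes for the ROUTE-ISP-1 and ROUTE-ISP-2 marks that the output-chain mangle rules set but the route block above never references, and check-gateway on all marked routes so that a failed link's routes are withdrawn instead of black-holing the connections hashed to it. Interface naming follows the ether1/ether2 names used by the NAT and mangle rules rather than the ether1-isp-1/ether2-isp-2 names of the /ip address block; use whatever /interface print shows on your router.

```routeros
# Added example (not from the article). Same gateways as in the article.

# Routes for the marks set in the output chain (CON-IN-ISP-x -> ROUTE-ISP-x):
# replies to connections that arrived on a WAN port leave through that same port.
# Without these routes the ROUTE-ISP-x marks fall through to the main table
# and the reply may leave via the other ISP, which is what the marking was
# meant to prevent.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark="ROUTE-ISP-1" \
    check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark="ROUTE-ISP-2" \
    check-gateway=ping distance=1

# Add check-gateway to the PCC routes created in the article. A marked route
# without it stays active while its gateway is down, so the LAN connections
# hashed to that ISP hang. Once the marked route becomes inactive the lookup
# falls through to the main table, whose default route still has the
# surviving gateway.
/ip route
set [find routing-mark="ISP-1-OUT"] check-gateway=ping
set [find routing-mark="ISP-2-OUT"] check-gateway=ping

# Scope note: the input/output chain rules in the article only cover
# connections that terminate on the router itself (its own VPN endpoints,
# management). Connections that arrive on a WAN port and are forwarded to a
# LAN host need equivalent marking in the prerouting chain, placed before the
# PCC rules.

# Verification: marked routes show the A (active) flag only while their
# gateway answers ping; the connection table shows which ISP each flow is
# pinned to.
/ip route print detail
/ip firewall connection print where connection-mark="CON-IN-ISP-1"
/ip firewall connection print where connection-mark="CON-IN-ISP-2"
```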



2020-04-12T13:34:25
MikroTik

MikroTik OpenVPN Configuration on TCP Port 443 with Windows OS

MikroTik OpenVPN is an amazing VPN solution. It provides a secure and encrypted VPN tunnel across a public network. Unlike the PPTP and L2TP VPN services, which are poorly designed and can easily be blocked, OpenVPN is highly customizable and can even run on the popular TCP port 443, so OpenVPN cannot easily be blocked. OpenVPN uses SSL/TLS certificates, so an OpenVPN tunnel is a trusted tunnel for sending and receiving data across a public network. OpenVPN is by nature a site-to-site VPN technology, even behind NAT. MikroTik OpenVPN, however, is limited to using a PPP username and password, although a site-to-site VPN does not require a username and password.




The goal of this article is to configure an OpenVPN Server on so popular TCP Port 443 in MikroTik Router and configure OpenVPN Client in Windows Operating System so that a Windows user can connect to a remote office network and can be able to access remote network resources (Servers, Printers etc.) across public network safely.




Network Diagram




To configure OpenVPN Server in MikroTik Router on TCP Port 443, we are following the below network diagram.




[Image: MikroTik OpenVPN Network Diagram]




In this network, MikroTik Router (RouterOS v6.46) is connected to internet through ether1 interface having IP address 117.58.247.198/30. In your network, this IP address should be replaced with public IP address. MikroTik Router’s ether2 interface is connected to local network having IP network 10.10.11.0/24. We will configure OpenVPN server in this router and OpenVPN client in a Windows Operating System. After OpenVPN Server and Client configuration, the router will create a virtual interface (OpenVPN Tunnel) across public network where VPN Gateway IP address will be 192.168.2.1 and Client machine will get an IP Address within 192.168.2.0/24 IP Block. We will also declare route in OpenVPN Client so that connected VPN user can access resources of OpenVPN server’s network.




OpenVPN Server and Client Configuration




We will now start OpenVPN Server and Client configuration. Complete OpenVPN configuration can be divided into two parts.




  • Part 1: OpenVPN Server Configuration in MikroTik Router
  • Part 2: OpenVPN Client Configuration in Windows Operating System




Part 1: OpenVPN Server Configuration in MikroTik Router




According to the network diagram, MikroTik Router is our OpenVPN Server. So, we will enable and configure OpenVPN Server in MikroTik Router. It is assumed that your WAN and LAN networks are working without any issue.






Complete MikroTik OpenVPN Server configuration can be divided into the following three steps.




  • Step 1: Creating TLS Certificate for OpenVPN Server and Client
  • Step 2: Enabling and Configuring OpenVPN Server
  • Step 3: Creating OpenVPN Users




Step 1: Creating TLS Certificate for OpenVPN Server and Client




OpenVPN server and client configuration requires TLS certificate because OpenVPN uses TLS certificate for secure communication. MikroTik RouterOS v6 gives ability to create, store and manage certificates in certificate store. So, we will create required OpenVPN certificate from our RouterOS. OpenVPN Server and Client require three types of certificates:




  • CA (Certification Authority) Certificate
  • Server Certificate and
  • Client Certificate




Creating CA certificate




The following steps will show how to create CA certificate in MikroTik RouterOS.




  • From Winbox, go to System > Certificates menu item and click on Certificates tab and then click on PLUS SIGN (+). New Certificate window will appear.
  • Put your CA certificate name (for example: CA) in Name input field. Also put a certificate common name (for example: CA) in Common Name input field.
  • You will find some optional fields in General tab. You can fill those if you wish. All fields are self-explanatory.
  • Click on Key Usage tab and uncheck all checkboxes except the crl sign and key cert. sign checkboxes.
  • Click on Apply button and then click on Sign button. Sign window will appear now.
  • Your created CA certificate template will appear in Certificate dropdown menu. Select your newly created certificate template if it is not selected.
  • Put MikroTik Router’s WAN IP address (example: 117.58.247.198) in CA CRL Host input field.
  • Click on Sign button. Your Signed certificate will be created within few seconds.
  • Click on OK button to close New Certificate window.
  • If newly created CA certificate does not show T flag or Trusted property shows no, double click on your CA certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.




[Image: Creating CA Certificate]




CA certificate has been created successfully. Now we will create server certificate.




Creating Server Certificate




The following steps will show how to create server certificate in MikroTik RouterOS.




  • Click on PLUS SIGN (+) again. New Certificate window will appear.
  • Put your server certificate name (for example: Server) in Name input field. Also put a certificate common name (for example: Server) in Common Name input field.
  • If you have put any optional field in CA certificate, put them here also.
  • Click on Key Usage tab and uncheck all checkboxes except digital signature, key encipherment and tls server checkboxes.
  • Click on Apply button and then click on Sign button. Sign window will appear now.
  • Your newly created Server certificate template will appear in certificate dropdown menu. Select newly created certificate template if it is not selected.
  • Also select CA certificate from CA dropdown menu.
  • Click on Sign button. Your Signed certificate will be created within few seconds.
  • Click on OK button to close New Certificate window.
  • If newly created server certificate does not show T flag or Trusted property shows no, double click on your server certificate and click on Trusted checkbox located at the bottom of General tab and then click on Apply and OK button.




[Image: Creating Server Certificate]




Server certificate has been created successfully. Now we will create client certificate.




Creating Client Certificate




The following steps will show how to create client certificate in MikroTik RouterOS.




  • Click on PLUS SIGN (+) again. New Certificate window will appear.
  • Put your client certificate name (for example: Client) in Name input field. Also put a certificate common name (for example: Client) in Common Name input field.
  • If you put any optional field in CA certificate, put them here also.
  • Click on Key Usage tab and uncheck all checkboxes except tls client checkbox.
  • Click on Apply button and then click on Sign button. Sign window will appear now.
  • Your newly created Client certificate template will appear in certificate dropdown menu. Select your newly created certificate template if it is not selected.
  • Also select CA certificate from CA dropdown menu.
  • Click on Sign button. Your Signed certificate will be created within few seconds.
  • Click on OK button to close New Certificate window.
  • Client certificate does not require T flag.




[Image: Creating Client Certificate]




Client certificate has been created successfully. Created and signed CA, Server and Client certificates will look like the following image in Certificates window.




[Image: CA, Server and Client Certificate]




After creating and signing CA, Server and Client certificates, we will now export CA and Client certificates because OpenVPN client will use these certificates.




Exporting CA and Client Certificates




The OpenVPN server will use the Server certificate from the MikroTik RouterOS certificate store, but the client certificate has to be supplied to the OpenVPN client. So, we need to export the client certificate as well as the CA certificate from the RouterOS certificate store. The following steps will show how to export the CA certificate and Client certificate from the MikroTik certificate store.




  • Select and right-click your CA certificate and then click on Export option. Export window will appear.
  • Choose CA certificate from Certificate dropdown menu.
  • Click on Export button now. Your CA certificate will be exported and Export window will be closed.
  • Similarly, select and right-click the Client certificate and then click on Export option. Choose the client certificate from Certificate dropdown menu. Put a password in Export Passphrase input field. The passphrase should be strong, and you must remember it because it has to be provided when the OpenVPN client connects. Click on Export button now.




[Image: Exporting CA and Client Certificates]




Exported CA and Client certificates with key will be found in Winbox File List window. The following steps will show how to download exported certificates file from File directory.




  • Click on Files menu from Winbox menu panel. You will find that two certificate files (.crt) and one key file (.key) have been exported here.
  • Drag and drop these three files into a folder on your Desktop. We will use these files when the OpenVPN Client is configured.




[Image: Downloading CA and Client Certificates]




TLS certificates for OpenVPN Server and Client are ready. Now we will configure our OpenVPN Server in MikroTik Router.




Step 2: OpenVPN Server Configuration in MikroTik Router




After creating the TLS certificates, we can now enable and configure OpenVPN Server in MikroTik Router. The following steps will show how to enable and configure OpenVPN Server in MikroTik Router.




  • Click on PPP menu item from Winbox and then click on Interface tab.
  • Click on OVPN Server button. OVPN Server window will appear.
  • Click on Enabled checkbox to enable OpenVPN Server.
  • Put your desired TCP Port (example: 443) on which you want to run OpenVPN Server in Port input field.
  • Make sure ip option is selected in Mode dropdown menu.
  • From Certificate dropdown menu, choose server certificate that we created before. Also click on Require Client Certificate checkbox.
  • From Auth. Panel, uncheck all checkboxes except sha1.
  • From Cipher panel, uncheck all checkboxes except aes 256.
  • Now click on Apply and OK button.




[Image: Configuring OpenVPN in MikroTik RouterOS]




OpenVPN Server is now running in MikroTik Router. As MikroTik OpenVPN requires a username and password for a successful VPN connection, we will now create a PPP user who will be able to connect to MikroTik OpenVPN Server and get IP information.




Step 3: Creating OpenVPN Users




MikroTik OpenVPN uses a username and password to validate a legitimate connection. So, we have to create a username and password for every user we want to allow. The complete user configuration for OpenVPN Server can be divided into three parts.




  • IP Pool Configuration
  • User Profile Configuration and
  • User Configuration




IP Pool Configuration




Usually multiple users can connect to OpenVPN Server. So, it is always better to create an IP Pool from where connected user will get IP address. The following steps will show how to create IP Pool in MikroTik Router.




  • From Winbox, go to IP > Pool menu item. IP Pool window will appear.
  • Click on PLUS SIGN (+). New IP Pool window will appear.
  • Put a meaningful name (vpn_pool) in Name input field.
  • Put the desired IP range (192.168.2.2-192.168.2.250) in Addresses input field. Make sure not to use the VPN Gateway IP (192.168.2.1) and the last IP (192.168.2.154), because the last IP will be used as the DHCP Server IP.
  • Click Apply and OK button.




[Image: OpenVPN User IP Pool]




User Profile Configuration




After creating IP Pool, we will now configure profile so that all users can have similar characteristics. The following steps will show how to configure user profile for OpenVPN User.






  • From Winbox, go to PPP menu item and click on Profile tab and then click on PLUS SIGN (+). New PPP Profile window will appear.
  • Put a meaningful name (vpn_profile) in Name input field.
  • Put VPN Gateway address (192.168.2.1) in Local Address input field.
  • Choose the created IP Pool (vpn_pool) from Remote Address dropdown menu.
  • Click Apply and OK button.




[Image: OpenVPN User Profile Configuration]




OpenVPN Users Configuration




After creating user profile, we will now create users who will be connected to OpenVPN Server. The following steps will show how to create OpenVPN users in MikroTik RouterOS.




  • From PPP window, click on Secrets tab and then click on PLUS SIGN (+). New PPP Secret window will appear.
  • Put username (For example: sayeed) in Name input field and put password in Password input field.
  • Choose ovpn from Service dropdown menu.
  • Choose the created profile from Profile dropdown menu.
  • Click on Apply and OK button.




[Image: Creating OpenVPN Users]




We have created a user for OpenVPN Server. Similarly you can create more users that you require.
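Part 1 of the OpenVPN server setup entered at the RouterOS v6 terminal instead of Winbox, as an added example that is not code from the article; it uses the article's certificate names, port and addresses, and the CHANGE_ME values are placeholders to replace.

```routeros
# Added example (not from the article): RouterOS v6 CLI equivalent of Steps 1-3
# of the OpenVPN server setup. Replace every CHANGE_ME value.

# Step 1: CA, Server and Client certificates. Key usages match the article's
# Key Usage checkboxes; the CRL host is the router's WAN IP.
/certificate add name=CA common-name=CA key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=117.58.247.198 name=CA
/certificate set CA trusted=yes
/certificate add name=Server common-name=Server \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate sign Server ca=CA name=Server
/certificate set Server trusted=yes
/certificate add name=Client common-name=Client key-usage=tls-client
/certificate sign Client ca=CA name=Client

# Export: the CA without its key; the Client with its private key, protected
# by a passphrase that the OpenVPN client asks for when it connects. Files
# appear in Files as cert_export_CA.crt, cert_export_Client.crt and
# cert_export_Client.key
/certificate export-certificate CA
/certificate export-certificate Client export-passphrase=CHANGE_ME_PASSPHRASE

# Step 2: OpenVPN server on TCP 443 in ip mode, client certificate required,
# SHA1 auth and AES-256 cipher as the article selects
/interface ovpn-server server set enabled=yes port=443 mode=ip certificate=Server \
    require-client-certificate=yes auth=sha1 cipher=aes256

# Step 3: pool (gateway .1 excluded), profile, and one user restricted to ovpn
/ip pool add name=vpn_pool ranges=192.168.2.2-192.168.2.250
/ppp profile add name=vpn_profile local-address=192.168.2.1 remote-address=vpn_pool
/ppp secret add name=sayeed password=CHANGE_ME service=ovpn profile=vpn_profile

# Checks: CA and Server should show K and T flags, Client shows K only
/certificate print
/interface ovpn-server server print
# Live sessions once a client connects
/interface ovpn-server print
/ppp active print
```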




OpenVPN Server configuration in MikroTik Router has been completed. In the next part we will configure OpenVPN client in Windows Operating System.




Part 2:  OpenVPN Client Configuration in Windows Operating System




After configuring OpenVPN Server in MikroTik Router, we will now configure OpenVPN Client. OpenVPN Client configuration can be divided into two steps.




  • OpenVPN Client Download and Installation
  • OpenVPN Client Configuration




Step 1: OpenVPN Client Download and Installation




OpenVPN.net provides OpenVPN Client software for all Operating Systems. The OpenVPN Client software is found on the OpenVPN Community Download page. So, visit the community download page and download the OpenVPN Client that matches your Operating System. I am using Windows 10, so I downloaded the WINDOWS 10/SERVER 2016/SERVER 2019 INSTALLER (NSIS) package. At the time of this article, the OpenVPN client installer version was 2.4.8.




OpenVPN Client Installer




If you have any trouble downloading the OpenVPN client from OpenVPN Community Download, you can Download OpenVPN Client Software Package from this link, where I have attached my tested OpenVPN Client Software and Client Configuration file.

After getting OpenVPN Client installer, install OpenVPN client in your operating system following the instructions. Installation process is as simple as installing other software in Windows operating system.


OpenVPN Client Installation




After OpenVPN Client installation, make sure that TAP Virtual Ethernet Adapter has been installed. If it is installed successfully, you will find a new Network Adapter named as TAP-Windows Adapter in Network Connections window.




Virtual TAP-Windows Adapter




If you don’t find this TAP-Windows Adapter in the Network Connections panel, uninstall the failed installation from the Windows Programs and Features panel and then download my OpenVPN Client Package, where I have attached another TAP-Windows installer, and install that installer. I hope you will then find the TAP-Windows Adapter. Without the TAP-Windows Adapter the OpenVPN Client cannot connect to the OpenVPN Server.




Step 2: OpenVPN Client Configuration




After installing the OpenVPN client software, we need to configure the client according to our OpenVPN Server settings. The OpenVPN client configuration file is a plain-text file. The default OpenVPN directory is C:\Program Files\OpenVPN. This directory looks like the below image.




OpenVPN Client Default Directory




In this directory, a folder named sample-config will be found where a sample OpenVPN Client configuration file named client.ovpn is provided. Copy this sample configuration file into config folder and then open the client configuration file with a text editor such as WordPad, NotePad ++ or any editor that you like. Make sure the editor is opened with administrator privilege otherwise you cannot save the file when you make change.




Configuration Parameters Those We Need to Change




In the client.ovpn file, some parameters are required to change according to our OpenVPN Server configuration. The following parameters are required to change in client configuration file.




Protocol




By default the OpenVPN client uses UDP, but the MikroTik OpenVPN Server in RouterOS v6 supports only TCP. So, enable proto tcp and disable proto udp, which may be found at lines 36 and 37.




Note: To disable any option just put a semicolon (;) before that option and to enable any option remove the semicolon (;) from that option.




IP and Port




We must specify the OpenVPN Server IP and port in the client configuration file. They are declared with the remote option, which may be found at line 42, as the host followed by the port separated by a space (the syntax documented in the OpenVPN manual). Replace the example IP (117.58.247.198) with your WAN IP and the port (443) with the port you defined on the server.




remote 117.58.247.198 443




SSL/TLS Parameters




In client configuration file, we need to declare CA and Client certificates and Client Key file. These options may be found at line 88, 89 and 90. So, assign ca, cert and key file like below.




ca CA.crt




cert Client.crt




key Client.key 




Make sure to rename exported and downloaded ca, client and key file according to the above options and then copy your renamed CA.crt, Client.crt and Client.key files into config directory.




We are not using a tls-auth static key (ta.key); the RouterOS v6 OpenVPN Server does not support it. The tls-auth option is enabled by default and may be found at line 108, so disable it by putting a semicolon (;) before it.

Configuration Options Those We Need to Add


There are some options that we need to declare in the client configuration file because they are not included in the sample configuration file by default, but the MikroTik router requires them. The following options must be added to the client configuration to work properly with the MikroTik OpenVPN Server.




User Authentication




MikroTik's OpenVPN Server always authenticates the user against a PPP secret in addition to verifying the client certificate. So we have to supply the username and password with the auth-user-pass option. Add this option at the bottom of the client configuration file and give it the name of a file where the username and password are stored, like below.




auth-user-pass secret.cfg   




Now create a file named secret.cfg in the config directory with the username on the first line and the password on the second line, like below. Note that this stores the VPN password in clear text on the workstation; if you prefer not to, use auth-user-pass without a file name and OpenVPN GUI will prompt for the credentials at connect time.




sayeed




password




Routing Information




By default the OpenVPN client only gets a route for the VPN subnet itself (192.168.2.0/24 in our example), so only addresses on that network are reachable through the tunnel. Remote resources (servers, printers etc.) usually live on another network, and the RouterOS v6 OpenVPN Server cannot push routes to the client, so we have to declare them on the client with the route option; otherwise the OpenVPN client cannot reach those networks.




For example, Our VPN Gateway Address is 192.168.2.1 and Server network is 10.10.11.0/24. So, to reach this network we have to add route option like below.




route 10.10.11.0 255.255.255.0 192.168.2.1




If you have multiple networks, add one route option per network, each on its own line.
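The finished client.ovpn that the edits above produce, as an added example assembled here and not the article's own download file. The values taken from the article are the server address and port, the three certificate and key file names, secret.cfg, the VPN gateway and the office LAN; the cipher and auth lines are assumptions that must match the router's ovpn-server settings, and the remaining lines are the OpenVPN 2.4 sample defaults.

```conf
# client.ovpn: added worked example assembled from the edits described above
# (not the article's download). Cipher/auth lines are assumptions that must match
# the router's /interface ovpn-server settings; other lines are OpenVPN 2.4 sample defaults.
client
dev tun
# RouterOS v6 OpenVPN server accepts TCP only
proto tcp
# host and port separated by a space (OpenVPN "remote host [port]" syntax)
remote 117.58.247.198 443
resolv-retry infinite
nobind
persist-key
persist-tun
# CA, client certificate and client key exported from the router and renamed as above
ca CA.crt
cert Client.crt
key Client.key
# disabled: tls-auth needs a static ta.key, which RouterOS v6 does not support
;tls-auth ta.key 1
# sample default: refuse a server whose certificate is not marked for server use;
# comment it out only if the router's server certificate lacks the tls-server key usage
remote-cert-tls server
# assumptions: must equal cipher=aes256 / auth=sha1 on the router
cipher AES-256-CBC
auth SHA1
# MikroTik always checks the PPP secret; secret.cfg holds username then password
auth-user-pass secret.cfg
# office LAN behind the router, reached via the VPN gateway (RouterOS v6 cannot push routes)
route 10.10.11.0 255.255.255.0 192.168.2.1
verb 3
```

Save it as client.ovpn in C:\Program Files\OpenVPN\config next to CA.crt, Client.crt, Client.key and secret.cfg. If you drop the file name from auth-user-pass, OpenVPN GUI prompts for the username and password instead of reading them from disk.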




Download Demo OpenVPN Client Configuration File




If you have any trouble editing the above configuration options, Download OpenVPN Client Configuration File, which has been prepared for this article's configuration, and cross-check it with your configuration file.

After copying the CA.crt, Client.crt, Client.key and client.ovpn files, your config directory will look like the below image.


OpenVPN Client Config Directory




Connecting OpenVPN Client




After completing client configuration, run OpenVPN Client by clicking OpenVPN GUI desktop shortcut icon. You will now find a new OpenVPN icon in Taskbar or System tray like below image.




OpenVPN Connection Icon




Right-click this icon and then click the Connect option. The OpenVPN Connection window will appear and ask for the client certificate password, that is, the passphrase you entered when exporting the client certificate and key.




OpenVPN Client Asking for Client Certificate Password




After the client certificate password as well as the username and password have been verified, the OpenVPN client connects and an IP address is assigned to the TAP-Windows Adapter. On a successful connection the OpenVPN client icon turns green.




OpenVPN Client Connection Status in Windows 10




Now you will be able to access your remote office resources such as File Server, Printers and so on without any issue.




How to Configure OpenVPN Server on TCP Port 443 in MikroTik with Windows 10 Operating System has been discussed in this article. I hope you will now be able to configure MikroTik OpenVPN Server and can be connected across public network from remote location securely. However, if you face any confusion to configure MikroTik OpenVPN Server and OpenVPN Client, feel free to discuss in comment or contact me from Contact Page. I will try my best to stay with you.



2020-04-06T16:37:20
MikroTik Router Tutorials & Guides

CAPsMAN Channel Planning with Non-Overlapping Frequency

MikroTik CAPsMAN is an excellent application for managing multiple CAPs (Controlled Access Points) in a wireless network. But multiple APs cause frequency overlap if channels are not planned properly. Coverage overlap between neighbouring APs is required for smooth roaming, but their frequencies must not overlap, because co-channel interference makes wireless performance very poor. In my previous article, I discussed MikroTik CAPsMAN basic configuration with the default channel configuration. In this article, I will discuss how to configure CAPsMAN channels to avoid frequency overlap.




Non Overlapping Channels




One of my previous articles on WiFi Frequency Band and Channel Width showed which 2.4 GHz channels do not overlap. With 20 MHz channel width, channels 1, 6 and 11 are the non-overlapping set that is usable everywhere (where channel 13 is permitted, 1, 5, 9 and 13 also fit without overlap). The middle frequencies of the channels used in this article are given in the following table:




Channel Number    Middle Frequency (MHz)
1                 2412
6                 2437
11                2462




In a multi WiFi AP network, the coverage of WiFi AP must be overlap for smooth connection but frequency overlapping must be avoided. So, we have to plan properly for designing a multi WiFi AP network. A possible multi WiFi AP network where there will be no frequency overlapping can be as the following image.




Non Overlapping Channel Design with Coverage Overlap




Following the above image we will configure CAPsMAN channels so that different CAPs can operate on different frequencies to establish a frequency overlapping free WiFi network.




Network Diagram




To establish a frequency overlapping free network with MikroTik CAPsMAN we are following the below network diagram.




Multiple CAPs on Non-Overlapping Frequency in CAPsMAN Network




In this network diagram, the CAPsMAN Router (RouterBOARD 1100 AHX2) is controlling three CAPs, which operate on channel 1 (CAP1), channel 6 (CAP2) and channel 11 (CAP3). As the CAPs are on the same floor, we must assign each a different non-overlapping channel so that no CAP degrades another's performance.




In this article, we will see how to configure multiple channels in CAPsMAN and how to assign the configured channel on different CAPs.




CAPsMAN Channel Configuration




In my previous article, I discussed CAPsMAN basic configuration with a single CAP where I didn’t configure any channel.  Follow that article to apply basic configuration and then follow this article because in this article I will only show how to configure multiple channels in CAPsMAN and then apply these channels on different CAPs.




The following steps will show how to configure multiple channels in MikroTik CAPsMAN.




  • Login to CAPsMAN Router with Winbox.
  • Click on CAPsMAN menu item. CAPsMAN window will appear.
  • Click on Channel tab and then click on PLUS SIGN (+). New CAPs Channel window will appear.
  • Put a meaningful name (Example: channel1) in Name input field.
  • Put channel 1 middle frequency (2412) in Frequency input field.
  • Choose channel width (20MHz) from Control Channel Width dropdown menu.
  • Choose frequency band (2ghz-b/g/n) from Band dropdown menu.
  • Disable channel extension by choosing disabled option from Extension Channel dropdown menu.
  • Click Apply and OK button.
  • Similarly create channel6 for 2437 MHz frequency and channel11 for 2462 MHz frequency. Your channel list will look like the following image.




CAPsMAN Channel List




Applying Created Channel on Different CAPs




After creating channel groups we will apply these channels on different CAPs so that different CAPs can operate on different frequencies and frequency overlapping can be avoided. The following steps will show how to assign different channels on different CAPs.




  • Click on CAP Interface tab where you will find all the provisioned CAPs.
  • Double click on the desired CAP interface. The CAP property window will appear and you will find that all properties are read only. But we need to edit the channel property, so click on the Copy button. A new, editable instance will appear.
  • In General tab put a meaningful name in Name input field.
  • Click on Channel tab and choose your desired channel from Channel dropdown menu.
  • Click Apply and OK button.
  • Now you will find that the dynamically provisioned CAP interface is removed and a new (static) interface is created. If the CAP does not pick up the change, disable and re-enable the CAP setting on your CAP Wireless Router.
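Both procedures above (creating the three channels, then binding each CAP to one) as an added example in RouterOS v6 terminal syntax, not code from the article. Instead of copying a dynamic CAP interface into a static one, it gives each radio its own provisioning rule matched by radio MAC address, which keeps the interface dynamic and survives re-provisioning. The radio MACs are placeholders, and "CAPs Conf" is the configuration created in the basic CAPsMAN article.

```routeros
# Added example (not the article's code): non-overlapping channels and a per-CAP
# binding, RouterOS v6 terminal syntax. Radio MACs are placeholders; "CAPs Conf"
# is the configuration created in the basic CAPsMAN article.

# Three 20 MHz channels on 2412/2437/2462 MHz with no extension channel
/caps-man channel
add name=channel1  band=2ghz-b/g/n frequency=2412 control-channel-width=20mhz extension-channel=disabled
add name=channel6  band=2ghz-b/g/n frequency=2437 control-channel-width=20mhz extension-channel=disabled
add name=channel11 band=2ghz-b/g/n frequency=2462 control-channel-width=20mhz extension-channel=disabled

# One configuration per channel, cloned from the shared one so SSID, security and
# datapath stay identical and only the channel differs
/caps-man configuration
add name="CAP1 Conf" copy-from="CAPs Conf" channel=channel1
add name="CAP2 Conf" copy-from="CAPs Conf" channel=channel6
add name="CAP3 Conf" copy-from="CAPs Conf" channel=channel11

# Real radio MACs come from: /caps-man radio print
# Provisioning rules are evaluated top to bottom, so the radio-specific rules must
# sit above the catch-all: remove the original catch-all and re-add it last.
/caps-man provisioning
remove [find where master-configuration="CAPs Conf"]
add radio-mac=00:11:22:33:44:01 action=create-dynamic-enabled master-configuration="CAP1 Conf" comment="CAP1 / channel 1"
add radio-mac=00:11:22:33:44:02 action=create-dynamic-enabled master-configuration="CAP2 Conf" comment="CAP2 / channel 6"
add radio-mac=00:11:22:33:44:03 action=create-dynamic-enabled master-configuration="CAP3 Conf" comment="CAP3 / channel 11"
add action=create-dynamic-enabled master-configuration="CAPs Conf" comment="catch-all for any new CAP"

# Re-provision every radio and confirm each interface reports its own frequency
/caps-man radio provision [find]
/caps-man interface print detail
```

A CAP whose radio MAC matches none of the specific rules still comes up on the catch-all configuration, so a newly added AP is never left unprovisioned; it simply has to be given its own rule before it goes into service on a shared floor.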




Frequency Assigning on CAPsMAN's CAP




Do the above steps for all remaining CAPs. Assign channels carefully so that neighbouring CAPs never share a frequency.




Planning to avoid frequency overlapping in CAPsMAN wireless network has been discussed in this article. I hope you will now be able to do proper planning for your CAPsMAN network where there will have no frequency overlapping. However, if you face any confusion to follow the above steps, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.



2020-03-16T13:45:49
MikroTik CAPsMAN Step by Step Tutorials

MikroTik CAPsMAN and CAP Basic Configuration using Winbox

MikroTik CAPsMAN (Controlled Access Point system Manager) is a centralized Access Point management application provided by MikroTik. MikroTik introduced CAPsMAN in RouterOS v6.11 as CAPsMAN v1, and from RouterOS v6.22rc7 CAPsMAN v2 is used. If you have multiple MikroTik CAPs (Controlled Access Points) in your organization, CAPsMAN provides an easy way to manage client data as well as the CAPs' configuration centrally. In my previous article, I discussed how to configure a MikroTik Wireless Router as an Access Point. In this article, I will discuss how to do a basic MikroTik CAPsMAN configuration with a Controlled Access Point (CAP).




Network Diagram 




For a simple MikroTik CAPsMAN configuration, I am following the below network diagram.




MikroTik CAPsMAN Configuration




In this network diagram, MikroTik RouterBOARD 1100 AHX2 is working as the CAPsMAN. It is not a wireless router, because a CAPsMAN does not need to be one; it needs hardware powerful enough to control multiple CAPs and carry the client data. Another MikroTik Wireless Router (RB941-2nD) is working as a CAP controlled by the CAPsMAN. After configuring CAPsMAN, the SSID (MikroTik CAP) will be broadcast by the CAP and clients will be able to connect by providing the valid password.




MikroTik CAPsMAN Configuration with CAP Wireless Router




Now we will start basic CAPsMAN configuration. Complete CAPsMAN configuration with a CAP can be divided into the following steps.




  • RouterOS basic configuration in CAPsMAN Router.
  • DHCP Server setup in CAPsMAN Router.
  • CAPsMAN basic configuration.
  • CAP configuration in Wireless Router.




Step 1: RouterOS Basic Configuration in CAPsMAN Router




Before going to start CAPsMAN configuration we need to do basic RouterOS configuration so that CAPsMAN can get internet access and can act as data path for the CAPs client. The following steps will show how to configure the basic features in MikroTik CAPsMAN Router.




  • Login to RouterOS using Winbox with full permission user.
  • From left menu panel click on Bridge menu item. Bridge window will appear. Click PLUS SIGN (+) to create a new bridge interface. In New Interface window put a meaningful name (CapDataPath) in Name input field. Click Apply and OK button.
  • Go to IP > Addresses menu item and click on PLUS SIGN (+). New Address window will appear. Put WAN IP (192.168.70.2/29) in Address input field and choose WAN interface (ether1) from Interface drop down menu and click Apply and OK button.
  • Click on PLUS SIGN (+) again and put LAN gateway IP (10.10.70.1/24) in Address input field and choose created bridge interface (CapDataPath) from Interface drop down menu and click Apply and OK button.
  • Go to IP > DNS menu item and put DNS server’s IP address (8.8.8.8) in Servers input field and then click Apply and OK button.
  • Go to IP > Routes menu item and click on PLUS SIGN (+) and put WAN gateway (192.168.70.1) in Gateway input field and click Apply and OK button.
  • Go to IP > Firewall menu item and click on NAT tab and then click on PLUS SIGN (+). New NAT Rule window will appear. In General tab, choose srcnat from Chain drop down menu. From Action tab, choose masquerade from Action dropdown menu. Click Apply and OK button.




Address Assigning in CAPsMAN Router




RouterOS basic configuration has been completed. If everything is OK, you will now be able to get internet and be able to ping any public domain. In the next part, we will configure DHCP Server so that client IP and other network parameters can be assigned automatically.




Step 2: DHCP Server Setup in CAPsMAN Router




We will now setup DHCP Server on LAN network so that any connected wireless device can get IP and other network parameters automatically from this DHCP Server. The following steps will show how to setup DHCP Server in MikroTik RouterOS.




  • Go to IP > DHCP Server menu item and click on DHCP tab.
  • Click on DHCP Setup button. DHCP Setup window will appear.
  • Choose bridge interface (CapDataPath) from DHCP Server Interface dropdown menu and click Next button.
  • LAN network will automatically be assigned. So, nothing to do. Just click Next button.
  • LAN gateway IP will automatically be assigned in Gateway for DHCP Network. So, click Next button.
  • The whole LAN IP block except the gateway will be assigned in the Addresses to Give Out input field. If you want, you can decrease the DHCP IP range here. Click Next button.
  • Assigned DNS IP in RouterOS will be automatically assigned. If you wish, you can add another one. Click Next button.
  • Default DHCP lease time 10 minutes will be assigned in Lease Time input field. If you wish, you can increase the lease time. Click Next button.
  • Now DHCP setup will be completed and you will get a successful message.




DHCP Setup in CAPsMAN Router




Step 3: CAPsMAN Basic Configuration




A lot of parameters are available in CAPsMAN configuration for maintaining client data and controlling CAP property. In basic CAPsMAN setup, we will do the following steps to launch a CAP network initially.




  • CAPs Configuration
  • Provisioning Configuration and
  • Enabling CAPs Manager




CAPs Configuration




In CAPs configuration, we will define some properties that will be assigned on provisioned CAP. The following steps will show how to define CAP properties to launch a CAP properly.






  • Click on CAPsMAN menu item from Winbox. CAPsMAN window will appear.
  • Click on Configurations tab and then click on PLUS SIGN (+). New CAPs Configuration window will appear.
  • In Wireless tab, put a meaningful configuration name (CAPs Conf) in Name input field and choose ap from Mode dropdown menu and then provide a SSID (MikroTik CAP) that you want in SSID input field.
  • Click on Datapath tab and choose the created bridge interface (CapDataPath) from Bridge dropdown menu.
  • Click on Security tab, click on the Authentication Type hidden field and tick the WPA2 PSK checkbox. Click on the Encryption hidden field and tick the aes ccm encryption method checkbox. Also choose aes ccm from Group Encryption dropdown menu. Click on Passphrase input field and provide a strong passphrase.
  • Click Apply and OK button.




New CAPs Configuration




Provisioning Configuration




After CAPs property configuration, we need to create CAPs provisioning rule. The following steps will show how to setup dynamic radio provisioning rule in CAPs Manager.




  • Click on Provisioning tab and then click PLUS SIGN (+). New CAPs Provisioning window will appear.
  • Choose create dynamic enabled option from Action dropdown menu.
  • Chose created CAPs configuration (CAPs Conf) from Master Configuration drop down menu.
  • Click Apply and OK button.




CAPs Provisioning Setup




Enabling CAPs Manager




Now we will enable CAPs Manager so that it can provision any CAP connected to it and control the provisioned CAP according to the configuration. The following steps will show how to enable CAPs Manager from CAPs Window.




  • Click on CAP Interface tab and then click on Manager button. CAPs Manager window will appear.
  • Click on Enable checkbox.
  • Click Apply and OK button.




Enabling CAPs Manager




CAPsMAN basic configuration is now complete, and CAPsMAN is ready to provision any CAP that reaches it. A CAP finds the manager by Layer 2 broadcast on its discovery interfaces (identifying the manager by MAC address), or by IP address if CAPsMAN addresses are configured on the CAP.




Step 4: CAP Configuration in Wireless Router




After configuring CAPsMAN, we also need to configure the CAP in the Wireless Router so that it can connect to the CAPsMAN. The following steps will show how to configure CAP in a CAP-capable MikroTik Wireless Router (RB941-2nD).




  • Login to CAP Wireless Router with Winbox and click on Wireless menu item from left menu bar. Wireless Table window will appear.
  • From Interface tab, click on CAP button. CAP window will appear.
  • Click on Enabled checkbox.
  • Choose wireless interface (wlan1) from Interfaces dropdown menu.
  • Choose an Ethernet interface (ether1) from Discover Interfaces dropdown menu. Connection between CAPsMAN and CAP will be established through this interface and client data will also be transmitted through this interface.
  • Click Apply and OK button.
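All four steps above in one place, as an added example in RouterOS v6 terminal syntax and not the article's own code: the CAPsMAN router's basic IP setup, DHCP, the CAPsMAN configuration, provisioning rule and manager, then the CAP side. The DHCP pool range and the WPA2 passphrase are assumptions; the out-interface on the NAT rule and the certificate and lock-to-caps-man lines are hardening added here that the Winbox steps do not set.

```routeros
# Added example (not the article's code): the four steps above in RouterOS v6
# terminal syntax. Assumptions: DHCP pool range and the WPA2 passphrase. The
# out-interface on the NAT rule and the certificate/lock lines are hardening
# added here; the Winbox steps above do not set them.

### CAPsMAN router (RouterBOARD 1100 AHX2) ###
# Step 1: bridge for the CAP data path, WAN/LAN addresses, DNS, default route, NAT
/interface bridge add name=CapDataPath
/ip address add address=192.168.70.2/29 interface=ether1
/ip address add address=10.10.70.1/24 interface=CapDataPath
/ip dns set servers=8.8.8.8
/ip route add dst-address=0.0.0.0/0 gateway=192.168.70.1
# masquerade only what leaves the WAN port (the Winbox rule above has no out-interface)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Step 2: what the DHCP Setup wizard creates for the bridge
/ip pool add name=cap_pool ranges=10.10.70.2-10.10.70.254
/ip dhcp-server network add address=10.10.70.0/24 gateway=10.10.70.1 dns-server=8.8.8.8
/ip dhcp-server add name=cap_dhcp interface=CapDataPath address-pool=cap_pool lease-time=10m disabled=no

# Step 3: CAP configuration (AP mode, SSID, WPA2-PSK/AES-CCM, client traffic into the
# bridge), a catch-all provisioning rule, and the manager. certificate=auto makes the
# manager present a certificate so a CAP can pin it (see lock-to-caps-man below).
/caps-man configuration add name="CAPs Conf" mode=ap ssid="MikroTik CAP" \
    datapath.bridge=CapDataPath \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm security.passphrase="ReplaceWithLongPassphrase"
/caps-man provisioning add action=create-dynamic-enabled master-configuration="CAPs Conf"
/caps-man manager set enabled=yes certificate=auto require-peer-certificate=no

### CAP (RB941-2nD) ###
# Step 4: hand wlan1 to CAPsMAN, discover it over ether1, and lock to the first
# manager seen so a rogue CAPsMAN on the same LAN cannot adopt this AP later
/interface wireless cap set enabled=yes interfaces=wlan1 discovery-interfaces=ether1 lock-to-caps-man=yes

# Checks on the CAPsMAN router: the CAP should be listed and its interface created
/caps-man remote-cap print
/caps-man interface print
# Check on the CAP: wlan1 should be shown as managed by CAPsMAN
/interface wireless print
```

Discovery is plain Layer 2 broadcast, so any device on the same segment can answer as a CAPsMAN; the lock-to-caps-man setting is what stops an AP from being re-adopted by a second manager once it has joined the real one.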




Enabling CAP in Wireless Router




The CAP configuration in the Wireless Router has been completed and the CAP is now ready to get its configuration from CAPsMAN. Connect the CAP Router to the CAPsMAN Router either directly or via a switch that is connected to the CAPsMAN Router, making sure you use the discovery interface of the CAP Router.

After connecting, the CAP will be provisioned by CAPsMAN and all settings will be assigned and you will find that the given SSID is available. If the CAP is provisioned, the wireless interface will look like the following image.


CAP Interface Controlled by CAPsMAN




Now connect any wireless client device. If everything is OK, the client device will be able to connect and get internet access.




This is a simple and basic level CAPsMAN configuration. If you have multiple CAPs in a floor or in a building, the CAPs configuration will be different because there will be frequency overlapping and CAPsMAN performance will be poor.  In the next article, I will discuss how to configure CAPsMAN advance configuration to overcome frequency overlapping.




If you face any confusion to follow the above configuration properly, watch the following video on MikroTik CAPsMAN Basic Configuration. I hope it will reduce your any confusion.