Community discussions

MikroTik App
 
tiego
just joined
Topic Author
Posts: 11
Joined: Sun Jan 02, 2011 7:25 pm

Best VPN

Thu Feb 09, 2017 5:32 pm

Hello,

i need a vpn between 2 Offices, but only one office have a static ip adress behind a firewall.
the uplink and downlink is on the office 2 1mbit and 4mbit
wath is the best vpn protocoll to connect the 2 offices.
 
User avatar
razavim
Trainer
Trainer
Posts: 99
Joined: Sun Sep 27, 2015 1:43 pm
Location: Turkey
Contact:

Re: Best VPN

Thu Feb 09, 2017 6:56 pm

Gre
Ipip
If security matter then "ipsec"

Sent from my SM-N920T using Tapatalk
 
tiego
just joined
Topic Author
Posts: 11
Joined: Sun Jan 02, 2011 7:25 pm

Re: Best VPN

Fri Feb 10, 2017 8:29 am

Hello,
my problem is, only one Site have a offical Public IP. the oder Site have a 3G LTE Uplink.
i need to conect forom any place bihind Firewalls.

now i use pptp, but the speed is verry slow.
SSTP, or L2TP better?
 
User avatar
BlackVS
Member Candidate
Member Candidate
Posts: 175
Joined: Mon Feb 04, 2013 7:00 pm
Contact:

Re: Best VPN

Fri Feb 10, 2017 11:35 am

Hello,
my problem is, only one Site have a offical Public IP. the oder Site have a 3G LTE Uplink.
i need to conect forom any place bihind Firewalls.

now i use pptp, but the speed is verry slow.
SSTP, or L2TP better?
PPTP is faster comparing l2tp/sstp/openvpn.
I.e. questions are:
- which router you have?
- which Internet channels (speeds)?
- how you measure VPN speed?
 
User avatar
razavim
Trainer
Trainer
Posts: 99
Joined: Sun Sep 27, 2015 1:43 pm
Location: Turkey
Contact:

Re: Best VPN

Fri Feb 10, 2017 2:00 pm

So you mean you have private address on LTE side ?
If yes you maye use script which is not defficult to find on google inorder to use DDNS address for the private address side such as LTE.
but if you will dynamic address through LTE but it is public you can use the Mikrotik cloud

Sent from my SM-N920T using Tapatalk
 
tiego
just joined
Topic Author
Posts: 11
Joined: Sun Jan 02, 2011 7:25 pm

Re: Best VPN

Mon Feb 13, 2017 12:39 pm

Hello, thanks for the replay

I.e. questions are:
- which router you have? RB750
- which Internet channels (speeds)? 3G LTE with shared Public IP, not accesibil from remote. 1Mbit Up. 5Mbit Down.
- how you measure VPN speed? Bandwith test tool from Mikrotik

I Have Set MAX MTU and MRU to 1420 to have a mor stable connection.
I Use Mikrotik Cloud, butt Remot acces on 3G Devices is not Possible
I Have 1 Central with privat Public IP and to this any 3G Roter neeed to Connect it. so i have the possibiliti to conect to ech other network.

I need a stabe, fast speed VPN Connection.

thanks Markus
 
tomaz_borstnar
just joined
Posts: 14
Joined: Tue Feb 26, 2008 12:42 pm

Re: RE: Re: Best VPN

Tue Feb 14, 2017 9:38 am

Hello, thanks for the replay

I.e. questions are:
- which router you have? RB750
- which Internet channels (speeds)? 3G LTE with shared Public IP, not accesibil from remote. 1Mbit Up. 5Mbit Down.
- how you measure VPN speed? Bandwith test tool from Mikrotik

I Have Set MAX MTU and MRU to 1420 to have a mor stable connection.
I Use Mikrotik Cloud, butt Remot acces on 3G Devices is not Possible
I Have 1 Central with privat Public IP and to this any 3G Roter neeed to Connect it. so i have the possibiliti to conect to ech other network.

I need a stabe, fast speed VPN Connection.

thanks Markus
L2TP/ipsec or sstp
 
amyacker
just joined
Posts: 11
Joined: Mon Nov 28, 2016 9:32 am

Re: Best VPN

Thu Feb 16, 2017 11:47 am

PPTP is efficient but you can only use L2TP over IPSec due to some routers limitations.
 
th0massin0
Member Candidate
Member Candidate
Posts: 156
Joined: Sun May 11, 2014 4:16 am
Location: Poland

Re: Best VPN

Thu Feb 16, 2017 1:26 pm

If VPN must be fast, then you should avoid all TCP solutions (only UDP are fast). http://sites.inka.de/bigred/devel/tcp-tcp.html
If it should be encrypted - (private data) - than you should consider IPSEC with IKEv2.
If you are only escaping from ISP's NAT or looking for other unencrypted purposes, look at L2TP.
SSTP is usable (for example) to configuring devices in restricted firewall enviorment in secure way. SSTP is using TCP, so you can set port to 443 (yes, HTTPS port) to be sure that nobody (?) :) will block it.
 
anajames
just joined
Posts: 4
Joined: Wed Mar 01, 2017 9:36 am

Re: Best VPN

Tue Mar 21, 2017 3:04 pm

Hello, thanks for the replay

I.e. questions are:
- which router you have? RB750
- which Internet channels (speeds)? 3G LTE with shared Public IP, not accesibil from remote. 1Mbit Up. 5Mbit Down.
- how you measure VPN speed? Bandwith test tool from Mikrotik

I Have Set MAX MTU and MRU to 1420 to have a mor stable connection.
I Use Mikrotik Cloud, butt Remot acces on 3G Devices is not Possible
I Have 1 Central with privat Public IP and to this any 3G Roter neeed to Connect it. so i have the possibiliti to conect to ech other network.

I need a stabe, fast speed VPN Connection.

thanks Markus
Why not give a try to Astrill, i have been using it for a while now. And it is performing really good.
 
Van9018
Long time Member
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Best VPN

Wed Mar 22, 2017 4:22 am

Both IPSec and SSTP do not require both sides to have a static IP. For IPSec you'll have to use the NAT-T option so IPSec packets are wrapped in a UDP packet.

In my experiences, IPSec is more tolerant of network issues. I use SSTP for site-to-site as well but then I have to use a script on both routers to consistently check (ping) the remote site to see if it's still up, and if not, disable the interface for 5 seconds (which disconnects it). The client side router will reconnect after that. That script runs every 15 seconds.

SSTP and IPSec will likely perform the same, your bandwidth on the 3G site is the limiting factor. SSTP has acceptable performance for me.

Try for IPSec with NAT-T (UDP), fall back on SSTP.
 
eine
just joined
Posts: 16
Joined: Thu Sep 10, 2015 9:50 pm

Re: Best VPN

Fri Mar 24, 2017 12:48 pm

Funny, most responders seems to recommend IPSec, but I doubt if any of them did even try it in circumstances like yours. Be careful when choosing IPsec if you want layer 2 (ISO OSI) site2site VPN (which is must in enviroment with AD, PXE deployment and so on) when one of the pears is behind NAT (without possibility to do port forwarding) with DHCP. You won't be able to find any documentation for that case. Reason is simple - it cannot be done. Please correct me if I am wrong. I've heard it's possible to do by encapsulating: EoIP on top of IPsec on top of PPTP (3 extra layers lol, I know how it sounds), but performance will suck (unfortunately I don't tired it and I cannot offer you any numbers). I'd be ideal case for OpenVPN. Unfortunately, Mikrotik devs shot their foot by not implementing UDP/LZO in OpenVPN. In your case choosing routerboard was a bad choice. On the other hand you could also try it. OpenVPN @ routerboard with TCP (BAD transport - it's important to understand it) it gives me 20-30 mbps @ 600 MHz MIPS (951 for example).
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Best VPN

Fri Mar 24, 2017 1:05 pm

when one of the pears is behind NAT (without possibility to do port forwarding) with DHCP. You won't be able to find any documentation for that case. Reason is simple - it cannot be done.
Wrong. It can be done - NAT-T and port forwarding, depending on which side is behind NAT.
 
eine
just joined
Posts: 16
Joined: Thu Sep 10, 2015 9:50 pm

Re: Best VPN

Fri Mar 24, 2017 1:50 pm

when one of the pears is behind NAT (without possibility to do port forwarding) with DHCP. You won't be able to find any documentation for that case. Reason is simple - it cannot be done.
Wrong. It can be done - NAT-T and port forwarding, depending on which side is behind NAT.
Example, documentation? :>
Let's say that IPSec's initiator side is behind NAT with dynamic public address and WITHOUT possibility of doing port forwarding, do you state it's possible?
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7188
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: Best VPN

Fri Mar 24, 2017 2:07 pm

For initiator side port forwarding is not required.
It is basic client/server setup with generate-policy on server side.
 
eine
just joined
Posts: 16
Joined: Thu Sep 10, 2015 9:50 pm

Re: Best VPN

Fri Mar 24, 2017 4:52 pm

For initiator side port forwarding is not required.
Trying to do a peer-to-peer tunnel will be problematic because you have to specify a peer IP address or hostname on both VPN endpoints. What do you specify on the one trying to connect to the device behind the NAT? The IP of the NATing device? Or the private IP of the VPN endpoint behind it? The second option is obviously wrong (because it will be an RFC1918 address or otherwise invalid), but the first option can't be right either because you don't want to peer with the public facing firewall/router, you want to peer with the device behind it. So...
 
ajack46
newbie
Posts: 37
Joined: Tue Mar 28, 2017 9:08 am

Re: Best VPN

Fri Aug 10, 2018 5:05 pm

What about windscribe?
Have you used it?
This Canadian-based VPN provider offers freemium software. The free version comes with a 10GB/month limit with many servers available on the premium version. For instance, Australia is not available as a server option in the free version.

I would suggest you to go for PureVPN. One of the best I have ever used. Currently, a friend of mine also got it for just $2.48 per month with a 2 years subscription. Moreover,

And no doubt it is one of the fastest vpn service available at the moment to buy. Windscribe stands at 15th whereas PureVPN stands at number 2

If you need something cheap and reliable I would recommend this vpn.
 
squeeze
Member Candidate
Member Candidate
Posts: 145
Joined: Thu Mar 22, 2018 7:53 pm

Re: Best VPN

Sun Aug 12, 2018 12:58 pm

PureVPN is one of the worst possible VPNs you can choose if you care about security and privacy since they are infamous for logging and leaks.

I do not understand why people simply do not google a potential new service or product they want to use and type "productservicename bad" / "productservicename issues" / "servicename lies". You'll be shocked how you find issues that may or may not affect you and help you filter for what you actually want, while enabling you to understand that field a little more.

You will not find a single one recommending the Hong Kong VPN provider, PureVPN.
 
ajack46
newbie
Posts: 37
Joined: Tue Mar 28, 2017 9:08 am

Re: Best VPN

Wed Aug 15, 2018 8:45 am

The best place to check a VPN review is Trust pilot. No one can match their rating. It scores 9.5/10 are the most trusted app.
 
Ape
Member Candidate
Member Candidate
Posts: 177
Joined: Sun Oct 06, 2013 3:32 pm
Location: Freiburg, Germany
Contact:

Re: Best VPN

Tue Dec 18, 2018 12:38 pm

Hi,

coming back to the intial issue, I would like to contribute some technical facts.

You need to chose the VPN technology according to your limiting factors. These could be:
- NAT/CNAT (https://en.wikipedia.org/wiki/Carrier-grade_NAT)
- dual-stack lite (https://en.wikipedia.org/wiki/IPv6_tran ... DS-Lite.29)
- restricted internet access (e.g. firewall)
- throughput
- latency
- security
- compatibility

For me, there are three VPN technologies which stand the test for almost all scenarios. Of course there are several other VPN technologies, but either they are considered insecure or not implemented on RouterOS, so my selection is:

(L2TP)/IPsec
Pros:
  • secure if configured correctly
  • good throughput if you're using HW acceleration
  • highly compatible to all kind of devices, vendors and OS
  • if you use L2TP, you have "real" interfaces which behave like physical interfaces
Cons:
  • "difficult" to configure right (in terms of security as you really need to understand what you're doing)
  • not so well suited for NAT, "simple NAT" will work, CNAT mostly won't
  • relativly sensitive to packet loss

SSTP
Pros:
  • easy to configure (use proper SSL/TLS certificates, use PFS, use TLS 1.2, check server certificate and if you need/like to: check client certificate)
  • works out of the box with windows clients
  • works in almost every scenario where port 443 is available
  • works fine with "MikroTik <--> MikroTik" and "MikroTik <--> Windows"

Cons:
  • slow (as someone already mentioned: TCP-over-TCP is bad regarding throughput and latency)
  • not so common in the non Windows-world

GRE (over IPSec)
Pros:
  • if used in conjunction with IPSec: same as (L2TP)/IPSec
  • "more generic" than L2TP
  • GRE by itself (without IPSec) is stateless
Cons:
  • it's stateless (can be a curse and a mercy at the same time)
  • plain GRE has no authentication mechnism

Of course the mentioned pros and cons are not complete. I focused on the in my opinion most important facts.

Okay, I'll stop beeing a wise ass. To come back to the intial question: If you have one site connected by LTE you probably run into (C)NAT issues, so you need to bite the bullet and use SSTP.
If (C)NAT is no issue, use (L2TP)/IPsec. All VPN techologies add additional encapsulation (translates to overherad), and are therefore decreasing throughput and increasing latency. So using VPN with 1MBit/s will result in a slow(er) connection between the two sites and there is nothing you can do about it :-/

Regards,
Ape

Who is online

Users browsing this forum: No registered users and 24 guests