elstiv73
just joined
Topic Author
Posts: 10
Joined: Wed Jun 10, 2020 9:34 am

Mikrotik as vpn client

Thu Jul 16, 2020 7:20 am

Hi. I would like to set up Mikrotik to connect to a VPN server so that all users connected to the Mikrotik are automatically routed through this VPN. I have managed to set up a PPTP client, and Winbox shows it as connected, but when I check my public IP address it still shows the local WAN address. I also checked via the whatismyip.com website and it still reports the local WAN address, not the one related to my VPN. Thanks
 
nithinkumar2000
Member Candidate
Posts: 167
Joined: Wed Sep 11, 2019 7:42 am
Location: Coimbatore

Re: Mikrotik as vpn client

Thu Jul 16, 2020 8:15 am

Hi. I would like to set up Mikrotik to connect with a VPN server so that all users connected to Mikrotik will be automatically connected to this VPN. I have managed to set up PPTP client and Winbox shows that it is connected but when checking my public IP address it still shows the local WAN address. I also checked via whatismyip.com website and it still reports the local WAN address not the one related to my VPN. Thanks
Please share the config details here so that we can understand the issue better.

Thanks :)
 
elstiv73
just joined
Topic Author
Posts: 10
Joined: Wed Jun 10, 2020 9:34 am

Re: Mikrotik as vpn client

Sun Jul 19, 2020 1:10 pm

Sorry for the delay. This is my configuration:
# RouterOS export posted by the topic author (credentials redacted as xxxxx).
# Lines starting with '#' are reviewer annotations only; none of the exported
# commands below have been altered.
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz frequency=2462 name=channel1
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface pptp-client
# NOTE(review): PPTP (MS-CHAPv2 + MPPE) is widely regarded as cryptographically
# weak; if the VPN provider offers another tunnel type, prefer it. The tunnel
# interface created here is referenced below as VPN-NAME.
add connect-to=vpnserver name=VPN-NAME password=xxxxx user=xxxxx
/caps-man datapath
add bridge=bridge1 name=Bridge
/caps-man security
add authentication-types=wpa2-psk,wpa2-eap encryption=aes-ccm name=security1 \
    passphrase=xxxxxxx
/caps-man configuration
add channel=channel1 country=malta datapath=Bridge mode=ap name=Config \
    security=security1 ssid=home
/interface list
add name=WAN
# NOTE(review): include=all makes every interface - ether1-WAN and the PPTP
# tunnel included - a member of LAN. No firewall rule in this export uses the
# LAN list yet, but any future in-interface-list=LAN rule would also match WAN.
add include=all name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=\
    xxxxxxx
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook).*\$"
add name=Youtube regexp=\
    "^.+(youtube.com | googlevideo.com | akamaihd.net).*\$"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip kid-control
add disabled=yes fri=0s-1h mon=0s-1h name="Block Now" sat=0s-1h sun=0s-1h \
    thu=0s-1h tue=0s-1h wed=0s-1h
/ip pool
add name=dhcp_pool ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp_pool disabled=no interface=bridge1 name=dhcp3
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
# NOTE(review): discover-interface-list=all also sends neighbor-discovery
# (MNDP/CDP/LLDP) announcements out of ether1-WAN and the PPTP tunnel, which
# discloses the router's identity and software version to those networks;
# a LAN-only interface list limits that.
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add interface=ether1-WAN list=WAN
add interface=ether2 list=LAN
add interface=bridge1 list=LAN
# NOTE(review): member entry with no interface; looks like a leftover and can
# probably be removed.
add list=LAN
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1-WAN
/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=208.67.222.222,208.67.220.220 gateway=\
    192.168.2.1 netmask=24
/ip dns
# NOTE(review): the router answers DNS queries on every interface. The two
# "DNS from outside drop" input rules further down block this only on
# ether1-WAN, so the resolver stays reachable through the PPTP tunnel once it
# is up.
set allow-remote-requests=yes
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    list=Bogons

# The one LAN host the author wants routed through the PPTP tunnel.
add address=192.168.2.101 list=VPN
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): the four application-drop rules below are all disabled. They
# sit after the established/related accept, so only the first packet of a new
# connection ever reaches them; a layer7 match on port 443 needs payload and
# is unlikely to fire from this position - presumably why they are disabled.
add action=drop chain=forward comment="Facebook drop example (What to drop mus\
    t appear first before the accept)" disabled=yes layer7-protocol=Facebook \
    port=80,443 protocol=tcp
add action=drop chain=forward comment="Youtube drop" disabled=yes \
    dst-address-list="Block youtube"
add action=drop chain=forward comment="Roblox port drop" disabled=yes \
    dst-port=49152-65535 protocol=udp
add action=drop chain=forward comment="Tiktok drop" disabled=yes \
    dst-address-list="Block tiktok" log-prefix=tk protocol=tcp
# NOTE(review): these two rules accept UDP with source OR destination port 69
# (TFTP) from any interface, ether1-WAN included, and are evaluated before
# "Drop the rest". If they are still needed, restrict them with
# in-interface=bridge1 or a src-address-list.
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
# NOTE(review): WAN-only; see the note on "Drop the rest" below.
add action=drop chain=input comment="DNS from outside drop UDP" dst-port=53 \
    in-interface=ether1-WAN protocol=udp
add action=drop chain=input comment="DNS from outside drop TCP" dst-port=53 \
    in-interface=ether1-WAN protocol=tcp
# NOTE(review): same WAN-only scope as "Drop the rest"; new connections
# arriving from the VPN side on VPN-NAME are not covered by this rule.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    Bogons
add action=accept chain=input comment="Allow ping" dst-limit=\
    30,30,dst-address/1m40s limit=30,30:packet protocol=icmp
add action=accept chain=input comment="Accept established" connection-state=\
    established
add action=accept chain=input comment="Accept related" connection-state=\
    related
# NOTE(review): only ether1-WAN is closed off here. Input arriving on the PPTP
# tunnel (VPN-NAME) falls through to the default accept, so the services not
# disabled under /ip service below (www, ssh, winbox, ...) and DNS remain
# reachable from the VPN provider's side. Dropping in-interface=!bridge1, or
# using in-interface-list=WAN with VPN-NAME added to the WAN list, closes both.
add action=drop chain=input comment="Drop the rest" in-interface=ether1-WAN
add action=fasttrack-connection chain=forward comment="Fasttrack DNS TCP" \
    dst-port=53 protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack DNS UDP" \
    dst-port=53 protocol=udp
/ip firewall mangle
# NOTE(review): layer7-protocol=*1 is an unresolved reference in this export
# (the only layer7 entries defined above are Facebook and Youtube), the
# comment says Facebook while the mark is youtube_conn, and no other rule here
# reads youtube_conn. This rule appears to be dead and could be removed.
add action=mark-connection chain=prerouting comment=\
    "Facebook -created automatically Layer 7" connection-mark=no-mark \
    dst-port=53 layer7-protocol=*1 new-connection-mark=youtube_conn \
    passthrough=yes protocol=udp
# NOTE(review): dst-address-list=VPN marks traffic going TO 192.168.2.101, not
# traffic FROM it. To send that host's own traffic through the tunnel the
# matcher must be src-address-list=VPN, as the accepted answer below says.
# Also, when the tunnel is down the "vpn" route below becomes inactive and
# RouterOS falls back to the main table, so the host's traffic would leave via
# ether1-WAN unmarked; a forward rule dropping src-address-list=VPN with
# out-interface=ether1-WAN would make that fail closed.
add action=mark-routing chain=prerouting dst-address-list=VPN \
    new-routing-mark=vpn
/ip firewall nat
add action=redirect chain=dstnat comment="Proxy redirect" disabled=yes \
    dst-port=80 protocol=tcp to-ports=8080
# NOTE(review): the "not ready" line below appears to be export output
# indicating the tunnel interface was not running at export time. The
# masquerade itself is still needed so LAN sources are rewritten to the tunnel
# address.
# VPN-NAME not ready
add action=masquerade chain=srcnat out-interface=VPN-NAME
add action=masquerade chain=srcnat comment=Masquerade ipsec-policy=out,none \
    out-interface-list=WAN
# NOTE(review): forces host 192.168.2.200's DNS to 8.8.8.8; log=yes records
# every such query with prefix "elt" - useful while debugging, noisy to leave
# on permanently.
add action=dst-nat chain=dstnat dst-port=53 log=yes log-prefix=elt protocol=\
    udp src-address=192.168.2.200 to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.2.200 to-addresses=8.8.8.8
add action=redirect chain=dstnat comment="proxy dns" disabled=yes dst-port=53 \
    protocol=tcp to-ports=53
add action=redirect chain=dstnat comment="proxy dns" disabled=yes dst-port=53 \
    protocol=udp to-ports=53
/ip kid-control device

/ip proxy
set cache-administrator=xxx@gmail.com cache-on-disk=yes cache-path=\
    disk1/webproxy
/ip route
# Default route (no dst-address given) used only by packets carrying
# routing-mark=vpn; the gateway is the PPTP tunnel interface.
add distance=1 gateway=VPN-NAME routing-mark=vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH client negotiate the "none"
# cipher, i.e. an unencrypted session; set it to no unless specifically
# required (and consider strong-crypto=yes). forwarding-enabled=remote permits
# remote port forwarding through the router's SSH service.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# NOTE(review): with UPnP enabled any LAN host can create inbound WAN port
# mappings without authentication. No "/ip upnp interfaces" section appears in
# this export, so it may be inactive as shown; disable it if it is not needed.
set enabled=yes
/system clock
set time-zone-name=Europe/Malta
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
I only require IP address 192.168.2.101 to connect to VPN automatically. Thanks
 
Shqipalb
just joined
Posts: 6
Joined: Wed May 06, 2020 11:50 pm

Re: Mikrotik as vpn client  [SOLVED]

Sun Jul 19, 2020 2:22 pm

I think the VPN mangle rule is wrong: it should match src-address-list=VPN, not dst-address-list=VPN. Try setting src-address-list to the VPN list.