HandyDutchGuy
newbie
Topic Author
Posts: 28
Joined: Thu Nov 04, 2021 12:59 am

Multiple IPSEC question

Sat Dec 04, 2021 8:53 pm

Hello,

I have a working IPSEC VPN set up on RB750Gr3 running 6.49.1 for an IP phone connecting to PBX at head office.

Now, I would like to add a VPN server on the RB, to allow road warrior access to an internal network. It seems that a complete (!) how-to for either setting up OPENVPN or L2TP with IPSEC is very difficult or impossible to find. (i.e., a tutorial that assumes the reader already understands that the local IP address should be the gateway, or, in most cases, forgets to mention that firewall rules to allow the connection are also required)
I have tried to follow multiple tutorials, without success. (Windows 10 client will not connect). Maybe I'm just that dumb and can't figure it out.

Just now, I read a line in a discussion that there may be an issue with setting up L2TP with IPSEC if an existing IPSEC profile already exists (in my case, for the phone). Is this true?

And if anyone actually does have a complete guide (from A to Z) to make an OPENVPN setup work, I would like to see it.

Thanks for your time.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple IPSEC question

Sat Dec 04, 2021 9:18 pm

A complete guide to set up you-name-it providing for all the possible situations you may encounter in any other than out-of-the-box configuration would be about equal to a complete RouterOS manual:
  • the mutual order of firewall rules matters, so not knowing the initial state of the firewall means that the tutorial cannot tell you exactly where to put the permissive rule for OpenVPN's transport packets.
  • existing IPsec setup usually does not interfere with an OpenVPN one, but if there eventually is an IPsec policy matching on both local and remote addresses used by the OpenVPN (or any other) setup, it will override them.
For OpenVPN in particular, you have to know the limitations of the OpenVPN implementation in RouterOS and respect these limitations when configuring the other side (Windows in your case).

What's VPN for the iPhone configured like, do you use IKEv2 and certificates or L2TP/IPsec and a pre-shared key?

My personal opinion is that setting up any VPN before properly understanding how firewall works is a voucher for future headache.
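The two firewall points sindy makes above (rule order, and an existing IPsec policy overriding OpenVPN traffic) in RouterOS 6.49 syntax. This is an added example, not configuration from the thread or from MikroTik; the interface list "WAN", the "defconf: ..." rule comments from the default configuration, the LAN 192.168.88.0/24 and the road-warrior pool 10.99.0.0/24 are assumed placeholders.

```routeros
# Added example (not from the thread). Where the permissive rules for VPN
# transport go relative to the RouterOS 6.49 default firewall, and how to
# keep an existing IPsec policy from grabbing OpenVPN client traffic.
# Assumptions (placeholders): interface list "WAN" and the "defconf: ..."
# rule comments exist; LAN is 192.168.88.0/24; clients get 10.99.0.0/24.

/ip firewall filter
# VPN transport packets terminate on the router itself, so they are
# matched in the input chain, not in forward.
add chain=input action=accept in-interface-list=WAN protocol=udp \
    dst-port=500,4500 comment="vpn: IKE and NAT-T"
add chain=input action=accept in-interface-list=WAN protocol=ipsec-esp \
    comment="vpn: ESP (client not behind NAT)"
add chain=input action=accept in-interface-list=WAN protocol=tcp \
    dst-port=1194 comment="vpn: OpenVPN (TCP only on RouterOS 6)"
# Order matters: "add" appends, and anything appended after the default
# "drop all not coming from LAN" rule never sees a packet. Move each
# accept rule in front of that drop.
move [find comment="vpn: IKE and NAT-T"] \
    destination=[find comment="defconf: drop all not coming from LAN"]
move [find comment="vpn: ESP (client not behind NAT)"] \
    destination=[find comment="defconf: drop all not coming from LAN"]
move [find comment="vpn: OpenVPN (TCP only on RouterOS 6)"] \
    destination=[find comment="defconf: drop all not coming from LAN"]

# Decrypted IPsec packets enter the forward chain with in-interface=WAN
# and would hit "drop all from WAN not DSTNATed". Match them by the IPsec
# policy they came out of, again placed before the drop.
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="vpn: decapsulated IPsec to LAN"
move [find comment="vpn: decapsulated IPsec to LAN"] \
    destination=[find comment="defconf: drop all from WAN not DSTNATed"]
# Check: every "vpn:" rule must print above the defconf drop of its chain.
print where chain=input
print where chain=forward

/ip firewall nat
# The default masquerade rewrites the source of packets that are about to
# be encrypted by an IPsec policy, so the policy no longer matches them.
# Exempt those packets. OpenVPN needs no exemption: its tunnel is an
# interface, and the outer TCP stream is the router's own traffic.
set [find comment="defconf: masquerade"] ipsec-policy=out,none

/ip ipsec policy
# Policies are consulted in order. A site-to-site policy whose selectors
# also cover the OpenVPN client pool would pull LAN<->client traffic into
# the wrong tunnel; an action=none policy placed above it keeps that
# traffic out of IPsec.
add src-address=192.168.88.0/24 dst-address=10.99.0.0/24 action=none \
    comment="vpn: keep OpenVPN client traffic out of IPsec"
move [find comment="vpn: keep OpenVPN client traffic out of IPsec"] destination=0
```

The `print` lines are the check worth doing after every firewall edit: if a "vpn:" accept rule shows up below the defconf drop in its chain, the client will time out exactly as the OP describes, and no amount of VPN-side tuning will change that.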
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple IPSEC question

Sat Dec 04, 2021 10:15 pm

Search is your friend, but no guarantees of success.
Depending upon your business, you may want to invest in a router with more horsepower (5009, for example).
Wireguard works well and is relatively simple to implement and is now available on 7.1.

Also with 7.1:
VPN
----------------------
!) support for L2TPv3;
!) support for OpenVPN UDP transport protocol;
!) support for WireGuard;
!) support for ZeroTier on ARM and ARM64 devices;


Suggest see what people discover with openvpn on 7.1 before making any plunges, but wireguard works right now.

My apologies if any misunderstanding, not suggesting you need a new router, depends upon your requirements.
Advice remains the same, upgrade to 7.1 and use wireguard and wait to see how openvpn works for others.
 
HandyDutchGuy
newbie
Topic Author
Posts: 28
Joined: Thu Nov 04, 2021 12:59 am

Re: Multiple IPSEC question

Sat Dec 04, 2021 10:42 pm

A complete guide to set up you-name-it providing for all the possible situations you may encounter in any other than out-of-the-box configuration would be about equal to a complete RouterOS manual:
  • the mutual order of firewall rules matters, so not knowing the initial state of the firewall means that the tutorial cannot tell you exactly where to put the permissive rule for OpenVPN's transport packets.
  • existing IPsec setup usually does not interfere with an OpenVPN one, but if there eventually is an IPsec policy matching on both local and remote addresses used by the OpenVPN (or any other) setup, it will override them.
For OpenVPN in particular, you have to know the limitations of the OpenVPN implementation in RouterOS and respect these limitations when configuring the other side (Windows in your case).

What's VPN for the iPhone configured like, do you use IKEv2 and certificates or L2TP/IPsec and a pre-shared key?

My personal opinion is that setting up any VPN before properly understanding how firewall works is a voucher for future headache.


Thank you for taking the time to read through my post. I understand that many scenarios exist and implementations will differ from setup to setup. Likewise, as you said, there are basic rules that apply to any setup. I suppose my frustration is finding a post/YouTube video with the title "complete" only to find out that complete means different things to different people. Oh well, live and learn.

You stated "you have to know the limitations of the OpenVPN implementation in RouterOS and respect these limitations when configuring the other side (Windows in your case)". So, where can I read a concise document that clarifies those limitations? I agree I should know about them.

And it's not an iPhone (never used that term), but IP Phone. It is set up with a preshared key.

As for "setting up any VPN before properly understanding how firewall works is a voucher for future headache" - I agree. Thing is, you don't know how a firewall works, until you get started and try and try again. So, I'm in that stage. ;-)
 
HandyDutchGuy
newbie
Topic Author
Posts: 28
Joined: Thu Nov 04, 2021 12:59 am

Re: Multiple IPSEC question

Sat Dec 04, 2021 10:48 pm

Search is your friend, but no guarantees of success.
Depending upon your business, you may want to invest in a router with more horsepower (5009, for example).
Wireguard works well and is relatively simple to implement and is now available on 7.1.

Also with 7.1:
VPN
----------------------
!) support for L2TPv3;
!) support for OpenVPN UDP transport protocol;
!) support for WireGuard;
!) support for ZeroTier on ARM and ARM64 devices;


Suggest see what people discover with openvpn on 7.1 before making any plunges, but wireguard works right now.

My apologies if any misunderstanding, not suggesting you need a new router, depends upon your requirements.
Advice remains the same, upgrade to 7.1 and use wireguard and wait to see how openvpn works for others.

Thank you for reading through my post. No apologies needed. The RB750Gr3 is just for home use. I've successfully set up 5 VLANs on port 2, connected via a trunk to a managed PoE switch (needed for the phone and an AP). WAN is on port 1. The other ports are left unused for now.

I would love to upgrade to 7.1. Although it is for home use, I would like it to be stable enough to replace my current OPNsense FW. Is 7.1 considered stable enough for daily use?
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple IPSEC question

Sat Dec 04, 2021 11:40 pm

The feedback I am getting so far is that it is stable enough for home use and for most things non-BGP or non-OSPF.
So I would say good to go.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Multiple IPSEC question

Sat Dec 04, 2021 11:42 pm

You stated "you have to know the limitations of the OpenVPN implementation in RouterOS and respect these limitations when configuring the other side (Windows in your case)". So, where can I read a concise document that clarifies those limitations? I agree I should know about them.
Unfortunately, no one-stop shopping - there are multiple threads here at the forum, one of them is the years-lasting woe regarding the limitations. Only TCP transport, no compression, no route pushing from server to client... google "openvpn site:forum.mikrotik.com" for more. 7.1 is a bit better (at least UDP transport is supported), never dug into the details.

For Win10 PCs, bare IKEv2 seems superior to me as it supports route pushing, and the manual describes it quite clearly and completely, even mentioning some firewall rules if I remember well. But if you want to do it the way certificates were intended to be used, you cannot generate certificates for clients at the Mikrotik and export them along with the private key as the manual suggests - instead, you should properly generate a certificate request at the Windows and let the certification authority (which may be the Mikrotik) only sign them. That way, the private key to the certificate never leaves the machine that will use it.

And it's not an iPhone (never used that term), but IP Phone. It is set up with a preshared key.
Funny, I was quite surprised why should you connect an iPhone to a PBX, but it didn't make me re-read the line :) Needless to say I deal with IP phones almost daily but very rarely with iPhones.

Thing is, you don't know how a firewall works, until you get started and try and try again. So, I'm in that stage. ;-)
And that's the point, you should first pass that quest without the VPN, and only then add VPN to the mix.

Anyway, the IP phone with a pre-shared key IPsec is probably a bare IKE(v1) then, not L2TP over IPsec? This can interfere with Windows' L2TP/IPsec setup if the phone requires a different /ip ipsec profile contents than the Windows' native VPN client; while you can permit multiple encryption algorithms and multiple DH groups in a single profile, you have to choose only a single hash algorithm, so it has to be the same for all remote peers connecting to the same local one. And even if this doesn't stop the show, you have to use a single /ip ipsec identity row for all Windows L2TP/IPsec clients of the same local peer as the ID provided by the Windows VPN client acting as initiator cannot be used to distinguish the clients from one another. Plus there is the "multiple L2TP/IPsec clients cannot be connecting from behind the same public IP" problem, plus no route pushing.

But at the responder (Mikrotik) side, an IKE(v1) peer and an IKEv2 peer may listen at the same address and port and the initial request from the initiator is handled by the proper one because RouterOS distinguishes by contents of that initial packet which peer to use. So even if you've only got a single public IP, you can make both the Windows clients and your IP phone use IPsec.

Posting your config (anonymized as per my automatic signature below) is the best way to answer the question regarding the particular VPN configuration for the IP phone.

Regarding 7.1 - it's in "testing" stage; even Mikrotik's naming of the "stable" stage as such is considered an exaggeration by many forum users, so I wouldn't recommend the (two days old!) 7.1 for anything but lab testing. That excludes both OpenVPN over UDP and Wireguard from consideration.

If no mysterious reboots and memory leaks are reported here for a month, I may change my opinion.
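What sindy's last post describes, written out as a RouterOS 6.49 script: an IKE(v1) pre-shared-key peer for the phone and an IKEv2 certificate peer for Windows 10 listening on the same address and port, each with its own profile (so the single hash algorithm per profile no longer forces both to agree), one identity row serving every Windows client, mode-config with a pushed route, and client certificates whose private key never leaves the Windows machine. This is an added example, not sindy's configuration and not the OP's; the thread does not show the phone's actual peer, so that part is a placeholder. Names (phone-ike1, rw-ike2, vpn-ca, alice), addresses (198.51.100.7, 192.168.88.0/24, 10.99.0.0/24) and vpn.example.net are assumed, the firewall accept rules for udp/500, udp/4500 and ESP are assumed to exist already, and the CSR import through `/certificate import` is an assumption to verify on your RouterOS version.

```routeros
# Added example (not from the thread). IKEv1/PSK phone peer and IKEv2/cert
# road-warrior peer side by side on one public address. All names and
# addresses are placeholders; firewall accept rules are assumed present.

# One hash algorithm per profile, so each peer gets its own profile and
# the phone's (here sha1) no longer dictates what Windows must use.
/ip ipsec profile
add name=phone-ike1 hash-algorithm=sha1 enc-algorithm=aes-256,aes-128 \
    dh-group=modp2048,modp1024 nat-traversal=yes
add name=rw-ike2 hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 nat-traversal=yes

# Both responders listen on the same address/port; RouterOS selects the
# peer from the exchange type in the initiator's first packet.
/ip ipsec peer
# Placeholder for the existing phone peer: keep your own peer, identity and
# policy, and only point the peer at the dedicated profile.
add name=phone address=198.51.100.7/32 exchange-mode=main passive=yes \
    profile=phone-ike1
add name=roadwarrior exchange-mode=ike2 passive=yes profile=rw-ike2

# Phase 2 proposal and the policy template instantiated per Windows client.
/ip ipsec proposal
add name=rw-esp auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec policy group
add name=rw
/ip ipsec policy
add group=rw template=yes src-address=0.0.0.0/0 dst-address=10.99.0.0/24 \
    proposal=rw-esp

# Client address and pushed route (what L2TP/IPsec cannot do).
/ip pool
add name=rw-pool ranges=10.99.0.10-10.99.0.250
/ip ipsec mode-config
add name=rw-cfg address-pool=rw-pool address-prefix-length=32 \
    split-include=192.168.88.0/24 system-dns=no

# CA and server certificate on the router. Windows checks the tls-server
# EKU and wants a SAN equal to the name it dials.
/certificate
add name=vpn-ca common-name=vpn-ca key-usage=key-cert-sign,crl-sign days-valid=3650
sign vpn-ca name=vpn-ca
add name=vpn-server common-name=vpn.example.net \
    subject-alt-name=DNS:vpn.example.net key-usage=tls-server days-valid=1095
sign vpn-server ca=vpn-ca name=vpn-server

# Client certificate the way sindy describes: the Windows machine generates
# its own key pair and a CSR (certreq -new), only the CSR is uploaded to
# Files, the router signs it, and Windows imports the signed certificate.
# The private key is never on the router.
# ASSUMPTION: a PEM CSR can be loaded with /certificate import; verify.
import file-name=alice.csr passphrase=""
sign alice ca=vpn-ca name=alice
export-certificate alice
export-certificate vpn-ca

/ip ipsec identity
add peer=phone auth-method=pre-shared-key secret="CHANGE-ME-phone-psk" \
    generate-policy=no
# One identity for all Windows clients: with remote-certificate left empty
# RouterOS validates whichever certificate the client presents against the
# CAs in its store, so no per-client identity row is needed.
add peer=roadwarrior auth-method=digital-signature certificate=vpn-server \
    match-by=remote-id remote-id=ignore generate-policy=port-strict \
    mode-config=rw-cfg policy-template-group=rw

# Which peer and profile a connection actually landed on:
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

The `export-certificate` calls write only the certificates (no key) into Files: `vpn-ca` goes into the Windows machine's trusted root store so it accepts the server, and `alice` is paired on Windows with the key that `certreq` generated. If `/certificate import` on your version does not accept a bare CSR, sign the request with any external CA whose root you also import on the router; the property that matters, the client key staying on the client, is unchanged.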
