
Private IP site through public IP site

Posted: Thu Jul 22, 2021 5:11 pm
by DottorT86
Hello everyone.
This is my problem:
I have two sites:
- site 1 with static public IP (RB1100AHX2)
- site 2 with dynamic private IP (NATted) (hAP mini)

In site 2 I have an IPCAM that I would like to reach from the internet through my smartphone but unfortunately site 2 has a private IP address.
Site 1 instead has a static public IP address, so I was thinking of creating a VPN between site 1 and site 2, using site 1 as a VPN server and site 2 as a VPN client.
After creating the VPN with the correct rules, do you think it would be possible to reach site 2 from the internet through site 1?

Re: Private IP site through public IP site

Posted: Thu Jul 22, 2021 5:18 pm
by dmitris
Yes, it will work!

Re: Private IP site through public IP site

Posted: Thu Jul 22, 2021 6:07 pm
by DottorT86
I have found many examples of site-to-site VPN setup using IPSEC, but from what I understand IPSEC requires public IPs on both sides of the VPN.
Is that correct?
What type of VPN do you recommend I use?
I would like to use OpenVPN, but I haven't found any example of a site-to-site VPN setup on Mikrotik with OpenVPN.

Re: Private IP site through public IP site

Posted: Thu Jul 22, 2021 6:31 pm
by dmitris
Yes, you are right about the ipsec site-to-site implementation: both sides should be equipped with a public ip.
Personally I prefer SSTP tunneling for such solutions.
https://wiki.mikrotik.com/wiki/Manual:I ... -Site_SSTP

OpenVPN setup is similar to SSTP setup, so you can try both of them. Don't forget to use different ip segments on both sides.

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 12:30 pm
by DottorT86
Thank you for your answer. I was able to set up a very simple SSTP site to site VPN. I have followed various guides that I have found online, everything seems to work, but I don't know if my setup is correct. Most of all I don't know if my setup is safe and reliable. Is there a step-by-step guide to creating a site-to-site SSTP VPN?
My main question is the following:
I created the CA certificate and the Server certificate.
I signed the CA certificate by entering the public IP of the SSTP server in the CA CRL Host field.
Then I signed the Server certificate using CA.
I created the dynamic SSTP server using the "Server" certificate and then in the client I created the SSTP client.
Up to here everything is ok. The VPN is working fine.
I exported the CA certificate and imported it into the SSTP client.
In the SSTP interface, in "Certificate" I selected the CA certificate and then I checked the "Verify Server Certificate" box.
After I selected the CA certificate and activated the "Verify Server Certificate" checkbox, the SSTP server stopped working. I also tried to restart both routers but the VPN doesn't work. If I remove the certificate, it works again.

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 1:27 pm
by dmitris
Nice start! You also need to create a client certificate and sign it with the same CA, then export it and install it on the client side. When you export the client certificate you must specify a passphrase, or it will not generate a private key for it.

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 1:32 pm
by rextended
or it will not generate export private key for with it

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 3:47 pm
by DottorT86
To create a Client certificate which "Key Usage" should I use?
In the CA certificate I used:
"crl sign"
"key cert. sign".

In the Server certificate I used:
"digital signature"
"key encipherment"
"tls server"
Is that okay?

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 3:55 pm
by rextended
On CA you can set key-usage to: key-cert-sign, crl-sign

On certificates set key-usage to: digital-signature, key-encipherment, tls-server

Exactly what you wrote.

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 4:05 pm
by DottorT86
Can I use the same Key Usage for Server and Client certificates?

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 4:20 pm
by rextended
Yes

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 7:13 pm
by DottorT86
I tested using certificates but it still doesn't work...

This is the working SSTP config:
# Server side
/ppp secret
add local-address=192.168.255.1 name=Client password=\
"12345678" profile=default-encryption \
remote-address=192.168.255.2 routes=192.168.2.0/24 service=\
sstp
/interface sstp-server
add name=sstp-Server user=Client
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=\
default-encryption enabled=yes force-aes=yes keepalive-timeout=30 pfs=yes \
port=443 tls-version=only-1.2

# Client side
/interface sstp-client
add authentication=mschap2 connect-to=1.1.1.1:443 disabled=no \
http-proxy=0.0.0.0:443 keepalive-timeout=30 name=sstp-out-Server password=\
"12345678" pfs=yes profile=default-encryption \
tls-version=only-1.2 user=Client verify-server-certificate=yes
Using these configurations SSTP works.
If I activate "Verify Client Certificate" on the Server side and I select the "Client" certificate on the Client side, the SSTP tunnel stops working.
I can't understand what's wrong.

Re: Private IP site through public IP site

Posted: Tue Jul 27, 2021 11:22 pm
by dmitris
or it will not generate export private key for with it
Thank you for making it correct!

I tested using certificates but it still doesn't work...

This is the working SSTP config:
# Server side
/ppp secret
add local-address=192.168.255.1 name=Client password=\
"12345678" profile=default-encryption \
remote-address=192.168.255.2 routes=192.168.2.0/24 service=\
sstp
/interface sstp-server
add name=sstp-Server user=Client
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=\
default-encryption enabled=yes force-aes=yes keepalive-timeout=30 pfs=yes \
port=443 tls-version=only-1.2

# Client side
/interface sstp-client
add authentication=mschap2 connect-to=1.1.1.1:443 disabled=no \
http-proxy=0.0.0.0:443 keepalive-timeout=30 name=sstp-out-Server password=\
"12345678" pfs=yes profile=default-encryption \
tls-version=only-1.2 user=Client verify-server-certificate=yes
Using these configurations SSTP works.
If I activate "Verify Client Certificate" on the Server side and I select the "Client" certificate on the Client side, the SSTP tunnel stops working.
I can't understand what's wrong.
BTW

Have you uploaded the Client certificate with its private key on the client side, and specified the passphrase for the private key when the client certificate was imported?
Check that all certificates have flag "trusted=yes"

Re: Private IP site through public IP site

Posted: Wed Jul 28, 2021 1:47 am
by DottorT86
All certificates have flag "trusted=yes".
I've exported CA certificate without passphrase and Client certificate with passphrase.
I've uploaded CA.crt, Client.crt and Client.key to Client router.
In Client router:
I've imported CA.crt;
I've imported Client.crt using the passphrase;
I haven't imported Client.key.
Do I have to import Client.key too?
That's all.

Re: Private IP site through public IP site

Posted: Wed Jul 28, 2021 2:04 am
by DottorT86
I made a new attempt.
On the server router:
- I enabled "Verify Client Certificate"
- I exported the CA certificate with passphrase;
- I exported the Client certificate with passphrase;
- I loaded CA.crt, CA.key, Client.crt and Client.key on the Client router

In the Client router:
- I imported in this order: CA.crt, CA.key, Client.crt and Client.key using passphrase.
- in SSTP Client interface I selected CA.crt as certificate and enabled "Verify Server Certificate"

Now it's working. Is it ok?
I thought that in the SSTP client interface I should select Client.crt as certificate instead of CA.crt.

Re: Private IP site through public IP site

Posted: Wed Jul 28, 2021 2:10 am
by DottorT86
I think I've solved it now. When creating the Client certificate, in key usage I selected "tls client" instead of "tls server".
Now it seems to work using Client certificate.

Re: Private IP site through public IP site  [SOLVED]

Posted: Wed Jul 28, 2021 9:53 am
by dmitris
I made a new attempt.
On the server router:
- I enabled "Verify Client Certificate"
- I exported the CA certificate with passphrase;
- I exported the Client certificate with passphrase;
- I loaded CA.crt, CA.key, Client.crt and Client.key on the Client router

In the Client router:
- I imported in this order: CA.crt, CA.key, Client.crt and Client.key using passphrase.
- in SSTP Client interface I selected CA.crt as certificate and enabled "Verify Server Certificate"

Now it's working. Is it ok?
I thought that in the SSTP client interface I should select Client.crt as certificate instead of CA.crt.
The CA private key should remain only on the server side and should not be exported anywhere else, because now it's possible to sign valid certificates for your installation not only on the server side but on the client side too...
For client side it's enough ca.crt, client.crt, client.key.

I think I've solved it now. When creating the Client certificate, in key usage I selected "tls client" instead of "tls server".
Now it seems to work using Client certificate.
Yeah, that is the issue
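The complete certificate workflow this thread converges on, written out as an added example (not DottorT86's or dmitris's own configuration): CA with key-cert-sign/crl-sign, server cert with tls-server, client cert with tls-client, CA private key kept on the server, and verification enabled on both ends. It assumes the names used in the thread (CA, Server, Client, 1.1.1.1, sstp-out-Server), that the exported files are renamed to CA.crt/Client.crt/Client.key before upload, and a placeholder passphrase.

```routeros
# ===== Server router (site 1, public IP 1.1.1.1 as in the thread) =====
# CA: only signs certificates and CRLs. Its private key never leaves this router.
/certificate add name=CA common-name=CA key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign CA ca-crl-host=1.1.1.1 name=CA

# Server certificate: TLS server role, signed by the CA.
/certificate add name=Server common-name=Server \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=3650
/certificate sign Server ca=CA name=Server

# Client certificate: same usage but tls-client (the missing piece in the thread).
/certificate add name=Client common-name=Client \
    key-usage=digital-signature,key-encipherment,tls-client days-valid=3650
/certificate sign Client ca=CA name=Client

# Export: without a passphrase RouterOS writes the certificate only (no .key file),
# which is exactly what we want for the CA. The client cert gets a passphrase so
# its private key is exported alongside it. Passphrase is a placeholder.
/certificate export-certificate CA
/certificate export-certificate Client export-passphrase=ChangeMeClientKey

# Only accept clients presenting a certificate chained to our CA.
/interface sstp-server server set verify-client-certificate=yes

# Copy cert_export_CA.crt, cert_export_Client.crt and cert_export_Client.key to the
# client router (renamed to CA.crt, Client.crt, Client.key; assumption). No CA.key exists.

# ===== Client router (site 2, private/NATted IP) =====
/certificate import file-name=CA.crt passphrase=""
/certificate import file-name=Client.crt passphrase=ChangeMeClientKey
/certificate import file-name=Client.key passphrase=ChangeMeClientKey

# Present the Client certificate and verify the server cert against the imported CA.
/interface sstp-client set [find name=sstp-out-Server] certificate=Client \
    verify-server-certificate=yes

# Sanity check: CA and Client should show trusted=yes, and Client should carry the
# private-key flag (K); if Client lacks it, the .key import failed.
/certificate print detail where name~"^(CA|Client)$"
```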

Re: Private IP site through public IP site

Posted: Thu Jul 29, 2021 10:28 am
by DottorT86
Thank you so much for your answer!