Secure Socket Tunneling Protocol (SSTP) was developed by Microsoft and carries PPP inside a TLS tunnel. OpenVPN is an open VPN protocol with clients and servers for almost every platform. Since RouterOS treats both the SSTP and the OpenVPN server as PPP servers, their configuration is almost identical and they can share user credentials (PPP secrets). We will therefore first demonstrate an OpenVPN configuration and then cover the differences for an SSTP VPN.

OpenVPN

RouterOS 6 only supports TCP-mode OpenVPN connections (later RouterOS 7 releases add a UDP mode). TCP mode adds overhead and performs poorly for TCP traffic carried inside the tunnel, because both the tunnel and the inner connection retransmit on loss (the TCP-over-TCP problem).

First create an IP pool and a default profile for the VPN; the profile options can be overridden in individual user secrets. Both can be shared between the OpenVPN and SSTP servers.

/ip pool add name=vpn ranges=192.168.86.10-192.168.86.100
# ppp profile options set defaults that can be overridden in ppp secret
/ppp profile
add local-address=192.168.86.250 name=vpn-profile remote-address=vpn use-encryption=yes

Next a certificate authority plus server and client certificates must be created. In this example the server and client common names are sub-domains of the CA's common name; X.509 does not require this, but it keeps the certificates easy to identify. What matters is the key-usage: the CA gets key-cert-sign and crl-sign, the server certificate gets tls-server and the client certificate gets tls-client. Depending on the hardware, signing can take some time; if the command times out just wait for the CPU usage to come down from 100%.

/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 \
    key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate

Now configure the OpenVPN server options. If client certificates are not wanted and a simple username and password is acceptable, require-client-certificate can be omitted. In that case the server is still authenticated to the client by its TLS certificate, but clients are only authenticated by their password, so the PPP secrets must be strong.

/interface ovpn-server server
set certificate=server-certificate
set default-profile=vpn-profile
set require-client-certificate=yes
set enabled=yes

A firewall rule is needed so that clients' connections can reach the router's OpenVPN port (TCP 1194). place-before=0 puts it at the top of the filter chain, ahead of any default drop rule.

/ip firewall filter
add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OVPN"

Next we create the users. These can be as simple as a name and password or can include fixed local and remote addresses. The passwords below are placeholders; use strong ones.

/ppp secret
# a remote access user (placeholder password)
add name=user password=password
# a remote access user with static addresses in the local subnet (placeholder password)
add name=Laptop password=123 local-address=192.168.88.1 remote-address=192.168.88.100

For users with a local address in the same subnet as the LAN to be able to communicate with devices on the LAN, proxy ARP needs to be enabled on the LAN bridge so the router answers ARP for the VPN client's address.

/interface bridge set bridge arp=proxy-arp

For all other addresses the traffic needs to be allowed in the forward chain so that it can pass through the firewall. The rule below accepts everything from the VPN subnet, including traffic towards the WAN if NAT applies to it; add a dst-address for the LAN subnet if VPN clients should only reach the LAN.

/ip firewall filter
add action=accept chain=forward src-address=192.168.86.0/24 \
    comment="Allow VPN traffic through firewall"

So that services on the router itself (such as DNS) can be accessed, firewall rules need to be created in the input chain for the VPN subnet. These rules allow access to DNS, SSH, Winbox and web access; drop any of the ports that VPN clients do not need.

/ip firewall filter
add action=accept chain=input src-address=192.168.86.0/24 dst-port=53,22,8291,80 \
    protocol=tcp comment="Allow VPN clients to access TCP firewall services"
add action=accept chain=input src-address=192.168.86.0/24 dst-port=53 \
    protocol=udp comment="Allow VPN clients to access UDP firewall services"

This also applies when the VPN shares the LAN subnet, since the traffic arrives on the PPP interface rather than on an interface in the LAN interface list and so is not matched by the default LAN accept rules.

To set up the clients the CA certificate is needed and, if configured, the client certificate and key. When no client certificate is used, the CA certificate alone can be exported with:

/certificate
export-certificate ca-certificate export-passphrase=""

Otherwise the CA certificate, client certificate and key can be exported together in PKCS#12 format; exporting a private key requires an export passphrase of at least 8 characters.

/certificate
export-certificate client-certificate export-passphrase="12345678" type=pkcs12

The exported certificates can then be found under the Files menu and downloaded. Their names follow the format cert_export_<certificate name> with a .crt extension for PEM and .p12 for PKCS#12.

Example OpenVPN config file

Since MikroTik doesn't produce an .ovpn config file, this is a generic one which can be adapted by changing the remote line and inserting the certificates. Lines beginning with # or ; are comments; lines beginning with ; can be uncommented to enable features such as which traffic to route over the VPN. Recent OpenVPN clients (2.5 and later) warn that cipher is deprecated; data-ciphers-fallback AES-128-CBC is the replacement for servers that do not negotiate a cipher.

client
dev tun
proto tcp
remote router.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
# uncomment to route all traffic through the vpn
; redirect-gateway def1
# or route only the remote subnet
; route 192.168.88.0 255.255.255.0 vpn_gateway
verb 3

# when a client certificate isn't being used this includes the CA cert (in PEM format)
; <ca>
; </ca>
; setenv CLIENT_CERT 0

# when a client certificate is being used
# a pkcs12 file includes ca, cert and key
# the file needs to be base64 encoded, using 
# > base64 <p12-file>
# on a linux system
; <pkcs12>
; </pkcs12>
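Assembling the profile by hand (pasting a PEM block, or base64-encoding the .p12 and pasting that) is error-prone, so here is an added example, not from the original page, of a small POSIX shell script that builds it from the files exported above. It emits the generic profile and then inlines either the PEM CA certificate with setenv CLIENT_CERT 0 (username/password only) or the base64 of the PKCS#12 bundle (client certificate). It assumes the files were downloaded from the router as cert_export_ca-certificate.crt and cert_export_client-certificate.p12, that a base64 command supporting -d for decoding is available, and that router.example.com is the server's public name; all of these are placeholders.

```shell
#!/bin/sh
# build_ovpn.sh - assemble an OpenVPN client profile for the RouterOS
# OpenVPN server described above. Added example, not part of the page.
# Assumptions: exported files from the router's Files menu
# (cert_export_ca-certificate.crt as PEM, cert_export_client-certificate.p12),
# a 'base64' command with '-d' for decoding, and a placeholder host name.
set -eu

# Emit the common part of the profile. $1 = server host, $2 = TCP port.
ovpn_header() {
    cat <<EOF
client
dev tun
proto tcp
remote $1 $2
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
verb 3
EOF
}

# Username/password only: inline the PEM CA certificate and tell the
# client that no client certificate will be supplied.
ovpn_with_ca() {           # $1 host, $2 port, $3 path to CA .crt (PEM)
    ovpn_header "$1" "$2"
    printf '<ca>\n'
    awk '{ print }' "$3"   # awk guarantees a trailing newline
    printf '</ca>\nsetenv CLIENT_CERT 0\n'
}

# Client certificate: inline the base64 of the .p12, which carries the
# CA certificate, client certificate and private key together.
ovpn_with_pkcs12() {       # $1 host, $2 port, $3 path to .p12
    ovpn_header "$1" "$2"
    printf '<pkcs12>\n'
    base64 < "$3"
    printf '</pkcs12>\n'
}

# Reverse the embedding: recover the raw .p12 bytes from a profile so the
# round trip can be checked before the profile is handed to a client.
extract_pkcs12() {         # $1 path to .ovpn
    sed -n '/^<pkcs12>$/,/^<\/pkcs12>$/p' "$1" | sed '1d;$d' | base64 -d
}
```

Typical use is ovpn_with_pkcs12 router.example.com 1194 cert_export_client-certificate.p12 > client.ovpn, or ovpn_with_ca with the .crt file when no client certificate is in play. extract_pkcs12 exists so that the bundle can be compared byte-for-byte with the original export; a profile whose inline block does not decode back to the same file will fail at the TLS handshake with an unhelpful error.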

Changes for SSTP

The main changes required for an SSTP server instead of (or as well as) an OpenVPN server are different server options and, normally, the absence of client certificates.

The server options can be set with:

/interface sstp-server server
set certificate=server-certificate
set authentication=mschap2
set default-profile=vpn-profile
set force-aes=yes pfs=yes
set enabled=yes

The authentication must be set to mschap2 for Windows clients. force-aes makes the connection use AES encryption instead of the older RC4. pfs enables perfect forward secrecy by generating a dynamic session key; it must also be enabled on the client.

A firewall rule is needed for the SSTP server's port (TCP 443).

/ip firewall filter
add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="Allow SSTP"

For SSTP it is worth using an externally signed TLS certificate, such as one from Let's Encrypt, since this avoids having to install the CA into the Windows certificate store to set up the VPN. Also, not all SSTP clients support client certificates, so these don't need to be generated. For OpenVPN clients the certificates can be included in the config file and, except on Android, the client handles them itself, so nothing needs to be added to the system certificate store.

If a self-signed CA is being used it will need exporting as shown for OpenVPN without client certificates. This then needs to be added to the Windows certificate store; the Linux client did not appear to check the certificate in testing, and it provides an option to supply a custom CA.

Site-to-Site

Since these are layer 3 tunnels, site-to-site connections on MikroTik are handled by setting up one of the routers as a client and then adding routes to send traffic for certain IP ranges through the tunnel.

To do this, first a site-to-site user is added with static endpoint addresses and a routes parameter whose routes are automatically added to the server's routing table while the connection is active. The local and remote addresses themselves are not routed; they are just the transport endpoints.

/ppp secret
# routes format: "dst-address gateway distance"; the gateway is the client's tunnel address
add name=USERNAME password=PASSWORD local-address=172.16.1.1 remote-address=172.16.1.2 \
    routes="192.168.105.0/24 172.16.1.2 1"

The added route should be the client router's LAN subnet. To limit this user to either SSTP or OpenVPN, the service parameter can be added (service=sstp or service=ovpn).

If client certificates are being used they will need to be exported and imported on the client router.

Client Router

Once the certificate is copied onto the client router it can be imported (a .p12 file additionally needs its passphrase).

/certificate
import file-name=ca.crt

The client configuration differs between the two VPNs, but in both cases connect-to is the WAN address of the server router and dst-address on the added route is the server router's LAN subnet.

For SSTP this is:

/interface sstp-client
add user=USERNAME password=PASSWORD connect-to=192.168.80.1 disabled=no pfs=yes
/ip route add dst-address=192.168.88.0/24 gateway=sstp-out1

For OpenVPN you would run:

/interface ovpn-client
add user=USERNAME password=PASSWORD connect-to=192.168.80.1 disabled=no \
    certificate=client-certificate verify-server-certificate=yes
/ip route add dst-address=192.168.88.0/24 gateway=ovpn-out1

Note the different gateway interfaces used for the additional route. If a client certificate is not used, omit the certificate parameter; verify-server-certificate=yes only needs the CA certificate to have been imported, so keep it, otherwise the client will accept any server certificate.