Secure-Socket Tunnel Protocol was developed by Microsoft and uses a TLS tunnel to encrypt the traffic. OpenVPN is an open VPN protocol with clients and servers on almost every platform. Since SSTP and OpenVPN are both treated as PPP servers by Mikrotik, their configuration is almost identical and they can share user credentials. As such we will initially demonstrate an OpenVPN configuration and then cover the differences for an SSTP VPN.
Currently RouterOS only supports TCP-type OpenVPN connections, which adds overhead, particularly when the tunnel itself carries TCP connections.
First create an IP pool and a default profile for the VPN. The profile options can be overridden in individual user secrets. Both of these can be shared between the OpenVPN and SSTP servers.
/ip pool add name=vpn ranges=192.168.86.10-192.168.86.100
# ppp profile options set defaults that can be overridden in ppp secret
/ppp profile add local-address=192.168.86.250 name=vpn-profile remote-address=vpn use-encryption=yes
Next a certificate authority, server and client certificates must be created. The server and client certificates' common names must be sub-domains of the certificate authority's common name. Depending on the hardware being used the certificate signing can take some time; if the command times out, just wait for the CPU usage to come down from 100%.
/certificate
add name=ca-template common-name=example.com days-valid=3650 key-size=2048 key-usage=crl-sign,key-cert-sign
add name=server-template common-name=*.example.com days-valid=3650 key-size=2048 \
    key-usage=digital-signature,key-encipherment,tls-server
add name=client-template common-name=client.example.com days-valid=3650 key-size=2048 key-usage=tls-client
sign ca-template name=ca-certificate
sign server-template name=server-certificate ca=ca-certificate
sign client-template name=client-certificate ca=ca-certificate
Now configure the OpenVPN server options. If client certificates are not wanted and a simple username and password is acceptable, then require-client-certificate can be omitted.
/interface ovpn-server server
set certificate=server-certificate
set default-profile=vpn-profile
set require-client-certificate=yes
set enabled=yes
A firewall rule is needed for the clients' connections to be able to reach the router.
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept place-before=0 comment="Allow OVPN"
Next we create the users. These can be as simple as name and password or can include the fixed local and remote addresses.
/ppp secret
# a remote access user
add name=user password=password
# a remote access user with static addresses in the local subnet
add name=Laptop password=123 local-address=192.168.88.1 remote-address=192.168.88.100
In order for users with a local address in the same subnet as the LAN to be able to communicate with devices in the LAN, proxy arp needs to be enabled on the LAN bridge.
/interface bridge set bridge arp=proxy-arp
For all other addresses the traffic needs to be allowed in the forward chain so that it can pass through the firewall.
/ip firewall filter add action=accept chain=forward src-address=192.168.86.0/24 \
    comment="Allow VPN traffic through firewall"
So that services on the router itself (such as DNS) can be accessed, firewall rules need to be created in the input chain for the VPN subnet. These rules allow access to DNS, SSH, Winbox and the web interface.
/ip firewall filter
add action=accept chain=input src-address=192.168.86.0/24 dst-port=53,22,8291,80 \
    protocol=tcp comment="Allow VPN clients to access TCP firewall services"
add action=accept chain=input src-address=192.168.86.0/24 dst-port=53 \
    protocol=udp comment="Allow VPN clients to access UDP firewall services"
This actually also applies when the subnet is shared by the LAN since the traffic doesn't originate from the LAN interface list.
In order to set up the clients, the CA certificate and, if configured, the client certificate and key are needed. When only the CA certificate is needed it can be exported with the command:
/certificate export-certificate ca-certificate export-passphrase=""
Otherwise the combined CA certificate, client certificate and key can be exported in PKCS#12 format. In order to export a key, an 8-digit passphrase is required.
/certificate export-certificate client-certificate export-passphrase="12345678" type=pkcs12
The exported certificates can then be found under the files menu and downloaded. Their names follow the format
Since MikroTik doesn't produce an ovpn config file, this is a generic one which can be modified by changing the remote line and inserting the certificates. Lines beginning with # or ; are comments; lines beginning with ; can be uncommented to enable features such as choosing which traffic to route over the VPN.
client
dev tun
proto tcp
remote router.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
# uncomment to route all traffic through the vpn
; redirect-gateway def1
# or route only the remote subnet
; route 192.168.88.0 255.255.255.0 vpn_gateway
verb 3
# when a client certificate isn't being used this includes the CA cert (in PEM format)
; <ca>
; </ca>
; setenv CLIENT_CERT 0
# when a client certificate is being used
# a pkcs12 file includes ca, cert and key
# the file needs to be base64 encoded, using
# > base64 <p12-file>
# on a linux system
; <pkcs12>
; </pkcs12>
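Editing the generic profile by hand for every client is error-prone, so here is an added example (not from the original article or from MikroTik) that builds the finished .ovpn from that template: it rewrites the remote line, enables either the redirect-gateway or the route option, and inlines either the exported CA certificate or the base64-encoded PKCS#12 bundle, which is exactly the manual "base64 <p12-file>" step described in the comments. The template text, the helper names and the sample certificate and .p12 bytes are constructed for the example.

```python
"""Build an OpenVPN client profile for a MikroTik OVPN server.

Added example, not code from the article or MikroTik. It fills in the
article's generic template with the remote host, the routing choice and
either a CA certificate (PEM) or an exported PKCS#12 bundle.
"""
import base64
import ipaddress

# Template taken from the article; options beginning with ';' are
# disabled and can be switched on by enable_option().
TEMPLATE = """\
client
dev tun
proto tcp
remote router.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
;redirect-gateway def1
;route 192.168.88.0 255.255.255.0 vpn_gateway
verb 3
"""


def enable_option(lines, option_prefix, replacement=None):
    """Uncomment the first ';' line starting with option_prefix.

    With replacement given the whole line is replaced; otherwise only the
    leading ';' is stripped.
    """
    for i, line in enumerate(lines):
        if line.startswith(";" + option_prefix):
            lines[i] = replacement if replacement else line[1:]
            return lines
    raise KeyError(f"option {option_prefix!r} not found in template")


def route_line(cidr):
    """Turn 192.168.88.0/24 into the 'route <net> <mask> vpn_gateway' form."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"route {net.network_address} {net.netmask} vpn_gateway"


def build_ovpn(remote_host, remote_port=1194, ca_pem=None, pkcs12=None,
               route_all=False, remote_subnet=None):
    """Return the finished .ovpn text.

    Exactly one of ca_pem (PEM text of the CA certificate) or pkcs12
    (bytes of the exported .p12 file) must be supplied, matching the two
    export paths in the article.
    """
    if (ca_pem is None) == (pkcs12 is None):
        raise ValueError("supply exactly one of ca_pem or pkcs12")
    lines = TEMPLATE.splitlines()
    # Only the 'remote <host> <port>' line starts with 'remote ' (with a space).
    lines = [f"remote {remote_host} {remote_port}" if l.startswith("remote ") else l
             for l in lines]
    if route_all:
        enable_option(lines, "redirect-gateway")
    elif remote_subnet:
        enable_option(lines, "route ", route_line(remote_subnet))
    if ca_pem is not None:
        # Server verification only: CA inline, no client certificate.
        lines += ["<ca>", ca_pem.strip(), "</ca>", "setenv CLIENT_CERT 0"]
    else:
        # CA, client cert and key bundled: base64 the .p12, 64 chars per line.
        b64 = base64.b64encode(pkcs12).decode("ascii")
        wrapped = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        lines += ["<pkcs12>", *wrapped, "</pkcs12>"]
    return "\n".join(lines) + "\n"


def extract_pkcs12(ovpn_text):
    """Recover the .p12 bytes from a profile built by build_ovpn()."""
    body = ovpn_text.split("<pkcs12>\n", 1)[1].split("\n</pkcs12>", 1)[0]
    return base64.b64decode("".join(body.split()))


# Constructed sample inputs: neither is a real certificate or key.
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 "MIIBconstructedSampleNotARealCertificate\n"
                 "-----END CERTIFICATE-----")
SAMPLE_P12 = bytes(range(256)) * 3

if __name__ == "__main__":
    print(build_ovpn("router.example.com", pkcs12=SAMPLE_P12,
                     remote_subnet="192.168.88.0/24"))
```

Run it with the real exported files (read the .p12 as bytes and the CA .crt as text) in place of the constructed samples; the article's own template is kept verbatim apart from the two options the builder toggles.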
The main changes required for an SSTP server instead of (or as well as) an OpenVPN server are the different server options and, usually, the absence of a client certificate.
The server options can be set with:
/interface sstp-server server
set certificate=server-certificate
set authentication=mschap2
set default-profile=vpn-profile
set force-aes=yes pfs=yes
set enabled=yes
The authentication must be set to mschap2 for Windows clients.
force-aes means the connection uses AES encryption instead of the older RC4.
pfs enables perfect forward secrecy by generating a dynamic session key; this must also be enabled on the client.
A firewall rule is needed for the SSTP server's port.
/ip firewall filter add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="Allow SSTP"
For SSTP it is worth using an externally signed SSL certificate, such as one from LetsEncrypt, since this avoids the need to install the CA into the Windows certificate store to set up the VPN. Also, not all SSTP clients support client certificates, so these don't need to be generated. In OpenVPN clients the certificate can be included in the config file and, except for Android, the client handles the certificates, so no certificates need to be added to the certificate store.
If a self-signed CA is being used it will need exporting as was shown for OpenVPN without client certificates. This will then need to be added to the Windows certificate store; the Linux client does not appear to check the certificate and provides a mechanism to handle a custom CA.
Since these are layer 3 tunnels, site-to-site connections on MikroTik are handled by setting up one of the routers as a client and then adding routes to send traffic for certain IPs through the tunnel.
To do this, first a site-to-site user is added with static endpoint addresses and a routes parameter, which is automatically added to the routing table when the connection is active. The local and remote addresses are not routed and are just transport endpoints.
/ppp secret add name=USERNAME password=PASSWORD local-address=172.16.1.1 remote-address=172.16.1.2 \
    routes="192.168.105.0/24 172.16.1.2 1"
The added route should be the client router's subnet. To limit this user to either SSTP or OpenVPN, the service parameter can be added.
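The rules just stated (the route's gateway is the client's remote-address, the transport endpoints themselves are not routed, the destination is the client router's subnet) are easy to get wrong in a long routes= string, so here is an added example (not from the article or MikroTik) that checks a site-to-site secret before emitting the /ppp secret add command. The function names are the example's own; it assumes the "dst gateway distance" entry format shown in the article and that several entries are comma-separated, and the optional server_lan overlap check is an extra safeguard the article does not describe.

```python
"""Generate and sanity-check a MikroTik site-to-site PPP secret.

Added example, not the article's or MikroTik's own code. It models the
routes= parameter as "dst gateway distance" entries and checks the
constraints the article describes before building the command.
"""
import ipaddress


def parse_routes(routes):
    """Split a routes= value into (network, gateway, distance) tuples.

    Assumption: multiple entries are separated by commas; each entry is
    'dst/prefix gateway distance' as in the article's example.
    """
    parsed = []
    for entry in routes.split(","):
        parts = entry.split()
        if len(parts) != 3:
            raise ValueError(f"malformed route entry: {entry!r}")
        dst, gw, dist = parts
        parsed.append((ipaddress.ip_network(dst, strict=True),
                       ipaddress.ip_address(gw), int(dist)))
    return parsed


def check_site_to_site(local, remote, routes, server_lan=None):
    """Return a list of problems; an empty list means the secret looks right."""
    local_ip = ipaddress.ip_address(local)
    remote_ip = ipaddress.ip_address(remote)
    problems = []
    for net, gw, dist in parse_routes(routes):
        # Traffic for the remote subnet must go via the client's tunnel address.
        if gw != remote_ip:
            problems.append(f"{net}: gateway {gw} is not the client's remote-address {remote_ip}")
        # local/remote addresses are transport endpoints and are not routed.
        if local_ip in net or remote_ip in net:
            problems.append(f"{net}: contains a transport endpoint; endpoints are not routed")
        # Extra check (assumption): a route for the server's own LAN would shadow it.
        if server_lan and net.overlaps(ipaddress.ip_network(server_lan, strict=True)):
            problems.append(f"{net}: overlaps the server LAN {server_lan}")
        if dist < 1:
            problems.append(f"{net}: distance must be at least 1")
    return problems


def ppp_secret_command(name, password, local, remote, routes, service=None):
    """Build the /ppp secret add line, refusing to emit a broken one."""
    problems = check_site_to_site(local, remote, routes)
    if problems:
        raise ValueError("; ".join(problems))
    cmd = (f"/ppp secret add name={name} password={password} "
           f"local-address={local} remote-address={remote} routes=\"{routes}\"")
    if service:
        cmd += f" service={service}"
    return cmd


if __name__ == "__main__":
    # Constructed values matching the article's example.
    print(ppp_secret_command("USERNAME", "PASSWORD", "172.16.1.1", "172.16.1.2",
                             "192.168.105.0/24 172.16.1.2 1", service="sstp"))
```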
If client certificates are being used they will need to be exported and imported on the client router.
Client Router
Once the certificate is copied onto the client router it can be imported.
/certificate import file-name=ca.crt
The client configuration differs for the two VPNs; however, for both configurations the parameters which need to be set are:
connect-to, which is the WAN address of the server router, and
dst-address on the added route, which needs to be the server router's subnet.
For SSTP this is:
/interface sstp-client add user=USERNAME password=PASSWORD connect-to=192.168.80.1 disabled=no pfs=yes
/ip route add dst-address=192.168.88.0/24 gateway=sstp-out1
For OpenVPN you would run:
/interface ovpn-client add user=USERNAME password=PASSWORD connect-to=192.168.80.1 disabled=no \
    certificate=client-certificate verify-server-certificate=yes
/ip route add dst-address=192.168.88.0/24 gateway=ovpn-out1
Note the different gateways which are used for the additional route. If a client certificate is not used omit the