Mikrotik SSTP: Difference between revisions
Latest revision as of 18:53, 17 June 2020
SSTP (SSL VPN)
Mikrotik Router Setup
NTP
Make sure time & date are set correctly! Should be using NTP.
/system ntp client set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5
Create Certificates
Create certificates for WAN IP 100.100.100.100 valid for 3650 days
/certificate
add name=CA common-name=100.100.100.100 country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=key-cert-sign,crl-sign
add name=server common-name=server country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign CA ca-crl-host=100.100.100.100 name=CA
sign server ca=CA name=server
Export Certificates
Export CA certificate to files
/certificate export-certificate CA
Create SSTP Profile
Create the SSTP profile (remote-address=vpn refers to an IP pool named vpn, which must already exist on the router)
/ppp profile add name="sstp" use-encryption=yes local-address=192.168.1.1 dns-server=192.168.1.1 remote-address=vpn
Create Secrets
Create secrets (credentials) for login
/ppp secret add name=myusername profile=sstp password=mypassword
Create SSTP Server Instance
Create SSTP server on port 4430
/interface sstp-server server set enabled=yes default-profile=sstp authentication=mschap2 certificate=CA port=4430
Open Firewall Ports
Allow traffic to SSTP server on port 4430
/ip firewall filter add chain=input protocol=tcp dst-port=4430 action=accept place-before=0 comment="Allow SSTP"
Windows 10 Client Setup
Download Certificate
When storing certificate on webserver temporarily for retrieval on a remote machine, ensure that the server or folder can only be accessed by that network or device! This may require modifying firewall or Apache config temporarily!
(New-Object System.Net.WebClient).DownloadFile("https://files.swkls.org/tmp/cert_export_CA.crt", "C:\cert_export_CA.crt")
Import Cert
On the Windows 10 PC, in an elevated PowerShell session, with the cert file residing in the Documents folder of the myuser profile:
Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath "C:\Users\myuser\Documents\cert_export_ca.crt"
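Importing into LocalMachine\Root makes every Windows user on the PC trust this CA, so it is worth checking the downloaded file against the fingerprint shown on the router before importing it. The function below is an added example, not part of the original page; it assumes the expected SHA-256 value is copied out of band from the CA entry's fingerprint field in /certificate print detail on the router, and the value shown is a placeholder.

```powershell
# Added example (not from the original page): import the exported CA certificate into
# the machine Root store only if its SHA-256 fingerprint matches the one read from the
# router, then delete the temporary download. Run from an elevated PowerShell session.
function Install-TrustedCaCert {
    param(
        [Parameter(Mandatory)] [string] $Path,           # e.g. C:\cert_export_CA.crt
        [Parameter(Mandatory)] [string] $ExpectedSha256  # hex, copied from the router
    )

    # RouterOS exports PEM; the X509Certificate2 constructor accepts PEM or DER files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Windows shows the SHA-1 thumbprint; compute SHA-256 over the DER bytes instead.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $actual = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''
    $expected = ($ExpectedSha256 -replace '[:\s]', '').ToLower()

    if ($actual -ne $expected) {
        throw "Fingerprint mismatch: file has $actual, router shows $expected. Not importing."
    }

    # The file must actually be a CA certificate (Basic Constraints CA=TRUE).
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "Certificate $($cert.Subject) is not marked as a CA. Not importing."
    }

    Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath $Path | Out-Null
    Remove-Item -Path $Path   # do not leave the copy lying around after import
    return $actual
}

# Placeholder fingerprint: replace with the value from /certificate print detail on the router.
Install-TrustedCaCert -Path "C:\cert_export_CA.crt" -ExpectedSha256 "<FINGERPRINT FROM ROUTER>"
```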
Create VPN Connection
Add-VpnConnection -Name "My SSTP VPN" -ServerAddress "<WAN IP>:4430" -TunnelType "Sstp" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
View Certificates
View certificates via PowerShell:
Set-Location Cert:\LocalMachine\Root; Get-ChildItem -DnsName '<WAN IP>'
Remove Certificates
Remove old cert:
Get-ChildItem Cert:\LocalMachine\Root -DnsName '<WAN IP>' | Remove-Item
View VPN Phonebook
View VPN phonebook entries:
Get-VpnConnection -AllUserConnection