Mikrotik SSTP
Revision as of 19:50, 26 March 2020
SSTP (SSL VPN)
Mikrotik Router Setup
NTP
Make sure the time and date are set correctly! Use NTP: the certificates created below are stamped with validity dates, so a wrong clock yields certificates that clients reject as not yet valid or expired.
/system ntp client set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5
Create Certificates
Create a CA certificate and a server certificate for the WAN IP 100.100.100.100, valid for 3650 days
/certificate
add name=CA common-name=100.100.100.100 country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=key-cert-sign,crl-sign
add name=server common-name=server country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign CA ca-crl-host=100.100.100.100 name=CA
sign server ca=CA name=server
Export Certificates
Export the CA certificate to a file (it is imported on the Windows client below)
/certificate export-certificate CA
Create SSTP Profile
Create the SSTP profile. remote-address=vpn refers to an IP pool named vpn, which must already exist under /ip pool.
/ppp profile add name="sstp" use-encryption=yes local-address=192.168.1.1 dns-server=192.168.1.1 remote-address=vpn
Create Secrets
Create secrets (credentials) for login
/ppp secret add name=myusername profile=sstp password=mypassword
Create SSTP Server Instance
Create the SSTP server on port 4430. Note that certificate=CA makes the server present the CA certificate itself (common name 100.100.100.100) to clients; the server certificate created above is not used here. A Windows SSTP client requires the presented certificate to chain to a trusted root and to carry the name it dials.
/interface sstp-server server set enabled=yes default-profile=sstp authentication=mschap2 certificate=CA port=4430
Open Firewall Ports
Allow traffic to SSTP server on port 4430
/ip firewall filter add chain=input protocol=tcp dst-port=4430 action=accept place-before=0 comment="Allow SSTP"
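The router side is complete at this point. As an added example (not part of the original wiki page), here is a Python pre-flight check a defender can run from a client machine that has the exported CA file: it performs the TLS handshake on port 4430, requires the presented certificate to chain to that CA, and then applies the two checks a Windows SSTP client also applies, namely that the certificate is inside its validity window (which is why the NTP step matters) and that its subject alternative name or common name matches the address dialled (the WAN IP). The sample certificate dictionaries, the CA file name and the epoch timestamps are constructed for the demonstration and mirror the two certificates created above.

```python
"""Pre-flight check of the router's SSTP certificate, as a client would see it.

Added example, not from the original wiki page.  It trusts only the exported
CA file, fetches the certificate the SSTP listener presents, and applies the
two checks a Windows SSTP client also applies: validity window (why NTP
matters) and SAN/CN matching the dialled address.  Host, port, file name,
sample certificates and timestamps are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
import ssl
import sys
import time

ROUTER = "100.100.100.100"      # WAN IP used on the page
PORT = 4430                     # SSTP port used on the page
CA_FILE = "cert_export_ca.crt"  # exported CA; assumed to be in the working directory

NOT_IN_DATE = "certificate not valid at this time (check NTP on router and client)"

# Constructed stand-ins in the dict format ssl.SSLSocket.getpeercert() returns,
# mirroring the two certificates the page creates (3650 days from 2020-03-26).
SUBJECT_BASE = ((("countryName", "US"),), (("stateOrProvinceName", "KS"),),
                (("localityName", "Library_Town"),), (("organizationName", "Library"),))
CA_CERT = {
    "subject": SUBJECT_BASE + ((("commonName", "100.100.100.100"),),),
    "notBefore": "Mar 26 19:50:00 2020 GMT",
    "notAfter": "Mar 24 19:50:00 2030 GMT",
}
SERVER_CERT = dict(CA_CERT, subject=SUBJECT_BASE + ((("commonName", "server"),),))


def names_in_cert(cert: dict) -> list[str]:
    """Identities a client may match: SAN entries, else the subject CN (legacy fallback)."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind in ("DNS", "IP Address")]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn
                 if key == "commonName"]
    return names


def name_matches(cert: dict, expected: str) -> bool:
    """True if the dialled address matches a certificate identity.
    IP literals are compared as addresses, hostnames case-insensitively."""
    try:
        want_ip = ipaddress.ip_address(expected)
    except ValueError:
        want_ip = None
    for name in names_in_cert(cert):
        if want_ip is None:
            if name.lower() == expected.lower():
                return True
        else:
            try:
                if ipaddress.ip_address(name) == want_ip:
                    return True
            except ValueError:
                pass  # a DNS name can never match an IP literal
    return False


def validity_ok(cert: dict, now: float | None = None) -> bool:
    """True if `now` (epoch seconds; default current time) is inside notBefore..notAfter."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def check_cert(cert: dict, expected: str, now: float | None = None) -> list[str]:
    """Problems a client would raise; an empty list means it should accept the certificate."""
    problems = []
    if not validity_ok(cert, now):
        problems.append(NOT_IN_DATE)
    if not name_matches(cert, expected):
        problems.append(f"no SAN/CN matches the dialled address {expected}")
    return problems


def fetch_cert(host: str = ROUTER, port: int = PORT, ca_file: str = CA_FILE) -> dict:
    """TLS handshake with the SSTP listener.  The chain to the exported CA is
    enforced by the handshake; name and date checks are left to check_cert()."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False           # reported by check_cert() instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # an untrusted chain still aborts the handshake
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates: the CA-style
    # certificate names the WAN IP, the "server" one does not.
    for label, cert in (("CA", CA_CERT), ("server", SERVER_CERT)):
        print(label, check_cert(cert, ROUTER, now=1700000000) or ["ok"])
    if "--live" in sys.argv:  # real check against the router; needs network and CA_FILE
        print("live", check_cert(fetch_cert(), ROUTER) or ["ok"])
```

Run without arguments to see the offline comparison; run with --live from a machine that can reach the router and has the exported CA file to check the real listener. A handshake failure in the live run means the presented certificate does not chain to the exported CA; a NOT_IN_DATE result points at the clock on one side or the other.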
Windows 10 Client Setup
Import Cert
On the Windows 10 PC, in an elevated PowerShell session, with the exported certificate file in the Documents folder of the MyUser profile:
Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath "C:\Users\myuser\Documents\cert_export_ca.crt"
Create VPN Connection
Add-VpnConnection -Name "My SSTP VPN" -ServerAddress "100.100.100.100:4430" -TunnelType "Sstp" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
View Certificates
View certificates via PowerShell (filtering on the name in the certificate's subject or SAN):
Set-Location Cert:\LocalMachine\Root; Get-ChildItem -DnsName '209.42.79.143'
Remove Certificates
Remove an old certificate:
Get-ChildItem Cert:\LocalMachine\Root -DnsName '209.42.79.143' | Remove-Item
View VPN Phonebook
View VPN phonebook entries:
Get-VpnConnection -AllUserConnection