Mikrotik SSTP

From SWKLS WIKI
Revision as of 19:50, 26 March 2020 by Unknown user (page created)

SSTP (SSL VPN)

Mikrotik Router Setup

NTP

Make sure the router's date and time are correct before creating any certificates: every certificate below carries a not-before/not-after window, and both RouterOS and the Windows client check it against their clocks, so a router booted with a wrong clock issues certificates that are "not yet valid" or already expired. Use NTP rather than setting the clock by hand. (The command below is RouterOS 6 syntax; RouterOS 7 takes `servers=` instead of `primary-ntp`/`secondary-ntp`.)

/system ntp client set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5

Create Certificates

Create a private CA and a server certificate signed by it, both valid for 3650 days (10 years). 100.100.100.100 stands for the router's WAN IP, i.e. the address clients will dial. The server certificate's common-name and subject-alt-name must be exactly that address: the Windows SSTP client compares the certificate name against the -ServerAddress it connected to and refuses the tunnel on a mismatch (a certificate named plain "server" would never be accepted). The CA gets only the key-cert-sign/crl-sign usages; the server certificate gets the TLS server usages.

/certificate
add name=CA common-name=100.100.100.100 country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=key-cert-sign,crl-sign
add name=server common-name=100.100.100.100 subject-alt-name=IP:100.100.100.100 country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign CA ca-crl-host=100.100.100.100 name=CA
sign server ca=CA name=server

Export Certificates

Export the CA certificate to the router's Files list (it appears as cert_export_CA.crt) and copy it to the client. Without an export-passphrase RouterOS writes only the public certificate, which is exactly what the client needs; the CA private key should never leave the router. Only the CA is exported: the server certificate is presented to clients during the TLS handshake and needs no distribution.

/certificate export-certificate CA

Create SSTP Profile

Create the PPP profile that SSTP sessions will use. local-address is the router's end of the tunnel and the DNS server handed to clients; remote-address=vpn is the name of an IP pool under /ip pool from which client addresses are drawn, and that pool must exist before the first client connects.

/ppp profile add name="sstp" use-encryption=yes local-address=192.168.1.1 dns-server=192.168.1.1 remote-address=vpn

Create Secrets

Create a PPP secret (username/password) for each user. MS-CHAPv2 requires the router to hold the password in a form it can recover, and anyone with admin access to the router can read it back, so use long random passwords and one secret per user. Adding service=sstp to the secret limits the account to SSTP logins instead of every PPP service on the router.

/ppp secret add name=myusername profile=sstp password=mypassword

Create SSTP Server Instance

Enable the SSTP server on TCP port 4430 (the default is 443), bound to the sstp profile, with MS-CHAPv2 as the only accepted authentication method. Note that certificate=CA makes the router present the CA's own certificate, signed with the CA's private key, as the TLS server certificate. Windows accepts this here only because that CA is installed as a trusted root on the client and its common-name is the dialled address, but it leaves the server certificate created above unused and puts the CA key into every TLS handshake. Once the server certificate's common-name/subject-alt-name is the address clients dial, use certificate=server instead, which is what a CA/server split is for.

/interface sstp-server server set enabled=yes default-profile=sstp authentication=mschap2 certificate=CA port=4430

Open Firewall Ports

Allow inbound TCP traffic to the SSTP listener on port 4430. place-before=0 inserts the rule at the very top of the filter table, so it is evaluated before any input-chain drop rule; if the table has connection-tracking rules at the top (accept established/related, drop invalid), place the rule just before the input-chain drop instead so those still run first.

/ip firewall filter add chain=input protocol=tcp dst-port=4430 action=accept place-before=0 comment="Allow SSTP"
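The complete router side in one pass, as an added example rather than the wiki's own configuration: it follows the steps above but has the SSTP server present a proper server certificate (name matching the WAN IP) instead of the CA certificate, creates the IP pool the profile refers to, and restricts the secret to SSTP. The pool range 192.168.1.200-192.168.1.250 and the hardening options tls-version=only-1.2 and pfs=yes are assumptions not taken from the page (both are supported by Windows 10 clients).

```routeros
# Added example, not the wiki's own configuration: the RouterOS 6 SSTP server
# setup from this page in one pass, with the SSTP server presenting a real server
# certificate instead of the CA certificate.
# Assumptions not taken from the page: client pool 192.168.1.200-192.168.1.250,
# tls-version=only-1.2 and pfs=yes (both fine for Windows 10 clients).

# 1. Correct time first: certificate validity is checked against the router clock.
#    (RouterOS 7 uses "servers=" instead of primary-ntp/secondary-ntp.)
/system ntp client set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5

# 2. Private CA, then a server certificate whose common-name AND subject-alt-name
#    are the address clients dial (the WAN IP); Windows rejects a name mismatch.
/certificate
add name=CA common-name=100.100.100.100 country=US state=KS locality=Library_Town \
    organization=Library days-valid=3650 key-size=2048 key-usage=key-cert-sign,crl-sign
add name=server common-name=100.100.100.100 subject-alt-name=IP:100.100.100.100 \
    country=US state=KS locality=Library_Town organization=Library days-valid=3650 \
    key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
sign CA ca-crl-host=100.100.100.100 name=CA
sign server ca=CA name=server

# 3. Export the CA certificate only. With no export-passphrase RouterOS writes just
#    the public certificate (Files: cert_export_CA.crt); the CA key stays on the router.
/certificate export-certificate CA

# 4. Address pool for clients (assumed range). The profile's remote-address=vpn
#    refers to it by name, so it must exist before the first client connects.
/ip pool add name=vpn ranges=192.168.1.200-192.168.1.250

/ppp profile add name=sstp use-encryption=yes local-address=192.168.1.1 \
    dns-server=192.168.1.1 remote-address=vpn

# 5. Credentials. service=sstp keeps this account off PPTP/L2TP/PPPoE on the same
#    router; MS-CHAPv2 needs the password stored on the router, so make it long.
/ppp secret add name=myusername password=mypassword profile=sstp service=sstp

# 6. The server: present the server certificate (not the CA), MS-CHAPv2 only,
#    TLS 1.2 only, ephemeral key exchange (assumed hardening options).
/interface sstp-server server set enabled=yes port=4430 certificate=server \
    default-profile=sstp authentication=mschap2 tls-version=only-1.2 pfs=yes

# 7. Let the WAN reach the listener. place-before=0 puts the rule at the top of
#    the filter table, ahead of any input-chain drop rule.
/ip firewall filter add chain=input protocol=tcp dst-port=4430 action=accept \
    place-before=0 comment="Allow SSTP"

# 8. Checks: the server certificate should carry flags K (private key present),
#    I (issued) and T (trusted); failed handshakes and PPP auth failures hit the log.
/certificate print detail where name=server
/interface sstp-server server print
/log print where topics~"sstp"
```

If a client still fails with a certificate error after this, compare the address in -ServerAddress on the client with the common-name/subject-alt-name shown by `/certificate print detail`; they have to be identical, including using the IP rather than a hostname if that is what the certificate carries.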

Windows 10 Client Setup

Import Cert

On the Windows 10 PC, in an elevated PowerShell, with the exported CA file sitting in the Documents folder of the myuser profile. This installs the router's CA into the machine-wide Trusted Root store, so every certificate that CA ever signs will be trusted by this PC for any purpose; that is why the CA private key has to stay on the router and why this CA should be used for nothing but the VPN.

Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath "C:\Users\myuser\Documents\cert_export_ca.crt"

Create VPN Connection

Add-VpnConnection -Name "My SSTP VPN" -ServerAddress "100.100.100.100:4430" -TunnelType "Sstp" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential

View Certificates

Viewing the imported CA via PowerShell. -DnsName filters on the certificate's subject/SAN name, so pass the CA's common-name (the WAN IP used above):

Set-Location Cert:\LocalMachine\Root; Get-ChildItem -DnsName '100.100.100.100'

Remove Certificates

Remove an old CA from the trusted roots (for example after re-issuing the router's certificates), matching again on its common-name:

Get-ChildItem Cert:\LocalMachine\Root -DnsName '100.100.100.100' | Remove-Item

View VPN Phonebook

View the machine-wide (all-user) VPN phonebook entries, including the one created above:

Get-VpnConnection -AllUserConnection