Mikrotik SSTP
SSTP (SSL VPN)
Mikrotik Router Setup
NTP
Make sure the time and date are set correctly! The router should be using NTP.
/system ntp client set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5
Create Certificates
Create a CA certificate and a server certificate for WAN IP 100.100.100.100, valid for 3650 days
/certificate
add name=CA common-name=100.100.100.100 country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=key-cert-sign,crl-sign
add name=server common-name=server country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
sign CA ca-crl-host=100.100.100.100 name=CA
sign server ca=CA name=server
Export Certificates
Export the CA certificate to a file (written to the router's file list as cert_export_CA.crt) so it can be installed on the client
/certificate export-certificate CA
Create SSTP Profile
Create the SSTP profile. remote-address=vpn refers to an IP pool named vpn, which must already exist under /ip pool before clients can be assigned addresses
/ppp profile add name="sstp" use-encryption=yes local-address=192.168.1.1 dns-server=192.168.1.1 remote-address=vpn
Create Secrets
Create a secret (username and password) for client login
/ppp secret add name=myusername profile=sstp password=mypassword
Create SSTP Server Instance
Create the SSTP server on port 4430. The certificate named here is the one the server presents to clients; the Windows client checks that its common name matches the ServerAddress used in Add-VpnConnection (here the WAN IP 100.100.100.100)
/interface sstp-server server set enabled=yes default-profile=sstp authentication=mschap2 certificate=CA port=4430
Open Firewall Ports
Allow inbound traffic to the SSTP server on TCP port 4430 (placed at the top of the input chain so it precedes any drop rule)
/ip firewall filter add chain=input protocol=tcp dst-port=4430 action=accept place-before=0 comment="Allow SSTP"
Windows 10 Client Setup
Import Cert
On a Windows 10 PC with an elevated PowerShell, with the exported certificate file in the Documents folder of the myuser profile:
Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -Filepath "C:\Users\myuser\Documents\cert_export_ca.crt"
Create VPN Connection
Create a machine-wide SSTP phonebook entry pointing at the router's WAN IP and port:
Add-VpnConnection -Name "My SSTP VPN" -ServerAddress "<WAN IP>:4430" -TunnelType "Sstp" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
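Added example (not from the original page): a PowerShell script that performs the two client steps above, but refuses to place the exported certificate into the machine-wide Root store unless its fingerprint matches one obtained from the router out of band (shown by /certificate print detail). The expected fingerprint value is a placeholder, and the path, connection name and server address are the ones used on this page.

```powershell
# Added example, not part of the original page.
# PLACEHOLDER: paste the fingerprint shown on the router (hex, SHA-1 or SHA-256).
$ExpectedFingerprint = "PLACEHOLDER_FINGERPRINT_FROM_ROUTER"
$CertPath  = "C:\Users\myuser\Documents\cert_export_ca.crt"
$VpnServer = "<WAN IP>:4430"
$VpnName   = "My SSTP VPN"

# Parse the file without touching any certificate store yet.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
"Subject:    $($cert.Subject)"
"Not after:  $($cert.NotAfter)"

# Windows' Thumbprint is SHA-1 over the DER encoding; also compute SHA-256 so that
# either form of fingerprint from the router can be compared.
$sha1   = $cert.Thumbprint
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
           ForEach-Object { $_.ToString("X2") }) -join ""
$expected = ($ExpectedFingerprint -replace '[:\s]', '').ToUpper()

if ($expected -ne $sha1 -and $expected -ne $sha256) {
    throw "Fingerprint mismatch (SHA-1 $sha1, SHA-256 $sha256): not importing into LocalMachine\Root"
}

# Import only if this exact certificate is not already trusted.
$already = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $sha1 }
if (-not $already) {
    Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath $CertPath | Out-Null
    "Imported CA certificate $sha1 into LocalMachine\Root"
}

# Create the machine-wide phonebook entry once; rerunning the script is safe.
if (-not (Get-VpnConnection -AllUserConnection -Name $VpnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer -TunnelType Sstp `
        -EncryptionLevel Required -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
    "Created VPN connection '$VpnName' to $VpnServer"
}
```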
View Certificates
View certificates via PowerShell:
Set-Location Cert:\LocalMachine\Root; Get-ChildItem -DnsName '<WAN IP>'
Remove Certificates
Remove an old certificate matching the WAN IP from the machine Root store:
Get-ChildItem cert:\LocalMachine\Root -dnsname '<WAN IP>' | Remove-Item
View VPN Phonebook
View the machine-wide VPN phonebook entries:
Get-VpnConnection -AllUserConnection