Mikrotik SSTP: Difference between revisions

From SWKLS WIKI
Latest revision as of 18:53, 17 June 2020

SSTP (SSL VPN)

Mikrotik Router Setup

NTP

Make sure the time and date are set correctly; the router should be using NTP.

/system ntp client set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5

Create Certificates

Create certificates for WAN IP 100.100.100.100 valid for 3650 days

/certificate

add name=CA common-name=100.100.100.100 country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=key-cert-sign,crl-sign

add name=server common-name=server country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server

sign CA ca-crl-host=100.100.100.100 name=CA

sign server ca=CA name=server

Export Certificates

Export the CA certificate to the router's file storage (Files)

/certificate export-certificate CA

Create SSTP Profile

Create SSTP profile

/ppp profile add name="sstp" use-encryption=yes local-address=192.168.1.1 dns-server=192.168.1.1 remote-address=vpn

Create Secrets

Create secrets (credentials) for login

/ppp secret add name=myusername profile=sstp password=mypassword

Create SSTP Server Instance

Create SSTP server on port 4430

/interface sstp-server server set enabled=yes default-profile=sstp authentication=mschap2 certificate=CA port=4430

Open Firewall Ports

Allow traffic to SSTP server on port 4430

/ip firewall filter add chain=input protocol=tcp dst-port=4430 action=accept place-before=0 comment="Allow SSTP"

Windows 10 Client Setup

Download Certificate

When storing certificate on webserver temporarily for retrieval on a remote machine, ensure that the server or folder can only be accessed by that network or device! This may require modifying firewall or Apache config temporarily!

(new-object System.Net.WebClient).Downloadfile("https://files.swkls.org/tmp/cert_export_CA.crt", "C:\cert_export_CA.crt")

Import Cert

On a Windows 10 PC with an elevated PowerShell session, with the certificate file residing in the Documents folder of the MyUser profile:

Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -Filepath "C:\Users\myuser\Documents\cert_export_ca.crt"
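Before running the import above, confirm that the file retrieved from the temporary web location is really the CA just created on the router, since anything placed in LocalMachine\Root becomes trusted machine-wide. The following is an added example, not part of the SWKLS wiki page; it assumes the fingerprint reported by the router (for example from /certificate print detail) has been read out of band and pasted into $ExpectedFingerprint (placeholder value), and that $WanIp is the WAN IP used as the CA common name.

```powershell
# Added example (not from the SWKLS wiki): verify the downloaded CA certificate
# before importing it into the machine-wide trusted root store.
$CertPath            = "C:\Users\myuser\Documents\cert_export_ca.crt"
$WanIp               = "100.100.100.100"          # WAN IP used as the CA common-name
$ExpectedFingerprint = "<SHA256 fingerprint read from router>"   # placeholder

# Load the exported certificate (X509Certificate2 accepts PEM or DER files).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Compute the SHA-256 fingerprint over the raw DER bytes, AA:BB:CC... style.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString("X2") }) -join ":"

# Normalise both values (strip separators, ignore case) before comparing.
$expectedNorm = ($ExpectedFingerprint -replace "[^0-9A-Fa-f]", "").ToUpper()
$actualNorm   = $actual -replace ":", ""

$problems = @()
if ($expectedNorm -ne $actualNorm) {
    $problems += "fingerprint mismatch: expected $ExpectedFingerprint, got $actual"
}
# The CA on the router was created with common-name set to the WAN IP.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($WanIp))") {
    $problems += "subject '$($cert.Subject)' does not carry CN=$WanIp"
}
if ($cert.NotAfter -lt (Get-Date)) {
    $problems += "certificate expired on $($cert.NotAfter)"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    Write-Error "Not importing $CertPath into LocalMachine\Root."
    exit 1
}

Write-Host "Checks passed (fingerprint $actual); importing into LocalMachine\Root."
Import-Certificate -CertStoreLocation cert:\LocalMachine\Root -FilePath $CertPath | Out-Null
```

Run it from the same elevated PowerShell session used for the wiki's Import-Certificate step; it exits non-zero and imports nothing if any check fails.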

Create VPN Connection

Add-VpnConnection -Name "My SSTP VPN" -ServerAddress "<WAN IP>:4430" -TunnelType "Sstp" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential

View Certificates

View certificates via PowerShell:

Set-Location Cert:\LocalMachine\Root; Get-ChildItem -DnsName '<WAN IP>'

Remove Certificates

Remove an old certificate:

Get-ChildItem cert:\LocalMachine\Root -dnsname '<WAN IP>' | Remove-Item

View VPN Phonebook

View VPN phonebook entries:

Get-VpnConnection -AllUserConnection