Mikrotik SSTP

From SWKLS WIKI
Revision as of 18:53, 17 June 2020 by Unknown user (section edited: Download Certificate)

SSTP (SSL VPN)

Mikrotik Router Setup

NTP

Make sure the date and time are set correctly; certificate validity is checked against the router's clock, so it should be using NTP.

/system ntp client set enabled=yes primary-ntp=132.163.96.5 secondary-ntp=132.163.97.5

Create Certificates

Create a CA certificate and a server certificate for WAN IP 100.100.100.100, valid for 3650 days (replace 100.100.100.100 with the router's real WAN IP).

/certificate

add name=CA common-name=100.100.100.100 country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=key-cert-sign,crl-sign

add name=server common-name=server country=US state=KS locality=Library_Town organization=Library days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server

sign CA ca-crl-host=100.100.100.100 name=CA

sign server ca=CA name=server

Export Certificates

Export the CA certificate to a file (it appears in the router's file list as cert_export_CA.crt)

/certificate export-certificate CA

Create SSTP Profile

Create the PPP profile used by SSTP clients. remote-address=vpn refers to an IP pool named vpn, which must already exist on the router.

/ppp profile add name="sstp" use-encryption=yes local-address=192.168.1.1 dns-server=192.168.1.1 remote-address=vpn

Create Secrets

Create a secret (username and password) for login

/ppp secret add name=myusername profile=sstp password=mypassword

Create SSTP Server Instance

Enable the SSTP server on TCP port 4430, using the CA certificate created above

/interface sstp-server server set enabled=yes default-profile=sstp authentication=mschap2 certificate=CA port=4430

Open Firewall Ports

Allow inbound TCP traffic to the SSTP server on port 4430

/ip firewall filter add chain=input protocol=tcp dst-port=4430 action=accept place-before=0 comment="Allow SSTP"

Windows 10 Client Setup

Download Certificate

When temporarily storing the certificate on a web server so it can be retrieved from a remote machine, ensure that the server or folder can only be reached from that network or device! This may require temporarily modifying the firewall or Apache configuration!

(New-Object System.Net.WebClient).DownloadFile("https://files.swkls.org/tmp/cert_export_CA.crt", "C:\cert_export_CA.crt")

Import Cert

On a Windows 10 PC, from an elevated PowerShell, with the certificate file residing in the Documents folder of the MyUser profile:

Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath "C:\Users\myuser\Documents\cert_export_ca.crt"

Create VPN Connection

Add-VpnConnection -Name "My SSTP VPN" -ServerAddress "<WAN IP>:4430" -TunnelType "Sstp" -EncryptionLevel "Required" -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
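The three client steps above (download, import, create connection) trust whatever file the web server happens to serve. The following script is an added example, not from the original wiki page: it fetches the exported CA certificate, checks it against a fingerprint noted from the router out of band, checks the subject and validity, and only then imports it and creates the VPN connection. The URL, <WAN IP> and the expected fingerprint are placeholders to fill in.

```powershell
# Added example (not part of the original wiki page). Run from an elevated PowerShell.
# Placeholders: $Url, $WanIp and $ExpectedSha256 must be replaced with your own values.
$Url            = "https://files.swkls.org/tmp/cert_export_CA.crt"
$CertPath       = Join-Path $env:TEMP "cert_export_CA.crt"
$WanIp          = "<WAN IP>"
$ExpectedSha256 = "<SHA-256 fingerprint of the CA certificate, noted from the router>"

# Fetch the exported certificate to a temporary location.
Invoke-WebRequest -Uri $Url -OutFile $CertPath -UseBasicParsing

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# 1. Fingerprint over the DER bytes must match the value obtained out of band,
#    otherwise a substituted certificate would become a trusted root.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)).Replace("-", "")
$expected = $ExpectedSha256.Replace(":", "").Replace(" ", "")
if ($actual -ne $expected) {
    Remove-Item $CertPath -ErrorAction SilentlyContinue
    throw "CA certificate fingerprint mismatch (got $actual); not importing."
}

# 2. The wiki's CA was created with common-name set to the WAN IP and is self-signed.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($WanIp))") {
    throw "Unexpected subject '$($cert.Subject)'; expected CN=$WanIp."
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed; expected the router's CA certificate."
}

# 3. Reject an expired or not-yet-valid certificate (clock problems show up here).
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate not valid at current time (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# All checks passed: import into the machine Root store and remove the temporary file.
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Remove-Item $CertPath

# Confirm the store now holds exactly this certificate (by SHA-1 thumbprint).
$stored = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $stored) { throw "Import reported success but certificate not found in Root store." }

# Create the SSTP connection as in the wiki step above.
Add-VpnConnection -Name "My SSTP VPN" -ServerAddress "${WanIp}:4430" -TunnelType Sstp `
    -EncryptionLevel Required -AuthenticationMethod MSChapv2 -AllUserConnection -RememberCredential
```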

View Certificates

View certificates via PowerShell:

Set-Location Cert:\LocalMachine\Root; Get-ChildItem -DnsName '<WAN IP>'

Remove Certificates

Remove an old certificate:

Get-ChildItem Cert:\LocalMachine\Root -DnsName '<WAN IP>' | Remove-Item

View VPN Phonebook

View VPN phonebook entries:

Get-VpnConnection -AllUserConnection