Answer the question
In order to leave comments, you need to log in
How to access local networks connected with mikrotiks to vps via vpn l2tp ipsec?
Hello.
There is:
VPS Ubuntu 16.04 with a constant external ip: 1.1.1.1 (example), and vpn clients receive ip 192.168.42.10-20
L2TP ipsec VPN is raised on Ubuntu VPS so that you can connect from any device so that Internet traffic can go through this vpn. It was raised with the help of this: https://github.com/hwdsl2/setup-ipsec-vpn#quick-start
All offices use microtics with a connection to Provo via pppoe.
I connected all mikrotiks of remote offices to this l2tp vpn server. I let only some machines of remote offices into vpn traffic (this is the task), they work without problems, they have an external ip address of the vpn server, which means that their Internet traffic walks through vpn as it should.
But here the task arose: it is necessary to have access to all computers of remote offices that are connected to ubuntu via vpn l2tp ipsec via microtics, including even those computers whose traffic does not go through vpn.
There are currently 3 remote offices. And you need to see all computers of all offices from any office. (sorry for the tautology)
Only 2 offices have a permanent external ip.
It is also necessary to see all networks connecting to ubuntu via vpn from any other places including mobile devices.
It turned out to connect all the offices through another vps using a cloud hosted router through a "clean" ipsec, but in this case, the necessary machines do not receive the external ip vps and the traffic goes unprotected. And also in this case, from any remote network, you cannot connect a mobile device via vpn to this server on demand.
############
SOLVED:
1. set up a pptp + l2tp ipsec server on a VPS with CHR
2. connected all remote offices to this CHR via pptp
3. registered routes on CHR and mikrotiks of remote offices (a couple of lines )
4. from 3g / 4g or another device, connecting via l2tp to CHR, I see all offices
5. on mikrotiks of remote offices, added the l2tp client interface and connected to CHR - letting all the traffic of certain devices or the entire subnet via l2tp
RESULT:
When connecting to CHR via L2TP ipsec - I have access to all devices of remote offices from anywhere.
CHR setup example:
subnet: 1.1.1.0/24
gateway: 1.1.1.1
wan: 123.45.67.89
/interface pptp-server server set enabled=yes
/ip firewall filter remove [find comment="PPTP Access"]
/ip firewall filter add chain=input protocol=gre comment="PPTP Access"
/ip firewall filter add chain=input dst-port=1723 protocol=tcp comment="PPTP Access"
/ip firewall filter move [find comment="PPTP Access"] 1
/ppp secret remove [find comment=pptp_2_2_2_0]
/ppp secret add local-address=1.1.1.1 remote-address=10.0.0.100 name=pptp_2_2_2_0 password="yourpass"
/ip route remove [find routing-mark=vpn_2_2_2_0]
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=10.0.0.100 check-gateway=ping routing-mark=vpn_2_2_2_0
/ip route rule remove [find table=vpn_2_2_2_0]
/ip route rule add action=lookup disabled=no dst-address=2.2.2.0/24 table=vpn_2_2_2_0
/ip route rule move [find table=vpn_2_2_2_0] 0
# включить proxy-arp на bridge-local
/interface bridge
set [find name=bridge-local] arp=proxy-arp
/ip firewall filter remove [find comment=to_123.45.67.89]
/ip firewall filter add dst-address=123.45.67.89 action=accept chain=output comment=to_123.45.67.89
/ip firewall filter move [find comment=to_123.45.67.89] 1
/interface pptp-client remove [find name=pptp_123.45.67.89]
/interface pptp-client add name=pptp_123.45.67.89 add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=123.45.67.89 dial-on-demand=no disabled=no keepalive-timeout=60 max-mru=1450 max-mtu=1450 mrru=1600 user=pptp_2_2_2_0 password="yourpass" profile=default-encryption
/ip route remove [find routing-mark=vpn_123.45.67.89]
/ip route add distance=1 dst-address=0.0.0.0/0 gateway=pptp_123.45.67.89 check-gateway=ping routing-mark=vpn_123.45.67.89
/ip route rule remove [find table=vpn_123.45.67.89]
/ip route rule add action=lookup disabled=no dst-address=1.1.1.0/24 table=vpn_123.45.67.89
/ip route rule move [find table=vpn_123.45.67.89] 0
Answer the question
In order to leave comments, you need to log in
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question