Best tutorial on VPN access for Windows?
I've always used SSH tunnelling to get access to stuff behind MikroTiks, but a client has just asked for VPN access from his Windows box at home to a network behind a MikroTik.
Can anyone point me to a good tutorial or doco on making that happen?
A lot of the stuff out there seems to just be PPTP, which doesn't seem very secure. And a lot of it seems old.
I'm not a Windows guy, but I am hoping that there is a way to set this up on the MikroTik so that a Windows VPN can be set up out of the box.
Yours hopefully, K.
--
Karl Auer (kauer@nullarbor.com.au) work +61 2 64957435
http://www.nullarbor.com.au mobile +61 428 957160
GPG fingerprint: 8454 EE43 6215 B6DD 1B4D 9D8D 984D 7BA1 7378 A38D
Old fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
Hi Karl,
I have set up L2TP/IPSEC in the past for IOS and Windows clients using Mikrotik routers (including using RADIUS authentication from a Windows server).
Don't use the PPP protocol.
First read these:
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
https://mivilisnet.wordpress.com/2017/01/19/l2tpipsec-for-road-warriors/
Here is a decent looking guide for the Windows side:
https://mivilisnet.wordpress.com/2016/12/22/how-to-setup-the-l2tpipsec-client-in-windows-7-and-later/
Hi Karl,
I went through most of the online tutorials for this a couple of years ago and distilled them down into this guide which I've found works for Windows clients.
Just remember to substitute the values MYKEY, MYPASSWORD and MYUSER and you should be good to go.
Hope it helps.
Ben Jackson
ELOGIK
(Sent from my mobile device)
Er - what guide? There was no link or attachment.
Would love to see it though!
Regards, K.
Maybe the list doesn't allow attachments?
Here's a link.
https://drive.google.com/a/elogik.net/file/d/1OfgxfL2i_rQjxsMpX7EAKXJBylUnXtQF/view?usp=drivesdk
Best regards,
Ben Jackson
eLogik
(Sent from my mobile device)
Thanks! That link tells me to get permission....
Regards, K.
Try now Karl, sorry about that
*BEN JACKSON* Director
*M* 0404 924745 *E* ben@elogik.com.au *W* elogik.com.au <http://www.elogik.com.au/>
Here's the link again - I think it changed since I updated the permissions
https://drive.google.com/file/d/1OfgxfL2i_rQjxsMpX7EAKXJBylUnXtQF/view?usp=sharing
*BEN JACKSON* Director
By the way - the public list is text-only and no attachments allowed :-} members@talk.mikrotik.com.au allows html and attachments ;) Cheers!
On the Windows side, consider if you want all traffic (including internet) to go via the VPN or just traffic for the VPN LAN. You have to make a change in the VPN's IP setting to configure the default route.
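The routing choice described in the message above, as an added example that is not part of the original thread: creating the L2TP/IPsec connection with Windows' built-in VpnClient cmdlets and choosing between split tunnel and full tunnel. The function name, connection name, server address and LAN prefix are placeholders chosen for illustration.

```powershell
# Added example - not from the thread. Every value below is a placeholder.
function New-RoadWarriorVpn {
    param(
        [string]$Name      = 'Office-L2TP',       # hypothetical connection name
        [string]$Server    = 'vpn.example.com',   # placeholder for the MikroTik's public address
        [string]$RemoteLan = '192.168.88.0/24',   # assumed LAN behind the MikroTik
        [switch]$FullTunnel                       # send ALL client traffic through the VPN
    )

    # Prompt for the IPsec pre-shared key rather than storing it in the script.
    $psk = Read-Host 'IPsec pre-shared key'

    # L2TP over IPsec with MS-CHAPv2 user authentication; refuse unencrypted sessions.
    # -Force suppresses the confirmation prompt about supplying the PSK on the command line.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
        -L2tpPsk $psk -AuthenticationMethod MSChapv2 `
        -EncryptionLevel Required -Force

    if ($FullTunnel) {
        # Same as ticking "Use default gateway on remote network":
        # internet traffic also leaves via the office router and its firewall rules.
        Set-VpnConnection -Name $Name -SplitTunneling $false
    }
    else {
        # Only the office LAN is routed into the tunnel; everything else
        # keeps using the client's local default gateway.
        Set-VpnConnection -Name $Name -SplitTunneling $true
        Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $RemoteLan
    }

    # Show the resulting settings so the routing mode can be checked.
    Get-VpnConnection -Name $Name |
        Select-Object Name, ServerAddress, TunnelType, EncryptionLevel, SplitTunneling
}

New-RoadWarriorVpn                 # split tunnel: only $RemoteLan goes via the VPN
# New-RoadWarriorVpn -FullTunnel   # alternative: default route via the VPN
```

With split tunnelling the client's internet traffic bypasses any filtering on the office side, so the choice is a policy decision as much as a routing one.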
Windows 10 supports SSTP, which is relatively simple to set up on both Windows and Mikrotik. The only small complexity is that Windows requires a certificate based encryption on the server side to work (Mikrotik to Mikrotik doesn't need any certs).
But my preference is always use of mAP-lite as a kind of Road-Warrior VPN client. I carry one with me always for exactly that reason. It can be powered by the USB port on my laptop, and I configure the wireless with virtual-AP as well as station so that it can connect to a local wifi and be personal hotspot for my other devices to connect back to the office LAN at the same time.
I talked about that application as part of my presentation at the last MUM in Melbourne earlier this year: https://mum.mikrotik.com/2018/AU/agenda/EN#
Cheers! Mike.
participants (4)
- Ben Jackson - ELOGIK
- Jason Hecker (Up & Running Tech)
- Karl Auer
- Mike Everest