четверг, 2 сентября 2021 г.

Mikrotik vpn server sstp, pptp, l2tp, ikev2

Микротик

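# Site-specific values: edit these before pasting the script into the router.
# The secrets are quoted so that characters such as ';' or spaces cannot break
# the script; the values shown are the sample values from the article, not real ones.
:global dnsServer 192.168.1.100;
:global radiusServer 192.168.1.100;
:global radiusSecret "IEASrfghasdkalilagf234sdfD";
:global ipsecSecret "KudOmjirortuk7Drie";
:global vpnRange 192.168.20.0/24;
:global vpnLocalIp 192.168.20.1;
:global splitNetworks 192.168.0.0/23,192.168.7.0/24;

# ip pool for vpn users (shared by the PPP profile and the IKEv2 mode-config)
/ip pool add name=vpn-pool ranges=$vpnRange
# profile for pptp, l2tp, sstp
/ppp profile add dns-server=$dnsServer local-address=$vpnLocalIp name=XXtp remote-address=vpn-pool use-compression=yes use-encryption=yes use-mpls=yes wins-server=$dnsServer
# use radius for auth (PPP users and the IKEv2 eap-radius identity both go to the same server)
/ppp aaa set use-radius=yes
/radius add address=$radiusServer secret=$radiusSecret service=ppp,ipsec
# setting up pptp, l2tp, sstp
/interface l2tp-server server set authentication=mschap2 default-profile=XXtp enabled=yes ipsec-secret=$ipsecSecret use-ipsec=yes
# PPTP with MS-CHAPv2/MPPE is a known-broken protocol; keep it enabled only while legacy clients still need it
/interface pptp-server server set authentication=mschap2 default-profile=XXtp enabled=yes
# SSTP on a non-default port (10443); the certificate name must match the one imported from certbot
/interface sstp-server server set authentication=mschap2 certificate=vpn.myreis.ru.pem_0 default-profile=XXtp enabled=yes port=10443 tls-version=only-1.2
# setting up ikev2 ipsec
/ip ipsec policy group add name=ikev2-policies
# The default profile/proposal are what the L2TP/IPsec clients negotiate. 3des and sha1
# are presumably kept for old clients; remove them once every client supports AES/SHA-256.
/ip ipsec profile set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec profile add enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name=ikev2-profile
/ip ipsec peer add exchange-mode=ike2 name=ikev2-peer passive=yes profile=ikev2-profile send-initial-contact=no
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256,sha1 pfs-group=none
/ip ipsec proposal add auth-algorithms=sha256,sha1 name=ikev2-proposal pfs-group=none
# (the unused 'proposal1' from the original listing is dropped: nothing referenced it)
/ip ipsec mode-config add address-pool=vpn-pool name=ikev2-cfg split-dns=$dnsServer split-include=$splitNetworks static-dns=$dnsServer system-dns=no
# The server certificate for this identity is set later by letsencrypt-routeros.sh
/ip ipsec identity add auth-method=eap-radius generate-policy=port-strict mode-config=ikev2-cfg notrack-chain=prerouting peer=ikev2-peer policy-template-group=ikev2-policies
/ip ipsec policy add dst-address=$vpnRange group=ikev2-policies proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes
/ip ipsec settings set xauth-use-radius=yes

# allow vpn connections on the input chain.
# Only the ports actually listened on above are opened: pptp (tcp/1723), sstp (tcp/10443),
# l2tp (udp/1701) and IKE/NAT-T (udp/500, udp/4500). The original rule also opened
# tcp/443 and tcp/1701, which nothing in this script listens on.
# NOTE: 'add' appends to the end of the chain; if the router already has a drop rule in
# 'input' these rules must be placed before it (place-before=), otherwise they never match.
/ip firewall filter add action=accept chain=input protocol=gre comment="vpn: pptp gre"
/ip firewall filter add action=accept chain=input protocol=ipsec-esp comment="vpn: ipsec esp"
/ip firewall filter add action=accept chain=input protocol=ipsec-ah comment="vpn: ipsec ah"
/ip firewall filter add action=accept chain=input dst-port=1723,10443 protocol=tcp comment="vpn: pptp, sstp"
/ip firewall filter add action=accept chain=input dst-port=1701,500,4500 protocol=udp comment="vpn: l2tp, ike, nat-t"
# These raw rules exempt all traffic to/from the VPN range from connection tracking, so
# connection-state based filter rules will not see it (for every tunnel type, since they
# share vpn-pool). The identity's notrack-chain=prerouting already covers the IKEv2 policies;
# keep these only if the PPP tunnels need them too.
/ip firewall raw add action=notrack chain=prerouting dst-address=0.0.0.0/0 src-address=$vpnRange comment="vpn: notrack out"
/ip firewall raw add action=notrack chain=prerouting dst-address=$vpnRange src-address=0.0.0.0/0 comment="vpn: notrack in"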

Certbot

# Issue the server certificate with a DNS-01 challenge done by hand
# (no port 80/443 needs to be reachable on the router for this).
certbot certonly --manual --preferred-challenges dns -d vpn.domen.ru

И добавляем в letsencrypt-routeros.sh строчку, которая обновляет сертификат для ipsec:
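# Point the IKEv2 identity at the freshly uploaded certificate chain.
# The identity is selected by its peer name rather than by 'numbers=0', which silently
# targets the wrong entry as soon as another identity exists on the router.
# $routeros and $DOMAIN are defined earlier in letsencrypt-routeros.sh.
$routeros /ip ipsec identity set [ find peer=ikev2-peer ] certificate="$DOMAIN.pem_0,$DOMAIN-chain.pem_0,$DOMAIN-chain.pem_1"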

Windows 10 sstp клиент

SSTP
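# SSTP client profile; run in an elevated PowerShell.
$vpn_type = 'sstp'
$vpn_server = 'vpn.myreis.ru'
# Fix: the original concatenated the bare word vpn_type (missing '$'), which does not parse.
$vpn_name = $vpn_server + '_' + $vpn_type
# Networks reached through the tunnel (split tunneling); must mirror splitNetworks on the router.
$vpn_nets = '192.168.0.0/23 192.168.7.0/24'
# Drop a stale profile of the same name; ignore the error when none exists yet.
Remove-VpnConnection -Name $vpn_name -Force -PassThru -ErrorAction SilentlyContinue
# Fix: -TunnelType now receives $vpn_type; the original passed $tunel_type, which was never assigned.
# The server listens on the non-default SSTP port 10443.
# -RememberCredential stores the user's credential in the Windows credential store; omit it if that is not wanted.
Add-VpnConnection -Name $vpn_name -TunnelType $vpn_type -ServerAddress "$($vpn_server):10443" -SplitTunneling -DnsSuffix 'alliancetravel.ru' -RememberCredential -PassThru
# One route per split network.
$vpn_nets.Split(" ") | ForEach-Object { Add-VpnConnectionRoute -ConnectionName $vpn_name -DestinationPrefix $_ -PassThru }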

L2TP
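# L2TP/IPsec client profile; run in an elevated PowerShell.
$vpn_type = 'l2tp'
# Must match 'ipsec-secret' on the MikroTik l2tp-server ('l2tppsk' is a placeholder).
$l2tp_psk = 'l2tppsk'
$vpn_server = 'vpn.myreis.ru'
$vpn_name = $vpn_server + '_' + $vpn_type
# Networks reached through the tunnel (split tunneling); must mirror splitNetworks on the router.
$vpn_nets = '192.168.0.0/23 192.168.7.0/24'
# Drop a stale profile of the same name; ignore the error when none exists yet.
Remove-VpnConnection -Name $vpn_name -Force -PassThru -ErrorAction SilentlyContinue
# Fix: -TunnelType now receives $vpn_type; the original passed $tunel_type, which was never assigned.
# -RememberCredential stores the user's credential in the Windows credential store; omit it if that is not wanted.
Add-VpnConnection -Name $vpn_name -TunnelType $vpn_type -ServerAddress $vpn_server -SplitTunneling -DnsSuffix 'alliancetravel.ru' -L2tpPsk $l2tp_psk -RememberCredential -PassThru -Force
# One route per split network.
$vpn_nets.Split(" ") | ForEach-Object { Add-VpnConnectionRoute -ConnectionName $vpn_name -DestinationPrefix $_ -PassThru }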

Остальные типы VPN настраиваем по аналогии: надо только отключить «использовать VPN-соединение как шлюз по умолчанию». В IKEv2 маршруты добавятся сами.