ASL-Corp members, Bureaucrats, Check users, Structured Discussions bots, oversight, Suppressors, Administrators, Upload Wizard campaign editors
1,714
edits
Changes
Jump to navigation
Jump to search
Line 15:
Line 15: + + + + + + + + + + + + + + + + + + + + + + + + + − + − − ''Note: You can use this config to connect two non-MikroTik systems as well. Just replicate the config below for each system you wish to connect.'' Line 210:
Line 233: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 998:
Line 1,171: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Line 1,242:
Line 1,471: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
no edit summary
== IPSEC ==
== IPSEC ==
Information on how to setup IPSEC tunnels.
Information on how to setup IPSEC tunnels.
=== strongSwan to strongSwan ===
Use the following config for a strongSwan<ref>strongSwan Official Site [https://www.strongswan.org/]</ref> to strongSwan configuration. Make sure the left and right IP addresses are updated to match each system. You can use the same ipsec.secrets file on both systems without changing the IP address order, although I recommend changing it to having the local IP on the left and the remote on the right as shown below.
====ipsec.conf====
/sec/ipsec/conf:
conn <name>
authby=secret
auto=route # can also be start
keyexchange=ike
left=<your local IP>
right=<remote IP of Mikrotik system>
leftikeport=500
rightikeport=500
type=transport
esp=aes128gcm16!
dpddelay=5
dpdtimeout=20
dpdaction=clear # can also be restart
====ipsec.secrets====
/etc/ipsec.secrets:
<your local IP> <remote IP of Mikrotik system> : PSK "<Put your preshared key here>"
=== strongSwan to MikroTik ===
=== strongSwan to MikroTik ===
Use the following configurations to connect a system running stongSwan<ref>strongSwan Official Site [https://www.strongswan.org/]</ref> to a MikroTik<ref>MikroTik Official Site [https://mikrotik.com/]</ref> device using IPSEC.
Use the following configurations to connect a system running strongSwan to a MikroTik<ref>MikroTik Official Site [https://mikrotik.com/]</ref> device using IPSEC.
==== strongSwan config ====
==== strongSwan config ====
The following configuration will work on FreeBSD or Linux systems with strongSwan installed.
The following configuration will work on FreeBSD or Linux systems with strongSwan installed.
=====ipsec.conf=====
=====ipsec.conf=====
== PPTP ==
== PPTP ==
{{go to top}}
{{go to top}}
==Persistent SSH Tunnels==
The following is how to create a persistent SSH Tunnel between two systems. This is handy if you want to secure data flowing across networks, or even setup a tunnel without messing with VPN configuration.
===Create User/Generate SSH key===
First you will create the user you will use for the tunnel. This will allow you to forward non-privileged ports over 1024.
''Note: This user does not have a password assigned or a shell. This will prevent user logins to the system.''
<pre>
useradd -m -s /bin/false autossh
</pre>
Now switch to the user and generate an SSH key:
<pre>
su -s /bin/bash autossh
cd ~
ssh-keygen -b 4096
</pre>
''Note: Leave password blank''
Once done, exit back to your normal user shell
<pre>
exit
</pre>
===Copy public key to target system===
You will need to copy '''''id_rsa.pub''''' file from '''''/home/autossh/.ssh/''''' to the '''''authorized_keys''''' file on the remote system you want to connect to for the tunnel.
''Note: It is recommended that you also create a normal user on the remote system and not use root.''
===Install autossh===
You will need to install the autossh program on the system that will initiate the SSH tunnel. Autossh automatically restarts the SSH tunnel when it exits.
<pre>
apt-get install autossh
</pre>
===Setup script===
Copy the following script, making the necessary changes as specified between the <> and place on the system that will initiate the tunnel (here we will save it as /opt/ssh-tunnel.sh):
<pre>
#!/bin/sh
#
su -s /bin/sh autossh -c 'autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure=yes" -f -T -R localhost:<target port>:<local IP or localhost>:<local port> <user>@<domain>'
</pre>
{| class="wikitable"
! Parameter !! Description
|-
| localhost || localhost or IP address on target system
|-
| <target port> || port on target system
|-
| <local IP or localhost> || localhost or IP address on system initiating tunnel
|-
| <local port> || port on system initiating tunnel
|-
| <user@domain> || username and domain to use when SSHing to target system
|}
An example of this command is:
<pre>
su -s /bin/sh autossh -c 'autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure=yes" -f -T -R localhost:3306:localhost:3306 joe@blow.com'
</pre>
This would allow the target (remote) system to access the local (system initiating the SSH tunnel) system's MySQL server over the tunnel.
You can also use -L to change the direction of the port forwarding from Remote to Local and have the initiating system forward data over the tunnel the the remote.
===Make script executable===
Make sure you mark the script as executable with:
<pre>
chmod +x /opt/ssh-tunnel.sh
</pre>
===Tunnel at startup===
To have the tunnel up when the system restarts, choose one of the following methods
====rc.local====
Add a line to /etc/rc.local that calls the script.
<pre>
# Start AutoSSH tunnel at boot
/opt/ssh-tunnel.sh
</pre>
''Note: You may have to enable rc.local on Ubuntu and Debian based systems via systemd. Refer to your distributions documentation for information on how to enable it.''
====systemd====
To have the script start at boot with systemd, create the following file and add it to /etc/systemd/system/ssh-tunnel.service
=====ssh-tunnel.service=====
<pre>
[Unit]
Description=AutoSSH Tunnel at boot
[Service]
Type=oneshot
ExecStart=/opt/ssh-tunnel.sh
[Install]
WantedBy=multi-user.target
</pre>
=====Enable service=====
To enable the service to run via systemd run:
<pre>
systemctl enable ssh-tunnel.service
</pre>
== GRE Tunnel ==
== GRE Tunnel ==
{{go to top}}
{{go to top}}
GRE Tunnels
===Public/Private VM tunnel===
GRE tunnels are useful for connecting a VM in a private/home network to the internet via a public server/VM. The following information will connect Server A (public server) to Server B (private server), and allow requests to Server B to be passed to Server A's resources for use on the Internet.
====Configuration====
'''IP addresses'''
* Server A will have a public IP of 30.30.30.30/24 and the GRE interface will be assigned 192.168.168.1/30
* Server B will have a private IP of 10.0.0.50/24, a public IP of 40.40.40.40/24 and the GRE interface will be assigned 192.168.168.2/30
'''Ports'''
* Ports 22, 80 and 443 will be forwarded over the GRE tunnel
=====Server A (Public)=====
Copy the following to /etc/gre.sh
<syntaxhighlight lang="bash">
#!/bin/sh
ip tunnel add gre1 mode gre local 10.0.0.50 remote 40.40.40.40 ttl 255
ip add add 192.168.168.1/30 dev gre1
ip link set gre1 up
iptables -t nat -A POSTROUTING -s 192.168.168.0/30 ! -o gre+ -j SNAT --to-source 30.30.30.30
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW.ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW.ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.168.2
iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.168.2
iptables -t nat -A PREROUTING -d 30.30.30.30 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.168.2
</syntaxhighlight>
=====Server B (Private)=====
* Add the following to /etc/iproute2/rt_tables<syntaxhighlight lang="text">
100 GRE</syntaxhighlight>
* Copy the following to /etc/gre.sh
<syntaxhighlight lang="bash">
#!/bin/sh
iptunnel add gre1 mode gre local 10.0.0.50 remote 30.30.30.30 ttl 255
ip addr add 192.168.168.2/30 dev gre1
ip link set gre1 up
ip rule add from 192.168.168.0/30 table GRE
ip route add default via 192.168.168.1 table GRE
</syntaxhighlight>
==L2TP Ethernet Pseudowires==
==L2TP Ethernet Pseudowires==
Calling tinc with -k or --kill option will cause it to automatically unregister itself.
Calling tinc with -k or --kill option will cause it to automatically unregister itself.
== SOCAT ==
SOCAT can be used to create a simple virtual network between two hosts using UDP and TUN devices.
'''Note: It is possible to use TCP for this as well, but without the nodelay option it might cause problems. You can also replace UDP with DTLS to add security to the connection.'''
*IP addresses used in this example:
{| class="wikitable" style="text-align: center; width: 35%"
! Host
! Address
! Mask
|-
| Physical server address
| 1.2.3.4
| N/A
|-
| Physical client address
| N/A
| N/A
|-
| TUN device on server
| 192.168.255.1
| 255.255.255.0
|-
| TUN device on client
| 192.168.255.2
| 255.255.255.0
|}
Note: UDP connections will use PORT 11443.
=== Create TUN devices ===
*TUN Server<syntaxhighlight lang="text">
socat -d -d UDP-LISTEN:11443,reuseaddr TUN:192.168.255.1/24,up</syntaxhighlight>
*TUN Client<syntaxhighlight lang="text">
socat UDP:1.2.3.4:11443 TUN:192.168.255.2/24,up</syntaxhighlight>
Executing these two commands will result in a connection being established from the client to the server via TUN devices.
=== Troubleshooting ===
The following are common errors that you may encounter when using SOCAT to create a VPN.
*Missing TUN/TAP Support<syntaxhighlight lang="text">
... E unknown device/address "tun"</syntaxhighlight>
The SOCAT binary probably does not provide TUN/TAP support. Reasons include not using Linux and using an older version of SOCAT.
*Missing Kernel Support<syntaxhighlight lang="text">
,,, E open("/dev/net/tun", 02, 0666): No such file or directory</syntaxhighlight>
This incidates that your kernel does not have TUN/TAP support compiled in.
*TUN Cloning Device Permissions<syntaxhighlight lang="text">
... E open("/dev/net/tun", 02, 0666): Permission denied</syntaxhighlight>
This indicates that you do not have sufficient permission to read or write to the TUN cloning device. Check the device's permssions and ownership.
== SoftEther ==
== SoftEther ==
*You can run it again to add/remove users or completely uninstall WireGuard
*You can run it again to add/remove users or completely uninstall WireGuard
=== Mikrotik Wireguard Road Warrior Config ===
From: https://forum.mikrotik.com/viewtopic.php?t=174417#<ref>Mikrotik Forums - MikroTik Wireguard server with Road Warrior clients [https://forum.mikrotik.com/viewtopic.php?t=174417#]</ref>
The following information will show you how to setup a Mikrotik Wireguard server with Road Warrior clients.
==== Network topology ====
The network used in this examples is 192.168.66.0/24. A Mikrotik device will be the server and client can be any device running the Wireguard software.
{| class="wikitable" style="text-align: center; width: 35%"
! System
! IP Address
|-
| Wireguard server
| 192.168.66.1
|-
| Wireguard client(s)
| 192.168.66.[2-254]
|}
==== Mikrotik Configuration ====
<syntaxhighlight lang="text">
# a private and public key will be automatically generated when adding the wireguard interface
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
# the first client added here is ipv4 only
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="*** replace-with-public-key-of-first-client ***"
# this client is dual stack - public IPv6 should be used - replace 2001:db8:cafe:beef: with one of your /64 prefixes.
add allowed-address=192.168.66.3/32,2001:db8:cafe:beef::3/128 interface=wireguard1 public-key="*** replace-with-public-key-of-second-client-dual-stack ***"
/ip address
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ipv6 address
add address=2001:db8:cafe:beef::1/64 interface=wireguard1
</syntaxhighlight>
==== Client configuration ====
<syntaxhighlight lang="text">
Interface: (whatever name you want to specify)
Public key: the client should automatically generate this - add this to the server above replacing "replace-with-public-key-of-second-client-dual-stack"
Addresses: 192.168.66.3/24,2001:db8:cafe:beef::3/64 (note these are different subnet masks than in the server config)
DNS servers: as desired - if you want to use the wireguard server for dns, specify 192.168.66.1
Peer:
Public key - get the public key from the wireguard interface on the Mikrotik device and place here
Endpoint - mydyndns.whatever:13231
Allowed IPs: 0.0.0.0/0, ::/0
</syntaxhighlight>
This client configuration will result in all traffic being forwarded via the Mikrotik Wireguard server. You will need to ensure:
*Create an input chain firewall rule to allow UDP traffic in on port 13231
<syntaxhighlight lang="text">
/ip firewall filter add action=accept chain=input comment="Allow Wireguard" dst-port=13231 protocol=udp
</syntaxhighlight>
*Ensure the Mikrotik firewall is allowing traffic from 192.168.66.0/24 and that you are NATing this traffic. If your device is based off the default Mikrotik config and using the LAN interface list, you can add the Wireguard interface to this list to allow traffic through and NATing it as it leaves your network. Otherwise, you will need to modify your configuration accordingly.
==== Get/Set Wireguard Peers ====
*Get Mikrotik Wireguard peers list
<syntaxhighlight lang="text">
/interface wireguard peers print
</syntaxhighlight>
*Set Mikrotik Wireguard peers list
<syntaxhighlight lang="text">
/interface wireguard peers set <ID> allowed-addresses=whatever,whateverelse
</syntaxhighlight>
== VPNC ==
== VPNC ==