Easiest VPN method for Native Windows 10 VPN?

When everyone started working from home I just set up port forwarding for RDP and whitelisted their home IP addresses. I’d like to move to something a bit more reliable but still secure…

I set up SSTP Server on the Mikrotik - I can connect to it easily … but I can’t seem to get anywhere once connected. Reading up on Mikrotik forums it sounds like the way Windows does it is to use a DHCP query after the PPP tunnel is established … and this isn’t standard … plus I’d also need to set up routing rules *on the client* … which is a deal breaker. Also Intune doesn’t have SSTP as an option for provisioning VPN connections to client devices.

So is there an easier way of doing this? Ideally I’d like to be able to configure it in Intune or send them a Windows 10 Provisioning Package containing the VPN settings.

I have been reading that IKEv2 is the easiest - but the setup looks a bit more involved. Can anyone comment as to whether it’s worth the time to set up? Does it work seamlessly or is there a bunch of extra things that have to be done client side?

IPSec IKEv2 is the way to go. It is a bit of work to set up initially, but the payoff is worth it. Connects fast, secure, built into Windows and macOS as well as Android and iOS. It just works.

Comments on this thread seem to suggest L2TP/IPSec and IKEv2/IPSec.

The Mikrotik MUM presentation on setting up IKEv2 (https://youtu.be/fQokeBcrjdc?t=245) has a table that compares them.

There is a “push routes” list. Seems that’s where I ran into issues using SSTP. OpenVPN and IPSec IKE2 are the only ones that can push routes.

Strong Security - L2TP/IPSEC+psk, OpenVPN, and SSTP. IKEv2 has “Very Strong” security.

Performance - L2TP/IPSEC+psk is Medium, while IPSec IKE2 is Very Fast.

OS Popularity - SSTP is Low, rest are high except for L2TP/IPSEC+psk and PPTP which is Very High.

And all are “Yes” for “has interface” except IPSec IKE2 … not 100% sure what that means yet…

So it sounds like IKE2 is the way to go - unless the “Has Interface” is an issue …

I’ve implemented WireGuard - it’s fast, secure and running on a VM in my home infrastructure.

It’s also now a part of the 5.6 Linux kernel, so we should (hopefully) see it appear in Mikrotik at some point in the future.

Bonus: This was linked yesterday by The Register - and works REALLY well. This is also based off WireGuard VPN.

Edit: Re-read your requirements for a native Windows 10 VPN - which tends to be PPTP - which also tends to be the least trusted of the VPN solutions - so don’t use it. If you want a quick and dirty solution, try SoftEther, but my recommendation would be to use Tailscale.

In that order: IPSec/IKEv2, SSTP, L2TP/IPSec, PPTP.

OpenVPN is my go-to. It’s not native but can be deployed to most platforms.

I don’t know why anyone is suggesting anything other than this for the use case discussed. Sure, maybe IKEv2 is “better”, but L2TP/IPSec on a Mikrotik works with Mac, Windows, Android and iOS. It’s a piece of cake to configure, and almost as easy to deploy - especially if you have Intune.

I’ve seen IKEv2 recommended in many places - plus I see that it can be set up with both provisioning packages and Intune - making it great to push out from the cloud…

Question though - am I still going to run into issues where the Windows 10 client connects to the VPN (which is on a different subnet) but can’t talk to other subnets? That was what I ran into with SSTP … and the fix was to add a route on the client side, then set up a bunch of nat / firewall rules on the Mikrotik … Some of my Mikrotiks have complex configurations … I have a CCR1009-7G-1C-1S+ that is functioning purely as a core router … multiple WAN interfaces … VLANs … I’d rather not introduce additional routing tags into its mess.

Also - I’ve read about disconnect issues with IKEv2 … is that still a real thing?

https://www.reddit.com/r/Windscribe/comments/f34jt7/psa_users_being_disconnected_when_using_ikev2/

I went through and did the IKEv2 set up on the router. I can connect to it from Windows 10 fine … but can’t do anything with the connection.

What is the client’s ipconfig and route print supposed to look like when connected?

On mine they are:

> route print

DESTINATION      NETMASK          GATEWAY       INTERFACE
x.x.x.x          255.255.255.255  192.168.88.1  192.168.88.29
192.168.200.0    255.255.252.0    On-link       192.168.250.99
192.168.203.255  255.255.255.255  On-link       192.168.250.99
192.168.250.0    255.255.255.0    On-link       192.168.250.99
192.168.250.99   255.255.255.255  On-link       192.168.250.99
192.168.250.100  255.255.255.255  On-link       192.168.250.99
192.168.250.255  255.255.255.255  On-link       192.168.250.99

> ipconfig

PPP adapter [email protected]:

IPv4 Address. . . . . . : 192.168.250.99
Subnet Mask . . . . . . : 255.255.255.255
IPv4 Address. . . . . . : 192.168.250.100
Subnet Mask . . . . . . : 255.255.255.0
Default Gateway . . . . :

x.x.x.x is the remote router’s external IP. 192.168.88.x is my home network. 192.168.200.0/22 is the remote network’s internal subnet that I want to access. 192.168.250.x is the IP pool assigned on the mode config.

Most of the help articles I’ve been finding are people that can’t get it connected … not people that can’t use it… 🙂

Okay - so I finally got IKEv2 working… but I see a big problem. Intune installs a personal certificate with the purpose “Client Authentication” … having two personal certificates for that purpose breaks IKEv2 - it sends the wrong certificate…

So … you put SSTP ahead of L2TP/IPSec … I set up SSTP and it didn’t just work … client couldn’t access other subnets … the fix was to add a route on the client side … and do some fudgery on the router … So are you putting SSTP ahead because it’s secure … or because it’s easy to set up for a Win10 / Mikrotik solution?

This may be a firewalling issue. Also bear in mind that IPsec tends to have its own equivalent of routing tables; you need to think of it in IPsec terms when dealing with IPsec tunnels.
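The two failure modes discussed in this thread (a subnet that was never pushed to the client, so it leaves via the default route, and a route that does point into the tunnel but is not covered by any IPsec policy) can be checked offline from the client's own route table. The script below is an added example, not code from the thread or from Mikrotik: it parses the `route print` excerpt posted above (with a default route line added, since the excerpt omitted it), does a longest-prefix-match lookup like the Windows stack would, and then checks the destination against a hypothetical IPsec selector derived from the mode-config pool and the split-include subnet. The policy, the `10.10.0.0/16` manual route and the `diagnose()` verdicts are all assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample: the "route print" excerpt posted in the thread, plus an
# assumed default route via the home LAN gateway (the posted excerpt did not
# include it). "x.x.x.x" is the author's placeholder for the remote router's
# public IP and is deliberately left in so the parser has to skip it.
ROUTE_PRINT = """\
DESTINATION      NETMASK          GATEWAY       INTERFACE
0.0.0.0          0.0.0.0          192.168.88.1  192.168.88.29
x.x.x.x          255.255.255.255  192.168.88.1  192.168.88.29
192.168.200.0    255.255.252.0    On-link       192.168.250.99
192.168.203.255  255.255.255.255  On-link       192.168.250.99
192.168.250.0    255.255.255.0    On-link       192.168.250.99
192.168.250.99   255.255.255.255  On-link       192.168.250.99
192.168.250.100  255.255.255.255  On-link       192.168.250.99
192.168.250.255  255.255.255.255  On-link       192.168.250.99
"""

# Constructed: a route someone added by hand on the client (the "fix" the
# thread mentions for SSTP) that points into the tunnel but was never part
# of the IPsec negotiation.
MANUAL_ROUTE = "10.10.0.0         255.255.0.0      On-link       192.168.250.99\n"

# Hypothetical IPsec policy as the client would install it after mode-config:
# traffic between the assigned pool and the split-include subnet. Not the
# router's real configuration.
IPSEC_POLICIES = [
    (ipaddress.IPv4Network("192.168.250.0/24"), ipaddress.IPv4Network("192.168.200.0/22")),
]

ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_route_print(text):
    """Parse the IPv4 route table into (network, gateway, interface) tuples.
    Lines that are not valid routes (the header, placeholder addresses) are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        dest, mask, gw, iface = m.groups()
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, ipaddress.IPv4Address(iface)))
        except ValueError:
            continue  # header row or "x.x.x.x" placeholder
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def ipsec_selector_matches(policies, src, dst):
    """True if some policy's src/dst selectors cover this packet."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(src in s and dst in d for s, d in policies)


def diagnose(routes, policies, vpn_addr, dst):
    """Return (verdict, winning_network) for a destination:
    'not-tunnel' - the winning route leaves via another interface (subnet not pushed)
    'no-policy'  - it enters the tunnel interface but no IPsec selector covers it
    'ok'         - routed into the tunnel and matched by a policy
    'no-route'   - nothing matched at all"""
    hit = lookup(routes, dst)
    if hit is None:
        return ("no-route", None)
    net, _gw, iface = hit
    if iface != ipaddress.IPv4Address(vpn_addr):
        return ("not-tunnel", str(net))
    if not ipsec_selector_matches(policies, vpn_addr, dst):
        return ("no-policy", str(net))
    return ("ok", str(net))


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT + MANUAL_ROUTE)
    for target in ("192.168.200.10", "192.168.210.5", "10.10.3.4"):
        print(target, diagnose(routes, IPSEC_POLICIES, "192.168.250.99", target))
```

Run as-is it reports that the split-include subnet is fine, that `192.168.210.5` falls through to the default route (the subnet was never pushed, which is the "connected but can't reach other subnets" symptom), and that the hand-added `10.10.0.0/16` route would be silently dropped at the IPsec layer despite looking correct in `route print`.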

Got it working. I just exported the Intune certificate from the Machine certificate store (Personal) … then imported it into the certificate store on the router and updated the IPSec Identities’ remote-certificate.

I was able to push out the Router’s Intermediate Certificate and the VPN connection profile itself …
Just have to see if there is a way to obtain the Intune certificate remotely…

None of the above, or maybe ease of setup. Sometimes only SSTP works… unfortunately… it really depends on the situation.

It was an emergency during a nationwide outage of their primary ISP. My deployment of SSTP is small in numbers, but almost all clients were behind restrictive firewalls on secondary LTE, which broke our IPsec tunnels. PPTP (security, and possibly that messy ISP’s 🔥wall policy) and L2TP (🔥walled again) were no-go as well…

They were remotely set up by the users themselves (retail/sales) with over-the-phone instructions and little to no competence on their side.

They were all dropped into a dedicated subnet with the resources they needed to access and nothing more. All of it took me half a working day, including the instruction part.

PS: Always test your backup/contingency links/plans…