Tunnel between two mikroTik
Written by vaheeD on August 24, 2015
You need two mikrotik for this example and many many client :D
In this case you need …
1) two mikrotik connect to the internet
2) just one interface
3) Just have IP address for connecting to internet and Default Gateway
4)Copy and past :D
Now start with MT-01
open terminal and paste…
# aug/01/2015 12:00:00 by RouterOS 6.31
# vaheeD MT-S
#Please Attention to all comment
#Secure VPN Server with
#OVPN SERVER ON PORT 10022 ** You can chenage this port to XXXXX
#SSTP SERVER ON PORT 1025 ** You can chenage this port to XXXXX
#WINBOX PORT 6600 ### SSH PORT 2221
#
/certificate
add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
sign ca-template name=myCa
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc
/ip pool
add name=pool ranges=192.168.88.100-192.168.88.200
/ppp profile
set 0 dns-server=8.8.8.8,4.2.2.1 local-address=192.168.88.1 remote-address=\
pool
set 1 dns-server=8.8.8.8,4.2.2.1 local-address=192.168.88.1 \
remote-address=pool
/interface ovpn-server server
set enabled=yes \
port=10022
/interface sstp-server server
set enabled=yes port=1025
/ip address
###CHANGE PUBLIC_IP ADDRESS TO xxx.xxx.xxx.xxx
#add address=PUBLIC_IP interface=ether1
add address=192.168.88.1/24 interface=ether1 network=192.168.99.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,4.2.2.1
/ip firewall mangle
/ip firewall nat
add action=masquerade chain=srcnat
###CHANGE PUBLIC_IP ADDRESS TO xxx.xxx.xxx.xxx
#add action=src-nat chain=srcnat to-addresses=PUBLIC_IP
###CHANGE DefaultGateway ADDRESS TO zzz.zzz.zzz.zzz
#/ip route
#add distance=1 gateway=DefaultGateway
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2221
set winbox port=6600
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=ppp password=ppp
###EXPORT CA For Client ###OPTIONAL
#/certificate export-certificate myCa
#/certificate export-certificate client1 export-passphrase=xxxxxxxx
#/certificate export-certificate client2 export-passphrase=xxxxxxxx
###FINISH SCRIPT.
now paste
/interface ovpn-server server
set certificate=myca
Move to MT-02
****
now change xxx.xxx.xxx.xxx TO Public ip address MT-01
****
open terminal and paste…
# aug/01/2015 12:00:00 by RouterOS 6.31
# vaheeD MT-CS
#Please Attention to all comment
#Secure VPN Server with
#PPTP SERVER With PAP Configuration
#L2TP SERVER With PresharedKEY : 123456789
#WEB_PROXY SERVER ON PORT 9090
#SOCKS_PROXY SERVER ON PORT 10520
#WINBOX PORT 6600 ### SSH PORT 2221
#
### CHANGE xxx.xxx.xxx.xxx TO IP MT-S
:global vpnserverOUT xxx.xxx.xxx.xxx
/interface ovpn-client
add auth=md5 connect-to="$vpnserverOUT" name=\
ovpn-out1 password=ppp port=10022 user=ppp
add auth=md5 cipher=aes192 connect-to="$vpnserverOUT" name=\
ovpn-out2 password=ppp port=10022 user=ppp
add auth=md5 cipher=aes192 connect-to="$vpnserverOUT" name=\
ovpn-out3 password=ppp port=10022 user=ppp
add auth=md5 cipher=aes128 connect-to="$vpnserverOUT" name=\
ovpn-out4 password=ppp port=10022 user=ppp
add cipher=aes256 connect-to="$vpnserverOUT" name=\
ovpn-out5 password=ppp port=10022 user=ppp
add auth=md5 connect-to="$vpnserverOUT" name=\
ovpn-out6 password=ppp port=10022 user=ppp
add cipher=aes128 connect-to="$vpnserverOUT" name=\
ovpn-out7 password=ppp port=10022 user=ppp
add auth=md5 cipher=aes128 connect-to="$vpnserverOUT" name=\
ovpn-out8 password=ppp port=10022 user=ppp
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc,aes-256-cbc \
pfs-group=none
/ip pool
add name=vpn ranges=192.168.89.100-192.168.89.200
/ppp profile
add change-tcp-mss=yes dns-server=192.168.89.1,8.8.8.8 \
local-address=192.168.89.1 name=VPN remote-address=vpn
/interface sstp-client
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out1 password=ppp pfs=yes profile=default-encryption user=ppp
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out2 password=ppp pfs=yes profile=default-encryption user=ppp
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out3 password=ppp pfs=yes profile=default-encryption user=ppp
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out4 password=ppp pfs=yes profile=default-encryption user=ppp
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out5 password=ppp pfs=yes profile=default-encryption user=ppp
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out6 password=ppp pfs=yes profile=default-encryption user=ppp
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out7 password=ppp pfs=yes profile=default-encryption user=ppp
add connect-to="$vpnserverOUT:1025" disabled=no http-proxy=0.0.0.0:1025 name=\
sstp-out8 password=ppp pfs=yes profile=default-encryption user=ppp
/interface l2tp-server server
set default-profile=VPN enabled=yes max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=pap default-profile=VPN enabled=yes max-mru=1460 max-mtu=\
1460
/ip address
###CHANGE PUBLIC_IP ADDRESS TO xxx.xxx.xxx.xxx
#add address=PUBLIC_IP interface=ether1
add address=192.168.89.1/24 interface=ether1 network=192.168.89.0
/ip dns
set allow-remote-requests=yes cache-max-ttl=1h cache-size=8192KiB \
max-udp-packet-size=8192 servers=4.2.2.4,8.8.8.8
/ip firewall address-list
add address=192.168.0.0/16 list=local
add address=172.16.0.0/12 list=local
add address=10.0.0.0/8 list=local
/ip firewall mangle
add chain=prerouting comment=accept-internal-network dst-address-list=local
add chain=output comment=accept-internal-network dst-address-list=local
add action=mark-routing chain=prerouting new-routing-mark=VPN src-address=\
192.168.89.0/24
add action=mark-routing chain=output dst-port=80 new-routing-mark=VPN \
protocol=tcp
add action=mark-routing chain=output dst-port=443 new-routing-mark=VPN \
protocol=tcp
add action=mark-routing chain=output dst-port=53 new-routing-mark=VPN \
protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp \
generate-policy=port-override local-address=0.0.0.0 secret=123456789
/ip proxy
set always-from-cache=yes anonymous=yes cache-administrator=noway! \
cache-on-disk=yes cache-path=disk1/web-proxy1 enabled=yes parent-proxy=\
0.0.0.0 port=9090 serialize-connections=yes
/ip proxy direct
add dst-address=192.168.0.0/16
add dst-address=172.16.0.0/16
add dst-address=10.10.0.0/16
add dst-host=*.ir
/ip route
add comment=OUTPUT distance=1 gateway="ovpn-out1,ovpn-out2,ovpn-out3,ovpn-out4,\
ovpn-out5,ovpn-out6,ovpn-out7,ovpn-out8,sstp-out1,sstp-out2,sstp-out3,sstp\
-out4,sstp-out5,sstp-out6,sstp-out7,sstp-out8" routing-mark=VPN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2221
set api disabled=yes
set winbox port=6600
/ip socks
set connection-idle-timeout=5m enabled=yes max-connections=500 port=10520
/ppp secret
add name=ppp password=ppp profile=VPN
###FINISH SCRIPT
Client Connect to MT-02 with Public IP address.
Have a GOOD Day!