Mikrotik VPN
We want the Mikrotik to bring up its L2TP connection to the server whenever a check of the web server says it should.
- Web server site
- VPN server
- l2tp Mikrotik client
On the web server, we edit the file out.txt for each VPN client; the client fetches it to check whether it needs to connect or not.
[krit@mini D4410D3300C8]$ pwd
/home/krit/public_html/Tmp/D4410D3300C8
[krit@mini D4410D3300C8]$ cat out2.txt
trueiot.io, tonic11, vpnPassw0rd, 1,
[krit@mini D4410D3300C8]$
In the above, vpn server=trueiot.io, vpn username=tonic11, passwd=vpnPassw0rd, connect enable=1 (to disable the connection this value is set to 0).
Note: the line must end with ",", e.g. "1,"; otherwise the $conn comparison in the script below would have to compare against "1\n" or "0\n" instead of "1" or "0".
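The same parsing and the same decision tree, written out in Python as an added example (this is not code from the page or from RouterOS; the names parse_control_line, decide_action and VpnCommand are assumptions made here). It shows why the trailing comma matters and how a parser can tolerate both "1," and "1\n", and it validates the connect flag before anything acts on it. Note that the router scripts on this page fetch this file over plain http://, so the web server and the path to it are what the router trusts.

```python
"""Parse the per-client control line that the router fetches.

Format (from the page):  <vpn server>, <username>, <password>, <connect flag>,
The trailing comma matters for the RouterOS script, which compares the fourth
field with "0" or "1"; without it the field would carry the newline ("1\n").
This parser strips whitespace so both forms are accepted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnCommand:
    server: str
    username: str
    password: str
    connect: bool


def parse_control_line(text: str) -> VpnCommand:
    # Strip the surrounding newline/whitespace so "1\n" and "1," both parse.
    fields = [f.strip() for f in text.strip().split(",")]
    # A trailing comma produces an empty last field; drop it.
    if fields and fields[-1] == "":
        fields.pop()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {text!r}")
    server, user, password, flag = fields
    if not server or not user:
        raise ValueError("server and username must not be empty")
    # Only the two documented values are accepted; anything else is rejected
    # rather than silently treated as "connect".
    if flag not in ("0", "1"):
        raise ValueError(f"connect flag must be 0 or 1, got {flag!r}")
    return VpnCommand(server, user, password, flag == "1")


def decide_action(cmd: VpnCommand, vpn_gateway_reachable: bool) -> str:
    """Mirror the router script's branches.

    flag 0                          -> disable l2tp-out1 (and drop the route)
    flag 1, VPN gateway unreachable -> set connect-to/user/password, enable
    flag 1, VPN gateway reachable   -> leave it alone
    """
    if not cmd.connect:
        return "disable"
    if not vpn_gateway_reachable:
        return "configure-and-enable"
    return "already-connected"


if __name__ == "__main__":
    # Constructed sample lines; the first matches the page's out2.txt.
    for line in ("trueiot.io, tonic11, vpnPassw0rd, 1,\n",
                 "trueiot.io, tonic11, vpnPassw0rd, 0\n",
                 "trueiot.io, tonic11, vpnPassw0rd, yes,\n"):
        try:
            cmd = parse_control_line(line)
            print(cmd.username, "->", decide_action(cmd, vpn_gateway_reachable=False))
        except ValueError as exc:
            print("rejected:", exc)
```

The reachability argument stands in for the script's `/ping 10.50.30.254` check; feeding it from a real probe is the only part left to the caller.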
VPN with L2TP config script
[admin@G02] /system script> print
Flags: I - invalid
 0 name="http_getvpn" owner="admin" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
   dont-require-permissions=no last-started=mar/02/2021 17:06:04 run-count=20 source=
   {
   :local serialnum [/system routerboard get serial-number];
   :put $serialnum;
   :local name1 [/system identity get name];
   :put $name1
   :local result [/tool fetch url="http://myComPany.com/~krit/SF19/$name1/cmd.txt" as-value output=user];
   :put $result;
   :local msg ($result->"data");
   :put "---msg---";
   :put $msg;
   :put "---msg 3 --";
   :local myArray [:toarray [:pick $msg ([:find $msg ":"]) [:len $msg]]];
   :local ipaddr [:pick $myArray 0];
   :local uname [:pick $myArray 1];
   :local passwd [:pick $myArray 2];
   :local conn [:pick $myArray 3];
   :put "ip: $ipaddr";
   :put "user: $uname";
   :put "passwd: $passwd";
   :put "connect: $conn";
   :put "------------";
   :local serialnum [/system routerboard get serial-number];
   :put $serialnum;
   :if ($result->"status" = "finished") do={
       :if ( $conn = "0" ) do={
           :log info "value is $conn disable l2tp-out1 for user $uname";
           :put "value is $conn disable l2tp-out1 for user $uname";
           /interface l2tp-client disable l2tp-out1;
       } else={
           :if ( [/ping 10.50.30.254 count=3 size=64 interval=2s]=0 ) do={
               :log error "----VPN didn't connect";
               :put "edit user: $uname in l2tp";
               :log info "edit user: $uname in l2tp";
               /interface l2tp-client set connect-to=$ipaddr l2tp-out1;
               /interface l2tp-client set user=$uname l2tp-out1;
               /interface l2tp-client set password=$passwd l2tp-out1;
               /interface l2tp-client enable l2tp-out1;
               /ip route add dst-address=10.50.30.0/24 gateway=10.50.30.254
           } else={
               :log info "----VPN already connect";
           }
       }
   }
   }
 1 name="script_reboot" owner="admin" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
   dont-require-permissions=no run-count=0 source=
   :if ([/ping 8.8.8.8 count=3 size=64 interval=2s]=0) do={
       :log error "LTE DOWN";
       /system reboot;
   } else={
       :log info "LTE OK";
   }
 2 name="check_internet" owner="admin" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
   dont-require-permissions=no run-count=0 source=
   :if ([/ping 8.8.8.8 count=3 size=64 interval=2s]=0) do={
       :log error "----Internet DOWN";
       /interface lte set numbers=lte1 disabled=yes;
       /system routerboard usb power-reset duration=1;
       :log info "---Power USB DOWN ---";
       /delay 40s;
       /interface lte set numbers=lte1 disabled=no;
       :log info "---Enable lte1 ";
   } else={
       :log info "----Internet OK";
   }
[admin@MikroTik] >
Better version of the VPN script
:local serialnum [/system routerboard get serial-number];
:put $serialnum;
:local name1 [/system identity get name];
:put $name1
:local result [/tool fetch url="http://myCompaNy.com/~po/SF19/$name1/cmd.txt" as-value output=user];
:put $result;
:if ($result->"status" = "finished") do={
    :local msg ($result->"data");
    :put "---msg---";
    :put $msg;
    :put "---msg 3 --";
    :local myArray [:toarray [:pick $msg ([:find $msg ":"]) [:len $msg]]];
    :local ipaddr [:pick $myArray 0];
    :local uname [:pick $myArray 1];
    :local passwd [:pick $myArray 2];
    :local conn [:pick $myArray 3];
    :put "ip: $ipaddr";
    :put "user: $uname";
    :put "passwd: $passwd";
    :put "connect: $conn";
    :put "------------";
    :if ( $conn = "0" ) do={
        :log info "value is $conn disable l2tp-out1 for user $uname";
        :put "value is $conn disable l2tp-out1 for user $uname";
        /interface l2tp-client disable l2tp-out1;
        /ip route remove [find dst-address=10.50.30.0/24]
    } else={
        :if ( [/ping 10.50.30.254 count=3 size=64 interval=2s]=0 ) do={
            :log error "----VPN didn't connect";
            :put "edit user: $uname in l2tp";
            :log info "edit user: $uname in l2tp";
            /interface l2tp-client set connect-to=$ipaddr l2tp-out1;
            /interface l2tp-client set user=$uname l2tp-out1;
            /interface l2tp-client set password=$passwd l2tp-out1;
            /interface l2tp-client enable l2tp-out1;
            /ip route add dst-address=10.50.30.0/24 gateway=10.50.30.254
        } else={
            :log info "----VPN already connect";
        }
    }
}
Add a firewall rule to allow SSH from the WAN
/ip firewall filter add action=accept chain=input disabled=no dst-port=22 protocol=tcp place-before=2
Add NAT rules to forward ports arriving on the L2TP interface to the dst-nat IP addresses
[admin@LOTUSBKP101] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 chain=dstnat action=dst-nat to-addresses=192.168.188.21 to-ports=80 protocol=tcp in-interface=l2tp-out1 dst-port=8001 log=yes log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.188.22 to-ports=80 protocol=tcp in-interface=l2tp-out1 dst-port=8002 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.188.23 to-ports=80 protocol=tcp in-interface=l2tp-out1 dst-port=8003 log=no log-prefix=""
4 chain=dstnat action=dst-nat to-addresses=192.168.188.23 to-ports=22 protocol=tcp in-interface=l2tp-out1 dst-port=2203 log=no log-prefix=""
5 chain=dstnat action=dst-nat to-addresses=192.168.188.21 to-ports=22 protocol=tcp in-interface=l2tp-out1 dst-port=2201 log=no log-prefix=""
6 chain=dstnat action=dst-nat to-addresses=192.168.188.22 to-ports=22 protocol=tcp in-interface=l2tp-out1 dst-port=2202 log=no log-prefix=""
[admin@LOTUSBKP101] /ip firewall nat>
Last modified on 04/16/21 06:46:21