wiki:Mikrotikvpn

Version 13 (modified by krit, 4 years ago)

Mikrotik VPN

We want the Mikrotik to bring up its L2TP connection to the server whenever it checks the web server and finds the connection enabled. Three parts are involved:

  1. Web server site
  2. VPN server
  3. l2tp Mikrotik client

On the web server we need to edit the file out.txt for each VPN client; the client fetches it to check whether it needs to connect or not.

[krit@mini D4410D3300C8]$ pwd
/home/krit/public_html/Tmp/D4410D3300C8
[krit@mini D4410D3300C8]$ cat out2.txt 
trueiot.io, tonic11, vpnPassw0rd, 1,
[krit@mini D4410D3300C8]$ 

In the above, vpn server=trueiot.io, vpn username=tonic11, passwd=vpnPassw0rd, connect enable=1 (to disable the connection set this value to 0).
Note: the line needs a trailing "," (e.g. "1,"); otherwise the value $conn in the script below would have to be compared against "1\n" or "0\n" instead of "1" or "0".
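As an added example (not the wiki's own code), this Python model of the control-file contract shows the trailing-comma rule in action: the writer always emits the comma, the parser mirrors what the RouterOS script does with :find, :pick and :toarray, and decide() applies the same branch logic as the script. It assumes :toarray trims spaces but not newlines (which is what the note above implies) and, as a further assumption, treats the text after the first ":" as the payload.

```python
"""Model of the web-server control file used by the Mikrotik L2TP script.

One line per router:  "<vpn server>, <username>, <password>, <connect flag>,"
Added example; the router-side behaviour (:find/:pick/:toarray) is emulated,
assuming :toarray trims spaces but not newlines, as the note above implies.
"""


def write_control_line(server: str, user: str, password: str, enabled: bool) -> str:
    """Render one control line the way the router script expects it.

    The trailing comma is deliberate: it keeps the newline out of the flag field.
    """
    for field in (server, user, password):
        if any(c in field for c in ",:\n"):
            raise ValueError("fields must not contain ',', ':' or newline")
    return f"{server}, {user}, {password}, {1 if enabled else 0},\n"


def parse_control_line(data: str) -> dict:
    """Emulate the script: keep the text after the first ':' (assumption: the
    whole text when there is none), split on ',', strip spaces only."""
    start = data.find(":") + 1          # -1 + 1 == 0 when there is no ':'
    fields = [f.strip(" ") for f in data[start:].split(",")]
    if len(fields) < 4:
        raise ValueError("expected server, user, password, flag")
    return {"server": fields[0], "user": fields[1],
            "password": fields[2], "connect": fields[3]}


def decide(ctl: dict, vpn_reachable: bool) -> str:
    """Same decision the script makes from the flag and the ping to 10.50.30.254.

    '0' disables the l2tp-out1 client; anything else means "should be up", so
    the client is reconfigured and enabled only when the gateway is unreachable.
    """
    if ctl["connect"] == "0":
        return "disable"
    return "already-up" if vpn_reachable else "configure-and-enable"


if __name__ == "__main__":
    # Constructed sample: the same values as the out2.txt shown above.
    good = write_control_line("trueiot.io", "tonic11", "vpnPassw0rd", False)
    print(repr(good), "->", decide(parse_control_line(good), False))  # disable
    # Without the trailing comma the flag becomes "0\n", "0" never matches,
    # and the script enables the tunnel it was told to disable.
    bad = "trueiot.io, tonic11, vpnPassw0rd, 0\n"
    print(repr(bad), "->", decide(parse_control_line(bad), False))  # configure-and-enable
```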

VPN with l2tp config script

[admin@G02] /system script> print 
Flags: I - invalid 
 0   name="http_getvpn" owner="admin" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon 
     dont-require-permissions=no last-started=mar/02/2021 17:06:04 run-count=20 source=
       {
                    :local serialnum [/system routerboard get serial-number];
                    :put $serialnum;
                    :local name1 [/system identity get name];
                    :put $name1
                    :local result [/tool fetch url="http://myComPany.com/~krit/SF19/$name1/cmd.txt" as-value output=user];
                    :put $result;
                    :local msg ($result->"data");
                    :put "---msg---";
                    :put $msg;
                    :put "---msg 3 --";
                    :local myArray [:toarray [:pick $msg ([:find $msg ":"]) [:len $msg]]];
                    :local ipaddr [:pick $myArray 0];
                    :local uname [:pick $myArray 1];
                    :local passwd [:pick $myArray 2];
                    :local conn [:pick $myArray 3];
                    :put "ip: $ipaddr";
                    :put "user: $uname";
                    :put "passwd: $passwd";
                    :put "connect: $conn"; 
                    :put "------------";
                    :local serialnum [/system routerboard get serial-number];
                    :put $serialnum;
                    :if ($result->"status" = "finished") do={                                            
                       :if ( $conn = "0" ) do={
                           :log info "value is $conn disable l2tp-out1 for user $uname";      
                           :put "value is $conn disable l2tp-out1 for user $uname";
                           /interface l2tp-client disable l2tp-out1; 
                       } else={             
                           :if ( [/ping 10.50.30.254 count=3 size=64 interval=2s]=0 ) do={
                             :log error "----VPN didn't connect";
                             :put "edit user: $uname in l2tp";
                             :log info "edit user: $uname in l2tp";
                             /interface l2tp-client set connect-to=$ipaddr l2tp-out1;
                             /interface l2tp-client set user=$uname l2tp-out1; 
                             /interface l2tp-client set password=$passwd l2tp-out1;
                             /interface l2tp-client enable l2tp-out1;
                             /ip route add dst-address=10.50.30.0/24 gateway=10.50.30.254
                           } else={
                             :log info "----VPN already connect";
                           }
                        }
                     }                        
       } 

 1   name="script_reboot" owner="admin" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon 
     dont-require-permissions=no run-count=0 source=
       :if ([/ping 8.8.8.8 count=3 size=64 interval=2s]=0) do={
           :log error "LTE DOWN";
           /system reboot;
       } else={
           :log info "LTE OK";
       }

 2   name="check_internet" owner="admin" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon 
     dont-require-permissions=no run-count=0 source=
       :if ([/ping 8.8.8.8 count=3 size=64 interval=2s]=0) do={
              :log error "----Internet DOWN";
              /interface lte set numbers=lte1 disabled=yes;
              /system routerboard usb power-reset duration=1;
              :log info "---Power USB DOWN ---";
              /delay 40s;
              /interface lte set numbers=lte1 disabled=no;
              :log info "---Enable lte1 ";
       } else={
              :log info "----Internet OK";
       }   


[admin@MikroTik] > 

Better version of VPN

# Fetch the per-router control file from the web server and act on it.
:local serialnum [/system routerboard get serial-number];
:put $serialnum;
# The router identity selects which cmd.txt is fetched.
:local name1 [/system identity get name];
:put $name1;
:local result [/tool fetch url="http://myCompaNy.com/~po/SF19/$name1/cmd.txt" as-value output=user];
:put $result;
# Only act when the download actually completed.
:if ($result->"status" = "finished") do={
    :local msg ($result->"data");
    :put "---msg---";
    :put $msg;
    :put "---msg 3 --";
    # Split the comma-separated line into: server, user, password, connect flag
    :local myArray [:toarray [:pick $msg ([:find $msg ":"]) [:len $msg]]];
    :local ipaddr [:pick $myArray 0];
    :local uname [:pick $myArray 1];
    :local passwd [:pick $myArray 2];
    :local conn [:pick $myArray 3];
    :put "ip: $ipaddr";
    :put "user: $uname";
    :put "passwd: $passwd";
    :put "connect: $conn";
    :put "------------";

    :if ( $conn = "0" ) do={
        # Flag is 0: tear the tunnel down and remove its route.
        :log info "value is $conn disable l2tp-out1 for user $uname";
        :put "value is $conn disable l2tp-out1 for user $uname";
        /interface l2tp-client disable l2tp-out1;
        /ip route remove [find dst-address=10.50.30.0/24]
    } else={
        # Flag set: (re)configure and enable the tunnel only when the VPN gateway does not answer.
        :if ( [/ping 10.50.30.254 count=3 size=64 interval=2s]=0 ) do={
            :log error "----VPN didn't connect";
            :put "edit user: $uname in l2tp";
            :log info "edit user: $uname in l2tp";
            /interface l2tp-client set connect-to=$ipaddr l2tp-out1;
            /interface l2tp-client set user=$uname l2tp-out1;
            /interface l2tp-client set password=$passwd l2tp-out1;
            /interface l2tp-client enable l2tp-out1;
            /ip route add dst-address=10.50.30.0/24 gateway=10.50.30.254
        } else={
            :log info "----VPN already connect";
        }
    }
}

Add a firewall rule to allow SSH from the WAN

/ip firewall filter add action=accept chain=input disabled=no dst-port=22 protocol=tcp place-before=2