Mikrotik Central VPN Server For Remote Branches Connectivity

 

 

.

Consider following scenario:

An ISP have multiple locations all over the country. Main Mikrotik router at NOC have fixed public IP. Radius Billing system is connected with LAN. All remote locations have Mikrotik Router boards as NAS and have dynamic public IP. All locations have there own internet connectivity with various ISP’s but we want to use our main RADIUS server as a centralized billing solution for all the REMOTE locations. So this is a short guide on howto create central Radius Server and connected all remote branches/nases with it.

 

Basic Points:

Create PPTP server at your Head Office Mikrotik.
Create user account in secret section, nd assign him fix IP address like 172.16.1.50
Now at branch office, create a pptp client in mikrotik pptp section, and add head office IP / user id passwd, Dont forget to UNCHECK “add DEFAULT ROUTE” button. because if you do so it will override default route and will route every traffic including internet requests too to head office, which will overload head office internet connection, since we only want to route request for specific IP/subnet, so we will create a route at both end so that request for specific ip subent should go via vpn tunnel .

Head Office Mikrotik Config

LAN subnet = 10.0.0.1/8
WAN subnet = 1.1.1.1/29
Radius = 10.0.0.2/8

First add IP pool for VPN users, like same as LAN series but with specific series.

/ip pool
add name=PPP-Pool ranges=172.16.0.1-172.16.1.255

Now add VPN Profile

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
add change-tcp-mss=default dns-server=10.0.0.1 local-address=10.0.0.1 name=vpn-profile only-one=default remote-address=PPP-Pool \
use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default

Now enable VPN server

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

Now add user so that we will be testing from remote location NAS.

/ppp secret
add caller-id=”” disabled=no limit-bytes-in=0 limit-bytes-out=0 name=aa password=aa profile=vpn-profile routes=”” service=any

Now add route for the 192.168.100.0/224 subnet in IP ROUTE section , via pptp gateway.

Remote Branch Mikrotik Config

LAN subnet = 192.168.100.1/8
WAN subnet = DYNAMIC Public IP x.x.x.x

Now we want to connect remote NAS with head office VPN server so that it can use central radius server as a centralized billing system.

In short: Create a pptp dialer , pointing to Head Office Main RB (where vpn is configured) , enter valid user id password, Make sure you remove tick from add default route, after its connect, simply add a route for 10.0.0.0/8 and its gateway pointing to pptp-out1 (pptp link we created above)

To be continued . . . will write soon about it , while writing guide,an issue in the network popedup . . 00-(

24.851000 67.008300