SSTP – VPN MIKROTIK TUTORIAL [ENG SUB]

Hello guys, welcome back again to the Mikrotik Indonesia YouTube channel, which provides tips and tricks about Mikrotik. This time I will continue the tutorial series on VPN from the previous videos provided by my friends: the first video was a VPN introduction, then there was PPTP, and next I will explain SSTP, or Secure Socket Tunneling Protocol. Before continuing to the video explanation, don’t forget to subscribe and click the bell button so that you get the latest video updates from us.

There are many ways or methods to create a VPN network, or Virtual Private Network. The previous video already explained PPTP, or Point to Point Tunneling Protocol. In this tutorial I will try to make a simulation of how we can use SSTP, or Secure Socket Tunneling Protocol. What’s the difference? Conceptually it is similar to PPTP. I will explain two mechanisms, two examples of implementation that we will try. The first is site-to-site VPN. This method is commonly used to connect two sites where it is not possible to use a physical connection, for example on different islands or in different countries. In the previous video we used PPTP; now we use the SSTP method. Besides that, we can also use SSTP for the mobile client, but SSTP is not as flexible as PPTP, because for now not all operating systems provide an SSTP client feature.

Immediately I will make a simulation with a topology like this. If you pay attention, or if you haven’t seen the PPTP video tutorial before, please search this channel, because the topology that I use now is the same; the shape is the same, and the only difference is the type or tunneling method that will be used, namely SSTP. The first step: these two sites must be connected. They do not have to use the same ISP, because in each region it must be different. Different ISPs and different public IPs are not a problem, because with this SSTP method the server and client can still be connected even though they use different public IPs; the term is different segments. Then each office also has a LAN network, and the goal is for these LANs to be able to communicate. If we assume site A and site B, or office A and office B, are located on different islands or in different countries, we can’t use a physical connection anymore, or we could use optical fiber at a very expensive cost or over a long time. Therefore this VPN method is one solution that is fast and maybe cheap, if both sites are connected to the internet.

In the picture there are two routers. Router1 is a simulation of the head office, or Office A. There is another router in front of me acting as office B, or as a branch office. The process we need to do first, because we have to connect to the internet, is the basic configuration. If you are still in doubt about how to do the basic configuration, you can learn it in the basic Mikrotik configuration video on this channel; please find the video. The point is that both sites, each office, must be connected to the internet, because in making a VPN connection we use the internet network as a virtual interface.

Now I configure the internet connection on the Office B router, which here acts as a branch office. Here you can see the RB951Ui-2HnD router, which is used as a simulation of the branch office router. You can use any type of Mikrotik router, because the way to configure a Mikrotik router is almost the same on all of them. As an example I use two connections: there is a WAN and there is a LAN too. On my network the WAN connection happens to use DHCP Client, so here I have to set the DHCP client; the internet connection uses ether1 and has already got an IP address. Then for the LAN connection I use ether2. Things like this are still part of the basic configuration: this one is for the WAN IP and the bottom one for the LAN IP, or local network. To make it easier for me to configure, I will add a DHCP Server on the LAN; we can enter the IP menu, then DHCP Server, to configure it. My laptop connects to ether2, and I set it to obtain an IP automatically, so using the DHCP Server my laptop gets an automatic IP address, and now my laptop is getting IP address 192.168.30.254. After this section is finished, don’t forget the configuration for the NAT firewall, or srcnat masquerade, with Out. Interface set to ether1. If you are still confused and doubtful about basic configurations like this, please learn from the basic configuration video on this channel, because we have discussed it in more detail in that video.

This time I demonstrated the configuration in one office, because the configuration in office A is the same. Do not forget to give the router a name in the System > Identity menu; for example, I named this router Office B, so later there will be Office A and also Office B.
The next step: we configure the SSTP Server. We configure the router in office A; I happen to have prepared a router which uses IP address 192.168.128.05 and acts as Office A. For VPN configuration on Mikrotik devices everything is in the PPP menu, so we enter the PPP menu on the top left. On the Interface tab we can see there are several buttons: there is PPTP Server, there is SSTP Server, L2TP Server and also OpenVPN Server. PPTP was discussed in the previous video, so this time we will discuss the SSTP Server. To configure it, we click the SSTP Server button; the display is not much different from configuring the PPTP Server. We check Enable, then for the profile we select default-encryption, then OK.

In this SSTP Server configuration we are later given a choice of Certificate. One difference that can be seen between PPTP and SSTP is that with SSTP we can use an SSL certificate for the encryption options. PPTP uses TCP port 1723, and it is possible that some ISPs block that port; alternatively we can use SSTP, which uses the default port 443. Port 443 is the same one used for https websites, so it’s very unlikely to be blocked by an ISP. For example, if PPTP cannot be used we can try another alternative, SSTP, with or without a certificate. If the devices are both Mikrotik we can try the one without a certificate. Let’s first try without using a certificate: we check to enable the SSTP service, then click OK.

For the next step, to create a VPN we have to set up authentication, so on the service side we need to make Secrets. Here there is an account for secrets; we can add one or use the existing one. Making secrets is the same as for PPTP or another type of VPN. For this experiment I chose the service specifically as SSTP; we can also choose PPTP when creating a PPTP server, or choose any so that later it can be used for all types of VPN. Don’t forget also to determine the Local and Remote Address; these are the IP addresses that will be installed when the SSTP service is connected. For example, for the local address I give IP address 10.2.2.1, then for the remote address 10.2.2.2. For this part, make it a habit to use a private IP address which has not been installed before on the router, so that it will be easier to manage IP addresses. For making users you can adjust: for example, if more than one user is required, we can do it by adding secrets like the ones at the bottom, or maybe only use one user, depending on individual needs.

For the SSTP Server configuration, something as simple as this is enough. Don’t forget to set the profile in the secret to default-encryption; its use is for encrypting the data during transactions. So if there are questions like “is using a VPN safe or not?”, the data should be safe because the data is encrypted, since we chose the default-encryption profile. This is the configuration for the SSTP server router, or office A.

Then we switch to the client configuration, or office B. We will specify office B as the SSTP client. I have now remotely entered the router for office B; do not miss the steps, the configuration is almost the same. First we enter the PPP menu. We check first whether we can ping the server’s public IP address or not: we enter the terminal menu.
Then we ping 192.168.128.105. For this experiment I simulate 192.168.128.105 as the public IP of the Office A server. We see replies, which means we can reach the server’s IP address. Then we make the SSTP client: we enter the PPP menu, and on the Interface tab we add an SSTP Client. Suppose I give it the name sstp-center. Then on the Dial Out tab, for the Connect To parameter we fill in the public IP of the server; this time we use 192.168.128.105. Then the most important part is the User parameter: the server settings were already made with user name1, then my password is “test” for now. Because we do not use a certificate, we can disable the parameter Verify Server Address From Certificate; we can use this parameter if the certificate already exists on the client and server. Then we click OK. The SSTP connection should now be established, if the username and password are filled in correctly, and the R flag will appear in front of this interface.

If it has formed like this, between site A and site B it is as if you already have a direct connection using VPN, although physically they are not directly connected. This SSTP interface will also have the IP address specified on the server side; we can check in the IP > Addresses menu, where a new IP will appear on the sstp-center interface. This IP address is given automatically from the Secrets settings on the server, so we don’t need to configure the IP address manually.

After the IP address on the interface has appeared, to connect the LANs on both sites we must add static routing first. We enter the IP menu, then the Routes menu. The IP address in office A is 172.16.1.0, so this time I add it to the route list by pressing the + sign. In Dst. Address we enter 172.16.1.0/24. The Gateway parameter can use an IP address; for example we fill in IP 10.2.2.1, which is the IP address of the VPN interface. Because this VPN is also in the PPTP category, we can also fill in the Gateway with the SSTP interface; that applies specifically only to VPN, not to physical interfaces. For example we used Gateway IP address 10.2.2.1, and the route will appear with the US flags.

Don’t forget to make the return-path routing: this was routing from office B to the office A LAN, and static routing from office A to the office B LAN must also be made. We have to enter the router in office A. Once we have entered the office A router, a new interface will also automatically appear in the PPP menu according to the username, and the IP address will also appear on the SSTP interface. So we can just make it in the IP > Routes menu: we add a new route with Dst. Address set to the office B LAN, 192.168.30.0/24, we fill in the gateway 10.2.2.2, then click OK. The routing is already made. We can try to check from the office A router: we open New Terminal, then try to ping 192.168.30.1, then we try to ping my laptop with IP 192.168.30.245; look, it already works. We can also ping from Office B. Incidentally my laptop is a client on the office B LAN, so my position is in the office B LAN. If I open a New Terminal on the laptop and, for example, ping 172.16.1.1, look, it already works, which means the LANs in office A and office B can already communicate.
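The site-to-site setup just described (basic WAN/LAN/NAT on the branch router, SSTP server and secret on the Office A router, SSTP client on the Office B router, and the static route in each direction) as an added example written as RouterOS CLI commands instead of the WinBox clicks shown in the video. This is not the video’s own command listing. It assumes RouterOS 6 command syntax and the addresses used in the video (server public IP 192.168.128.105, tunnel ends 10.2.2.1 and 10.2.2.2, LANs 172.16.1.0/24 and 192.168.30.0/24); the username user1, the password test and the branch LAN pool range are placeholders to be replaced.

```routeros
# --- Office B (branch): basic configuration as in the video ---
# WAN on ether1 via DHCP client, LAN on ether2, srcnat masquerade out of ether1.
/system identity set name="Office B"
/ip dhcp-client add interface=ether1 disabled=no
/ip address add address=192.168.30.1/24 interface=ether2
# LAN pool range is a placeholder chosen for this example.
/ip pool add name=lan-pool ranges=192.168.30.2-192.168.30.254
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# --- Office A (head office, public IP 192.168.128.105 in the simulation) ---
# SSTP server without a certificate: TCP 443, default-encryption profile.
/interface sstp-server server set enabled=yes port=443 \
    default-profile=default-encryption certificate=none
# PPP secret restricted to SSTP; local/remote addresses become the tunnel ends.
# "test" is the placeholder password from the video; replace it.
/ppp secret add name=user1 password=test service=sstp \
    profile=default-encryption local-address=10.2.2.1 remote-address=10.2.2.2
# Return route towards the branch LAN through the tunnel.
/ip route add dst-address=192.168.30.0/24 gateway=10.2.2.2

# --- Office B (branch): SSTP client ---
# Verification of the server certificate is off because no certificate is used yet.
/interface sstp-client add name=sstp-center connect-to=192.168.128.105:443 \
    user=user1 password=test profile=default-encryption \
    verify-server-certificate=no verify-server-address-from-certificate=no \
    disabled=no
# Route the head-office LAN through the tunnel; the gateway may be the tunnel
# IP or the sstp-center interface name itself (only valid for VPN interfaces).
/ip route add dst-address=172.16.1.0/24 gateway=10.2.2.1

# --- Checks on Office B ---
# R flag on the client interface means the tunnel is up.
/interface sstp-client print
# 10.2.2.2 should have been assigned to sstp-center by the server's secret.
/ip address print where interface=sstp-center
/ip route print where dst-address=172.16.1.0/24
/ping 172.16.1.1 count=4
```

The two `/ip route add` lines are the part most often forgotten: the tunnel alone only connects the two routers, and without a route in each direction the LANs behind them cannot reach each other.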
We can use this kind of communication to access the server at the head office, or maybe a CCTV device, file sharing, etc., so that these LANs can share resources; for example, a branch office that does not have such facilities can share the servers. We can use features like this. This configuration is similar to PPTP in the previous video; the difference is only in the tunneling method.

Now we will try what happens if we use certificates. In the experiment earlier we did not apply certificates. The first step: we can check in Office A, which acts as the server, in the PPP menu, Active Connections tab. It will show AES256 encoding. With the previous PPTP method the encoding uses MPPE by default; now with the SSTP method it uses AES256 encoding. Later we can change this encoding, or change this encryption, by using SSL certificates.

As we have seen before about SSL certificates, we can make self-signed SSL certificates, and we can make them for free. How? We can make them on Linux with OpenSSL. Mikrotik devices also provide a tool for us to make SSL certificates. How? We enter the System menu, then the sub-menu Certificates; this menu is used to make SSL certificates ourselves using Mikrotik, if indeed we don’t have Linux to create them with OpenSSL. In this Certificates menu we can add one; there are important parameters like Name and Common Name, but we can also fill in all the parameters.

We make the CA first: we make CA-Template, and I enter the Country ID. We can enter the data completely; for example, I fill in the organization Citraweb and the unit Technical Support. For the Common Name parameter we must fill in the IP address of our router, 192.168.128.105, then click Apply. In addition to making the CA certificate, we must create a Server and then a Client. For example, we create Server-Template; the parameters below we fill in the same as before, and I fill in the Common Name server. We make it again for the client, and we can make more than one if we have more than one client. For example, I will create Client-Template: I fill in the Country ID, I fill in the State Yogyakarta, then fill in more detail completely, then I fill in the Unit Technical Support and I enter the Common Name client.

After the 3 certificates are made, CA, Server and Client, we have to self-sign them. We enter New Terminal, because on Mikrotik there is no GUI menu for this; we can use the CLI to self-sign the certificates. The way we do it is with the command “certificate sign”, then we type the name of the certificate. For example, I try the CA first; the command is like this, then I give the name myCA. When the process has finished, a description will appear in the Certificates menu with flags; here we can see the KLAT flags: K is private key, L is CRL, A is authority, T is trusted.

Then we can do the self-sign process for Server and Client. We enter the terminal; I try the server first: we enter the name of the CA that we made before, then we give the name, for example server. It should be noted that typing the command here is case sensitive: for example, before I made myCA using lowercase letters, and here there is an error description because before I made it with all capital letters, and the command here does not find the destination file; so in this second step I replace it using uppercase letters, and now the flag description appears in the Certificates menu. The last is for the Client: we type the command “certificate sign”, then we enter ca=myCA and I give name=client.

After all the signing is done, the KA flag information appears, but for the client and server certificates there is no Trusted information. How do we make these certificates trusted? We can set it through the command line interface: we type “certificate set client trusted=yes”, and we do the same for the server certificate by typing “certificate set server trusted=yes”, so that later the flag description in the Certificates menu will show a T flag, which means Trusted. If we have arrived here, then we can use them for SSTP certificate needs. Because I made these certificates on the server router, they are also stored on the server router. After we have signed the certificates and marked them trusted, we can export these certificates for import on the client. The way is to use the CLI with the command “certificate export-certificate”. First I export myCA, and I give a passphrase. The other one I have to export is the client certificate. We can see the export results in the Files menu, and there are 2 file types, namely *.crt and *.key. We can download these four files, which later we can import into the client router. I have saved them to my computer desktop.
There are several files seen here; there are *.key and *.crt. Then we enter the office B router, or the client router. On this client router we upload the certificate files that we have made: we upload the files to the Files menu. I select all files that have the *.crt and *.key extensions; each has 2 files: myCA has 2 files and the client also has *.crt and *.key. After that we click Open; we see they have entered here.

If they are already in the Files menu, then we enter the Certificates menu. The condition on the client router is that it has no certificates, so we can import. We import certificates, first myCA; don’t forget to also import the *.key for the myCA files so that it can be trusted. Import the certificate file for the client, then we also import the key file for the client, so that both types of files can enter here. After we do the import of the certificates from the files that we made on the server previously, we can see in the Certificates menu two files that were successfully imported; the two file names here appear extended. I will try to rename them: for the client certificate I give the name client, then for the CA I name it myCA. You can just replace the name, because what will be used later are some parameters in the file.

Then on the client and server side we can apply them. First try on the client; here only the Certificate parameter is replaced. After selecting the appropriate certificate, the username and password stay the same. Then we make adjustments on the server: enter the office A router as the SSTP server, we enter SSTP Server, then we select the appropriate certificate. If we look here, the SSTP is reconnected. If we check the active connections, when we use a certificate it will show RC4 encoding, whereas before we used the certificate it showed AES256 encoding. Which encoding we want to use depends on the needs. From the references I read, RC4 is simpler and more a priority, or better, for speed. If we want to be safer using AES256 encoding, in the settings on the PPP > Interface menu we enter the SSTP Server settings; we can still force it to use AES256 encoding by checking the Force AES parameter.
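The whole certificate procedure above (create CA, server and client templates; sign; mark trusted; export; import on the client router; rename; bind to the SSTP server and client; force AES) as an added example in RouterOS CLI form. This is not the video’s own command listing. It assumes RouterOS 6 syntax, the names and fields used in the video (CA-Template, Server-Template, Client-Template, myCA, server, client, common name 192.168.128.105 for the CA, organization Citraweb, unit Technical Support, state Yogyakarta), the `cert_export_<name>` file naming that RouterOS 6 uses for exports, and a placeholder export passphrase; the key-usage values are the CLI equivalents of what the GUI fills in by default for a CA, a TLS server and a TLS client.

```routeros
# --- Office A (server router): create the three certificate templates ---
# Key usage: CA signs certificates, server cert is for tls-server, client cert for tls-client.
/certificate add name=CA-Template common-name=192.168.128.105 country=ID \
    organization=Citraweb unit="Technical Support" key-usage=key-cert-sign,crl-sign
/certificate add name=Server-Template common-name=server country=ID \
    organization=Citraweb unit="Technical Support" \
    key-usage=digital-signature,key-encipherment,tls-server
/certificate add name=Client-Template common-name=client country=ID state=Yogyakarta \
    organization=Citraweb unit="Technical Support" \
    key-usage=digital-signature,key-encipherment,tls-client

# --- Sign: CA first, then server and client with ca=myCA (names are case sensitive) ---
/certificate sign CA-Template name=myCA
/certificate sign Server-Template ca=myCA name=server
/certificate sign Client-Template ca=myCA name=client
# Mark the issued certificates trusted so the T flag appears next to KA.
/certificate set server trusted=yes
/certificate set client trusted=yes
# Expected: myCA shows KLAT (private key, CRL, authority, trusted); server/client show KAT.
/certificate print

# --- Export for the client router ---
# Without export-passphrase only the public .crt is written, which is all the
# client needs for the CA. The client cert is exported with its private key,
# protected by a passphrase (placeholder value, choose your own).
/certificate export-certificate myCA
/certificate export-certificate client export-passphrase=ClientKeyPass1
# Files appear as cert_export_myCA.crt, cert_export_client.crt, cert_export_client.key
/file print where name~"cert_export"

# --- Office B (client router): after uploading those files to Files ---
/certificate import file-name=cert_export_myCA.crt passphrase=""
/certificate import file-name=cert_export_client.crt passphrase=ClientKeyPass1
/certificate import file-name=cert_export_client.key passphrase=ClientKeyPass1
# Imported entries are named after the file; rename them as in the video.
/certificate set [find common-name="192.168.128.105"] name=myCA
/certificate set [find common-name="client"] name=client

# --- Bind the certificates to the tunnel ---
# Client: present the client certificate and verify the server chain against myCA.
# verify-server-address-from-certificate stays off because the server cert's
# common name is "server", not the address 192.168.128.105 we connect to.
/interface sstp-client set sstp-center certificate=client \
    verify-server-certificate=yes verify-server-address-from-certificate=no
# Server: use the server certificate, require a client certificate, and keep
# AES-256 instead of falling back to RC4 (the Force AES checkbox in the GUI).
/interface sstp-server server set certificate=server \
    verify-client-certificate=yes force-aes=yes
# After disabling/enabling the client, the negotiated cipher is visible here
# in the "encoding" column.
/ppp active print detail
```

The `/certificate print` and `/ppp active print detail` lines are the checks to run at each stage: flags missing a T mean the trusted step was skipped, and an `encoding` column still showing RC4 after the change means `force-aes` was set but the client was not reconnected.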
Then we apply. We try to connect again from the client side by clicking disable, then enable again. If we check from the server side, the encoding will change to AES256. So if we use a certificate we can change the encoding we use, depending on which type of encoding we want to use. For speed, RC4 is simpler and will be better in terms of speed, but in terms of security, according to the reference I read, AES256 would be better, because maybe RC4 is an encryption technology that has been around for a long time; but all that goes back to our choice of needs.

If we talk about speed: if we use VPN it will not have a big effect on the speed of data transfer from site A to site B, because the data transfer speed is affected by our respective internet subscriptions. If office A subscribes to the internet at a speed of 10 MBps and office B at 20 MBps, later it will use the smaller pipe, so it can’t use a speed of 10 MBps up to 20 MBps; it can’t, but it looks at the internet speed from each ISP. This happens when we do data transfer between LANs, or when I am accessing the server at the branch office from the head office and vice versa. The maximum data transfer speed is according to the internet subscription that we have; for example, if the branch office subscribes to the internet with a small speed of 5 MBps, the maximum data transfer is only up to 5 MBps and cannot rise to the maximum of 10 MBps.

In terms of routing and also the actual connection, the difference from PPTP is only the encoding, or the authentication security, and also the transport port that will be used: PPTP uses TCP port 1723, while SSTP uses TCP 443. That’s what distinguishes the two.

This example is a site-to-site example. Since the routing was made earlier, we will try to access the LAN of office A from the LAN of office B. I will try to access a computer or server in office A; the way is almost the same as when we access using Windows file sharing, or when accessing CCTV or an IP cam using the browser, because there is routing from the router, so laptops don’t need to do their own VPN. Now I will try to access the web cam in the head office. I use the IP at headquarters, 172.16.1.15:8081. When I enter it, positioned in the office B LAN, I can access the webcam, or a printer, or a server, and also the various resources there which can be accessed from the office B LAN. Vice versa, if there is a resource in office B, it can also be accessed from the office A LAN. That’s one of the functions of VPN; here I happened to be using the SSTP type of VPN, and the examples so far are examples of a site-to-site VPN.
One more example: we can use it for the mobile client, as in the previous PPTP trial video. The mobile client on SSTP will be a little different, because not all operating systems provide an SSTP client feature. For now I have tried it and found that Windows OS is supported, so later I will try to use a Windows laptop as the SSTP client. Before stepping into the experiment: we can also use the certificate on the client, so the certificate that I used earlier can also be used on the mobile client. On a note, maybe we can make more than one client certificate: one can be for the router and one for the mobile client.

Now I use a laptop with a Windows operating system, because it turns out that Windows OS still has the SSTP client feature. The configuration is almost similar to the mobile client on PPTP: we have to make a new VPN connection. I simulate this as, for example, being mobile and connected using public WiFi, able to reach the public IP of the Office A server. Then I create a new VPN; for example I give it the name SSTP Head Office, then the server is 192.168.128.105, or in an actual deployment we must fill in the public IP address of our server. Then for the username I use the user2 that I created before, fill in the password, then we save by clicking Connect.

If we want a more secure connection using a certificate, then the certificate that we made earlier has to be copied to this mobile client laptop. After we copy the file, how do I add this certificate? For example, here I have 2 certificates, namely myCA and also the client; I copied them to this folder. I got these files by making them on the Office A server. If they have been copied, then we enter the Microsoft Management Console certificate menu. We select Console Root, go to the File tab and select Add/Remove Snap-in, we click to enter the Certificates section, we select Computer Account, click Next, select Local Computer and Finish. After that we return to the Console Root menu, select Certificates and then enter Trusted Root. How do we add the certificate that we had before? In this Certificates menu we right-click, select All Tasks, then select Import. In this Import wizard we just follow along to select the certificate that we already have. I will import both certificates, myCA and also the client. After it’s finished, it will appear inside here. Then I took the same steps to import the client certificate; after finishing there will be 2 new certificates; you can see myCA and the client. So the step to add a new certificate to the Windows trusted certificates is complete.

Later we can check by entering the previous SSTP configuration: enter the Network and Sharing Center, then check Adapter Options. On the SSTP connection we just right-click, then select Properties. On the Security tab we select the type of VPN, SSTP; then for the encryption option we can choose optional encryption or require encryption; if we choose require encryption, then on our server there must be encryption too. Then for authentication we usually select Allow these protocols, then we choose Microsoft CHAP v2; it was also configured on the server side automatically, since SSTP on Mikrotik can use several types of authentication. If we can already try it, click Connect. If it’s connected, we should be able to access the resources that are in Office A. So if we use a laptop there is no need to add static routing, so that when we are mobile we can still access the server, IP cam and also the resources at the head office when we really need to retrieve data or do maintenance on a device.

These are some examples of implementations when we use SSTP; in outline it is almost similar to PPTP, because there are 2 functions, namely site-to-site VPN, which means it can connect 2 LANs, and the mobile client, when we need access to the network at the head office. One more note: the speed of data access from office A to B, or from head office to the branch office, cannot exceed the speed of the internet subscription that we use; so for example if we have an internet subscription of 10 MBps, then the speed we get is the same; we cannot increase the access speed using VPN. Then for security issues it is slightly different from PPTP, which uses MPPE128; if we use SSTP we can choose AES256 or also RC4 when using an SSL certificate. In the experiment I tried using SSL certificates made free of charge using Mikrotik; this might be an alternative when we want to use an SSL certificate on SSTP.

So those are some examples of configurations and also implementations for the SSTP VPN. For other types of VPN we can continue in the next video. Then don’t forget to subscribe and also share so that the information can be useful for others. If there are questions, don’t be shy to write in the comments column below to discuss. Then definitely press the bell button after subscribing so that you get notifications for the latest videos from us. Thank you for watching, see you later in the next Mikrotik video.
