Setting up a VPN Server on RouterOS/Mikrotik

A new year, a new post 🙂

This year I’m starting with something completely non-PowerShell related for a change.

For a while now I’ve wanted to set up a VPN server at home for various reasons such as

  • Access to home Hyper-V lab
  • Secure internet access when using insecure WiFi
  • Access to other home resources [Synology etc]

Now I finally had some time over the holidays to play around with it, but to be honest I found it quite the pain, as it turned out that none of the information I found was complete.
So I thought, what better way to solve that problem and document it for future reference than a blog post on the subject 🙂

Do note that I’m definitely not an expert on networking, so

What are we working with?

Well, my network isn’t all too fancy, but for the sake of clarity here’s an overview of my network layout

My network topology

The following hardware is used for this setup:

I’ve created bridges for my WAN, my LAN and my Guest so I can easily assign rules/access to each part as needed.

As for the VPN connection, while I first thought about using OpenVPN, I ended up going for L2TP/IPsec instead, as OpenVPN is not yet fully supported and the configuration requirements for L2TP/IPsec are a bit easier [no certificate requirements etc].

Ok, let’s do this!

In order to set this up, we first need to create some prerequisites and then put them all together.
For clarity's sake I'll list the required steps here:

  • L2TP
    • Create an address pool which can be used by your VPN clients
    • Create a VPN profile to be used by your L2TP server/users
    • Configure the L2TP server
    • Create a fixed Interface binding
    • Create a VPN User
  • IPsec
    • Modify the default IPsec Policy Proposal
    • Modify the default IPsec Peer Profile
    • Create an IPsec Policy
    • Create an IPsec Peer
  • Firewall
    • Input rules to allow L2TP traffic
    • Forward rules to provide LAN and Internet access
  • ARP
    • Set proxy-arp to make sure you can access your other LAN devices properly

L2TP

Create an address pool


Create a VPN Profile


Configure L2TP Server


Of course, be sure to replace InsetSecretKeyHere with your own key 🙂

Create a static binding

Now this isn't a requirement, but I think it helps with maintenance and with the configuration of the firewall later on, so I thought I'd include it.

Static Interface binding

If you want to, you can add user=<username> to create static bindings per user.

Create a VPN user


Of course, you should again replace the username and password with whatever you want to use here; this is the information you also need to provide when setting up the connection on your client!

IPsec

Now there are quite a few steps to be done here, but they're all easy and self-explanatory. In this section I'll simply provide the code required for each step; everything can be found under the IP -> IPsec tab in your Winbox application.

Again, be sure to change the pre-shared key here; you will need it when configuring the VPN connection on your client.

Almost there! Firewall up ahead!

It's very important to note that you should place all your newly created firewall rules ABOVE any drop rules for them to be used.
Firewall rules are evaluated top to bottom: the first rule that matches the traffic is applied and any following rules are skipped.

Input rules

Input rules for UDP L2TP
Input rules for IPsec-ESP

Forward rules

Now depending on your needs you might want to lock this down more, or just do one bit and not the other [either provide access to the internet for safe remote browsing, or just provide access to the LAN for resources], but in my case I've configured both.

Forward rule for VPN to LAN
Forward rule for LAN to VPN

Now for VPN to Internet you will have the exact same setup as before, only your interface will be the WAN-facing interface, in my case bridge-ziggo.

Here’s the code for both entries just in case.

Are we there yet?

Now the final thing we should do is set proxy-arp in order to properly access all LAN devices. Thanks for the help Mateusz Czerniawski!

Proxy ARP
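As an added example (not the original post's code or screenshots), here is the whole procedure as RouterOS CLI commands. It assumes a LAN bridge named bridge-lan (name assumed), the WAN bridge bridge-ziggo from the post, a constructed client pool inside the LAN subnet 192.168.89.0/24 so that proxy-arp can do its job, and it uses use-ipsec=required on the L2TP server so RouterOS creates the IPsec peer and policy dynamically, instead of the post's manual edits to the default proposal, peer profile, policy and peer.

```routeros
# Address pool handed out to VPN clients (constructed range, inside the LAN subnet)
/ip pool add name=vpn-pool ranges=192.168.89.10-192.168.89.50

# PPP profile: router side gets .1, clients draw from the pool, DNS via the router
/ppp profile add name=vpn-profile local-address=192.168.89.1 remote-address=vpn-pool \
    dns-server=192.168.89.1

# L2TP server; use-ipsec=required refuses plain L2TP and lets RouterOS create the
# IPsec peer/policy for you. Replace the placeholder pre-shared key.
/interface l2tp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2 use-ipsec=required ipsec-secret=YourIPsecSecretHere

# Fixed interface binding for the user, so firewall rules get a stable interface name
/interface l2tp-server add name=l2tp-vpn user=vpnuser

# VPN user (placeholder credentials, change them)
/ppp secret add name=vpnuser password=ChangeMePlease service=l2tp profile=vpn-profile

# Input rules: IKE (500), NAT-T (4500) and L2TP (1701) over UDP, plus ESP.
# These must sit ABOVE any drop rule in the input chain.
/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 \
    in-interface=bridge-ziggo action=accept comment="L2TP/IPsec in"
/ip firewall filter add chain=input protocol=ipsec-esp in-interface=bridge-ziggo \
    action=accept comment="IPsec ESP in"

# Forward rules: VPN <-> LAN and VPN -> Internet (return traffic only, established/related)
/ip firewall filter add chain=forward in-interface=l2tp-vpn out-interface=bridge-lan action=accept
/ip firewall filter add chain=forward in-interface=bridge-lan out-interface=l2tp-vpn action=accept
/ip firewall filter add chain=forward in-interface=l2tp-vpn out-interface=bridge-ziggo action=accept
/ip firewall filter add chain=forward in-interface=bridge-ziggo out-interface=l2tp-vpn \
    connection-state=established,related action=accept

# Proxy ARP on the LAN bridge so VPN clients can reach the other LAN devices
/interface bridge set bridge-lan arp=proxy-arp
```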

That’s all!!

Now I know it seems like a lot, but that’s because of the code and screenshots.
Now that I look at it myself, it’s not that bad… But perhaps it can be of help to someone else now too!

Happy Scripting! 🙂


QR codes and practical usage

Earlier this year I was lucky to attend the PowerShell Conference Europe [a.k.a. PSConfEU], which is easily the geek highlight of my year.

At the opening ceremony, organizer and PowerShell guru Dr. Tobias Weltner showed this gem that amazed me in its simplicity

I present you: the QRCodeGenerator

As the name implies, the QRCodeGenerator will generate various QR codes for you to use, all through the magic of PowerShell [and of course the QR generator solution in C# which this module uses].

Of course now we’ll want to play with it, so let’s get the module!

Let’s just assume by now you’ll have at least [Windows] PowerShell 5+, if you don’t, please get it ASAP [or get PowerShell Core instead]!

When searching the PowerShell Gallery, you should be presented with the latest version

Go ahead and install this module for yourself

or for everyone on your system [be sure to run PowerShell as Administrator]

Ok, so now what?

Let’s see what options we have available

So we can create a new

  • GeoLocation QR Code
  • vCard QR Code
  • Wifi Access QR Code

As expected, each of the provided cmdlets comes with properly created help files and examples, and all 3 cmdlets have similar input parameters, mainly

  • Width – height and width of the generated code [default is 100]
  • Show – open the generated code in default program
  • OutPath – path to generated png file. If left empty, a temporary file name will be used.

Practical applications

To be honest, the 2 main reasons I liked this are the Wifi Access and vCard codes.
While there might be some use for the GeoLocation one, I would think it'd mainly be in print media, to display your company's location information or such.

The New-QRCodeWifiAccess cmdlet can be used at home or at work to provide access to your guest wifi network.
Simply generate the code, print and laminate it once and whenever people ask for access, just let them scan the code!

And tada!

As for the New-QRCodevCard cmdlet, it works just the same. In this case I would recommend using it on your business card to allow your contact to easily add you in his/her phone.


All in all, I thought this was something worth sharing; I hope you think so too!

Happy Scripting! 🙂


Windows Server 2019 – System Insights

After a small hiatus on Twitter, I got back just in time to notice a Tweet about the following [sorry, I was unable to find who created the original Tweet, but luckily I saved the link]:

Getting started with System Insights in 10 minutes

This fit in perfectly with my recent post on the Windows Admin Center, and I’ve got 10 minutes to spare, so let’s go!

Installing System Insights

As you can imagine, this is simply a breeze

Where is it?

Ok, I’ve installed the Admin Center and enabled System Insights, but I still don’t see the option.

For me this was the case, even after closing my browser and reconnecting.

Once you’re in the Admin Center, go to the Settings gear icon in the top right and choose Extensions [under Gateway]

Select the Windows Server System Insights (Preview) extension and Install it

Using System Insights

Once installed, you will see System Insights added to the Tools section of the server that has it installed.

It comes predefined with 4 settings it will check up on:

  • CPU capacity forecasting
  • Network capacity forecasting
  • Total storage consumption forecasting
  • Volume consumption forecasting

You can simply select one and click on Invoke to actually generate the data required for the forecast.

Unfortunately, if you run this on a fairly new machine [<2 hours], there’s a big chance you’ll run into this ‘notification’

Be sure to check out the videos on what kind of data you can expect if you’re impatient

Isn’t this a PowerShell related blog?

Well, yes, mainly it is 🙂

So it turns out you can fully access all this data through your friendly neighbourhood automation Swiss army knife!

It’s good to see that the terminology used in the Windows Admin Center mimics the cmdlets used in PowerShell, so it’s easy to reproduce what you’re trying to accomplish.

will simply show you all of the currently available forecasts, while

will start the process.

Do note that generating analytics can be a processor-intensive operation, so PowerShell will actually warn you about this.

Also interesting to keep in mind: invoking capabilities through the Windows Admin Center will generate a notification in the Notification area, while doing so through PowerShell will NOT.

Here’s what I love

Now while this is all nice and dandy, my favourite option can be found under the Settings -> Actions option for each Capability:

You can link Actions in the form of PowerShell scripts to be performed depending on the returned prediction status.

For example:

On the Volume consumption forecasting capability, you can have an Action set on Warning so that the system tries to clear out log files in a certain directory, or perhaps clears the C:\Windows\SoftwareDistribution\Download folder to quickly free up some much-needed space.

Just imagine all the possibilities!

I want analytics, but I don't want to share my data

Now just in case you’re into tinfoil hats and are a little paranoid, you might wonder “where do they get all the data from to provide me with these analytics?”

Apparently the analytics are all computed locally, so no sending data to evil cloud providers or Cambridge Analytica 😉 .
And even better, it’s fully operational through PowerShell, what more can I ask for?


Well, this might have been a little over 10 minutes, but I hope it’s been worth your while!

Play around with it, see what kind of cool things you can make and be sure to share them!

Happy Scripting! 🙂