Quick home VPN using Mikrotik and an existing router
I had a situation today where an office worker needed to work from home. This user had a houseful of devices and a router managed by the fiber-to-the-home provider, with devices attached to the provider router's wifi and so on. Normally I would want to replace this router, but that would be an undertaking.
For this setup, we used a Mikrotik mAP lite.
My quick solution was to have the user install the Mikrotik mAP as an ethernet device off of the provider’s router. We then established a VPN tunnel from this device to the network of the ISP they work for.
We then added routes in the Mikrotik to the 3 networks they needed to access across the L2TP tunnel. This user runs the Dude and Winbox. Once the tunnel was established we had two issues to overcome.
1. You have to add a NAT rule in order for traffic behind the Mikrotik to reach the devices on the other side of the tunnel. I simply added a NAT rule that looks like this (the trailing backslash in the original was just RouterOS export line continuation):
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp src-address=192.168.88.0/24
We could have done this in a few different ways, but remember this was a quick setup.
2. I needed the laptop they were working on to be able to route the three prefixes to the Mikrotik, thus going out the VPN. In our setup, the laptop only has 2 default gateways. It does not know any other routing info.
I created a batch script with the following in it. In short, you add the text below into a Notepad file and save it with the extension .bat.
route ADD 10.2.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.3.0.0 MASK 255.255.0.0 192.168.88.1
route ADD 10.4.0.0 MASK 255.255.0.0 192.168.88.1
If you need help on creating a batch script
Once I had the file, which I simply saved into the Dude folder on the desktop, I created a shortcut on the desktop. You will want to right-click on the shortcut and do the following.
It is important to note you are only able to do this on a shortcut in Windows, not the actual file itself. No idea why. The script is important because this user brings the laptop back and forth. I did not want to create persistent routes on the computer because the office network is different. If you do not make the routes persistent they will be gone after a reboot. This way the user double clicks on the script shortcut when they log in to the computer and before firing up the Dude.
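As an added example (not the script from the original post), here is a PowerShell version of the same route step that handles the back-and-forth problem the author describes: it only adds the three routes when the laptop actually holds an address in the 192.168.88.0/24 LAN behind the mAP, and it adds them to the active store only, so they never persist across a reboot or follow the laptop to the office. The prefixes, the 192.168.88.1 gateway and the home LAN are the values from the post; the script name, the -Remove switch and the use of the home subnet as the "am I at home?" test are my assumptions.

```powershell
<#
Add-OfficeRoutes.ps1 (added example, not code from the original post)
Adds the three office prefixes via the Mikrotik only when this laptop has an
address inside the home LAN, and only in the active (non-persistent) route store.
Run with -Remove to clear the routes again before heading to the office.
#>
#Requires -RunAsAdministrator
param([switch]$Remove)

$HomeLan  = '192.168.88.0/24'                               # LAN behind the mAP (from the post)
$Gateway  = '192.168.88.1'                                  # mAP LAN address, next hop for office nets
$Prefixes = '10.2.0.0/16', '10.3.0.0/16', '10.4.0.0/16'     # the three office networks (from the post)

function ConvertTo-IntAddress {
    # Dotted-quad IPv4 -> 32-bit value held in an int64 (avoids unsigned arithmetic quirks).
    param([string]$Address)
    $value = [int64]0
    foreach ($octet in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = $value * 256 + $octet
    }
    return $value
}

function Test-InSubnet {
    # True when $Address falls inside the CIDR block $Cidr.
    param([string]$Address, [string]$Cidr)
    $network, $bits = $Cidr -split '/'
    $mask = ([int64]4294967295 -shl (32 - [int]$bits)) -band 4294967295
    return ((ConvertTo-IntAddress $Address) -band $mask) -eq ((ConvertTo-IntAddress $network) -band $mask)
}

function Get-HomeInterfaceIndex {
    # Interface index of the first IPv4 address that sits in the home LAN, or $null.
    # Assumption: being in 192.168.88.0/24 means "at home"; any other network using the
    # same (Mikrotik default) subnet would also match, so this is a convenience check,
    # not an identity check for the home router.
    $ip = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object { Test-InSubnet -Address $_.IPAddress -Cidr $HomeLan } |
          Select-Object -First 1
    if ($ip) { return $ip.InterfaceIndex }
    return $null
}

if ($Remove) {
    foreach ($prefix in $Prefixes) {
        Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
            Remove-NetRoute -Confirm:$false
        Write-Host "Removed route $prefix (if it was present)."
    }
    exit 0
}

$ifIndex = Get-HomeInterfaceIndex
if (-not $ifIndex) {
    Write-Warning "No address inside $HomeLan on this laptop; not on the home LAN, so no routes were added."
    exit 1
}

foreach ($prefix in $Prefixes) {
    # Drop any stale copy first, then add to ActiveStore only: that is the
    # non-persistent behaviour the post wants, so a reboot clears the route.
    Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false -ErrorAction SilentlyContinue
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex -NextHop $Gateway `
                 -PolicyStore ActiveStore | Out-Null
    Write-Host "Added non-persistent route $prefix -> $Gateway via interface $ifIndex."
}
```

To keep the author's double-click workflow, point the desktop shortcut at powershell.exe with the arguments -ExecutionPolicy Bypass -File followed by the script's full path; the #Requires line makes the script refuse to run, rather than silently fail on route ADD, if the shortcut is not launched elevated. The interface-index check also means the routes are tied to the adapter that actually faces the mAP, so a second connection to the provider router cannot pick them up by accident.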
There are many other ways to accomplish this. This was one of the quickest and least impactful for the user, with fewer things to support. One of the downsides to this setup is the user maintains two physical connections to two physical routers. In this instance, the user could hardwire into the Mikrotik and maintain a wireless connection to the FIOS router.
If given more time you could have the laptop wired into the Mikrotik at the desk and have the wireless on the Mikrotik become a wireless client back to the FIOS router. This would make the setup a little more mobile.
#teleworker #j2 #vpn @packetsdownrange
j2networks family of sites