Make no mistake, I am not a network guy. Here I just want to describe my own experience on the topic, as a reminder to my future self and in the hope that it may help some poor souls who just want to set up goddamn VPN access to their home LAN. Thus I encourage you to question and double-check what's written below.
A VPN allows you to have secure access to your home LAN from another network. Some reasons for me to have it:
- To protect my network traffic in case I find myself using insecure networks (like open WiFi).
When I started digging into the topic I found that there were many VPN implementations and it was not obvious which one was best for my basic needs. The puzzle was even trickier since those implementations had different names on Windows, Android and iOS. But after watching this talk I decided to go with the L2TP/IPSec approach.
The steps below are given for a modest (yet capable) MikroTik RB750UP running RouterOS v6.46.5.
L2TP/IPSec router setup
This approach is so simple because in "Quick Set" mode there's a single checkbox that you have to tick in order to enable it:
One nifty detail here is the VPN Address field. Obviously you can use the external IP address of your router to reach it via the Internet. But VPN Address contains a domain name for your router that's resolvable via the Internet, so you can use it even if you don't get a static IP address from your internet provider.
Behind the scenes this single checkbox introduces the necessary firewall rules, a separate address pool (192.168.89.2-192.168.89.255), etc. The PPTP and SSTP VPN implementations are set up automatically as well, but if you're not going to use those, it's better to disable them to shrink the possible attack surface.
L2TP/IPSec client setup
Password and Secret both have the same value as VPN Password in the router.
Similar to iOS, but the implementation is called L2TP over IPSec.
VPN type is L2TP/IPSec with pre-shared key. Pre-shared key and Password both have the same value as VPN Password in the router.
VPN type is L2TP/IPSec PSK.
Disable SSTP and PPTP traffic
PPTP and SSTP are automatically enabled, as mentioned above. If you're not going to use them, it's better to disable them to shrink the possible attack surface.
Here I'll start using the MikroTik console. To access it, just SSH into your router. Alternatively, you can perform these steps in Webfig.
Print the list of firewall rules:
```
[admin@MikroTik] > /ip firewall filter print
```
Somewhere in the output you should see the following:
```
 5    ;;; allow pptp
      chain=input action=accept protocol=tcp dst-port=1723

 6    ;;; allow sstp
      chain=input action=accept protocol=tcp dst-port=443
```
Take the indices of the rules (5 and 6) and use them to disable the rules:
```
[admin@MikroTik] > /ip firewall filter disable 5
[admin@MikroTik] > /ip firewall filter disable 6
```
Access router via VPN
It turns out that at this point you cannot reach your router itself via VPN. This is because of this firewall rule:
```
 9    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
```
To make it possible, add another rule just before the one above (pay attention to src-address and place-before):
```
/ip firewall filter add action=accept chain=input comment="[Custom] allow connections from VPN network" src-address="192.168.89.0/24" place-before=9
```
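As an added check (example code, not from the original post), the Python script below parses `/ip firewall filter print` output and reports the two things the last two sections change: PPTP/SSTP accept rules that are still enabled, and a VPN accept rule that sits below the default "drop all not coming from LAN" rule, where it would never match. The sample output, rule indices and the 192.168.89.0/24 pool follow the text above; the two-line print layout with the X/I/D flag column is assumed from RouterOS v6, and the sample is constructed, not captured from a real router.

```python
import re
VPN_NET = "192.168.89.0/24"  # pool that the Quick Set VPN checkbox creates

# Constructed `/ip firewall filter print` output in the RouterOS v6 layout (index,
# X/I/D flag column, optional ";;; comment", key=value lines); not from a real box.
SAMPLE_PRINT = """Flags: X - disabled, I - invalid, D - dynamic
 5    ;;; allow pptp
      chain=input action=accept protocol=tcp dst-port=1723
 6  X ;;; allow sstp
      chain=input action=accept protocol=tcp dst-port=443
 9    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
10    ;;; [Custom] allow connections from VPN network
      chain=input action=accept src-address=192.168.89.0/24
"""
RULE_RE = re.compile(r"^\s*(\d+)\s+([XID]*)\s*(.*)$")
ATTR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_filter_print(text):  # turn the two-line-per-rule output into rule dicts
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Flags:"):
            continue
        m, rest = RULE_RE.match(line), line
        if m:  # first line of a rule: index, flags, then a comment or attributes
            rules.append({"index": int(m.group(1)), "disabled": "X" in m.group(2),
                          "comment": "", "attrs": {}})
            rest = m.group(3)
            if rest.startswith(";;;"):
                rules[-1]["comment"] = rest[3:].strip()
                continue
        rules[-1]["attrs"].update((k, v.strip('"')) for k, v in ATTR_RE.findall(rest))
    return rules

def audit(rules):  # flag enabled PPTP/SSTP accepts and a misplaced VPN accept rule
    findings, drop_pos, accept_pos = [], None, None
    for pos, r in enumerate(rules):
        a = r["attrs"]
        if r["disabled"] or a.get("chain") != "input":
            continue  # disabled rules and other chains do not affect router access
        if a.get("action") == "accept" and a.get("dst-port") in ("1723", "443"):
            findings.append(f"rule {r['index']}: tcp/{a['dst-port']} (PPTP/SSTP) still accepted")
        elif a.get("action") == "drop" and a.get("in-interface-list") == "!LAN":
            drop_pos = pos
        elif a.get("action") == "accept" and a.get("src-address") == VPN_NET:
            accept_pos = pos
    if accept_pos is None:
        findings.append(f"no input accept rule for {VPN_NET}")
    elif drop_pos is not None and accept_pos > drop_pos:
        findings.append(f"rule {rules[accept_pos]['index']}: VPN accept is after the LAN drop, never reached")
    return findings
```

Feed it the real output of `/ip firewall filter print` (for example piped from an SSH session) and an empty result means both changes from this post are in place.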
Assign host names to the servers that you want to access via VPN
VPN tunnels like this one do not tend to carry broadcasts. That's why you may notice that you cannot resolve the "magic" hostnames that work on the LAN (for instance .local names).
To fix this for a server you need to:
- make the router assign a static IP address to the server by its MAC address:

  ```
  /ip dhcp-server lease remove [/ip dhcp-server lease find mac-address=95:46:a4:90:4d:a6]
  # You probably need to restart the server to pick up the address
  /ip dhcp-server lease add address=192.168.88.100 mac-address=95:46:a4:90:4d:a6 comment="[Custom] Static IP for NAS"
  ```

- bind the IP address to a name:

  ```
  /ip dns static remove [/ip dns static find name=myserver.lan]
  /ip dns static add name=myserver.lan address=192.168.88.100
  ```
After the above setup your server should be resolvable via the hostname myserver.lan.