VPNonline.pl - Polish VPN - Fast and Secure VPN, change of IP address VPNonline.pl - Polish VPN - Fast and Secure VPN, change of IP address

VPN Configuration - Mikrotik Router

VPN Configuration - Mikrotik Router
  • PPTP
  • L2TP/IPsec
  • SSTP
  • OpenVPN
  • Remote Access
  • Port Forwarding

VPN CONFIGURATION GUIDE - MOVIE

VPNonline Academy Player



VPN CONFIGURATION GUIDE - PICTURES

Log in to your router, start the browser or use the application WINBOX.
Enter the default router address: http://192.168.88.1

Go to "PPP" (1) and add (2) new interface "PPTP Client" (3)

Mikrotik PPTP Client

In "General" (4), in the "Name" (5) field,  enter the interface name: VPNonline-PPTP
In the "Max MTU" (6) and "Max MRU" (7)
enter a value: "1400"

Mikrotik PPTP Client

Go to "Dial Out" (8) tab and fill in the following fields:
In the "Connect to:" (9) field, enter the name of one of our VPN servers.
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "User:" (10) field, enter your login name
In the "Password:" (11) field, enter your password
To confirm the entered data, click "OK" (12)

Mikrotik PPTP Client

Click the "IP" (13), then "Firewall" (14)
In the "Firewall"
select the "NAT" (15) tab, then add new rule (16)

Mikrotik PPTP Client

In the "General" (17) tab, select "Chain: srcnat" (18) then "Out. Interface: VPNonline-PPTP" (19)

Mikrotik PPTP Client

Go to "Action" (20) tab, in the "Action" (21) field, select "masquerade".
Click "OK" (22)

Mikrotik PPTP Client

Go to "Mangle" (23) tab and add new rule (24)

Mikrotik PPTP Client

In the "New Mangle Rule", select "General" (25) tab, then select "Chain: prerouting" (26)
In the "Src Address" (27) field,
enter the IP addresses of the computers that are to pass through the VPN tunnel.

In the example, we have entered the entire pool of IP addresses 192.168.88.2 - 192.168.88.254, but you can enter here the single IP address of the host, e.g. 192.168.88.10. Only this host will go through the VPN and  its public IP address will change to the IP address of the VPN server (e.g Poland). The other hosts from the 192.168.88.0 pool, will go through a local Internet connection and will be visible on the Internet under a local public IP address. 

Mikrotik PPTP Client

Go to "Action" (28) tab, in the "Action" field, select "mark routing" (29)
In the "New Routing Mark" (30) field, select "VPNonline"
To approve changes, click "Apply: (31) and "OK" (32)

Mikrotik PPTP Client

Go to "IP" (33) and "Routes" (34)
In the "Route List", select "Routes" (35) tab and add new rule (36)

Mikrotik PPTP Client

In the "New Route" window, go to "General" (37) tab and select:
"Dst. Address" (38) - 0.0.0.0/0
"Gateway" (39) - VPNonline-PPTP
"Routing Mark" (40) - VPNonline
To approve changes, click "OK" (41)

Mikrotik PPTP Client

A new routing route has been added (42) and the VPN connection should be established.

Mikrotik PPTP Client

Log in to your router, start the browser or use the application WINBOX.
Enter the default router address: http://192.168.88.1

Go to "PPP" (1) and add (2) new interface "L2TP Client" (3)

Mikrotik L2TP/IPsec Client

In "General" (4), in the "Name" (5) field,  enter the interface name: VPNonline-L2TP

Mikrotik L2TP/IPsec Client

Go to "Dial Out" (6) tab and fill in the fields below:
In the "Connect to:" (7)
enter the name of one of our VPN servers
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "User:" (8) field, enter your user name
In the "Password:" (9) field, enter your password
Check "Use IPsec" and, in the "IPsec Secret:" (10) field, enter: vpnonline.pl
Check "Allow mschap2" (11)
To confirm the entered data, click "OK" (12)

Mikrotik L2TP/IPsec Client

Go to "IP" (13) tab, then "Firewall" (14)
In the "Firewall"
select the "NAT" (15) tab, then add new rule (16)

Mikrotik L2TP/IPsec Client

In the "General" (17) tab, select "Chain: srcnat" (18) , then "Out. Interface: VPNonline-L2TP" (19)

Mikrotik L2TP/IPsec Client

Go to "Action" (20) tab, in the "Action" (21) field, select "masquerade".
Click "OK" (22)

Mikrotik L2TP/IPsec Client

Go to "Mangle" (23) and add new rule (24)

Mikrotik L2TP/IPsec Client

In the "New Mangle Rule", select "General" (25) tab, then select "Chain: prerouting" (26)
In the "Src Address" (27) field,
enter the IP addresses of the computers that are to pass through the VPN tunnel.

In the example, we have entered the entire pool of IP addresses 192.168.88.2 - 192.168.88.254, but you can enter here the single IP address of the host, e.g. 192.168.88.10. Only this host will go through the VPN and  its public IP address will change to the IP address of the VPN server (e.g Poland). The other hosts from the 192.168.88.0 pool, will go through a local Internet connection and will be visible on the Internet under a local public IP address.

Mikrotik L2TP/IPsec Client

Go to "Action" (28) tab, in the "Action" field, select "mark routing" (29)
In the "New Routing Mark" (30) field, select "VPNonline"
To approve changes, click "OK" (31)

Mikrotik L2TP/IPsec Client

Go to "IP" (32) and "Routes" (33)
In the "Route List""Routes" (34) tab, add new rule (35)

Mikrotik L2TP/IPsec Client

In the "New Route", "General" (36) tab, select:
"Dst. Address" (37) - 0.0.0.0/0
"Gateway" (38) - VPNonline-L2TP
"Routing Mark" (39) - VPNonline
To confirm the entered data, click "OK" (40)

Mikrotik L2TP/IPsec Client

A new routing route has been added (41) and the VPN connection should be established.

Mikrotik L2TP/IPsec Client

Log in to your router, start the browser or use the application WINBOX.
Enter the default router address: http://192.168.88.1

Go to "PPP" (1) and add (2) new interface "SSTP Client" (3)

Mikrotik SSTP Client

In the "General" (4) tab, "Name" (5) fieldenter the interface name: VPNonline-SSTP

Mikrotik SSTP Client

Go to  "Dial Out" (6) tab, and fill in the fields below:
In the "Connect to:" (7)
enter the name of one of our VPN servers
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "Port:" (8) filed, enter: "443"
Uncheck: "Verify Server Certificate" and others (9)
In the "User:" (10) field, enter your user name
In the "Password:" (11)
field, enter your password
In the "Allow:" (12) field, select "mschap2" only
To confirm the entered data, click "OK" (13)

Mikrotik SSTP Client

Click the "IP" (14) then "Firewall" (15)
In the "Firewall" ,
select the "NAT" (16) tab, then add new rule (17)

Mikrotik SSTP Client

In the "General" (18), select "Chain: srcnat" (19) and "Out. Interface: VPNonline-SSTP" (20)

Mikrotik SSTP Client

Go to "Action" (21) tab, in the"Action" (22) field, select "masquerade".
Click "OK" (23)

Mikrotik SSTP Client

Go to "Mangle" (24) tab, add new rule (25)

Mikrotik SSTP Client

In the "New Mangle Rule", select "General" (26) tab, then select "Chain: prerouting" (27)
In the "Src Address" (28) field,
enter the IP addresses of the computers that are to pass through the VPN tunnel.

In the example, we have entered the entire pool of IP addresses 192.168.88.2 - 192.168.88.254, but you can enter here the single IP address of the host, e.g. 192.168.88.10. Only this host will go through the VPN and  its public IP address will change to the IP address of the VPN server (e.g Poland). The other hosts from the 192.168.88.0 pool, will go through a local Internet connection and will be visible on the Internet under a local public IP address.

Mikrotik SSTP Client

Go to "Action" (29) tab, in the "Action" field, select "mark routing" (30)
In the "New Routing Mark" (31) select "VPNonline"
To approve changes, click "OK" (32)

Mikrotik SSTP Client

Go to "IP" (33) and "Routes" (34)
In the "Route List""Routes" (35), add new rule (36)

Mikrotik SSTP Client

In the "New Route""General" (37) tab, select:
"Dst. Address" (38) - 0.0.0.0/0
"Gateway" (39) - VPNonline-SSTP
"Routing Mark" (40) - VPNonline
To approve changes, click "OK" (41)

Mikrotik SSTP Client

A new routing route has been added (42) and the VPN connection should be established.

Mikrotik SSTP Client

Log in to your router, start the browser or use the application WINBOX.
Enter the default router address: http://192.168.88.1

Go to "PPP" (1) and add (2) new interface "OpenVPN Client" (3)

Mikrotik OpenVPN Client

In the "General" (4) tab, "Name" (5) fieldenter the interface nameVPNonline-OpenVPN

Mikrotik OpenVPN Client

Go to  "Dial Out" (6) tab, and fill in the fields below:
In the "Connect to:" (7)
enter the name of one of our VPN servers
The list of available VPN servers can be found in the client panel: https://portal.vpnonline.pl
In the "Port:" (8) field, enter: 993 or 443
depending on the selected VPN server
In the "User:" (9) field, enter your user name
In the "Password:" (10)
field, enter your password
In the "Auth:" (11) field, select: sha1
In the "Cipher:" (12) field, select: aes128
To confirm the entered data, click "OK" (13)

Mikrotik OpenVPN Client

Click the "IP" (14), then "Firewall" (15)
In the "Firewall",
select the "NAT" (16) tab, then add new rule (17)

Mikrotik OpenVPN Client

In the "General" (18), select "Chain: srcnat" (19) and "Out. Interface: VPNonline-OpenVPN" (20)

Mikrotik OpenVPN Client

Go to "Action" (21) tab, in the"Action" (22) field, select "masquerade".
Click "OK" (23)

Mikrotik OpenVPN Client

Go to "Mangle" (24) tab, add new rule (25)

Mikrotik OpenVPN Client

In the "New Mangle Rule", select "General" (26) tab, then select "Chain: prerouting" (27)
In the "Src Address" (28) field,
enter the IP addresses of the computers that are to pass through the VPN tunnel.

In the example, we have entered the entire pool of IP addresses 192.168.88.2 - 192.168.88.254, but you can enter here the single IP address of the host, e.g. 192.168.88.10. Only this host will go through the VPN and  its public IP address will change to the IP address of the VPN server (e.g Poland). The other hosts from the 192.168.88.0 pool, will go through a local Internet connection and will be visible on the Internet under a local public IP address.

Mikrotik OpenVPN Client

Go to "Action" (29) tab, in the "Action" field, select "mark routing" (30)
In the "New Routing Mark" (31) select "VPNonline"
To approve changes, click "OK" (32)

Mikrotik OpenVPN Client

Go to "IP" (33) and "Routes" (34)
In the "Route List""Routes" (35), add new rule (36)

Mikrotik OpenVPN Client

In the "New Route""General" (37) tab, select:
"Dst. Address" (38) - 0.0.0.0/0
"Gateway" (39) - VPNonline-OpenVPN
"Routing Mark" (40) - VPNonline
To approve changes, click "OK" (41)

Mikrotik OpenVPN Client

A new routing route has been added (42) and the VPN connection should be established.

Mikrotik OpenVPN Client

Remote access to Mikrotik router using a fixed IP address via VPN

(The fixed IP address will be assigned by VPNonline on one of the VPN servers
Access to the router, it works very well on GSM / LTE links)

Only the ports defined below will pass through the VPN tunnel.
Any other Internet traffic will go through local internet connection.

Winbox - TCP 8291 (default port)
SSH - TCP 22
(default port)
Interface VPN - VPNonline-PPTP (
sample VPN interface)

1. Mangle traffic (Mark Routing) for the selected service or ports used for access to the router (Chain Prerouting and Output).
The entries below must be the first of the Mangle rules.

Mikrotik Access Management via VPN

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp dst-port=8291 log=no log-prefix="" 
add chain=prerouting action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp dst-port=22 log=no log-prefix="" 
add chain=output action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp src-port=8291 log=no log-prefix=""
add chain=output action=mark-routing new-routing-mark=VPNonline passthrough=no protocol=tcp src-port=22 log=no log-prefix=""

2. Static route to the Internet via VPN interface with selected Mark Routing

Mikrotik Access Management via VPN

/ip route
add distance=1 gateway=VPNonline-PPTP routing-mark=VPNonline

3. Rule on the Firewall allowing traffic to the router from the Internet via the VPN interface (VPNonline-PPTP)

Mikrotik Access Management via VPN

/ip firewall filter
add chain=input action=accept protocol=tcp routing-mark=VPNonline in-interface=VPNonline-PPTP  dst-port=8291 log=no log-prefix=""
add chain=input action=accept protocol=tcp routing-mark=VPNonline in-interface=VPNonline-PPTP  dst-port=22 log=no log-prefix=""

Port forwarding on the Mikrotik router via the VPN interface


Only the ports defined below will be redirected from the Internet through the VPN tunnel.

Ports to redirect - WWW server - TCP 80, 8080 (sample ports)
Internal IP address - WWW server - 192.168.88.200

Interface VPN - VPNonline-PPTP ( sample VPN interface)

1. Add DST NAT rules for specific ports and add Masquerade for hosts going through VPN

The order of the lines is important!

Mikrotik Port Forwarding via VPN

/ip firewall nat
add action=dst-nat chain=dstnat comment="Access to server WWW via VPNonline" dst-port=80 in-interface=VPNonline-PPTP protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=dst-nat chain=dstnat dst-port=8080 in-interface=VPNonline-PPTP protocol=tcp to-addresses=192.168.88.200 to-ports=8080
add action=masquerade chain=srcnat comment="Masqarade for VPN" out-interface=VPNonline-PPTP


2. M
ark traffic to the server (192.168.88.200) in the Mangle section (New Routing Mark)

Mikrotik Port Forwarding via VPN

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Server WWW" new-routing-mark=VPNonline passthrough=yes src-address=192.168.88.200


3.
Static route to the Internet via the VPN interface with selected Mark Routing

Mikrotik Port Forwarding via VPN

/ip route
add distance=1 gateway=VPNonline-PPTP routing-mark=VPNonline


4. Firewall rule allows traffic from the Internet to the WWW server (192.168.88.200)
For redirection, we use the FORWARD CHAIN, the order of the lines is important!

Mikrotik Port Forwarding via VPN

/ip firewall filter
add action=accept chain=forward comment="Access to server WWW via VPNonline" dst-port=80 in-interface=VPNonline-PPTP protocol=tcp routing-mark=VPNonline
add action=accept chain=forward dst-port=8080 in-interface=VPNonline-PPTP protocol=tcp routing-mark=VPNonline