Mikrotik IPsec Site to Site VPN: A Comprehensive Compendium 🕴️

With the rise of online censorship by many states around the world and the increasing use of geo-blocks by online services such as Spotify, Netflix, and Amazon, users are flocking en masse to VPNs to get around these restrictions. Although VPNs are highly effective against such measures, some of the more advanced methods of imposing internet restrictions also hinder VPNs in certain cases. Countries like Russia, China, Iran, and Cuba have demonstrated the ability to shut down the internet during political upheavals, to the degree that even many reliable VPN options such as OpenVPN and Cisco's VPN protocols, whether carried over UDP or TCP, will not work. In situations like these, more advanced VPN methodologies and protocols are needed to bypass internet restrictions. One such VPN solution is the Mikrotik IPsec site-to-site VPN.

Mikrotik is not the only option that helps restricted users gain access to the internet despite the imposed restrictions. Other technologies, such as reverse proxies, allow this too. But a site-to-site VPN is one of the most efficient and cheapest ways of doing so. So, in this article, I will go over the history and general background of Mikrotik VPNs before delving into how to establish a Mikrotik site-to-site VPN.

What is RouterOS?

RouterOS is an advanced, control-panel-oriented OS developed by Mikrotik that lets you use the hardware of a desktop computer (or MikroTik's own RouterBOARD devices) as a high-performance router. Beware that RouterOS is not free: after the initial free trial, you will need to purchase a license in order to keep running your RouterOS site-to-site VPN. Even so, it remains one of the most efficient and reliable tools for establishing a site-to-site VPN, so I would say the license is worth buying.

RouterOS is not just used to establish a site-to-site VPN. Since it essentially turns your PC into a full high-performance router, many other router functions can also be performed by your desktop. This includes highly advanced firewalls that you can use to secure your system or network. The program is based on Linux V2, so naturally it has better compatibility with Linux distros than with Windows.

About Mikrotik 

MikroTik is a tech company based in Riga, Latvia. Considered one of the most pre-eminent tech companies in the Baltic region, it is mostly known for its highly configurable and advanced protocols that facilitate wired as well as wireless connections. These include both hardware as well as software products, which include but are not limited to routers, switches, access points, and operating systems such as the aforementioned RouterOS. Mikrotik is one of the largest market shareholders of its kind in all of Europe, with the company estimated to be worth well above $1 billion as of 2022. 

Mikrotik is known for its quality, and its products are designed to work together, so you can purchase their hardware and get excellent performance when combining it with their software, such as their access points and RouterOS. Mikrotik is the developer of RouterOS, which we will be using to establish a site-to-site VPN with the IPsec protocol in today's guide. But before getting ahead of ourselves, let's get to know what a site-to-site VPN actually is, so you can better judge whether it suits your needs. If you need help installing Mikrotik CHR on your VPS, check out our guide to installing and optimizing it.

What is a Site-to-Site VPN?

In principle, a Mikrotik site-to-site VPN and a normal VPN are not much different. For example, the IPsec protocol used in this guide is one of the most popular protocols in the world for building normal VPNs. The main difference lies not in the tunnel and protocol itself but in the fact that a normal VPN uses this tunnel to connect users to a centralized server, whereas a site-to-site VPN connects the end user's network to another network rather than to a server. With this change comes a set of advantages and disadvantages that I will now go over.

Advantages

Here are the main advantages that a site-to-site VPN has to offer. Do note that these advantages are situational, and some of them may not apply depending on the nature of your specific site-to-site VPN. However, in general, they apply in principle. So keep them in mind.

Secure Base Level Connection

IPsec, one of the most common protocols used for tunneling both remote-access VPNs and site-to-site VPNs, is encrypted. So all the data sent between the two networks in a site-to-site VPN built on this protocol is protected in transit. Even if an attacker does get hold of the traffic between your sites, all they would see is ciphertext, so eavesdropping on the tunnel yields nothing useful. Despite this high level of base security, there are certain drawbacks to site-to-site VPN security as well that I will get to further down the article.

Easy-to-Understand Architecture

Since a site-to-site VPN connects networks instead of individual clients to a server, there is no need to translate internal LAN addresses between the sites. All the sites involved in this VPN scheme can instead use each other's internal addresses and ranges directly. This makes a site-to-site VPN an easier-to-establish VPN option. Especially for businesses that use a large number of computers and networks, a site-to-site VPN is highly advantageous, as each network can be used as-is. However, this high number of networks needs management, which I will mention further down. A VPS is a great way to obtain a second network for a site-to-site VPN. You can read my list of the 10 best VPS options for VPN in 2023!

Access Control

With a site-to-site VPN, as the admin of the network you can define access controls for different sets of users much more easily. Since the entire architecture of a site-to-site VPN relies on internal users within the established networks connecting to each other, you can easily block all external access. This enhances the security of the network as a whole and also prevents resources from being consumed by external users. You can also define access layers within the network architecture in order to grant or revoke access for different user groups based on your preferences. In this respect, a site-to-site VPN is much more configurable in its deployment options than a traditional remote-access VPN.

Good in Tight Restrictions

As mentioned, the Mikrotik site-to-site VPN is highly useful when state-sponsored internet restrictions get increasingly tight and normal VPNs begin to lose their utility. This is because, unlike traditional VPNs that connect to a specific server on a specific port, site-to-site VPNs can use any network as a host for the VPN, making it very hard to track and block all the ports and endpoints that make this VPN connection happen. Therefore, as long as the VPN protocol of choice is working, you can use different networks to create a site-to-site VPN and bypass internet restrictions.

Disadvantages

Here are the main disadvantages of a site-to-site VPN. Do note that these disadvantages are situational, and some of them may not apply depending on the nature of your specific site-to-site VPN. However, in general, they apply in principle. So keep them in mind.

Lack of Scalability

The most important drawback of a site-to-site VPN is its lack of proper scalability. Since a site-to-site VPN requires a point-to-point connection, a unique set of credentials is required for each additional pair of sites connected using a site-to-site VPN. This may not seem like a big deal at first, but if you have a large network that requires a site-to-site VPN, the number of required tunnels grows with every pair of sites you wish to connect (a full mesh of n sites needs n(n-1)/2 tunnels). This severely hampers scalability. However, if managing the high number of VPNs and their costs is not a concern for you, this will not be a major issue.

Poor Routing

In order to provide security on top of the base-level security offered by the site-to-site VPN itself, some organizations have little choice but to route all connections through a central hub where they can be inspected. This is a major issue: if you have a large number of sites connected to each other within the network, this process puts a heavy load on the hub and adds a lot of latency. This can be thought of as another form of poor scalability in site-to-site VPNs.

No Integrated Security

While I did mention IPsec encryption as one of the security advantages of site-to-site VPNs, that is not an integrated security feature, meaning it is not part of the bare-bones networks that you use to establish the connection. This in turn means that most of the added security needs to be manually configured, especially for connections involving more than two networks. In other words, if you are looking for more security than the base level provides, a site-to-site VPN is only as safe as you make it.

Requires Direct Management

Although establishing a single VPN connection between two sites is rather straightforward using MikroTik's RouterOS, as the number of site pairs increases, managing the networks and the tunnels becomes an increasingly demanding task. Aside from this, managing WAN networks tends to be inherently difficult as well. So you either need to be well versed in managing these networks yourself, or, if you are implementing a large number of site-to-site VPN connections as part of your business plan, you need an IT expert to manage the network for you at all times.

What is the IPSec Protocol?

Now that we know all we need to know about what a site-to-site VPN is, how it works, and its advantages and disadvantages, it is also a good idea to quickly familiarize ourselves with the qualities and properties of the IPsec protocol, since this will be the protocol of choice for today's guide. IPsec is short for Internet Protocol Security. It is a bundle of different protocols and algorithms that securely transfers network data between hosts, servers, and networks. As the name implies, IPsec puts a heavy emphasis on the security of established connections, which makes it a highly popular option for VPNs.

IPsec's use cases go beyond VPNs, since its strong security makes it a reliable option for online financial transactions, the storage of sensitive government information and medical records, and corporate data. Despite its strong security and many use cases, it is also one of the easiest VPN protocols for governments to block when they want to impose internet censorship. In today's guide, we will use this protocol to establish a site-to-site VPN connection; however, if the protocol is blocked in your country, you will need an alternative protocol.


Comprehensive Mikrotik IPSec Site to Site VPN Step by Step Guide

First, you will need two separate Mikrotik RouterOS-powered networks in order to establish an IPsec site-to-site VPN. I will list the configuration of each of these networks below for educational purposes, but do note that your networks will have different addresses, so keep that in mind when configuring your VPN using this guide:

1- Office 1 Router WAN IP: 192.168.70.2/30 and LAN IP Block 10.10.11.0/24

2- Office 2 Router WAN IP: 192.168.80.2/30 and LAN IP Block 10.10.12.0/24

Step 1: Configure your Mikrotik RouterOS Office 1

After you have logged in to your RouterOS on Office 1, via either the free trial or a purchased license, it is time to configure it. Go to IP > Addresses and click the plus sign to open the New Address window. In the address box, enter the WAN address 192.168.70.2/30 and select ether1 as the WAN interface. Then click the plus sign again and this time enter the LAN address 10.10.11.1/24, choosing ether2 as the LAN interface.

Once you have done this, it is time to configure DNS and the firewall. Go to IP > DNS and enter 8.8.8.8 as the server. Then go to IP > Firewall and open the NAT tab. Click the plus sign again and, in the General tab, select srcnat from the Chain dropdown; then go to the Action tab, choose masquerade as the action, and apply the changes.

Finally, go to IP > Routes, click the plus sign, and enter the WAN gateway address 192.168.70.1 in the Gateway box. Apply and exit. You have now configured the first Mikrotik site.

Step 2: Configure your Mikrotik RouterOS Office 2

With the first site configured, it is time to repeat the process for the second Mikrotik router site, known in this guide as Mikrotik RouterOS Office 2.

After you have logged in to your RouterOS on Office 2, go to IP > Addresses and click the plus sign. In the address box, enter the WAN address 192.168.80.2/30 and select ether1 as the WAN interface. Then click the plus sign again and this time enter the LAN address 10.10.12.1/24, choosing ether2 as the LAN interface.

Once you have done this, it is time to configure DNS and the firewall. Go to IP > DNS and enter 8.8.8.8 as the server. Then go to IP > Firewall and open the NAT tab. Click the plus sign again and, in the General tab, select srcnat from the Chain dropdown; then go to the Action tab, choose masquerade as the action, and apply the changes.

Finally, go to IP > Routes, click the plus sign, and enter the WAN gateway address 192.168.80.1 in the Gateway box. Apply and exit. You have now configured the second Mikrotik RouterOS site.

Step 3: Peer IPsec Configuration for Office 1 RouterOS Site

Since we are going to use the IPsec protocol, we need to perform the peer configuration on both of our Mikrotik RouterOS sites. The process is not complicated and is the same for both sites; the only difference is the address we use.

Go to IP > IPsec and open the Peers tab. Click the plus sign once more and, in the newly opened IPsec Peer window, enter the WAN IP address of your Office 2 RouterOS site. Be careful not to enter the IP address of your first site! In this case, the address is 192.168.80.2. In the Port input, enter 500.

In the dropdown menu for the authentication method, choose the pre-shared key option. Then enter a strong secret of your choosing, which must be the same on both sites. Save and apply. You have successfully completed the IPsec peer configuration on your Office 1 RouterOS site.

Step 4: Peer IPsec Configuration for Office 2 RouterOS Site

The process is the same for the Office 2 RouterOS site. We simply swap the address used in the previous step for the address of the Office 1 RouterOS site. Go to IP > IPsec and open the Peers tab. Click the plus sign once more and, in the newly opened IPsec Peer window, enter the WAN IP address of your Office 1 RouterOS site. Be careful not to enter the IP address of your second site! In this case, the address is 192.168.70.2. In the Port input, enter 500.

In the dropdown menu for the authentication method, choose the pre-shared key option. Then enter the same secret that you provided in the previous step. Save and apply. You have successfully completed the IPsec peer configuration on your Office 2 RouterOS site.

Step 5: Policy Configurations for IPsec in Office 1 RouterOS Site

After configuring the peer options for IPsec, we now move on to the policy configuration. As with the previous steps, the process is largely the same for both Office RouterOS sites.

Once again, go to IP > IPsec, open the Policies tab, and click the plus sign. In the General tab, enter the source address of Office 1 (10.10.11.0/24). Leave the port fields unchanged, since we want all ports to be covered by default.

In the destination address field, enter the Office 2 LAN address, which is 10.10.12.0/24. Go to the Action tab and make sure the Tunnel checkbox is ticked so that tunnel mode is enabled. In the proposal field, select the default option, then save and apply to finish the policy configuration for your Office 1 RouterOS site.

Step 6: Policy Configurations for IPsec in Office 2 RouterOS Site

Repeat the process from Step 5 on the Office 2 RouterOS site, paying attention to the swapped addresses.

Go to IP > IPsec, open the Policies tab, and click the plus sign. In the General tab, enter the source address of Office 2 (10.10.12.0/24). Leave the port fields unchanged, since we want all ports to be covered by default.

In the destination address field, enter the Office 1 LAN address, which is 10.10.11.0/24. Go to the Action tab and make sure the Tunnel checkbox is ticked so that tunnel mode is enabled. In the proposal field, select the default option, then save and apply to finish the policy configuration for your Office 2 RouterOS site.

Step 7: NAT Configuration for Office 1 RouterOS Site

Finally, before establishing the connection itself, we need to configure NAT on both the Office 1 and Office 2 RouterOS sites that we are connecting as part of our RouterOS site-to-site VPN. This step is also the same for both sites, with only the addresses differing.

Go to IP > Firewall once again and open the NAT tab. Click the plus sign to open the New NAT Rule window. In the General tab, choose srcnat as the chain.

In the Src. Address field, enter the Office 1 LAN address, 10.10.11.0/24. In the Dst. Address field, enter the Office 2 LAN address, 10.10.12.0/24. Go to the Action tab and choose accept, so that traffic between the two LANs is not masqueraded; this rule must sit above the masquerade rule from Step 1, since the first matching srcnat rule wins. Save and apply. The NAT configuration for the Office 1 RouterOS site is now finished.

Step 8: NAT Configuration for Office 2 RouterOS Site

Repeat the same process on the Office 2 RouterOS site, paying attention to the addresses.

Go to IP > Firewall once again and open the NAT tab. Click the plus sign to open the New NAT Rule window. In the General tab, choose srcnat as the chain.

In the Src. Address field, enter the Office 2 LAN address, 10.10.12.0/24. In the Dst. Address field, enter the Office 1 LAN address, 10.10.11.0/24. Go to the Action tab and choose accept, again placing this rule above the masquerade rule. Save and apply. The NAT configuration for the Office 2 RouterOS site is now finished.
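The whole procedure above, Steps 1 through 8, as RouterOS terminal commands, is shown below as an added example; it is not the article's own configuration and was not supplied by MikroTik. It assumes RouterOS 6.43 or later (including v7), where the peer and its pre-shared-key identity are separate objects, and it uses the article's addresses and the interface names ether1/ether2. The peer names office1/office2, the `out-interface=ether1` restriction on the masquerade rule, the `place-before=0` ordering of the NAT bypass rule, and the input filter rules for IKE and ESP are additions of this example. The pre-shared key is a placeholder; replace it with a long random secret that is identical on both sites.

```routeros
# Office 1 router: WAN 192.168.70.2/30 on ether1, LAN 10.10.11.0/24 on ether2.
# Added example (not the article's own); assumes RouterOS 6.43+ / v7 CLI syntax.

# Step 1: addresses, DNS, internet masquerade and default route
/ip address add address=192.168.70.2/30 interface=ether1 comment="WAN"
/ip address add address=10.10.11.1/24 interface=ether2 comment="LAN"
/ip dns set servers=8.8.8.8
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="internet NAT"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.70.1

# Step 3: IKE peer (Office 2 WAN address, UDP 500) and its pre-shared-key identity.
# The secret is a placeholder and must match on both sites.
/ip ipsec peer add name=office2 address=192.168.80.2/32 port=500 exchange-mode=main
/ip ipsec identity add peer=office2 auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Step 5: policy - encrypt LAN-to-LAN traffic in tunnel mode using the default proposal
/ip ipsec policy add peer=office2 tunnel=yes src-address=10.10.11.0/24 dst-address=10.10.12.0/24 \
    proposal=default action=encrypt level=require

# Step 7: NAT bypass - accept LAN-to-LAN traffic so it is never masqueraded.
# place-before=0 puts this rule ahead of the masquerade rule; the first matching
# srcnat rule wins, and masqueraded packets would not match the IPsec policy.
/ip firewall nat add chain=srcnat src-address=10.10.11.0/24 dst-address=10.10.12.0/24 \
    action=accept place-before=0 comment="no NAT for IPsec LAN-to-LAN"

# Not in the article: if your input chain drops by default, allow IKE (UDP 500/4500)
# and ESP from the peer's WAN address only, so the IPsec service is not exposed to everyone
/ip firewall filter add chain=input src-address=192.168.80.2 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input src-address=192.168.80.2 protocol=ipsec-esp action=accept

# Office 2 router (Steps 2, 4, 6, 8): the same commands with the two sides swapped
/ip address add address=192.168.80.2/30 interface=ether1 comment="WAN"
/ip address add address=10.10.12.1/24 interface=ether2 comment="LAN"
/ip dns set servers=8.8.8.8
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="internet NAT"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.80.1
/ip ipsec peer add name=office1 address=192.168.70.2/32 port=500 exchange-mode=main
/ip ipsec identity add peer=office1 auth-method=pre-shared-key secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip ipsec policy add peer=office1 tunnel=yes src-address=10.10.12.0/24 dst-address=10.10.11.0/24 \
    proposal=default action=encrypt level=require
/ip firewall nat add chain=srcnat src-address=10.10.12.0/24 dst-address=10.10.11.0/24 \
    action=accept place-before=0 comment="no NAT for IPsec LAN-to-LAN"
/ip firewall filter add chain=input src-address=192.168.70.2 protocol=udp dst-port=500,4500 action=accept
/ip firewall filter add chain=input src-address=192.168.70.2 protocol=ipsec-esp action=accept

# Verification, run on Office 1: the peer should be listed as established, a pair of
# SAs installed, and a ping sourced from the LAN address must cross the tunnel
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ping 10.10.12.1 src-address=10.10.11.1 count=4
```

If `active-peers` stays empty, check the pre-shared key and the input filter first; if the peer is established but the ping fails, the usual cause is the NAT bypass rule sitting below the masquerade rule, which `/ip firewall nat print` will show by rule order.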

Congratulations! You can now establish the connection between your two RouterOS sites and enjoy your very own Mikrotik site-to-site VPN!

Remote Access VPN vs. Site-to-Site VPN: Which one is for you?

The answer to this question largely comes down to your situation and resources. If all you want is a simple VPN connection to encrypt your data and secure the connection, or if you are looking to bypass basic internet restrictions and geo-blocks, such as Netflix content allocation, then a normal remote-access VPN will provide basically everything you need.

If, on the other hand, you need a well-integrated VPN that connects the networks in your company on a one-to-one basis, then a site-to-site VPN is perfect for you. Note, however, that after a certain number of site pairs, managing the VPN connections becomes a hassle, so this solution is best suited to small and medium-sized businesses.

Another major use case for a site-to-site VPN is when the existing internet censorship or restrictions also target typical VPN ports and servers, rendering them ineffective. Here, site-to-site VPNs are especially useful. So while in the majority of cases a normal VPN will solve your problem, site-to-site VPNs also come in handy in sticky situations.


Conclusion 

So, here we are finally, with all the questions about the Mikrotik site-to-site VPN, RouterOS, MikroTik itself, and IPsec answered. If you found this guide useful or interesting and now want to start your own Mikrotik site-to-site VPN, chances are you have access to one network in your home or workplace but not a second one. In that case, Cloudzy's tailored Mikrotik VPS is here to help you out. It comes with the RouterOS client pre-installed and pre-configured on our end, so you can quickly configure your own Mikrotik RouterOS instance and establish a site-to-site VPN without much hassle.


Cloudzy's Mikrotik VPS starts at only $9.95 and lets you connect from more than 15 locations around the world, with excellent latency and security, diverse payment options such as Bitcoin and other cryptocurrencies, flexible billing, and a 7-day money-back guarantee to assure you of the quality of the service.

FAQ

Is Site-to-Site VPN Secure?

Site-to-site VPNs enjoy a decent level of base security compared to normal VPNs, as traffic stays enclosed between the participating networks. However, adding security on top of that is a challenge.

Is RouterOS Free?

No. You can use RouterOS for free for 60 days before needing to purchase a license. The RouterOS plans are Plan 1 (1 Gbit, $45) and Plan 2 (10 Gbit, $95).

What is the Best Site to Site VPN Service?

While there are several reliable options out there such as Atlas, NordVPN, and IPVanish, Mikrotik site-to-site VPN is by far the most advanced and configurable of the bunch.
