Configure Mikrotik L2TP VPN for Windows and MacOS

Today, we look at how to configure an L2TP VPN server so you can remotely connect to your Mikrotik router from a Windows or MacOS computer.

The first step is to create a VPN user, this is done in PPP > Secrets. The options are mostly straightforward:

  • Name: your username
  • Password: select a strong password for your user
  • Service: select l2tp (or any)
  • Profile: default-encryption
  • Local address: set the IP address of your Mikrotik device on the LAN side
  • Remote address: this is the IP address you will get from the VPN; select an address that is available on your LAN

The next step is to enable the L2TP server: click PPP > L2TP Server.

  • Enable it
  • Default Profile: default-encryption
  • Authentication: mschap2
  • Use IPsec: yes
  • IPsec Secret: select a strong password; this is the pre-shared key

Now we need to create firewall rules to allow L2TP/IPsec traffic. Be sure to place these 2 rules before your input chain “DROP” rule, otherwise the VPN traffic is dropped before it reaches the accept rules.

Rule 1:

  • Chain: input
  • Protocol: 50 (ipsec-esp)

Rule 2:

  • Chain: input
  • Protocol: 17 (udp)
  • Ports: 500, 1701, 4500

The next step is to configure IPsec so it can talk to Windows and MacOS. There is a matrix of the supported protocols on https://help.mikrotik.com/docs/display/ROS/IPsec, but the screenshots below show the most compatible settings I found.

To do so, select IP > IPsec > Proposals and then Profiles.

And that’s it, now on a Windows 10 PC you can just add a new L2TP VPN connection, and it should work!
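The same L2TP/IPsec setup entered from the RouterOS terminal, as an added example that is not part of the original post. The user name, LAN addresses, password and pre-shared key are placeholders, and the `place-before` clause assumes exactly one drop rule exists in the input chain.

```routeros
# Added example: the L2TP/IPsec configuration described above as RouterOS CLI commands.
# Every CHANGE-ME value is a placeholder; the LAN is assumed to be 192.168.88.0/24.

# 1. VPN user (PPP > Secrets)
/ppp secret add name=vpnuser password=CHANGE-ME-strong-password \
    service=l2tp profile=default-encryption \
    local-address=192.168.88.1 remote-address=192.168.88.250

# 2. L2TP server (PPP > L2TP Server): MS-CHAPv2 only, IPsec enabled.
#    use-ipsec=required (instead of yes) refuses clients that try to connect without IPsec.
/interface l2tp-server server set enabled=yes \
    default-profile=default-encryption authentication=mschap2 \
    use-ipsec=yes ipsec-secret=CHANGE-ME-pre-shared-key

# 3. Firewall: accept ESP (protocol 50) and IKE / NAT-T / L2TP (UDP 500, 4500, 1701)
#    and insert both rules above the existing input-chain drop rule.
/ip firewall filter add chain=input protocol=ipsec-esp action=accept \
    comment="allow L2TP/IPsec ESP" place-before=[find chain=input action=drop]
/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 \
    action=accept comment="allow L2TP/IPsec UDP" place-before=[find chain=input action=drop]

# Verify the rule order and the server state before testing from a client.
/ip firewall filter print where chain=input
/interface l2tp-server server print
```

If the accept rules still sit below the drop rule, move them with `/ip firewall filter move` before connecting.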

VMWare upgrade from 6.7 to 7 MISSING_DEPENDENCY_VIBS ERROR

Recently I had to upgrade an HPE DL325 server running the VMWare ESXi 6.7U3 HPE Custom ISO to the VMWare ESXi 7.0.2 HPE Custom ISO.

Doing so, I got a “MISSING_DEPENDENCY_VIBS ERROR” on module HPE_bootbank_ssacli_4.15.6.0-6.7.0.75355516 at the end of the installation process.

To solve this, reboot your ESXi host, enable SSH on it, and then remove the problematic VIB so the upgrade process can proceed without an error:

[root@esxi1ng:~] esxcli software vib list | grep ssacli
ssacli 4.15.6.0-6.7.0.7535516 HPE PartnerSupported 2020-05-05
[root@esxi1ng:~] esxcli software vib remove --vibname ssacli
Removal Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed:
   VIBs Removed: HPE_bootbank_ssacli_4.15.6.0-6.7.0.7535516
   VIBs Skipped:

Done, that’s all there is to it; you can now upgrade.

Configure Mikrotik SSTP VPN with TLS certificate

In our previous post, we showed how to automatically generate and activate/renew a Let’s Encrypt TLS certificate on a Mikrotik device: https://www.amd-k6.com/automate-letss-encrypt-tls-certificate-on-mikrotik-routeros/

Today, we look at configuring an SSTP VPN server which uses this certificate so you can remotely connect to your Mikrotik router from a Windows PC, for example.

The first step is to create a VPN user, this is done in PPP > Secrets. The options are mostly straightforward:

  • Name: your username
  • Password: select a strong password
  • Service: select sstp
  • Profile: default-encryption
  • Local address: set the IP address of your Mikrotik device on the LAN side
  • Remote address: this is the IP address you will get from the VPN; select an address that is available on your LAN

Automate Let’s Encrypt TLS certificate on Mikrotik RouterOS

To configure an SSTP or OpenVPN service on my Mikrotik router, I needed to generate and upload a real TLS certificate to the device. Some solutions exist in various blog posts, but they are either too complicated, outdated or badly documented. So I made my own post and script. I hope it helps someone!

The goal here is to generate a Let’s Encrypt certificate and upload/activate it on a Mikrotik router. What you will need to do manually is:

  • Generate a Let’s Encrypt certificate
  • Create a user to SSH to your Mikrotik
  • Run the script to transfer and activate the certificate

Kubernetes – Run workloads on the Control Plane Node

If you ever installed a Kubernetes cluster, you probably know that the minimal setup is composed of 2 nodes: a Control Plane Node (previously called master) and a Worker Node. This is a good thing as we usually don’t want workloads interfering with the API in production environments.

But what about lab environments where you want to run everything in a single VM for example? Well, it’s absolutely possible and actually very simple to configure a Control Plane Node to also accept workloads (pods).

This is managed by “taints”, which are configuration strings applied to nodes. On your Control Plane Node, you can see this by running:

# kubectl describe nodes YourNodeName | grep Taints

It will give you back a string resembling “node-role.kubernetes.io/master:NoSchedule”. NoSchedule: the name says it all.

Well, you can simply remove this taint by running the following command; note the “-” at the end, which removes the taint:

kubectl taint nodes YourNodeName node-role.kubernetes.io/master:NoSchedule-

And that’s it, you can now run workload pods on your Control Plane Node in your lab.

CentOS Stream 8 software RAID1 and UEFI GPT Boot configuration

This post has nothing to do with the usual content of this website (not K6 related), but I’m sharing my experience of configuring a CentOS Stream 8 Linux software RAID 1 installation on a UEFI system that actually boots when you replace a failed disk.

Most of the tutorials and articles online cover installations where the disks are in MBR (legacy) mode and not GPT (UEFI), and this has a huge impact on how your system boots and how you act when a disk fails. We’ll have a look at a scenario where we:

  • Start by installing CentOS Stream 8 in software RAID 1 (on 2 disks) mode
  • Simulate the failure of one drive
  • Replace the drive so the RAID arrays are synchronized again
  • Configure the UEFI to be able to boot on this new replacement drive

For demonstration purposes, this will be done using a VM in VirtualBox, but it also applies to any PC or Server booting in UEFI mode, as most machines do nowadays.


Windows 2000 with nVidia FX5700

One of the hardest things to get right when installing a K6 machine is to have a working Windows/DirectX/drivers combination. Well, after some sweat I’m happy to say that I finally found the perfect sweet spot:

  • Windows 2000 with unofficial SP5
  • nVidia GeForce FX 5700 with series-50 drivers
  • DirectX 9.0c from July 2006 (later versions may require SSE and crash on a K6 without telling you that)

This great success has led to the update of the OS Support page with all the info one may want and need... the system doesn’t BSOD on nv4_disp.dll when running DirectX 8/9 applications, and OpenGL also works fine!