Configure Mikrotik L2TP VPN for Windows and MacOS

Today, we look at how to configure an L2TP VPN server so you can remotely connect to your Mikrotik router from a Windows or MacOS computer.

The first step is to create a VPN user; this is done in PPP > Secrets. The options are mostly straightforward:

  • Name: your username
  • Password: select a strong password for your user
  • Service: select l2tp (or any)
  • Profile: default-encryption
  • Local address: set the IP address of your Mikrotik device on the LAN side
  • Remote address: this is the IP address you will get from the VPN, select an address that is available on your LAN

The next step is to enable the L2TP server: click PPP > L2TP Server.

  • Enable it
  • Default Profile: default-encryption
  • Authentication: mschap2
  • Use IPsec: yes
  • IPSec Secret: select a strong password, this is the pre-shared key

Now we need to create firewall rules to allow L2TP/IPsec traffic. Be sure to create these 2 rules before your input chain “DROP” rule.

Rule 1:

  • Chain: input
  • Protocol: 50 (ipsec-esp)

Rule 2:

  • Chain: input
  • Protocol: 17 (udp)
  • Ports 500, 1701, 4500
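
The ordering requirement above can be checked against an exported rule set. This is an added example, not part of the original post: the sample export is constructed, and the helper names parse_rules and missing_before_drop are hypothetical.

```python
import shlex

# Constructed sample of "/ip firewall filter export" output (not from the page):
# the two L2TP/IPsec accept rules were appended after the DROP rule.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="drop everything else"
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 protocol=udp \
    comment="L2TP/IPsec"
'''

def parse_rules(export):
    """Return the filter rules as dicts, in the order RouterOS evaluates them."""
    rules, in_filter = [], False
    for line in export.replace("\\\n", " ").splitlines():  # join continued lines
        line = line.strip()
        if line.startswith("/"):
            in_filter = line == "/ip firewall filter"
        elif in_filter and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # shlex keeps quoted comments whole
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def missing_before_drop(rules):
    """List the required L2TP/IPsec accepts that no rule grants before the DROP."""
    need = {"ipsec-esp", "udp/500", "udp/1701", "udp/4500"}
    for rule in rules:
        if rule.get("chain") != "input" or rule.get("disabled") == "yes":
            continue
        action = rule.get("action", "accept")  # RouterOS default action is accept
        # Assumption: the "DROP" rule is the first input drop that is not limited
        # to one protocol or connection state; rules after it are never reached.
        if action == "drop" and not {"protocol", "connection-state"} & rule.keys():
            break
        if action != "accept":
            continue
        if rule.get("protocol") in ("ipsec-esp", "50"):
            need.discard("ipsec-esp")
        elif rule.get("protocol") in ("udp", "17"):
            for port in rule.get("dst-port", "").split(","):
                need.discard("udp/" + port)
    return sorted(need)

if __name__ == "__main__":
    for item in missing_before_drop(parse_rules(SAMPLE_EXPORT)):
        print("not allowed before the input DROP rule:", item)
```

An empty result means both rules sit ahead of the DROP rule; accept rules that use port ranges or extra matchers are outside what this check understands.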

The next step is to configure IPsec so it can talk to Windows and MacOS. There is a matrix of the supported protocols on https://help.mikrotik.com/docs/display/ROS/IPsec but I will give you the most compatible settings I found in the screenshots below.

To do so, select IP > IPSec > Proposals and then Profiles.

And that’s it, now on a Windows 10 PC you can just add a new L2TP VPN connection, and it should work!

VMware upgrade from 6.7 to 7 MISSING_DEPENDENCY_VIBS ERROR

Recently I had to upgrade an HPE DL325 server which was running VMware ESXi 6.7U3 HPE Custom ISO to VMware ESXi 7.0.2 HPE Custom ISO.

Doing so I got a “MISSING_DEPENDENCY_VIBS ERROR” on module HPE_bootbank_ssacli_4.15.6.0-6.7.0.75355516 at the end of the installation process.

To solve this, you have to reboot your ESXi host, enable SSH on it and then disable the problematic module so the upgrade process can proceed without an error:

[root@esxi1ng:~] esxcli software vib list | grep ssacli
ssacli 4.15.6.0-6.7.0.7535516 HPE PartnerSupported 2020-05-05
[root@esxi1ng:~] esxcli software vib remove --vibname ssacli
Removal Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed:
   VIBs Removed: HPE_bootbank_ssacli_4.15.6.0-6.7.0.7535516
   VIBs Skipped:

Done, that’s all there is to it, you can now upgrade.

Configure Mikrotik SSTP VPN with TLS certificate

In our previous post, we showed how to automatically generate and activate/renew a Let’s Encrypt TLS certificate on a Mikrotik device: https://www.amd-k6.com/automate-letss-encrypt-tls-certificate-on-mikrotik-routeros/

Today, we look at configuring an SSTP VPN server which uses this certificate so you can remotely connect to your Mikrotik router from a Windows PC, for example.

The first step is to create a VPN user; this is done in PPP > Secrets. The options are mostly straightforward:

  • Name: your username
  • Password: select a strong password
  • Service: select sstp
  • Profile: default-encryption
  • Local address: set the IP address of your Mikrotik device on the LAN side
  • Remote address: this is the IP address you will get from the VPN, select an address that is available on your LAN

Automate Let’s Encrypt TLS certificate on Mikrotik RouterOS

To configure an SSTP or OpenVPN service on my Mikrotik Router, I had the need to generate and upload a real TLS certificate to the device. Some solutions exist in various blog posts but they are either too complicated, outdated or badly documented. So I made my own post and script. I hope it helps someone!

The goal here is to generate a Let’s Encrypt certificate and upload/activate it on a Mikrotik router. What you will need to do manually is:

  • Generate a Let’s Encrypt certificate
  • Create a user to SSH to your Mikrotik
  • Run the script to transfer and activate the certificate

Kubernetes – Run workloads on the Control Plane Node

If you ever installed a Kubernetes cluster, you probably know that the minimal setup is composed of 2 nodes: a Control Plane Node (previously called master) and a Worker Node. This is a good thing as we usually don’t want workloads interfering with the API in production environments.

But what about lab environments where you want to run everything in a single VM for example? Well, it’s absolutely possible and actually very simple to configure a Control Plane Node to also accept workloads (pods).

This is managed by “taints”, which are configuration strings applied to nodes. On your Control Plane Node, you can see this by running:

# kubectl describe nodes YourNodeName | grep Taints

It will give you back a string resembling “node-role.kubernetes.io/master:NoSchedule”. NoSchedule, the name says it all.

Well, you can simply remove this taint by running the following command; note the “-” at the end, which removes the taint:

kubectl taint nodes YourNodeName node-role.kubernetes.io/master:NoSchedule-

And that’s it, you can now run workload pods on your Control Plane Node in your lab.

CentOS Stream 8 software RAID1 and UEFI GPT Boot configuration

This post has nothing to do with the usual content of this website (not K6 related) but I’m sharing my experience of configuring a CentOS Stream 8 Linux software RAID 1 installation on a UEFI system that actually boots when you replace a failed disk.

Most of the tutorials and articles online are about such installations where the disks are in MBR (legacy) mode and not GPT (UEFI), and this has a huge impact on how your system boots and how you act when a disk fails. We’ll have a look at a scenario where we:

  • Start by installing CentOS Stream 8 in software RAID 1 (on 2 disks) mode
  • Simulate the failing of one drive
  • Replace the drive so the RAID arrays are synchronized again
  • Configure the UEFI to be able to boot on this new replacement drive

For demonstration purposes, this will be done using a VM in VirtualBox, but it also applies to any PC or Server booting in UEFI mode, as most machines do nowadays.


Gigabyte GA-5AX performance optimisation

Having had my K6 system working for a couple of weeks now, I began tweaking the BIOS settings of my Gigabyte GA-5AX rev 4.1 to find the best performance. As it took quite some testing, I’m now sharing what I found ;)

First of all let’s remember the system:

  • AMD K6-2+ 550 MHz
  • 768 MB PC133 CL2 RAM
  • nVidia GeForce 3 Ti200 64MB
  • Fast SATA HDD
  • Windows XP SP3

I began by setting reasonably good BIOS settings, and after each individual setting change I ran a series of 5 benchmarks using the good old Quake 3 v1.32 with “timedemo 1, demo four”. Quake 3 has the advantage of giving very consistent and reproducible results over any other benchmark tool and after all I’m using this system for old games…

The first test I made is not BIOS related though… I tried to find the best nVidia driver working with my card. The 23.01 gave me an average of 28 FPS and the 21.83 WHQL an average of 28.7 FPS, so there is the first base… I’ll be using the ForceWare 21.83 WHQL for the rest of the tests.

Now I’ll go through each BIOS setting and give the FPS change from this baseline… note that the changes are “incremental” by always keeping the previous test’s best performance.

Primary Frame Buffer

  • 2 MB (BIOS default): 28.7 FPS
  • All: 28.2 FPS
  • Disabled: 28.8 FPS

VGA Frame Buffer

  • Enabled: 28.8 FPS
  • Disabled: 27.7 FPS

Data Merge

  • Enabled: 28.8 FPS
  • Disabled: 27.7 FPS

Tweaking “IO Recovery Period” or “AGP Texture Size” didn’t change anything. Then I changed the CPU from an AMD K6-2+ 550MHz to an AMD K6-3+ 550 MHz to see how the 128kB additional L2 cache influenced the result. Well the fps jumped from 28.8 to 31.1 FPS which is nice!

As you can see I wasn’t that wrong with my default configuration as I only managed to “lower” the result by tweaking some settings…that’s experience talking ;) Here are the pictures of my final best result settings…

GA-5AX BIOS – Base Menu

GA-5AX BIOS – Power Management Setup

GA-5AX BIOS – PNP/PCI Configuration

GA-5AX BIOS – Integrated Peripherals

GA-5AX BIOS – BIOS Features Setup

GA-5AX BIOS – Chipset Features Setup