routeprotocol.com

ADGuard IKEv2 IPSec VPN from Mikrotik

Configuring a Mikrotik router to speak to AdGuard VPN is quite straight forward, once it’s all figured out. It provides an alternative to the AdGuard VPN client.

Adguard.com Configuration

After logging into the AdGuard account, navigate to the AdGuard VPN page and click the “+ Add Router” button. Give the connection a name under Device Name (or stick with the default of Router), select the protocol as IPSec and choose the location you wish your VPN to break out to the internet from, then click Add.

The pop-up box will refresh and display some important information: username, password, IP address, remote server ID. Take a note of all of these. Next download the certificate file comodo.crt to your device.

Mikrotik Configuration

Upload the certificate file to the root storage of the Mikrotik device, this can be completed via FTP, SFTP or via Winbox.

Next, SSH, telnet, or open a terminal window in Winbox to the Mikrotik device.

Importing the certificate

Navigate to /certificate and type import file-name=comodo.crt. Press enter to import the certificate from Mikrotik storage into the certificate store on the device.

Firewall Configuration

Address List

Navigate to /ip/firewall/address-list

Create a new list that will specify the addresses to be routed over the new AdGuard VPN. In this example 192.168.1.55 will utilise the AdGuard VPN

add address=192.168.1.55 list=vpn_include

Firewall Rules

Navigate to /ip/firewall/filter

As every Mikrotik will likely have different firewall rules, there can’t be a foolproof guide on adding the required rules.

As a general rule UDP Port 500 and 4500 will need permitted through the firewall.

IPSec Configuration

Mode Configuration

Navigate to /ip/ipsec/mode-config

add name=mode-adguard responder=no src-address-list=vpn_include use-responder-dns=no

IPSec Profile (Phase 1)

Navigate to /ip/ipsec/profile

add dh-group=ecp256 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128 name=profile-adguard proposal-check=strict

IPSec Peer

Navigate to /ip/ipsec/peer

Values to substitute from the details obtained from the AdGuard side are IP address, and the routers WAN IP in local-address.

add address=<adguard-ip-address> exchange-mode=ike2 local-address=<routers-wan-address> name=adguard profile=profile-adguard

IPSec Proposal (Phase 2)

Navigate to /ip/ipsec/proposal

add enc-algorithms=aes-128-cbc name=proposal-adguard pfs-group=none

IPSec Policy Group

Navigate to /ip/ipsec/policy/group

add name=adguard_group_policy

IPSec Identity

Navigate to /ip/ipsec/identity

Values to substitute are the remote server ID, certificate, username, and password.

add auth-method=eap certificate=comodo eap-methods=eap-mschapv2 generate-policy=port-strict mode-config=mode-adguard password=<adguard_password> peer=adguard policy-template-group=adguard_group_policy remote-id=fqdn:<adguard_remote_server_id> username=<adguard_username>

IPSec Policy

Navigate to /ip/ipsec/policy

add dst-address=0.0.0.0/0 group=adguard_group_policy proposal=proposal-adguard src-address=0.0.0.0/0 template=yes

add dst-address=192.168.1.55/32 src-addres=0.0.0.0/0 action=none place-before=1

Verifying Mikrotik Configuration

Inside of /ip/ipsec/active-peers it is possible to check the status of the VPN connection. State should be ‘established’ if the connection was successful.

It is important to note that AdGuard appears to block ICMP, including pings. This is a rare case that is it not possible to determine whether a connection was succcesful via a ping packet. Instead test browsing from a device that was included in the address list earlier.


Posted

in

by

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.