While building the best and fastest home network for me and my family, I got the opportunity to switch internet provider in order to get a 1 Gbit/s connection, up and down. In my quest for the right hardware, my brother and several colleagues advised me to have a look at a MikroTik router. After some quick research, I bought a MikroTik RB750GR3 and installed it. Just for fun, I wanted to create a VPN from the new MikroTik router to my Azure network. After successfully creating the VPN, I wrote this blog post so that others have a manual for doing the same.
Azure Landing Zone
First, I created a new landing zone with my script (link). This script creates the resources I consider the default for a landing zone:
- Resource groups – based on the customer abbreviation parameter, two resource groups are created: rg-[abbreviation]-vnet-01 and rg-[abbreviation]-rsv-01.
- Recovery Services vaults – two vaults are created, one with GRS storage and one with LRS storage.
- Virtual Network (VNET) – one virtual network is created, named [abbreviation]-vnet-01.
- Subnets – three subnets are created: a GatewaySubnet with a /27 address space, a DefaultSubnet with a /24 address space and an AVDSubnet, also with a /24 address space.
- Network Security Groups – two NSGs are created, nsg-DefaultSubnet and nsg-AVDSubnet, each associated with the matching subnet. The GatewaySubnet deliberately gets none, as Azure does not support an NSG on the gateway subnet.
- VPN Gateway – depending on the vpnGateWay parameter, a basic route-based VPN Gateway named [abbreviation]-vnetgw-01 is created.
- Public IP – a public IP address for the VPN Gateway is created, named [abbreviation]-vnetgw-01-pip.
After the landing zone is created, we need to create the connection on both sides, local and remote. In this example, local is my home network and remote is the Azure environment. To create the Azure side, I used my script that can be found here. The script needs a couple of parameters, which are explained in the script itself. It creates two resources in Azure. First a local network gateway, which holds the address space and the public IP of your home network. Then a connection, which is the glue between the local network gateway and the previously created VPN Gateway and which carries the pre-shared key. That key is the only thing authenticating the two ends, so generate a long random one and keep it for the MikroTik configuration.
Now that the Azure side is set up, we can configure the MikroTik router. This can be done in a couple of ways: through the web interface or over SSH on the router's command line. In this blog post I used the web interface. There we need to create a couple of objects, which I explain in the coming sections.
First, we need to create a profile, which holds the phase 1 (IKE) algorithms. In my configuration I used the following settings:
- Hash Algorithms: sha256
- Encryption Algorithms: 3des, aes-256
- DH Group: modp1024
- Proposal Check: obey
- Lifetime: 1d 00:00:00
- DPD Interval: 120
- DPD Maximum Failures: 5
Note that 3des and modp1024 (DH group 2) are legacy choices. Azure's default route-based gateway also accepts AES-256 with SHA-256 and DH group 14 (modp2048), so you can select modp2048 and drop 3des from the list and the tunnel will still come up, with stronger key exchange and encryption.
After setting the profile, we need to create the peer, which holds the information about the Azure side. For the peer I used the following settings:
- Name: Azure VPN (choose your own name here)
- Address: Public IP address of the VPN Gateway
- Local Address: Public IP address of your home network (the same address you entered in the local network gateway)
- Profile: The previously created profile
- Exchange Mode: IKE2
- Send INITIAL_CONTACT: checked
Now that the profile and peer are in place, we can continue with the identity. On the Identity tab I used the following settings:
- Peer: The previously created peer name
- Auth. Method: pre shared key
- Secret: The pre-shared key that was set on the Azure connection
After the identity is created, we need to create the proposal, which holds the phase 2 (IPsec/ESP) algorithms. I used the following settings:
- Name: Azure
- Auth. Algorithms: sha1, sha256
- Encr. Algorithms: 3des, aes-128 cbc, aes-256 cbc, aes-256 ctr, aes-256 gcm
- PFS Group: none
Only one combination has to match Azure's default IPsec policy. sha1 and 3des are again weak legacy options, and Azure does not offer AES-CTR at all, so sha256 with aes-256 cbc or aes-256 gcm is enough.
Last, I created the policy, which decides which traffic goes into the tunnel, with the following settings:
- Enabled: true
- Peer: Azure VPN (name of the peer)
- Tunnel: true
- Src. Address: Address space of your home network
- Dst. Address: Address space of the VNET
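The same configuration entered on the router's command line (the SSH alternative mentioned above), as an added example that is not from the original post. It tightens the algorithm lists to AES-256, SHA-256 and modp2048, which Azure's default route-based gateway accepts, and adds the firewall and NAT rules the post does not cover but which a router with the default RB750GR3 firewall (a drop-from-WAN input rule and a masquerade rule) needs before traffic actually enters the tunnel. All addresses, the interface name, the object names and the secret are placeholders to replace with your own values.

```routeros
# Added example, not from the original post. Placeholders (assumptions):
#   198.51.100.20   public IP of the Azure VPN Gateway ([abbreviation]-vnetgw-01-pip)
#   203.0.113.10    public (WAN) IP of the home router, as entered in the local network gateway
#   192.168.88.0/24 home LAN, the address space of the local network gateway in Azure
#   10.10.0.0/16    address space of the VNET
#   ether1          the WAN interface of the router

# Phase 1 (IKE) profile. aes-256 / sha256 / modp2048 (DH group 14) are all in Azure's
# default route-based proposal, so 3des and modp1024 are left out on purpose.
/ip ipsec profile add name=azure enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 proposal-check=obey lifetime=1d \
    dpd-interval=2m dpd-maximum-failures=5

# Peer: the Azure gateway, IKEv2, initiated from our own public address.
/ip ipsec peer add name=azure-vpn address=198.51.100.20/32 local-address=203.0.113.10 \
    profile=azure exchange-mode=ike2 send-initial-contact=yes

# Identity: PSK authentication with the key that was set on the Azure connection.
# Use a long random secret; it is the only thing authenticating both ends.
/ip ipsec identity add peer=azure-vpn auth-method=pre-shared-key \
    secret="REPLACE-WITH-THE-PRESHARED-KEY-FROM-THE-AZURE-CONNECTION"

# Phase 2 (ESP) proposal. One matching transform is enough: GCM is AEAD, CBC+SHA256 is the fallback.
/ip ipsec proposal add name=azure auth-algorithms=sha256 \
    enc-algorithms=aes-256-gcm,aes-256-cbc pfs-group=none

# Policy: which traffic goes into the tunnel. The address spaces must be the ones Azure knows
# from the local network gateway (src) and the VNET (dst).
/ip ipsec policy add peer=azure-vpn tunnel=yes proposal=azure \
    src-address=192.168.88.0/24 dst-address=10.10.0.0/16

# --- Not in the post, but needed with the default RB750GR3 firewall (assumption) ---
# 1) Let IKE (UDP/500), NAT-T (UDP/4500) and ESP from the Azure gateway through the input
#    chain, placed ahead of the default "drop everything else from WAN" rule.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 \
    src-address=198.51.100.20 in-interface=ether1 place-before=0 comment="IKE/NAT-T from Azure"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    src-address=198.51.100.20 in-interface=ether1 place-before=0 comment="ESP from Azure"
# 2) Allow traffic that arrived decrypted from the tunnel to be forwarded into the LAN.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec \
    place-before=0 comment="from Azure via IPsec"
# 3) Exempt tunnel-bound traffic from the masquerade rule. Without this the source address is
#    rewritten to the WAN address before the IPsec policy is matched and nothing enters the tunnel.
/ip firewall nat add chain=srcnat action=accept ipsec-policy=out,ipsec \
    src-address=192.168.88.0/24 dst-address=10.10.0.0/16 place-before=0 comment="no NAT for Azure tunnel"

# Check: the peer should be listed as established and the policy should have an installed SA pair.
/ip ipsec active-peers print
/ip ipsec policy print
/ip ipsec installed-sa print
```

If the peer never shows as established, the first things to compare are the public IPs on both sides (Azure's local network gateway must carry the router's WAN address, the peer's local-address must be that same address) and the pre-shared key; if the peer is established but pings to the VNET get no answer, the srcnat exemption rule is usually the missing piece.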
After creating the VNET, the VNET gateway and the configuration on the MikroTik router, I created a virtual machine in the VNET, and an RDP session to that virtual machine connected directly over the tunnel!
Stay tuned for new blog posts.