I have part of my self-hosted services on cloud and part at my home, ia have solved connection between them with OpenVPN sever installed on cloud machine and Raspbery Pi 2 as my client. If you are familiar with MikroTik, you can instal Cloud hosted router on your provider.
Installation#
This first part can be different by cloud service provider. I’m installing this on Hetzner cloud.
Create new cloud machine, go to settings and enable rescure system.
Next you will need download raw image for CHR from Mikrotik Website.
I will use stable version of image. Latest version when i writing this post is 6.48.3, so check if there is something newer. Next extract it directly to the disk with DD as follows
curl https://download.mikrotik.com/routeros/6.48.3/chr-6.48.3.img.zip > chr.zip
funzip chr.zip > chr.img
dd if=/path/to/chr.img of=/dev/sda bs=1M
When its done you can restart your machine with reboot.
Securing router#
Create new user with full rights and remove old admin user.
/user add name=<username> password=<userpassword> group=full
/user remove admin
I will recommend to you to change SSH port something other than 22
/ip service set ssh port=12345
You can also connect to the router with Winbox if you are on Window PCs. Ok back to point. Next is recomended to disable all unwanted services.
First of all disable remote request to our DNS server.
/ip dns set allow-remote-requests=no
When allow-remote-requests is set to yes, then mikrotik allows request on port 53 via TCP and UDP. We don’t need that on cloud because ip addresses and other stuff are managed by cloud provider, but when you want to use DNS (on local networks for ex.) than you need manage connection to DNS via firewall.
Next service - Mac-server is used to provide acces to routers that has no IP address. After you configure IP address on router you don’t need this service anymore.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
Another service we dont need is Neighbor discovery /ip neighbor. This service allows to find other devices compatible with MNDP (mikrotik neighbor discovery protocol) or CDP (cisco discovery ptorotcol) or LLDP. This working in Layer2 broatcast domain.
/ip neighbor discovery-settings set discover-interface-list=none
We are almost done, another services we dont need are proxy, socks, upnp and cloud, disable them as follows
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
Back to cloud if you want use services as DDNS or Backup you can keep enabled this service. Imo I don’t need DDNS as i have public static ip on mikrotik, and backup i can manage by uploading files to FTP server.
Last one in this section: enable to use stronger encryption for your SSH protocol
/ip ssh set strong-crypto=yes
Basic fireall setup#
to be continue …
This article is marketd as WIP, it is means that the article is not winished and may contains mistakes and typos.
This article is part of Mikrotik Administration series.
Reply by Email