From fe2815b7ff91bdef21787c19054e844768494d5a Mon Sep 17 00:00:00 2001
From: cattalurdai
Date: Wed, 12 Jun 2024 10:29:53 -0300
Subject: [PATCH] vpn-sstp-configurator: add script
---
README.md | 1 +
doc/vpn-sstp-configurator.md | 34 ++++++++++
vpn-sstp-configurator.rsc | 125 +++++++++++++++++++++++++++++++++++
3 files changed, 160 insertions(+)
create mode 100644 doc/vpn-sstp-configurator.md
create mode 100644 vpn-sstp-configurator.rsc
diff --git a/README.md b/README.md
index b6e529d7..74d7adbb 100644
--- a/README.md
+++ b/README.md
@@ -251,6 +251,7 @@ Available scripts
 * [Install LTE firmware upgrade](doc/unattended-lte-firmware-upgrade.md)
 * [Update GRE configuration with dynamic addresses](doc/update-gre-address.md)
 * [Update tunnelbroker configuration](doc/update-tunnelbroker.md)
+* [Configure SSTP VPN with one command](doc/vpn-sstp-configurator.md)
 
 Available modules
 -----------------
diff --git a/doc/vpn-sstp-configurator.md b/doc/vpn-sstp-configurator.md
new file mode 100644
index 00000000..616ec922
--- /dev/null
+++ b/doc/vpn-sstp-configurator.md
@@ -0,0 +1,34 @@
+Send GPS position to server
+===========================
+
+[![GitHub stars](https://img.shields.io/github/stars/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=red)](https://github.com/eworm-de/routeros-scripts/stargazers)
+[![GitHub forks](https://img.shields.io/github/forks/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=green)](https://github.com/eworm-de/routeros-scripts/network)
+[![GitHub watchers](https://img.shields.io/github/watchers/eworm-de/routeros-scripts?logo=GitHub&style=flat&color=blue)](https://github.com/eworm-de/routeros-scripts/watchers)
+[![required RouterOS version](https://img.shields.io/badge/RouterOS-7.13-yellow?style=flat)](https://mikrotik.com/download/changelogs/)
+[![Telegram group @routeros_scripts](https://img.shields.io/badge/Telegram-%40routeros__scripts-%2326A5E4?logo=telegram&style=flat)](https://t.me/routeros_scripts)
+[![donate with PayPal](https://img.shields.io/badge/Like_it%3F-Donate!-orange?logo=githubsponsors&logoColor=orange&style=flat)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=A4ZXBD6YS2W8J)
+
+[⬅️ Go back to main README](../README.md)
+
+> ℹ️ **Info**: This script can not be used on its own but requires the base
+> installation. See [main README](../README.md) for details.
+
+Description
+-----------
+This script automates the configuration of SSTP (Secure Socket Tunneling Protocol) VPN on MikroTik RouterOS devices.
+SSTP VPN provides a secure encrypted connection for remote access to your network, making it ideal for remote workers or secure communication between branch offices.
+
+Usage
+-----------------------------
+
+To configure the SSTP VPN on your MikroTik device, simply copy and paste the following command into the Winbox terminal:
+
+```plaintext
+/tool fetch url="https://raw.githubusercontent.com/cattalurdai/MikroTik-SSTP-VPN-Configurator/main/configurator.rsc" mode=http dst-path=configurator.rsc; /import file-name=configurator.rsc;
+```
+
+You will then be prompted to enter the necessary network parameters, VPN login credentials, and certificate details to complete the configuration process.
+
+---
+[⬅️ Go back to main README](../README.md)
+[⬆️ Go back to top](#top)
diff --git a/vpn-sstp-configurator.rsc b/vpn-sstp-configurator.rsc
new file mode 100644
index 00000000..be170ff9
--- /dev/null
+++ b/vpn-sstp-configurator.rsc
@@ -0,0 +1,125 @@
+{
+:put ""
+:put "- Welcome to SSTP VPN CONFIGURATOR -"
+:put ""
+
+:local defaultRemoteNetwork "192.168.150.0/24";
+:put "Enter the network assigned to VPN clients (press enter to use default: $defaultRemoteNetwork): ";
+:local input1 do={:return};
+:local remoteNetwork [$input1];
+:if ([:len $remoteNetwork] = 0) do={
+ :set remoteNetwork $defaultRemoteNetwork;
+}
+
+:local defaultVpnPort "443";
+:put "Enter the VPN port (press enter to use default: $defaultVpnPort): ";
+:local input2 do={:return};
+:local vpnPort [$input2];
+:if ([:len $vpnPort] = 0) do={
+ :set vpnPort $defaultVpnPort;
+}
+
+:local vpnUsername;
+:while ([:typeof $vpnUsername] = "nothing" || [:len $vpnUsername] = 0) do={
+ :put "Enter the VPN username: ";
+ :local input3 do={:return};
+ :set vpnUsername [$input3];
+}
+
+:local vpnPassword;
+:while ([:typeof $vpnPassword] = "nothing" || [:len $vpnPassword] = 0) do={
+ :put "Enter the VPN password: ";
+ :local input4 do={:return};
+ :set vpnPassword [$input4];
+}
+
+:local country;
+:while ([:typeof $country] = "nothing" || [:len $country] = 0) do={
+ :put "Enter the country for SSL certificate (e.g., US): ";
+ :local input5 do={:return};
+ :set country [$input5];
+}
+
+:local state;
+:while ([:typeof $state] = "nothing" || [:len $state] = 0) do={
+ :put "Enter the state for SSL certificate (e.g., California): ";
+ :local input6 do={:return};
+ :set state [$input6];
+}
+
+:local locality;
+:while ([:typeof $locality] = "nothing" || [:len $locality] = 0) do={
+ :put "Enter the locality for SSL certificate (e.g., San Francisco): ";
+ :local input7 do={:return};
+ :set locality [$input7];
+}
+
+:local organization;
+:while ([:typeof $organization] = "nothing" || [:len $organization] = 0) do={
+ :put "Enter the organization for SSL certificate (e.g., Github): ";
+ :local input8 do={:return};
+ :set organization [$input8];
+}
+
+
+ #### SCRIPT ###
+ :put ""
+ :put "--- STARTING CONFIGURATOR ---"
+
+ # Enable DDNS
+ :if ( [/ip cloud 
get ddns-enabled] = true ) do={
+ :put "DDNS already enabled"
+ } else={
+ :put "DDNS is not enabled, enabling..."
+ /ip cloud set ddns-enabled=yes
+ # Wait for cloud to be enabled
+ :delay 10s
+ }
+
+ # Get Cloud Address
+ :local cloudAddress [/ip cloud get dns-name]
+ :put "Cloud DNS Name: $cloudAddress"
+
+ # CREATE SSL CERTIFICATE
+ /certificate
+ add name=VPN_CA common-name=$cloudAddress country=$country state=$state locality=$locality organization=$organization key-usage=key-cert-sign,crl-sign
+ sign VPN_CA
+ add name=VPN_SERVER common-name=$cloudAddress country=$country state=$state locality=$locality organization=$organization key-usage=digital-signature,key-encipherment,tls-server
+ sign VPN_SERVER ca=VPN_CA
+ :delay 10s
+ :put "SSL Certificates created successfully"
+
+ # CREATE IP POOL
+ :local ipBase [:pick $remoteNetwork 0 ([:find $remoteNetwork "/"] - 1)]
+ :local ipRange ($ipBase . "2-" . $ipBase . "254")
+ /ip pool add name=vpn-pool ranges=$ipRange
+ :put "VPN IP Pool created successfully"
+
+ # CREATE VPN PROFILE
+ /ppp profile add name=vpn-profile local-address=($ipBase . 
"1") remote-address=vpn-pool
+ :put "VPN Profile created successfully"
+
+ # ENABLE SSTP VPN
+ /interface sstp-server server set enabled=yes certificate=VPN_SERVER default-profile=vpn-profile tls-version=only-1.2
+ :put "SSTP VPN enabled successfully"
+
+ # CREATE VPN USER
+ /ppp secret add name=$vpnUsername password=$vpnPassword profile=vpn-profile
+ :put "VPN User created successfully"
+
+ # CREATE MASQUERADE RULE FOR VPN
+ /ip firewall nat add chain=srcnat action=masquerade src-address=$remoteNetwork
+ :put "Masquerade rule for VPN created successfully"
+
+ # CREATE FIREWALL FILTER INPUT RULE
+ /ip firewall filter add chain=input action=accept protocol=tcp dst-port=$vpnPort place-before=3
+
+ # EXPORT CLIENT CERTIFICATE
+ /certificate export-certificate VPN_CA
+
+ :put ""
+ :put "[SUCCESS] SSTP VPN CONFIGURED"
+ :put "The client certificate is waiting in the files section for you to download"
+ :put ""
+ :put "- github.com/cattalurdai -"
+}
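Review bot: The input accept rule added near the end of the hunk is placed by a blind index, `place-before=3`, so on any router whose input chain does not match the stock layout it can land after an existing drop (SSTP never becomes reachable) or ahead of rules the operator relies on, and it likely errors outright if fewer than three rules exist; anchor it on the rule it must precede instead, e.g. `place-before=([find chain=input action=drop]->0)` behind a check that such a rule exists, and tag it with `comment="sstp-vpn"` so the opening is auditable and removable. The pool is derived from `remoteNetwork` by cutting one character before the `/`, which only yields a sensible range for a /24 whose host part is `.0`; inputs such as `10.0.0.0/8` or `192.168.1.128/25` produce a nonsensical `ipRange`, so validate the input against that shape or state the /24 assumption in the prompt. Both certificates are created without `days-valid`, so they presumably get the RouterOS default validity and the tunnel stops trusting itself when `VPN_CA` expires with no renewal in place; set an explicit `days-valid` and mention the expiry in the success message. `cloudAddress` is read 10 s after enabling DDNS and used unchecked as the common name; if registration has not completed it is empty and the certificate step fails, so guard it with `:if ([:len $cloudAddress] = 0) do={ :error "DDNS name not available yet" }` before continuing.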