Phone home VPN (MSP Management)

So I am currently working for an MSP that uses MikroTik at a lot of our voice or internet-only clients. We currently have a few deployed MikroTiks that are behind a NAT (roughly 50). We probably have a good 200 others that are public facing. Since we need a tunnel to manage the 50, I am trying to find a solution to set up a “phone home” VPN for management only of all the routers so there is a standard. I currently have an SSTP VPN set up on all the ones that are not remotely accessible, but I was hoping to find something that I could make a standard across all sites, quickly and efficiently. My other problem is that making them unique will take quite a bit of time (250+ VPNs). Anyone have any experience with this? Do other people have a use case where, if I started working on public code, they could contribute or utilize it?

Use WireGuard S2S VPN. All client nodes are stub sides and can have anything (CGNAT, dynamic public IP, etc.).

Your hub site (MikroTik VPN server / concentrator) is the only one that needs to have a public IP (either static, or dynamic using DDNS) that your remote clients will use as the concentrator’s destination address.

You can apply this concept to any VPN, but SSTP uses only TCP and will either not perform well or will run into problems (google “VPN TCP meltdown”).

I use WireGuard for my remotely managed endpoints and it works like a charm.
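Added example, not code from the thread or from MikroTik: a generator for the hub-and-spoke WireGuard layout described above, aimed at the OP's "250+ unique VPNs" problem. It derives a unique key pair per router with a small pure-Python X25519 (RFC 7748, the curve WireGuard uses), hands out one /32 per spoke from an assumed management subnet, and emits one RouterOS v7 script per router. The interface name `wg-mgmt`, port 13231, the subnet `10.255.0.0/24`, the hostname `hub.example.com` and the site names are all assumptions. The security-relevant details it encodes: the hub's `allowed-address` for each peer is only that spoke's /32 (cryptokey routing, so a spoke cannot spoof another site), the spoke's `allowed-address` is only the management subnet (so the tunnel never becomes a default route), `persistent-keepalive=25s` keeps the NAT/CGNAT mapping open for spokes that cannot be reached inbound, and the spoke only accepts management traffic arriving on the tunnel interface.

```python
"""Per-site WireGuard management VPN generator for MikroTik RouterOS v7.

Added example; not from the thread. Interface name, port, subnet, hostname and
site names are assumptions. Output scripts contain private keys: treat as secrets.
"""
import base64
import ipaddress
import os

# ---- X25519 scalar multiplication (RFC 7748 Montgomery ladder) ----------------
_P = 2**255 - 19
_A24 = 121665


def _clamp(k: bytes) -> bytearray:
    """Clamp a 32-byte private scalar exactly as `wg genkey` / RFC 7748 do."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return k


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Return X25519(scalar, u) as 32 little-endian bytes."""
    k = int.from_bytes(_clamp(scalar), "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)  # drop the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def wg_keypair(private: bytes = b"") -> tuple:
    """Return (private, public) as the base64 strings RouterOS expects."""
    priv = bytes(_clamp(private or os.urandom(32)))
    pub = x25519(priv, (9).to_bytes(32, "little"))  # base point u = 9
    return base64.b64encode(priv).decode(), base64.b64encode(pub).decode()


# ---- Config generation (names/values below are assumptions) -------------------
WG_IF = "wg-mgmt"
HUB_PORT = 13231


def build_configs(hub_endpoint: str, mgmt_net: str, sites: list) -> dict:
    """Return {'hub': <RouterOS script>, '<site>': <RouterOS script>, ...}."""
    net = ipaddress.ip_network(mgmt_net)
    hosts = net.hosts()
    hub_ip = next(hosts)
    hub_priv, hub_pub = wg_keypair()
    hub = [
        f'/interface/wireguard add name={WG_IF} listen-port={HUB_PORT} private-key="{hub_priv}"',
        f"/ip/address add address={hub_ip}/{net.prefixlen} interface={WG_IF}",
        f'/ip/firewall/filter add chain=input protocol=udp dst-port={HUB_PORT} action=accept comment="wg handshakes"',
    ]
    out = {}
    for site in sites:
        site_ip = next(hosts, None)
        if site_ip is None:
            raise ValueError(f"{mgmt_net} has no free /32 for site {site}")
        priv, pub = wg_keypair()
        # Hub side: this peer may only source its own /32 (cryptokey routing).
        hub.append(
            f'/interface/wireguard/peers add interface={WG_IF} public-key="{pub}" '
            f'allowed-address={site_ip}/32 comment="{site}"'
        )
        out[site] = "\n".join([
            f'/interface/wireguard add name={WG_IF} private-key="{priv}"',
            f"/ip/address add address={site_ip}/{net.prefixlen} interface={WG_IF}",
            # Spoke side: the hub is the only peer, only the mgmt subnet is routed
            # into the tunnel, and keepalive holds the NAT/CGNAT mapping open.
            f'/interface/wireguard/peers add interface={WG_IF} public-key="{hub_pub}" '
            f"endpoint-address={hub_endpoint} endpoint-port={HUB_PORT} "
            f"allowed-address={net} persistent-keepalive=25s",
            # Management is reachable only via the tunnel, from the hub's subnet.
            f'/ip/firewall/filter add chain=input in-interface={WG_IF} src-address={net} action=accept comment="mgmt via wg"',
        ])
    out["hub"] = "\n".join(hub)
    return out


if __name__ == "__main__":
    cfgs = build_configs("hub.example.com", "10.255.0.0/24", ["site-001", "site-002"])
    for name, script in cfgs.items():
        print(f"# ---- {name} ----\n{script}\n")
```

Two caveats when pasting the output: the spoke's `input` accept rule must sit above the default "drop all not from LAN" rule, and the spoke scripts are only usable if the hub script (which carries every spoke's public key) is applied as well. Keep the generated private keys out of ticketing systems and chat; each one is the sole credential for that site's management tunnel.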

Have you checked the built-in Back To Home feature?

OP, based on what kstein said, you can build pretty much anything on that, from phone service to VXLANs (like me).