kubco2
newbie
Topic Author
Posts: 42
Joined: Tue Mar 05, 2013 11:57 pm

clients in Mikrotik cannot access Debian OpenVPN Server

Thu Mar 21, 2013 2:56 pm

Hello,

I have a problem with OVPN settings or firewall settings.
The problem is that I cannot connect/traceroute/ping from the LAN network on Mikrotik_ovpn_client to Debian_ovpn_server.
/tool sniffer packet shows that packets were sent from 192.168.88.1 to 172.19.18.1,
but "tcpdump -v -n -i tun0" on the server side doesn't show any packets (except discovery packets),
and I can see them in "tcpdump -v -n -i tun0" if I ping from 172.19.18.14 -> 172.19.18.1.


I can traceroute Mikrotik_ovpn_client -> Debian_ovpn_server:
[admin@MikroTik] > /tool traceroute 172.19.18.1
 # ADDRESS                                 RT1   RT2   RT3   STATUS              
 1 172.19.18.1                             13ms  13ms  12ms   
But I cannot traceroute from the LAN network on Mikrotik_ovpn_client -> Debian_ovpn_server:
[admin@MikroTik] > /tool traceroute 172.19.18.1 src=192.168.88.1
 # ADDRESS                                 RT1   RT2   RT3   STATUS              
 1 0.0.0.0                                 0ms   0ms   0ms                       
I can ping the local OVPN IP on Mikrotik_ovpn_client:
[admin@MikroTik] > /tool traceroute 172.19.18.14 src=192.168.88.1     
 # ADDRESS                                 RT1   RT2   RT3   STATUS              
 1 172.19.18.14                            5ms   4ms   5ms                

Mikrotik_Client routes:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.151.0.1                2
 1 ADC  10.151.0.0/22      10.151.0.115    ether1-gateway_1          0
 2 ADC  172.19.18.1/32     172.19.18.14    ovpn-out1                 0
 3 ADC  192.168.88.0/24    192.168.88.1    bridge-local              0
Mikrotik_Client firewall:
 
 0   chain=forward action=accept in-interface=ovpn-out1 out-interface=bridge-local 
 1   chain=forward action=accept in-interface=bridge-local out-interface=ovpn-out1 
 2   chain=input action=accept protocol=icmp in-interface=ovpn-out1 
 3   ;;; default configuration
     chain=input action=accept protocol=icmp 
 4   ;;; default configuration
     chain=input action=accept connection-state=established in-interface=ether1-gateway_1 
 5   ;;; default configuration
     chain=input action=accept connection-state=related in-interface=ether1-gateway_1 
 6   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway_1 
 0   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway_1 
Debian (OVPN server) routes:
ip route show
172.19.18.2 dev tun0  proto kernel  scope link  src 172.19.18.1 
172.18.19.0/24 dev eth0  proto kernel  scope link  src 172.18.19.222 
172.19.18.0/24 via 172.19.18.2 dev tun0 
default via 172.18.19.11 dev eth0 
Debian (OVPN server) firewall:
iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh 
-A FORWARD -i tun0 -o eth0 -j ACCEPT 
-A FORWARD -i tun0 -o tun0 -j ACCEPT 
-A FORWARD -i eth0 -o tun0 -j ACCEPT 
-A fail2ban-ssh -j RETURN 
SOLUTION:
1.
With no extra routes and firewall rules you can ping only inside the OVPN network: client (172.19.18.14) <-> ovpn server (172.19.18.1).
With this additional setting in the OVPN server config (Debian server /etc/openvpn/Server.conf):
client-to-client
you can now ping the whole OVPN network from inside.
2.
With this additional setting in the OVPN server config (Debian server /etc/openvpn/Server.conf):
route 192.168.88.0/24 255.255.255.0
and this ccd setting for the client (Debian server /etc/openvpn/servers/Server/ccd/client):
iroute 192.168.88.0 255.255.255.0
Both route and iroute are necessary. This was my main mistake: I tried one, and then the other, without the first.
And no extra firewall rules are needed (if you drop all packets on the server firewall (or on the MikroTik client firewall), you probably need to allow forwarding between the networks before the drop rule; I can't test it because I am doing this remotely).
Now it is possible to ping from the client network 192.168.88.0/24 -> 172.19.18.1 and vice versa.
3.
If the OVPN server is connected to another LAN (gateway 172.18.19.11), e.g. as an OVPN box with IP 172.18.19.222, you can add to the OVPN server config (Debian server /etc/openvpn/Server.conf):
push "route 172.18.19.0/24 255.255.255.0"
Set routes on the gateway 172.18.19.11:
ip route add 172.19.18.0/24 via 172.18.19.222
ip route add 192.168.88.0/24 via 172.18.19.222
Now you can access from the ovpn_client LAN network 192.168.88.0/24 -> 172.18.19.0/24 and vice versa.
Remember to allow forwarding on the server if you are dropping packets.

Now all clients on all networks can ping each other.

Final config on ovpn_server:
/etc/openvpn/Server.conf:
port 1194
proto tcp-server
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.19.18.0 255.255.255.0
crl-verify crl.pem
ifconfig-pool-persist servers/Server/logs/ipp.txt
cipher AES-256-CBC
user nobody
group nogroup
status servers/Server/logs/openvpn-status.log
log-append servers/Server/logs/openvpn.log
verb 2
mute 0
max-clients 100
management 127.0.0.1 10001
keepalive 10 120
client-config-dir /etc/openvpn/servers/Server/ccd
client-to-client
persist-key
persist-tun
ccd-exclusive
route 192.168.88.0/24 255.255.255.0 ## this will link with the iroute in the client's ccd file when the client is up
push "route 172.18.19.0 255.255.255.0"
/etc/openvpn/servers/Server/ccd/client:
ifconfig-push 172.19.18.14 172.19.18.1 ## for a static client IP
iroute 192.168.88.0 255.255.255.0 ## this will add a route to the client's LAN on the Debian server
ovpn_server routes:
172.19.18.2 dev tun0  proto kernel  scope link  src 172.19.18.1 
172.18.19.0/24 dev eth0  proto kernel  scope link  src 172.18.19.222 
172.19.18.0/24 via 172.19.18.2 dev tun0 
192.168.88.0/24 via 172.19.18.2 dev tun0 
default via 172.18.19.11 dev eth0 
MikroTik gateway of the network to which ovpn_server is connected:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 1 ADC 172.18.19.0/24     172.18.19.11    bridge1                   0
 2 A S  172.19.18.0/24                     172.18.19.222             1
 4 A S  192.168.88.0/24                    172.18.19.222             1

Some info about my system.
Mikrotik ovpn_client:
LAN addresses:
192.168.88.0/24
OVPN address:
172.19.18.14
/interface ovpn-client print
0 R name="ovpn-out1" mac-address=xyz max-mtu=1500
connect-to=serverIP port=1194 mode=ip user=client
password="" profile=default-encryption certificate=cert1 auth=sha1
cipher=aes256 add-default-route=no
****
Debian ovpn_server:
LAN:
172.18.19.222/24
OVPN_LAN:
172.19.18.1/24
Last edited by kubco2 on Fri May 03, 2013 7:38 pm, edited 6 times in total.
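The route/iroute pairing in step 2 (and in the final Server.conf above) is the part that is easy to get half right: the server only installs a kernel route for the client LAN when server.conf has a `route` for it, and only steers that traffic to the right client when that client's ccd file has a matching `iroute`. The following is an added example, not code from the thread or from OpenVPN: a POSIX shell script that parses a server.conf and its client-config-dir and reports every `iroute` with no matching server-side `route`. It assumes contiguous netmasks, the `route NET MASK`, `route NET/PFX [MASK]` and `iroute NET MASK` forms, and strips `#`/`;` comments before parsing; the server.conf and ccd/client files it writes are constructed fixtures modelled on the thread's configuration, not the real files.

```shell
#!/bin/sh
# Added example (not from the forum post): cross-check OpenVPN "route" lines in
# server.conf against "iroute" lines in the client-config-dir (ccd). An iroute
# without a matching server-side route is the mistake described in the thread:
# OpenVPN then never installs a kernel route for the client's LAN.
# Assumptions: contiguous netmasks; "route NET MASK", "route NET/PFX [MASK]" and
# "iroute NET MASK" forms; "#"/";" comments are stripped before parsing.

# Convert a dotted netmask to a prefix length: 255.255.255.0 -> 24
mask2pfx() {
    pfx=0
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad mask" >&2; return 1; }
    for o in "$@"; do
        case $o in
            255) pfx=$((pfx + 8)) ;; 254) pfx=$((pfx + 7)) ;;
            252) pfx=$((pfx + 6)) ;; 248) pfx=$((pfx + 5)) ;;
            240) pfx=$((pfx + 4)) ;; 224) pfx=$((pfx + 3)) ;;
            192) pfx=$((pfx + 2)) ;; 128) pfx=$((pfx + 1)) ;;
            0) ;;
            *) echo "bad mask octet: $o" >&2; return 1 ;;
        esac
    done
    echo "$pfx"
}

# Normalise "NET MASK" or "NET/PFX [MASK]" to NET/PFX so both spellings compare equal
norm_net() {
    case $1 in
        */*) echo "$1" ;;
        *)  [ -n "${2:-}" ] || { echo "no netmask for $1" >&2; return 1; }
            p=$(mask2pfx "$2") || return 1
            echo "$1/$p" ;;
    esac
}

# Print NET/PFX for every line of $1 whose first word is the directive $2
# (comments stripped; "push \"route ...\"" lines are not matched, as intended)
list_nets() {
    sed 's/[#;].*$//' "$1" | awk -v d="$2" '$1 == d { print $2, $3 }' |
    while read -r net mask; do norm_net "$net" "$mask"; done
}

# For each ccd file, report iroutes with no matching server "route".
# Prints "MISSING <client> <net/pfx>" per finding; returns 1 if any were found.
check_iroutes() {   # $1 = server.conf   $2 = ccd directory
    srv_routes=$(list_nets "$1" route)
    found=''
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        client=${f##*/}
        for net in $(list_nets "$f" iroute); do
            if ! printf '%s\n' "$srv_routes" | grep -qxF -- "$net"; then
                printf 'MISSING %s %s\n' "$client" "$net"
                found=1
            fi
        done
    done
    [ -z "$found" ]
}

# Constructed fixture modelled on the thread's configs (hypothetical paths).
# $2=yes writes the fixed server.conf, $2=no leaves out the "route" line.
write_fixture() {
    mkdir -p "$1/ccd"
    {
        echo 'server 172.19.18.0 255.255.255.0'
        echo 'client-config-dir ccd'
        echo 'client-to-client'
        [ "$2" = yes ] && echo 'route 192.168.88.0/24 255.255.255.0 ## links with iroute'
        echo 'push "route 172.18.19.0 255.255.255.0"'
    } > "$1/server.conf"
    printf 'ifconfig-push 172.19.18.14 172.19.18.1\niroute 192.168.88.0 255.255.255.0\n' \
        > "$1/ccd/client"
}

# Demo: the broken layout (iroute only) versus the fixed one (route + iroute)
tmp=$(mktemp -d)
write_fixture "$tmp/broken" no
write_fixture "$tmp/fixed" yes
echo "broken config (iroute but no route):"
check_iroutes "$tmp/broken/server.conf" "$tmp/broken/ccd" || true
echo "fixed config:"
check_iroutes "$tmp/fixed/server.conf" "$tmp/fixed/ccd" && echo "every iroute has a matching route"
rm -rf "$tmp"
```

Run it on a live box as `check_iroutes /etc/openvpn/Server.conf /etc/openvpn/servers/Server/ccd` after sourcing the functions; a non-zero exit is the "route in one place, iroute in the other" condition from step 2, and the missing network is printed so it can be added to server.conf.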
 
kubco2
newbie
Topic Author
Posts: 42
Joined: Tue Mar 05, 2013 11:57 pm

Re: clients in Mikrotik cannot access Debian OpenVPN Server

Thu Mar 21, 2013 5:35 pm

please
 
kubco2
newbie
Topic Author
Posts: 42
Joined: Tue Mar 05, 2013 11:57 pm

Re: clients in Mikrotik cannot access Debian OpenVPN Server

Fri Mar 22, 2013 3:12 am

 
giobulia
Frequent Visitor
Posts: 52
Joined: Thu Jun 23, 2011 4:30 pm

Re: clients in Mikrotik cannot access Debian OpenVPN Server

Mon Sep 02, 2013 8:01 pm

Hello,

I can't connect an OpenVPN server (CentOS) to MikroTik, can you help me?

Thank you