Good morning everyone.
I have set up a Mikrotik with a VPN server.
Everything works fine.
I would like to be able to access one of these VPN clients from my Mikrotik LAN.
Example:
Mikrotik VPN server
IP address 10.10.10.1
Client with Windows Server 10.10.10.2
Mikrotik LAN 192.168.1.0/24
I would like to be able to access the connected client from my LAN 192.168.1.0/24. From the terminal I can ping it correctly.
But with my PC connected in the LAN I can't reach it.
Is it possible to do it? Should I set up a masquerade?
Thanks for your answers.
The problem is the client receives traffic with a source address in the 192.168.1.0/24 range, and tries to reply to it directly; depending on the scenario, this is what may happen:
- Attempts to reply via its local LAN, if it happens to be 192.168.1.0/24 also (pretty common): packets lost.
- If the client's local network is on a different local range (e.g. 192.168.2.0/24), the client will use its default gateway, its local LAN router, which will attempt to reply via its default route: the internet: packets lost.
So you need to either:
- Fix the routing, "telling" the remote client how to reach the 192.168.1.0/24 LAN: via the 10.10.10.1 side of the VPN tunnel...
or
- Masquerade all traffic coming from 192.168.1.0/24 traversing the VPN router to the remote client as if it originated on the VPN router itself, i.e. 10.10.10.1.
Up to you to decide what fits you better:
1.- Adding routes to clients on remote "simple" VPN protocols is either not supported, or not trivial to implement; and those VPN protocols (on ROS 6.x) that support it (split tunnel) ain't trivial to set up or deploy on clients (certificates, etc.) or require multiple configs depending on the client OS.
2.- Masquerading is way easier to implement, but then your remote clients will think all traffic is coming from the same IP, which may not be desirable for firewalling, logging, etc.
There's a third option, which may or may not be desirable in your scenario, that suits smaller, "flat" address LANs fine: on the VPN router, instead of using a different range for VPN connections, assign them IPs from the same local LAN pool; then go to Bridge, and set the LAN bridge ARP setting to proxy-arp: instead of resorting to routing or masquerading, the router will forward (proxy) the ARP queries from VPN clients to LAN clients and vice versa.
There's a requirement though... stay away from 192.168.1.0/24 on the VPN router LAN, as that's usually the default LAN range on most routers; this won't work if the LANs at both sides use the same range.
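As an added example (not from the original thread, and not the poster's own config), here are the RouterOS commands for the second option (masquerade) and the third option (proxy-arp). The bridge name "bridge", the pool name "vpn-pool", the 10.10.10.0/24 VPN range and the 192.168.10.0/24 LAN are assumptions, not values from the thread.

```routeros
# Option 2: masquerade LAN -> VPN-client traffic so the client sees
# 10.10.10.1 as the source and replies back through the tunnel.
# The rule is scoped to the VPN client range (assumed 10.10.10.0/24) so
# it does not touch any other NAT rule; remember the client's firewall
# and logs will now attribute every LAN host to 10.10.10.1.
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 dst-address=10.10.10.0/24 \
    action=masquerade comment="LAN -> VPN clients, reply via 10.10.10.1"
# Check the counters go up while pinging the client from a LAN PC:
/ip firewall nat print stats where comment~"VPN clients"

# Option 3: hand VPN clients addresses from the LAN pool and let the
# bridge proxy ARP between LAN hosts and VPN clients.
# Assumptions: LAN is 192.168.10.0/24 (NOT 192.168.1.0/24, per the caveat
# above), the bridge is named "bridge", and the PPP profile is "default".
/ip pool
add name=vpn-pool ranges=192.168.10.200-192.168.10.220
/ppp profile
set default local-address=192.168.10.1 remote-address=vpn-pool
/interface bridge
set bridge arp=proxy-arp
# With proxy-arp, entries for connected VPN clients show up here:
/ip arp print where interface=bridge
```

Apply only one of the two options; with option 3 no masquerade rule is needed because the VPN clients are already on the LAN subnet.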