Hi Group
Sorry if this has been asked before but I need to know the best practices for allowing OpenVPN Clients access to the local LAN. The documentation for setting this up appears very scant.
I'm setting up a separate routed connection as follows (certs already generated):
/ip pool add name="openvpn-pool" ranges=172.30.253.10-172.30.253.249
/ip dhcp-server network add address=172.30.253.0/24 comment=OpenVPN gateway=172.30.253.1 netmask=24
/ppp profile add name=openvpn-profile local-address=172.30.253.1 remote-address=openvpn-pool use-compression=no only-one=yes use-encryption=required
/ppp secret add name=<user> profile=openvpn-profile password=<password> service=ovpn
/interface ovpn-server server set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=openvpn-profile enabled=yes require-client-certificate=yes
/ip firewall filter add chain=input protocol=tcp dst-port=1194 action=accept comment="Allow OpenVPN"
I could set up a forward rule based on the source IP address range (172.30.253.10-172.30.253.249), but I'm thinking a better idea is to manually assign an OpenVPN binding interface for each user and then set it up in an interface list which can be used in the firewall. E.g.:
/interface ovpn-server add name=ovpn-<user> user=<user>
/interface list add name=VPN
/interface list member add interface=ovpn-<user> list=VPN
/ip firewall filter add action=accept chain=forward comment="Forward VPN Traffic to LAN" in-interface-list=VPN out-interface-list=LAN
Does this seem reasonable?
Thanks, Mike
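As an added example (not part of Mike's post or any RouterOS default), the interface-list approach carried through to a complete forward chain with an explicit drop, so that a VPN client can reach only the LAN and nothing else; the bridge name bridge-lan, the account name alice and the LAN subnet 192.168.88.0/24 are assumed.

```routeros
# Assumed: LAN sits behind "bridge-lan" (192.168.88.0/24); "alice" already exists in /ppp secret
/interface list add name=LAN
/interface list add name=VPN
/interface list member add interface=bridge-lan list=LAN

# One static binding per account, so the tunnel interface name is tied to the authenticated user
# rather than to whatever address the client happened to draw from the pool
/interface ovpn-server add name=ovpn-alice user=alice
/interface list member add interface=ovpn-alice list=VPN

# Forward chain: replies first, then VPN->LAN only, then drop anything else arriving from the VPN
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="Accept established/related"
/ip firewall filter add chain=forward action=accept in-interface-list=VPN out-interface-list=LAN comment="Allow VPN clients to LAN"
/ip firewall filter add chain=forward action=drop in-interface-list=VPN comment="Drop VPN to anywhere else (e.g. WAN)"
```

An account without a static binding comes up as a dynamic interface that is not a member of VPN, so it matches none of these rules; check with /interface ovpn-server print and /ip firewall filter print stats that the counters on the accept and drop rules move when that user connects.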