Can establish VPN connection but no connectivity to local lan and wan

Hi,

I’ve enabled OpenVPN on my Mikrotik. I have two users that need to connect using VPN. My problem is that even though I manage to establish a connection, traffic to the local LAN as well as any attempt to access internet resources fails.

My setup is the following:

Network: 192.168.16.0/24
DHCP Server range: 192.168.16.20-192.168.16.99
Gateway: 192.168.16.1

OpenVPN Client #1: 192.168.16.240 / Local Address: 192.168.16.1
OpenVPN Client #2: 192.168.16.241 / Local Address: 192.168.16.1

My Mikrotik config and OpenVPN config below. I would only like traffic to the local network to be routed to OpenVPN.

I have tried the OpenVPN config both with redirect-gateway def1 commented out and not, with identical results.

Thank you in anticipation.

# jan/15/2021 21:37:54 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ]
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=wlan1-admin \
    security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=GUEST-AP
add mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=wlan2-admin \
    security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
    ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
add address=192.168.89.1/24 comment="OpenVPN Network" interface=SOHO_VLAN \
    network=192.168.89.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
    gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
    gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN from WAN" dst-port=1194 \
    protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment=SFTP disabled=yes dst-address=\
    192.168.16.5 dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=Plex disabled=yes dst-address=\
    192.168.16.8 dst-port=32400 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
    chri remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=conn remote-address=192.168.16.241 \
    service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

OpenVPN config

client
dev tun
proto tcp
remote xxx.yyy.zzz.180
port 1194
nobind
persist-key
persist-tun

tls-client

remote-cert-tls server

resolv-retry infinite

cipher AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
redirect-gateway def1

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 10

<ca>
-----BEGIN CERTIFICATE-----
MIIDO
IktACH3Q==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIID
EODurq
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFH
ee3A==
-----END ENCRYPTED PRIVATE KEY-----
</key>

I didn’t study it in detail, but one obvious problem: if you’re giving addresses from the LAN subnet to VPN clients, you need to enable proxy ARP for the interface which has this subnet.

Thank you for the pointer. I read through the document https://wiki.mikrotik.com/wiki/Manual:IP/ARP.

Will local-proxy-arp on BR1 be sufficient to allow openvpn clients to see one another?

Thanks

Corrections:

  • proxy-arp, not local-proxy-arp
  • on SOHO_VLAN, not on BR1

It’s only for communication with devices on SOHO_VLAN. Communication between OpenVPN clients doesn’t need it. Only currently it’s blocked by the firewall. You can either add a static interface for each client and use that for rules, or this for unlimited access:

/ip firewall filter
add chain=forward in-interface=all-ppp out-interface=all-ppp action=accept

Hello @Sob - I appreciate your help and these topics are above me.

I added the entry you mentioned but still could not communicate (I tried an RD session and a UNC path). Admittedly I am not sure how to code the proxy-arp and so I didn’t enter it. I tried making sense of https://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP but could not figure out how ether2 comes into play when it is not shown in the diagram of the two networks.

I am updating my Mikrotik config and the OpenVPN config as they stand:

# jan/16/2021 23:00:00 by RouterOS 6.48
# software id = 0E9A-7W1F
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 665805B580DC
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connected to ISP"
set [ find default-name=ether2 ] comment="Connected to Cisco AP"
set [ find default-name=ether3 ] comment="Connected to LAN Switch"
set [ find default-name=ether4 ]
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=malta disabled=no frequency=2442 mode=ap-bridge ssid=SOHO-AP
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-eCee country=malta disabled=no frequency=5260 mode=ap-bridge \
    ssid=SOHO-AP
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=GUEST_VLAN vlan-id=20
add interface=BR1 name=SOHO_VLAN vlan-id=10
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Base \
    supplicant-identity=MikroTik
/interface wireless
add mac-address=E6:8D:8C:D6:E4:5F master-interface=wlan1 name=wlan1-admin \
    security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5E master-interface=wlan1 name=\
    wlan1-guest security-profile=guest ssid=GUEST-AP
add mac-address=E6:8D:8C:D6:E4:60 master-interface=wlan2 name=wlan2-admin \
    security-profile=Base ssid=BASE
add disabled=no mac-address=E6:8D:8C:D6:E4:5D master-interface=wlan2 name=\
    wlan2-guest security-profile=guest ssid=GUEST-AP
/ip pool
add name=SOHO_POOL ranges=192.168.16.20-192.168.16.99
add name=GUEST_POOL ranges=10.0.20.2-10.0.20.254
/ip dhcp-server
add address-pool=SOHO_POOL disabled=no interface=SOHO_VLAN name=SOHO_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
/ppp profile
set *0 use-upnp=no
set *FFFFFFFE use-upnp=no
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1-guest pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2-guest pvid=20
add bridge=BR1 interface=wlan1-admin pvid=99
add bridge=BR1 interface=wlan2-admin pvid=99
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,ether4,wlan1,wlan2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-guest,wlan2-guest vlan-ids=20
add bridge=BR1 tagged=BR1,ether2 untagged=wlan1-admin,wlan2-admin vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=SOHO_VLAN list=VLAN
add interface=GUEST_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes \
    require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=xxx.yyy.zzz.180/27 comment="Fixed IP provided by ISP" interface=\
    ether1 network=xxx.yyy.zzz.160
add address=192.168.16.1/24 interface=SOHO_VLAN network=192.168.16.0
add address=10.0.20.1/24 interface=GUEST_VLAN network=10.0.20.0
/ip dhcp-server network
add address=10.0.20.0/24 comment="Guest Subnet" dns-server=192.168.0.1 \
    gateway=10.0.20.1
add address=192.168.16.0/24 comment="SOHO Subnet" dns-server=192.168.0.1 \
    gateway=192.168.16.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow OpenVPN from WAN" dst-port=1194 \
    protocol=tcp
add chain=input comment="Allow all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "Allow Establised and Related Connections" connection-state=\
    established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment=\
    "Source: https://forum.mikrotik.com/viewtopic.php\?f=2&t=171682" \
    in-interface=all-ppp out-interface=all-ppp
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=\
    192.168.16.0/24 src-address=192.168.16.0/24
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment=HTTP dst-address=xxx.yyy.zzz.180 \
    dst-port=80 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=HTTPS dst-address=xxx.yyy.zzz.180 \
    dst-port=443 protocol=tcp to-addresses=192.168.16.4
add action=dst-nat chain=dstnat comment=SFTP dst-address=xxx.yyy.zzz.180 \
    dst-port=5552 protocol=tcp to-addresses=192.168.16.5 to-ports=22
add action=dst-nat chain=dstnat comment=Plex dst-address=xxx.yyy.zzz.180 \
    dst-port=52400 protocol=tcp to-addresses=192.168.16.8 to-ports=32400
add action=dst-nat chain=dstnat comment=BlueIris dst-address=xxx.yyy.zzz.180 \
    dst-port=8080 protocol=tcp to-addresses=192.168.16.5 to-ports=8080
/ip route
add comment="ISP gateway" distance=1 gateway=xxx.yyy.zzz.161
/ip service
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add comment="IP Address Assigned to user" local-address=192.168.16.1 name=\
    chribonn remote-address=192.168.16.240 service=ovpn
add local-address=192.168.16.1 name=connie remote-address=192.168.16.241 \
    service=ovpn
/system clock
set time-zone-name=Europe/Malta
/system identity
set name=RouterSwitchAP
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
client
dev tun
proto tcp
remote xxx.yyy.zzz.180
port 1194
nobind
persist-key
persist-tun

tls-client

remote-cert-tls server

resolv-retry infinite

cipher AES-256-CBC
auth SHA1
auth-user-pass
auth-nocache
#redirect-gateway def1

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 10

<ca>
-----BEGIN CERTIFICATE-----
MIID
ACH3Q==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII
urq
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF
e3A==
-----END ENCRYPTED PRIVATE KEY-----
</key>

ARP is used to get a device’s MAC address (hardware address) for a given IP address, because packets in the same subnet are actually sent to the hardware address of the target device. When you have a subnet, in your case 192.168.16.0/24, devices connected to it expect that other devices with IP addresses from this subnet are directly reachable, i.e. connected to e.g. the same transparent switch, and not behind a router.

But it’s not true for your 192.168.16.240, which is given to a VPN client. So when another 192.168.16.x device sends an ARP request for 192.168.16.240, nothing responds, because ARP doesn’t pass through a router. That’s why you need proxy ARP. If you enable it on the interface with the 192.168.16.0/24 subnet, which is SOHO_VLAN, and the router knows that 192.168.16.240 is elsewhere, it will respond with its own MAC address. The requesting device won’t know the difference, so it will send packets to the router, and it will route them to the VPN client.

Simple, right? I assume you use WebFig or WinBox, so find SOHO_VLAN in interfaces and change its ARP option from default “enabled” to “proxy-arp”.

And yes, I missed that before, you’ll need a few more firewall rules, because now the communication is blocked. What exactly depends on your needs. For example, this will allow access from VPN clients to SOHO_VLAN:

/ip firewall filter
add chain=forward in-interface=all-ppp out-interface=SOHO_VLAN action=accept

This would allow access to all VLANs:

/ip firewall filter
add chain=forward in-interface=all-ppp out-interface-list=VLAN action=accept

This will allow devices in SOHO_VLAN to connect to VPN clients:

/ip firewall filter
add chain=forward in-interface=SOHO_VLAN out-interface=all-ppp action=accept
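
The two mechanisms explained above, proxy ARP answering for an address that lives behind the router and the first-match forward chain deciding what gets through, can be checked on paper with a small model. The following is an added example written for this page; it is not code from the thread, from the poster's router or from MikroTik. The per-client interface names `ovpn-in1`/`ovpn-in2`, the router MAC and the route table are constructed to mirror the posted export; the rule list reproduces the forward chain from the export (the `connection-nat-state=dstnat` rule is left out because it needs NAT state) with Sob's three suggested rules inserted before the final drop.

```python
"""Model of proxy ARP and of RouterOS forward-chain evaluation (added example,
not from the forum thread). Interface/route/MAC values are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Dict, List, Tuple

# --- Part 1: does the router answer an ARP request it sees on SOHO_VLAN? -----

@dataclass
class Iface:
    name: str
    address: Optional[str] = None   # e.g. "192.168.16.1/24"
    arp: str = "enabled"            # RouterOS modes used here: enabled, proxy-arp

ROUTER_MAC = "aa:bb:cc:00:00:01"    # constructed

# Constructed routing table: prefix -> outgoing interface. RouterOS installs a
# /32 for each connected VPN client via its dynamic ovpn interface.
ROUTES: Dict[str, str] = {
    "0.0.0.0/0": "ether1",
    "192.168.0.0/24": "BASE_VLAN",
    "192.168.16.0/24": "SOHO_VLAN",
    "10.0.20.0/24": "GUEST_VLAN",
    "192.168.16.240/32": "ovpn-in1",
    "192.168.16.241/32": "ovpn-in2",
}

def arp_reply(request_iface: Iface, target_ip: str,
              routes: Dict[str, str] = ROUTES) -> Optional[str]:
    """MAC the router answers with, or None if it stays silent.

    Own address is always answered. With proxy-arp the router also answers
    when its longest-prefix route to the target leaves via a *different*
    interface than the one the request arrived on (Linux-style proxy ARP).
    """
    target = ipaddress.ip_address(target_ip)
    if request_iface.address and target == ipaddress.ip_interface(request_iface.address).ip:
        return ROUTER_MAC
    if request_iface.arp != "proxy-arp":
        return None
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, out_iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_iface)
    if best is not None and best[1] != request_iface.name:
        return ROUTER_MAC
    return None

# --- Part 2: first-match evaluation of the forward chain ----------------------

INTERFACE_LISTS = {"WAN": {"ether1"}, "VLAN": {"BASE_VLAN", "SOHO_VLAN", "GUEST_VLAN"}}
PPP_IFACES = {"ovpn-in1", "ovpn-in2"}   # what the all-ppp matcher expands to

@dataclass
class Rule:
    chain: str
    action: str = "accept"
    in_iface: Optional[str] = None      # interface name or "all-ppp"
    out_iface: Optional[str] = None
    in_list: Optional[str] = None       # interface list name
    out_list: Optional[str] = None
    state: Optional[Set[str]] = None    # connection-state values
    comment: str = ""

@dataclass
class Packet:
    in_iface: str
    out_iface: str
    state: str = "new"

def _iface_ok(selector: Optional[str], iface: str) -> bool:
    if selector is None:
        return True
    if selector == "all-ppp":
        return iface in PPP_IFACES
    return selector == iface

def rule_matches(r: Rule, p: Packet) -> bool:
    return (_iface_ok(r.in_iface, p.in_iface) and _iface_ok(r.out_iface, p.out_iface)
            and (r.in_list is None or p.in_iface in INTERFACE_LISTS[r.in_list])
            and (r.out_list is None or p.out_iface in INTERFACE_LISTS[r.out_list])
            and (r.state is None or p.state in r.state))

def forward_verdict(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching forward rule wins. An unmatched packet is accepted by
    RouterOS, which is why the export ends the chain with an explicit drop."""
    for r in rules:
        if r.chain == "forward" and rule_matches(r, p):
            return r.action, r.comment
    return "accept", "implicit chain policy"

# Forward chain from the posted export (dstnat rule omitted, see lead-in).
ORIGINAL_FORWARD = [
    Rule("forward", "accept", state={"established", "related"}, comment="Allow Estab & Related"),
    Rule("forward", "accept", in_list="VLAN", out_list="WAN", state={"new"},
         comment="VLAN Internet Access only"),
    Rule("forward", "drop", comment="Drop"),
]
# Sob's rules, inserted before the final drop: order matters in a first-match chain.
SOB_RULES = [
    Rule("forward", "accept", in_iface="all-ppp", out_iface="all-ppp", comment="VPN to VPN"),
    Rule("forward", "accept", in_iface="all-ppp", out_iface="SOHO_VLAN", comment="VPN to SOHO_VLAN"),
    Rule("forward", "accept", in_iface="SOHO_VLAN", out_iface="all-ppp", comment="SOHO_VLAN to VPN"),
]
FIXED_FORWARD = ORIGINAL_FORWARD[:-1] + SOB_RULES + ORIGINAL_FORWARD[-1:]

if __name__ == "__main__":
    soho = Iface("SOHO_VLAN", "192.168.16.1/24", arp="proxy-arp")
    print("ARP for .240 on SOHO_VLAN with proxy-arp:", arp_reply(soho, "192.168.16.240"))
    print("VPN -> LAN before:", forward_verdict(ORIGINAL_FORWARD, Packet("ovpn-in1", "SOHO_VLAN")))
    print("VPN -> LAN after: ", forward_verdict(FIXED_FORWARD, Packet("ovpn-in1", "SOHO_VLAN")))
```

Two things the model makes visible that the posts state in passing: with `arp=enabled` the router never answers for 192.168.16.240, so a LAN host's traffic for the VPN client dies at the ARP stage before any firewall rule is consulted; and even with Sob's rules, a VPN client's new connection towards `ether1` still hits the final drop, because `ovpn-in1` is not in the VLAN list, which matches the poster's wish to route only LAN traffic over the VPN. Proxy ARP on SOHO_VLAN also answers for any address the router can reach via another interface (the model returns the router MAC for a request for 10.0.20.7 on SOHO_VLAN), so it should only be enabled where such cross-segment answering is intended.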

@Sob.

Thank you for your support. It worked.

Your explanation makes it all sound so simple, but that only proves that you are a network guru, probably able to visualize the packets at different layers being routed through the Mikrotik :)

It’s not that difficult, play with it, experiment, it will get to you. As for packets, how they are passing through the router, yes, I know that. But I cheated, I read this: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow#Routing_Diagram. :)