I’m having some difficulties wrapping my head around this.. Here’s what I have.
OpenVPN Server - Router1
public static IP - 192.168.10.1/24 - ether1
OpenVPN Client - Router2
public DHCP assigned IP - 192.168.20.1/24 - ether1
I have an OpenVPN client on Router2 that can successfully connect to Router1 through the interwebs. But, I’m having to allow traffic from Router1 back to Router2 with the rule of:
/ip firewall filter
add chain=input in-interface=ether1 src-address=192.168.10.1 protocl=tcp src-port=1194 action=accept
Without this rule on the OVPN client (router2), the ovpn connection will not connect, and in my default “drop everything else” rule at the end of my firewall list, I can see packets being dropped from 192.168.10.1 with a source port of 1194 and a destination address of 192.168.20.1(router2) and a random dst port.
Is this normal for OVPN, for the client to need connections originating from the server to be allowed back into the client router?
Obviously, I see the need for port 1194 to be opened in the firewall rules of the server, but, didn’t expect it to need to be open on the client too?