Hi,
After a few hours, I finally got my OpenVPN server working. But now I have the problem of avoiding access between OpenVPN clients and my LAN bridge. Does anyone know how to set up access only in defined bridges?
bests, Christian
I think the problem is in the OpenVPN software; you should edit it again to set all the information of your VPN.
Hi loveman,
I have now spent some additional days trying to get the OpenVPN server running again, but without any success…
I am not able to connect anymore…
I started the whole configuration from the beginning with the following commands:
#create ca#
/certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign
/certificate add name=server-template common-name=server
/certificate add name=client1-template common-name=client1
#sign certificates#
/certificate sign ca-template ca-crl-host={my_openvpnservers_public_address} name=myCa
/certificate sign server-template ca=myCa name=server
/certificate sign client1-template ca=myCa name=client1
#set certificates trusted#
/certificate set myCa trusted=yes
/certificate set server trusted=yes
#enable openvpn server#
/interface ovpn-server server
/interface ovpn-server server set enabled=yes
/interface ovpn-server server set certificate=server
#define openvpn dhcp-pool#
/ip pool add name=ovpn-pool range=192.168.10.1-192.168.10.253
#create openvpn profile#
/ppp profile add name=ovpn local-address=192.168.10.254 remote-address=ovpn-pool
#create user#
/ppp secret add name=client1 password=12345678 profile=ovpn
#export certificates#
/certificate export-certificate myCa
/certificate export-certificate client1 export-passphrase=12345678
My client's configuration:
client
dev tun
proto tcp-client
remote {my_openvpnservers_public_address}
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca myCa.crt
cert client1.crt
key client1.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-nocache
Any ideas what happened? There must be something I completely forgot?..
bests, Christian
Added “aes 256” in the OpenVPN server settings.
Added a bridge, and a DHCP server is using the defined IP pool.
Now I am getting the following output from the OpenVPN client:
Wed Apr 29 01:27:24 2020 Current Parameter Settings:
Wed Apr 29 01:27:24 2020 config = ‘client1.ovpn’
Wed Apr 29 01:27:24 2020 mode = 0
Wed Apr 29 01:27:24 2020 show_ciphers = DISABLED
Wed Apr 29 01:27:24 2020 show_digests = DISABLED
Wed Apr 29 01:27:24 2020 show_engines = DISABLED
Wed Apr 29 01:27:24 2020 genkey = DISABLED
Wed Apr 29 01:27:24 2020 key_pass_file = ‘[UNDEF]’
Wed Apr 29 01:27:24 2020 show_tls_ciphers = DISABLED
Wed Apr 29 01:27:24 2020 connect_retry_max = 0
Wed Apr 29 01:27:24 2020 NOTE: --mute triggered…
Wed Apr 29 01:27:24 2020 285 variation(s) on previous 10 message(s) suppressed by --mute
Wed Apr 29 01:27:24 2020 OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 25 2019
Wed Apr 29 01:27:24 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Wed Apr 29 01:27:24 2020 library versions: OpenSSL 1.1.0j 20 Nov 2018, LZO 2.10
Wed Apr 29 01:27:24 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Wed Apr 29 01:27:24 2020 Need hold release from management interface, waiting…
Wed Apr 29 01:27:25 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Wed Apr 29 01:27:25 2020 MANAGEMENT: CMD ‘state on’
Wed Apr 29 01:27:25 2020 MANAGEMENT: CMD ‘log all on’
Wed Apr 29 01:27:25 2020 MANAGEMENT: CMD ‘echo all on’
Wed Apr 29 01:27:25 2020 MANAGEMENT: CMD ‘bytecount 5’
Wed Apr 29 01:27:25 2020 MANAGEMENT: CMD ‘hold off’
Wed Apr 29 01:27:25 2020 MANAGEMENT: CMD ‘hold release’
Wed Apr 29 01:27:27 2020 MANAGEMENT: CMD ‘password […]’
Wed Apr 29 01:27:27 2020 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Wed Apr 29 01:27:27 2020 MANAGEMENT: >STATE:1588116447,RESOLVE,
Wed Apr 29 01:27:27 2020 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Wed Apr 29 01:27:27 2020 Local Options String (VER=V4): ‘V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client’
Wed Apr 29 01:27:27 2020 Expected Remote Options String (VER=V4): ‘V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server’
Wed Apr 29 01:27:27 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]92.248.37.73:1194
Wed Apr 29 01:27:27 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Apr 29 01:27:27 2020 Attempting to establish TCP connection with [AF_INET]92.248.37.73:1194 [nonblock]
Wed Apr 29 01:27:27 2020 MANAGEMENT: >STATE:1588116447,TCP_CONNECT,
Wed Apr 29 01:27:28 2020 TCP connection established with [AF_INET]92.248.37.73:1194
Wed Apr 29 01:27:28 2020 TCP_CLIENT link local: (not bound)
Wed Apr 29 01:27:28 2020 TCP_CLIENT link remote: [AF_INET]92.248.37.73:1194
Wed Apr 29 01:27:28 2020 MANAGEMENT: >STATE:1588116448,WAIT,
Wed Apr 29 01:27:28 2020 MANAGEMENT: >STATE:1588116448,AUTH,
Wed Apr 29 01:27:28 2020 TLS: Initial packet from [AF_INET]92.248.37.73:1194, sid=ce88af16 4acf0446
Wed Apr 29 01:27:28 2020 VERIFY OK: depth=1, CN=myCa
Wed Apr 29 01:27:28 2020 VERIFY KU OK
Wed Apr 29 01:27:28 2020 Validating certificate extended key usage
Wed Apr 29 01:27:28 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed Apr 29 01:27:28 2020 VERIFY EKU OK
Wed Apr 29 01:27:28 2020 VERIFY OK: depth=0, CN=server
But no final connection!
bests, Christian
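A triage of the client log posted above, as an added example that is not part of the original thread: it reads the management `>STATE:` lines and the `VERIFY` lines to say how far the handshake got and on which side the remaining checks sit. The function name `triage` and the verdict strings are hypothetical; the sample lines are copied from the posted log.

```python
import re

# Progress states an OpenVPN client reports on the management interface
# (">STATE:" lines) for a TCP connection, in the order they occur.
STATE_ORDER = ["RESOLVE", "TCP_CONNECT", "WAIT", "AUTH",
               "GET_CONFIG", "ASSIGN_IP", "ADD_ROUTES", "CONNECTED"]
STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")
VERIFY_RE = re.compile(r"VERIFY (OK|ERROR): depth=(\d+)")

def triage(log_text):
    """Report the last state reached and how certificate checks went."""
    states, verified, failed = [], set(), set()
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(1) in STATE_ORDER:
            states.append(m.group(1))
        m = VERIFY_RE.search(line)
        if m:
            (verified if m.group(1) == "OK" else failed).add(int(m.group(2)))
    last = states[-1] if states else None
    if last == "CONNECTED":
        verdict = "tunnel up"
    elif failed:
        verdict = "client rejected the server certificate chain"
    elif last == "AUTH" and 0 in verified:
        # The client trusts the server; what is still open is the rest of the
        # TLS handshake and the server's check of this client.
        verdict = "server certificate accepted; stalled before GET_CONFIG"
    elif last in ("RESOLVE", "TCP_CONNECT"):
        verdict = "no transport connection to the server"
    else:
        verdict = "stalled after state %s" % last if last else "no >STATE: lines"
    return {"last_state": last, "verified_depths": sorted(verified),
            "verdict": verdict}

# Lines taken from the log posted above (other lines omitted).
SAMPLE = """\
Wed Apr 29 01:27:27 2020 MANAGEMENT: >STATE:1588116447,RESOLVE,
Wed Apr 29 01:27:27 2020 MANAGEMENT: >STATE:1588116447,TCP_CONNECT,
Wed Apr 29 01:27:28 2020 MANAGEMENT: >STATE:1588116448,WAIT,
Wed Apr 29 01:27:28 2020 MANAGEMENT: >STATE:1588116448,AUTH,
Wed Apr 29 01:27:28 2020 VERIFY OK: depth=1, CN=myCa
Wed Apr 29 01:27:28 2020 VERIFY KU OK
Wed Apr 29 01:27:28 2020 VERIFY EKU OK
Wed Apr 29 01:27:28 2020 VERIFY OK: depth=0, CN=server
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the posted log this reports the last state as AUTH with both certificate depths verified, so the next place to look is the server-side log for the same connection attempt.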
On your client computer, you should add the certificate in Windows “certificate”; after that your OpenVPN can connect.