How to allow openvpn clients to communicate with LAN clients

My goal is to enable openvpn clients access to LAN resources.

I’m a newb to MikroTik. I’m using a RB4011iGS+5HacQ2HnD with an sfp S-RJ01 interfaced to the ISP (once in production). The MikroTik is running RouterOS 7.19.2. I am using WinBox to make configuration changes.

The router is currently in my test network, with the SFP interface getting an IP address from a DHCP server on a private LAN. The goal is to move the router into production once configuration is complete.

From the defconf configuration, I have added an Offbridge interface (“comment=offbridge build”, thanks anav) and three DHCP servers (“comment=subnet build”) on ethernet interfaces ether7, ether8 & ether9. All the wired interfaces appear to be working (i.e. provide access to the Internet and can communicate with each other). The wlan1 & wlan2 interfaces have been reconfigured to support a guest wifi that is isolated from the LAN. Thanks to CGGXANNX for help.

I have openvpn configured. The clients can connect from Windows and Linux hosts and receive an IP address using openvpn connect software on the Windows box and CLI commands in Linux. That is where my success ends.

The attached configuration has both firewall rules and a bridge that attempt to enable communication between the openvpn clients and the LAN networks, with no success.

The openvpn clients can only see hosts on the subnet (.50) they are on. Hosts in the LAN networks (.88) can’t see the openvpn clients.

It took considerable effort to climb the hill of openvpn connectivity. Clients connecting successfully is done; I assumed the routing between the networks would be easier.

I appreciate any input that could resolve my issue.

# 2025-07-06 08:52:00 by RouterOS 7.19.2

/interface bridge
add admin-mac=## auto-mac=no comment=defconf name=bridge
add comment="subnet build" name="bridge 70"
add comment="subnet build" name="bridge 80"
add comment="subnet build" name="bridge 90"
add comment="guest wifi build" name=guest-bridge
add comment="openvpn config" name=ovpn-bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment="guest wifi build" country=canada default-forwarding=no disabled=no distance=indoors frequency=\
    auto mode=ap-bridge ssid=RRS_Guest_2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX comment="guest wifi build" country=canada default-forwarding=no disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=RRS_Guest_5G wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether10 ] comment="offbridge build" name=OFFBridge
/interface wireless manual-tx-power-table
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface wireless nstreme
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment="guest wifi build" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="guest wifi build" name=guest-pool ranges=192.168.100.200-192.168.100.254
add comment="subnet build" name="pool 70" ranges=192.168.70.200-192.168.70.254
add comment="subnet build" name="pool 80" ranges=192.168.80.200-192.168.80.254
add comment="subnet build" name="pool 90" ranges=192.168.90.200-192.168.90.254
add comment="openvpn config" name=opvn-pool ranges=192.168.50.200-192.168.50.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=guest-pool comment="guest wifi build" interface=guest-bridge name=guest-server
add address-pool="pool 70" comment="subnet build" interface="bridge 70" name="server 70"
add address-pool="pool 80" comment="subnet build" interface="bridge 80" name="server 80"
add address-pool="pool 90" comment="subnet build" interface="bridge 90" name="server 90"
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add bridge=ovpn-bridge comment="openvpn config" dns-server=149.112.120.20,149.112.121.20 local-address=192.168.50.1 name=opvn-profile remote-address=opvn-pool use-encryption=yes
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge interface=ether1
add bridge="bridge 70" comment="subnet build" interface=ether7
add bridge="bridge 80" comment="subnet build" interface=ether8
add bridge="bridge 90" comment="subnet build" interface=ether9
add bridge=guest-bridge comment="guest wifi build" interface=wlan1
add bridge=guest-bridge comment="guest wifi build" interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment="offbridge build" interface=OFFBridge list=LAN
add comment="subnet build" interface="bridge 70" list=LAN
add comment="subnet build" interface="bridge 80" list=LAN
add comment="subnet build" interface="bridge 90" list=LAN
add comment="openvpn config" interface=ovpn-bridge list=LAN
/interface ovpn-server server
add auth=sha256 certificate=ovpn-server cipher=aes256-cbc comment="openvpn config" default-profile=opvn-profile disabled=no mac-address=## name=ovpn-server1 \
    protocol=udp require-client-certificate=yes tls-version=only-1.2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.69.1/30 comment="offbridge build" interface=OFFBridge network=192.168.69.0
add address=192.168.100.1/24 comment="guest wifi build" interface=guest-bridge network=192.168.100.0
add address=192.168.70.1/24 comment="subnet build" interface="bridge 70" network=192.168.70.0
add address=192.168.80.1/24 comment="subnet build" interface="bridge 80" network=192.168.80.0
add address=192.168.90.1/24 comment="subnet build" interface="bridge 90" network=192.168.90.0
add address=192.168.50.1/24 interface=ovpn-bridge network=192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.70.0/24 comment="subnet build" dns-server=192.168.70.1 gateway=192.168.70.1
add address=192.168.80.0/24 comment="subnet build" dns-server=192.168.80.1 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 comment="subnet build" dns-server=192.168.90.1 gateway=192.168.90.1
add address=192.168.100.0/24 comment="guest wifi build" dns-server=149.112.120.20,149.112.121.20 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=149.112.120.20,149.112.121.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=log chain=forward comment=ovpn-testing disabled=yes in-interface-list=WAN log=yes log-prefix=FW-INPUT src-address=192.168.2.225
add action=accept chain=input comment="openvpn config" dst-port=1194 protocol=udp
add action=accept chain=forward comment="Allow OVPN to LAN" dst-address=192.168.88.0/24 src-address=192.168.50.0/24
add action=accept chain=forward comment="Allow LAN to OVPN" dst-address=192.168.50.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="Allow established connections" connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="guest wifi build" dst-address=192.168.100.0/24 src-address=192.168.100.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="openvpn config" out-interface-list=WAN src-address=192.168.50.0/24
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="guest wifi build" in-interface=guest-bridge out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add comment="openvpn config" local-address=192.168.50.1 name## profile=opvn-profile service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Winnipeg
/system identity
set name=edgerouter
/system leds
add interface=wlan1 leds=wlan1_signal1-led,wlan1_signal2-led,wlan1_signal3-led,wlan1_signal4-led,wlan1_signal5-led type=wireless-signal-strength
add interface=wlan1 leds=wlan1_tx-led type=interface-transmit
add interface=wlan1 leds=wlan1_rx-led type=interface-receive
/tool graphing interface
add interface=bridge
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I’m pretty confident that the ovpn-bridge should be left blank and no interface should be part of it, because its function is that of a loopback interface (in simple terms an address placeholder). That’s why the bridge parameter in the /ppp profile section should be left blank. Then you could also remove the two firewall rules you’ve added, because your firewall is not that tight and should by default allow traffic between the subnets. The OVPN masquerade rule is also unnecessary.
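
To check the point above that the default forward chain already allows traffic between the subnets, here is an added Python model (not from this thread and not RouterOS code) that parses the forward rules from the first export and applies RouterOS first-match semantics to a few packets. The 203.0.113.7 source address is constructed for the test, and the model only implements the matchers the posted rules actually use.

```python
import ipaddress
import shlex
from dataclasses import dataclass, field

# Constructed sample input: the forward-chain rules from the first export posted in this
# thread, in the order RouterOS evaluates them (first terminating match wins).
FILTER_EXPORT = """\
add action=accept chain=forward comment="Allow OVPN to LAN" dst-address=192.168.88.0/24 src-address=192.168.50.0/24
add action=accept chain=forward comment="Allow LAN to OVPN" dst-address=192.168.50.0/24 src-address=192.168.88.0/24
add action=accept chain=forward comment="Allow established connections" connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="guest wifi build" dst-address=192.168.100.0/24 src-address=192.168.100.0/24
"""

# Only these actions end evaluation; log and fasttrack-connection let the packet fall through.
TERMINATING = {"accept", "drop", "reject"}

@dataclass
class Packet:
    src: str
    dst: str
    conn_state: str = "new"                     # new | established | related | invalid | untracked
    in_lists: set = field(default_factory=set)  # interface lists the in-interface belongs to
    nat_state: str = ""                         # "" | "dstnat" | "srcnat"
    ipsec: bool = False                         # nothing in this thread is IPsec-protected

def parse_export(text):
    """Turn 'add key=value ...' export lines into dicts; shlex handles the quoted comments."""
    rules = []
    for line in text.splitlines():
        if line.startswith("add "):
            rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def _negatable(value, present):
    """A leading '!' negates a matcher, e.g. in-interface-list=!LAN or connection-nat-state=!dstnat."""
    return not present if value.startswith("!") else present

def matches(rule, pkt):
    checks = {
        "src-address": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v),
        "dst-address": lambda v: ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(v),
        "connection-state": lambda v: pkt.conn_state in v.split(","),
        "in-interface-list": lambda v: _negatable(v, v.lstrip("!") in pkt.in_lists),
        "connection-nat-state": lambda v: _negatable(v, v.lstrip("!") == pkt.nat_state),
        "ipsec-policy": lambda v: pkt.ipsec,
    }
    return all(check(rule[key]) for key, check in checks.items() if key in rule)

def evaluate(rules, pkt, chain="forward"):
    """(action, comment) of the first matching terminating rule, else RouterOS's implicit accept."""
    for rule in rules:
        if rule.get("chain") == chain and rule["action"] in TERMINATING and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain (implicit accept)"

def ovpn_to_lan_verdicts():
    """New connection from an OVPN client (.50) to a .88 host: with, then without, the two added rules."""
    rules = parse_export(FILTER_EXPORT)
    trimmed = [r for r in rules if r.get("comment") not in {"Allow OVPN to LAN", "Allow LAN to OVPN"}]
    pkt = Packet(src="192.168.50.200", dst="192.168.88.10", in_lists={"LAN"})
    return evaluate(rules, pkt), evaluate(trimmed, pkt)

def wan_unsolicited_verdict():
    """New connection from the Internet (constructed source address) with no dst-nat."""
    pkt = Packet(src="203.0.113.7", dst="192.168.88.10", in_lists={"WAN"})
    return evaluate(parse_export(FILTER_EXPORT), pkt)
```

With the two "Allow" rules removed, the OVPN-to-LAN packet still reaches the end of the chain and is accepted, while an unsolicited WAN connection is still dropped by the defconf rule.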

Before attempting your changes I had to resolve an issue. I had a backup of an ovpn configuration for the MikroTik that consistently worked, until it didn’t. The client would not connect. After disabling and re-enabling the ovpn server on the MikroTik, the client connection worked. On the next reboot of the router the problem was back.

UDP was the protocol the ovpn server was using. I elected to change to TCP. With a corresponding change in the firewall rules and a new .ovpn client file, I appear to be back to consistent client connections. The attached config reflects these changes in addition to others.

The bridge configuration and firewall rules never solved my problem, so I removed them. The NAT rule I didn’t remove; I will discuss it later.

I started getting into the weeds, using the logs to see what was happening. I discovered I could see no traffic to the MikroTik outside of the .50 subnet. A ping to .88.1 produced nothing, but .50.1 generated log entries.

The issue is a misconfiguration on the ovpn server impacting the client. I added redirect-gateway def1 to the client file and it worked.

# 2025-07-06 15:55:37 by RouterOS 7.19.2

/interface bridge
add admin-mac=## auto-mac=no comment=defconf name=bridge
add comment="subnet build" name="bridge 70"
add comment="subnet build" name="bridge 80"
add comment="subnet build" name="bridge 90"
add comment="guest wifi build" name=guest-bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX comment="guest wifi build" country=canada default-forwarding=no disabled=no distance=indoors frequency=\
    auto mode=ap-bridge ssid=RRS_Guest_2G wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX comment="guest wifi build" country=canada default-forwarding=no disabled=no distance=indoors \
    frequency=auto mode=ap-bridge ssid=RRS_Guest_5G wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether10 ] comment="offbridge build" name=OFFBridge
/interface wireless manual-tx-power-table
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface wireless nstreme
set wlan1 comment="guest wifi build"
set wlan2 comment="guest wifi build"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk comment="guest wifi build" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment="guest wifi build" name=guest-pool ranges=192.168.100.200-192.168.100.254
add comment="subnet build" name="pool 70" ranges=192.168.70.200-192.168.70.254
add comment="subnet build" name="pool 80" ranges=192.168.80.200-192.168.80.254
add comment="subnet build" name="pool 90" ranges=192.168.90.200-192.168.90.254
add comment="openvpn config" name=opvn-pool ranges=192.168.50.200-192.168.50.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=guest-pool comment="guest wifi build" interface=guest-bridge name=guest-server
add address-pool="pool 70" comment="subnet build" interface="bridge 70" name="server 70"
add address-pool="pool 80" comment="subnet build" interface="bridge 80" name="server 80"
add address-pool="pool 90" comment="subnet build" interface="bridge 90" name="server 90"
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add comment="openvpn config" local-address=192.168.50.1 name=opvn-profile remote-address=opvn-pool use-encryption=yes
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge interface=ether1
add bridge="bridge 70" comment="subnet build" interface=ether7
add bridge="bridge 80" comment="subnet build" interface=ether8
add bridge="bridge 90" comment="subnet build" interface=ether9
add bridge=guest-bridge comment="guest wifi build" interface=wlan1
add bridge=guest-bridge comment="guest wifi build" interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add comment="offbridge build" interface=OFFBridge list=LAN
add comment="subnet build" interface="bridge 70" list=LAN
add comment="subnet build" interface="bridge 80" list=LAN
add comment="subnet build" interface="bridge 90" list=LAN
/interface ovpn-server server
add auth=sha256 certificate=ovpn-server cipher=aes256-cbc comment="openvpn config" default-profile=opvn-profile disabled=no mac-address=## name=ovpn-server1 \
    redirect-gateway=def1 require-client-certificate=yes tls-version=only-1.2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.69.1/30 comment="offbridge build" interface=OFFBridge network=192.168.69.0
add address=192.168.100.1/24 comment="guest wifi build" interface=guest-bridge network=192.168.100.0
add address=192.168.70.1/24 comment="subnet build" interface="bridge 70" network=192.168.70.0
add address=192.168.80.1/24 comment="subnet build" interface="bridge 80" network=192.168.80.0
add address=192.168.90.1/24 comment="subnet build" interface="bridge 90" network=192.168.90.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.70.0/24 comment="subnet build" dns-server=192.168.70.1 gateway=192.168.70.1
add address=192.168.80.0/24 comment="subnet build" dns-server=192.168.80.1 gateway=192.168.80.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.90.0/24 comment="subnet build" dns-server=192.168.90.1 gateway=192.168.90.1
add address=192.168.100.0/24 comment="guest wifi build" dns-server=149.112.120.20,149.112.121.20 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=149.112.120.20,149.112.121.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=log chain=forward comment=ovpn-testing disabled=yes in-interface-list=WAN log=yes log-prefix=FW-INPUT src-address=192.168.2.225
add action=accept chain=input comment="openvpn config" dst-port=1194 protocol=tcp src-address-list=""
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="guest wifi build" dst-address=192.168.100.0/24 src-address=192.168.100.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="openvpn config" src-address=192.168.50.0/24
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="guest wifi build" in-interface=guest-bridge out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add comment="openvpn config" local-address=192.168.50.1 name=sconway profile=opvn-profile service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=America/Winnipeg
/system identity
set name=edgerouter
/system leds
add interface=wlan1 leds=wlan1_signal1-led,wlan1_signal2-led,wlan1_signal3-led,wlan1_signal4-led,wlan1_signal5-led type=wireless-signal-strength
add interface=wlan1 leds=wlan1_tx-led type=interface-transmit
add interface=wlan1 leds=wlan1_rx-led type=interface-receive
/tool graphing interface
add interface=bridge
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Changing redirect-gateway=disabled to redirect-gateway=def1 in the ovpn-server and building another client file is the fix. The change in the ovpn-server doesn’t change the pre-certificate config entries in the client file. I thought the replacement client file would have the line redirect-gateway def1; it does not, but it does route all traffic through the interface.

If I remove the extra firewall NAT rule:

add action=masquerade chain=srcnat comment="openvpn config" src-address=192.168.50.0/24

I can ping other subnet gateways, but I can’t connect (i.e. ssh) to hosts on other subnets.

I have been using openvpn through pivpn on a Raspberry Pi with success for some months, pending the install of the MikroTik. The client file pivpn generates behaves differently than the MikroTik client file. Routing all traffic through the VPN was the default on the pivpn.

The other operational difference is in Linux. When the pivpn client starts at the CLI it returns the prompt. The MikroTik client does not; a Ctrl-C is used to end the session. The pivpn has a manage command to stop the interface. I have been unsuccessful in getting the MikroTik-generated client to work like the pivpn client.