Limit WAN Winbox access to OpenVPN connected user

Hi

I’d like to limit access to the Winbox port of my MikroTik to only:

  1. LAN - no limits on Winbox port access
  2. WAN - allow only users connected using OpenVPN

I tried using a src IP range to limit access to only the IP range assigned by OpenVPN, but apparently the firewall checks the user’s “real” IP (it’s dynamic), not the IP assigned by OpenVPN.

How can I add a rule to match traffic generated by OpenVPN clients and allow only them to access Winbox?

> I tried using a src IP range to limit access to only the IP range assigned by OpenVPN, but apparently the firewall checks the user’s “real” IP (it’s dynamic), not the IP assigned by OpenVPN.

That’s the way to go. Clients need to use the OpenVPN IP to connect with Winbox, and then their source IP will automatically be the VPN IP.
The default route at the clients is probably not over the VPN, which selects the non-VPN IP as the source…
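
The rule set discussed in this thread, written out as an added RouterOS example (not posted by either participant). The `LAN` interface list, the LAN subnet 192.168.88.0/24, the OpenVPN client pool 10.8.0.0/24 and the router's tunnel address 10.8.0.1 are assumed values; 8291 is the default Winbox port.

```routeros
# Constructed example values (assumptions, not from the thread):
#   LAN interface list  : LAN
#   LAN subnet          : 192.168.88.0/24
#   OpenVPN client pool : 10.8.0.0/24 (router's tunnel address 10.8.0.1)
#
# Rules are evaluated top to bottom, so these three must sit above any
# generic "drop everything else" rule already present in chain=input.
/ip firewall filter
# 1. LAN: no restriction on Winbox
add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface-list=LAN comment="Winbox from LAN"
# 2. Tunnel: only packets whose source is an OpenVPN-assigned address
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=10.8.0.0/24 comment="Winbox from OpenVPN clients"
# 3. Everything else, including direct connections to the WAN address
add chain=input action=drop protocol=tcp dst-port=8291 \
    comment="Winbox from anywhere else"

# Second layer: the Winbox service itself only answers the same two ranges
/ip service
set winbox address=192.168.88.0/24,10.8.0.0/24
```

With these rules a remote user has to point Winbox at 10.8.0.1, the router's address inside the tunnel. A connection to the public WAN address leaves the client over its normal default route with its public source IP and is dropped by rule 3, which is the behaviour described in the question.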