Mikrotik as OpenVPN Client, help

Hi, I’m having trouble configuring Mikrotik as an OVPN client.
I reset the config with no default config. I created a PPP profile, OVPN interface etc. and ticked "Add default route".
I added NAT masquerade for out-interface ovpn-client.
OVPN connects to the server with no problem, I can ping the gateway, I can ping 8.8.8.8 etc., but I can’t get the internet to work.

What am I missing? The OVPN server is also a Mikrotik; I can connect and surf with the OpenVPN app without any problems.

/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge name=dhcp1
/ppp profile
add change-tcp-mss=yes name=ovpnProfile only-one=yes use-encryption=required \
    use-mpls=no
/interface ovpn-client
add add-default-route=yes certificate=client.crt_0 cipher=aes256 connect-to=\
    193.xx.xx.xx mac-address=02:22:00:F9:4D:2D name=ovpn-client profile=\
    ovpnProfile user=tomaz
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=wlan1
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ovpn-client src-address=\
    192.168.1.0/24

I can ping from Mikrotik terminal, but I can’t ping from CMD.

10.0.0.1 is my main home router gateway
10.88.88.1 is mikrotik OVPN server VPN subnet
192.168.1.0/24 is mikrotik OVPN client dhcp pool
193.xx.xx.xx is public ip of OVPN server
[screenshot: routa.png (route list)]
Any help would be appreciated, thank you

Do I read you right that you cannot ping from the command line window of a Windows machine connected to the Mikrotik?

If so, what can you see if you run /tool sniffer quick ip-protocol=icmp ip-address=8.8.8.8 on the Mikrotik and start pinging 8.8.8.8 from the Windows?

Damn, now I can’t ping from the Mikrotik anymore, and I didn’t change anything; the routes look the same, I don’t get it.
But yes, you’ve read it right: I couldn’t ping from the Windows machine directly connected to the Mikrotik, but I could from the Mikrotik terminal.

I still tried your proposal even though I can’t ping from WinBox or CMD:

/tool sniffer quick ip-protocol=icmp ip-address=8.8.8.8
INTERFACE               TIME    NUM DI SRC-MAC           DST-MAC           VLAN  
ether3                 1.861      1 <- 1C:1B:0D:03:13:24 B8:69:F4:FB:38:79
bridge                 1.861      2 <- 1C:1B:0D:03:13:24 B8:69:F4:FB:38:79
ovpn-client            1.861      3 ->

Any other ideas?

Well, the first one is to make the CLI window as wide as your screen allows and run the sniffer again. The sniffer output above shows that the ICMP echo request packet arrives from the PC and is forwarded via the openvpn tunnel, but due to the narrow screen it doesn’t show whether it has been properly src-nated. In any case, the issue is at the openvpn server side. If the request is properly src-nated, I’d think about a firewall and/or NAT issue at the server side; if it is not, it depends on the network design whether the server should be aware of 192.168.1.0/24 being accessible via your client, or whether the server is a third-party one and the private subnets of the clients are irrelevant to it.

Hmm, I think the problem is in routing. I actually got it to work when I connected to ovpn, then I disabled route 0.0.0.0/0 to gateway 10.0.0.1 (main router), and I actually got the right public ip and internet worked. But then the tunnel disconnected and didn’t want to connect anymore until I added the deleted route. Then of course internet stopped working. The OVPN server is mikrotik.

/tool sniffer quick ip-protocol=icmp ip-address=8.8.8.8
INTERFACE    TIME   NUM DIR SRC-MAC           DST-MAC           VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP
wlan1      16.021     1 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
bridge     16.021     2 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
ovpn-3240  16.021     3 ->                                           192.168.1.6 8.8.8.8     ip:icmp    60   0 no
wlan1      20.773     4 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
bridge     20.773     5 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
ovpn-3240  20.773     6 ->                                           192.168.1.6 8.8.8.8     ip:icmp    60   0 no
wlan1      25.717     7 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
bridge     25.717     8 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
ovpn-3240  25.718     9 ->                                           192.168.1.6 8.8.8.8     ip:icmp    60   0 no
wlan1      30.717    10 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
bridge     30.717    11 <-  7C:7A:91:85:4B:2A C4:AD:34:2A:A7:FB      192.168.1.6 8.8.8.8     ip:icmp    74   0 no
ovpn-3240  30.717    12 ->                                           192.168.1.6 8.8.8.8     ip:icmp    60   0 no

OK, disregard the previous post; I did the config from scratch and now it works. I didn’t do anything different, AFAIK.

[nc@MikroTik] > export hide-sensitive 
# jan/15/2021 18:42:54 by RouterOS 6.47.4
# software id = 25DN-WP8V
#
# model = 951G-2HnD
# serial number = 965009C01071
/interface bridge
add name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge name=dhcp1
/ppp profile
add change-tcp-mss=yes name=ovpnProfile only-one=yes use-encryption=required \
    use-mpls=no
/interface ovpn-client
add add-default-route=yes certificate=client.crt_0 cipher=aes256 connect-to=\
    193.xx.xx.xx mac-address=02:22:00:F9:4D:2D name=ovpn-client profile=\
    ovpnProfile user=test
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=wlan1
/ip address
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=84.255.210.79
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ovpn-client src-address=\
    192.168.1.0/24
/ip route
add distance=1 gateway=ovpn-client
/system clock
set time-zone-name=Europe/Ljubljana
[nc@MikroTik] >

Which DNS should I use? Does it matter whether I use my home ISP’s DNS or the one from the VPN server side?
[screenshots: routess.png (route list), sniffer.png (sniffer output)]

How can I manipulate the routes so that I can make 0.0.0.0/0 via ovpn-out the AS one?

It depends on what you use the VPN for.

If you don’t want your ISP to know what sites you are browsing, or you want to bypass regional restrictions of some content provider, use the VPN provider’s DNS. And make sure you redirect any DNS queries that the clients send directly to a DNS address other than the one you’ve assigned them, to the VPN provider’s one.

If you don’t care about either, you can stay with your ISP’s DNS.


I don’t get the question - your screenshot shows it already is AS…?

Yes, but in the first screenshot (second post) it wasn’t, and that’s why it didn’t work.
Here I got lucky, because I couldn’t reproduce dynamically that the ovpn-client route was the AS one.

But then I researched a little and saw that I have to set the route distance of the DHCP client (ether1) to 2; then I get the ovpn-client route as AS or DAS (if I tick "add default route" under the PPP interface).

Thank you very much for your help, I learned a lot :)
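Pulling together the two points settled in the thread (DHCP client default route at distance 2 so the tunnel route becomes AS/DAS, and forcing LAN DNS through the VPN side), here is an added example configuration that is not from any post above. It reuses the thread’s names and addresses: ether1 as the WAN port, 10.0.0.1 as the home gateway, 10.88.88.1 as the OVPN server’s tunnel address (assumed here to be usable as the resolver), and 193.xx.xx.xx as the server’s public IP placeholder.

```routeros
# Added example, not the thread author's export. Addresses and interface
# names come from the thread; 10.88.88.1 as resolver is an assumption.

# 1. Keep the ISP default route (learned by DHCP on ether1) but at distance 2,
#    so the distance-1 default route over ovpn-client wins while the tunnel
#    is up and the ISP route takes over again when it drops.
/ip dhcp-client
set [ find interface=ether1 ] add-default-route=yes default-route-distance=2

# 2. Pin the OVPN server itself to the ISP gateway, so the tunnel's own TCP
#    session can never be routed into the tunnel once 0.0.0.0/0 points at it.
/ip route
add dst-address=193.xx.xx.xx/32 gateway=10.0.0.1 comment="OVPN server via ISP"

# 3. Static default route through the tunnel (shows as AS; the dynamic one
#    from add-default-route=yes on the ovpn-client would show as DAS).
add dst-address=0.0.0.0/0 gateway=ovpn-client distance=1 comment="via VPN"

# 4. Resolve on the VPN side and hand the router itself to LAN clients as DNS.
/ip dns
set allow-remote-requests=yes servers=10.88.88.1
/ip dhcp-server network
set [ find address=192.168.1.0/24 ] dns-server=192.168.1.1

# 5. Clients that hard-code another resolver (e.g. 8.8.8.8) are redirected to
#    the router, so every lookup still leaves through the tunnel, and the LAN
#    is masqueraded behind the tunnel address as in the original config.
/ip firewall nat
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"
add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS via router"
add chain=srcnat out-interface=ovpn-client src-address=192.168.1.0/24 \
    action=masquerade

# 6. Check: the ovpn-client route should carry the A flag, the ether1 route
#    (distance 2) should be present but not active.
/ip route print where dst-address=0.0.0.0/0
```

With the tunnel up, a second `/tool sniffer quick ip-protocol=icmp ip-address=8.8.8.8` should now show the echo replies returning on ovpn-client, which was the missing piece in the earlier capture.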