Mikrotik OpenVPN behind external router?

Hello
I have a main router (D-Link) on which I forward port 1194 to a Mikrotik router (that I want to use as an OpenVPN server for my local network).
The Mikrotik is used as a bridge (wlan + ethernet).

/interface bridge
add fast-forward=no name=bridge1
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 interface=ether1

/ip address
add address=10.0.0.2/24 interface=bridge1 network=10.0.0.0

/ip firewall filter
add action=accept chain=input comment="Ping to Router" protocol=icmp
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp

/ppp secret
add local-address=10.0.0.2 name=Phone password=********* remote-address=10.0.0.221 service=ovpn

/ppp profile
add name=OpenVPN-Profile only-one=yes use-encryption=yes

/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 enabled=yes require-client-certificate=yes

I can see the phone is connected on the Mikrotik and gets 10.0.0.221,
but I have no ping to the local network (10.0.0.1-10).
The OpenVPN config file route is
10.0.0.0 255.255.255.0
and when I traceroute from the phone I can see it's sending to the Mikrotik.

Do I need to change/add anything else?

The network is set up so that the D-Link is the router / default gateway (10.0.0.1).
Can this be the reason?

…as far as I know, you will need a dedicated transfer network for the ovpn connection, not just the same IPs from your local LAN for clients.
See: https://help.mikrotik.com/docs/display/ROS/OpenVPN#OpenVPN-OVPNServer

Also note the hint at the bottom of that page:

Since RouterOS does not support route-push you need to add manually which networks you want to access over the tunnel.

But the Mikrotik is not the client,
it's the server.

So maybe I didn't understand - what do I need to do?
Do I need to add an OpenVPN client on the server itself, so it will connect to itself?

****UPDATE

After "playing" with all kinds of masquerade rules,
I did this:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 src-address=10.0.0.221

and it's working.
I have only 1 device for my OpenVPN - so it's a good solution for me now.

I will try to change the OpenVPN address to another network - and see if it's also working.

You can also set arp=proxy-arp for bridge1, and then you won’t need masquerade.
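
The two alternatives suggested in the replies, written out as RouterOS commands. This is an added example, not configuration posted by anyone in the thread; the 10.8.0.0/24 transfer network and the two addresses taken from it are assumptions.

```routeros
# Why the ping failed: 10.0.0.221 looks on-link to every LAN host (10.0.0.0/24),
# so they ARP for it on the LAN instead of sending the reply to 10.0.0.2.
# Nothing answers that ARP, so the reply never reaches the tunnel.

# Option A (last reply): keep 10.0.0.221 and let the bridge answer ARP
# on behalf of the VPN client. No masquerade rule is needed with this.
/interface bridge
set bridge1 arp=proxy-arp

# Option B (first reply): move the VPN client to a dedicated transfer network.
# 10.8.0.1 / 10.8.0.2 are assumed values, not from the thread.
/ppp secret
set [find name=Phone] local-address=10.8.0.1 remote-address=10.8.0.2

# With option B the LAN hosts send replies for 10.8.0.2 to their default
# gateway (the D-Link, 10.0.0.1). Either add a static route on the D-Link
# for 10.8.0.0/24 via 10.0.0.2, or hide the client behind the MikroTik's
# LAN address as in the UPDATE post, with the new source network:
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.8.0.0/24 dst-address=10.0.0.0/24

# The route line in the client's OpenVPN config (10.0.0.0 255.255.255.0)
# stays the same in both options, since RouterOS does not push routes.
```

With masquerade, LAN hosts see all VPN traffic as coming from 10.0.0.2; proxy-ARP or a static route on the D-Link keeps the client's own address visible in their logs.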