I'm still a bit new to MikroTik; it's not as easy as I would have wished for, but on the other hand I learn a lot.
I have a Windows 2019 VPS machine that runs OpenVPN as the server, and I use the RB1100x4 as an OpenVPN client.
Behind the RB1100x4 I have a network 192.168.88.0/24.
The VPN has the network 10.9.0.0/24.
The OVPN IP address of the server is 10.9.0.1.
The OVPN IP address of the RB1100x4 is 10.9.0.2.
I can ping from 10.9.0.1 to 10.9.0.2.
I can ping from 192.168.88.x to 10.9.0.1.
I can NOT ping from 10.9.0.1 to 192.168.88.x.
Routes on the Windows server are set as follows:
Network Destination        Netmask          Gateway       Interface  Metric
       192.168.88.0    255.255.255.0         10.9.0.2         10.9.0.1      35
To be able to ping from computers behind RB1100x4 to the server I had to add:
It would be helpful to have the rest of your firewall rules, but you likely need to add a forward chain rule, and make sure it's above any drop rules in the forward chain.
On the client machine you are connecting to the VPN with, you will either need to make sure the default route is checked in the VPN config or add a static route for 192.168.88.0/24 using the 10.9.0.1 gateway as well.
This is the client machine. The server runs on a Windows VPS machine.
The route on the Windows VPS is correct, but still no ping from 10.9.0.1 to 192.168.88.x.
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
# profile referenced by the OVPN client below: compression off, encryption on
add name=openvpn-client use-compression=no use-encryption=yes use-mpls=no
/interface ovpn-client
add certificate=betongvagen.crt_0 cipher=aes256 connect-to="not showing this" mac-address=02:BD:7B:5E:F6:26 name=ovpn-out1 port=1195 profile=openvpn-client user=betongvagen
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
# LAN gateway address; bound to ether2 (a bridge1 port) rather than to bridge1 itself
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall filter
# the only forward rule in this export: allow tunnel -> LAN
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=10.9.0.0/24
/ip firewall nat
# LAN hosts leave ether1 and the tunnel with the router's own address as source
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ovpn-out1
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=not showing this
/tool sniffer
set file-limit=10000KiB file-name=packet-sniffer filter-interface=all
The fact that you added a masquerade rule to the RB1100 on the OVPN out interface and can now ping the server leads me to believe the route in the server (dst 192.168.88.0/24) to use the VPN client isn't correct. A traceroute from the server to 192.168.88.x should show if it's trying to use the proper gateway.
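The reply above amounts to a route-selection check on the server: which gateway and interface does the Windows stack pick for a 192.168.88.x destination? As an added example that is not part of the thread, the Python script below parses a `route print` table in the layout quoted earlier and performs the same longest-prefix lookup. The table is constructed: 10.9.0.1, 10.9.0.2 and the 192.168.88.0 route are the thread's values, while 203.0.113.1 and 203.0.113.10 (RFC 5737 documentation space) stand in for the VPS's public default gateway and interface, which the thread does not show. It replays both the working table and the table with the static route missing, and it shows why the masquerade rule on ovpn-out1 makes LAN-to-server pings succeed either way: the masqueraded packets arrive from 10.9.0.2, and the reply to that address is on-link in 10.9.0.0/24, so the 192.168.88.0 route is never consulted.

```python
"""Longest-prefix route lookup over a Windows `route print` table.

Added example for the thread above, not code from the thread. It answers
"which gateway and interface does the server pick for this destination?",
which is what the suggested traceroute would reveal on the real host.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None means "On-link"
    interface: ipaddress.IPv4Address
    metric: int


# Constructed sample in `route print` layout. 10.9.0.1 and the 192.168.88.0
# route are the thread's values; 203.0.113.x (RFC 5737 documentation space)
# is an assumed public interface/default gateway the thread does not show.
SERVER_ROUTE_PRINT = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      10
         10.9.0.0    255.255.255.0         On-link         10.9.0.1     291
         10.9.0.1  255.255.255.255         On-link         10.9.0.1     291
     192.168.88.0    255.255.255.0         10.9.0.2         10.9.0.1      35
      203.0.113.0    255.255.255.0         On-link     203.0.113.10     266
"""


def parse_route_print(text: str) -> List[Route]:
    """Extract IPv4 route rows; header, separator and blank lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gw, iface, metric = parts
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
            interface = ipaddress.IPv4Address(iface)
            gateway = None if gw == "On-link" else ipaddress.IPv4Address(gw)
            routes.append(Route(network, gateway, interface, int(metric)))
        except ValueError:
            continue  # a five-word line that is not a route row
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """(gateway, interface) the stack would use. An on-link route hands the
    packet straight to the destination address on that interface."""
    r = lookup(routes, dst)
    if r is None:
        return None
    gw = r.gateway if r.gateway is not None else ipaddress.IPv4Address(dst)
    return str(gw), str(r.interface)


def without_route(routes: List[Route], prefix: str) -> List[Route]:
    """Copy of the table with one route removed, to replay the 'static route
    missing' failure without touching a live host."""
    net = ipaddress.IPv4Network(prefix)
    return [r for r in routes if r.network != net]


SERVER_ROUTES = parse_route_print(SERVER_ROUTE_PRINT)

if __name__ == "__main__":
    # Server -> LAN host with the static route present: next hop 10.9.0.2
    # over the tunnel interface 10.9.0.1.
    print("to 192.168.88.10:", next_hop(SERVER_ROUTES, "192.168.88.10"))
    # Same lookup with the static route gone: falls through to the default
    # gateway and leaves the tunnel entirely.
    broken = without_route(SERVER_ROUTES, "192.168.88.0/24")
    print("without the route:", next_hop(broken, "192.168.88.10"))
    # Reply to a masqueraded ping: the source was rewritten to 10.9.0.2,
    # which is on-link, so the 192.168.88.0 route plays no part.
    print("reply to masqueraded ping:", next_hop(broken, "10.9.0.2"))
```

Paste the real `route print` output into SERVER_ROUTE_PRINT to check the actual host. If the lookup already selects 10.9.0.2 on 10.9.0.1 but the traceroute still shows the default gateway, the OS table is not the problem. One caveat the thread does not cover: the OS route only delivers the packet to the OpenVPN process; an OpenVPN server additionally needs an iroute for 192.168.88.0/24 in that client's client-config-dir entry before it will forward packets for that subnet down the client's tunnel.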