Need help configuring OpenVPN

Hi guys,

I'm trying to configure a site-to-site connection using OpenVPN, and I'm experimenting with dynamic routing. I read on someone’s blog that this is impossible to achieve on RouterOS v6. I tried again on RouterOS v7, but the same issue occurs.

I know that site-to-site OpenVPN works fine with static routing, but I'm curious whether it’s possible to make it work with dynamic routing (OSPF or BGP).

Has anyone successfully implemented this, or can confirm whether it’s supported?

Thanks!

For dynamic routing on a site-to-site VPN you need a tunnel that can transport any traffic as controlled by a routing table. VPN protocols that use a “policy” defining what to route (local and remote subnet) cannot be used, unless you layer such a tunnel (IPIP, GRE, L2TP) on top of them.

Hi @Bagas06

OSPF works fine with OpenVPN - the only “difficulty” is that the openvpn server side has a mask of /32, where the mask of the clients is by default /24, configurable with the netmask= parameter on the OpenVPN server. I opted to set a /32 on both sides, and for it to work, the OSPF interface type has to be set to ptp.

I did a quick lab:

192.168.90.0/24 - Router4                - (.....) - Router3 - 192.168.91.0/24
                  OpenVPN Server                     OpenVPN Client

Here is the OSPF status seen from router3 (OpenVPN client):

[admin@router3] > /routing/ospf/neighbor/print
Flags: V - virtual; D - dynamic
 0  D instance=ospf area=backbone address=172.31.255.1 router-id=192.168.90.1
      state="Full" state-changes=5 adjacency=25m54s timeout=36s

[admin@router3] > /routing/route/print
Flags: A - ACTIVE; c - CONNECT, o - OSPF
Columns: DST-ADDRESS, GATEWAY, AFI, ROUTING-TABLE, DISTANCE, SCOPE, TARGET-SCOPE, IM>
   DST-ADDRESS      GATEWAY             AFI   ROUT  DIS  SCOPE  TA  IMMEDIATE-GW    >
[...]
Ao 172.31.255.2/32  172.31.255.1%ovpn1  ip    main  110     20  10  172.31.255.1%ovp>
Ao 192.168.90.0/24  172.31.255.1%ovpn1  ip    main  110     20  10  172.31.255.1%ovp>
[...]

And a traceroute from a machine on the 192.168.91.0/24, hitting a machine on the 192.168.90.0/24:

Here are the configuration changes.

Router4 (OpenVPN server)

/system identity
set name=router4

/interface ovpn-server
add name=ovpn1 user=router3

/interface list
add name=VPN

/ip pool
add name=ovpnpool ranges=172.31.255.2

/ppp profile
add local-address=172.31.255.1 name=ovpnsrv remote-address=ovpnpool

/ppp secret
add name=router3 profile=ovpnsrv password=*****

/routing ospf instance
add disabled=no name=ospf routing-table=main

/routing ospf area
add disabled=no instance=ospf name=backbone

/routing ospf interface-template
add area=backbone disabled=no interfaces=bridge passive
add area=backbone disabled=no interfaces=ovpn1 type=ptp

/interface list member
add interface=ovpn1 list=VPN

/interface ovpn-server server
add certificate=ovpnsrv comment="OVPN Server" disabled=no mac-address=\
    FE:B1:CC:DB:09:E9 name=ovpnsrv netmask=32 port=1149 protocol=udp

/ip address
add address=192.168.90.1/24 comment=defconf interface=bridge network=192.168.90.0
add address=10.0.0.1/24 interface=ether1 network=10.0.0.0

/ip firewall filter
add action=accept chain=input dst-port=1149 protocol=udp
add action=accept chain=input in-interface-list=VPN protocol=ospf
add action=accept chain=forward in-interface-list=LAN out-interface-list=VPN
add action=accept chain=forward in-interface-list=VPN out-interface-list=LAN

Router3 (OpenVPN client)

/interface ovpn-client
add connect-to=10.0.0.1 mac-address=FE:32:37:1E:6F:7B name=ovpn1 port=1149 \
    protocol=udp user=router3 password=*****

/interface list
add name=VPN

/routing ospf instance
add disabled=no name=ospf routing-table=main

/routing ospf area
add disabled=no instance=ospf name=backbone

/routing ospf interface-template
add area=backbone disabled=no interfaces=bridge passive
add area=backbone disabled=no interfaces=ovpn1 type=ptp

/system identity
set name=router3

/interface list member
add interface=ovpn1 list=VPN

/ip address
add address=192.168.91.1/24 comment=defconf interface=bridge network=192.168.91.0
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0

/ip firewall filter
add action=accept chain=input in-interface-list=VPN protocol=ospf
add action=accept chain=forward in-interface-list=LAN out-interface-list=VPN
add action=accept chain=forward in-interface-list=VPN out-interface-list=LAN

For fun, I added a second OpenVPN client to the mix (router2) with almost the same configuration as router3. On router4 (the OpenVPN server), I added an entry to /interface/ovpn-server to bind the second username and interface, and added it to the OSPF interface-template.

On router4, the new router shows as a neighbor -

On router2, the routes are learnt through router4 -

Going from 192.168.92.0/24 to 192.168.91.0/24 works fine - it goes through router4

It is likely possible to configure it to work more as a one-to-many VPN (called "DMVPN" in the Cisco world, "ADVPN" in Fortigate's).
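Added example, not code from the thread: a small Python checker that parses a RouterOS export and flags the three points the answer above depends on (netmask=32 on the OpenVPN server, type=ptp on the OSPF interface-template for the ovpn interface, and an OSPF accept rule on input that is not scoped to an interface or interface list). The two exports are constructed, adapted from the router4 config in the post; the function and menu-matching logic are assumptions of this example, not a MikroTik tool.

```python
import shlex
# Constructed sample, adapted from the server-side export in the post above.
GOOD = """
/interface ovpn-server
add name=ovpn1 user=router3
/routing ospf interface-template
add area=backbone disabled=no interfaces=bridge passive
add area=backbone disabled=no interfaces=ovpn1 type=ptp
/interface ovpn-server server
add certificate=ovpnsrv comment="OVPN Server" disabled=no \\
    name=ovpnsrv netmask=32 port=1149 protocol=udp
/ip firewall filter
add action=accept chain=input in-interface-list=VPN protocol=ospf
"""
# Constructed variant carrying the three mistakes the checker should flag.
BAD = (GOOD.replace("netmask=32", "netmask=24")
           .replace("interfaces=ovpn1 type=ptp", "interfaces=ovpn1")
           .replace("in-interface-list=VPN protocol=ospf", "protocol=ospf"))

def parse_export(text):  # -> list of (menu, props) for every add/set line
    menu, buf, entries = None, "", []
    for raw in text.splitlines():
        buf += raw.strip()
        if buf.endswith("\\"):      # export wraps long lines with a trailing backslash
            buf = buf[:-1] + " "
            continue
        line, buf = buf, ""
        if line.startswith("/"):
            menu = line
        elif line.split(" ", 1)[0] in ("add", "set"):
            props = {}
            for word in shlex.split(line)[1:]:
                key, _, val = word.partition("=")
                props[key] = val or True    # a bare word such as "passive" is a flag
            entries.append((menu, props))
    return entries

def check_ospf_over_ovpn(text):  # -> list of findings; empty means the export passes
    entries = parse_export(text)
    ovpn_ifaces = {p.get("name") for m, p in entries if m in ("/interface ovpn-server", "/interface ovpn-client")}
    findings = []
    for m, p in entries:
        if m == "/interface ovpn-server server" and p.get("netmask") != "32":
            findings.append(f"{p.get('name')}: netmask={p.get('netmask', 'default')}, expected 32 for ptp OSPF")
        elif m == "/routing ospf interface-template" and p.get("interfaces") in ovpn_ifaces and p.get("type") != "ptp":
            findings.append(f"ospf template on {p['interfaces']}: type must be ptp")
        elif m == "/ip firewall filter" and p.get("chain") == "input" and p.get("protocol") == "ospf" \
                and p.get("action") == "accept" and not (p.get("in-interface") or p.get("in-interface-list")):
            findings.append("firewall: OSPF accepted on input without an interface restriction")
    return findings
```

Run it over `/export` output from both ends of the tunnel; the client side is checked for the ptp template and the OSPF input rule, the server side additionally for the netmask.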

Hi, thank you everyone!

I just logged into the forum again after a hectic week. I appreciate all the suggestions and answers. I’ll run a quick lab as soon as possible, and I’ll let you know if I run into any other issues.

Thanks again!


Hi,
I just wanted to give you an update. I ran a quick lab and your script worked perfectly.
Thank you for the help, I really appreciate it.
