I am trying to set up my Mikrotik box (RB750Gr2) to dial into my office VPN. Once that happens I want any machine connected to my house LAN to be able to access my office LAN. Currently the way I am accessing the VPN is by dialing in via PPTP from my desktop machine, which is located in my house LAN. After I log in I can ssh and access IPs and domains as though I am in the office.
I have followed a couple of guides to do this and this is what I have done so far:
Set up a PPTP client in my tik. That connected successfully.
Created a firewall rule srcnat src=* to dst=192.168.12.0/0 out=myvpninterface (my office IP is 192.168.12.x).
Created a route dst-address 192.168.12.0/24 to my vpninterface.
I can already ping my office gateway, but when I try to ssh to the domains I usually ssh to when I am connected via VPN, I get connection refused, as though I am not connected via VPN from my machine in the LAN. When I manually dial in again via that same machine, I can ssh in. Could someone point out what I am still lacking in my setup?
Using the packet sniffer I can see packets going to the interface when I try to, say, ping my gateway, which is 192.168.12.x, but ssh is still unsuccessful. Is this because it does not see my IP as coming from 192.168.12.x? Btw, the hosts that I am trying to ssh to are not in the 192.168.12.x range. However, after normally using the VPN client to log in to my VPN on my desktop machine, I am able to access these sites. These sites are something like 69.168.x.x.
Obviously you need to change your routing and masquerading so it works the same as with your native VPN client, or at least so that you route all the addresses you want to reach over the VPN to the VPN interface.
I recently faced a similar problem: I had set up a VPN router that allows callers to reach a single network range used by the company (a very large range, 172.20.0.0/14, of which only parts are in use), yet some people added new parts of the network at addresses outside that range. That already required static routes in all kinds of equipment that were never required before, but it caused the VPN to fail completely because it did not allow routing more than one subnet automatically. Sometimes network engineers just don’t behave sensibly…
I could solve it by using BGP on the VPN. But of course that is only possible when you can manage the VPN router.
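As an added illustration of the routing and masquerading the answer describes (not configuration from the thread or from MikroTik's documentation), this RouterOS CLI snippet routes each prefix the office client needs over the PPTP tunnel and masquerades LAN sources behind it. The interface name pptp-office, the server name vpn.example.com, the LAN prefix 192.168.88.0/24 and the 69.168.0.0/16 prefix are placeholders; the original post gives only 192.168.12.0/24 and "69.168.x.x".

```routeros
# Client tunnel; add-default-route=no so only listed prefixes go over the VPN
/interface pptp-client add name=pptp-office connect-to=vpn.example.com \
    user=officeuser password=CHANGEME add-default-route=no disabled=no

# One route per prefix reachable only through the office. The 69.168.0.0/16
# entry is a placeholder for the external ranges the poster mentions; use the
# exact prefixes the office VPN client pushes rather than a broad guess.
/ip route add dst-address=192.168.12.0/24 gateway=pptp-office comment="office LAN"
/ip route add dst-address=69.168.0.0/16 gateway=pptp-office comment="office-only hosts"

# Masquerade only traffic that leaves via the tunnel, limited to the home LAN
# source range, so the office side sees the tunnel address as the source.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    out-interface=pptp-office action=masquerade comment="home LAN -> office VPN"

# Checks: the route table must show the prefixes with the tunnel as gateway,
# and a traceroute from the router should enter the tunnel on the first hop.
/ip route print where gateway=pptp-office
/tool traceroute 69.168.1.1 count=1
```

If a host is reachable after dialing the VPN from the desktop but not through the router, compare the routes the desktop client installs (route print on Windows, ip route on Linux) with the list above; every missing prefix needs its own /ip route entry.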