Open VPN setting for my home LAN

Dears,

Finally I have set up OpenVPN on my hAP ac2 router, and I can log in to the VPN from my mobile. The problem is that I cannot reach any local IP address in my LAN (NAS, sprinkler system, alarm system, security cameras, etc.).
Here is my export file, with sensitive values hidden:

# aug/05/2022 14:49:59 by RouterOS 6.49.6
# software id = VL3Q-ZYA9
#
# model = RBD52G-5HacD2HnD
# serial number = D7160C8BD2C8
# NOTE(review): the post says sensitive values were hidden, but the software id,
# serial number and device MAC addresses are still present in this export.
/interface bridge
add admin-mac=48:8F:5A:F8:CA:6A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid="Deme Router 2GHz" station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid="Deme Router 5GHz" \
    station-roaming=enabled wireless-protocol=802.11
/interface list
# Two lists, WAN (ether1) and LAN (bridge); see /interface list member below.
# The dynamic OVPN client interface is a member of neither list, which matters
# for the input-chain rules further down.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
# LAN DHCP range and VPN client range; they are two separate /24 subnets.
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name="ovpn pool" ranges=192.168.2.2-192.168.2.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# VPN clients get 192.168.2.1 as the router side and an address from "ovpn pool",
# unless a /ppp secret sets its own remote-address (see the admin secret below).
add local-address=192.168.2.1 name=openVPN remote-address="ovpn pool"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
# ether2..ether5 and both wlans are bridge ports; the LAN address is therefore
# expected on the bridge interface, not on ether2 (see /ip address).
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# A client certificate is required in addition to the user/password secret.
# auth=sha1 / cipher=aes256 must match "auth SHA1" / "cipher AES-256-CBC" in the
# client profile.
set auth=sha1 certificate=server cipher=aes256 default-profile=openVPN \
    enabled=yes require-client-certificate=yes
/ip address
# NOTE(review): 192.168.1.50 is placed on ether2 although ether2 is a bridge port;
# the usual place is interface=bridge. The same address is the DHCP gateway below
# and reappears as remote-address in the admin ppp secret.
add address=192.168.1.50/24 comment=defconf interface=ether2 network=\
    192.168.1.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.201 client-id=1:50:67:f0:69:75:b4 mac-address=\
    50:67:F0:69:75:B4 server=defconf
add address=192.168.1.200 client-id=1:5c:6a:80:37:f6:f2 mac-address=\
    5C:6A:80:37:F6:F2 server=defconf
add address=192.168.1.170 allow-dual-stack-queue=no client-id=\
    1:44:47:cc:99:c7:68 comment="IP camera behajt\F3" mac-address=\
    44:47:CC:99:C7:68 server=defconf
add address=192.168.1.137 client-id=1:0:95:69:83:c9:7a comment=Riasztokozpont \
    mac-address=00:95:69:83:C9:7A server=defconf
add address=192.168.1.121 client-id=1:2c:a5:9c:c6:a5:b6 comment=\
    "Outdoor station" mac-address=2C:A5:9C:C6:A5:B6 server=defconf
add address=192.168.1.120 client-id=1:2c:a5:9c:b5:8a:5c comment=\
    "Indoor station" mac-address=2C:A5:9C:B5:8A:5C server=defconf
add address=192.168.1.171 client-id=1:24:28:fd:81:93:99 comment=\
    "IP camera udvar" mac-address=24:28:FD:81:93:99 server=defconf
add address=192.168.1.172 client-id=1:24:f:9b:98:46:ac comment=\
    "Udvar h\E1tul" mac-address=24:0F:9B:98:46:AC server=defconf
/ip dhcp-server network
# LAN hosts use the router (192.168.1.50) as gateway, so replies to a routed
# 192.168.2.x VPN client come back through the router without extra routes.
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.50 netmask=24
/ip dns
# The router answers DNS for remote requesters; the input-chain drop below limits
# this to the LAN list, so VPN clients cannot use it as a resolver either.
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.50 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# OVPN listener accepted on every interface (no in-interface match), which is
# what lets clients connect from the WAN side.
add action=accept chain=input comment="open vpn" dst-port=1194 protocol=tcp
# NOTE(review): VPN clients arrive on a dynamic ovpn interface that is not in the
# LAN list, so this rule drops their traffic to the router itself (DNS, Winbox,
# web; ICMP is accepted earlier), while forwarding to LAN hosts is still allowed
# by the forward chain. To let VPN clients reach the router, insert before this
# rule e.g.:
# add action=accept chain=input comment="vpn clients" src-address=192.168.2.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only new connections from WAN are dropped here; the chain has no further rules,
# so new connections from the ovpn interface to the LAN fall through and are
# accepted. Every LAN host (NAS, cameras, alarm) is thus reachable from any VPN
# client; add forward rules matching src-address=192.168.2.0/24 if only some
# hosts should be.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): this second masquerade has no out-interface match, so it also
# rewrites VPN -> LAN connections to the router's own LAN address; LAN device
# logs then show the router instead of the 192.168.2.x client. It is probably
# what makes LAN hosts answer when a client is given a 192.168.1.x address
# without proxy-arp. Likely unintended — the rule above already covers WAN;
# with clients on 192.168.2.x it can be removed.
add action=masquerade chain=srcnat
# Both port forwards are disabled.
add action=dst-nat chain=dstnat comment="Plc forward\
    \n" disabled=yes dst-port=8080 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.1.234 to-ports=80
add action=dst-nat chain=dstnat comment="Nas forward" disabled=yes dst-port=\
    9091 in-interface=ether1 protocol=tcp to-addresses=192.168.1.200 \
    to-ports=9091
/ip upnp
# NOTE(review): UPnP lets any LAN host (including the cameras and alarm unit)
# request WAN port forwards on its own. No /ip upnp interfaces entries appear in
# this export, so it may be inert — confirm; otherwise disable it unless needed.
set enabled=yes
/ppp secret
# NOTE(review): remote-address here takes precedence over the profile pool, and
# 192.168.1.50 is the router's own LAN address from /ip address — the VPN client
# is handed a duplicate of the default gateway. Use an address inside
# 192.168.2.x, or omit remote-address so the profile's "ovpn pool" applies.
add local-address=192.168.2.1 name=admin profile=openVPN remote-address=\
    192.168.1.50 service=ovpn
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name="MikroTik hAP AC2"
/system leds settings
set all-leds-off=immediate
/system ntp client
set primary-ntp=162.159.200.123
/system ntp server
set enabled=yes
/tool mac-server
# MAC-level management access (mac-telnet, mac-winbox) limited to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I think I don't understand some routing setting, or I just missed it.
Here is the .ovpn file for the client:

# OpenVPN client profile for the RouterOS OVPN server in the export above
# (TCP, port 1194, tun, certificate + user/password).
client
proto tcp
port 1194
# NOTE(review): the public WAN address is left in the post although sensitive
# values were said to be hidden.
remote 92.118.176.26
dev tun
nobind
persist-key
# "client" already implies tls-client and pull; both directives are redundant.
tls-client
# CA plus the client certificate/key the server requires.
ca ca.crt
cert client2.crt
key client2.key
ping 10
verb 3
# Must match auth=sha1 / cipher=aes256 on the server.
cipher AES-256-CBC
auth SHA1
pull
# Username/password are read from a cleartext file on the phone; keep its
# permissions restricted.
auth-user-pass passwd
# NOTE(review): nothing here routes the home LAN through the tunnel. Unless the
# server pushes a route, add: route 192.168.1.0 255.255.255.0
# (the LAN in the export is 192.168.1.0/24, not 192.168.88.0/24). Consider also
# "remote-cert-tls server" so a client certificate issued by the same CA cannot
# be presented as the server — this needs the server certificate to carry the
# serverAuth EKU; confirm on the router.

After long hours of trying, it's driving me crazy. Please help!

Dávid

Hello,
I think you should add a route for your local IP range to your VPN client config file.

# NOTE(review): the export's LAN is 192.168.1.0/24, so the route would need to be
# "route 192.168.1.0 255.255.255.0"; 192.168.88.0/24 is the RouterOS factory
# default LAN and does not appear in this router's export.
route 192.168.88.0 255.255.255.0
# Sends all client traffic through the VPN, not only the LAN range.
redirect-gateway def1

Nope, it does not help…

On Bridge → bridge, check the ARP setting; if it is set to “enabled”, change it to proxy-arp.

Nope...

You have network 192.168.1.0/24 and pool for dhcp:
192.168.1.100-192.168.1.254

and you have network 192.168.2.0/24 and pool for openvpn:
192.168.2.2-192.168.2.250

That's fine. But look at this:

/ppp secret
add local-address=192.168.2.1 name=admin profile=openVPN remote-address=\
    192.168.1.50 service=ovpn

From: https://wiki.mikrotik.com/wiki/Manual:PPP_AAA

remote-address means:

Tunnel address or name of the pool from which address is assigned to remote ppp interface.

So, you have a user called admin with remote address 192.168.1.50.
After that user connects to the VPN, maybe he gets IP 192.168.1.50, and maybe the internet connection on the devices in your local network stops?

In your configuration I also see that you use IP address 192.168.1.50 as the default gateway for devices in your DHCP network, and that IP address is set up on the ether2 interface.

That situation in Bulgaria we call: ‘Mandja s grozde’ :wink:


So:

  1. Your DHCP server is configured to run on interface bridge - ok
  2. IP address 192.168.1.50 is on interface ether2 - change the interface to bridge.

In the PPP secret for user admin, change the remote address from 192.168.1.50 to 192.168.2.2 (for example, so that it is inside your ovpn pool and user admin gets the static address 192.168.2.2 every time), or set the remote address to “ovpn pool” to get a random address from ‘ovpn pool’.

You can also check ‘Application Examples’ posted in: https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

Hi,

I set the interface of IP address 192.168.1.50 to bridge and changed the PPP secret as you mentioned, but it did not help. (Anyway, I cannot set it to "ovpn pool", but it does not matter.)
But I noticed something: if I set the remote address to 192.168.1.51, I can reach the addresses in my local network except my router IP (192.168.1.50). So is something in my bridging not right? How can I set it?

Thanks!

Dávid