OpenVPN between RouterOS and Ubiquiti EdgeRouter

I need to set up OpenVPN between a HAP LITE and a Ubiquiti EdgeRouter. Both support OpenVPN.

The EdgeRouter is the server, the HAP Lite is the client.

The EdgeRouter requires I use a DH Parameters file. How do I configure that on the HAP side? I tried appending it to the certificate file but that didn’t seem to work.

I am getting pretty close to getting this working. The HAP tries to connect, I see in the OpenVPN logs on the EdgeRouter that it starts a connection and then rejects it. The DH Parameters file is the one thing I’m missing on the HAP side, which I am hopeful is the last thing I need to make this work.

I guess RouterOS’s openvpn is not going to support a static TLS key anytime soon? This seems like it might avoid having to set up certificates and a CA for just a single link.

I figured this out. You only need the DH params file on the server.

The thing I was missing was I needed to reimport the key once I signed my cert.

I now have a working openvpn between an EdgeRouter and a hAP Lite. I can ping the hAP from the edgerouter and I can even ssh into the hAP from the edgerouter. Connectivity seems good!

However, I’m having either a routing problem or a firewall problem. I can’t ping or get to anything on the other subnet, either side. If I tcpdump vtun1, I see the pings going to the other side but nothing comes back.

vtun1 is 10.101.1.1 on the edgerouter side and 10.101.1.2 on the hAP side.

I’m using 192.168.0.0/24 on the lan side of the edgerouter and 192.168.2.0/24 on the lan side of the hAP. The hAP has a route to 192.168.0.0/24 via 10.101.1.1 and vice versa, the edgerouter has a route to 192.168.2.0/24 via 10.101.1.2.

On the edgerouter, I CAN ping 10.101.1.2 but I CANNOT ping 192.168.2.1 or anything on the 192.168.2.x subnet. tcpdump shows icmp going out but nothing coming back.

21:54:04.298435 IP 10.101.1.1 > 192.168.2.1: ICMP echo request, id 16983, seq 1, length 64
21:54:05.297629 IP 10.101.1.1 > 192.168.2.1: ICMP echo request, id 16983, seq 2, length 64
21:54:06.297633 IP 10.101.1.1 > 192.168.2.1: ICMP echo request, id 16983, seq 3, length 64

However, on the hAP side, I CAN ping BOTH 10.101.1.1 and 192.168.0.1. tcpdump shows the icmp echos and replies.

The routing on the hAP side looks like this:

[admin@MikroTik] /ip route> pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1 ADC  10.101.1.1/32      10.101.1.2      openvpn                   0
 2 ADS  192.168.0.0/24                     10.101.1.1                1
 3 ADC  1.2.3.0/24         1.2.3.4         ether1                    0
 4 ADC  192.168.2.0/24     192.168.2.1     bridge                    0

The firewall rules are:

[admin@MikroTik] /ip firewall> export
# may/31/2016 17:47:14 by RouterOS 6.35
# software id = DTS7-0WE6
#
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1

Is this a firewall problem? Do I need a rule allowing traffic to go from lan to the vpn? It does not look like a routing problem.

OK, so I solved this too.

I needed an iroute command to get openvpn on the edgerouter to internally route to the hAP. This command went in /var/run/openvpn/ccd/vtun1/clientname where clientname was the cn in the certificate connecting to the edgerouter.
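The missing iroute is a classic site-to-site OpenVPN failure: the kernel route gets the packet onto the tun interface, but without an iroute in that client's ccd file the OpenVPN process does not know which connected client owns the subnet and drops it. The following checker is an added example, not code from the thread or from OpenVPN; it assumes the kernel route is declared with OpenVPN's own `route` directive (on an EdgeRouter it may instead be an EdgeOS static route), and the ccd filenames and subnets are constructed.

```python
"""Check that every subnet behind an OpenVPN client is declared twice:
as a kernel 'route' in the server config and as an 'iroute' in the
ccd file named after the client's certificate CN.  Missing either one
produces the symptom in the thread: echo requests leave vtun1, nothing
comes back."""
import ipaddress
import shlex

# Constructed sample inputs; the tunnel and LAN subnets match the thread.
SERVER_CONF = """
dev vtun1
server 10.101.1.0 255.255.255.0
client-config-dir /var/run/openvpn/ccd/vtun1
route 192.168.2.0 255.255.255.0
"""
# ccd filename = CN of the client certificate (hypothetical names here)
CCD_FILES = {
    "hap-lite": "iroute 192.168.2.0 255.255.255.0\n",
    "branch2":  "iroute 192.168.3.0 255.255.255.0\n",  # no matching 'route'
}


def _networks(text, directive):
    """Return the subnets declared by '<directive> <network> <netmask>' lines."""
    nets = []
    for line in text.splitlines():
        parts = shlex.split(line.split("#", 1)[0])
        if len(parts) >= 3 and parts[0] == directive:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets


def check_iroutes(server_conf, ccd_files):
    """Return a list of problem strings; an empty list means every subnet is routable."""
    problems = []
    routes = _networks(server_conf, "route")
    iroutes = {}
    for cn, text in ccd_files.items():
        for net in _networks(text, "iroute"):
            iroutes[net] = cn
            # Without a covering kernel route the packets never reach OpenVPN.
            if not any(net.subnet_of(r) for r in routes):
                problems.append(f"{cn}: iroute {net} has no covering 'route' in server config")
    for r in routes:
        # Kernel route but no iroute: OpenVPN gets the packet, cannot pick a
        # client, and drops it (the failure described in the thread).
        if not any(n.subnet_of(r) for n in iroutes):
            problems.append(f"route {r} has no iroute in any ccd file")
    return problems


if __name__ == "__main__":
    for problem in check_iroutes(SERVER_CONF, CCD_FILES):
        print(problem)
```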