Openvpn between two Mikrotiks in tap mode

Antho · February 10, 2016, 2:56pm

Hello,

I’m a little bit stuck by setting up an openvpn client/server with Mikrotik in tap mode (it works with tun mode).

This is the server configuration:

/ip pool
add name=default-dhcp ranges=10.1.0.10-10.1.0.100
add name=ovpn-pool ranges=172.17.0.10-172.17.0.100

/ppp profile
add bridge=bridge-local local-address=172.17.0.1 name=ovpn remote-address=ovpn-pool

/ppp secret
add name=client1 password=123 profile=ovpn

/interface ovpn-server server
set certificate=cert_1 enabled=yes mode=ethernet

This is my routing table on the server:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.71.0.254               1
 1 ADC  10.1.0.0/24        10.1.0.254      bridge-local              0
 2 A S  10.2.0.0/24                        <ovpn-client1>            1
 3 ADC  10.71.0.0/24       10.71.0.8       ether1-gateway            0
 4 ADC  172.17.0.100/32    172.17.0.1      bridge-local              0

This is the client configuration:

/interface ovpn-client
add add-default-route=no auth=sha1 certificate=none cipher=blowfish128 connect-to=10.71.0.8 disabled=no mac-address=FE:42:0B:4E:38:E8 max-mtu=1500 mode=ethernet name=ovpn-client1 password=123 port=1194 \
    profile=default user=client1

This is my routing table on the client:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.71.0.254               1
 1 A S  10.1.0.0/24                        ovpn-client1              1
 2 ADC  10.2.0.0/24        10.2.0.254      bridge-local              0
 3 ADC  10.71.0.0/24       10.71.0.7       ether1-gateway            0
 4 ADC  172.17.0.0/24      172.17.0.100    ovpn-client1              0

I try to ping from a PC (10.2.0.100) connected to the VPN client Mikrotik a PC (10.1.0.100) connected to the VPN server Mikrotik but it doesn’t works. I can see ICMP replies on the PC connected to the VPN server Mikrotik.
I can ping the PC connected to the VPN server Mikrotik from the VPN client Mikrotik.
I can’t ping the PC connected to the VPN client Mikrotik from the VPN server Mikrotik.

Somebody see where I’m wrong please ?

Thanks.