OpenVPN Bridge Setup

Hi Everyone,

I’m trying to set up an OpenVPN bridge mode server on RouterOS 6.15, but I’m not having any luck. The issue seems to be that the OpenVPN server is only listening on the LAN side. I.e., if my public IP is 1.2.3.4 and my LAN is set to 192.168.1.1/24, I can telnet to the OpenVPN port (1194) at 192.168.1.1 but not at 1.2.3.4. Do I need to add some sort of port forwarding rule to make the router listen to the VPN externally? That seems really stupid if so… Why would I want to listen for VPN connections on my internal network?

The documentation I used to set things up was http://wiki.mikrotik.com/wiki/OpenVPN#RouterOS_2. It doesn’t really offer a good explanation as to how you specify the external interface, which I think is what is causing my problem.

For anyone else that comes across this problem, I found a solution which does not seem to be documented anywhere. The problem is that the firewall blocks all access on the WAN port by default, and when you enable a service it doesn’t automatically open up the access. To do so you have to enter the firewall filter menu and add the accept rule in BEFORE the “drop everything” rule. Use print to find the rule number:

/ip firewall filter
print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; default configuration
     chain=input action=accept protocol=icmp 
 1   ;;; default configuration
     chain=input action=accept connection-state=established 
 2   ;;; default configuration
     chain=input action=accept connection-state=related 
 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway       <-- It's this one, so number 3
...

And then add in the rule for whatever service you want. So if you want OpenVPN it’s TCP port 1194. If you want PPTP it’s 1723, ssh would be 22…

add action=accept chain=input disabled=no port=1194 protocol=tcp comment="Remote OpenVPN access" place-before=3
add action=accept chain=input disabled=no port=1723 protocol=tcp comment="Remote PPTP access" place-before=3
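The same fix as a RouterOS script that looks up the default WAN drop rule instead of hard-coding its number, and scopes the accept rule to the WAN interface and destination port only. This is an added example, not part of the original post; it assumes the default-configuration interface name "ether1-gateway" shown in the print output above.

```routeros
# Added example (not from the original post): insert the OpenVPN accept rule
# directly before the default WAN drop rule without hard-coding its number.
# Assumes the default config's WAN interface is named "ether1-gateway" and the
# drop rule looks like the one in the print output; adjust $wan if yours differs.
/ip firewall filter
:local wan "ether1-gateway"
:local dropRule [find where chain=input && action=drop && in-interface=$wan]
:if ([:len $dropRule] = 0) do={
    :error "WAN drop rule not found; check the interface name"
}
# Match only the WAN interface and the destination port, so the rule does not
# also open 1194 towards the LAN or match traffic whose *source* port is 1194.
add chain=input action=accept protocol=tcp dst-port=1194 in-interface=$wan \
    comment="Remote OpenVPN access" place-before=$dropRule
# Verify the ordering: the accept rule must print above the drop rule.
print where chain=input
```

If the accept rule ends up below the drop rule, the VPN port will still appear closed from outside, so check the print output after adding it.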