OpenVPN cannot access LAN

Hello dear MikroTik Users!

I’m an IT-guy in training and I borrowed the old MikroTik my company doesn’t use anymore, so I could learn how RouterOS works in my free time.
Obviously, this is the sole reason I borrowed the MikroTik.
It’s not because I’m totally excited for having a new toy to play with.

To the problem at hand:
In my company we run OpenVPN on MikroTik, handing out an address range which is a forbidden subset of our company's Domain Controller DHCP server.
Company DHCP: 172.16.14.UU - 172.16.14.VV /24 (DC DHCP, does not hand out OpenVPN Server addresses)
OpenVPN DHCP: 172.16.14.XX - 172.16.14.YY /24 (MikroTik DHCP)
The company also does not route everything through the VPN, only 172.16.14.0/24 and some specific public IPs.
This is done via the OpenVPN configuration file we hand out.

I’ve been fiddling with OpenVPN on MikroTik at home, but I cannot get it to work like this.

You can look at my home network in the screenshot I uploaded.

What works:

  • I can connect to OpenVPN
  • I can ping MikroTik through VPN (+ WebFig works too)
  • I get an IP address in OpenVPN-Pool (192.168.10.90 - .99)

What does not work:

  • I cannot reach anything through VPN except MikroTik

What I did (from the beginning):

  • Reset company MikroTik configuration with “No default configuration” checked (I guess I did not fully grasp the consequences of doing that)
  • Reinstalled RouterOS stable with netinstall

MikroTik configuration:

/interface bridge
add name="LAN Bridge"
/interface ethernet
set [ find default-name=ether1 ] name="WAN (ether1)"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="DHCP Pool for assigning on LAN network" name=lan_pool ranges=\
    192.168.10.100-192.168.10.199
add comment="OpenVPN DHCP Pool" name=ovpn_pool ranges=\
    192.168.10.90-192.168.10.99
/ip dhcp-server
add address-pool=lan_pool disabled=no interface="LAN Bridge" lease-script=\
    "LAN Bridge DHCP Server" name=dhcpsrv
/ppp profile
add comment="OpenVPN Profile" dns-server=192.168.10.1 local-address=\
    192.168.10.1 name=ovpn remote-address=ovpn_pool use-compression=yes \
    use-encryption=yes
/interface bridge port
add bridge="LAN Bridge" interface=ether2
add bridge="LAN Bridge" interface=ether3
add bridge="LAN Bridge" interface=ether4
add bridge="LAN Bridge" interface=ether5
/interface ovpn-server server
set certificate=MikroTik.crt_0 cipher=blowfish128 default-profile=ovpn \
    enabled=yes
/ip address
add address=192.168.10.1/24 comment="LAN IP" interface="LAN Bridge" network=\
    192.168.10.0
/ip dhcp-client
add disabled=no interface="WAN (ether1)"
/ip dhcp-server lease
add address=192.168.10.2 client-id=1:RPI3:MAC:ADD:RESS comment=\
    "Raspberry Pi 3B+ static lease" mac-address=RPI3:MAC:ADD:RESS server=\
    dhcpsrv
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.10.1
/ip firewall filter
add action=accept chain=input comment="Accept all from LAN" in-interface=\
    "LAN Bridge"
add action=accept chain=input comment="accept OpenVPN" dst-port=1194 \
    in-interface="WAN (ether1)" protocol=tcp
add action=accept chain=forward in-interface=all-ppp out-interface=\
    all-ethernet
add action=drop chain=input comment="drop all from WAN" in-interface=\
    "WAN (ether1)"
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Change SRC IP from LAN Packets to Router Public IP (masquerade)" \
    out-interface="WAN (ether1)"
/ppp secret
add name=NAME password=PASSWORD profile=ovpn service=ovpn
/system clock
set time-zone-name=TIMEZONE

OpenVPN configuration file:

client
dev tun
proto tcp
remote SOME-DDNS-ADDRESS 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca SOME-EASYRSA-CERT.crt
verb 3
auth-user-pass

I tried adding

route 192.168.10.0 255.255.255.0

but that did not help.

While searching around the internet I encountered threads like this one: http://forum.mikrotik.com/t/no-access-to-lan-over-openvpn-can-only-ping-router/119291/1 where the solved answer is “enable the masquerade rule”.
My masquerade rule seems to be the same except for

ipsec-policy=out,none

which I tried and did not seem to help.
Do I need a different one or is mine just straight up wrong?

If you need any more information, just ask.
I hope I removed all the sensitive stuff from my configuration.

I hope someone of you can help me look in the right direction for solving this issue.

So, I deleted all the config and started everything from scratch.
It is now working and I think I know where the problem was located.

Non-working config:

add action=accept chain=forward in-interface=all-ppp out-interface=all-ethernet

Working config:

add action=accept chain=input in-interface=all-ppp

It seems like I accidentally used the wrong chain (forward instead of input).

[EDIT]
I had to do this setup (OpenVPN on MikroTik with DHCP Pool = internal LAN IP Pool) today for a company and I got totally stuck again.
After hours of testing and following the live log, I had to add proxy arp to the LAN Bridge, so I could reach other machines through the VPN.
Without this, I could only reach the MikroTik Firewall through VPN.

The local LAN Machines CANNOT ping the VPN-Guest, but that wasn’t necessary in this case, as this is nothing more than a remote connection to RDP to some machines (which now works).
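The following RouterOS fragment is an added example, not configuration from the post above or from MikroTik. It pulls together the two findings of the thread (the input-chain rule for reaching the router itself, and proxy ARP on the bridge for reaching LAN hosts) and scopes the forward rules more tightly than the original all-ethernet rule. It reuses the names from the post ("LAN Bridge", "WAN (ether1)", ovpn_pool, 192.168.10.0/24) and assumes VPN clients should reach only the LAN; a setup that also routes specific public IPs through the tunnel would need the forward rules extended accordingly.

```routeros
# Added example (not from the original post): proxy ARP plus firewall rules for an
# OpenVPN address pool carved out of the LAN subnet.

# 1. The VPN pool (192.168.10.90-.99) lies inside the LAN /24, so LAN hosts ARP
#    for a VPN client's address on the bridge instead of sending replies to the
#    router. With proxy-arp the router answers those ARP requests with its own
#    MAC and then routes the packets over the ppp/ovpn interface.
/interface bridge
set "LAN Bridge" arp=proxy-arp

/ip firewall filter
# 2. Traffic from VPN clients *to the router itself* (ping, WebFig) is the
#    input chain.
add chain=input in-interface=all-ppp action=accept \
    comment="VPN clients to router"

# 3. Traffic from VPN clients *through the router* to LAN hosts is the forward
#    chain. Limiting out-interface to the LAN bridge (rather than all-ethernet)
#    keeps this rule from also accepting VPN traffic headed out "WAN (ether1)".
add chain=forward in-interface=all-ppp out-interface="LAN Bridge" \
    action=accept comment="VPN clients to LAN"
add chain=forward in-interface="LAN Bridge" out-interface=all-ppp \
    connection-state=established,related action=accept \
    comment="LAN replies to VPN clients"
add chain=forward in-interface=all-ppp action=drop \
    comment="drop anything else arriving from VPN clients"

# 4. Use AES instead of Blowfish for the tunnel cipher (assumes the OpenVPN
#    clients support it; the post's export used cipher=blowfish128).
/interface ovpn-server server
set cipher=aes256
```

Ordering matters: the two accept rules must precede the drop rule, and the established/related rule only lets LAN hosts answer connections that a VPN client opened, which matches the behaviour described above where LAN machines cannot initiate traffic toward a VPN guest. To confirm proxy ARP is doing its job, watch `/ip arp print` on the router and the ARP table on a LAN host while a VPN client pings it: the LAN host should resolve the VPN client's address to the router's bridge MAC.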