openVPN can't access client subnet

Dear Community!

I have an openVPN server configured on a RB4011 router. Everything works perfectly, except one thing:
I want to access the subnet behind one of the clients, but I can’t get it to work.

The VPN subnet is 10.0.98.0/24
The client subnet is 192.168.1.0/24

I have added a static route to 192.168.1.0/24 and I can access the openVPN client through its subnet address (192.168.1.2).
However I can’t access anything else in this subnet. I can’t even ping it.

The RB4011 config:

# aug/24/2020 23:09:34 by RouterOS 6.47.1
# software id = CK9Q-MRSJ
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D1460B1C119B
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=channel_2ghz
add band=5ghz-a/n/ac name=channel_5ghz
/caps-man datapath
add local-forwarding=yes name=datapath1
/interface bridge
add comment="VLAN filtered Bridge" name=bridge_vlan protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=Pi-hole
set [ find default-name=ether3 ] comment=NAS
set [ find default-name=ether4 ] comment="TP-Link Switch"
set [ find default-name=ether5 ] comment=openHABian
set [ find default-name=ether10 ] comment="Management VLAN interface" poe-out=off
/interface ovpn-server
add name=ovpn_agard user=agard
add name=ovpn_bandi user=bandi
add name=ovpn_kristof user=kristof
/interface vlan
add interface=bridge_vlan name=vlan_guest vlan-id=20
add interface=bridge_vlan name=vlan_iot vlan-id=30
add interface=bridge_vlan name=vlan_management vlan-id=99
add interface=bridge_vlan name=vlan_private vlan-id=10
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_iot
/caps-man configuration
add channel=channel_2ghz country=hungary datapath=datapath1 hide-ssid=yes installation=any mode=ap name=config_iot_2ghz security=security_iot ssid=atlas-IoT
add channel=channel_5ghz country=hungary datapath=datapath1 hide-ssid=yes installation=any mode=ap name=config_iot_5ghz security=security_iot ssid=atlas-IoT
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment="ISP only" name=WAN
add comment="Contains all VLANs" name=VLAN
add comment="Access to all VLANs" name=PRIVATE
add comment="Needed for inside PATs" name=PRIVATE+WAN
add comment="VLAN Bridge" name=BRIDGE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk comment="Guest Profile" eap-methods="" group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=dynamic-keys name=profile_private supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h management-protection=allowed mode=dynamic-keys name=profile_iot supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee comment="Private Wi-Fi 5GHz" country=no_country_set disabled=no frequency=5500 frequency-mode=superchannel mode=ap-bridge name=wlan_atlas security-profile=\
    profile_private ssid=atlas station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:B9 master-interface=wlan_atlas multicast-buffering=disabled name=wlan_atlas_guest ssid=atlas-Guest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BB master-interface=wlan_atlas multicast-buffering=disabled name=wlan_atlas_iot security-profile=profile_iot ssid=atlas-IoT station-roaming=enabled wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] band=2ghz-g/n comment="Private Wi-Fi 2.4GHz" country=hungary disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan_fujijama security-profile=profile_private ssid=fujijama station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:E9:0F:BA master-interface=wlan_fujijama multicast-buffering=disabled name=wlan_fujijama_guest ssid=atlas-Guest station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:BB:5A:E3 master-interface=wlan_fujijama multicast-buffering=disabled name=wlan_fujijama_iot security-profile=profile_iot ssid=atlas-IoT station-roaming=enabled wds-cost-range=0 \
    wds-default-cost=0 wds-mode=dynamic wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan_atlas comment="Private Wi-Fi 5GHz"
set wlan_fujijama comment="Private Wi-Fi 2.4GHz"
/interface wireless nstreme
set wlan_atlas comment="Private Wi-Fi 5GHz"
set wlan_fujijama comment="Private Wi-Fi 2.4GHz"
/ip hotspot profile
add hotspot-address=10.0.2.2 name=hsprof1
/ip kid-control
add name="Children control"
/ip pool
add name=dhcp_pool_private ranges=10.0.0.50-10.0.0.254
add name=dhcp_pool_guest ranges=10.0.2.3-10.0.2.254
add name=dhcp_pool_management ranges=10.0.99.3-10.0.99.254
add name=dhcp_pool_iot ranges=10.0.1.3-10.0.1.254
add name=dhcp_pool_ovpn ranges=10.0.98.10-10.0.98.254
/ip dhcp-server
add address-pool=dhcp_pool_private disabled=no interface=vlan_private lease-time=1d name=dhcp_private
add address-pool=dhcp_pool_guest disabled=no interface=vlan_guest lease-time=1h name=dhcp_guest
add address-pool=dhcp_pool_iot disabled=no interface=vlan_iot lease-time=1d name=dhcp_iot
add address-pool=dhcp_pool_management disabled=no interface=vlan_management lease-time=1h name=dhcp_management
# PPP profile used by every OpenVPN user in this export (and named as the L2TP default profile).
# remote-address hands clients an address from dhcp_pool_ovpn (10.0.98.10-10.0.98.254).
# interface-list=PRIVATE places each VPN interface in the PRIVATE list, which the firewall
# filter rules give full access to the router (input chain) and to every VLAN and routed
# subnet (forward chain). A remote site connecting with this profile is therefore trusted
# like vlan_private / vlan_management.
/ppp profile
add dns-server=10.0.0.3 interface-list=PRIVATE local-address=10.0.98.2 name=ppp_private remote-address=dhcp_pool_ovpn use-encryption=yes
/queue simple
add max-limit=2M/60M name="Limit Guest VLAN" target=vlan_guest
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=config_iot_2ghz
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=config_iot_5ghz
/interface bridge port
add bridge=bridge_vlan interface=ether2 pvid=30
add bridge=bridge_vlan interface=sfp-sfpplus1
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=30
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=30
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan_atlas pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan_fujijama pvid=10
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan_fujijama_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan_atlas_guest pvid=20
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=99
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan_atlas_iot pvid=30
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan_fujijama_iot pvid=30
/ip neighbor discovery-settings
set discover-interface-list=VLAN
/interface bridge vlan
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=ether3,ether6,ether7,ether8,wlan_atlas,wlan_fujijama,ether9 vlan-ids=10
add bridge=bridge_vlan tagged=bridge_vlan,ether2 untagged=wlan_fujijama_guest,wlan_atlas_guest vlan-ids=20
add bridge=bridge_vlan tagged=bridge_vlan untagged=ether10 vlan-ids=99
add bridge=bridge_vlan tagged=bridge_vlan untagged=wlan_fujijama_iot,wlan_atlas_iot,ether2,ether5,ether4 vlan-ids=30
/interface detect-internet
set detect-interface-list=WAN lan-interface-list=VLAN wan-interface-list=WAN
# No enabled=yes appears here, so the L2TP server looks switched off in this export
# (TODO confirm on the router). If it is ever enabled: this line permits MS-CHAPv1,
# shows no use-ipsec setting, and puts clients on ppp_private (i.e. the PRIVATE list).
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ppp_private
/interface list member
add interface=ether1 list=WAN
add interface=vlan_management list=VLAN
add interface=vlan_private list=VLAN
add interface=vlan_guest list=VLAN
add interface=vlan_management list=PRIVATE
add interface=vlan_private list=PRIVATE
add interface=ether1 list=PRIVATE+WAN
add interface=vlan_private list=PRIVATE+WAN
add interface=vlan_management list=PRIVATE+WAN
add interface=vlan_iot list=VLAN
add interface=bridge_vlan list=BRIDGE
# OpenVPN server. require-client-certificate=yes means a client must present a
# certificate on top of its /ppp secret login.
# netmask=16 is the mask given to clients: it is why tun0 on the client shows
# 255.255.0.0 and why the client has a 10.0.0.0/16 route via tun0, which covers
# every 10.0.x.0/24 VLAN defined in this export.
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes netmask=16 require-client-certificate=yes
/interface wireless access-list
add comment=COMP1 interface=wlan_atlas mac-address=08:62:66:BC:8C:BF
add comment="Kristof iPhone" interface=wlan_atlas mac-address=40:9C:28:6C:0B:F4
add comment="Kristof iPad" interface=wlan_atlas mac-address=F4:5C:89:5D:9C:1C
add comment=SurfacePro interface=wlan_atlas mac-address=98:5F:D3:5E:A0:75 vlan-mode=no-tag
/interface wireless cap
set certificate=request
/ip address
add address=10.0.99.2/24 interface=vlan_management network=10.0.99.0
add address=10.0.0.2/24 interface=vlan_private network=10.0.0.0
add address=10.0.2.2/24 interface=vlan_guest network=10.0.2.0
add address=10.0.1.2/24 interface=vlan_iot network=10.0.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.0.3 comment="Private Pi-hole" mac-address=B8:27:EB:06:5F:0F server=dhcp_private
add address=10.0.2.3 client-id=ff:eb:6:5f:f:0:1:0:1:26:51:64:a7:b8:27:eb:6:5f:f comment="Guest Pi-hole" mac-address=B8:27:EB:06:5F:0F server=dhcp_guest
add address=10.0.1.3 comment="IoT Pi-hole" mac-address=B8:27:EB:06:5F:0F server=dhcp_iot
add address=10.0.0.10 client-id=1:8:62:66:bc:8c:bf comment="Kristof COMP1" mac-address=08:62:66:BC:8C:BF server=dhcp_private
add address=10.0.1.130 comment="Kristof Floor Lamp" mac-address=EC:FA:BC:12:83:9F server=dhcp_iot
add address=10.0.1.131 comment="Kristof Sign Lamp" mac-address=C8:2B:96:10:AF:4F server=dhcp_iot
add address=10.0.1.120 comment="Living Room LED Bottom" mac-address=DC:4F:22:C0:75:0A server=dhcp_iot
add address=10.0.1.110 comment="Kitchen LED Bottom" mac-address=DC:4F:22:C0:74:57 server=dhcp_iot
add address=10.0.1.112 comment="Kitchen Lights" mac-address=EC:FA:BC:14:83:26 server=dhcp_iot
add address=10.0.1.121 comment="Aquarium Lights" mac-address=EC:FA:BC:86:CD:DD server=dhcp_iot
add address=10.0.1.100 comment="Bathroom Lamp" mac-address=B4:E6:2D:4A:5A:A4 server=dhcp_iot
add address=10.0.1.122 comment="Living Room Floor Lamp" mac-address=CC:50:E3:F3:AA:23 server=dhcp_iot
add address=10.0.1.180 comment="Terrace Lamp" mac-address=98:F4:AB:B9:24:21 server=dhcp_iot
add address=10.0.1.101 comment="Bathroom Mirror Light" mac-address=C8:2B:96:11:4F:B4 server=dhcp_iot
add address=10.0.1.123 comment="Ceiling Lights" mac-address=C8:2B:96:10:AB:53 server=dhcp_iot
add address=10.0.1.102 comment="Washing Machine" mac-address=98:F4:AB:B8:6D:01 server=dhcp_iot
add address=10.0.1.113 comment=Dishwasher mac-address=98:F4:AB:B8:64:0F server=dhcp_iot
add address=10.0.1.114 comment="Kitchen Plate Lights" mac-address=98:F4:AB:F3:43:E2 server=dhcp_iot
add address=10.0.1.111 comment="Kitchen LED Top" mac-address=DC:4F:22:C0:73:5B server=dhcp_iot
add address=10.0.1.124 comment="Living Room Shelf LED" mac-address=DC:4F:22:C0:7A:BB server=dhcp_iot
add address=10.0.1.10 comment="Xiaomi Robot Vacuum" mac-address=78:11:DC:EB:54:08 server=dhcp_iot
add address=10.0.1.5 client-id=1:b8:27:eb:79:c6:f9 comment=MagicMirror mac-address=B8:27:EB:79:C6:F9 server=dhcp_iot
add address=10.0.1.140 comment="R\E9ka Sony TV" mac-address=18:4F:32:AC:B0:A2 server=dhcp_iot
add address=10.0.1.125 comment="Living Room TV" mac-address=08:9E:08:C0:BA:67 server=dhcp_iot
add address=10.0.1.126 comment="Living Room Speaker" mac-address=E4:F0:42:20:42:53 server=dhcp_iot
add address=10.0.1.132 comment="Kristof Shelf Lamp" mac-address=D8:F1:5B:B0:4B:76 server=dhcp_iot
add address=10.0.1.11 client-id=1:50:13:95:bf:f7:dc comment="Living Room Camera" mac-address=50:13:95:BF:F7:DC server=dhcp_iot
add address=10.0.1.12 comment="Xiaomi Air Purifier" mac-address=34:CE:00:FB:DB:F3 server=dhcp_iot
add address=10.0.1.127 comment=Awair mac-address=70:88:6B:10:1E:8C server=dhcp_iot
add address=10.0.1.6 client-id=1:12:42:e7:8f:9d:54 comment="Printer Server" mac-address=12:42:E7:8F:9D:54 server=dhcp_iot
add address=10.0.1.13 comment="Paradox Alarm Interface" mac-address=00:19:BA:0D:D5:53 server=dhcp_iot
add address=10.0.1.141 comment="Reka Desk Lamp" mac-address=40:31:3C:D0:D9:30 server=dhcp_iot
add address=10.0.1.128 client-id=1:0:4:20:f0:af:64 comment="Living Room Harmony Hub" mac-address=00:04:20:F0:AF:64 server=dhcp_iot
add address=10.0.1.142 comment="R\E9ka Main Lamp" mac-address=E0:98:06:95:B1:B2 server=dhcp_iot
add address=10.0.1.133 comment="Kristof Desk Lamp" mac-address=78:11:DC:55:9E:00 server=dhcp_iot
add address=10.0.1.150 comment="Bedside Lamp Left" mac-address=04:CF:8C:15:BD:5E server=dhcp_iot
add address=10.0.1.151 comment="Bedside Lamp Right" mac-address=04:CF:8C:25:61:92 server=dhcp_iot
add address=10.0.1.4 client-id=1:dc:a6:32:d:4b:73 comment=openHABian mac-address=DC:A6:32:0D:4B:73 server=dhcp_iot
add address=10.0.1.103 client-id=1:0:5:cd:fa:59:be comment="Bathroom HEOS Speaker" mac-address=00:05:CD:FA:59:BE server=dhcp_iot
add address=10.0.1.8 client-id=1:90:e:b3:6:6e:a7 comment=OSMC mac-address=90:0E:B3:06:6E:A7 server=dhcp_iot
add address=10.0.1.14 client-id=1:0:d9:d1:ba:9f:1e comment=PlayStation mac-address=00:D9:D1:BA:9F:1E server=dhcp_iot
add address=10.0.1.15 client-id=1:44:f0:34:88:88:7c comment="Kaon DVR" mac-address=44:F0:34:88:88:7C server=dhcp_iot
add address=10.0.1.16 client-id=1:0:5:cd:9d:14:ac comment="Denon AVR-X3400H" mac-address=00:05:CD:9D:14:AC server=dhcp_iot
add address=10.0.1.134 comment="Kristof Main Lamp" mac-address=E0:98:06:95:B0:84 server=dhcp_iot
add address=10.0.1.7 client-id=1:d4:ca:6d:68:7f:ab comment="Mikrotik IoT Access Point" mac-address=D4:CA:6D:68:7F:AB server=dhcp_iot
add address=10.0.1.17 comment="Sensibo Sky" mac-address=34:15:13:FA:A1:1D server=dhcp_iot
add address=10.0.1.104 comment="Withings Scale" mac-address=00:24:E4:47:FE:7E server=dhcp_iot
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.3 gateway=10.0.0.2
add address=10.0.1.0/24 dns-server=10.0.1.3 gateway=10.0.1.2
add address=10.0.2.0/24 dns-server=10.0.2.3 gateway=10.0.2.2
add address=10.0.99.0/24 dns-server=8.8.8.8 gateway=10.0.99.2
/ip dns
set allow-remote-requests=yes servers=10.0.0.3
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.0.1.16 list=Stream
add address=10.0.1.103 list=Stream
add address=10.0.1.125 list=Stream
add address=10.0.1.126 list=Stream
add address=10.0.1.4 list=NAS
add address=10.0.1.8 list=NAS
add address=10.0.1.5 list=NAS
# Rules are evaluated top to bottom; the input and forward chains each end in a catch-all drop.
/ip firewall filter
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
# No in-interface or source restriction: tcp/1194 is reachable from the WAN too.
# Access control for it rests on require-client-certificate=yes plus the PPP logins.
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
# PRIVATE = vlan_management, vlan_private and (through the ppp_private profile) the VPN interfaces.
add action=accept chain=input comment="Allow vlan_private Full Access" in-interface-list=PRIVATE
# NOTE(review): the next two rules name no protocol or port, so the Stream devices and
# openHAB (all on IoT-VLAN addresses) can reach every service on the router, not only
# the one they need. Narrowing them to the required protocol/port keeps the IoT VLAN contained.
add action=accept chain=input comment="Streaming devices access network" src-address-list=Stream
add action=accept chain=input comment="Allow openHAB to access router graphing" dst-address=10.0.1.2 src-address=10.0.1.4
add action=accept chain=input comment="Accept CAPsMAN traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
add action=accept chain=input comment="Multicast IGMP" in-interface-list=VLAN protocol=igmp
# connection-state="" appears to set no state condition, so this drops everything not accepted above.
add action=drop chain=input comment=Drop connection-state=""
# Accepts new connections that matched a dst-nat rule. Together with the dst-nat rules
# on the PRIVATE+WAN list, this is what opens the forwarded ports to the Internet.
add action=accept chain=forward comment="Accept port forwards" connection-nat-state=dstnat connection-state=new
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=accept chain=forward comment="Allow openHAB to access COMP1" dst-address=10.0.0.10 src-address=10.0.1.4
# NOTE(review): both Stream rules match on address only. Any VLAN (guest included) may
# open connections to the Stream devices, and the Stream devices may open connections
# to any VLAN or routed subnet. That is a wide exception to the VLAN separation.
add action=accept chain=forward comment="Allow Streaming on VLANs" dst-address-list=Stream
add action=accept chain=forward comment="Allow Streaming on VLANs" src-address-list=Stream
add action=accept chain=forward comment="Allow NAS Access" dst-address=10.0.0.252 src-address-list=NAS
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
# Permits new connections from PRIVATE interfaces to any destination. This is why
# 10.0.0.10 may be forwarded into the tunnel towards 192.168.1.0/24, and also why
# hosts arriving over a VPN interface may reach every VLAN.
add action=accept chain=forward comment="Forward queries from openVPN" in-interface-list=PRIVATE
add action=drop chain=forward comment=Drop connection-state=""
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Hairpin NAT: 10.0.0.0/24 hosts reaching 10.0.0.0/24 servers through the dst-nat rules below.
add action=masquerade chain=srcnat comment="Allow internal access to servers using router's external IP addresses" dst-address=10.0.0.0/24 src-address=10.0.0.0/24
# Outbound NAT for 10.0.0.0/16 leaving through the WAN list only. Traffic routed into the
# OpenVPN tunnel is not source-NATed here, so hosts in 192.168.1.0/24 see the original
# 10.0.x.x source address and need a route back to it (or NAT on the VPN client).
add action=masquerade chain=srcnat comment=masquerade dst-address=!10.0.0.0/16 ipsec-policy=out,none out-interface-list=WAN src-address=10.0.0.0/16
# NOTE(review): PRIVATE+WAN contains ether1 (WAN), so every enabled rule below is also
# reachable from the Internet, including SSH (18022 -> 22) and the Transmission web UI
# on 10.0.0.252. If these are only for the owner's use, limiting them to PRIVATE and
# coming in over the VPN removes that exposure.
add action=dst-nat chain=dstnat comment=NAS dst-port=18022 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=22
add action=dst-nat chain=dstnat comment="Transmission Web Interface" dst-port=19091 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=9091
add action=dst-nat chain=dstnat comment=Transmission dst-port=49850 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=49850
add action=dst-nat chain=dstnat comment=HTTPS dst-port=61443 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=443
add action=dst-nat chain=dstnat comment=Lighttpd dst-port=61081 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=8080
add action=dst-nat chain=dstnat comment="OH  link" dst-port=61082 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.0.252 to-ports=8081
add action=dst-nat chain=dstnat comment="Let's Encrypt cert auth" disabled=yes dst-port=80 in-interface-list=PRIVATE+WAN protocol=tcp to-addresses=10.0.1.4 to-ports=18484
/ip hotspot user
add name=admin
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Sends traffic for the remote LAN into agard's tunnel interface. This covers the
# forward direction only: hosts in 192.168.1.0/24 other than the VPN client itself
# (192.168.1.2) still need a way to send replies to 10.0.0.0/16, either a route on
# their gateway pointing at 192.168.1.2 or source NAT on the VPN client.
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=ovpn_agard
# SMB server on the router itself, offered on vlan_private, with a writable
# (read-only=no) user named admin. No password field appears in this export.
/ip smb
set comment=RB4011 domain=WORKGROUP enabled=yes interfaces=vlan_private
/ip smb shares
add directory=/hotspot name=hotspot
/ip smb users
add name=admin read-only=no
# NOTE(review): always-allow-password-login=yes keeps SSH password login available
# even for users that have an SSH key installed.
/ip ssh
set always-allow-password-login=yes
# UPnP lets devices on the listed internal interfaces ask the router for port mappings.
# The guest and IoT VLANs are included; no type=external interface appears in this
# export. TODO confirm whether UPnP is actually needed on those two VLANs.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=vlan_private type=internal
add interface=vlan_guest type=internal
add interface=vlan_iot type=internal
# One PPP login per OpenVPN user, all on the ppp_private profile and limited to
# service=ovpn. No password fields appear in this export.
# agard is pinned to tunnel address 10.0.98.3, the address tun0 shows on the client;
# the other two users take an address from the profile's pool.
/ppp secret
add name=kristof profile=ppp_private service=ovpn
add name=bandi profile=ppp_private service=ovpn
add name=agard profile=ppp_private remote-address=10.0.98.3 service=ovpn
/routing igmp-proxy interface
add interface=vlan_iot upstream=yes
add interface=vlan_private
add interface=vlan_guest
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=RB4011
/system leds
set 0 interface=vlan_private
add interface=wlan_fujijama leds=wlan_fujijama_signal1-led,wlan_fujijama_signal2-led,wlan_fujijama_signal3-led,wlan_fujijama_signal4-led,wlan_fujijama_signal5-led type=wireless-signal-strength
add interface=wlan_fujijama leds=wlan_fujijama_tx-led type=interface-transmit
add interface=wlan_fujijama leds=wlan_fujijama_rx-led type=interface-receive
/system logging
add topics=ovpn,debug
/system ntp client
set enabled=yes server-dns-names=0.hu.pool.ntp.org,1.hu.pool.ntp.org,2.hu.pool.ntp.org,3.hu.pool.ntp.org
/tool e-mail
set address=smtp.gmail.com from="\"Mikrotik Router\" <radokristof12@gmail.com>" port=587 start-tls=yes user=radokristof12@gmail.com
/tool graphing interface
add allow-address=10.0.0.0/16
/tool graphing queue
add allow-address=10.0.0.0/16
/tool graphing resource
add allow-address=10.0.0.0/16
add allow-address=10.0.99.0/24
/tool mac-server
set allowed-interface-list=PRIVATE
/tool mac-server mac-winbox
set allowed-interface-list=PRIVATE

The interfaces of the connected client:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
        ether b8:27:eb:11:f7:76  txqueuelen 1000  (Ethernet)
        RX packets 1481958  bytes 486175723 (463.6 MiB)
        RX errors 4  dropped 0  overruns 0  frame 0
        TX packets 1316313  bytes 283029298 (269.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2187318  bytes 265621438 (253.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2187318  bytes 265621438 (253.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.0.98.3  netmask 255.255.0.0  destination 10.0.98.3
        inet6 fe80::5dd1:abd6:6d2b:f905  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 16644  bytes 1521895 (1.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21537  bytes 17747485 (16.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

One strange thing I have found is that when I try to ping the client, in tcpdump I can see that it receives the icmp packets and replies to it:

14:13:04.403755  In ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.2: ICMP echo request, id 1, seq 1, length 40
14:13:04.403861 Out ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 10.0.0.10: ICMP echo reply, id 1, seq 1, length 40
14:13:05.356589  In ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.2: ICMP echo request, id 1, seq 2, length 40
14:13:05.356683 Out ethertype IPv4 (0x0800), length 76: 192.168.1.2 > 10.0.0.10: ICMP echo reply, id 1, seq 2, length 40

However pinging another device:

14:13:51.550987  In ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.1: ICMP echo request, id 1, seq 4, length 40
14:13:51.551040 Out b8:27:eb:11:f7:76 ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.1: ICMP echo request, id 1, seq 4, length 40
14:13:56.080196  In ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.1: ICMP echo request, id 1, seq 5, length 40
14:13:56.080244 Out b8:27:eb:11:f7:76 ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.1: ICMP echo request, id 1, seq 5, length 40
14:14:01.150836  In ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.1: ICMP echo request, id 1, seq 6, length 40
14:14:01.150875 Out b8:27:eb:11:f7:76 ethertype IPv4 (0x0800), length 76: 10.0.0.10 > 192.168.1.1: ICMP echo request, id 1, seq 6, length 40

Only the requests can be seen and no answer. The interesting thing here is that the src/dst is not even swapped in the In/Out messages as I would assume from the previous ping.
Of course, I can ping 192.168.1.1 locally.

IP forwarding is enabled in Linux. I have tried everything I could find on the internet, but I can’t get this to work…

Hope someone can spot where my config is wrong.

Thanks in advance!

Is there a route back from the client subnet to your subnet? There has to be one. Without it, a device in the client subnet sends its reply to its default gateway instead of back through the VPN client.

Yes there is! If I try to ping anything from this client to my subnet, it works correctly.

However, the routes look a little suspicious; I don’t know whether they are correct or not:

0.0.0.0         192.168.1.1     0.0.0.0         UG    202    0        0 eth0
10.0.0.0        0.0.0.0         255.255.0.0     U     0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     202    0        0 eth0

The 10.0.0.0/16 is my subnet where the openVPN server is. But I don’t know why the Gateway is 0.0.0.0

IP route show:

default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 202
10.0.0.0/16 dev tun0 proto kernel scope link src 10.0.98.3
192.168.1.0/24 dev eth0 proto dhcp scope link src 192.168.1.2 metric 202

Here it looks ok, for me.

Pinging a device from this client:

PING 10.0.0.3 (10.0.0.3) 56(84) bytes of data.
64 bytes from 10.0.0.3: icmp_seq=1 ttl=63 time=132 ms
64 bytes from 10.0.0.3: icmp_seq=2 ttl=63 time=48.6 ms
64 bytes from 10.0.0.3: icmp_seq=3 ttl=63 time=90.5 ms

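Solved. Needed to add an iptables MASQUERADE rule on the RPI (the OpenVPN client):

iptables -t nat -A POSTROUTING -d (here your local network) -j MASQUERADE

"Your local network" is presumably the LAN behind the RPI, 192.168.1.0/24 in this thread. The rule rewrites the source of forwarded packets to the RPI's own address, so devices such as 192.168.1.1 reply to 192.168.1.2 and need no route to 10.0.0.0/16. Two things to keep in mind: devices in that LAN now see (and log) every VPN-side host as 192.168.1.2, and as written the rule matches any source, so adding -s 10.0.0.0/16 -o eth0 limits it to traffic that came in from the tunnel. The NAT-free alternative is a static route for 10.0.0.0/16 via 192.168.1.2 on that LAN's gateway. A rule added with iptables -A is also lost on reboot unless it is saved.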

Dear rkrisi, please could you detail the necessary steps to be able to do what you mention?
Thanks!