OpenVPN client not receiving Mikrotik's WAN IP (server)

I’m using an RB2011iL (v6.49.2) and I have set up 2 VPN servers on it (PPTP and OpenVPN). With PPTP, I’m not having any issues. With OpenVPN, I’m able to connect successfully from my client (laptop) to the MT, but my traffic doesn’t come out with the MT’s WAN IP: the client’s public IP address doesn’t change after a successful OVPN connection. I don’t have this problem when I connect using PPTP.

FYI, to test connectivity, I’m using my phone as a hotspot on the T-Mobile network, and the IP that shows on the laptop after OVPN is connected is still the hotspot’s IP (not the MT’s WAN IP).

I thought that maybe I needed to add a NAT rule:

0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
1 ;;; masq. OpenVPN traffic
chain=srcnat action=masquerade src-address=10.10.118.0/24 out-interface-list=WAN log=no log-prefix=“”

Mikrotik setup:
LAN: 172.21.117.100 - 172.21.117.254
PPTP Pool: 10.10.117.10 - 10.10.117.254
OVPN Pool: 10.10.118.10-10.10.118.250

Please let me know if there’s any other info I can provide, because tbh I have no idea what I am missing here!! Thank you for your assistance!

Would you send a config export + your OVPN client profile please.

I appreciate the assistance, here’s the config as requested:


# Forum-pasted RouterOS v6.49.2 export from the RB2011iL described above. It is not
# importable verbatim: the board rendering turned straight quotes into curly ones and
# dropped the trailing "\" continuation marks on wrapped lines, and the poster blanked
# the WAN address/gateway and the PPP user name/password.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.21.117.100-172.21.117.254
add name=vpn ranges=192.168.89.2-192.168.89.255
# PPTP and OVPN clients get addresses from separate pools; both lie outside the LAN
# subnet (172.21.117.0/24), so LAN hosts reach them only via the router.
add name=PPTP-Pool ranges=10.10.117.10-10.10.117.254
add name=OVPN-Pool ranges=10.10.118.10-10.10.118.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# PPTP profile: only-one=yes allows a single session per secret; clients are pushed
# public DNS resolvers rather than the router.
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=PPTP-Pool
name=PPTP-Profile only-one=yes remote-address=PPTP-Pool
# OVPN profile: the router's tunnel address is 10.10.118.1, clients draw from OVPN-Pool.
# NOTE(review): wins-server=8.8.4.4 is a public DNS resolver, presumably not a WINS
# server - confirm this is intended.
add dns-server=8.8.8.8 local-address=10.10.118.1 name=OVPN-Profile
remote-address=OVPN-Pool wins-server=8.8.4.4
# Built-in profile referenced by internal id; presumably the default-encryption profile
# the SSTP server below uses - confirm.
set FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# L2TP/IPsec server is enabled, but no ipsec-secret is shown here and the input rules
# for udp/500, 4500 and 1701 further down are disabled, so it is not reachable from
# the WAN as configured.
set enabled=yes use-ipsec=yes
/interface list member
# Only the bridge is in LAN. PPP/VPN tunnel interfaces are NOT members, which matters
# for the "drop all not coming from LAN" input rule below.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# OVPN server: a client certificate is required in addition to the user/password
# secret. cipher/auth must match the client profile (AES-256-CBC / SHA1).
set auth=sha1 certificate=server cipher=aes256 default-profile=OVPN-Profile
enabled=yes require-client-certificate=yes
/interface pptp-server server
# PPTP is enabled with PAP and CHAP also allowed. If PPTP must stay on, restrict this
# to mschap2; PPTP/MPPE is widely considered obsolete for confidentiality.
set authentication=pap,chap,mschap1,mschap2 default-profile=PPTP-Profile
enabled=yes
/interface sstp-server server
# SSTP is enabled, but the tcp/443 input rule below is disabled, so it is also not
# reachable from the WAN as configured.
set default-profile=default-encryption enabled=yes
/ip address
add address=172.21.117.1/24 comment=LAN interface=bridge network=172.21.117.0
# Static WAN address (values redacted by the poster). A DHCP client is also configured
# on ether1 below. NOTE(review): confirm only one of the two is meant to be active.
add address= interface=ether1 network=
/ip cloud
# MikroTik cloud DDNS: publishes the current WAN IP under a MikroTik-hosted name.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
# Static lease for the host targeted by the (disabled) Xbox forwarding rules.
add address=172.21.117.230 client-id=1:e8:a7:2f:15:ce:f1 mac-address=
E8:A7:2F:15:CE:F1 server=defconf
/ip dhcp-server network
add address=172.21.117.0/24 comment=defconf gateway=172.21.117.1 netmask=24
/ip dns
# The router answers DNS for others; exposure is bounded by the input chain, whose
# final rule only allows LAN. VPN clients are pushed 8.8.8.8 directly (profiles above).
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=172.21.117.1 comment=defconf name=router.lan
/ip firewall filter
# Rule order is significant. The BlackList and Allowed address lists are referenced
# here, but no /ip firewall address-list section appears in this export.
add action=drop chain=input comment=“Drop Blacklisted IP’s” log=yes
src-address-list=BlackList
add action=accept chain=input comment=“Allowed Access Rule” src-address-list=
Allowed
add action=accept chain=input comment=Xbox disabled=yes dst-port=3544
protocol=udp
add action=accept chain=input comment=“OpenVPN - 443” disabled=yes dst-port=
443 protocol=tcp
# VPN listeners opened on every interface: OVPN tcp/1194, PPTP tcp/1723 plus GRE.
add action=accept chain=input comment=“OpenVPN - 1194” dst-port=1194
protocol=tcp
add action=accept chain=input comment=“PPTP VPN” dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=forward comment=“XBOX - TCP Port” disabled=yes
dst-address=172.21.117.230 dst-port=3074 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment=“XBOX - UDP Ports” disabled=yes
dst-address=172.21.117.230 dst-port=88,500,3544,4500,53,3074
in-interface=ether1 protocol=udp
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
# The IPsec/IKE, L2TP, PPTP and SSTP accepts below are all disabled.
add action=accept chain=input comment=“allow IPsec NAT” disabled=yes
dst-port=4500 protocol=udp
add action=accept chain=input comment=“allow IKE” disabled=yes dst-port=500
protocol=udp
add action=accept chain=input comment=“allow l2tp” disabled=yes dst-port=1701
protocol=udp
add action=accept chain=input comment=“allow pptp” disabled=yes dst-port=1723
protocol=tcp
add action=accept chain=input comment=“allow sstp” disabled=yes dst-port=443
protocol=tcp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” disabled=yes
dst-address=127.0.0.1
# Catch-all for the input chain. Because LAN contains only the bridge, this also drops
# new connections from PPTP/OVPN clients to the router itself (only replies and ICMP
# get through above).
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
# The last forward rule only blocks unsolicited traffic arriving from the WAN list.
# Traffic from VPN tunnel interfaces is not matched, so VPN clients fall through to
# the implicit accept and can reach the whole LAN and the Internet unrestricted.
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade”
ipsec-policy=out,none out-interface-list=WAN
# Unlike the rule quoted earlier in the thread, this one has no out-interface-list=WAN,
# so OVPN client traffic is masqueraded towards the LAN as well (LAN hosts would see
# the router's bridge address instead of the 10.10.118.x client). For WAN-bound
# traffic it is redundant with the defconf rule above.
add action=masquerade chain=srcnat comment=“masq. OpenVPN traffic”
src-address=10.10.118.0/24
add action=masquerade chain=srcnat comment=“masq. vpn traffic” disabled=yes
src-address=192.168.89.0/24
# Disabled Xbox port forwards. The first one is mangled in the paste (dst-address
# blank, the dst-port keyword truncated).
add action=dst-nat chain=dstnat comment=“XBOX - UDP Port 56102” disabled=yes
dst-address= -port=56102 protocol=udp to-addresses=
172.21.117.230 to-ports=56102
add action=dst-nat chain=dstnat comment=“XBOX - UDP Ports” disabled=yes
dst-port=88,3074,53,500,3544,4500 in-interface=ether1 protocol=udp
to-addresses=172.21.117.230 to-ports=88
add action=dst-nat chain=dstnat comment=“XBOX - TCP Port” disabled=yes
dst-port=3074 in-interface=ether1 protocol=tcp to-addresses=
172.21.117.230 to-ports=3074
/ip firewall service-port
# All NAT helpers (ALGs) are switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Static default route (gateway redacted). Together with the DHCP client on ether1
# this may yield two default routes - see the /ip address note above.
add distance=1 gateway=
# NOTE(review): route to the OVPN pool via the router's own tunnel address. PPP
# clients normally receive a dynamic per-client /32 route on connect, so this static
# entry is presumably redundant - confirm it is needed.
add distance=1 dst-address=10.10.118.0/24 gateway=10.10.118.1
/ip service
# Moving www/ssh to non-default ports is not access control; what keeps management
# off the WAN is the input chain's final drop rule. winbox and www-ssl are not listed
# here, i.e. presumably left at their defaults.
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh port=2999
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add disabled=yes name=vpn
# OVPN user (name and password redacted). The client profile supplies these via its
# auth-user-pass file; the client certificate is required as well.
add name= password=
****** profile=OVPN-Profile service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system script
# Empty DDNS script carrying every policy (password, policy, sensitive, sniff, ...).
# Trim to the policies the script actually needs once it has a body (least privilege).
add dont-require-permissions=no name=Dynu owner=admin policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
“”
/tool mac-server
# MAC-telnet and MAC-winbox are restricted to LAN interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


Client Config:


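# OpenVPN client profile for the RouterOS OVPN server exported above.
client
dev tun
# TCP transport, matching the router's tcp/1194 OVPN input rule.
proto tcp-client
remote (MT WAN IP)
port 1194
nobind
persist-key
persist-tun
tls-client
# Require the server's certificate to carry the server EKU, so a client
# certificate issued by the same CA cannot be used to impersonate the server.
remote-cert-tls server
ca CA.crt
cert client.crt
key client.key
verb 4
mute 10
# Must match the server's cipher=aes256 / auth=sha1 settings.
cipher AES-256-CBC
auth SHA1
# User/password for the ovpn PPP secret are read from the file named "secret"
# and not kept in memory after use.
auth-user-pass secret
auth-nocache

# Route to the router's LAN. The network address is used here: the previous
# value 172.21.117.1 with a /24 mask is an invalid network/netmask combination
# that OpenVPN warns about.
route 172.21.117.0 255.255.255.0
# Send all client traffic through the tunnel (the fix confirmed at the end of
# the thread); def1 overrides the default route with two /1 routes instead of
# replacing it.
redirect-gateway def1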


You need to tell the client to use the VPN as its gateway. I don’t use it, so I don’t know the details, but search for the “redirect-gateway” option; it should be it.

Thank you so much Sob, that worked!! I just needed to add “redirect-gateway def1” at the end of the client config file, as described here (http://forum.mikrotik.com/t/route-all-my-traffic-through-a-vpn/105121/1).