OpenVPN DNS requests problem

This week I put my first MikroTik RouterBoard into operation and so far I like everything very much. To give our field staff access to our internal network, I set up an OpenVPN server as described in the wiki (https://wiki.mikrotik.com/wiki/OpenVPN#Seperate_segment_for_VPN_and_destination_network). Here I have the problem that no local dynamic hostnames are resolved. DNS queries only work for static DNS entries.

My local network has IP 192.168.168.111.0/24 and the VPN network has IP 192.168.113.0/24, and everything is allowed in the firewall except for requests from WAN.
For me it looks like a bug, because the static DNS requests work. So there can’t be anything wrongly configured or blocked in my opinion.

I would be very pleased if you could tell me how to solve the problem.

BTW, I’m using RouterOS v6.40.4.

/interface ovpn-server server
set auth=sha1 certificate=OVPN-Server cipher=aes256 default-profile=ovpn \
    enabled=yes port=443 require-client-certificate=yes
/ip address
add address=192.168.111.1/24 interface=bridge_office network=192.168.111.0
/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="OpenVPN remote connection" dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="drop all from WAN" in-interface=wan
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid connection" \
    connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=wan
/ip pool
add name=dhcp_ovpn10 ranges=192.168.113.37-192.168.113.38
add name=dhcp_ovpn9 next-pool=dhcp_ovpn10 ranges=192.168.113.33-192.168.113.34
add name=dhcp_ovpn8 next-pool=dhcp_ovpn9 ranges=192.168.113.29-192.168.113.30
add name=dhcp_ovpn7 next-pool=dhcp_ovpn8 ranges=192.168.113.25-192.168.113.26
add name=dhcp_ovpn6 next-pool=dhcp_ovpn7 ranges=192.168.113.21-192.168.113.22
add name=dhcp_ovpn5 next-pool=dhcp_ovpn6 ranges=192.168.113.17-192.168.113.18
add name=dhcp_ovpn4 next-pool=dhcp_ovpn5 ranges=192.168.113.13-192.168.113.14
add name=dhcp_ovpn3 next-pool=dhcp_ovpn4 ranges=192.168.113.9-192.168.113.10
add name=dhcp_ovpn2 next-pool=dhcp_ovpn3 ranges=192.168.113.5-192.168.113.6
add name=dhcp_ovpn1 next-pool=dhcp_ovpn2 ranges=192.168.113.1-192.168.113.2
/ppp profile
add dns-server=192.168.111.1 local-address=dhcp_ovpn1 name=ovpn \
    remote-address=dhcp_ovpn1 use-encryption=required
/ppp secret
add name=xxx password=yyy profile=ovpn service=ovpn

The client setup looks like this:

client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-256-CBC
verb 3
route 192.168.111.0 255.255.255.0

EDIT 2017/10/26
I created a firewall logging rule and I can see that there are requests to the DNS server on port 53 and that I get a response. But I still get “host unknown” on the client.

EDIT 2017/10/27
OK, seems it was my fault. I didn’t know that I have to put all hostnames into the static cache. I installed a DHCP lease script, which puts the hostnames from the DHCP leases into the static cache. That solved my problem.
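For readers who land here with the same question: the kind of lease script the last edit refers to, written as an added example (not the poster's script and not from the MikroTik wiki). It assumes the standard DHCP lease-script variables RouterOS v6 exposes (leaseBound, leaseActIP, "lease-hostname"), a hypothetical local zone suffix "lan", and it tags every entry it creates so it only ever removes its own records.

```routeros
# Added example: DHCP lease script that mirrors dynamic leases into /ip dns static.
# Attach it with: /ip dhcp-server set <server-name> lease-script=<this script>
# Assumptions (not from the original post): zone suffix "lan", tag "dhcp-lease".
:local zone "lan"
:local tag "dhcp-lease"

# Only act when the client actually sent a hostname; an empty name would
# otherwise create a record like ".lan".
:if ([:len $"lease-hostname"] > 0) do={
  :local fqdn ($"lease-hostname" . "." . $zone)

  # Drop any record this script created earlier for the same name, so a
  # client that moved to a new address does not leave a stale entry behind.
  # The comment filter keeps hand-made static entries untouched.
  /ip dns static remove [find name=$fqdn comment=$tag]

  :if ($leaseBound = 1) do={
    # Lease granted or renewed: publish hostname -> current lease address.
    /ip dns static add name=$fqdn address=$leaseActIP comment=$tag
    :log info ("dhcp-dns: " . $fqdn . " -> " . $leaseActIP)
  } else={
    # Lease released or expired: the record was removed above, nothing to add.
    :log info ("dhcp-dns: removed " . $fqdn)
  }

  # Clear cached negative answers so VPN clients that already asked for the
  # name do not keep getting "host unknown" until the cache entry ages out.
  /ip dns cache flush
}
```

VPN clients then resolve names such as laptop.lan through the router's DNS at 192.168.111.1, while the log line per lease change gives an audit trail of which addresses were published.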