I have successfully set up an OpenVPN connection with my laptop, but I cannot access the internet via the VPN.
I have these firewall rules:
/ip firewall address-list
add address=10.1.10.0/24 list=OurLocalLAN
add address=10.0.0.0/24 list=OurLocalLAN
/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
add action=accept chain=forward comment="Allow Ping" icmp-options=0:0 protocol=icmp
add action=accept chain=forward comment="Allow Ping" icmp-options=8:0 protocol=icmp
add action=accept chain=forward comment="Allow Traceroute" icmp-options=11:0 protocol=icmp
add action=accept chain=forward comment="Allow Traceroute" icmp-options=3:3 protocol=icmp
add action=accept chain=forward comment="Allow Path MTU Discovery" icmp-options=3:4 protocol=icmp
add action=drop chain=forward comment="Drop all other ICMP" protocol=icmp
add action=accept chain=forward comment="Allow connections from the LAN" connection-state=new in-interface=bridge-LAN
add action=accept chain=forward comment="Allow portforwarded connections" connection-nat-state=dstnat
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward comment="Drop all other traffic through the router"
add action=accept chain=input comment="Allow acces to the router from the LAN using address list" src-address-list=OurLocalLAN
add action=accept chain=input comment="Allow established connections to the router" connection-state=established
add action=accept chain=input comment="Allow related connections to the router" connection-state=related
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 protocol=tcp
add action=drop chain=input comment="Drop all other traffic to router"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
If I disable the rule below, it works fine:
add action=drop chain=forward comment="Drop all other traffic through the router"
So I have to have another rule to accept traffic via the VPN. Can someone help me with that rule?
Thx!
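
Why the final drop rule catches the VPN client's traffic, as an added example that is not part of the original post: a simplified first-match model of the posted forward chain in Python (ICMP rules omitted). The interface name `ovpn-laptop`, the sample packets and the inserted accept rule are assumptions, not taken from the post.

```python
# Simplified first-match model of the forward chain from the post.
# Only the matchers needed here are modelled; the ICMP rules are omitted.
FORWARD = [
    ("drop",   "Drop invalid connections",        {"connection-state": "invalid"}),
    ("accept", "Allow connections from the LAN",  {"connection-state": "new",
                                                   "in-interface": "bridge-LAN"}),
    ("accept", "Allow portforwarded connections", {"connection-nat-state": "dstnat"}),
    ("accept", "Allow established connections",   {"connection-state": "established"}),
    ("accept", "Allow related connections",       {"connection-state": "related"}),
    ("drop",   "Drop all other traffic through the router", {}),
]

def verdict(chain, packet):
    """Return (action, comment) of the first rule whose matchers all equal the packet's fields."""
    for action, comment, match in chain:
        if all(packet.get(k) == v for k, v in match.items()):
            return action, comment
    return "accept", "end of chain (default accept)"

def with_vpn_rule(chain, vpn_interface):
    """Copy of the chain with an accept rule for new connections arriving on the
    VPN interface, inserted just before the final catch-all drop."""
    rule = ("accept", "Allow connections from the VPN",
            {"connection-state": "new", "in-interface": vpn_interface})
    return chain[:-1] + [rule] + chain[-1:]

VPN_IF = "ovpn-laptop"  # hypothetical interface name, not from the post

# Constructed packets: the first packet of a new connection towards the internet.
from_lan = {"connection-state": "new", "in-interface": "bridge-LAN", "protocol": "tcp"}
from_vpn = {"connection-state": "new", "in-interface": VPN_IF, "protocol": "tcp"}
# Constructed reply from the internet for a connection that was already accepted.
reply = {"connection-state": "established", "in-interface": "ether1", "protocol": "tcp"}
# Constructed unsolicited new connection arriving on the WAN side.
from_wan = {"connection-state": "new", "in-interface": "ether1", "protocol": "tcp"}

if __name__ == "__main__":
    fixed = with_vpn_rule(FORWARD, VPN_IF)
    for name, pkt in [("LAN", from_lan), ("VPN", from_vpn),
                      ("reply", reply), ("WAN", from_wan)]:
        print(f"{name:5} original: {verdict(FORWARD, pkt)}")
        print(f"{name:5} with VPN rule: {verdict(fixed, pkt)}")
```

The only rule that accepts new connections matches on in-interface=bridge-LAN, so a new connection entering on any other interface falls through to the last rule; the added rule changes the verdict for the VPN interface only, and new connections from ether1 are still dropped.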