I have the following configuration in a lab environment:
# aug/03/2024 23:56:44 by RouterOS 6.48.6
# model = 951Ui-2HnD
/ip pool
add name=vpn_pool ranges=172.168.0.5-172.168.0.10
/ppp profile
add local-address=172.168.0.1 name=ovpn_profile remote-address=vpn_pool
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256 enabled=yes require-client-certificate=yes
/ip address
add address=192.168.5.50/24 interface=ether2 network=192.168.5.0
add address=10.10.11.1/24 interface=ether4 network=10.10.11.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ppp secret
add name=huso password=huso profile=ovpn_profile service=ovpn
Ether2 Port: Connected to a Windows laptop with IP address 192.168.5.51 and subnet mask 255.255.255.0.
Ether4 Port: Connected to another Windows laptop with IP address 10.10.11.2 and subnet mask 255.255.255.0.
The VPN connection is successfully established on the Windows laptop connected to the Ether2 port. However, it is not possible to ping the addresses 10.10.11.1 or 10.10.11.2.
When I add the line route 10.10.11.0 255.255.255.0 to the OpenVPN client config file, the ping works.
What I want to achieve is to perform this routing configuration on the MikroTik device instead of adding routes on the client machine.
I have tried various options, including adding routes and NAT rules, but nothing seems to work.
I saw the following information in MikroTik documentation:
Since my RouterOS version is outdated, I cannot use the push route setting. However, when I perform the manual addition, I encounter the following issues:
When adding routes, the ovpn-huso interface is shown as “unreachable.”
In the firewall NAT rule, ovpn-huso is shown as “not ready.”
I upgraded the RouterOS version to 7.15.3 for testing. I added the push route configuration as the latest modification. I couldn’t solve the issue with RouterOS versions before v7; as I mentioned, there was no setting like push route in the OVPN server settings before v7, which is why I couldn’t configure a similar push route setting in RouterOS v6. The most recent configuration is as follows:
[admin@RouterOS] > export
# 2024-08-04 14:48:17 by RouterOS 7.15.3
# software id =
#
# model = RB951Ui-2HnD
# serial number =
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn_pool ranges=172.168.0.5-172.168.0.10
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add local-address=172.168.0.1 name=ovpn_profile remote-address=vpn_pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1 certificate=Server cipher=aes256-cbc default-profile=ovpn_profile enabled=yes \
    push-routes="10.10.11.0 255.255.255.0" require-client-certificate=yes
/ip address
add address=192.168.5.50/24 interface=ether2 network=192.168.5.0
add address=10.10.11.1/24 interface=ether4 network=10.10.11.0
/ip dhcp-client
add interface=ether2 use-peer-ntp=no
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.5.1
add disabled=no dst-address=10.10.11.0/24 gateway=172.168.0.1 routing-table=main \
    suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=huso profile=ovpn_profile service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Nicosia
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.0
/system package update
set channel=long-term
[admin@RouterOS] >
I found the solution you mentioned while researching after my initial post, and added an update below it. The feature you mentioned is available from RouterOS v7 onwards; unfortunately, it does not exist in v6. My question is whether there is a way to achieve this in v6. Some of my devices are older models like the RB750, so I do not want to upgrade to v7. As a temporary solution, I added a route to the OVPN client file, which worked for me. As I mentioned, I am just curious if there is an alternative solution in v6 that replaces the “set-redirect -gateway” setting.
In the meantime, thank you very much to everyone for your attention.