Hi!
I’ve successfully implemented an OpenVPN server on a hEX device; clients can connect and have access to the internal network (192.168.83.0/24). But in each client config I need to specify a route (route 192.168.83.0 255.255.255.0 172.16.10.1), where 172.16.10.1 is the IP address of the ovpn profile. 172.16.10.48/28 is the network for remote users.
The question is: if I set the DHCP pool to 192.168.83.40-192.168.83.254, then set the ovpn profile IP to 192.168.83.2 and use 192.168.83.16/28 as the remote users’ network, do I need to specify any routes in the client configs?
P.S. As somebody may know, ROS doesn’t support the OpenVPN “push route” feature, so I’m very interested in this, especially for Android remote users, because the OpenVPN Connect Android app does not support the “route” directive.
There are various options:
- Per your suggestion, overlap the local and remote client addresses. The OpenVPN server netmask=24 provides a suitable route, but you need to enable proxy-arp on the local network interface so the MikroTik replies to any local client ARP requests on behalf of the remote VPN clients.
- Use an adjacent subnet for the remote clients and adjust the netmask to cover local and remote clients, e.g. the existing 192.168.83.x/24 network for local clients, 192.168.82.x/24 for remote VPN clients with OpenVPN server netmask=23.
- Add routes to the client .ovpn configuration file and use an app which does support routes.
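The three addressing schemes discussed in this thread can be compared with a short check. This is an added example, not part of any poster's reply; it assumes the client treats its tunnel address combined with the server netmask as directly reachable and that local hosts use the router as their default gateway. The function names and the sample client addresses are constructed for illustration.

```python
import ipaddress

def plan(lan, client_ip, server_netmask_bits):
    """Model what a VPN client can reach without an explicit 'route' line."""
    lan_net = ipaddress.ip_network(lan)
    # Network the client considers on-link through the tunnel:
    # its own tunnel address combined with the server-side netmask.
    tunnel_net = ipaddress.ip_interface(
        f"{client_ip}/{server_netmask_bits}").network
    return {
        "tunnel_net": str(tunnel_net),
        # A route is needed only if the LAN is not covered by the tunnel net.
        "route_needed": not lan_net.subnet_of(tunnel_net),
        # If the client address sits inside the LAN subnet, local hosts will
        # ARP for it, so the router must answer on its behalf (proxy-arp).
        "proxy_arp_needed": ipaddress.ip_address(client_ip) in lan_net,
    }

def collides_with_pool(remote_net, pool_first, pool_last):
    """True if the remote-user range shares addresses with the DHCP pool."""
    remote = ipaddress.ip_network(remote_net)
    pool = ipaddress.summarize_address_range(
        ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last))
    return any(remote.overlaps(block) for block in pool)

LAN = "192.168.83.0/24"
# Constructed sample client addresses, one per scheme from the thread.
SCENARIOS = {
    "separate subnet, netmask 24": ("172.16.10.50", 24),
    "overlap with LAN, netmask 24": ("192.168.83.18", 24),
    "adjacent subnet, netmask 23": ("192.168.82.10", 23),
}

def evaluate_all():
    return {name: plan(LAN, ip, bits) for name, (ip, bits) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
    print("remote range collides with DHCP pool:",
          collides_with_pool("192.168.83.16/28",
                             "192.168.83.40", "192.168.83.254"))
```
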
(This reply is in response to a question that is several months old, but it may still be useful to someone.)
I have OpenVPN server running on my RB493G workhorse for several years now. The paid Android app (linked below) allows me to connect to my home network securely when I am on the road. It should make life a bit easier using OpenVPN server on MikroTik. Especially whether it’s TUN or TAP.
https://play.google.com/store/apps/details?id=it.colucciweb.vpnclientpro&hl=en_US
That’s interesting. But where can the OpenVPN server netmask be set? I can only set an IP address in the OpenVPN profile (local address).
It is configured globally on the OpenVPN server (PPP > OVPN Server in WinBox); the MikroTik OpenVPN implementation doesn’t fit exactly into the PPP model they use for other VPNs.
Can’t find this(
In the screenshot you see the “Default Profile: ovpn”, then:
WinBox: PPP > Profiles tab > ovpn profile entry > General tab > Remote Address
Provide a pool or IP range.
Thanks! Will try it tomorrow.
Can’t find this(
It is the Netmask field, default value is 24 - equivalent to 255.255.255.0
it worked! thank you, tdv