OpenVPN server, and VPN client problems

Hello everyone, this is my first post in this community. After a week of struggling with this issue, I’ve decided to seek advice from the experts here. I’ve detailed my problem below and would greatly appreciate any guidance.

I’m facing a particularly challenging issue, though everything else in my setup works fine. I have a MikroTik router with an LTE Stick mode Huawei Modem connected via USB. The LTE connection, DHCP, and Masquerade are all functioning correctly.

Since my modem doesn’t have a static IP, I configured my MikroTik as a client to connect to my Synology Server at home. I experimented with both OpenVPN and IPSEC and eventually decided to stick with IPSEC. My MikroTik successfully connects to the Synology L2TP/IPSEC server and is assigned the IP address 10.2.0.2. Additionally, my iPhone, when connected to the same Synology L2TP/IPSEC server, gets the IP address 10.2.0.3.

Here’s where the problem lies: Although my iPhone can ping 10.20.0.2, and NAT seems to be working fine (I can browse the internet on my iPhone), I can’t access the MikroTik’s web interface or WinBox service at this IP. To tackle this, I set up an OPENVPN SERVER on the MikroTik today. I can access the MikroTik configuration page at 192.168.34.0 through a web browser and connect via WinBox on port 8291. However, obtaining a public IP address incurs additional charges from my GSM provider, which I’m trying to avoid.

Ideally, I’d like to be able to access my MikroTik’s webfig interface by entering 10.2.0.2 on my iPhone while it’s connected to my Synology. Interestingly, accessing 10.2.0.1 on my iPhone brings up the Synology interface, which is exactly what I want.

I’m stumped as to why this isn’t working and have included my settings below for review. Any help or insights would be immensely appreciated!

Thank you in advance for your help!

And small update:

1. Ping 10.2.0.1 from Mikrotik does not work. 2. I connected my second iPhone to Synology VPN and received 10.2.0.3. I can ping form 10.2.0.2 to 10.2.0.3 and it works.
   This means that the problem is on Mikroitk.

And erratum : Ideally, I’d like to be able to access my MikroTik’s webfig interface by entering 10.2.0.2 on my iPhone while it’s connected to my Synology [should be 10.2.0.0].

My aim: I want to not to pay for Public IP anymore and to be able to use the VPN connected to my home network and to enter 10.2.0.2 to be able to see Mikrotik’s Config interface, and also to be able to use Winbox to connect to 10.20.0.2

Resume by AI:

ChatGPT
Analyzing the provided MikroTik configuration, here are the key points and observations:

General Configuration:
Router Model: RB951G-2HnD.
RouterOS Version: 7.12.1.

Interfaces: Standard setup with wireless (wlan1) and several Ethernet interfaces.

VPN Configuration:
OpenVPN Client: Configured to connect to MYNAME.mywire.org on UDP port 1195 with sha512 authentication and aes256-cbc cipher.

L2TP/IPsec Client: Also set up to connect to MYNAME.mywire.org.

OpenVPN Server: Enabled with various ciphers and SHA1/MD5 authentication.

IP Addressing and DHCP:

IP Pools: Two pools defined, default-dhcp for the local network and OVPN-pool for VPN clients.

DHCP Server: Configured for the local network with the pool default-dhcp.

Firewall and NAT:
Various firewall filter and NAT rules are in place.
Notable rules include allowing VPN traffic to the LAN and the router, accepting WinBox traffic (port 8291), and a masquerade rule for outbound traffic.
Specific rule to allow OpenVPN traffic (Ovpn pass) on TCP port 1194 from interface ppp-out1.

Wireless Configuration:
Wireless network configured with WPA2-PSK security.

Miscellaneous:
DNS: Remote DNS requests are allowed.
IPsec Peer: Configured with a peer entry pointing to MYNAME.mywire.org.
System Clock: Set to the Warsaw timezone.

Security Observations:
Default firewall rules are in place to protect the router, including dropping invalid connections and restricting input chain to non-LAN interfaces.
The use of both SHA1 and MD5 in the OpenVPN server settings is noted; however, these are generally considered less secure than newer algorithms.

Potential Areas for Review:
Ensure the OpenVPN and L2TP/IPsec client configurations match the server settings at MYNAME.mywire.org.
Review the OpenVPN server settings, particularly the cipher and authentication methods, for security and compatibility with clients.
Verify the NAT and firewall rules, especially if there are specific traffic flow requirements or issues.
This configuration appears to be set up for both connecting to a remote VPN server and hosting an OpenVPN server, with standard network settings for local and VPN client IP address distribution

# 2024-01-01 04:47:37 by RouterOS 7.12.1
# software id = 7KQR-3SQ7
#
# model = RB951G-2HnD
# serial number = XXXXXX
/interface bridge
add name=OVPN-bridge
add admin-mac=XX-XX:6B:58:59:7F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTi wireless-protocol=802.11
/interface ovpn-client
add add-default-route=yes auth=sha512 cipher=aes256-cbc connect-to=\
    MYNAME.mywire.org disabled=yes mac-address=XX:XX:95:22:77:2C name=\
    ovpn-out1 port=1195 protocol=udp user=ak4
/interface l2tp-client
add connect-to=MYNAME.mywire.org disabled=no name=l2tp-out1 use-ipsec=yes \
    user=ak4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/iot lora servers
add address=eu.mikrotik.thethings.industries name=TTN-EU protocol=UDP
add address=us.mikrotik.thethings.industries name=TTN-US protocol=UDP
add address=eu1.cloud.thethings.industries name="TTS Cloud (eu1)" protocol=\
    UDP
add address=nam1.cloud.thethings.industries name="TTS Cloud (nam1)" protocol=\
    UDP
add address=au1.cloud.thethings.industries name="TTS Cloud (au1)" protocol=\
    UDP
add address=eu1.cloud.thethings.network name="TTN V3 (eu1)" protocol=UDP
add address=nam1.cloud.thethings.network name="TTN V3 (nam1)" protocol=UDP
add address=au1.cloud.thethings.network name="TTN V3 (au1)" protocol=UDP
/ip ipsec peer
add address=MYNAME.mywire.org name=peer1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=OVPN-pool ranges=192.168.34.100-192.168.34.150
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface ppp-client
add allow=pap,chap,mschap1 apn=vpn dial-on-demand=no disabled=no \
    info-channel=1 name=ppp-out1 port=usb1 user=vpn
/ppp profile
set *FFFFFFFE bridge=OVPN-bridge dns-server=9.9.9.9,149.112.112.112 \
    local-address=192.168.34.1 remote-address=OVPN-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5 certificate=SERVER cipher=\
    blowfish128,aes128-cbc,aes192-cbc,aes256-cbc default-profile=\
    default-encryption enabled=yes require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.34.1/24 interface=OVPN-bridge network=192.168.34.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="Allow VPN to lan" src-address=\
    10.2.0.0/24
add action=accept chain=input comment="do winboxa" dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=80 log=yes protocol=tcp
add action=accept chain=input comment="Allow VPN to router" src-address=\
    10.2.0.0/24
add action=accept chain=input comment="Ovpn pass" dst-port=1194 in-interface=\
    ppp-out1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=dropnotfromlan
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=log chain=input dst-port=80 log=yes log-prefix="input: " protocol=\
    tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# lte1 not ready
add action=masquerade chain=srcnat out-interface=*7
add action=masquerade chain=srcnat out-interface=ppp-out1
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec identity
add peer=peer1
/ip service
set www address=0.0.0.0/0
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=ak profile=default-encryption remote-address=192.168.34.154 service=\
    ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Hello I also just joined this community, It seems like a routing issue. Check if your MikroTik has a route back to your iPhone’s subnet (10.2.0.0/24). Ensure that the firewall on MikroTik allows traffic from the L2TP/IPSEC subnet to the MikroTik itself. Double-check your NAT settings and make sure there’s no conflicting rule. Also, confirm that the MikroTik’s default gateway is correctly set. Hope this helps!

Please help when someone could look more at my configuration I I sent you I am sitting with this for many days already and have no luck.
You have virulent firewall config in the file I sent in my post

DAv 0.0.0.0/0 ppp-out1 Distance 1
Dac 10.2.0.0./32 l2tp-out1
Dac 10.112.112.127/32 ppp-out1
DAc 192.168.34.0/24 OVPN-bridge
DAc 192.168.88.0/24 bridge

I am still patiently waiting for help. Thank you
I found out the problem, all I had to to was to switch off add default routing

Ping Issue (MikroTik to 10.2.0.1):

Check the routing table on MikroTik using the ip route command to ensure there is a route to 10.2.0.1.
Verify the firewall rules for the outgoing traffic on MikroTik.
Accessing MikroTik’s Webfig Interface (10.2.0.2) from Synology VPN:

Confirm that the firewall on MikroTik allows traffic on port 80 or 443 for the Webfig interface.
Ensure that the Webfig service is running and accessible within the local network.
Winbox Connection to 10.2.0.2:

Make sure the firewall allows traffic on the Winbox port (default is 8291).
Verify that the Winbox service is running on MikroTik.
Overall VPN Connectivity:

Double-check VPN client configurations on both MikroTik and Synology.
Verify that the VPN tunnels are established successfully (check logs on both ends).
Ensure that routing is correctly set up for VPN-connected devices.
Public IP Transition:

Confirm that the VPN server (Synology) is correctly configured to route traffic to the MikroTik device.
Adjust the OpenVPN and L2TP/IPsec client configurations on MikroTik accordingly.
Reviewing and addressing these points should help you identify and resolve the specific issues you’re facing.