OpenVPN Server, Can Connect to LAN but not Internet

Hello, I have a CCR1036 on which I just set up an OpenVPN server following this guide (except that my client IPs are on the same subnet as my LAN and I enabled proxy ARP on my LAN interface): https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/ It is pretty simple and straightforward.

I am able to connect fine with clients and access hosts on the LAN, but I am unable to reach the outside internet when connected through the VPN: I cannot ping IPs and nothing is resolving. I am guessing there is some sort of firewall rule that was not included in that guide that I need to add, or something I am missing; any input is welcome. If you would like parts of my config posted, I am happy to do so; I am not sure what is relevant.

Thanks!

OK, I made a discovery:

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Allow OpenVPN
      chain=input action=accept protocol=udp dst-port=1194 log=no log-prefix="" 

 1    ;;; Allow OpenVPN
      chain=input action=accept protocol=tcp dst-port=1194 log=no log-prefix="" 

 2    ;;; Allow access to the router from the LAN
      chain=input action=accept src-address-list=LocalLAN log=no log-prefix="" 

 3    ;;; Allow established connections to the router
      chain=input action=accept connection-state=established log=no log-prefix="" 

 4    ;;; Allow related connection to the router
      chain=input action=accept connection-state=related log=no log-prefix="" 

 5    ;;; Drop invalid connections
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; Allow connections from the LAN
      chain=forward action=accept connection-state=new in-interface=bridge1 log=no log-prefix="" 

 7    ;;; Allow NAT port forwards - DONT FORGET THIS RULE!
      chain=forward action=accept connection-nat-state=dstnat log=no log-prefix="" 

 8    ;;; Allow established connections
      chain=forward action=accept connection-state=established log=no log-prefix="" 

 9    ;;; Allow related connections (ftp, etc). 
      chain=forward action=accept connection-state=related log=no log-prefix="" 

10    ;;; Drop all other traffic thru the router.
      chain=forward action=drop log=no log-prefix="" 

11    ;;; Allow traffic from internal LAN to router itself
      chain=input action=accept dst-address=10.10.13.1 in-interface=bridge1 log=no log-prefix="" 

12    ;;; Allow ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

13    ;;; Drop all other traffic that has not been previously allowed to router
      chain=input action=drop log=no log-prefix=""

If I disable rule 10, then my client is able to connect to the internet just fine. I would rather keep that rule, so my specific question is: what rule do I need to add to explicitly allow the VPN traffic to access the internet? I also forgot to mention that my VPN clients are getting IPs in the same subnet as the rest of the LAN.

You can do it with this somewhere before #10:

/ip firewall filter
add chain=forward in-interface=all-ppp action=accept

Also, your current rules can be improved. For forward:

  • #8 should be first, because it will match most packets
  • #8 and #9 can be combined in one rule
  • #5 should come after that, and then you don’t need to worry about connection states, because it’s only new from there

And similar for input.
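The reordered ruleset the reply describes, written out as an added example (it is not from the original post, the reply, or the linked guide); it uses the interface and address-list names from the listing above and assumes it replaces the existing filter rules, with LocalLAN assumed to contain the LAN subnet. The accept for in-interface=all-ppp before the final forward drop is the fix from the reply.

```routeros
/ip firewall filter
# forward chain: traffic passing through the router (LAN and VPN clients to the internet)
add chain=forward action=accept connection-state=established,related comment="Accept established/related first: matches most packets"
add chain=forward action=drop connection-state=invalid comment="Drop invalid; only new connections reach the rules below"
add chain=forward action=accept in-interface=bridge1 comment="Allow new connections from the LAN"
add chain=forward action=accept in-interface=all-ppp comment="Allow new connections from OpenVPN clients (the fix from the reply)"
add chain=forward action=accept connection-nat-state=dstnat comment="Allow NAT port forwards"
add chain=forward action=drop comment="Drop all other traffic through the router"

# input chain: traffic to the router itself, same ordering
add chain=input action=accept connection-state=established,related comment="Accept established/related to the router"
add chain=input action=drop connection-state=invalid comment="Drop invalid connections to the router"
add chain=input action=accept protocol=udp dst-port=1194 comment="Allow OpenVPN (UDP)"
add chain=input action=accept protocol=tcp dst-port=1194 comment="Allow OpenVPN (TCP)"
add chain=input action=accept src-address-list=LocalLAN comment="Allow access to the router from the LAN (assumes LocalLAN holds the LAN subnet)"
add chain=input action=accept protocol=icmp comment="Allow ICMP"
add chain=input action=drop comment="Drop all other traffic to the router"
```

Rule 11 from the listing (dst-address=10.10.13.1 in-interface=bridge1) is already covered by the LocalLAN accept under that assumption, so it is not repeated. Because the VPN clients are addressed from the same subnet as the LAN, that address-list rule also admits them to the router itself.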

Thank you very much, that worked.

I will make some optimizations as you suggested. I split the established and related connections rule more for readability for myself when I first set this up a couple years ago, but combining them is neater, thank you.