OpenVPN Server config

Hi. I performed an OpenVPN Server configuration, using the following commands:

1. I created certificates and I exported them:

/certificate add common-name="CA" key-size=4096 days-valid=3650 key-usage=crl-sign,key-cert-sign
/certificate sign CA ca-crl-host=127.0.0.1 name="CA"
(but I also tried to use 192.168.1.1 or the DDNS address instead of 127.0.0.1)

/certificate add name=server common-name="server" key-size=4096 days-valid=3650 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign server ca="CA" name="server"

/certificate add name=client common-name="client" key-size=4096 days-valid=3650 key-usage=tls-client
/certificate sign client ca="CA" name="client"

/certificate export-certificate CA export-passphrase=""
/certificate export-certificate client export-passphrase=12345678

2. I defined the IP pool and server

/ip pool
add name=ovpn ranges=192.168.2.2-192.168.2.254
/ip dhcp-server network
add address=192.168.2.0/24 comment=vpn dns-server=8.8.8.8 gateway=192.168.2.1 netmask=24

3. I created the PPP profile and user

/ppp profile
add bridge=bridge2 dns-server=192.168.2.1 local-address=ovpn name=open_vpn remote-address=ovpn use-compression=no use-encryption=required
/interface ovpn-server server set certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=open_vpn enabled=yes require-client-certificate=yes

/ppp secret
add name=client password=12345678 profile=open_vpn service=ovpn

4. I defined a firewall rule

/ip firewall filter
add action=accept chain=input comment=VPN dst-port=xxxxx protocol=tcp

I managed to connect to my VPN (using both my LAN and an LTE hotspot), but in any case I can't use internet navigation. The only traffic allowed is inside the LAN network (I can reach my NAS and my MikroTik router), but not external.
I'm using a MacBook Pro with Tunnelblick (in which I tried to enable/disable the option "route all IPv4 traffic through the VPN", but nothing changed). I also tried from other networks and using other OSes. The VPN works, but not external internet traffic. If I try to use OpenVPN Client Connect, it's impossible to connect or to import the .ovpn config on macOS, while on Windows I can, but without external internet access. Any advice to solve this?

This is my vpn client config:

client
dev tun
proto tcp-client
remote DDNS Address
port xxxxx
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca CA.crt
cert client.crt
key client.key
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-user-pass auth.cfg
auth-nocache
redirect-gateway def1

If the VPN works, the internal network can be accessed, and you have the client configured to use the VPN as gateway, then it's probably blocked by your router's firewall. You must allow access from the VPN client to the internet somewhere in /ip firewall filter chain=firewall. The exact config depends on what you already have there.

Also make sure you have a NAT/masquerade rule to the Internet for the VPN subnet.

Thanks for the help. As you suggested, I created a masquerade rule (inside the NAT section), specifying the IP range of my VPN (192.168.2.1-192.168.2.254), and now it works!! I can go inside my network (using the LTE hotspot) and also use external navigation. Just a little problem: I can't access my MikroTik router using either 192.168.1.1 or 192.168.2.1. It's not a huge problem, but if I need to change something using remote access... in this case, it is!

Access to the router is configured in /ip firewall filter chain=input. I think the default firewall allows access only from the LAN defined as an interface list, so you'd either need to add the VPN client interface there (if you assigned one) or you'd need another rule to allow access from the VPN. Using in-interface=all-ppp would do the trick (if you want to allow all VPN clients to access the router).
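As an added example (not posted in this thread), the RouterOS rules the two replies above describe, written against the thread's own 192.168.2.0/24 VPN pool and the all-ppp interface; ether1 as the WAN interface and the management ports are assumptions:

```routeros
# Added example, not from the thread. Assumes ether1 is the WAN-facing interface.
# Rule order matters: each accept rule must sit above the chain's drop rules
# (/ip firewall filter print, then move <id> destination=<position>).

# 1. Source NAT for the VPN pool. Without it, replies from the internet have no
#    way back to 192.168.2.0/24, which is the "VPN works, internet does not"
#    symptom from the first post.
/ip firewall nat
add chain=srcnat src-address=192.168.2.0/24 out-interface=ether1 \
    action=masquerade comment="VPN clients -> internet"

/ip firewall filter
# 2. Forward chain: only needed if your forward chain drops traffic by default;
#    lets VPN clients reach the internet and the LAN through the router.
add chain=forward in-interface=all-ppp action=accept \
    comment="VPN clients -> LAN/internet"

# 3. Input chain: lets VPN clients reach the router itself (the 192.168.1.1 /
#    192.168.2.1 management problem). Limiting it to SSH (22) and WinBox (8291)
#    is tighter than accepting everything from all-ppp.
add chain=input in-interface=all-ppp protocol=tcp dst-port=22,8291 \
    action=accept comment="VPN clients -> router management"
```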

@nebulaosx: you created two threads in the wrong part of the forum. This one is dedicated to RouterBOARD hardware issues … however, your issues most probably belong in Beginner basics.