OpenVPN Server + DHCP

Hi,

I set up an OpenVPN Server on an RB to connect some IoT devices with our network. The IP addresses for the IoT devices should be provided via a DHCP server. But every time I try to set up the DHCP server I get the message "DHCP invalid". Could somebody take a look at the config and give a hint?

Thanks + Regards

# 2024-12-12 14:28:39 by RouterOS 7.15.3
# software id = W0EM-SE0S
#
# model = RB750Gr3
# Review notes are the '#' lines below; the configuration statements are unchanged.
# Note: this export shows no password= on the ppp secrets and no /snmp enable
# state, presumably stripped/omitted by export - verify on the device.
/interface bridge
add admin-mac=D4:01:C3:87:6E:9A arp=proxy-arp auto-mac=no comment=defconf \
    ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface ovpn-server
add name=ovpn-in1 user=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
# default-dhcp is defined but no /ip dhcp-server entry below references it,
# so the 192.168.88.0/24 LAN has no DHCP server in this export.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# dhcp-vpn is only referenced by the dhcp-server on ovpn-in1 below. For OpenVPN
# clients the address normally comes from the ppp profile/secret, so this pool
# would more usefully be referenced as remote-address=dhcp-vpn in the profile.
add name=dhcp-vpn ranges=172.20.1.10-172.20.1.100
/ppp profile
# local-address=0.0.0.0 and no remote-address: the profile hands out no
# client IP. bridge=bridge only matters for layer-2 (tap/BCP) operation;
# for a layer-3 (tun) VPN it is not needed.
add bridge=bridge local-address=0.0.0.0 name=vpn-srv01 use-encryption=yes \
    use-ipv6=no
/snmp community
# Both communities accept queries from any source (addresses=0.0.0.0/0), and
# SNMP v1/v2c community strings travel in clear text. Restrict addresses= to
# the monitoring host(s), e.g. addresses=<MONITORING-HOST>/32. Whether the SNMP
# service itself is enabled is not visible in this export.
set [ find default=yes ] addresses=0.0.0.0/0
add addresses=0.0.0.0/0 name=lesen
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
# ether5 is a bridge port but also carries its own /ip address (10.241.31.4/29)
# below - addressing a bridge slave directly is unusual; confirm this is intended.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
# ovpn-in1 as a bridge port puts VPN clients into the LAN bridge, and bridge is
# in interface-list LAN (see /interface list member). Every input rule, the
# mac-server and winbox-mac allow lists, and DNS remote requests that are
# scoped to LAN therefore also apply to VPN clients. If the IoT devices only
# need specific services, remove this port and filter them in /ip firewall
# filter instead (least privilege).
add bridge=bridge interface=ovpn-in1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge untagged=ether5,bridge vlan-ids=1600
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# auth=sha1,md5 lets clients negotiate MD5 HMAC and the cipher list is CBC-only.
# Prefer auth=sha256 and cipher=aes256-cbc (or stronger options this RouterOS
# version offers) if the IoT clients support them. require-client-certificate=yes
# is good; it is the mutual-authentication control for the "username not
# provided" setup discussed in the thread.
set auth=sha1,md5 certificate=sww_server-cert cipher=aes128-cbc,aes192-cbc \
    enabled=yes require-client-certificate=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.241.31.4/29 comment="xxx" interface=ether5 network=\
    10.241.31.0
add address=172.31.1.11/29 comment="yyy" interface=ether1 \
    network=172.31.1.8
# Disabled. If re-enabled it overlaps the static "MGM" route for 172.27.1.0/28
# via 10.241.31.1 below (connected /24 vs routed /28).
add address=172.27.1.1/24 disabled=yes interface=ovpn-in1 network=172.27.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
# This is the server reported as "invalid": ovpn-in1 is a PPP-type interface
# and also a bridge port, and the replies in the thread say OpenVPN clients get
# their address from the ppp profile/secret, not DHCP. Moving it to interface=
# bridge makes it valid but then serves the ethernet bridge ports, not the VPN.
add address-pool=dhcp-vpn interface=ovpn-in1 lease-time=12h name=dhcp-vpn
/ip dhcp-server network
add address=172.20.1.0/24 gateway=172.20.1.1 netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
# address=192.168.200.0/32 does not match netmask=25, and gateway 192.168.200.1
# lies outside a /32; no router address in 192.168.200.0/25 appears in this
# export. Likely a typo for 192.168.200.0/25, or a leftover entry.
add address=192.168.200.0/32 dns-none=yes gateway=192.168.200.1 netmask=25
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything reaching
# the input chain; the "drop all not coming from LAN" input rule below keeps
# WAN sources out, so exposure is limited to LAN (and, via the bridge port,
# VPN clients).
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,172.31.1.9
/ip dns static
add address=1.1.1.1 name=Cloudflare
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Accepts new OpenVPN sessions from WAN before the invalid/not-from-LAN drops;
# log=yes records every new TCP/1194 connection with prefix "ovpn".
add action=accept chain=input comment="accept input OpenVPN" dst-port=1194 \
    in-interface-list=WAN log=yes log-prefix=ovpn protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# No forward rule restricts VPN clients (bridged into LAN) from reaching the
# LAN hosts; add one here if the IoT devices should only reach specific hosts.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add check-gateway=ping comment="Standard Internet Route" disabled=no \
    distance=1 dst-address=0.0.0.0/0 gateway=172.31.1.9 routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add comment="MGM" disabled=no distance=1 dst-address=172.27.1.0/28 \
    gateway=10.241.31.1 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ppp secret
# Per-client secrets; a remote-address= set here overrides the profile for a
# single client if fixed IPs per IoT device are wanted.
add name=c1 profile=vpn-srv01 service=ovpn
add name=c2 profile=vpn-srv01 service=ovpn
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=r-vpn
/system logging
set 0 topics=info,ovpn
# debug,ovpn is verbose; useful while troubleshooting the "username not
# provided" message, remove afterwards.
add topics=debug,ovpn
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=172.31.1.9
/tool mac-server
# LAN list includes the bridge, hence also VPN clients while ovpn-in1 is a
# bridge port.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Most VPNs are IP / layer 3, not ethernet / layer 2 and have their own mechanisms for client IP address assignment, they do not use DHCP. If the IoT devices are using their own inbuilt OpenVPN client the address will be provided from the pool or explicit addresses in the server PPP profile or secrets during the VPN connection setup.

So I need to assign a remote-address in the ppp profile for the OpenVPN server, correct? But if I do this, the dhcp-server is still invalid.

I changed the interface of the dhcp-server from “ovpn-in1” to “bridge” and now the dhcp-server is active and not invalid.

Yes. Creating a DHCP server is not necessary.

I changed the interface of the dhcp-server from “ovpn-in1” to “bridge” and now the dhcp-server is active and not invalid.

Attaching the server to the bridge provides DHCP service through ethernet interfaces which are members of the bridge.

You have specified a bridge in the PPP profile - this is only necessary to enable layer 2 bridging using BCP in PPP-based VPN protocols (PPTP, L2TP, SSTP), and likely only required when using layer 2 OpenVPN (ethernet / tap) rather than layer 3 (IP / tun).

I think I will first try to set up a normal OpenVPN connection from a client to a MikroTik router with username and password. If this is working, I will try to figure out how to get a connection without username and password.

For the moment I am stuck on this message on the router side:

username not provided