OpenVPN server on Rpi - how to allow OpenVPN clients to access the Rpi LAN

Hi all!

This is my first topic, so please be kind with my noobness :wink:

I have an RB951 and a Rpi as an OpenVPN server. And I would like the clients of the VPN server to be able to access the LAN of the Rpi. I believe that I am missing something about “routes”.
Can anyone give me a hand?

RB951 LAN 10.100.200.0/24
Rpi IP - 10.100.200.99
OpenVPN LAN 10.9.0.0/24

server.conf #rpi

port 1194
proto udp
dev tun
ca ca.crt
cert cert.crt
key key.key  
dh dh2048.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"



/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=password wpa2-pre-shared-key=password
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-128
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,aes-128-ctr
/ip pool
add name=dhcp ranges=10.100.200.1-10.100.200.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=ether2 lease-time=1d name=dhcp1
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip address
add address=148.XX.XX.82/22 interface=ether1 network=148.XX.XX.0
add address=10.100.200.1/24 interface=ether2 network=10.100.200.0
/ip dhcp-server lease
add address=10.100.200.250 mac-address=A6:D8:5S:BF:1B:FC server=dhcp1
/ip dhcp-server network
add address=10.100.200.0/24 dns-server=1.1.1.1,8.8.4.4 gateway=10.100.200.1 netmask=24
/ip dns
set servers=1.1.1.1,8.8.4.4
/ip firewall nat
add action=accept chain=srcnat dst-address=10.100.100.0/24 src-address=10.100.200.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=10.100.200.99 to-ports=1194
/ip ipsec peer
add address=83.XXX.XXX.150/32 local-address=148.XX.XX.82 secret=oficina00
/ip ipsec policy
add dst-address=10.100.100.0/24 sa-dst-address=83.XXX.XX.150 sa-src-address=148.XX.XX.82 src-address=10.100.200.0/24 tunnel=yes
/ip route
add distance=1 gateway=148.XXX.XX.81
/system clock
set time-zone-name=Europe
/system identity
set name="MTik router"

I implemented the below NAT rule for my openvpn:

;;; OpenVPN via Rpi
chain=dstnat action=dst-nat to-addresses=10.100.200.99 to-ports=1194 protocol=udp dst-address-list=WAN-IP dst-port=1194


By the way…
By default it is not possible to set up a VPN from within your local network.
You have to test it from a remote IP.

On the terminal, when I paste this

chain=dstnat action=dst-nat to-addresses=10.100.200.99 to-ports=1194 protocol=udp dst-address-list=XXX.XX.XX.XX dst-port=1194

it gives me an error:

syntax error (line 1 column 6)

Do you have a dst-address-list called WAN-IP??

If not, you have to create it or use dst-address with your WAN IP address.

But I have replaced it with my WAN IP

chain=dstnat action=dst-nat to-addresses=10.100.200.99 to-ports=1194 protocol=udp dst-address-list=XXX.XX.XX.XX dst-port=1194

and it still gives me an error… syntax error, and it highlights the equals sign in chain=dstnat

Change dst-address-list to dst-address if you changed the address list name to your address:

chain=dstnat action=dst-nat to-addresses=10.100.200.99 to-ports=1194 protocol=udp dst-address=XXX.XX.XX.XX dst-port=1194

Same error: syntax error

Can anyone help me to do this?

set up a route on the Mikrotik RB951 to route the VPN client subnet (10.9.0.0/24) to the OpenVPN server (10.100.200.99)

Hello
I have set up everything at home, but with a RockPro64 as OpenVPN server and OpenVPN client (with Ubuntu 18.04 as OS).
My LAN is managed by an RB3011.

To do that I have set up 3 VLANs on the RockPro64 (because the device has only one network interface) as follows:

  • 1 for management (VLAN 102)
  • 1 for VPNin (VLAN 100)
  • 1 for VPNout (VLAN 101)

The default gateway of the RockPro64 is on VLAN 100.
I have added routes to my private LAN (multiple VLANs) on the RockPro64 via VLAN 102 (not via the default gateway).
I have set up iptables rules on the RockPro64 to do traffic forwarding/masquerading from the tun interface to VLAN 102.

On the MikroTik, I have set a dstnat rule to forward the public UDP port to the RockPro64 on VLAN 100 (VPNin for me).
As the traffic from the RockPro64 to my LAN is coming from VLAN 102, I can add rules to accept/drop/etc on the MK (but it can also be done on the RockPro64 with iptables).

For VPNout, when I send traffic to VLAN 101, it goes to the internet through a VPN tunnel (for example viprvpn, etc…)
Most of the config for VPNout is on the RockPro64 (iptables, ip rule and ip route).

Regards
Pierre

Hey, try this:

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.100.200.99 protocol=udp dst-address-type=local dst-port=1194

Also make sure to have IPv4 forwarding activated on the Raspberry Pi OVPN server!!
Remove the “#” from #net.ipv4.ip_forward=1 in the file /etc/sysctl.conf and reboot the RasPi.
Otherwise the RasPi OVPN server will NOT forward OVPN client traffic into the local LAN segment!
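Pulling the replies together, here is an added example (my own code, not from anyone in this thread) that reads trimmed copies of the posted server.conf and RouterOS export and reports what is still missing for clients to reach the LAN: the pushed LAN route in server.conf, the return route on the RB951 for 10.9.0.0/24 via 10.100.200.99 suggested above, the dst-nat, and the uncommented ip_forward line from the last reply. The function names and the check logic are mine, not OpenVPN's or RouterOS's.

```python
import ipaddress
import re

# Constructed sample input: trimmed copies of the configs posted in this thread.
SERVER_CONF = """\
port 1194
server 10.9.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
"""
ROUTEROS_EXPORT = """\
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=1194 protocol=udp to-addresses=10.100.200.99 to-ports=1194
/ip route
add distance=1 gateway=148.XXX.XX.81
"""

def parse_routeros(export):
    """Map each '/section' of a RouterOS export to its 'add ...' lines as key=value dicts."""
    sections, current = {}, None
    for line in (l.strip() for l in export.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            current.append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return sections

def check_vpn_routing(server_conf, export, lan, vpn_server_ip):
    """Return the pieces still missing for OpenVPN clients to reach the LAN."""
    problems = []
    net, mask = re.search(r"^server\s+(\S+)\s+(\S+)", server_conf, re.M).groups()
    vpn_net, lan_net = ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_network(lan)
    # 1. clients only get a route into the LAN if the server pushes one
    pushed = re.findall(r'^push\s+"route\s+(\S+)\s+(\S+)"', server_conf, re.M)
    if not any(ipaddress.ip_network(f"{n}/{m}") == lan_net for n, m in pushed):
        problems.append(f'server.conf: push "route {lan_net.network_address} {lan_net.netmask}"')
    # 2. the router needs a return route for the VPN subnet via the OpenVPN host;
    #    without it, LAN hosts' replies to 10.9.0.x follow the WAN default route
    ros = parse_routeros(export)
    if not any(r.get("dst-address") == str(vpn_net) and r.get("gateway") == vpn_server_ip
               for r in ros.get("/ip route", [])):
        problems.append(f"router: /ip route add dst-address={vpn_net} gateway={vpn_server_ip}")
    # 3. the public UDP port must be forwarded to the OpenVPN host
    if not any(r.get("chain") == "dstnat" and r.get("to-addresses") == vpn_server_ip
               for r in ros.get("/ip firewall nat", [])):
        problems.append(f"router: dst-nat udp/1194 to {vpn_server_ip}")
    return problems

def ip_forward_enabled(sysctl_conf):
    """True only if an uncommented net.ipv4.ip_forward=1 line is present."""
    return re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_conf, re.M) is not None
```

Run against the configs as posted it reports two missing pieces (the pushed route and the router's return route); once both are added it reports nothing.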