OpenVPN server - remote client can't ping internal network

Hey guys
I set up an OpenVPN server on my MT router. All I need is to be able to access the local network at home from a remote PC, located in my office in this case. The remote PC gets connected to the VPN and receives a local IP (192.168.1.231), but can only ping the router (192.168.1.1). Also, to the outside world it still has the external IP of my office (203.x.x.x), not of my home network (103.x.x.x), when I check it with “what’s my IP” sites.
I read about adding a masquerade rule in NAT. I did, but I’m not sure if I did it correctly:

add action=masquerade chain=srcnat out-interface=<ovpn-nikolav>

It didn’t help anyway.

My config:

# apr/17/2019 09:03:29 by RouterOS 6.43.4
# software id = EUPZ-AKWW
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7C08947EE5
/interface bridge
# LAN bridge. The OpenVPN pool (192.168.1.220-234 below) lives inside this
# bridge's own /24, so LAN hosts ARP for VPN clients and get no answer until
# the bridge runs with arp=proxy-arp (the change applied later in the thread).
add name=LAN protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface l2tp-client
# Outbound L2TP tunnel to a commercial VPN provider; 192.168.1.10-20 is
# policy-routed into it by the mangle rule and the marked route further down.
# No use-ipsec= / ipsec-secret= is exported here, so the tunnel appears to rely
# on PPP-level encryption only -- confirm that is intended.
add connect-to=uk2.safervpn.com disabled=no mrru=1600 name="SaferVPN L2TP" \
    user=nvodenicharov@gmail.com
/interface vlan
add interface=ether1 name=ether1.10 vlan-id=10
/interface pppoe-client
# WAN uplink; every "in-interface=pppoe-wan" firewall rule keys on this name.
add add-default-route=yes disabled=no interface=ether1.10 name=pppoe-wan \
    use-peer-dns=yes user=nick@mikipro.co.nz
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA(1)-PSK and TKIP are still offered next to WPA2/AES-CCM; drop "wpa-psk"
# and "tkip" unless a legacy client genuinely needs them.
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm \
    management-protection=allowed mode=dynamic-keys name=wpasecurity \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/interface wireless
# Both radios use the wpasecurity profile above.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee country="new zealand" disabled=no mode=ap-bridge name=\
    wlan1 security-profile=wpasecurity ssid=nick wireless-protocol=802.11
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country="new zealand" disabled=no frequency=auto mode=ap-bridge name=\
    wlan2 security-profile=wpasecurity ssid=nick wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
# 3des is a legacy cipher; remove it from the proposal unless a peer needs it.
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.200
# VPN client addresses overlap the LAN subnet (see the proxy-arp note on the bridge).
add name=VPN-POOL ranges=192.168.1.220-192.168.1.234
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN lease-time=12h name=dhcp1
/ppp profile
# Profile handed to OpenVPN clients: router side 192.168.1.1, client side from VPN-POOL.
add dns-server=192.168.1.1 local-address=192.168.1.1 name=VPN-PROFILE \
    remote-address=VPN-POOL use-encryption=yes
/interface bridge port
add bridge=LAN hw=no interface=ether2
add bridge=LAN hw=no interface=ether3
add bridge=LAN hw=no interface=ether4
add bridge=LAN hw=no interface=ether5
add bridge=LAN interface=wlan2
add bridge=LAN interface=wlan1
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# L2TP/IPsec server settings are present but no enabled=yes is exported, so
# the server appears to be off -- verify with "/interface l2tp-server server print".
set authentication=mschap2 default-profile=default max-mru=1460 max-mtu=1460 \
    use-ipsec=yes
/interface ovpn-server server
# OpenVPN over TCP/443. A client certificate is mandatory in addition to the
# PPP secret, which is what makes exposing this port to the Internet acceptable.
set auth=sha1 certificate=server@MikroTik cipher=aes128,aes192,aes256 \
    default-profile=VPN-PROFILE enabled=yes port=443 \
    require-client-certificate=yes
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
/ip dhcp-server lease
add address=192.168.1.27 comment=Chromecast mac-address=A4:77:33:0E:CC:EF \
    server=dhcp1
add address=192.168.1.25 allow-dual-stack-queue=no comment=\
    "Asus Zenfone Max Pro M1" mac-address=04:92:26:34:5B:28 server=dhcp1
add address=192.168.1.35 allow-dual-stack-queue=no comment="Honor Nova 2i" \
    mac-address=04:79:70:48:E7:43 server=dhcp1
# The NAS; it sits inside the 192.168.1.10-20 range that is policy-routed
# through the SaferVPN tunnel (see mangle below).
add address=192.168.1.10 allow-dual-stack-queue=no comment=DNS-325 \
    mac-address=78:54:2E:24:02:9B server=dhcp1
add address=192.168.1.15 client-id=1:64:76:ba:a1:84:60 mac-address=\
    64:76:BA:A1:84:60 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip dns
# The router resolves for anything that reaches its input chain; see the
# firewall note below about interfaces other than pppoe-wan.
set allow-remote-requests=yes
/ip dns static
# Stale: the LAN address is 192.168.1.1, not 192.168.88.1.
add address=192.168.88.1 name=router.lan
add address=208.67.222.222 name=OpenDNS1
add address=208.67.220.220 name=OpenDNS2
add address=8.8.8.8 name=Google1
add address=8.8.4.4 name=Google2
/ip firewall address-list
add address=x.x.x.x list=safe-hosts
add address=x.x.x.x list=safe-hosts
add address=121.74.0.0/16 list=safe-hosts
add address=192.168.1.100-192.168.1.199 list=DHCP_adresses
/ip firewall filter
# Input chain: every rule below filters only what arrives on pppoe-wan. Packets
# arriving on "SaferVPN L2TP" or on the dynamic <ovpn-*> interfaces never meet
# the final drop, so all management services (Winbox 8291, SSH 2222, WWW 8080,
# Telnet 2323, DNS) are reachable from those tunnels. Whether the provider side
# can inject traffic into the L2TP tunnel is not visible here, but a closing
# drop rule without in-interface= (placed after the accepts) removes the gap.
add chain=input comment="Input. All all ICMP" in-interface=pppoe-wan \
    protocol=icmp
add chain=input comment="Input. Allow established/related" connection-state=\
    established,related in-interface=pppoe-wan
add chain=input comment="Allow known hosts." in-interface=pppoe-wan \
    src-address-list=safe-hosts
# Winbox accept has no in-interface= or src-address-list=, and it is ordered
# above the WAN drop, so TCP/8291 is open to the whole Internet. Restrict it,
# e.g. in-interface=LAN or src-address-list=safe-hosts (that list already exists).
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add chain=forward comment="Forward. Allow established/related." \
    connection-state=established,related
# Intentionally world-reachable: the OpenVPN listener (client cert required).
add action=accept chain=input comment="Allow OpenVPN" dst-port=443 protocol=\
    tcp
# Disabled time-of-day block for the DHCP_adresses list; kept as is.
add action=drop chain=forward disabled=yes src-address-list=DHCP_adresses \
    time=7h-8h,mon,tue,wed,thu,fri
add action=drop chain=input comment="Input. Drop All." in-interface=pppoe-wan
# Forward chain has no final drop; only NAT keeps unsolicited WAN traffic out
# of the LAN. Anything routed in through the L2TP tunnel would be forwarded.
add action=drop chain=forward comment="Forward. Drop Invalid" \
    connection-state=invalid
/ip firewall mangle
# Policy-routes 192.168.1.10-20 (the NAS included) via the SaferVPN tunnel. As
# written it also catches the NAS's replies to OpenVPN clients, which then
# leave through the provider tunnel instead of back down the OpenVPN
# connection -- this was the thread's root cause. Fix from the thread: add
# dst-address=!192.168.1.220-192.168.1.234 so VPN-POOL is excluded.
add action=mark-routing chain=prerouting new-routing-mark=L2TP passthrough=\
    yes src-address=192.168.1.10-192.168.1.20
/ip firewall nat
# Masquerades LAN->VPN-client traffic behind the router's tunnel address. It
# is not needed for client->LAN reachability (the angle-bracket name appears
# to be RouterOS's dynamic per-user OVPN interface) and can be removed.
add action=masquerade chain=srcnat out-interface=<ovpn-nikolav>
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=pppoe-wan
# The dst-nat rules below publish the NAS (192.168.1.10) to the Internet on
# 9091, 80, 21, 22 and 55536-55663 with no source restriction; 21 and 80 are
# cleartext protocols. Once OpenVPN access works, consider removing these and
# reaching the NAS over the tunnel only, or at least add
# src-address-list=safe-hosts to each of them.
add action=dst-nat chain=dstnat dst-port=9091 in-interface=pppoe-wan \
    protocol=tcp to-addresses=192.168.1.10 to-ports=9091
add action=dst-nat chain=dstnat dst-port=80 in-interface=pppoe-wan protocol=\
    tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=21 in-interface=pppoe-wan protocol=\
    tcp to-addresses=192.168.1.10 to-ports=21
add action=dst-nat chain=dstnat dst-port=22 in-interface=pppoe-wan protocol=\
    tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=55536-55663 in-interface=pppoe-wan \
    protocol=tcp to-addresses=192.168.1.10 to-ports=55536-55663
add action=masquerade chain=srcnat out-interface="SaferVPN L2TP"
/ip firewall service-port
# The FTP conntrack helper watches port 2121 while the NAS FTP forward above
# is on port 21; if passive FTP through that forward misbehaves, this mismatch
# is the first thing to check.
set ftp ports=2121
set sip disabled=yes sip-direct-media=no
/ip route
# Used only by packets carrying routing-mark=L2TP (set in mangle above).
add distance=1 gateway="SaferVPN L2TP" routing-mark=L2TP
/ip service
# Telnet is still enabled (only moved to 2323) and is cleartext -- disable it
# like ftp below. www on 8080 is plain HTTP as well; prefer www-ssl or limit
# it with address=.
set telnet port=2323
set ftp disabled=yes
set www port=8080
set ssh port=2222
/ppp secret
# OpenVPN user (password not shown in this paste); paired with the client certificate.
add name=nikolav profile=VPN-PROFILE service=ovpn
/system clock
set time-zone-autodetect=no time-zone-name=Pacific/Auckland
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org
/system routerboard settings
set silent-boot=no

If the IP addresses given to VPN clients overlap with the LAN subnet, you need to enable proxy ARP on the LAN interface. To other LAN devices the VPN clients look like part of the local subnet, so they send an ARP request for them and get no reply. With proxy ARP enabled, the router will answer on behalf of the VPN client.

If you want to route traffic to internet through VPN server, you need to configure client to use it as default gateway.

Thanks Sob!
Can you help with the config? I should’ve probably mentioned that I’m a complete beginner when it comes to networking and Mikrotik. :slight_smile:


Nope, I probably don’t need that, if I can access the local network.

Take your LAN interface (in your case bridge named “LAN”) and change its default arp=enabled to arp=proxy-arp. That’s it.

Thanks, Sob
I tried with some other interfaces before and it didn’t work at all.
Now I can ping the router (192.168.1.1) from the remote PC, but can’t ping any of the internal hosts like 192.168.1.10, nor can I access them in any way. From the router, I can’t ping the remote PC (192.168.2.232). But now Winbox works with the internal address of the router.
Any idea how I can see the other host as well?
The whole idea of this exercise is to be able to access my NAS (192.168.1.10) remotely.

So now you have:

/interface bridge
add name=LAN protocol-mode=none arp=proxy-arp

Correct? If so, it should work. It’s not your firewall, it doesn’t block anything. It could be problem on client side, check if it has proper route to 192.168.1.0/24.

Hey Sob
Yes, it all looks correct to me:

/interface bridge
add arp=proxy-arp name=LAN protocol-mode=none

I’m not sure about the route though:
What I see in the export command is:

/ip route
add distance=1 gateway="SaferVPN L2TP" routing-mark=L2TP

I added this one manually for another VPN I use.
But I can see the route in the GUI:

I guess they are dynamic routes?
Should I make a static one?

P.S. One more thing. From the remote client, I can ping the router only if the VPN pool is 192.168.1.x. If it is 192.168.2.x I can’t ping it, nor can I use Winbox.

I meant routes on remote PC (VPN client). It needs to know that 192.168.1.0/24 is reachable via VPN. So check that.

And I thought the previous 192.168.2.232 was a typo, I don’t see that address or subnet anywhere in config you posted. If you changed VPN pool to different subnet, it removes the need for proxy ARP. But it can make things more difficult with firewalls on computers, because they often allow access only from local subnet by default.

I tried before with the 192.168.2.x subnet, but I changed the pool to 192.168.1.x now. I also added 192.168.1.0 to the config file of the client, but nothing changed. Still can’t ping beyond the router.

My config file:

# OpenVPN client profile for the MikroTik OVPN server (TCP/443).
client
dev tun
# Server listens with TCP on 443; these two lines must match the ovpn-server settings.
proto tcp-client
remote x.x.x.x 443
nobind
persist-key
persist-tun
# Server offers aes128/aes192/aes256 with sha1 HMAC (ovpn-server line in the
# router export); cipher and auth here must stay within that set.
cipher AES-256-CBC
auth SHA1
# Accept options pushed by the server. Per the thread, this server does not
# push routes, hence the explicit route at the end of the file.
pull
verb 2
mute 3

# Create a file 'user.auth' with a username and a password
#
# cat << EOF > user.auth
# user
# password
# EOF
# user.auth holds the PPP password in cleartext -- restrict it to the account
# running OpenVPN (chmod 600 / NTFS ACL) and keep it out of shares and backups.
auth-user-pass user.auth

# Copy the certificates from MikroTik and change
# the filenames below if needed
# NOTE(review): there is no "remote-cert-tls server" (or verify-x509-name), so
# any certificate issued by this CA -- another client's, for instance -- would
# be accepted as the server. Add "remote-cert-tls server" once the server
# certificate carries the serverAuth EKU; otherwise pin with verify-x509-name.
ca cert_export_MikroTik.crt
cert cert_export_nikolav@MikroTik.crt
# Private key: same file-permission rules as user.auth.
key cert_export_nikolav@MikroTik.key

# Route the home LAN over the tunnel (the server does not push it). The
# client's own tunnel address is inside this /24; if the office LAN also uses
# 192.168.1.0/24 this route will conflict with it -- worth checking first.
route 192.168.1.0 255.255.255.0

Sorry for the late reply, I missed the thread. Check what exactly happens. Either watch for packets using Tools->Torch, or add logging rules to different chains and you’ll see if they are correctly coming from the VPN, if they pass through the router, if any replies are coming back, where they go, etc. A packet from the VPN client should be seen in prerouting first, coming from the VPN interface, then in forward, next in postrouting leaving to the LAN. And the same for replies, only the incoming and outgoing interfaces will be swapped. At some step it will break, and depending on which one it is, it will tell you what’s wrong.

I am afraid there may be an issue with the interpretation of the config file at the client. In many cases, the route keyword within OpenVPN configuration just tells the OpenVPN software how to handle some destinations, but you have to tell the operating system separately to use the virtual OpenVPN interface as a gateway to these destinations. I usually see people hitting this in the opposite scenario, when they set the (single) OpenVPN interface of the server as a gateway towards subnets behind some OpenVPN clients, but don’t tell the OpenVPN server which subnets are behind which clients (using the iroute statement in the client-specific part of server configuration). In client mode there is no ambiguity (there is only one remote end), but I’m still not sure whether OpenVPN running in client mode automatically installs the OS-level routes if it only has them in its local configuration.

In an OpenVPN client setup against a Mikrotik server I’ve got prepared by someone else, there is a separate .bat file to install the route to Windows, whereas if the server is a non-Mikrotik one, and therefore capable of pushing routes to the client, this .bat file is not necessary and the OpenVPN client adds the routes received from the server to the routing table of the OS.

So instead of adding route 192.168.1.0 255.255.255.0 in your openvpn.conf, you may have to run route add 192.168.1.0 mask 255.255.255.0 192.168.1.1 (on Windows) or the equivalent command on Linux. 192.168.1.1 here is the router’s side of the tunnel, i.e. the local-address from VPN-PROFILE.

I realized I’m actually ABLE to ping most of the internal hosts… But so far I was trying with only one - 192.168.1.10. So I can ping say 192.168.1.101, which is some of my kid’s PCs. I can’t ping/access the only one I care about - 192.168.1.10, which is my NAS and which is behind another VPN client installed on the router - I’m using SaferVPN in that instance. The moment I put 192.168.1.10 outside of the SaferVPN setup I can ping and access it from the internal network.
So, what I need is to access this particular IP (192.168.1.10) when it IS behind the SaferVPN. This is the only reason I need to use the OpenVPN server on the router. Is it actually possible?

PS. Sindy, I tried this, but it didn’t help. I still can’t ping the remote PC from the router.

Cheers!

Ok, I missed this bit, now it makes sense. Exclude your VPN subnet from marking:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=L2TP passthrough=yes \
    src-address=192.168.1.10-192.168.1.20 dst-address=!<VPN subnet>

Hey Sob.
Still nothing. What I did is:

[admin@MikroTik] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=prerouting action=mark-routing new-routing-mark=L2TP passthrough=yes src-address=192.168.1.10-192.168.1.20 dst-address=192.168.1.220-192.168.1.234 
      log=no log-prefix=""

Don’t miss the ! in front of the address (it means “not”): dst-address=!192.168.1.220-192.168.1.234

.

O, yes, I missed it. Now it works! :slight_smile:
Thanks a lot, Sob!

In my simple case it helped to set local bridge interface with “arp=proxy-arp”

interface bridge set 0 arp=proxy-arp

After this setting my remotely connected PC started to ping other nodes in local network and vice-versa.
Thanks.