OpenVPN Server with Dual WAN

TwIXx · October 16, 2024, 7:19pm

Hi there,

I have set up around two years ago an OpenVPN Server, that I can connect to my hown when I’m in holidays.
I didn’t used the OpenVPN Server for several months. Now I tried to connect from my phone and it didn’t work again.
It works, from my PC or phone, when I’m in the local LAN, but not from external.

I have a Dual WAN setup ISP1 (Public IP: 1XX.XXX.XXX) in is ether1 and ISP2 (Public IP: 2XX.XXX.XXX) in is ether 2.
The VPN connection should go over ISP1 and Port 2096. I have set up a DDNS for the IP of ISP1.

These is an export from my configuration:

# 2024-10-16 21:04:32 by RouterOS 7.15.3
# software id =
#
# model = RB5009UG+S+
# serial number =
/interface bridge
add admin-mac=DC:2C:6E:DD:5C:DC auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridgeLocal port-cost-mode=short \
    vlan-filtering=yes
/interface vlan
add interface=bridgeLocal name=vlan-standard vlan-id=1
add interface=bridgeLocal name=vlan-wlan vlan-id=20
add interface=bridgeLocal name=vlan-wlan-guest vlan-id=30
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.254
add name=OVPN-pool ranges=192.168.10.100-192.168.10.200
add name=wlan ranges=192.168.20.1-192.168.20.254
add name=wlan-guest ranges=192.168.30.1-192.168.30.254
/ip dhcp-server
add address-pool=dhcp interface=vlan-standard lease-time=10m name=lan
add address-pool=wlan interface=vlan-wlan name=wlan
add address-pool=wlan-guest interface=vlan-wlan-guest name=wlan-guest
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
set *FFFFFFFE bridge=bridgeLocal local-address=192.168.10.1 remote-address=\
    OVPN-pool
/routing table
add disabled=no fib name=Thurcom
add disabled=no fib name=UPC
add disabled=no fib name=Proton
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether1 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5 internal-path-cost=10 path-cost=10 pvid=20
add bridge=bridgeLocal comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10 pvid=30
add bridge=bridgeLocal comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set accept-redirects=no disable-ipv6=yes forward=no
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether3 vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether3 vlan-ids=30
add bridge=bridgeLocal tagged=bridgeLocal,ether3 vlan-ids=1
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
add interface=ether2 list=WAN
add interface=vlan-standard list=LAN
add interface=vlan-wlan list=LAN
add interface=vlan-wlan-guest list=LAN
/interface ovpn-server server
set auth=sha1,md5 certificate=SERVER cipher=\
    blowfish128,aes128-cbc,aes192-cbc,aes256-cbc default-profile=\
    default-encryption enabled=yes port=2096 require-client-certificate=yes
/ip address
add address=192.168.2.1/24 comment=LAN interface=vlan-standard network=\
    192.168.2.0
add address=192.168.10.1/24 comment=VPN interface=vlan-standard network=\
    192.168.10.0
add address=192.168.3.1/24 comment=IoT interface=vlan-standard network=\
    192.168.3.0
add address=192.168.20.1/24 interface=vlan-wlan network=192.168.20.0
add address=192.168.30.1/24 interface=vlan-wlan-guest network=192.168.30.0
add address=10.2.0.2/30 interface=*12 network=10.2.0.0
/ip arp
add address=192.168.3.3 comment="Wechselrichter 1" interface=vlan-standard \
    mac-address=A8:10:87:97:D9:F4
add address=192.168.3.4 comment="Wechselrichter 2" interface=vlan-standard \
    mac-address=24:0B:B1:1B:28:DF
add address=192.168.2.6 interface=vlan-standard mac-address=DC:2C:6E:D6:24:15
add address=192.168.2.3 interface=vlan-standard mac-address=00:22:58:93:96:7A
add address=192.168.2.2 interface=vlan-standard mac-address=A4:BB:6D:63:30:B6
add address=192.168.2.5 interface=vlan-standard mac-address=A4:2B:B0:1D:F0:09
add address=192.168.2.223 comment="Wechselrichter 3" interface=vlan-standard \
    mac-address=84:D6:C5:57:56:81
/ip cloud
set ddns-update-interval=10m
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
add interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.2.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.2.1 \
    netmask=24
add address=192.168.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes max-concurrent-tcp-sessions=30 servers=\
    1.1.1.1,1.0.0.1 use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=\
    yes
/ip firewall address-list
add address=173.245.48.0/20 list=Cloudflare
add address=103.22.200.0/22 list=Cloudflare
add address=103.21.244.0/22 list=Cloudflare
add address=103.31.4.0/22 list=Cloudflare
add address=141.101.64.0/18 list=Cloudflare
add address=108.162.192.0/18 list=Cloudflare
add address=190.93.240.0/20 list=Cloudflare
add address=188.114.96.0/20 list=Cloudflare
add address=197.234.240.0/22 list=Cloudflare
add address=198.41.128.0/17 list=Cloudflare
add address=162.158.0.0/15 list=Cloudflare
add address=104.16.0.0/13 list=Cloudflare
add address=104.24.0.0/14 list=Cloudflare
add address=172.64.0.0/13 list=Cloudflare
add address=131.0.72.0/22 list=Cloudflare
add address=192.168.2.2 list=Thurcom-Routing
add address=192.168.2.10 list=Thurcom-Routing
add address=192.168.2.17 list=ProtonVPN
/ip firewall filter
add action=drop chain=input comment="Drop Winbox from WAN" dst-port=8291 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=accept chain=input comment="OVPN pass" dst-port=2096 in-interface=\
    ether1 protocol=tcp
add action=accept chain=forward comment="HTTPS pass" connection-nat-state=\
    dstnat connection-state=new dst-port=443 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop all incoming" disabled=yes \
    in-interface-list=!LAN log=yes log-prefix=drop
add action=accept chain=input comment="Allow all incoming from Subnet" \
    protocol=tcp src-address=192.168.2.0/24
add action=drop chain=forward comment="Drop all from IoT" disabled=yes \
    out-interface-list=WAN src-address=192.168.3.0/24
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    disabled=yes log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow all from WLAN to Local LAN" \
    connection-state=new disabled=yes in-interface=vlan-wlan log=yes \
    log-prefix=VLAN out-interface=vlan-standard
add action=accept chain=forward comment="Allow all from Local LAN to WLAN" \
    connection-state=new disabled=yes in-interface=vlan-standard log=yes \
    log-prefix=VLAN out-interface=vlan-wlan
add action=drop chain=forward comment="Drop all from Guest WLAN to Local LAN" \
    disabled=yes in-interface=vlan-wlan-guest out-interface=vlan-standard
/ip firewall mangle
add action=accept chain=prerouting comment=Accept dst-address=\
    1XX.XXX.XXX.0/22 dst-address-type=!local
add action=accept chain=prerouting dst-address=2XX.XXX.0/21 \
    dst-address-type=!local
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting comment="Accept for Wechselrichter" \
    dst-address=192.168.3.0/24 in-interface=vlan-standard
add action=accept chain=prerouting dst-address=192.168.3.0/24 in-interface=\
    vlan-wlan
add action=accept chain=prerouting dst-address=192.168.20.0/24 in-interface=\
    vlan-standard
add action=mark-connection chain=input comment=Input dst-address-type=!local \
    in-interface=ether1 new-connection-mark=Thurcom passthrough=no
add action=mark-connection chain=input dst-address-type=!local in-interface=\
    ether2 new-connection-mark=UPC passthrough=no
add action=mark-connection chain=prerouting comment=Mark-con \
    dst-address-type=!local in-interface=ether1 new-connection-mark=Thurcom \
    passthrough=no
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=ether2 new-connection-mark=UPC passthrough=no
add action=mark-connection chain=prerouting comment=PCC dst-address-type=\
    !local in-interface=bridgeLocal new-connection-mark=Thurcom passthrough=\
    no per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface=bridgeLocal new-connection-mark=UPC passthrough=no \
    per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=output comment=Output connection-mark=Thurcom \
    new-routing-mark=Thurcom passthrough=no
add action=mark-routing chain=output connection-mark=UPC new-routing-mark=UPC \
    passthrough=no
add action=mark-routing chain=prerouting comment=Mark-Route connection-mark=\
    Thurcom disabled=yes in-interface=bridgeLocal new-routing-mark=Thurcom \
    passthrough=no
add action=mark-routing chain=prerouting connection-mark=UPC disabled=yes \
    in-interface=bridgeLocal new-routing-mark=UPC passthrough=no
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=Thurcom passthrough=no src-address-list=Thurcom-Routing
add action=mark-routing chain=prerouting comment=ProtonVPN disabled=yes \
    dst-address-type=!local new-routing-mark=Proton passthrough=no \
    src-address-list=ProtonVPN
add action=mark-routing chain=prerouting dst-address-type=!local \
    in-interface=all-vlan new-routing-mark=UPC passthrough=no
add action=mark-routing chain=prerouting comment=Laptops dst-address-type=\
    !local new-routing-mark=UPC passthrough=yes src-mac-address=\
    C8:5A:CF:8E:06:A2
add action=mark-routing chain=prerouting dst-address-type=!local \
    new-routing-mark=UPC passthrough=yes src-mac-address=0C:7A:15:94:3A:4A
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp \
    src-address-list=Cloudflare to-addresses=192.168.2.2 to-ports=443
add action=masquerade chain=srcnat disabled=yes out-interface=ether2 \
    src-address=192.168.2.238
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=masquerade chain=srcnat comment="Allow VPN Subnet to LAN" \
    dst-address=192.168.2.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Allow LAN Subnet to IoT" \
    dst-address=192.168.3.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="Allow WLAN Subnet to IoT" \
    dst-address=192.168.3.0/24 src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="Allow WLAN to LAN" dst-address=\
    192.168.2.0/24 src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment="Allow LAN to WLAN" dst-address=\
    192.168.20.0/24 src-address=192.168.2.0/24
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=1XX.XXX.XXX.1 pref-src=0.0.0.0 \
    routing-table=Thurcom suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=2XX.XXX.XXX.1 pref-src=\
    0.0.0.0 routing-table=UPC scope=30 suppress-hw-offload=no target-scope=10
add comment=Proton disabled=yes distance=1 dst-address=0.0.0.0/1 gateway=\
    10.2.0.1 pref-src=0.0.0.0 routing-table=Proton scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=Proton disabled=yes distance=1 dst-address=128.0.0.0/1 gateway=\
    10.2.0.1 pref-src=0.0.0.0 routing-table=Proton scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet address=192.168.2.0/24 disabled=yes
set ftp address=192.168.2.0/24 disabled=yes
set www address=192.168.2.0/24 disabled=yes
set ssh address=192.168.2.0/24
set api address=192.168.2.0/24 disabled=yes
set winbox address=192.168.2.0/24,192.168.20.0/24
set api-ssl address=192.168.2.0/24 disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=OVPN-cyrill profile=default-encryption remote-address=192.168.10.100
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.2.238/32 \
    table=UPC
/system clock
set time-zone-name=Europe/Zurich
/system logging
add topics=dns
/system note
set note=\
    "Authorized administrators only. Access to this device is monitored."
/tool bandwidth-server
set enabled=no
/tool sniffer
set filter-dst-ip-address=192.168.3.3/32 filter-interface=all \
    filter-src-ip-address=192.168.2.10/32

Does anyone of you have an idea, what the problem could be?

Regards,
TwIXx