I am trying to use a Mikrotik (192.168.100.17) as an OpenVPN server while leaving the primary router (192.168.100.1) in place. My goal is to have the WAN port of the Mikrotik using a Public IP and have VPN users connect to that. However, I would like the Mikrotik to be on the LAN and communicate with the devices on the network. I’ve included a picture of what I am attempting.
I am able to connect with OpenVPN and get a 192.168.8.x address.
If I set the Mikrotik to 192.168.100.1 and make it the primary router for this network, I am able to ping and connect to stuff on the 192.168.100.x network.
If I set the Mikrotik to 192.168.100.17 and connect with OpenVPN I am not able to ping and connect to stuff on the 192.168.100.x network.
I believe this is because the Mikrotik is not routing the traffic when it is not acting as a router for 192.168.100.x network, but I’m not sure and it’s a little above my scope of knowledge.
Mikrotik Config
/interface bridge add admin-mac=XXXXXXXX auto-mac=no comment=defconf name=bridge
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip dhcp-server add interface=bridge name=defconf
/ip pool add name=vpn-pool ranges=192.168.8.50-192.168.8.55
/ppp profile add dns-server=8.8.8.8 local-address=192.168.8.1 name=vpn-profile remote-address=vpn-pool use-encryption=yes
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 default-profile=vpn-profile enabled=yes require-client-certificate=yes
/ip address add address=192.168.100.17/24 comment=defconf interface=bridge network=192.168.100.0
/ip address add address=XXXXX/24 interface=ether1 network=XXXXX
/ip cloud set ddns-enabled=yes
/ip dhcp-client add comment=defconf interface=ether1
/ip dhcp-server network add address=192.168.100.0/24 comment=defconf gateway=192.168.100.1 netmask=24
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=accept chain=input dst-port=80 protocol=tcp
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add distance=1 gateway=XXXXXX
/ppp secret add name=XXX password=XXX profile=vpn-profile
/system clock set time-zone-name=America/New_York
/system identity set name="XXXXX"
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
OpenVPN Config
client
# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote XXXXX 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key
# Verify server certificate by checking that the
# certicate has the correct key usage set.
# This is an important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the keyUsage set to
# digitalSignature, keyEncipherment
# and the extendedKeyUsage to
# serverAuth
# EasyRSA can do this for you.
remote-cert-tls server
# If a tls-auth key is used on the server
# then every client must also have the key.
#tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
# Note that 2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-128-CBC
auth SHA1
auth-user-pass
#redirect-gateway def1
#the ABOVE command was routing all traffic across VPN - which is bad in most cases.
route-nopull
route 192.168.100.0 255.255.255.0
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
#tls-cipher DEFAULT
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
# Mikrotik accepts a CA cert
<ca>
XXX
</ca>
# Mikrotik expects a VPN Client Certificate
<cert>
XXX
</cert>
# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
XXX
-----END ENCRYPTED PRIVATE KEY-----
</key>
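
Added example, not part of the original post and not the poster's own configuration. The symptom above is what asymmetric routing looks like: the Mikrotik does forward a VPN client's packet onto the bridge, but the LAN host answers a 192.168.8.x address by sending the reply to its default gateway 192.168.100.1, which has no route for 192.168.8.0/24. The reply never comes back to the Mikrotik, so only when the Mikrotik is itself the gateway (replies land on it) does it work. The RouterOS commands below give the two usual fixes plus the input-chain rules the exported firewall needs to expose only the OpenVPN port on WAN; they assume the interface names, addresses, pool and rule comments from the export above, and the route line for the primary router assumes that device is also RouterOS (if it is something else, add the equivalent static route in its own UI).

```routeros
# Added example, not the poster's config. Assumes the names from the export
# above: bridge, 192.168.100.17/24 on the bridge, VPN pool in 192.168.8.0/24.

# Option A (no change on the primary router): hide VPN clients behind the
# Mikrotik's LAN address. LAN hosts then see 192.168.100.17 as the source and
# reply straight to it, so no return route for 192.168.8.0/24 is needed.
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=192.168.8.0/24 out-interface=bridge \
    comment="VPN clients -> LAN (masquerade as 192.168.100.17)"

# Option B (keeps the real 192.168.8.x addresses visible to LAN hosts, useful
# for LAN-side logging or ACLs): leave NAT alone and give the primary router a
# return route. If 192.168.100.1 is also RouterOS that is:
#   /ip route add dst-address=192.168.8.0/24 gateway=192.168.100.17
# On any other router, add the same static route (192.168.8.0/24 via 192.168.100.17).

# Input chain: the export ends with "drop all not coming from LAN" and a plain
# 'add' appends AFTER that drop, where it never matches. Use place-before so
# the new accepts land in front of it.

# 1) Reach the OpenVPN server on the WAN interface only (tcp/1194 is the
#    RouterOS default port; require-client-certificate=yes stays as exported).
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=1194 \
    in-interface-list=WAN comment="OpenVPN server" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 2) Let connected clients talk to the router itself (192.168.8.1 for DNS).
/ip firewall filter add chain=input action=accept src-address=192.168.8.0/24 \
    comment="VPN clients to router" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Quick checks from the Mikrotik once a client is connected:
/ip firewall filter print where chain=input
/ip firewall connection print where src-address~"192.168.8."
/ping 192.168.100.1 src-address=192.168.8.1
```

Pick one of A or B, not both; with A the LAN never sees 192.168.8.x addresses, so a return route is pointless. Unrelated to the routing problem but worth checking in the same export: the Mikrotik also runs a DHCP server on the bridge (`/ip dhcp-server add interface=bridge`) while 192.168.100.1 is the real gateway, so if the primary router is already handing out leases there are two DHCP servers on one segment; `/ip dhcp-server disable defconf` removes the Mikrotik's.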
