OVPN connection doesn't work with ping or other traffic

RouterOS General
1

I have an openVPN server which allows me to connect through a VPN to my network. I want to make it possible for all devices on a LAN to connect through my local router to the remote network.

The networks in play:

  • 88 my local subnet


  • 22 the subnet used by openVPN server DHCP


  • 20 the remote subnet where all the devices I want to connect to are located

Currently the OVPN server acts as a NAT from 22 to 20 and back. I don’t want to change this.

I want to have it work that when I request a subnet 20 IP I get routed through the tunnel towards the network.

Current situation:
I have set up the following things:

  • a OVPN Client interface “ovpn-out1”, which connects to my server fine.


  • a DHCP client on “ovpn-out1” but this doesn’t work giving me an error saying that:
interface is not running (6



  • a NAT in the firewall as follows:
 out-interface=ovpn-out1
chain=srcnat
action=masquerade



  • routing destined for subnets 20 and 22 to gateway ovpn-out1 which it says is reachable

I seem to have gotten an IP as pinging 22.2 works but the gateway is still unreachable.

What am I doing wrong? As far as I understand it should be possible to have the router act as a middleman which relays messages destined for subnet 20 through the VPN tunnel and it’s server.

2

So I have found that the router does have an IP for the OVPN connection (so I removed the non working DHCP client) and the correct routing tables are set up to route through the OVPN server when the network is needed.
My routing table for these subnets is as follows and indicates to me that it should be able to route any subnet 20 and 22 request through 192.168.22.1

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 2 ADS  192.168.20.0/24                    192.168.22.1              1
 3 ADC  192.168.22.0/24    192.168.22.2    ovpn-out1                   0

I have set up the following srcnat

/interface list add name=VPN
/interface list member add comment=VPN interface=ovpn-out1 list=VPN
/ip firewall nat add action=masquerade chain=srcnat comment="VPN masquerade" ipsec-policy=out,none log=yes log-prefix=NAT out-interface-list=VPN

I have enabled the logging on the following firewall filter rule:

/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

However when I try to ping 192.168.22.1 from the router I get timeouts and only the outgoing traffic on the NAT is logged.

NAT srcnat: in:(unknown 0) out:ovpn-out1, proto ICMP (type 8, code 0), 192.168.22.2->192.168.22.1, len 56

No responses are logged. So the next important question is, how can I log the incoming ping responses? I know that 192.168.22.1 respons to ping as when I connect with another device and ping, it responds.

3

IP Firewall Mangel Mark an incoming connection with action= log and log prefix.

4 
 chain=input action=log src-address-list=<list of remote LAN addresses to filter out all the WAN noise> log=yes log-prefix="mark"

None logs from this mangle rule.

5

@trick2011

You can also use /tools torch and filter it the way you want.
2022-01-12_11-35-39.png

6

[quote=GregoryVenegas post_id=904837 time=1641978061 user_id=188200]
I never tried this Open VPN. But I am interested in this one and I have already heard about it. I also want to get more details. Thank you so much!
[/quote]

The current version of UDP has bugs if you don’t want to have a bad experience on your first try of this protocol don’t do it with this version. Other than reset due to TLS failing after 61min, it’s all good.