OVPN for beginners

Hi.
I have a hAP ac2. I configured it following several tutorials (and spent several months on it).

laptop (wifi) —>mobile phone (tethering)—>|INTERNET|—>HAPAC2 (eth1=WAN) —>my pc (eth2=part of BridgeLAN (eth2-5, all WiFI) )

OVPN pool - 10.0.0.2-10.0.0.20
LAN - 90.90.90.0/24
When I'm connected via OVPN, from my laptop I can:

  1. ping 10.0.0.1
  2. ping 90.90.90.1

But I can't ping my PC (90.90.90.13).
My PC can ping 10.0.0.1 and 90.90.90.1 but can't ping the laptop.
The router can ping both.
How do I use OVPN to connect to my PC (e.g. RDP) or print on my WiFi printer?
When I try to use Remote Desktop, I can't access my PC.

I had the same problem when I initially setup a MikroTik as a VPN server (SSTP and OpenVPN). The solution I found (I don’t claim this is the best idea but it worked for the system I configured) is to change the /interface bridge arp setting to proxy-arp.

If anyone has a better/more secure suggestion, I’d like to hear about it.

I tried proxy-arp on Bridge and Bridge with eth ports (2-5) - still nothing.

Let me ask you something off-topic - why OpenVPN? It's slow…

I wrote a tutorial some time ago on an IPsec/IKEv2 VPN with certificates for remote access. Slightly slower than WireGuard, but a very well supported VPN type.
http://forum.mikrotik.com/t/ipsec-ike2-with-certificates-vpn-server-guide-for-remote-access/149434/1

OpenVPN can be slow but has the advantage that (in TCP mode) it survives CG-NAT which is still in common use and causes all sorts of problems for VPNs that use UDP. Plus, being natively supported in RouterOS, you do get some hardware acceleration to improve matters.

I tried IPsec and, you won't believe it, it's the same problem. I can't ping 90.90.90.13 or connect to the shared folder on 90.90.90.13. I can't ping 10.0.0.x from 90.90.90.13.

My PC can ping 10.0.0.1 and 90.90.90.1 but can’t ping laptop.
Router can ping both.

It's because you have the following rule in your router that allows pinging it from literally any IP:

/ip firewall filter add action=accept chain=input comment="Allow ICMP" protocol=icmp


OVPN pool - 10.0.0.2-10.0.0.20

Did you whitelist these IPs in your router? I am fairly sure you have this firewall rule that drops such traffic, because 10.0.0.2-10.0.0.20 is coming from the WAN interface and these are private IPs:

/ip firewall filter add action=drop chain=forward comment="Drop coming from WAN where source IP is private" in-interface-list=WAN src-address-list=not_in_internet

Before I suggest anything, I hope you have these rules at the top of your "forward" chain:

/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="Allow established,related" connection-state=established,related

Now add these rules above those 2 rules - you will allow traffic coming from 10.0.0.2-10.0.0.20 and bypass fasttrack. Someone correct me on how to mark OpenVPN traffic, I've never set up OpenVPN on MikroTik routers (there should be a separate interface?):

/ip firewall filter add action=accept chain=forward src-address=10.0.0.2-10.0.0.20
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.2-10.0.0.20

If you go with IPSEC, then adding these 2 rules instead is sufficient:

/ip firewall filter add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec

Let me know if you managed to fix it :)

More info on firewall: https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall
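The answer above reasons about which filter rule a packet hits first, and that depends on rule order and on list membership the thread never shows. The following is an added example, not code from this thread or from MikroTik: a small first-match simulator of the quoted RouterOS filter rules, used to check the two claims made above. It assumes an OVPN server interface named ovpn-in1, the LAN bridge name bridge_LAN from the NAT rules later in the thread, RFC1918 contents for the not_in_internet address list, and that action=fasttrack-connection marks the connection and lets the packet continue to the next rule (which is why the default RouterOS firewall follows it with a separate accept). The run shows that the "drop private from WAN" rule only eats VPN traffic if the OVPN interface has been added to the WAN interface list, that the two accept rules placed above FastTrack keep VPN connections out of fasttrack, and why pings to the router itself always work (input chain, "Allow ICMP").

```python
"""Constructed example: first-match walk through the RouterOS filter rules quoted in this thread.

Not code from the thread. Interface names, address-list contents and the
fasttrack-connection continue-to-next-rule behaviour are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def address_matches(spec: str, addr: str) -> bool:
    """RouterOS address syntax: a single IP, a CIDR prefix, or a 'first-last' range."""
    ip = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-", 1))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    chain: str
    action: str
    comment: str
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    in_interface_list: Optional[str] = None
    src_address_list: Optional[str] = None
    connection_state: Tuple[str, ...] = ()


@dataclass
class Packet:
    chain: str
    src: str
    dst: str
    in_interface: str
    protocol: str = "icmp"
    connection_state: str = "new"


# Assumed list contents; the thread never shows them.
ADDR_LISTS = {"not_in_internet": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}
WAN_ONLY_ETHER1 = {"WAN": {"ether1"}}            # OVPN interface kept out of the WAN list
WAN_WITH_OVPN = {"WAN": {"ether1", "ovpn-in1"}}  # hypothetical misconfiguration


def matches(r: Rule, p: Packet, iface_lists, addr_lists) -> bool:
    """All matchers set on the rule must hold; unset matchers are wildcards."""
    return (
        r.chain == p.chain
        and (r.protocol is None or r.protocol == p.protocol)
        and (r.src_address is None or address_matches(r.src_address, p.src))
        and (r.dst_address is None or address_matches(r.dst_address, p.dst))
        and (r.in_interface_list is None or p.in_interface in iface_lists[r.in_interface_list])
        and (r.src_address_list is None
             or any(address_matches(s, p.src) for s in addr_lists[r.src_address_list]))
        and (not r.connection_state or p.connection_state in r.connection_state)
    )


def evaluate(rules, p: Packet, iface_lists, addr_lists=ADDR_LISTS):
    """Return (action, comment, fasttracked) for the first terminating rule, or the chain default."""
    fasttracked = False
    for r in rules:
        if not matches(r, p, iface_lists, addr_lists):
            continue
        if r.action == "fasttrack-connection":
            fasttracked = True  # assumed: marks the connection, packet continues down the chain
            continue
        return r.action, r.comment, fasttracked
    return "accept", "end of chain (no rule matched; RouterOS default)", fasttracked


# Rules quoted in the answer above, in the order it recommends.
VPN_ACCEPT = [
    Rule("forward", "accept", "Allow OVPN src", src_address="10.0.0.2-10.0.0.20"),
    Rule("forward", "accept", "Allow OVPN dst", dst_address="10.0.0.2-10.0.0.20"),
]
BASE = [
    Rule("input", "accept", "Allow ICMP", protocol="icmp"),
    Rule("forward", "fasttrack-connection", "FastTrack", connection_state=("established", "related")),
    Rule("forward", "accept", "Allow established,related", connection_state=("established", "related")),
    Rule("forward", "drop", "Drop coming from WAN where source IP is private",
         in_interface_list="WAN", src_address_list="not_in_internet"),
]

# Constructed packets for the three cases discussed in the thread.
LAPTOP_TO_PC = Packet("forward", "10.0.0.5", "90.90.90.13", in_interface="ovpn-in1")
PC_TO_LAPTOP = Packet("forward", "90.90.90.13", "10.0.0.5", in_interface="bridge_LAN",
                      connection_state="established")
LAPTOP_TO_ROUTER = Packet("input", "10.0.0.5", "90.90.90.1", in_interface="ovpn-in1")

if __name__ == "__main__":
    scenarios = [("base, ovpn not in WAN", BASE, WAN_ONLY_ETHER1),
                 ("base, ovpn in WAN", BASE, WAN_WITH_OVPN),
                 ("vpn accept first, ovpn in WAN", VPN_ACCEPT + BASE, WAN_WITH_OVPN)]
    for name, rules, lists in scenarios:
        for p in (LAPTOP_TO_ROUTER, LAPTOP_TO_PC, PC_TO_LAPTOP):
            print(f"{name:32} {p.src:>12} -> {p.dst:<12} {evaluate(rules, p, lists)}")
```

The practical check this encodes: run `/interface list member print` on the router and confirm the OVPN (or IPsec-bound) interface is not a member of WAN; if it is, the private-source drop rule explains the symptom and the accept rules above FastTrack are the fix. Also note that the accept-by-address rules deliberately catch established VPN traffic before the FastTrack rule, so VPN connections are never fasttracked.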

Thanks erkexzcx.
You helped me.
I added:

/ip firewall filter add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
/ip firewall filter add action=accept chain=forward src-address=10.0.0.2-10.0.0.20
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.2-10.0.0.20

I connected via OVPN and pinged from the laptop to the PC: nothing. I wanted to write: IT'S STILL NOT WORKING.
I checked NAT for OVPN (seems all OK for OVPN):

     chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=90.90.90.0/24 out-interface=bridge_LAN log=no log-prefix="" 
     chain=srcnat action=masquerade src-address=90.90.90.0/24 dst-address=10.0.0.0/24 out-interface=xray_s log=no log-prefix=""

This should work with your firewall rules.
I removed both and added them once again, and TADDDAAAAAA - IT WORKS.

Small question:
At my work we have 3 shops: the main one with the DB and 2 connected to the main one. All use the IP range 192.168.1.0/24, and there are 3 ISPs.
Is it possible to make one "range" with OVPN/IPsec (of course after a clean-up)?