OVPN ip vs ethernet

Hi!
Recently I set up an OpenVPN server on Mikrotik in IP (tun) mode (Mikrotik to Mikrotik). Everything worked fine, the servers (which are behind the Mikrotiks) can see each other, but when I connect a Linux machine directly to the VPN I can't ping any of the servers. I get the VPN IP 172.16.10.70 but I cannot ping 192.168.0.200.
I understand it’s because of the IP/Ethernet (Tun/Tap) setting.
Can I change the IP/Ethernet setting without messing up my config?
I understand that if I use Ethernet mode I have to put LAN & VPN interfaces into one Bridge, is that correct?

Hi,

If you get an IP of 172.16.10.70 (Linux box?) and are trying to ping 192.168.0.200 (one of the servers behind the VPN?), this sounds like a routing/firewall issue.

You should add routes to send the traffic for the networks you want to reach via the correct gateway (the other end of the VPN).

But should it work with my TUN configuration?

Yes, adding routes should work with a TUN configuration.
Depending on the scale of your deployment and the effort you want to put in admin, you can just add a static
route to your MikroTik or you can use an automatic routing protocol like BGP.
I would normally use BGP for this, just add the networks you want to route and the peer under Routing->BGP
under the AS number that is already there by default (65530).

The problem was with routing. Now my Linux machine works fine, but Windows won't get a default route. I understand it's not possible to push routes from the server side on Mikrotik?

That is correct. That is why I suggest the use of BGP. But a manual route setting is possible as well.

Is it possible to add something to the clients .ovpn file to push a route?

When you distribute your own .ovpn files to clients there is a lot that can be done.
I do that myself, but I don’t use the MikroTik OpenVPN server because it is such a pile of sh*t. (sorry)

When you want to set up an OpenVPN service that is reasonably capable and can use a more reasonable
setup like UDP protocol, compression, pushing of routes from the server side, etc. you really need to
set up a separate server for that, e.g. running the Linux open-source OpenVPN package.
For “install and forget” operation you could also consider a proprietary OpenVPN appliance.

pe1chl

I know that even a Raspberry Pi would do better.

Yes, when the performance is good enough for your purpose that certainly is the better option!
At least until the mythical “version 7 RouterOS” is finally released (which promises to solve these issues).

Until the new version is released can I redirect all my traffic to the VPN connection on a Windows client?

Maybe by adding something like: push "redirect-gateway"?? What is the correct syntax for Windows to work with this?

No, the OpenVPN server can do nothing like that.
When you install OpenVPN on a Raspberry Pi, of course it is possible.
In the server config you would write: push "route 192.168.0.0 255.255.0.0"
It should also be possible to write the route line in the .ovpn file (without push).

Yes, I understand that ROS has a limited version of OpenVPN, but can I add some line to the CLIENT (Windows machine) .ovpn file to make the VPN the default route?

That is what I wrote: you could put a route line in the .ovpn file and see if that works.

Added

redirect-gateway autolocal

and it works fine
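
The two client-side options discussed in this thread, side by side, as an added example that is not part of any poster's message. It is a constructed .ovpn fragment: the network comes from the thread, the `def1` flag and `block-outside-dns` line are additions, and it assumes the client learns its VPN gateway from the server-supplied tunnel addresses.

```conf
# Constructed client-side .ovpn fragment (routing lines only).
# Enable exactly one of Option A or Option B.

# Option A, split tunnel: only the remote LAN is routed through the VPN.
# With no gateway argument, the route uses the VPN gateway.
# Everything else keeps using the client's normal default route.
route 192.168.0.0 255.255.0.0

# Option B, full tunnel: all IPv4 traffic is routed through the VPN.
#   autolocal  skip the host route to the server if it is on the client's own subnet
#   def1       add 0.0.0.0/1 and 128.0.0.0/1 instead of replacing the existing default route
# This option covers IPv4 only; IPv6 traffic is not redirected by these flags.
;redirect-gateway autolocal def1

# Windows clients using Option B: block DNS queries on non-VPN adapters so
# name lookups do not bypass the tunnel (assumption: OpenVPN 2.3.9 or later).
;block-outside-dns
```

After connecting, `route print` on Windows or `ip route` on Linux shows which of the two sets of routes was installed, which is the quickest way to confirm whether traffic to the internet is inside or outside the tunnel.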