OVPN port forwarding

Uzusama · January 9, 2020, 3:06pm

Hi all,

I used to have OVPN running on my NAS, To get it working I just need to add the NAS ip and port to the dlink router port forwarding setting. After changing to Mikrotic router and following the guides to do port forwarding . But my phone still fail to connect to ovpn server. could you please help to see if i have set wrongly?

router ip is 192.168.0.1
ovpn ip is 192.168.0.135 port 1194

https://www.reddit.com/r/mikrotik/comments/ces0ge/port_forwarding_for_pivpn_openvpn/
http://forum.mikrotik.com/t/forward-ports-for-openvpn/103228/1
https://monovm.com/blog/port-forwarding-on-mikrotik/

below is the firewall rules

/ip firewall filter
add action=accept chain=input comment=“defconf: accept established,related,untracked”
connection-state=established,related,untracked
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500 protocol=udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=accept chain=input comment=“allow pptp” dst-port=1723 protocol=tcp
add action=accept chain=input comment=“allow sstp” dst-port=443 protocol=tcp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“defconf: accept to local loopback (for CAPsMAN)”
dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=
in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=
out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=“defconf: accept established,related, untracked”
connection-state=established,related,untracked
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-address=192.168.0.135 dst-port=1194 in-interface=ether1
protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none
out-interface-list=WAN
add action=dst-nat chain=dstnat comment=“OVPN port forward 1194” dst-address=192.168.0.135
dst-address-type=local dst-port=1194 in-interface=ether1 protocol=udp to-addresses=
192.168.0.135

Sob · January 9, 2020, 3:11pm

Remove dst-address=192.168.0.135 from dstnat rule. And you don’t need forward the filter rule you added, because these packet are already allowed.