I want to make a VPN connection from a router for management purposes.
So I want to place this VPN in a separate VRF, so that the VPN cannot be accessed from the router's other interfaces; the VPN is only there to connect to the router remotely.
I have created the ovpn-client as usual, created a VRF table and placed the ovpn-client interface in that VRF. However, nothing happens: the tunnel is up and running, but I cannot access the router through it remotely.
I tried marking the connections from the VPN subnet and directing them to their own routing table, but I couldn't find an example for this use case.
If your use of VRF is just a direction you took for this, and not a hard requirement, you can achieve the same thing using a firewall forward rule.
Drop any forward traffic towards that interface. Your management traffic towards the router will only appear in the input and output chains, not in the forward chain.
Thanks for your answer! However, what if I have a local subnet which collides with the subnet of the VPN?
That way there will be a subnet collision in the routing table, which I can't solve with simple filtering, right?
I think I might have found why it did not work. I tried SSH and Winbox connections, and these services need to be set to the VRF where I want to use them, but I have not had time to test it yet.
This was the problem. If I move the services to that VRF it will work.
But what if I want to access it from multiple VRFs? Also, remote syslog does not seem to work in a different VRF (you can't set a VRF for it).
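As an added example of the "move the VPN and the services into their own VRF" approach described above (this is not configuration posted by anyone in the thread): it assumes RouterOS v7 syntax, an already working OpenVPN client interface named ovpn-mgmt, a VRF named mgmt, and that the LAN is on an interface called bridge. All of those names are assumptions.

```routeros
# Added example, RouterOS v7 syntax assumed. Interface name "ovpn-mgmt",
# VRF name "mgmt" and LAN bridge name "bridge" are assumptions.

# 1. Put the tunnel interface in its own VRF. A routing table named after
#    the VRF is created with it; the tunnel's connected route and any
#    routes pushed by the OVPN server land in that table, not in main.
/ip vrf
add name=mgmt interfaces=ovpn-mgmt

# 2. Bind the management services to that VRF. A service can live in one
#    VRF only, so after this Winbox and SSH answer on the tunnel and no
#    longer on the LAN. Restricting the source addresses is extra belt
#    and braces; 172.16.8.0/21 is the VPN prefix from the thread.
/ip service
set winbox vrf=mgmt address=172.16.8.0/21
set ssh vrf=mgmt address=172.16.8.0/21

# 3. The firewall still sees every packet. Allow only the management ports
#    in from the tunnel, drop everything else that arrives on it, and refuse
#    to forward anything into or out of it (it is a management path, not a
#    transit link).
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=ovpn-mgmt protocol=tcp dst-port=22,8291 \
    comment="admins over the management VPN"
add chain=input action=drop in-interface=ovpn-mgmt \
    comment="nothing else reaches the router via the tunnel"
add chain=forward action=drop in-interface=ovpn-mgmt \
    comment="no transit from the tunnel into the LAN"
add chain=forward action=drop out-interface=ovpn-mgmt \
    comment="no LAN device may talk into the tunnel"

# 4. Verify: the VPN prefix must appear in the mgmt table only, and the
#    two services must report vrf=mgmt.
/ip route print where routing-table=mgmt
/ip route print where routing-table=main
/ip service print detail where name=winbox
/ip service print detail where name=ssh
```

Two things to check before relying on this: firewall rules are evaluated in order, so the rules above must sit before any broad accept in an existing rule set (add them with place-before= if needed); and because the services are now bound to mgmt, a local Winbox or SSH session from the LAN stops working, which is exactly the single-VRF-per-service limitation raised later in the thread.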
Yes, VRF seems like a clean solution, but often it is just a little bit too limited... and the configuration is incoherent.
You always need to check the manual, because in some places you specify the VRF separately, while in other places you can use the address@vrf notation.
Still, every service operates in a single VRF, even when that is counter-intuitive. E.g. for the NTP client you can set only a single VRF and then an IP per server, but you would want @vrf independently for each server (so the router can sync to servers in different VRFs).
Yes, after using it for some days, I can see the problems with it in ROS…
Right now, what I have in mind is that I should create a separate bridge, place it in a different VRF, add some physical ports to it (so that I can manage the router locally) and place the VPN there as well.
Set the needed services to this VRF, so it can be accessed through that bridge.
I just don't know what I should do with services that do not seem to support VRF. Syslog is one of them: you can't define a VRF for it, and it does not accept the @vrf notation either...
The requirement is clear: something like Winbox in remotely via the iPhone over WireGuard, where the incoming admin can connect to the router. What makes you think this has anything to do with VRF???
A normal wireguard connection and knowledge of firewall rules will meet the requirements!
To spell it out for you in simple terms.
As should be understood from the above, the incoming remote WireGuard connection will have access to the router/Winbox.
Normally a local admin does this too, and thus the second rule.
The rest of the LAN still needs access to the router normally for DNS services (and sometimes NTP etc.).
On the forward chain side, we give the remote admin coming in access to any of the lan subnets.
With the use of drop rules at the end of both chains, no other traffic is permitted. Thus no one else can access the router for config purposes, and there are no rules permitting access from any LAN user to the wg interface.
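The rule set described in the post above, written out as an added example. These are not the poster's own rules (which are not reproduced on this page), and they also cover the earlier suggestion in the thread of simply dropping forwarded traffic towards the tunnel. Assumptions: RouterOS v7; LAN bridge named bridge with subnet 192.168.88.0/24; WAN on ether1; the tunnel interface is wg-mgmt on WireGuard port 13231 (an ovpn-client interface can be put in the same interface list, in which case the WireGuard listen-port rule is not needed); the local admin workstation is 192.168.88.10. None of these names or addresses come from the thread.

```routeros
# Added example. Assumed names: LAN bridge "bridge" (192.168.88.0/24),
# WAN "ether1", tunnel interface "wg-mgmt" (WireGuard, listen-port 13231;
# an ovpn-client interface can be used in its place), local admin host
# 192.168.88.10. Firewall-only design: the tunnel stays in the main VRF.

/interface list
add name=MGMT_VPN
/interface list member
add list=MGMT_VPN interface=wg-mgmt

/ip firewall filter
# ---- input chain: who may talk to the router itself ----
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=ether1 protocol=udp dst-port=13231 \
    comment="WireGuard handshake from the remote admin (skip for an ovpn-client)"
add chain=input action=accept in-interface-list=MGMT_VPN protocol=tcp dst-port=22,8291 \
    comment="rule 1: remote admin over the tunnel"
add chain=input action=accept in-interface=bridge src-address=192.168.88.10 protocol=tcp dst-port=22,8291 \
    comment="rule 2: local admin workstation"
add chain=input action=accept in-interface=bridge protocol=udp dst-port=53,123 \
    comment="LAN uses the router for DNS and NTP"
add chain=input action=accept in-interface=bridge protocol=tcp dst-port=53
add chain=input action=drop comment="nobody else reaches the router"

# ---- forward chain: what may transit the router ----
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=MGMT_VPN out-interface=bridge \
    comment="remote admin may reach LAN devices"
add chain=forward action=accept in-interface=bridge out-interface=ether1 \
    comment="LAN to internet"
add chain=forward action=drop out-interface-list=MGMT_VPN \
    comment="explicit: no LAN device may send into the tunnel"
add chain=forward action=drop comment="everything else"
```

The explicit drop towards MGMT_VPN is redundant when the chain ends with a drop-all, but it is the single rule the earlier reply was describing, and it is the one to keep if an existing rule set has no catch-all. Note what this design does not handle: the routing decision happens before the forward chain runs, so if a LAN prefix is identical to the prefix assigned on the tunnel, the firewall cannot tell the two apart. That is the overlap case for which the VRF approach is being discussed in this thread.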
Thanks for your detailed answer, I will look into it, but I think you have missed some key points about my config.
I'm using OpenVPN, not WireGuard (but this does not change much).
I'm connecting the router I want to configure to a VPN server! So the router is not a VPN server.
The problem comes from the fact that I get an IP address from the VPN server in the 172.16.8.0/21 subnet.
If I don't move the VPN connection to a different VRF and only use the firewall to block anyone from accessing the VPN subnet (172.16.8.0/21), and there is another local network with the same network and subnet mask, it won't work (the router will drop everything, because it thinks it is VPN traffic).
Am I missing something basic, or how could it be done that only specific local devices (i.e. a bridge) can access the VPN, you can access the router remotely through its VPN IP, and no one can access it otherwise?
You are correct, I have no clue how your network is cobbled together or why.
Seems pretty simple to me: use the VPN capability in MT and drop this OVPN server.
Done!
I can change to any kind of VPN, but it has to be a client on the MikroTik side, because these routers are usually behind CGNAT or do not have a public IP address. Also, I'm managing 50-100 devices/networks, so it is easier to connect to one VPN and access the routers there.
Once again, what you state is more confusing than helpful.
What do you mean MikroTik has to be the client side? The client side to what...
A. Do you mean the MT router's WireGuard has a publicly accessible WAN IP and thus can be used as a server?
B. Do you mean that the MT router is a client and does not have a publicly accessible WAN IP and thus connects to WHAT???
If you are connecting to other routers and not Linux/Android/Windows/iOS devices, and the other routers are not WireGuard capable, yeah, SOL, stuck with crappy other choices.
I never talked about Wireguard.
I have a VPS (Virtual Private Server) which has a PUBLIC IP, and I want to connect MikroTik routers (clients) to that server, because the MikroTik routers (clients) do not have any publicly accessible IP address.
Yes, exactly what I would like to achieve! Thanks for your diagram. However I did not find any working solution for this.
I'm open to other options as well, but the "client" networks behind these routers usually include several subnets, sometimes even overlapping with my VPN subnet. That's why it would be ideal if I could use a different VRF.
Yes, VRF support is there for OVPN; I can place the OVPN connection in its own VRF and it will work. However, some services in MikroTik do not support VRF, so I can't move management to a different VRF, because (for example) syslog can only use the main routing table. Also, I don't know if you can make some services available in multiple VRFs. For example, Winbox should be available locally as well. How is this usually done? Placing a port in the management VRF?
Services which are VRF aware can only work in ONE VRF. There is no multi-VRF-service feature in ROS (yet?).
So Winbox is either in MAIN or in "VRF-xy".
Yep, forwarding to syslog is not VRF-ready in ROS, but for that, as a temporary workaround maybe, you could do a route leak to the main table or a lookup for your target in the VRF and test it.
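An added example of the route-leak workaround just suggested, and of how the overlapping-subnet concern raised earlier in the thread is handled once the tunnel sits in its own VRF. This is my configuration, not the poster's. It assumes RouterOS v7, that a VRF named mgmt already holds the OpenVPN client interface ovpn-mgmt, that the VPN prefix is the 172.16.8.0/21 from the thread, and that the syslog collector is 172.16.8.10 on the VPN side; the VRF name, interface name and collector address are assumptions. The gateway=interface@vrf form is the RouterOS v7 route-leak notation.

```routeros
# Added example. Assumptions: VRF "mgmt" contains the tunnel interface
# "ovpn-mgmt"; the syslog collector is 172.16.8.10, reachable only via the VPN.

# Because the tunnel interface is in VRF mgmt, its connected route
# 172.16.8.0/21 is in the mgmt table. A LAN with the same 172.16.8.0/21
# stays in main and the two never compete for the same lookup.
/ip route print where routing-table=mgmt dst-address=172.16.8.0/21
/ip route print where routing-table=main dst-address=172.16.8.0/21

# The remote logging action has no VRF setting and resolves the collector
# in main, so leak ONE host route into main. The gateway "ovpn-mgmt@mgmt"
# tells main to hand the packet to the tunnel interface that lives in the
# mgmt VRF instead of resolving 172.16.8.10 against main's own routes.
/ip route
add dst-address=172.16.8.10/32 gateway=ovpn-mgmt@mgmt routing-table=main \
    comment="leak: syslog collector via the management VRF"

# Send logs to the collector. Syslog here is UDP, so no return path through
# main is needed; the collector sees the tunnel address as source.
/system logging action
set remote remote=172.16.8.10 remote-port=514 syslog-facility=local0
/system logging
add topics=system action=remote
add topics=error action=remote
add topics=critical action=remote

# Check: main must resolve the collector through the tunnel, and the rest
# of a local 172.16.8.0/21 (if any) must still resolve to the LAN.
/ip route print detail where routing-table=main dst-address=172.16.8.10/32
/log print
```

The caveat to keep in mind: the /32 leak is a normal entry in main, so it is used for forwarded LAN traffic as well as for the router's own packets. If a local 172.16.8.0/21 really does contain a host at 172.16.8.10, that host becomes unreachable from the LAN through this router, because the more specific route wins. Pick a collector address that does not overlap with any customer prefix, or put the collector on a distinct prefix on the VPS side, before using this on 50-100 sites.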
I still can’t understand your answers. This is a working system, not a hobby project where I can change anything I want.
And I still can't understand how this would benefit my case. Also, why would I use CHR? I could run a WireGuard server on a Linux server as well.
Even if I change to WireGuard, these questions remain: how can I ensure that some services are available through the VPN and locally as well, how can I separate the VPN tunnel from the other networks, etc...