Port forwarding to Mikrotik VPN client not working

Please, I honestly need help.
We have our web application hosted on a VPServer with a public IP of 216.xx.xx.yy and a NATed private network (192.168.10.0/24) behind a CRS-125-24G Mikrotik router with a public IP of 41.xx.xx.xx.
What I want to achieve is to make the Mikrotik router a gateway in such a way that when our web application is accessed both from the local network (192.168.10.0/24) and from the internet via 41.xx.xx.xx on port 29000, we reach the VPServer on port 29000.

So, I set up the OpenVPN server on the Mikrotik and assigned 192.168.100.254 to the VPN client (VPServer), which is connecting fine.
I also port forwarded 41.xx.xx.xx on 29000 to 192.168.100.254 on 29000.

Achievement:

  1. From the NATed private network (192.168.10.0/24) we can access the web application using both the Mikrotik public IP (41.xx.xx.xx on 29000) and the VPN client IP (192.168.100.254:29000)
  2. The VPServer can access the web page on its VPN IP (192.168.100.254:29000)

But my challenges now are:

  1. We can't access the web application on the VPServer from the internet via 41.xx.xx.xx on 29000
  2. The VPServer can't access the web application using 41.xx.xx.xx on 29000

My Configuration file:

# jun/09/2022 12:06:29 by RouterOS 6.49.6
# software id = RG1P-CSDJ
# model = CRS125-24G-1S
# serial number = 944F07442FC9
/interface bridge
add arp=proxy-arp name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN rx-flow-control=auto tx-flow-control=auto
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool2 ranges=192.168.10.10-192.168.10.100
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 lease-time=23h name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1_WAN list=WAN
add interface=ether11 list=LAN
add list=LAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes require-client-certificate=yes
/ip address
add address=192.168.10.200/24 interface=bridge1 network=192.168.10.0
add address=41.xx.xx.xx interface=ether1_WAN network=41.xx.xx.xx
/ip arp
add address=192.168.10.254 disabled=yes published=yes
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.21,8.8.8.8 gateway=192.168.10.200 netmask=24
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=input dst-port=1194 in-interface=all-ppp log=yes log-prefix=ovpn protocol=tcp
add action=drop chain=input comment="Drop invalid connection" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow IPSec UDP" protocol=udp src-port=1701,500,4500
add action=accept chain=input comment="Allow IPSec" protocol=ipsec-esp
add action=accept chain=input log-prefix=WAN_icmp protocol=tcp
add action=accept chain=input comment="Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related disabled=yes
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="Drop invalid" connection-state=invalid disabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port for Connection" dst-address=41.xx.xx.xx dst-port=29000 log=yes log-prefix=29000 protocol=tcp to-addresses=192.168.100.254 to-ports=29000
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=41.xx.xx.xx
/ppp secret
add local-address=192.168.100.1 name=VPServer remote-address=192.168.100.254 service=ovpn

Thanks in advance

Pls can someone try to help me out on the above question?

  1) If the application doesn’t care about original source addresses, simple fix is:
/ip firewall nat
add chain=srcnat dst-address=192.168.100.254 protocol=tcp dst-port=29000 action=masquerade

Now the problem is that dstnat works, but if the client is e.g. 1.2.3.4 connecting to 41.xx.xx.xx, the server sees source 1.2.3.4, so it tries to respond to it directly using its main connection, but it doesn’t work, because the client expects the response from 41.xx.xx.xx. With this rule, the application will see 192.168.100.1 as source, will send the response back to the VPN server, and connection tracking will take care of the rest.

If the application does need to see original source addresses, this router can’t help you, it would have to be handled on VPServer.

  2) VPN server is this router and 41.xx.xx.xx is its own address, right? It won’t work with RouterOS v6, unless you’d use really ugly config (in fact, even worse when it’s local address). But do you really need router itself connecting to the application?

Edit: Scratch 2), I misread it. If it’s from VPServer, then 1) fixes that too.
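To make the reasoning in 1) concrete, here is an added Python model of the packet path (not code from the thread or from RouterOS): it shows the SYN-ACK escaping over VPServer's own uplink when only dst-nat is applied, and returning through the tunnel once the extra srcnat masquerade rule rewrites the source to 192.168.100.1. The addresses 41.0.0.1 and 1.2.3.4 are constructed stand-ins for 41.xx.xx.xx and an internet client, and VPServer's routing table is assumed to be the usual tunnel subnet plus a default route over its own connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's addresses: router WAN (41.xx.xx.xx)
# and the router's and VPServer's ends of the OpenVPN tunnel.
ROUTER_WAN, ROUTER_VPN, SERVER_VPN = "41.0.0.1", "192.168.100.1", "192.168.100.254"
PORT = 29000


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


# Assumed VPServer routing table: tunnel subnet via the VPN, everything else via its own uplink.
SERVER_ROUTES = [(ip_network("192.168.100.0/24"), "vpn"), (ip_network("0.0.0.0/0"), "public")]


def server_egress(dst: str) -> str:
    """Longest-prefix match: the interface VPServer uses to reach dst."""
    matches = [(n.prefixlen, iface) for n, iface in SERVER_ROUTES if ip_address(dst) in n]
    return max(matches)[1]


def router_forward(pkt: Pkt, hairpin_srcnat: bool) -> Pkt:
    """dst-nat 41.x:29000 -> 192.168.100.254:29000; optionally masquerade the source too."""
    if pkt.dst == ROUTER_WAN and pkt.dport == PORT:
        pkt = Pkt(pkt.src, SERVER_VPN, pkt.sport, PORT)
    if hairpin_srcnat and pkt.dst == SERVER_VPN and pkt.dport == PORT:
        pkt = Pkt(ROUTER_VPN, pkt.dst, pkt.sport, pkt.dport)  # the extra srcnat rule from 1)
    return pkt


def simulate(client: str, hairpin_srcnat: bool) -> str:
    """Source address the client sees on the SYN-ACK, or 'timeout' if it never arrives."""
    syn = router_forward(Pkt(client, ROUTER_WAN, 40000, PORT), hairpin_srcnat)
    syn_ack = Pkt(syn.dst, syn.src, PORT, syn.sport)  # VPServer answers whatever source it saw
    if server_egress(syn_ack.dst) == "public":
        # Reply leaves over VPServer's own uplink and never passes the router, so nothing
        # rewrites its source back to 41.x; the client expected 41.x and drops it.
        return "timeout"
    # Reply came back through the tunnel: the router's conntrack entry reverses both NATs.
    return ROUTER_WAN


if __name__ == "__main__":
    for hp in (False, True):
        print(f"hairpin srcnat={hp}: client sees {simulate('1.2.3.4', hp)}")
```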

Thanks Sob for your solution 1.
That solution 1 was what I used and it solved the problem.

Thanks so much