Hi,
I’m trying to set up Open VPN server on my mikrotik. I have generated certificates and I get connected but, when I’m connected through VPN I can not:
a) Connect to my mikrotik router to any of it’s IPs: Let’s say 192.168.10.1
b) I would like to resolve DNSs from my Mikrotik to my VPN clients, but I can’t. if i put dns-server=192.168.10.1 to my OVPN profile, I can’t resolve DNS when I’m connected to VPN and I can ping 192.168.10.1.
I have commented out my public Network xxx.xxx.xxx.xxx
This is my config:
# mar/05/2018 09:40:43 by RouterOS 6.41.2
# software id = T1Q8-0MEJ
#
# model = 1100AHx2
/interface bridge
add fast-forward=no name="Bridge CCTV"
add fast-forward=no name="Bridge Invitado"
add fast-forward=no name="Bridge OVPN"
add fast-forward=no name="Bridge Oficina"
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN0"
set [ find default-name=ether2 ] name="ether2 WAN1"
set [ find default-name=ether3 ] name="ether3 LAN"
set [ find default-name=ether4 ] name="ether4 - TOTA"
set [ find default-name=ether6 ] name="ether6 - LAN"
set [ find default-name=ether7 ] name="ether7 - WIFI"
/interface ovpn-server
add name=ovpn-xxxx user=xxxx
add name=ovpn-xxxx user=xxxx
/interface list
add exclude=dynamic name=discover
add name=WAN_interfaces
add name=LOCAL_interfaces
/ip pool
add name=dhcp_pool_Oficina ranges=192.168.10.10-192.168.10.200
add name=dhcp_pool_WInvitado ranges=192.168.11.10-192.168.11.254
add name=ovpn_pool ranges=192.168.97.10-192.168.97.100
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
"ether3 LAN" lease-time=1d name=dhcp1
add address-pool=dhcp_pool_Oficina authoritative=after-2sec-delay disabled=no \
interface="Bridge Oficina" name=dhcp2
add address-pool=dhcp_pool_WInvitado authoritative=after-2sec-delay disabled=\
no interface="Bridge Invitado" name=dhcp3
/ppp profile
set *0 change-tcp-mss=default
add local-address=192.168.97.191 name=OVPN-profile remote-address=ovpn_pool \
use-encryption=yes
/queue simple
add max-limit=1M/1M name=CCTV target="Bridge CCTV"
add max-limit=1M/1M name=Invitado target="Bridge Invitado"
add max-limit=4M/4M name=Oficina target="Bridge Oficina"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface="Bridge Oficina" list=discover
add interface="Bridge Invitado" list=discover
add interface="Bridge CCTV" list=discover
add interface="ether4 - TOTA" list=WAN_interfaces
add interface="ether1 WAN0" list=WAN_interfaces
add interface="ether2 WAN1" list=WAN_interfaces
add interface="Bridge CCTV" list=LOCAL_interfaces
add interface="Bridge Invitado" list=LOCAL_interfaces
add interface="Bridge Oficina" list=LOCAL_interfaces
/interface ovpn-server server
set certificate=server-certificate cipher=blowfish128,aes128,aes192,aes256 \
default-profile=OVPN-profile enabled=yes require-client-certificate=yes
/ip address
add address=192.168.0.1/24 interface="ether3 LAN" network=192.168.0.0
add address=192.168.10.1/24 comment="Direcciones Pool Oficina Oficina" \
interface="Bridge Oficina" network=192.168.10.0
add address=192.168.11.1/24 comment="Direcciones Pool Invitado" interface=\
"Bridge Invitado" network=192.168.11.0
add address=192.168.12.1/24 comment="Direcciones Pool CCTV" interface=\
"Bridge CCTV" network=192.168.12.0
add address=192.168.200.1/24 interface=ether8 network=192.168.200.0
add address=xxx.xxx.xxx.xxx/24 interface="ether4 - TOTA" network=xxx.xxx.xxx.0
/ip arp
add address=192.168.0.127 interface="ether3 LAN" mac-address=\
08:9E:01:4F:82:F7
/ip dhcp-client
add dhcp-options=hostname,clientid interface="ether1 WAN0"
/ip dhcp-server lease
add address=192.168.10.127 mac-address=D4:6E:0E:05:93:03 server=dhcp2
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
netmask=24
add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
/ip firewall address-list
add address=192.168.0.100-192.168.0.230 list=allowed_to_router
add address=190.98.152.152-190.98.152.200 list=blocked_ips
add address=192.168.10.10-192.168.10.254 list=allowed_to_router_2
add address=192.168.0.0/16 list=addresses_LOCAL
/ip firewall filter
add action=fasttrack-connection chain=input connection-state=\
established,related
add action=accept chain=input comment=\
"Accept all connections stablished and related" connection-state=\
established,related
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"Accept all connections on local bridges" in-interface="Bridge Invitado"
add action=accept chain=input in-interface="Bridge Oficina"
add action=accept chain=input in-interface="Bridge CCTV"
add action=accept chain=input comment="Accept UDP 1701, 500, 4500" \
dst-address=xxx.xxx.xxx.xxx in-interface="ether4 - TOTA" port=\
1701,500,4500 protocol=udp
add action=accept chain=input comment="Allow ipsec protocol" dst-address=\
xxx.xxx.xxx.xxx protocol=ipsec-esp
add action=accept chain=input dst-address=xxx.xxx.xxx.xxx protocol=ipsec-ah
add action=accept chain=input comment="Allow Openvpn" dst-port=1194 protocol=\
tcp
add action=drop chain=input comment="Drop all invalid connections" \
connection-state=invalid
add action=drop chain=input comment=\
"Drop all packets que no est\E1n destinados a rutas de direcciones ip" \
dst-address-type=!local tcp-flags=""
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
dst-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
ch should not exist in public network" in-interface-list=WAN_interfaces \
src-address-list=addresses_LOCAL
add action=drop chain=input comment=\
"Drop every connection input not matched before" log=yes log-prefix=\
droped
add action=drop chain=forward comment=\
"Deny access from bridge Invitado to other bridges" in-interface=\
"Bridge Invitado" out-interface="Bridge Oficina"
add action=drop chain=forward in-interface="Bridge Oficina" out-interface=\
"Bridge Invitado"
add action=drop chain=forward comment="Deny access from Oficina to CCTV" \
in-interface="Bridge Oficina" out-interface="Bridge CCTV"
add action=drop chain=forward in-interface="Bridge CCTV" out-interface=\
"Bridge Oficina"
add action=accept chain=forward comment=\
"Accept established and related packets"
add action=accept chain=forward comment="Accept NAT connections from WANs" \
connection-nat-state=dstnat connection-state=established,related \
in-interface-list=WAN_interfaces
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface-list=\
WAN_interfaces
add action=drop chain=forward comment="Drop all packets from public internet w\
hich should not exist in public network" in-interface-list=WAN_interfaces \
src-address-list=addresses_LOCAL
add action=drop chain=forward comment="Drop all packets from local network to \
internet which should not exist in public network" dst-address-list=\
addresses_LOCAL in-interface-list=LOCAL_interfaces
add action=drop chain=forward comment="Drop all packets in local network which\
\_does not have local network address" in-interface-list=LOCAL_interfaces \
src-address=!192.168.0.0/16
/ip firewall nat
add action=masquerade chain=srcnat comment="SRC NAT to all local IPS" \
out-interface-list=WAN_interfaces src-address=192.168.0.0/16
add action=dst-nat chain=dstnat
dst-port=80 in-interface="ether4 - TOTA" protocol=tcp to-addresses=\
192.168.10.127 to-ports=80
add action=masquerade chain=srcnat dst-address=192.168.10.127 \
dst-port=80 out-interface="Bridge Oficina" protocol=tcp src-address=\
xxx.xxx.xxx.xxx
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,3des \
generate-policy=port-override
/ip ipsec policy
set 0 proposal=VPN-l2tp-proposal
/ip route
add distance=1 dst-address=xxx.xxx.xxx.xxx/32 gateway=xxx.xxx.xxx.yyyy \
routing-mark=to_WAN_TOTA
add distance=1 gateway=xxx.xxx.xxx.xxx
/ppp secret
add name=xxxx profile=OVPN-profile
add name=yyyy profile=OVPN-profile
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system ntp client
set enabled=yes primary-ntp=131.0.232.2 secondary-ntp=164.73.232.34 \
server-dns-names="1.ar.pool.ntp.org,1.south-america.pool.ntp.org,3.south-a\
merica.pool.ntp.org"
And this is my .ovpn (commented route are test I’ve made with no success)
client
dev tun
proto tcp
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
auth SHA1
auth-user-pass
verb 3
redirect-gateway def1
#route 0.0.0.0 0.0.0.0 192.168.10.1 1
#route 192.168.10.0 255.255.255.0
<ca>
</ca>
<cert>
</cert>
<key>
</key>